Who and how will be punished for leaking personal data?


In recent months, the cybersecurity of large companies and their customers has become a particularly acute problem. According to Group-IB, since the end of February 2022 the number of cyberattacks accompanied by the publication of stolen data for public viewing has tripled. A vivid example is the February release of data stolen from Yandex Food customers in the form of a map, which was later extended with data stolen from customers of other companies such as Gemotest, SDEK and WildBerries.

Mintsifra (the Ministry of Digital Development) admits that leaks may soon be seen in tens of thousands of organizations. According to a ministry spokesperson speaking at the Positive Hack Days forum, turnover-based fines for companies that leak personal data could be introduced as early as this year. The Ministry of Digital Development has already agreed on a draft law on such fines: they will amount to 1% of the company’s turnover.

It is not only companies that need to be penalized

According to Alexander Zhuravlev, head of the commission on legal support for the digital economy of the Moscow branch of the Russian Bar Association, responsibility for data leaks must be defined legally.

“In the event of a leak, there can be two responsible parties: the company whose data was stolen, and those who made an effort to steal it. It can be a full-time employee or an outsider. And essentially a fine for the affected company won’t prevent the next leak until a specific attacker is found. Therefore, both parties should be punished for both action and inaction, and the amount of responsibility should be determined according to the circumstances,” explains the expert.

Statistics confirm this: for example, in 2020, 60% of leaks were caused by deliberate acts, and the remaining 40% by people’s carelessness and naivety. Attackers can already be prosecuted today for stealing information under Article 137 of the Criminal Code of the Russian Federation.

While this article has hardly been used against those responsible for large-scale personal data leaks, today it is applied to prosecute the posting of private photos and personal correspondence on social networks.

In some cases, malicious activity can be prevented by adequate attention to security procedures and by restricting access to customers’ personal data. However, according to Zhuravlev, the increasing number of leaks shows that no company is immune. The most worrying situation is in small and medium-sized enterprises: they often lack the procedures needed to prevent leaks, and the processes associated with their information security architecture are not always well established. In today’s conditions, all companies need to improve both their processes and their security systems.

“If a company collects and stores too much customer data, it is necessary to reinvest some of the profits into its own security. If for some reason a company is unable to establish an adequate level of security, it must reduce the amount of data it collects,” adds Zhuravlev.

Penalties must take into account the circumstances of the leak

Companies, like attackers, must be held accountable. However, according to the expert, a sharp increase in fines may lead companies to direct their efforts at correcting problems rather than at timely reporting of incidents and eliminating their consequences. Therefore, liability measures for businesses need to be accompanied by appropriate conditions.

Mintsifra already has the beginnings of such an approach. For example, Vladimir Bengin, director of the cybersecurity department, has proposed imposing a separate penalty for failing to report a leak. Alexander Zhuravlev believes that this is not enough to fully regulate such situations: a single standard of action for companies in the event of a leak needs to be introduced. It should contain a list of measures companies must take to reduce harm to citizens.

For example, Zhuravlev emphasizes that companies should notify citizens of leaks in a timely manner, adding to the notification general advice on how users can protect themselves from the consequences. In addition, the message should be delivered in such a way that users see it immediately; the expert considers push notifications in the app an appropriate channel. Yandex Food and GeekBrains, which experienced the theft of customer data this spring, sent letters about the incident. Gemotest posted a notice on its website. Such actions may set an example for other companies, but a general mechanism must be set out in writing. Companies must also deal with the consequences of the leak, such as monitoring public resources and the dark web for user databases and working to have them removed or blocked.

Once a single standard of action exists, measures of liability can be determined against it.

“For example, if a company notifies users of a leak on its own and as soon as possible, takes adequate security measures, develops a detailed threat model, takes action to eliminate the causes of the leak, and tries to minimize its consequences as much as possible, punishment should be reduced as much as possible. If a company hides or denies the fact of a leak, it acts maliciously towards affected customers. Also, if the leak could have been avoided thanks to rudimentary architectural solutions of the information security system and the internal organization of the data management system, then the amount of the sanction should be significant,” explains Alexander Zhuravlev.

Zhuravlev believes that the bill on turnover-based fines for leaking personal data is, on the whole, necessary, as it has a disciplinary effect. It is important to set penalties for the different categories of people involved in such leaks. In addition, it is necessary to differentiate the procedure for applying liability and to establish a standard of action for companies in the event of a leak. This way, businesses will have an incentive to improve the security of citizens’ data, and the circumstances of leaks will become more transparent to customers and authorities.
