In recent months, cybersecurity for large enterprises and their customers has become a pressing concern. Data from Group-IB indicates multiple ransomware-like incidents and data dumps since late February 2022, with notable cases including the release of a data map of Yandex Food customers and subsequent disclosures affecting Gemotest, SDEK, Wildberries, and others. These events highlight the fragility of digital ecosystems in which customer information is at risk, and the need for robust protection measures across industries.
The Russian Ministry of Digital Development has signaled that breaches could become common across tens of thousands of organizations. A ministry spokesperson noted that penalties for mishandling personal data may be introduced as early as this year. A draft law has already been prepared to impose fines of as much as 1 percent of a company's turnover for personal data leaks, reflecting a shift toward stronger accountability in the data privacy landscape.
Companies are not the only ones who need to be penalized
Alexander Zhuravlev, head of the commission on legal support for the digital economy at the Moscow branch of the Russian Bar Association, argues that data-leak responsibility must be defined within the legal framework. He explains that in a breach there can be two liable parties: the organization whose data was compromised and the individuals or external actors who facilitated the theft. A fine for the affected company alone will not deter future breaches, and accountability should apply to both action and inaction, with penalties calibrated to the circumstances involved.
Statistics show that in 2020 about 60 percent of data leaks stemmed from deliberate acts, while roughly 40 percent arose from carelessness or naivety. Today, perpetrators can be prosecuted under Article 137 of the Russian Criminal Code for stealing information. While that statute has rarely targeted the organizers of large personal data leaks, it is increasingly used to pursue cases involving the posting of private photos and personal correspondence on social networks.
Security measures and restricted access to consumer data can prevent some malicious actions. Yet Zhuravlev notes that the rising volume of breaches suggests no company is immune. Small and medium-sized enterprises are particularly vulnerable, often lacking formal data-security procedures or a mature information-security architecture. In the current climate, all firms should strengthen processes and security systems to reduce risk.
When a company collects and stores excessive customer data, profits should be reinvested into stronger security. If a company cannot establish an adequate level of protection, it should limit the amount of data it retains, according to Zhuravlev.
Penalties must take into account the circumstances of the leak
Both companies and attackers should be held accountable. Yet an abrupt rise in fines could push companies toward quietly patching the problem rather than transparently reporting the incident and remediating it effectively. Liability rules for businesses should therefore be paired with practical conditions that support responsible behavior.
The ministry has already explored such frameworks. For instance, Vladimir Bengin, who leads the cybersecurity department, suggested a separate penalty for failing to report a breach. Zhuravlev cautions that a single standard is needed to guide action during leaks, outlining measures to minimize harm to citizens. He points to examples from the field where organizations notified users promptly and used clear channels to communicate the breach. Yandex Food and GeekBrains issued notices in spring, and Gemotest posted notices on its website. These efforts demonstrate what proactive communication can look like, but a unified standard would ensure consistent responses across all firms. In parallel, efforts to monitor public resources and the dark web for compromised user databases continue, with companies expected to take steps to remove or block such data where possible.
Under a unified standard of action, it would become possible to define responsibility more clearly. If a company notifies users quickly, implements robust security measures, develops a thorough threat model, eliminates the causes of the breach, and minimizes its consequences, penalties should be modest. Conversely, concealment or denial signals malicious intent, and penalties should rise significantly if the breach could have been prevented by basic architectural protections and proper data management practices. The penalties themselves, the policy framework, and the enforcement approach are widely viewed as necessary to maintain discipline and transparency in data handling. A well-conceived bill may balance accountability with practical steps to protect citizens, driven by a clear map of required actions in the event of a leak. By focusing on timely notification, risk mitigation, and user protections, authorities seek to create a more trustworthy data environment for individuals and businesses alike.