Roskomnadzor has suggested that business representatives report any data leaks that have occurred, which will allow them to avoid the stricter legislation that will come into force on May 30, 2025. Deputy head of the agency Milos Wagner spoke about this at a press conference entitled “Data Leaks as a Socioeconomic Problem.”


Currently, companies face neither fines for failing to notify Roskomnadzor of such incidents nor turnover fines. According to Wagner, the date of the violation will be considered the moment when the disclosure of data to an unlimited number of people is confirmed. Such confirmation can be, for example, a database published by the attackers or a notification from the company that allowed the personal data to leak.

“Therefore, companies have until May 30 to inform the authorized bodies about leaks that have occurred earlier. And then, accordingly, the measures of responsibility provided for by the current legislation will be applied to them,” the source quotes Mr. Wagner as saying. He also added that after the new legislation comes into force, not only the fact of the leak itself, but also the failure to notify Roskomnadzor about the incident will be considered an offense.

Currently, punishment for incidents related to the leakage of personal data is regulated by two federal laws that were adopted in November 2024. They establish liability for obtaining personal data without legal grounds and for unauthorized access to it. They also tighten liability for violations in the processing and storage of confidential information, introduce new fines and offenses, and provide ways to reduce the amount of liability. Criminal liability for the illegal use of personal data has been in effect since December 11, 2024.

During the aforementioned press conference, Wagner called on business representatives to think about observing the principles of working with personal data. He believes it is necessary to minimize the volume of personal data, as well as delete such information after achieving the purpose of its use. “In our opinion, many ignore this requirement. And it would be possible, for example, to depersonalize the data after achieving the goal, transfer it to the archive, etc.,” Wagner added.

The data from the survey by InfoWatch and the BISA Association, which involved large and medium-sized companies in the information security segment, indicate that 58% of respondents are taking organizational measures and preparing for inspections after the tightening of liability for leaks. At the same time, 28% of companies are inactive or do not consider the upcoming changes to be important. It is noted that 53% of survey participants are planning or have taken measures, but they are not confident that they will be sufficient.

“When asked what they lack to improve the protection of personal data in their organization, respondents did not name financial support, technical means or any other material resources. Almost half of respondents (45%) noted the lack of understanding of management and employees. This suggests that the problem of personal data leaks is a matter of awareness of the problem by management and within the organization, understanding that data protection is the task of the entire company, and not just the security service,” noted Natalya Kasperskaya, President of InfoWatch Group and Chairman of the Board of ARPP “Domestic Software”.

A study by InfoWatch, BISA and the Zircon research group, in which 350 companies took part, showed that only a quarter of respondents sent information about leaks to authorized bodies. At the same time, 59% of survey participants preferred not to disclose information about such incidents.

“Personal data leaks are a problem that affects not only businesses, but also all residents of our country without exception. It is important to understand that leaks are the root cause of fraud, the soil on which endless calls from fake security services and law enforcement officers grow. According to estimates by the largest banks, last year citizens lost up to 295 billion rubles due to telephone fraud; this is a colossal scale of damage. Only joint efforts of regulators and businesses aimed at working and effective data protection will help reduce it,” noted Natalya Kasperskaya.
