''It’s easier for them to pay a fine given the price of information protection means assessed at millions of rubles''

How institutions and state enterprises store personal data of citizens, the causes of large-scale leaks and why Tatarstan is a role model for other regions

Official institutions and state enterprises, together with telecommunication companies and retailers, are the biggest controllers of the population's personal data. Safety of their storage is controlled by the Federal Service for Supervision of Communications, Information Technology and Mass Media and the Federal Service for Technical and Export Control (FSTEC) and the FSB (Federal Security Service). However, as practice shows, the state sector and organisations associated with it remain one of the main sources of information leaks. Realnoe Vremya remembers the most notorious scandals in this sphere and asked experts how such a situation is explained and if Tatarstan residents should concern about their personal data.

How Russians' personal data leaked

One of the latest major scandals about the leak of the citizens' personal data was in November last year: Kommersant's journalists visited Moscow municipal service offices and found out that copies of passports, personal insurance policy numbers, forms with mobile phones, bank account details and other documents of citizens were stored in computers installed in departments. Anyone interested had access to this information.

The city administration of Moscow distinguished itself several months before this incident: addresses of citizens that were to reach urban authorities encrypted were published directly on the website and indexed by search engines. Consequently, requests and complaints together with passport data and scans of other documents turned out in public domain.

In summer 2017, the Pension Fund of Russia was to carry out examination due to a leak of over 17,000 people's personal data. Web designer Sergey Deryabin, who accidentally received a mailing from one of the PFR's offices, raised the alarm first: a document containing dates of birth, registration addresses and the personal insurance policy numbers of thousands of citizens was attached to the letter. In the same year, Mine Rescue Brigade Federal State Unitary Enterprise, which comes under the Ministry of Emergency Situations published passport numbers, addresses and posts of 158 of its employees. This 2019 hasn't yet managed to ''present'' us any new scandal about the leak of the population's personal data. However, there is no guarantee it won't happen at any moment.

One of the latest major scandals about the leak of citizens' personal data was in November last year. Photo: mosday.ru

Easier to pay fine than provide security

The regulatory framework and requirements for personal data operators were created in Russia a long time ago. As head of Information Security Service at BARS Group Ildar Garipov explains, as for the processing of personal data, the federal law On Personal Data has been used in Russia as early as since 2006, which is applied to state and municipal departments, juridical and natural persons processing personal data. The decree of the Russian government defining requirements for data protection in information systems was created on the basis of this federal law.

These documents, in turn, served as a foundation for a decree of the FSTEC to define a set of measures to provide security of storage of citizens' personal data. It should be noted that the FSTEC uses non-cryptographic methods for protection measures – the FSB is responsible for protecting information with the help of cryptographic means. And the latter also created its own decree on personal data protection.

''Consequently, we have a federal law, the government's ruling as well as the regulators' decrees that define how to provide personal data protection in information systems,'' Ildar Garipov comments. ''The next step is to take measures to provide personal data security. There are certain problems in this area.''

The first of them is about the responsibility personal data controllers have: legislation presupposes fines in case security requirements aren't met. Moreover, the size of fines is incomparable with the size of costs to purchase protection means.

''The most interesting thing here is what sanctions are imposed in case there was a leak. Fines are measured in tens of thousands of rubles. It's easier to pay this fine given the price of information protection means assessed at millions, not low salary of the information security staff, which makes up a big sum during the year. At the same time, I'm sure that the legal framework in this regard will compulsorily tighten,'' thinks SearchInform's analyst Aleksey Parfentyev.

Director General of Etton IT company Yefim Klimov confirms that the situation now is that it's easier to pay a fine, as complying with legislation requires certain costs.

''By our company's experience, I can say it's necessary to provide a separate room to locate special equipment, specialists who must receive training and get special diplomas are also needed – it's a range of organisational measures and costs on the equipment itself. For this reason, it's easier for many to pay a fine. But I assure you it happens too rarely – many just get away with only a fine,'' the expert comments.

Technical solutions against human factor

The second problem is linked with technical means providing control and security of data storage. According to SearchInform's analyst Aleksey Parfentyev, they do have necessary products, but they are used not in the most effective way. Director in Methodology and Standardisation Dmitry Kuznetskov shares a similar position.

''The main problem that all sectors face, including the state sector, isn't the absence of information security solutions but the vulnerability of the used software, especially applied. Until recently, owners of state information systems had tried to formally meet security requirements, and it's not compulsory to get rid of such vulnerability,'' the expert states.

The analyst from SearchInform, in turn, advises not to shift the blame to juridical gaps or the absence of Russian OS, as applied security products have enough imperfections. Particularly, according to him, they are anyway about the necessity to digitalise the ''human factor'', the motive and intentions.

''Not only legislation but also common sense divide threats into two types: technical and human-based. To cope with technical threats, there are enough means. However, everything is by far more complicated with the human factor, as in this case there is a risk data will leak, a company's infrastructure might be used for personal purposes and ordinary theft or fraud in the end. The task to find out 'bad intentions' of employees who have access to information or the infrastructure remains topical in the IT world now. And again, Russian developments come to the fore. For this reason, I wouldn't exaggerate. Of course, there are enough problems, but successes are seen with the naked eye,'' Parfentyev concludes.

Tatarstan as a role model and hope for FSTEC

If the situation with the security of storage of the population's data across the country in general can be called not very stable, in Tatarstan, according to the experts, the state of affairs is a bit different.

''Tatarstan doesn't have problems with it. All personal data associated with the State Services portal are protected, there is a controlled certified by both the FSB and the FSTEC. In addition, this all is located at IT Park, which is also certified in accordance with very strict requirements in terms of security. In general there aren't problems in your region. Tatarstan is a unique territory to a certain degree,'' thinks Yefim Klimov.

Ildar Garipov also gives a positive evaluation.

''We cooperate with different ministries and departments of the republic. And I see that works to provide information protection, including personal data protection, are done. Talking about state information systems, a system can't be put into operation without certifying it according to information security requirements. Yes, probably this takes much time. But one should consider that this issue is closely connected with money allocation. I can't say nothing is done – measures are certainly taken. For instance, if we consider data centres of the republic, they create protected certified loops where a controller can calmly place his information system,'' the expert comments.

As the Tatarstan Ministry of Informatisation and Communications explains, data storage protection is provided at the technical, regulatory and organisational levels. Regarding technical protection, advanced means of protection, both equipment and software, are introduced. Departmental regulatory acts regulating relations arising when providing information security, including personal data, are adopted at the regulatory level. At the organisational level, employees who are responsible for controlling information security by restraining personal data from leaking through organisations' employees and through technical channels.

In answer to our newspaper's question if the ministry wrote down imperfections in the protection of citizens' personal data in departments and state enterprises of the Republic of Tatarstan, the Ministry of Informatisation and Communications asked to reach out to the Federal Service for Supervision of Communications, Information Technology and Mass Media.

Data storage protection is provided at the technical, regulatory and organisational level. Photo: osp.ru

Should we expect new leaks?

In Etton's director's opinion, new leaks of personal data are quite possible in other Russian regions.

''Coming to different departments in some regions, we see a situation when information security is at a too unsatisfactory level. Of course, we warn personal data might be stolen, might be hacked. If a swindler wants he will certainly do it,'' Yefim Klimov is sure.

Director in Methodology and Standardisation at Positive Technologies Dmitry Kuznetsov pins his hopes on the FSTEC, which has been mentioned many times.

''The Federal Service for Technical and Export Control has changed an approach to information security protection in the last years. Now, according to the FSTEC's requirements, an information system can't be put into operation until the vulnerability is analysed, and all detected vulnerability is eliminated. Such a job is to be done from time to time as the system is used. The tighter control over information security led to higher demand from authorities for services to test penetration, while results of such tests make evaluate the level of their systems' protection in a more sober way,'' the speaker sums up.

By Lina Sarimova