Why our personal data still easily leaked online?
It is necessary to raise the fines, but this is not enough
The authorities in Russia are slowly but surely (or rather, surely but slowly) trying to solve the issue of protection of personal data of citizens. Not so long ago, Vice-Speaker of the State Duma Pyotr Tolstoy was puzzled by that the data of his colleagues leaked in the Network. Then Sergey Neverov, the leader of United Russia in the State Duma, said: “We should also consider the penalty increase for incidents with information security of personal data.” In the column written for Realnoe Vremya, Head of the Analytics Department at SearchInform Aleksey Parfentiev explains why he believes the initiative to be sensible and timely, but insufficient.
The database of passport scans for $300
Personal data security is provided in Russia worse than abroad. European and American laws are much stricter against companies — they consider the very fact of vulnerability, that is, the possibility of illegal use of data, as a violation. The GDPR regulation, which came into force last year, obliges companies to report such incident within 72 hours. If you look at the main defaulters 2018 (in addition to Facebook and Uber, it is Yahoo! and Equifax), they found themselves at the receiving end just because of the fact that waited too long to report a leak.
Russian law does not require operators of personal data processing to report an incident. Very few do it voluntarily (according to our research, only 12% of the surveyed companies). Therefore, we learn about leaks from Russian companies on indirect evidence, when another insider or hacker uploads another base in the darknet. Judging by the “range” of data in the “dark Internet”, almost every large bank has enough insiders. For example, the first website one comes across has a database of scanned copies of passports in 500-700 pieces for $300. The cost depends on the completeness and relevance of the database.
The victims of leaks are also not very active in claiming their rights. Meanwhile, the regulator (Roskomnadzor) works on the basis of appeals. Since 1 September 2015, when the register of personal data operators appeared in Russia, the courts decided positively only on 238 Roskomnadzor's appeals. The figure is ridiculous against the background of the number of operators in the registry — 401,624 as of 31 December 2017.
The first website one comes across has a database of scanned copies of passports in 500-700 pieces for $300
Leak protection systems cost millions of rubles, but the penalty for a leak is tens of thousands
Most companies-offenders are just issued a fine. Today, its upper limit for legal entities is 75,000 rubles, and these are fines for processing data of the subject without the written consent. The total amount of fines last year was 4,068,500 rubles. That is, 54 maximum payments. Against the background of the number of operators in the country — again it is a miserable amount. Every year the fines increase but still remain very low.
However, fines alone will not solve the problem, the formal approach to the implementation of the law should be changed. How it is applied is well illustrated by the data leak from the Moscow Multifunctional Centres for Рrovision of State and Municipal Services. The press and the public announced the availability of copies of documents on the computers of the Centre, but the regulatory agency did not see this as a violation of the law. The timing of the decision shows that they did not have time to conduct a comprehensive investigation.
So the situation is, in fact, absurd. The organizations have the right to request and use documents, but they provide protection of this data conditionally. There are modern automated Data Leak Prevention systems (DLP) that take control of any data manipulation in organizations, as well as suspicious activity of employees. These software packages are often not used for reasons of economy and because of the low probability of punishment for the disclosure of personal data. The cost of the programmes is millions of rubles, the punishment is tens of thousands.
However, fines alone will not solve the problem, the formal approach to the implementation of the law should be changed
The only reason why companies in this situation take measures to protect data is the likely image risks, and they are increasing every year. Technical means enable us to effectively deal with leaks. So the only thing the companies need is desire, money and people.