Personal data leaks - SearchInform


Information plays an important role for private companies, government organizations, and ordinary people. Possession of other people's information makes it possible to win in competition and eliminate business rivals. At the same time, the development of information technology and the expansion of communication capabilities have contributed to the wider dissemination of data. For ordinary people, this means a high risk of personal data leakage, which can result in moral and material damage from the unauthorized distribution of personal information.

The consequences of personal data leakage

Companies are becoming hostages of information technology. Without software mechanisms, it is impossible to conduct and develop a business, build partnerships, and perform operations with personal data. The transition to an electronic platform requires serious attention to information security issues to avoid personal data leakage.

Interference with the functioning of an information system, whether it is theft, destruction, or gaining unauthorized access, can cause serious losses. Sources of losses are lawsuits brought by victims of the leakage of personal data processed by the company, as well as fines that supervisory authorities have the right to impose on operators of personal data.

The risk of personal data leakage will increase in the second half of 2018, when a unified personal identification system becomes operational. The national database will receive the biometric data of every Russian who becomes a bank client. The danger of biometric data leakage is extremely high: unlike payment card numbers or passport data, biometric information cannot be changed.

Punishment for leakage of personal data

In Russia, there are penalties for PD leakage. However, the size of the fines is insignificant, so the Ministry of Digital Development, Communications and Mass Media tried to push forward a bill that would expand the boundaries of administrative responsibility for the distribution of PD. The project introduced sanctions for two more offenses:

  • storage of personal data of Russian citizens in databases outside of Russia;
  • non-compliance with the requirements of the law to ensure the confidentiality of personal data, illegal disclosure, provision to third parties, including PD leaks.

The types of offenses that are highlighted by the current legislation are listed in article 13.11 of the Administrative Code of the Russian Federation. The provisions of the article apply to citizens, officials, individuals, and legal entities who perform the functions of operators of personal data. Violations for which liability is provided:

  • processing of personal data without sufficient grounds or misuse of data;
  • processing of personal data without written consent drawn up strictly in accordance with the requirements of Law 152-FZ;
  • failure to publish the policy on PD processing and protection requirements;
  • the subject has not received information about the composition of personal data from the operator;
  • failure to comply with the legal requirements of the subject to clarify, block, delete data;
  • non-compliance with the requirements for safe storage during manual processing of PD;
  • non-fulfillment of obligations by state or municipal bodies for the depersonalization of personal data or incorrect depersonalization.

Any violation can lead to leakage of personal data. Those guilty of a violation face an administrative penalty - a fine from 1,000 to 75,000 rubles, depending on the status of the perpetrator and the type of violation.

Data Loss Prevention Measures

Organizations that work with personal data must implement mandatory measures to protect it against modification and disclosure in accordance with the requirements of Law 152-FZ. Roskomnadzor monitors compliance with the legislation. The regulator's employees are authorized to inspect any company's protection of personal data against leakage. If insufficient care in protecting against PD leaks is revealed, the service has the right to require the operator to eliminate all inconsistencies or properly destroy the PD within three days. To avoid trouble, an operator who performs any actions with personal information needs to classify the data and provide full protection for it.

The norms of bylaws issued by the FSTEC and the FSB require operators to build modern effective protection with the help of:

  • implementation of effective antivirus solutions;
  • installation of firewalls;
  • application of systems to prevent unauthorized access (intrusion);
  • building a user identification system;
  • establishment of full-fledged access control, encryption, PD protection.

Possible ways of implementing the measures are set out in the FSTEC manual "Main measures for the organization and technical support of the security of personal data processed in personal data information systems."

The standard describes the main methods of building protection for information systems. In addition, the operator must classify the PD, determine the places of safe storage, model threats and draw up a profile of potential violators, and then select methods and means of protection against leaks that prevent each threat on the prepared list from being realized.

Documentation on protection against PD leaks in the banking sector

It is especially important to protect personal information in the banking sector. Russian legislation does not establish a list of mandatory documents regulating PD processing. As a result, many financial institutions cannot independently determine which local documents are mandatory and which should be treated as optional. Most often, the protection of personal data is regulated by the Internal Processing Policy based on article 18.1 of Law 152-FZ, the Regulation on the Protection of Personal Data of the Organization's Employees, and a similar Regulation on the Protection of Client Personal Data.

Organizations may also rely on one more document, the Recommendations of Roskomnadzor, according to which a Policy covering all the requirements for the protection of personal data must be created.

For borrowers and policyholders, the bank should develop a separate regulation that describes the main controversial points, guided by its own experience and real judicial practice.

It will not be superfluous to pay special attention to internal documentation, where items relating to the processing of PD should be entered. Additionally, it is necessary to adopt job descriptions for specialists who carry out and are responsible for processing PD in the institution.

It is advisable to strengthen the documentary base with the help of other documents, including:

1. The list of information systems in which PD processing is performed in a financial institution.

2. Rules for access to server rooms where data processing is performed, with a list of employees who have access to these rooms.

3. Model of possible and real threats to personal data during processing in the information systems where the data is processed and stored. The threat model is the most difficult document to develop, but its existence and implementation are required by Law 152-FZ (clause 5 of part 1 of article 18.1).

The bank must also issue orders and directives appointing the specialists responsible for the processing of PD in accordance with the charter.

Conclusions

Analysis of court decisions based on multiple inconsistencies in the work of companies involved in the processing of personal data allows us to summarize and recommend steps to improve the processing, storage, and protection of data.

1. Organize a full audit of the processes performed in the company for the collection, processing, distribution, storage, and destruction of PD. This will help identify potential leakage risks. An audit not only identifies bottlenecks but also provides an opportunity to:

  • determine the types, categorize PD that are processed in the company;
  • identify and classify the subjects whose PD is processed;
  • develop or improve local standards describing the collection and processing of PD;
  • put in place the organizational levers and technical measures needed to maintain the confidentiality of the information and protect against PD leaks.

2. Modify (implement) internal documentation for the collection and processing of PD.

3. Revise the standard forms of contracts to exclude items on the processing of PD.

4. Draw up standard forms of consent for employees, customers, and partners to process PD.

5. Ensure that only the data necessary for the stated purposes is collected, to avoid receiving unnecessary personal information.

6. Provide written forms of agreements with third parties and partners to whom the PD is transferred.

An additional measure is the creation of a Policy that regulates interaction with the relevant government agencies. The creation of documents must not be an end in itself: interested and responsible persons must familiarize themselves with each item of the documents, and the requirements must be strictly followed.

24.11.2020
