Implications of personal data leaks
Personal data leaks are not uncommon in the work of companies and government agencies. They are often associated with a dishonest attitude towards their protection. The consequences of leaks can be very serious or minor. Protection against them should be the task of both operators and subjects of personal data.
Who can get hurt
Personal data is any information about a person that is associated with him, allows him to be fully identified, to obtain other information about him, to commit any encroachments on the secret of his personal life or property. Many people are at risk of losing important information when processing personal data, including:
- citizens using bank cards;
- citizens receiving medical services;
- owners of pension savings;
- bank depositors;
- property owners.
This is not an exhaustive list; many others can suffer from personal data leakage. Therefore, the state has built a personal data protection system. It is based on the Federal Law "On the Protection of Personal Data", the system of technical measures is regulated by the government, FSTEC, FSB.
Any organization that processes personal data in its activities is obliged to take a set of organizational and technical measures aimed at protecting them. The list of these measures and methods is regulated for each data group. When developing a system of such technical and administrative solutions, a threat model is used, which takes into account two types of risks:
The first type of threats that represent illegal penetration into the protected information perimeter of the operating organization is hacker attacks, which in Russia rarely become serious threats to the life and health of citizens. The appearance of the databases of the Central Bank of the Russian Federation, the State Traffic Safety Inspectorate, the Pension Fund on the Web has ceased - information systems are seriously protected, and the leak of an array of information protected by means of cryptographic protection, without the possibility of personification, does not carry serious risks. The number of external attacks on bank websites has also decreased.
The latter are implemented most often. A citizen provides information about himself in many cases in a medical institution, in a travel agency, in which, in order to obtain a visa, he almost completely discloses information about his financial status. Consent to the processing of personal data is often not signed. Thus, passport data, information about real estate, income, bank card transactions appear in an unprotected form on a computer, which may not even have anti-virus protection. In this case, access to them becomes possible:
- in case of direct penetration of an unscrupulous employee of the agency into a computer or material storage media;
- when hosting them in cloud networks, sometimes on many servers, often located outside of Russia. The legislation requires the mandatory storage of personal data within the country, but these requirements are not met by all operators, often not even aware of the existence of such a duty;
- when a laptop or a briefcase of a company employee is stolen, which contains information of interest to the attacker.
Frequent cases appearing in court practice in which doctors or employees of banking institutions are fined or otherwise punished for leaking information, for example, passport data, indicate the existence of the problem and its seriousness.
Consequences of leaks
The consequences of leaks can be serious for both data owners and operators. For the first group, there are numerous risks of becoming a victim of intruders. They may suffer:
- from the disclosure of any information related to the person;
- from blackmail;
- from illegal debiting of funds from a bank card;
- from interference with privacy;
- from threats to children, for example, in the case of publication in the media of data about the schools where they study.
The minimum risk is the misleading transmission of information, such as e-mail addresses, to any companies that start harassing their advertisers. But even this makes it possible to initiate a case for both illegal advertising and data breach and will lead to fines imposed on operators if the source of the leak or spam can be reliably identified.
Operators, in turn, who have leaked personal data, will be liable:
- civil, in the form of judicial recovery of losses incurred by citizens and moral harm;
- administrative, in the form of a fine, suspension or prohibition of activities related to the processing of personal data;
- criminal, in case of unlawful distribution of personal data, causing significant damage and transfer of information to law enforcement agencies.
So far, companies have not seriously considered the seriousness of claims for compensation for non-pecuniary damage related to the leakage of confidential information. Even if the court has established such a fact, the amount of the awarded amounts rarely exceeds several tens of thousands of rubles, even in the capital. In the region, the court will most likely refuse to satisfy the requirements for both banks and online stores. Situations become more serious when regulators intervene in a dispute and bring the situation to the initiation of a criminal case.
How to avoid negative consequences from data leaks
Measures to protect information require not only the operators to fulfill the obligations established by law, but also prudence from the subjects of personal data. The former will need to be as attentive as possible to compliance with the requirements of the law, decrees of the government of the Russian Federation and regulations of the FSTEC of Russia, which determine the required level of technical means designed to protect personal data from leakage. These are measures such as:
- installation of firewalls that impede the penetration of information arrays;
- introduction of a system of identification and authentication of employees who have access to them;
- recording in the logs of all the actions of specialists performing data processing, which makes it possible to understand what exactly they did with the information protected by law;
- installation of anti-virus protection means;
- use of means of cryptographic protection to encrypt data during storage and transmission;
- application of methods and measures that can prevent data leakage through physical channels, for example, by photographing a computer screen, removing audio information, intercepting electromagnetic radiation.
All of these measures to protect against data loss are significant, but they are implemented in most government agencies and large companies. Small firms, more often operating in the market for providing services to citizens, remain at risk. They are far from always included in the list of inspections of Roskomnadzor, since they do not consider registration as operators a necessary action. Even if this is done, the creation of a technical protection system for information databases of personal data is a costly undertaking that not everyone can afford. This is precisely what requires the citizens to exercise discretion when choosing and interacting with a service provider. Among these rules:
- not transfer personal data to companies that are not registered as operators;
- be more careful about any payments on the Internet;
- always study the text of consent to the processing of personal data, determining in what ways it is performed, what are the purposes of processing, the possibility of transferring information to third parties and in what cases.
Observance of caution by both operators and citizens will minimize risks. You should always remember that a citizen will not be able to fully compensate for material and moral damage.