Combating Personal Data Leaks – Will Tightening Liability Help?

Introduction: the article examines mass cyberattacks on the Russian information infrastructure. It is indicated that one of the main goals of criminals is personal data information systems. Literature review: the research analyzed the scientific works of A.V. Minbaleev, L.K. Tereshchenko, M.B. Dobrobaba, P.A. Vinogradova, Yu.N. Milshina, S.G. Chubukova and others, as well as recent changes in the legislation on personal data. Materials and Methods: the study employed a systematic methodology, integrating legal, comparative-legal, and sociological approaches. The empirical data consisted of legal acts of the Russian Federation, statistical studies, and scientific works. Results: the changes made in July 2022 to the Federal Law "On Personal Data" which, among other things, had the goal of reducing the number of leaks, increasing the number of identified cyber incidents and repulsed attacks, are analysed. It is noted that the number of personal data operators who must report to Roskomnadzor that they are processing personal data has increased tenfold. The comprehensive design of the processing of personal data and the protection of personal data information systems present significant challenges for "new" operators. These challenges are further compounded by the lack of trained personnel. The provisions pertaining to the response and notification of incidents related to personal data leaks are also analysed. These provisions stipulate that the FSB of Russia and Roskomnadzor are responsible for responding to and informing the public about such incidents. Discussion and Conclusions: it is concluded that the implementation of the adopted changes in legislation by small and medium-sized companies, including municipal organisations, is challenging. This indicates the problems that have arisen in connection with the changes made to the legislation and the expected introduction of norms of administrative responsibility for their failure to comply. A number of potential solutions to the issues that have arisen are put forward, including the establishment of comprehensive training programmes for employees of data processors, the creation of dedicated cloud platforms for the protection of personal data processed by small and medium-sized organisations, and the postponement of the introduction of administrative responsibility standards for small businesses for a year.