Personal data breaches are a major business risk in 2025. Companies and organizations that suffer such incidents face substantial financial penalties, a decline in customer trust, and reputational damage. In 2024, Russia’s State Duma passed Federal Law No. 420-FZ, which changes business liability: fines can now reach 500 million rubles or 3% of annual turnover.
Higher liability: The rationale behind regulatory tightening of data protection
In the past two years, Russia has seen a sharp escalation in data leakage incidents. In January–February 2025 alone, the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) identified 24 million records exposed in the public domain. Organizations are falling victim to breaches caused both by cyberattacks and by negligence of their own employees.
Over the same period, 19 database leaks on the internet were reported and five administrative offense protocols were issued, each of which translated into financial and reputational losses for the personal data operators concerned.
In view of this, Federal Law No. 420-FZ of November 30, 2024, introduces higher accountability measures for personal data operators.
Detailed overview of liability and turnover-based penalties for data breaches
The objective of the law is to institute material accountability for security incidents, thereby incentivizing companies to invest in information security and safeguard their clients’ data. Key provisions are outlined below:
- Penalties for businesses:
- Up to RUR 500 mln (over $6 mln) for personal data breaches.
- Up to 3% of the company’s turnover (but not less than RUR 20 mln, or $245,000) for repeated violations.
- Up to RUR 700,000 ($8,600) if the company conceals a breach from its clients.
- Penalties for executives:
- Up to RUR 300,000 ($3,700) for responsible officers who permitted the breach.
At the same time, Article 4.1 (General Rules for the Imposition of Administrative Penalties) is supplemented by Part 34-2, which reduces the sanction for a breach involving special categories of personal data or biometric personal data.
In that case the fine is reduced to one tenth of the minimum fine for the corresponding violation, but may be no less than RUR 15 mln and no more than RUR 50 mln, provided that all of the following conditions are met at once:
- In each of the preceding three years, the operator’s annual spending on information security using licensed solutions amounted to at least 0.1% of its annual revenue.
- The operator can document that, during the preceding year, it complied with the legislative requirements for protecting personal data processed in its personal data information systems.
- The operator has no prior violations concerning the collection and processing of personal data or the timely notification of Roskomnadzor, and it complied with the rules for informing data subjects about its personal data processing policy and for destroying or blocking personal data in its information systems on request.
Recommendations for companies on how to minimize the scope of leaked personal data and penalties
To prevent personal data breaches and mitigate associated financial and reputational losses, the following measures are recommended:
1. Enhancing internal security:
- develop and implement a personal data processing policy;
- appoint a Data Protection Officer (DPO) responsible for the protection of personal data;
- conduct annual security audits;
- restrict access to personal data to those employees who need it to perform their duties, and nobody else.
2. Using state-of-the-art data protection tools:
- deploy data leak prevention tooling (DLP), complemented by NGFW and XDR for network and endpoint visibility;
- encrypt personal data both in transit and at rest;
- update your software regularly;
- use a VPN for secure remote access.
3. Regular staff training:
- conduct personal data protection training sessions;
- train your employees to recognize phishing attacks and other social engineering tactics.
4. Incident response:
- develop and test a leak response plan;
- promptly notify your customers and regulators of any leaks (Russian law requires notifying Roskomnadzor within 24 hours of discovering an incident and reporting the results of the internal investigation within 72 hours).
5. Contractor monitoring:
- verify security procedures used by your partners working with personal data;
- sign non-disclosure agreements (NDAs) with counterparties.
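Two of the items above, encrypting stored personal data and restricting plaintext access to staff with a legitimate need, can be implemented together so that a leaked database contains only ciphertext and masked display values. The Go program below is an added example written for this page, not code from the original article or from IT Task. The roles, field names, access policy table and customer values are constructed for illustration, and the data-encryption key is generated in-process where a real deployment would draw it from an HSM or key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Role is a job function; only roles with a legitimate need may decrypt a field.
type Role string

const (
	RoleSupport    Role = "support"    // sees masked values only
	RoleCompliance Role = "compliance" // may decrypt, e.g. for a regulator request
)

// accessPolicy lists which roles may read the plaintext of each PII field
// (hypothetical policy for this example).
var accessPolicy = map[string]map[Role]bool{
	"phone":    {RoleCompliance: true},
	"passport": {RoleCompliance: true},
}

// Record is what gets persisted: PII exists only as AES-GCM ciphertext plus a
// pre-computed mask, so the working database never holds the plaintext.
type Record struct {
	ID     string
	Sealed map[string][]byte // field -> nonce || ciphertext || tag
	Masked map[string]string // field -> value safe to show to any role
}

// Vault wraps the data-encryption key (supplied by the caller here; an HSM or
// KMS in production).
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// aad binds a ciphertext to its record and field, so a blob copied between
// records or fields fails authentication instead of decrypting silently.
func aad(recordID, field string) []byte { return []byte(recordID + "\x00" + field) }

func (v *Vault) seal(recordID, field, plaintext string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per field
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field)), nil
}

func (v *Vault) open(recordID, field string, blob []byte) (string, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], aad(recordID, field))
	if err != nil {
		return "", fmt.Errorf("field %q of record %s: %w", field, recordID, err)
	}
	return string(pt), nil
}

// mask keeps only the last four characters for display; the rest is never
// stored in clear.
func mask(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// Store seals every PII field of a new record and computes its masked form.
func (v *Vault) Store(id string, fields map[string]string) (Record, error) {
	rec := Record{ID: id, Sealed: map[string][]byte{}, Masked: map[string]string{}}
	for name, value := range fields {
		blob, err := v.seal(id, name, value)
		if err != nil {
			return Record{}, err
		}
		rec.Sealed[name] = blob
		rec.Masked[name] = mask(value)
	}
	return rec, nil
}

// Reveal hands the plaintext only to a role the policy allows; any other role
// gets the masked value and no decryption is attempted at all.
func (v *Vault) Reveal(role Role, rec Record, field string) (string, error) {
	blob, ok := rec.Sealed[field]
	if !ok {
		return "", fmt.Errorf("unknown field %q", field)
	}
	if !accessPolicy[field][role] {
		return rec.Masked[field], nil
	}
	return v.open(rec.ID, field, blob)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	// Constructed sample customer data.
	rec, _ := v.Store("cust-1001", map[string]string{"phone": "+79261234567", "passport": "4510 123456"})
	support, _ := v.Reveal(RoleSupport, rec, "phone")
	compliance, _ := v.Reveal(RoleCompliance, rec, "phone")
	fmt.Println(support, compliance) // masked for support, full value for compliance
}
```

The design choice worth noting is the additional authenticated data: because the record ID and field name are bound into every ciphertext, an attacker who can edit the database cannot graft one customer's passport ciphertext onto another record, and any bit flipped in the stored blob is rejected rather than decrypted to garbage. Access decisions are made before decryption, so a compromised support account yields only the masked values that were already safe to display.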
These measures complement one another: information security is layered, and a gap in any one layer (an untrained employee, an unpatched server, an unvetted contractor) undermines the rest, so it is better to start implementing them now than to wait for a complete programme.
Summing up: Further development of Russian IS laws
The legal framework for personal data protection in Russia will further evolve in the next three to five years with no dramatic changes to be expected.
The development of artificial intelligence will be one of the key factors and may have a significant impact on future legislative initiatives. Even now, we are seeing a rise in deepfakes and other technologies that can be used to fabricate data, which in turn can be used to stage a fake incident and get a business fined.
Turnover-based fines should prompt companies to work out which is cheaper: investing in cybersecurity or paying large sums for IT incidents.
It is also expected that higher administrative penalties will have a compelling effect on operators who currently neglect compliance with personal data laws, which should bring the number of personal data leaks significantly down.

By Anton Antropov, CTO, IT Task