
The rapid development of technology has made personal data one of the most valuable assets. It is collected for various purposes – from personalizing advertisements and assessing creditworthiness to improving products and developing new services.
The increase in revenue and capitalization of many companies directly depends on the reach of their target audience and the scale of their personal data (PD) databases, as well as the availability of tools for analyzing this data and the ability to use these tools effectively.
The more valuable an asset is, the more people want to exploit it, including for dubious and illegal purposes.
The relevance of this issue for our country cannot be overstated. According to a study by Positive Technologies, at the end of the first half of 2024, Russia ranked first in the world for the number of offers to sell corporate databases on the darknet, accounting for 10% of the total volume. These databases contain personal information about citizens, including surnames, first names, phone numbers, addresses, passport details, and even passwords.
According to Roskomnadzor, the number of data leaks over the past two years has increased almost 40 times! Last year, 135 data leaks were identified, containing more than 710 million records about our citizens. These are official figures, but in reality, the number of incidents is much higher, as not all companies, whether from fear of punishment or lack of knowledge, “admit” to what has happened and report it to regulators as required by law.
Where and how do personal data “leak”?
Personal information is a coveted prize for fraudsters. With access to an individual's personal data, criminals can use it to obtain microloans and SIM cards, and even to register companies, forge payment receipts from various government organizations (such as fines from traffic police, tax authorities, etc.), impersonate bank or investigative agency employees to extract additional information needed to steal money from a card, register electronic wallets, and so on. Modern-day fraudsters have an extensive list of methods to defraud the public, so losing a passport can lead not only to headaches from navigating bureaucratic processes but also to significant financial losses.
Unfortunately, safeguarding a passport nowadays does not guarantee the absence of problems. User data primarily falls into the wrong hands via the internet, such as during registration on an online service, through account hacking, or through careless handling of confidential information by users themselves (most incidents involving confidential data occur in online retail). According to the Ministry of Internal Affairs, losses from cyber fraud increased by 36% in 2024 compared to the previous year, totaling 200 billion rubles.
Massive data leaks can result from human errors, industrial espionage, or unscrupulous actions by insiders, such as employees of telecommunications operators, banks, or insurance companies.
However, the most common cause of mass data leaks is targeted theft – cyberattacks on the IT infrastructure of large companies. The second most significant cause, after cybercrime, is vulnerabilities in software, many of which pose critical risks. Bugs, outdated security measures, failures and malfunctions in IT systems, weak antivirus programs, etc., significantly facilitate the work of criminals. Additionally, due to a lack of risk management, data often “leaks” without any malicious intent, simply due to the carelessness of its owners. Sometimes even improper server configuration can allow search engines to index data stored on it.
How to counteract data leaks?
Any actions involving personal data are regulated by legislation: data operators are required to adhere to mandatory conditions for protecting personal data from illegal manipulations – such as destruction, alteration, copying, unauthorized access, etc. A comprehensive set of technical and organizational measures has been developed to counteract leaks; it can be found in the text of the law as well as in numerous public sources. In summary, this list can be condensed into four key points. Any company or organization dealing with personal data must:
- Ensure the protection of personal data in such a way that it is not accessible to third parties. Store it centrally, avoiding distribution across various devices.
- Limit access to personal data through accounts with different rights and passwords, which should be regularly updated. Only authorized individuals who have the right to process this data should have access.
- Use personal data exclusively for the purposes for which it was provided (i.e., you cannot collect data for product delivery and use it for targeted advertising unless this was stipulated in the personal data processing agreement).
- Use up-to-date versions of antivirus software.
The more personal data a company collects, the more stringent the security requirements for its infrastructure. Legislation sets four levels of protection, determined by the category of information being processed, types of potential threats, the number of personal data subjects, and their affiliation (clients or employees). Technical protection measures should be selected according to the assigned level.
The role of data centers in ensuring compliance
Data localization within the territory of the Russian Federation under the new version of Federal Law No. 242-FZ has become a powerful driver for the development of the Russian data center industry.
Revenue for data center providers increases annually by 30%, and spaces in new facilities are sold out even during the construction phase.
Over the past ten years, the number of rack units in commercial data centers has grown from 28,700 in 2015 to 82,400 in 2024. This dynamic is entirely logical.
One way to ensure reliable storage and processing of personal data in accordance with legal requirements is to transfer one’s infrastructure to an external site – a data center that assumes obligations to create a secure environment, ensure IT infrastructure resilience, and provide reliable physical security for equipment.

Legislation in the field of personal data protection is constantly evolving, imposing increasing obligations on businesses. At the beginning of 2024, the State Duma adopted a bill that strengthens administrative and criminal penalties for abuses and leaks of personal data. Fines will be calculated in millions of rubles and could become financially devastating for businesses if applied. The law will come into effect in May 2025, meaning that Russian companies have very little time left to enhance their security and cyber resilience against incidents.
However, it is not just about fines: given modern realities, companies can no longer afford to take a reactive approach to personal data protection. They need to safeguard their customers’ data to gain their trust and maintain their reputation.
Personal Data: Q&A
What are personal data?
Personal data refers to any information related to an identified or identifiable natural person (data subject). Essentially, it includes any details that can be used to identify an individual.
Categories of Personal Data (PD):
- Other Data: This includes information that allows a person to be identified, such as name and surname, date and place of birth, registered address, phone number, work experience, etc.
- Special Data: These are data that can be used for discrimination or harm against a person, including information about ethnic background (race, nationality), political views, religious beliefs, medical data, criminal records, etc.
- Biometric Data: This category includes data that is subject to special regulation and protection, such as biometric data (fingerprints, voice recordings, photos and videos of a person’s face, iris scans).
Who is the operator of personal data?
An operator is an entity that determines the purposes, terms and methods of processing personal data. This can be either an organization or an individual.
What regulations govern the protection of personal data in Russia?
The main regulatory act in the field of personal data circulation is Federal Law No. 152-FZ “On Personal Data”, enacted on July 27, 2006. This law applies to any individuals or legal entities processing personal data of Russian citizens, regardless of their location. The primary regulatory authority overseeing this area is Roskomnadzor.
- localized the customer’s IT infrastructure in compliance with Russian legislation (Federal Law 242),
- ensured the uninterrupted operation of key business processes and online platforms,
- completely eliminated legal risks for the customer’s Russian business.