An amendment to **Article 13.12 of the Russian Code of Administrative Offences** (Violation of information protection requirements) has been proposed. The draft law sets the corresponding fines for officials at **RUB 10,000 to 50,000** (currently RUB 1,000 to 2,000) and for companies at **RUB 50,000 to 100,000** (currently RUB 10,000 to 15,000).
The fines for the use of **non-certified information systems, databases, or non-certified information security tools** will also increase: for officials, to **RUB 10,000 to 50,000** (currently RUB 2,500 to 3,000), and for companies, to **RUB 50,000 to 100,000** (currently RUB 20,000 to 25,000).
An increase in the **limitation period** for prosecution of violations of information security requirements to **one year** has also been proposed. The current limit is 60 calendar days (90 days if the case is heard by a judge).
**Phishing** is a type of **cyber attack** in which attackers use **fake messages, websites, or applications** to **obtain confidential information**. If an employee fails to recognize the phishing attempt and clicks the **link** or enters into **correspondence** with the attacker, the attacker can gain access to the **corporate database** or the **employee's email**.
Phishing can lead to serious consequences, including **financial losses**, **leakage of confidential information such as personal data**, **legal liability**, and **reputational damage**.
The legal risks may include, inter alia, the company being held **administratively liable**. In one case, as a result of phishing, an **external user** was able to log into a company's internal IT resources using an **employee's account**, download, and then **publish its employee database**. The database contained the following **personal data of all employees**: full name, phone number, work address, speciality, position, type of employment, work experience, email address, and educational background.
The company **admitted its culpability**, and the court imposed the **minimum fine** under Part 1 of Article 13.11 of the Russian Code of Administrative Offences, **RUB 60,000**, having taken the following into account:
1) the leak did not result in a **violation of the rights and legitimate interests of the company or its employees**, and **no complaints** regarding the compromise of personal data arose as a result of the incident;
2) the personal data was accessed as a result of the **illegal actions of third parties**, with **no use of malware detected**;
3) the company's **IT department** immediately **blocked the compromised accounts**;
4) the company promptly **notified Roskomnadzor of the incident**;
5) there was **no damage**, and no information that could pose a **financial, reputational, or other threat to the employees** has become publicly available;
6) this was a first offence: the company had **never previously been prosecuted** under Article 13.11 of the Russian Code of Administrative Offences and has a **good business reputation** in terms of **compliance with personal data legislation**.
For more information, see Resolution of the Justice of the Peace of Judicial District No. 349 of the Begovaya district of Moscow, dated February 27, 2024, in case No. 05-0381/349/2024.
To protect employees from phishing, we recommend taking the following measures:
1. Education and raising awareness. Conduct cybersecurity training for employees so that they can recognize phishing attempts and do not fall for them.
2. Mail filtering. Use antivirus programs and spam filters to detect and block suspicious emails.
3. Multi-factor authentication. Implement multi-factor authentication for access to important systems and applications to make it harder for attackers to gain access to personal data.
4. Regular software updates. Ensure that all employees install the latest updates to their software and operating systems, as these contain fixes for the vulnerabilities exploited in phishing campaigns.
5. Access restrictions. Limit employees' access to confidential information and systems only to those whose work requires it.
6. Monitoring and analysis. Monitor suspicious activity and analyze phishing attack attempts to identify trends and improve security measures.
7. Cooperation with the IT department. Maintain close cooperation with the IT department to quickly respond to threats and implement new security technologies.
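As an added illustration of the monitoring measure in item 6 (this is example code written for this page, not something from the original text or the court case), the script below looks for the account-takeover pattern from the case above: a successful login under an employee account from an address outside the corporate network, followed shortly afterwards by a bulk export of a sensitive resource. The log lines, account names, IP addresses, the internal address ranges, and the thresholds are all constructed assumptions; the parser would need to be adapted to the format of your own identity-provider and application logs.

```python
"""Added example: flag an external login followed by a bulk export, the pattern
behind the employee-database leak described above. All log lines, accounts,
addresses and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs: "<timestamp> <event> user=<account> ip=<addr> [key=value ...]"
SAMPLE_LOGS = """\
2024-02-01T08:55:12 login_success user=ivanov ip=10.20.30.41
2024-02-01T09:01:40 login_success user=petrova ip=10.20.30.57
2024-02-01T09:03:08 export user=petrova ip=10.20.30.57 resource=hr_directory rows=12
2024-02-01T13:22:09 login_success user=ivanov ip=203.0.113.77
2024-02-01T13:24:51 export user=ivanov ip=203.0.113.77 resource=hr_directory rows=4800
2024-02-01T13:31:02 login_failure user=sidorov ip=198.51.100.9
"""

# Assumed corporate address space; anything outside it counts as external.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
EXPORT_ROW_THRESHOLD = 1000        # assumed: exports this large are treated as bulk
WINDOW = timedelta(minutes=30)     # assumed: export must follow the login within this window


def parse_line(line):
    """Parse one constructed log line into a dict; returns None for blank lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": datetime.fromisoformat(parts[0]), "event": parts[1]}
    for field in parts[2:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_external(ip):
    """True when the address is not inside any assumed internal network."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def detect_takeover(log_text):
    """Return one alert tuple (user, login_ts, login_ip, export_ts, rows) for each
    bulk export that follows, within WINDOW, a successful login from an
    external address under the same account."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    external_logins = defaultdict(list)   # user -> [(login_ts, login_ip)]
    alerts = []
    for e in events:
        user = e.get("user")
        if e["event"] == "login_success" and is_external(e["ip"]):
            external_logins[user].append((e["ts"], e["ip"]))
        elif e["event"] == "export" and int(e.get("rows", 0)) >= EXPORT_ROW_THRESHOLD:
            for login_ts, login_ip in external_logins[user]:
                if login_ts <= e["ts"] <= login_ts + WINDOW:
                    alerts.append((user, login_ts, login_ip, e["ts"], int(e["rows"])))
                    break
    return alerts


if __name__ == "__main__":
    for user, login_ts, login_ip, export_ts, rows in detect_takeover(SAMPLE_LOGS):
        print(f"ALERT {user}: external login from {login_ip} at {login_ts:%H:%M}, "
              f"bulk export of {rows} rows at {export_ts:%H:%M}; block the account and review")
```

On the constructed logs only the `ivanov` account is flagged: the internal login and small export by `petrova` and the failed login by `sidorov` do not match. In practice the alert should trigger the same steps the court credited in the case above, namely blocking the compromised account immediately and assessing whether a notification to the regulator is required.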
We hope that the information provided herein will be useful for you.