Roskomnadzor
It has been discovered that personal data has been illegally/accidentally transferred, provided, or distributed. If this has resulted in a violation of the rights of personal information subjects, the operator must notify Roskomnadzor of this fact within 24 hours. This body is authorized to ensure security in this area.
The operator must report the incident itself and the presumed main causes of the leak of personal data. Additionally, information must be provided on the damage caused to the rights of personal data subjects and on the measures taken to eliminate the consequences of the incident. The operator must also name the person it has appointed to interact with this body on issues related to the incident (in accordance with the provisions of paragraph 3.1 of Article 21 of Federal Law No. 152).
Source: frantic00 / Shutterstock.com
A notification about a personal data leak can be sent via the personal data portal, where Roskomnadzor has created a specialized service: in the "Incidents (leaks)" section, on the "Notification of the fact of illegal or accidental transfer (provision, distribution, access) of personal information that resulted in a violation of the relevant rights" page.
What should be done if the leak of personal data from the system occurred as a result of a hacker attack? In addition to the interaction with Roskomnadzor already described, the operator is obliged to notify the federal system for detection, prevention and elimination of the consequences of computer attacks on information resources about cases of hacking that led to the transfer, provision or distribution of information in violation of the law, or to unauthorized access to personal data.
GDPR
If a personal data breach occurs and the company is subject to the GDPR, the relevant European supervisory authorities must be informed. It is important to note that the occurrence of a personal data breach is not in itself considered a violation of the General Data Protection Regulation.
Source: shutterstock.com
A breach may happen even when effective protection measures are in place. However, if attempts are made to conceal the incident, or if it is found that the reaction to the event was insufficiently prompt, that is already considered a violation. The company may then be fined up to €10 million or two percent of annual turnover, whichever amount is higher.
What's next?
At the beginning of an internal investigation, the security service identifies the type of information leak (whether it is accidental or not).
Typically, accidental leaks are easy to detect by analyzing DLP (Data Leak Prevention) reports, interviewing employees, or reviewing surveillance video recordings that capture the actions of specialists at work.
The interview is conducted by the security manager or the director of the organization. It is important not to disclose the reason for the meeting in advance. During the interview, psychological methods of influence are used and the employee's reaction is observed. Insufficiently clear or inconsistent answers may indicate the employee's possible involvement in the incident.
If the data has been stolen intentionally and has already been disclosed, certain steps should be taken, following this algorithm:
Identify the category of employees who had access rights to the stolen information.
Conduct a survey with each employee from the designated group.
Compare all the evidence collected and identify the main suspects.
Analyze the suspects' actions over the relevant period, including their arrival and departure times and the data they worked with. This makes it possible to identify the likely violator.
Initiate the procedure for bringing to justice.
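The first and fourth steps above (identifying who had access rights to the stolen data, then reviewing those people's working hours and the data they handled) are the parts of the procedure that can be driven from records rather than interviews. The following Python script is an added example, not part of the original article: it takes a constructed role-based access list, a staff roster, an application access log and a badge (turnstile) log, shortlists the accounts whose role permitted reading the leaked dataset, summarizes each account's reads, exports, after-hours exports and badge events inside the investigation window, and ranks the shortlist. All names, datasets, log formats and the 08:00-18:00 working-hours assumption are constructed for the example.

```python
"""Added example: shortlisting accounts for a leak investigation from access
records. Roster, ACL, log lines and the working-hours window are constructed."""
from datetime import datetime

# Constructed role-based access list: which roles may read each dataset.
ACL = {
    "customer_pii": {"support", "analytics"},
    "payroll": {"hr"},
}

# Constructed staff roster: account -> role.
ROSTER = {
    "a.ivanov": "support",
    "b.petrova": "analytics",
    "c.sidorov": "hr",
    "d.kuznetsov": "analytics",
}

# Constructed application access log: ISO timestamp | account | dataset | action
ACCESS_LOG = """\
2024-03-01T09:12:00 | a.ivanov | customer_pii | read
2024-03-01T09:40:00 | b.petrova | customer_pii | read
2024-03-01T18:55:00 | b.petrova | customer_pii | export
2024-03-02T10:05:00 | d.kuznetsov | customer_pii | read
2024-03-02T11:30:00 | c.sidorov | payroll | read
2024-03-03T20:15:00 | b.petrova | customer_pii | export
"""

# Constructed badge (turnstile) log: ISO timestamp | account | in/out
BADGE_LOG = """\
2024-03-01T08:58:00 | a.ivanov | in
2024-03-01T17:30:00 | a.ivanov | out
2024-03-01T09:05:00 | b.petrova | in
2024-03-01T19:10:00 | b.petrova | out
2024-03-03T19:50:00 | b.petrova | in
2024-03-03T21:00:00 | b.petrova | out
"""

WORK_START_HOUR, WORK_END_HOUR = 8, 18  # assumed working hours


def parse_log(text):
    """Split 'a | b | c' lines into tuples; the first field becomes a datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        fields[0] = datetime.fromisoformat(fields[0])
        rows.append(tuple(fields))
    return rows


def employees_with_access(dataset, acl=ACL, roster=ROSTER):
    """Step 1: accounts whose role is permitted to read the leaked dataset."""
    allowed_roles = acl.get(dataset, set())
    return sorted(u for u, role in roster.items() if role in allowed_roles)


def activity_summary(dataset, start_iso, end_iso,
                     access_log=ACCESS_LOG, badge_log=BADGE_LOG):
    """Step 4: per-account activity on the dataset inside the window, plus
    badge presence, restricted to accounts that had access. Returns a dict
    keyed by account."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    summary = {u: {"reads": 0, "exports": 0, "after_hours_exports": 0,
                   "badge_events": 0} for u in employees_with_access(dataset)}
    for ts, user, ds, action in parse_log(access_log):
        if user not in summary or ds != dataset or not (start <= ts <= end):
            continue
        if action == "read":
            summary[user]["reads"] += 1
        elif action == "export":
            summary[user]["exports"] += 1
            if ts.hour < WORK_START_HOUR or ts.hour >= WORK_END_HOUR:
                summary[user]["after_hours_exports"] += 1
    for ts, user, _direction in parse_log(badge_log):
        if user in summary and start <= ts <= end:
            summary[user]["badge_events"] += 1
    return summary


def rank_suspects(summary):
    """Order accounts by after-hours exports, then exports, then reads.
    Accounts with no activity stay at the bottom but are not dropped: absence
    of logged activity is itself a finding to check against the badge log."""
    return sorted(summary, key=lambda u: (summary[u]["after_hours_exports"],
                                          summary[u]["exports"],
                                          summary[u]["reads"]), reverse=True)


if __name__ == "__main__":
    s = activity_summary("customer_pii", "2024-03-01T00:00:00", "2024-03-04T00:00:00")
    for user in rank_suspects(s):
        print(user, s[user])
```

The ranking only narrows the group to interview; it does not establish guilt. An account at the top of the list still needs the evidence comparison and the interview described in steps 2 and 3, and an account with exports but no matching badge events points at a credential-misuse question rather than at the account holder.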
Taking into account the extent of the damage, the head of the security service, together with the director, determines the penalties applied to the person responsible for the leak. These may include financial sanctions (fines, loss of bonus), administrative liability and even criminal prosecution.
If the violation falls under the criminal or administrative code, law enforcement agencies should be involved in the case. An official investigation is also opened when the offender refuses to pay financial compensation for the leak of personal data.
Openness and professionalism in how an organization handles a personal data breach reduce the likelihood of losing customers. This is especially important for companies in the healthcare, pharmaceutical, services and IT sectors, where the risk of customer churn after such an incident is significant.