Cybersecurity Indulgence

rabiakhatun

In early November, the court upheld the claims of 13 clients of the Yandex delivery service who suffered due to a leak of personal data. They will be paid 5 thousand rubles as compensation. Perhaps in the future, personal data subjects will receive similar compensation from insurance companies. The Ministry of Digital Development confirmed to RSpectr the discussion of the idea of ​​​​insurance of personal data operators against data leakage risks. "Options for a mechanism for compensating damage to personal data subjects are currently being considered," the ministry reported.

Insurance is an institution that promotes the emergence of civilized relations between consumers and service providers, which is why the insurance industry supports this initiative, insurance expert Maxim Danilov told RSpectr.

In his opinion,

the new type of insurance will contribute to improving the quality of the culture of storage, processing and protection of personal data, as well as compensation for damage to victims in the event of an insured event

But, the expert says, it is not yet content writing service clear how this mechanism will work. As an assumption, he compared the insurance of personal insurance operators with compulsory motor third-party liability insurance, and a cyber incident with a road accident.



– In case of leaks, there are also victims – subjects of personal data, and there is a culprit – the data operator. The injured party can apply for compensation not to the operator, but to the insurance company. There, on the basis of clear rules, compensation is paid to the victims.

In MTPL, there is a system of fines for the absence of a policy and bonus-malus coefficients are in place to change the amount of the premium that the client pays to the insurer depending on his history of insurance claims, he recalled.

In the same way, in the new system, a data operator can pay a small amount for insurance, but if he has a major leak, then the cost of the policy will increase the following year, the expert says.

The insurance system, through the bonus-malus coefficient mechanism, will stimulate personal data operators to develop cyber defense systems

At the same time, the system must be built in such a way that it is not profitable for the personal data operator not to comply with the legislation, emphasized Maxim Danilov.

Head of the Risk Management Department of Ingosstrakh-Investments Management Company Yuri Nogin also welcomes the idea of ​​insuring the risks of personal data leaks. In his opinion, if it is implemented

a new insurance market may be formed, and data leak insurance will be only one of its segments

Yuri Nogin, UK Ingosstrakh – Investments:

- It is difficult to talk about the volume of this market in rubles now, as much will depend on the mandatory nature of the new service. This issue has not yet been resolved, but it may happen, as cyber risks are currently in the focus of special attention.

At the same time, he explained to RSpectr, insurance against personal data leakage risks will not cover reputational risks and will not remove liability in the investigation of cyber incidents. In addition, insurers will carefully analyze the IT infrastructure and information security (IS) systems of their clients.

This will be an additional audit for many organizations and will lead to an increase in the number of personnel related to IT and information security in insurance organizations.

The proposed initiative will reduce the number of personal data leaks, especially in the banking and telecommunications segments, which will be able to afford such insurance, the expert believes. At first, it will be affordable for large companies, but over time it will become available to small enterprises, predicts Yuri Nogin.

A DARK MATTER

Insurance against leaks will not reduce their number - having paid for such a service, a company can pay less attention to protecting personal data, limiting itself to only basic requirements, according to lawyers, experts in the field of personal data and cybersecurity interviewed by RSpectr.

According to Artur Leer, managing partner of the law firm Lex Alliance, comparing a data leak to a traffic accident or a flooded apartment by neighbors is not entirely relevant.

Arthur Leer, Lex Alliance:

– Considering that PD does not have a material embodiment, it is not clear how to assess the amount of compensation for cases of leakage of such information. In addition, the data operator can transfer personal information for storage to a third party under the contract. This should also be taken into account when developing a new type of insurance.