Man
Professional
- Messages
- 3,106
- Reaction score
- 666
- Points
- 113
Personal data will receive a price tag: from 1000 to 50000 per leak.
Liability insurance for personal data operators, under which customers whose data is in the public domain can be compensated for "moral damage", can be implemented in Russia until the end of 2025. This information was reported to RBC by a representative of the All-Russian Union of Insurers (ARIA).
The idea of creating this type of insurance was first presented by the ARIA in October 2024, and last week the project was submitted for discussion in the Federation Council. The presentation was held as part of a round table with the participation of representatives of the Federation Council Committee on Constitutional Legislation and State Building, including First Deputy Chairman of the Committee Artem Sheikin.
Vladimir Novikov, Risk Director of SberInsurance and head of the ARIA working group on cyber insurance, said that the Federation Council is discussing the possibility of introducing this type of insurance as imputed - that is, voluntary, but mandatory for access to certain types of activities. At the same time, representatives of the ARIA clarified that the issue of compulsory insurance is not raised. There is also discussion about giving data operators, including information platforms and other data holders, the ability to choose forms of protection, such as a bank guarantee. To date, about five insurance companies have expressed interest in selling such a product, and their number may increase to ten.
The representative of the Bank of Russia clarified that the insurance project, which provides, among other things, for the possibility of making this type of insurance imputed, has not yet been submitted for consideration. He stressed that the position of the Central Bank will be determined after studying the project, adding that in its essence, insurance compensates for the consequences of insured events, but does not prevent them.
Terms and Conditions of Personal Data Insurance
SberStrakhovanie and VSK informed RBC of their intention to introduce a new type of insurance aimed at compensating for damage in the event of personal data leaks. At the same time, Absolut Insurance has so far refrained from launching such a product, referring to the lack of an unambiguous decision on reinsurance opportunities. Soglasie participates in the ARIA working group, which is discussing the project, but its representative did not answer the question about its readiness to offer this type of insurance. RESO-Garantia stated that it does not plan to deal with this area yet.
According to the ARIA presentation presented in the Federation Council, it is assumed that customers of companies whose data have been compromised will be paid compensation for "moral damage." The amount of such compensation depends on the type of leak: for the leakage of general personal data, such as name, date of birth, marital status, social status, property and income, compensation will be 1 thousand rubles. For the leakage of data of a special nature, such as political beliefs, religious views, nationality, health and intimate life, compensation will be 2 thousand rubles. In the event of a leak of biometric data, the amount of payment is set at 5 thousand rubles.
If the leakage of personal data leads to harm to the health or property of the client, the amount of compensation must correspond to the actual damage, but not exceed the limit of 50 thousand rubles. The total limit for such cases is 20% of the insured amount. In situations where the amount of damage exceeds the total insurance amount, the amount of payments will be distributed in proportion to the number of victims who applied for compensation.
The amount of the insured amount is calculated based on the amount of personal data stored by the company: 5 million rubles for companies working with less than 1 thousand personal data, 20 million rubles for processing up to 10 thousand records, 100 million rubles for companies with a data volume of up to 100 thousand, 500 million rubles for 1 million records and 1 billion rubles for companies. processing more than 1 million personal data.
Representatives of ARIA and business consider data breach liability insurance to be relevant, as it is in demand and provides universal approaches to protect companies from cyber risks. Insurance market experts assess the new type of insurance as promising. They believe that such a product will compensate for damage to persons whose data was lost or stolen, without litigation, which will significantly speed up the compensation process. In the absence of a policy, the data operator is forced to compensate for the damage caused to customers on its own.
However, a number of insurers point to the need to finalize the concept. It is important to be clear about what will be considered an insured event, as a breach can lead to various consequences, from serious damage, such as account fraud, to less significant ones, such as spam calls. In addition, the consequences of a leak may appear after a while, which also needs to be worked out.
Another problematic issue is the distinction between old and new leaks, as well as linking compensation to actual damage. Insurance companies believe that it is more correct to take into account not just the fact of leakage, but the specific damage caused. The occurrence of insured events occurs frequently, and the number of victims can be in the hundreds of thousands, which requires insurers to carefully check customers and effectively reinsurance.
Rosgosstrakh emphasizes that without clear answers to a number of questions, it is premature to talk about specific insurance products. In particular, questions remain unclear about the causes of insured events, the methodology for assessing damage, as well as the status of insurance (compulsory, imputed or voluntary).
The size of the proposed compensations also causes discussions among experts. Lawyers note that the amounts correspond to the average indicators of Russian judicial practice, but are significantly inferior to European standards, where compensation can reach 25-50 thousand rubles. At the same time, in Russian practice, there are already precedents for higher payments - up to 150 thousand rubles in special cases.
Source
Liability insurance for personal data operators, under which customers whose data is in the public domain can be compensated for "moral damage", can be implemented in Russia until the end of 2025. This information was reported to RBC by a representative of the All-Russian Union of Insurers (ARIA).
The idea of creating this type of insurance was first presented by the ARIA in October 2024, and last week the project was submitted for discussion in the Federation Council. The presentation was held as part of a round table with the participation of representatives of the Federation Council Committee on Constitutional Legislation and State Building, including First Deputy Chairman of the Committee Artem Sheikin.
Vladimir Novikov, Risk Director of SberInsurance and head of the ARIA working group on cyber insurance, said that the Federation Council is discussing the possibility of introducing this type of insurance as imputed - that is, voluntary, but mandatory for access to certain types of activities. At the same time, representatives of the ARIA clarified that the issue of compulsory insurance is not raised. There is also discussion about giving data operators, including information platforms and other data holders, the ability to choose forms of protection, such as a bank guarantee. To date, about five insurance companies have expressed interest in selling such a product, and their number may increase to ten.
The representative of the Bank of Russia clarified that the insurance project, which provides, among other things, for the possibility of making this type of insurance imputed, has not yet been submitted for consideration. He stressed that the position of the Central Bank will be determined after studying the project, adding that in its essence, insurance compensates for the consequences of insured events, but does not prevent them.
Terms and Conditions of Personal Data Insurance
SberStrakhovanie and VSK informed RBC of their intention to introduce a new type of insurance aimed at compensating for damage in the event of personal data leaks. At the same time, Absolut Insurance has so far refrained from launching such a product, referring to the lack of an unambiguous decision on reinsurance opportunities. Soglasie participates in the ARIA working group, which is discussing the project, but its representative did not answer the question about its readiness to offer this type of insurance. RESO-Garantia stated that it does not plan to deal with this area yet.
According to the ARIA presentation presented in the Federation Council, it is assumed that customers of companies whose data have been compromised will be paid compensation for "moral damage." The amount of such compensation depends on the type of leak: for the leakage of general personal data, such as name, date of birth, marital status, social status, property and income, compensation will be 1 thousand rubles. For the leakage of data of a special nature, such as political beliefs, religious views, nationality, health and intimate life, compensation will be 2 thousand rubles. In the event of a leak of biometric data, the amount of payment is set at 5 thousand rubles.
If the leakage of personal data leads to harm to the health or property of the client, the amount of compensation must correspond to the actual damage, but not exceed the limit of 50 thousand rubles. The total limit for such cases is 20% of the insured amount. In situations where the amount of damage exceeds the total insurance amount, the amount of payments will be distributed in proportion to the number of victims who applied for compensation.
The amount of the insured amount is calculated based on the amount of personal data stored by the company: 5 million rubles for companies working with less than 1 thousand personal data, 20 million rubles for processing up to 10 thousand records, 100 million rubles for companies with a data volume of up to 100 thousand, 500 million rubles for 1 million records and 1 billion rubles for companies. processing more than 1 million personal data.
Representatives of ARIA and business consider data breach liability insurance to be relevant, as it is in demand and provides universal approaches to protect companies from cyber risks. Insurance market experts assess the new type of insurance as promising. They believe that such a product will compensate for damage to persons whose data was lost or stolen, without litigation, which will significantly speed up the compensation process. In the absence of a policy, the data operator is forced to compensate for the damage caused to customers on its own.
However, a number of insurers point to the need to finalize the concept. It is important to be clear about what will be considered an insured event, as a breach can lead to various consequences, from serious damage, such as account fraud, to less significant ones, such as spam calls. In addition, the consequences of a leak may appear after a while, which also needs to be worked out.
Another problematic issue is the distinction between old and new leaks, as well as linking compensation to actual damage. Insurance companies believe that it is more correct to take into account not just the fact of leakage, but the specific damage caused. The occurrence of insured events occurs frequently, and the number of victims can be in the hundreds of thousands, which requires insurers to carefully check customers and effectively reinsurance.
Rosgosstrakh emphasizes that without clear answers to a number of questions, it is premature to talk about specific insurance products. In particular, questions remain unclear about the causes of insured events, the methodology for assessing damage, as well as the status of insurance (compulsory, imputed or voluntary).
The size of the proposed compensations also causes discussions among experts. Lawyers note that the amounts correspond to the average indicators of Russian judicial practice, but are significantly inferior to European standards, where compensation can reach 25-50 thousand rubles. At the same time, in Russian practice, there are already precedents for higher payments - up to 150 thousand rubles in special cases.
Source
