
The Association of Big Data (ABD) has proposed amendments to Russia’s legal framework that would exempt businesses from criminal liability when investigating data leaks. Currently, companies operate “at their own risk” when probing breaches, as accessing leaked data could itself violate the law under Article 137.2 of the Criminal Code [1]. The draft legislation, backed by major tech firms like Yandex and Sber, aims to create a safe harbor for cybersecurity investigations while maintaining penalties for malicious actors.
Current Legal Risks for Breach Investigations
Since December 2024, Russia’s updated Criminal Code imposes severe penalties for unauthorized data handling: up to 4 years’ imprisonment for domestic leaks and 10 years for cross-border incidents with significant consequences [2]. This has created a legal gray area where security teams risk prosecution for standard investigative actions such as accessing leaked databases to identify breach sources or assess impact. The ABD proposal specifically addresses this conflict by exempting two groups: companies investigating leaks of their own clients’ data, and licensed cybersecurity firms meeting capital requirements (₽1B minimum, or ₽100M for specialized providers).
Technical Implications for Security Teams
The proposed amendments would legally permit several critical security operations that currently exist in a gray zone:
- Accessing and analyzing leaked data repositories to verify breaches
- Conducting penetration tests that involve handling real leaked credentials
- Sharing breach artifacts with licensed third-party responders
However, the capital requirements (₽1B for general firms, ₽100M for specialized cybersecurity providers) could exclude smaller players from legal protections [3]. This creates a potential market shift where enterprises may need to outsource investigations to larger, licensed providers rather than handling them internally or using boutique firms.
Operational Considerations
For organizations operating in Russia, the changes would require updates to incident response playbooks. Key procedural adjustments would include:
| Current Practice | Proposed Change |
|---|---|
| Ad-hoc leak verification | Formalized documentation of investigative steps |
| Internal investigations | Vetting external responders for license compliance |
| Unrestricted data handling | Strict chain-of-custody for leaked data |
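The last two rows of the table (documented investigative steps and a strict chain of custody for leaked data) describe a procedural control without saying what the record looks like. The following is an added illustration, not code from the article, the ABD proposal or any of the firms named: a small tamper-evident custody ledger in which every hand-over of a breach artifact is logged with the handler, a timestamp, the artifact's SHA-256 and the hash of the preceding entry, so that a later edit to any entry is detectable. The artifact bytes, handler names and timestamps are constructed sample values.

```python
"""Tamper-evident chain-of-custody ledger for breach artifacts (added example).

Each entry records who handled which artifact, when and for what purpose,
together with the artifact's SHA-256 and the hash of the previous entry.
Because every entry's hash covers the previous hash, rewriting any entry
after the fact breaks verification of everything that follows it.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    timestamp: str          # ISO-8601 UTC time of the custody event
    handler: str            # person or licensed responder taking custody
    artifact_id: str        # label for the artifact; the data itself stays out of the log
    artifact_sha256: str    # hash of the artifact bytes at the time of hand-over
    action: str             # e.g. "received", "analysed", "transferred"
    prev_hash: str          # entry_hash of the preceding entry (all zeros for the first)
    entry_hash: str = ""    # filled in by the ledger when the entry is recorded

    def compute_hash(self) -> str:
        # Canonical JSON of every field except entry_hash itself.
        body = asdict(self)
        body.pop("entry_hash")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return sha256_bytes(canonical.encode())


class CustodyLedger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, handler: str, artifact_id: str, artifact_bytes: bytes,
               action: str, when: Optional[datetime] = None) -> CustodyEntry:
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        draft = CustodyEntry(len(self.entries), ts, handler, artifact_id,
                             sha256_bytes(artifact_bytes), action, prev)
        entry = CustodyEntry(**{**asdict(draft), "entry_hash": draft.compute_hash()})
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return i
            prev = e.entry_hash
        return None


def demo_ledger() -> CustodyLedger:
    """Constructed scenario: one leaked export handled by an internal analyst,
    then transferred to a hypothetical licensed external responder."""
    leaked_export = b"id,email\n1,user@example.com\n"   # constructed sample artifact
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    ledger = CustodyLedger()
    ledger.record("irt-analyst-1", "export-001", leaked_export, "received", t0)
    ledger.record("irt-analyst-1", "export-001", leaked_export, "analysed", t0.replace(hour=11))
    ledger.record("licensed-responder-A", "export-001", leaked_export, "transferred", t0.replace(hour=14))
    return ledger


def tampered_copy(ledger: CustodyLedger) -> CustodyLedger:
    """Simulate an after-the-fact edit: change the handler on the second entry
    without recomputing hashes, as a careless or dishonest edit would."""
    bad = CustodyLedger()
    bad.entries = list(ledger.entries)
    e1 = bad.entries[1]
    bad.entries[1] = CustodyEntry(**{**asdict(e1), "handler": "someone-else"})
    return bad


if __name__ == "__main__":
    ledger = demo_ledger()
    print("intact ledger, first bad entry:", ledger.verify())       # None
    print("tampered ledger, first bad entry:", tampered_copy(ledger).verify())  # 1
```

The ledger stores only hashes and metadata, never the leaked records themselves, which keeps the custody log shareable with an external responder without the log becoming another copy of the leaked data.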
The Ministry of Digital Development (MinTsifry) is currently reviewing the proposal, which aligns with broader legislative trends following November 2024 laws that increased penalties for data leaks [4]. Industry reactions remain mixed, with larger firms supporting the clarity while smaller providers express concerns about market consolidation.
Global Context and Comparisons
Similar legal tensions exist worldwide regarding breach investigations. The EU’s GDPR includes limited exemptions for “legitimate interests,” while U.S. laws like the CFAA have been interpreted to allow “authorized” security research. Russia’s approach appears more prescriptive, with explicit capital requirements rather than activity-based exemptions. This could create compliance challenges for multinational companies operating under conflicting regimes.
The ABD emphasizes that the amendments aim to distinguish between malicious leaks and legitimate security work [5]. As the proposal moves through review, organizations should monitor developments and prepare to adjust their Russian operations’ security and compliance frameworks accordingly.
References
1. “ABD proposed exempting businesses from criminal liability for investigating leaks”, vc.ru
2. “Businesses investigating data leaks may be exempted from criminal liability”, Forbes Russia
3. “Information security businesses to be taken out of the law’s scope”, Kod.ru
4. Federal Law No. 123-FZ of November 30, 2024, Official Gazette
5. “Draft law on exempting businesses from liability for investigating leaks”, Habr