Personal data transferred: in the Russian Federation, they are preparing to launch insurance against data leaks
Russia wants to introduce guaranteed payments to victims of personal data leaks. The system could work like this: operators will be required to insure their risks or create a fund for payments, the violation will be recorded by Roskomnadzor, and citizens will be able to apply for compensation through "Public Services". Currently, out of the millions of victims, only dozens of people seek payments. At the same time, in the first eight months of 2025, the number of leaks increased by 60% (to 103), Roskomnadzor reported. The new insurance mechanism may be operational as early as 2026, the All-Russian Union of Insurers (VSS) expects. How much the victims will be able to receive is in the Izvestia article.
How can personal data leakage insurance work?
Russia is preparing to launch insurance against personal data leaks. Strengthening the responsibility of operators of such data has been discussed for several years. In 2024, the Federation Council proposed to introduce compulsory insurance for such companies so that victims could receive compensation for moral and property damage in case their information was compromised. However, the law will not work in this form, the All-Russian Union of Insurers (VSS) explained.
They explained that only a court can determine the amount of damage. That is how it works now: people can file a lawsuit if their data is leaked, but out of the millions of victims, only dozens of people seek compensation. Moreover, they mostly receive up to 5,000 rubles. The union proposed introducing guaranteed payments to all victims. Representatives of the VSS sent a letter to the Federation Council addressed to Artyom Sheikin; the document is at the disposal of Izvestia.
The union proposed determining the circle of victims after each leak and establishing a fixed amount of compensation depending on the type of compromised information (for example, biometric data or special categories). They also believe it is necessary to formally designate the agency responsible for recording violations and to develop a mechanism by which people will receive compensation.
The system can work as follows. Each personal data operator should be required to insure their liability or create a special fund for payments. Roskomnadzor can record leaks and determine the number of victims, the VSS suggested. They explained that the agency is already doing this, but sometimes people don't even know that information about them has been compromised. Now operators are only punished with fines (which go to the budget), but the victims themselves receive nothing.
Russians need to be notified about this, according to the union. Either insurance companies or the National Insurance Information System (NSIS), a subsidiary of the Central Bank, can do this. Then the victims will be able to apply for payment. It is easiest to organize this through "Public Services", according to the VSS. Information on a government portal will be more trustworthy than a letter from an insurer offering money, which may be perceived as a trick by fraudsters.
By clicking a button on "Public Services", people will be able to receive compensation; at the first stage it can be set within 5 thousand rubles. If a person believes that he has suffered more serious damage, he will be able to go to court. Right now, the payment system is not actually working: operators do not insure their liability to people.
Roskomnadzor told Izvestia that it is also ready to consider the initiative in the form of a draft regulatory act once it is submitted.
Liability insurance for personal data operators may start operating as early as 2026, the head of the VSS, Yevgeny Ufimtsev, told Izvestia. Sberbank Insurance noted that they are ready to offer such a policy to customers. The product can be launched within three to six months after the legislation is finalized, said Vladimir Novikov, the company's risk director.
He stressed that victims of personal data leaks must receive compensation. At the initial stage, the amount of payments can range from 1 to 5 thousand rubles, but it is necessary to provide for the possibility of increasing them. At the same time, the service should really be launched on "Public Services". Victims would receive an automatic notification about the possibility of receiving compensation. Then they would be able to receive payment in one click, explained Vladimir Novikov.
How much money can victims of personal data leaks receive?
Over the year, the number of personal data leaks increased by 60%. In January–August 2025, 103 leaks (50.9 million records) were recorded, Roskomnadzor told Izvestia. In the same period last year, there were 64 (but covering 105.0 million records).
The Ministry of Digital Affairs is constantly improving regulation in the field of personal data, the agency told Izvestia. On May 30, 2025, the law increasing turnover-based fines for leaks of such information came into force. There were no repeat cases after that. Therefore, there is no need to strengthen liability yet, the press service noted.
Consultations with the industry and interested departments should be held for the possible introduction of a damage compensation mechanism, the ministry added.
Guaranteed payments in case of personal data leaks are a significant initiative, says Alina Rostoshinskaya, Head of the Corporate Responsibility Insurance and Financial Lines Department at Absolut Insurance. In her opinion, a fund for payments can become a tool for fulfilling this idea.
The tightening of liability for personal data operators is global in nature, and this trend is fully justified. It automatically encourages operators to pay more attention to data protection, the expert emphasized. However, in her opinion, the measures still need to be worked out.
The NSIS will not be able to notify victims if a person has not taken out insurance (because he will not be in the system), so the notification mechanism needs to be organized differently, says the head of the NSIS Nikolai Galushin. The victim should seek compensation from the operator who leaked the information, and if he has a policy, he should contact the insurer.
In addition, compensation must be paid in proportion to the damage. If a person has suffered damage of 1 million, then he should not receive 5 thousand, he believes.
Alexey Yanin, Managing Director for Ratings of Insurance and Investment Companies at Expert RA, agreed with this. He wondered whether our personal data was really worth about three cups of coffee in a not very expensive Moscow coffee shop (about 1 thousand). On the other hand, something is better than nothing, and tougher liability for personal data operators may encourage them to invest in cybersecurity and data protection. At the same time, liability insurance tariffs need to be clearly worked out, the expert noted.
Almost all companies with full-time employees are now personal data operators, and even sole proprietors can be among them, said Alla Khrapunova, Deputy Director of the Fund for Borrowers' Rights. In her opinion, it is now important for such organizations to focus on protecting the security perimeter of their stored data, rather than on payments.
At the same time, it is necessary to strengthen the fight against the illegal use of this data, says Sergey Khudyakov, co-owner of insurance broker Mains. Many people face intrusive calls and fraud attempts using social engineering techniques on a daily basis. It is these real consequences that must be dealt with first.
Translated by Yandex Translate