20.08.2025

Personal Data Breach: Who Is Liable and How to Protect Your Business

Description

A personal data (PD) breach exposes a business not only to financial loss but also to serious reputational damage. Incidents do not arise only from external cyber-attacks; a significant share stems from internal errors, violations of procedure, and the actions (or omissions) of contractors who were granted access to the IT infrastructure or to the PD itself. The key question is: who bears liability if the breach is caused by a contractor?

Who is liable before the state?

The decisive factor is the status of the personal data operator (the entity that determines the purposes, scope, and means of PD processing). The operator is responsible for lawful processing, for the security of the data, and for protecting the rights of data subjects.
If a breach occurs through a contractor's fault, the operator nevertheless remains liable before the state authorities: it is the operator who pays the administrative fines and who deals with the regulator and with the data subjects. Outsourcing the processing does not outsource the liability.

At the same time, the operator may recover liquidated damages and/or losses from the contractor under civil law. For that to work in practice, the services agreement should expressly set out the contractor's liability for PD breaches and the compensation mechanisms, including an indemnity (compensation of losses) under Article 406.1 of the Civil Code of the Russian Federation and contractual penalties.

Mandatory notification to Roskomnadzor

The law requires the operator to notify Roskomnadzor of a PD breach within the prescribed time, to conduct an internal investigation, and to submit its results.

  • Notification deadline: within 24 hours from the moment the operator, Roskomnadzor, or any other interested party becomes aware of the breach. No extensions are provided: the clock runs on weekends and public holidays.

  • Investigation report: submit the results of the internal investigation to Roskomnadzor within 72 hours, counted from the same moment the breach was detected (not from the initial notification), so the investigation must start in parallel with preparing the notice.

Complaints about an alleged breach may be filed by competitors, consumers, or public organizations; on receiving one, Roskomnadzor may request information from the operator and require an official report.

Administrative liability as of 30 May 2025

Effective 30 May 2025, administrative penalties for PD violations were tightened, including those for failure to notify or late notification of a breach. Fines for a notification failure may reach RUB 3 million:

  • for officials of state/municipal bodies and non-profits: RUB 400,000–800,000;

  • for sole proprietors and companies: RUB 1,000,000–3,000,000.

Practical steps to mitigate risk

  • Update your PD processing policy and information security regulations so that they contain concrete procedures for detecting, preventing, and remediating breaches, not just general statements.

  • Contract for protection: in service agreements with contractors, fix the contractor's liability for PD security, a duty to report incidents promptly (fast enough for you to meet the 24-hour deadline), and the mechanism for recovering losses and penalties.

  • Document an incident response plan: roles and ownership, evidence collection and validation, preparation and dispatch of the notification to Roskomnadzor, communication with affected data subjects, and the workflow and deadlines of the internal investigation.

Source: Federal Law No. 420-FZ of 30.11.2024.