Vyacheslav Khayryuzov heads the digital business and data privacy practice in the Noerr Moscow office, and advises clients in the technology, retail and media sectors. He is experienced in international IT and software law, data privacy and regulatory issues, as well as commercial, IP and media law issues in Russia. He represents national and international clients, from start-ups to large corporations.
Vyacheslav was recommended for TMT in Russia in The Legal 500 EMEA in 2016, 2017 and 2018, which stated: ‘Noerr’s Vyacheslav Khayryuzov has an excellent knowledge of privacy and data protection law and provides advice that considers business needs.’ Chambers Europe also states: ‘Sources note he is clear in his assessment of possible risks and very practical’. Since 2012, he has been named among the world’s leading lawyers in TMT by Who’s Who Legal. The Who’s Who Legal Russia Special Report described Vyacheslav, among other things, as ‘simply fantastic’ and having a ‘brilliant way with clients’. He has also been listed among the best lawyers for IT Law in Russia in Best Lawyers 2014–2019 and the Russian lawyers ranking Kommersant.
GTDT: What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?
Vyacheslav Khayryuzov: The topic of cybersecurity is becoming more and more important in Russian discussions. The first issue that comes to mind is the alleged Russian hacking of the US presidential elections. The US media reported that the US administration contemplated an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election. According to the media at least, the CIA has been asked to deliver options to the White House for a cyber operation designed to harass and ‘embarrass’ the Kremlin leadership.
Other infamous cybersecurity issues were the WannaCry and Petrwrap/Petya ransomware attacks. Major Russian and Western companies working in Russia were paralysed by the attacks for several days.
All these security issues have supported calls for Russia’s internet infrastructure to be protected. As a consequence, on 26 July 2017, Russia adopted Federal Law No. 187-FZ ‘On the Security of Critical Information Infrastructure of the Russian Federation’. The law sets out the basic principles for ensuring the security of critical information infrastructure, the related powers of the Russian state bodies, as well as the rights, obligations and responsibilities of persons owning facilities with critical information infrastructure, communications providers and information systems providing interaction with these facilities.
The elements of the critical information infrastructure are understood to be information systems, telecommunication networks of state authorities as well as such systems and networks for the management of technological processes that are used in the state defence, healthcare, transport, communication, finance, energy, fuel, nuclear, aerospace, mining, metalworking and chemical industries. All these industries are considered critical for the economy and should be protected against any cyberthreats. The law requires the implementation of protection measures, assigning the category of protection (in accordance with the by-laws) and then registering with the Federal Service for Technical and Export Control, which will be in charge of the supervision in this field. Businesses currently have many questions for the authorities about this law, which is very broadly drafted. The most pertinent is whether the law applies to the relevant business or not, since even internal LAN networks under its general rules may be considered critical information infrastructure. However, the authorities say that this is an incorrect interpretation. The lack of enforcement practice also does not help clarify the situation.
Another legislative initiative in Russia was the banning of virtual private network (VPN) services that do not cooperate with the government, for instance, in relation to copyright, data protection or other law infringements. With effect from 1 November 2017, Russia enacted the new bill on this subject. The main targets of the bill are obviously notorious anonymisers such as Tor. However, the ordinary business can also be affected. One of the main questions yet to be clarified is whether VPNs used by businesses would also be restricted in their use. The bill contains an exemption that can be interpreted as being that if an entity uses a VPN tool, the entity needs to define the users of the tool (eg, which employees can use the tool – such as in an internal IT policy) and use it only for the purposes of its business. If this understanding is correct, then this exemption may be useful for the business community. The law has so far never been enforced in practice by the authorities and, therefore, the questions still remain.
There are also other various initiatives related to regulation of big data and even the creation of the Infocommunication Code, which would codify the relevant aspects of information law including cybersecurity issues that are currently sporadically regulated by different laws.
GTDT: When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?
VK: This is an interesting topic, since Russian data breach notification rules here differ from European rules, for instance, and sometimes it is difficult to see the logic of these rules. It is generally accepted in Russia that Russian data protection law was greatly inspired by European laws. This is obvious from a high-level reading of the Russian law on personal data. However, it appears that the concept of data breach notification was simply misunderstood by Russian lawmakers. As a result, there is no data breach notification requirement under Russian law, at least as it is understood in some other jurisdictions. As part of the Russian data protection law, there is a requirement to notify individuals and the data protection authority on the resolved breach if a breach was found by an individual or the data protection authority and they requested that it be resolved. Data operators must notify individuals whose data was breached or the data protection authority (if the request to resolve the breach comes from it). This means that the authority or the individual needs to know that there was a breach. And what happens if they do not know? Practically speaking, this means that companies can relax and do nothing – at least in this respect, as other Russian rules on data protection are fairly burdensome – unless they are requested by the authority or by an individual to notify them of the resolved breach.
GTDT: What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?
VK: The biggest issues are not fines or other regulatory consequences, as some might assume. Dealing with the Russian data protection authority in the event of a data security incident may be cumbersome and result in fines (which are fairly small – up to approximately US$1,000), but not more than that. Obviously, the biggest threat is a potential damage to reputation. In May, the WannaCry attack infected thousands of computers worldwide, and some law firms started to share their expertise in cybersecurity compliance, offering solutions for affected companies. After the mentioned attack of Petya on a major US law firm it may well be that clients in future will think twice before asking it for cybersecurity advice. The damage to the firm’s reputation is obviously considerable and yet be quantified. On the other hand, it is obvious that in the modern world it is practically impossible to stay 100 per cent protected from any cybersecurity threats. Even companies that consider cybersecurity of utmost importance are still vulnerable to cybersecurity attacks merely because they use information technology in their daily business.
GTDT: What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?
VK: As a rule, Russian companies need to ensure that their systems in Russia are compliant with the technical requirements of the Federal Security Service of Russia (FSB) and the Federal Service for Technical and Export Control of Russia (FSTEC). Normally, it is advisable that the formation of a Russian IT environment and related IT compliance procedures be implemented with the assistance of a Russian company specialising in IT security and with an FSTEC licence to perform works related to data security (protection of confidential information). An IT security company can also assist with preparing a set of internal documentation: internal documents on technical issues of personal data protection, description of the IT security infrastructure and the measures to be taken by the company to prevent data breaches (eg, threat models, technical assignments). They could also advise on which hardware and software needs to be installed to ensure data security. Obviously, at this stage of development of IT technology it is highly advisable not to rely on one’s own IT resources, but rather call in an outsourced provider of IT security services and let professionals build the company’s data security ‘walls’.
There is no data breach notification requirement under Russian law,
at least as it is understood in some other jurisdictions.
GTDT: Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud-hosting environment?
VK: The main concern is the infamous data localisation. Owing to the recent data localisation law, the collection of personal data from Russians and further direct storage in a cloud located abroad is no longer permitted.
The law created a new procedure restricting access to websites violating Russian laws on personal data and imposed a requirement to store the personal data of Russian citizens on servers located in Russia (this obviously gives a huge boost to the development of the Russian data centre industry).
The personal data of Russian citizens must be stored and processed using databases located in Russia. The requirement can be complied with by placing the website database with the personal data of Russians in a Russia-based data centre or server. This Russian database must be primary, and the foreign cloud has to be the ‘secondary’ database (ie, only a partial or full (mirroring) copy of the primary Russian database). This essentially means that the initial hosting must be located in Russia. For some time the data localisation requirements were barely enforced. However, in 2016, a major case involving LinkedIn attracted a great deal of public attention. A Russian district court upheld a claim by the Russian data protection authority (Roscomnadzor) seeking restriction of access to LinkedIn in Russian territory. The court found LinkedIn was storing and processing the personal data of Russian citizens on servers located outside Russia. On this basis, the court declared LinkedIn to be in violation of the personal data laws and ordered Roscomnadzor to take steps to restrict access to LinkedIn. Currently, LinkedIn remains blocked in Russia.
One other topic for concerns are the amendments to the Russian Information Law, which finally came into force on 1 July 2018. The amendments directly affect Russia’s telecom and internet industries. In particular, mobile operators need to store recordings of all phone calls and the content of all text messages for a period of six months, entailing huge costs, while internet companies (eg, messengers) need to store the recordings of all phone calls and the content of all text messages for six months and the related metadata for one year. In addition, the amendments require any such communications to be provided to Russian police and intelligence at their request and the installation of special systems used for investigation purposes or to ‘reconcile the use of software and hardware with the authorities’ as well as to provide the security authorities with decryption keys if the messages are encrypted.
The amendments have already resulted in occasional blockings (such as BlackBerry Messenger); however, owing to the limited popularity of such messengers, the enforcement cases did not attract much attention. Everything then changed with a case regarding one of the most popular messengers in Russia – Telegram.
Telegram has frequently commented in the press that it is unable to provide decryption keys because of the nature of end-to-end encryption technology, while the FSB believed this is technically possible. Telegram refused to provide the FSB with any decryption keys and, therefore, on 13 April 2018, the Taganskyi District Court of Moscow upheld Roscomnadzor’s request to block access to Telegram. On 16 April 2018, Roscomnadzor reached out to telecoms operators, requesting that they commence blocking the messenger. All Russian telecoms operators are obliged to block access to the relevant resources.
Telegram’s lawyers appealed this decision without success. As of April 2018, Roscomnadzor has been trying to block Telegram using its IP address, which seems to be an ineffectual strategy. Telegram decided to disobey the court decision and defy Roscomnadzor (luckily, it has no actual presence in Russia) and started jumping from one IP address to another. At one time, Roscomnadzor was blocking millions of IP addresses, which caused interruptions to many internet services (including those hosted on the Amazon and Google networks) and caused negative critics of Roscomnadzor by other authorities, the internet ombudsman and businesses. The case is ongoing and Telegram is still available despite Roscomnadzor’s actions.
Collection of personal data from Russians and further direct storage in a cloud located abroad is no longer permitted.
GTDT: How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?
VK: The Russian government is very keen to combat cybercrime and is even imposing various rules in the laws aimed at increasing the cybersecurity of businesses. For instance, all companies dealing with personal data must apply certain technical and organisational measures aimed at protecting data and also use software certified by Russian authorities.
Any computer fraud, unauthorised data accesses or creation of malicious software may result in criminal liability. However, the number of real cases of hackers being convicted is fairly low. The reason for this is unclear and certainly gives rise to speculation.
Russia refused to ratify the Council of Europe’s Convention on Cybercrime and, based on the discussions within the Russian government, it appears that the convention will not be ratified by Russia. The Russian government’s officials claimed that they do not agree with the convention’s provisions providing for the sanctioned access of one member state to computer data stored on the territory of another member state without the prior consent of the latter. The officials justify this on grounds of national security.
State officials have said that Russia’s approach to combating cybercrime consists of ‘the prompt and adequate cooperation of law enforcement authorities of different countries, as well as of the non-admission of investigations on a foreign territory without the notification of the law enforcement authorities of the state concerned’. Moreover, the authorities believe that Russia is considering promoting an approach that provides for the development of a global convention on combating crimes in the information sphere instead of the Budapest Convention, which only applies regionally and will not be fully effective. Following a proposal put forward by Russia, in May 2010 the UN Commission on Crime Prevention and Criminal Justice established an intergovernmental expert group to draft proposals to improve the international legal framework in this sphere.
Mobile operators need to store the recordings of all phone calls and the content of all text messages for a period of six months.
GTDT: When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?
VK: Apart from standard confidentiality and privacy precautions such as encrypted data rooms and non-disclosure agreements, companies entering into M&A deals in Russia should consider personal data transfer issues before starting the due diligence process. As mentioned, owing to the recent data localisation law, the collection of personal data of Russian citizens and further direct storage in a cloud located abroad is no longer permitted. Therefore, a potential foreign purchaser should double check whether personal data (for instance, of the employees of the target company) is stored in a Russian primary database and whether the relevant consent given by such employees to the seller allows for the transfer of their data to the purchaser. Violation of these rules may result in fairly negative consequences for the purchaser, since in certain circumstances Russian data protection authorities can even block access to the purchaser’s website as a part of their enforcement actions.
The Inside Track
When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?
Because every cyberattack is unique and there are many different, rapidly emerging cyberthreats, there is no standard approach for selecting the best legal adviser. The following attributes could be useful:
- Russian market knowledge and close cooperation with IT security firms. Furthermore, lawyers can only be valuable in cybersecurity practice if they cooperate with a team of IT security specialists, preferably licensed by the Russian FSTEC.
- Fast response by lawyers and IT specialists 24/7/365 can be crucial in a cyberattack. Look for a reliable partner who can help build cybersecurity (including legal organisational and technical IT measures) from scratch or help fine-tune procedures to the Russian market.
- Look at the law firm’s portfolio of completed cybersecurity risk management projects.
- Perform a threat modelling exercise and expose the whole team (IT, PR, finance, legal) to a mock cyberattack to see how it would be dealt with in real life.
What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?
Russian laws (not just on privacy and cybersecurity) are changing rapidly. This fast changing regulatory environment is a big problem for businesses on the one hand, since they need to adjust quickly to the unstable legal framework, and, on the other hand, it makes advising on this issue very interesting. Since 2014, Russia has adopted many new privacy and cybersecurity laws. Most of these laws were rough and not fit for use and even law enforcement agencies struggled to interpret the rules and clarify to businesses what future enforcement would be like. Advising in such circumstances is like stumbling around in the dark, trying to find the right answers, cooperating with the authorities and tracking all the latest enforcement cases. This all makes advising on privacy and cybersecurity fairly complex, but extremely interesting.
How is the privacy landscape changing in your jurisdiction?
The data localisation law now requires storage of Russian citizens’ personal data on servers located in Russia. In June 2016, the Russian parliament adopted the Federal Law ‘On Amendment of the Federal Law On Counterterrorism and Related Laws of the Russian Federation Establishing Additional Counterterrorism and Public Security Measures’ (known as the Yarovaya Law). These amendments introduced changes to Russian legislation related to telecommunications and the internet. For instance, the law requires Russian communications service providers to store all information on their customers’ and internet users’ communications in Russia for specified periods.
The substitution of foreign software imports is another trend. The Russian government has created a register of Russian software and requires state agencies to purchase Russian software instead of foreign software, unless the authorities can prove the software has no equivalent in Russia.
What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?
Cybersecurity threats in Russia are generally similar to those elsewhere in the world. DDoS attacks and ransomware attacks are very common on the market and companies need to be prepared for them. On the other hand, the authorities are creating many obstacles to the regulation of privacy and cybersecurity and this should also be considered a point of risk for businesses. Companies coming to do business in Russia should also realise that data access requests from various state agencies (not only state security agencies) are not uncommon and the extent of the information that can be given to the authorities should always be considered carefully; this is where the advice of a competent lawyer is particularly useful.