Data breaches must be reported and will be fined
This post is over 5 years old, it may be out of date.
As of January 1, 2016, organizations are obliged by law to report data leaks. If you notice that you have access to personal data that you shouldn’t have, you have to report that, e.g. to C&CZ and/or CERT-RU. If you yourself are working with personal data, you need to do that securely. Unsecure handling of personal data could lead to a huge fine. In the near future, extra attention will be given to informing and involving the RU community w.r.t. this issue.