Cyber-Attacks And Data Breaches: Compliance Tactics For Organizations


Cyber-attacks and data breaches pose major risks to companies, with financial and reputational effects. Ensuring data security requires both accountability and sophisticated technology. Below is an overview of the steps required under the PDPL and the TPC, published on January 28, to protect personal data and reduce risks in the digital world.

Cyber-attacks are currently a major issue for businesses because they can cause major financial and reputational damage. These attacks take various forms, including AI-driven attacks, hacking, ransomware and nation-state cyber-attacks. In Türkiye, the protection of personal data affected by cyber-attacks is primarily regulated by the Personal Data Protection Law ("PDPL"). Under the PDPL, businesses can take specific actions to defend themselves against these attacks and counteract their impact. Additionally, the Turkish Penal Code ("TPC") prescribes sanctions for the unlawful acquisition of personal data. This article provides an overview of cyber-attacks and the necessary actions businesses should take in response to data breaches.

Recent Cyber Incidents

According to the IBM Cost of a Data Breach Report 2024 [1], the average cost of a data breach has risen to 4.88 million USD. Among the industries most affected by data breaches, the healthcare sector ranks first, followed by the banking sector. The number of cyber-attacks has been steadily increasing, causing significant damage to businesses. According to the report of the Center for Strategic & International Studies [2] ("CSIS"), notable incidents from 2024 include:

  • October 2024: Egyptian agents targeted UAE state firms, using covert means to steal sensitive credentials.
  • September 2024: Russian cyberspies attacked Mongolian state sites, stealing browser cookies.
  • July 2024: A faulty Windows update by CrowdStrike caused a global IT outage, disrupting airlines and hospitals and costing Fortune 500 companies $5.4 billion.
  • March 2024: Microsoft reported that Russian attackers accessed its source code and internal systems, targeting senior managers.

Sanctions imposed by the TPC

Cyber-attacks usually result in significant data breaches. The resulting offences fall under the TPC, including unlawfully recording or obtaining personal data (Articles 135 and 136), unlawfully failing to destroy data (Article 138), and other offences. These acts are punishable by imprisonment:

  • Unlawfully recording personal data

According to Article 135 of the TPC, unlawfully recording personal data is punishable by 1 to 3 years' imprisonment, and the penalty is increased by 50% for sensitive categories of data.

  • Unlawfully obtaining or disclosing data

Article 136 addresses the unlawful disclosure, transmission or acquisition of personal data. A person who unlawfully discloses, transmits or obtains personal data may face imprisonment of 2 to 4 years. The penalty is increased where the data consists of the statements and images of the victim of the offence of sexual assault (insertion of an organ or other object into the body) recorded during the criminal investigation stage.

  • Failure to destroy data

Companies may retain personal data in accordance with the relevant legislation, and while they can set retention periods in their policies, this interval may be up to six months, as per Article 11 of the Regulation on Deletion, Destruction or Anonymization of Personal Data. Failure to destroy data after the legally mandated period has expired is punishable by imprisonment of one to two years, with additional penalties if the data should have been deleted or destroyed in accordance with the Criminal Procedure Law.

Public officials, or those who use their profession to commit the offence, are subject to harsher sanctions under Articles 135 and 136. In addition, under Article 140 of the TPC, legal entities may be subject to certain security measures as a result of the above-mentioned offences.

Steps to Take When Data is Breached

The data controller must inform the affected data subjects and the Personal Data Protection Board ("Board") when personal data is compromised. According to the Board's decision dated 24.01.2019 (Decision No. 2019/10) [3], the data controller is required to notify the Board within 72 hours, or as soon as possible. The notification to the Board must be submitted using the Personal Data Breach Notification Form, which can be accessed online at https://ihlalbildirim.kvkk.gov.tr/.

In cases where full information is not immediately available, the data controller may provide the information in stages, without undue delay. The Board recently sanctioned a bank for breaching the 72-hour deadline, rejecting justifications such as uncertainty regarding the information to be shared and inadequate understanding of the incident. The bank had consulted the related departments, internally assessed the necessity of notification, and used these factors in its defence for the delay. The Board held that these factors did not constitute valid justifications for the delay, pointing out that notification can be made in stages as the situation becomes clearer [4]. Thus, the 72-hour notification period begins when a data breach is suspected.

If the data controller is unable to notify the Board within 72 hours for a justifiable reason, the reasons for the delay must be explained to the Board.

Keeping a record of the root cause of the breach and the actions taken is essential for tracking all findings relating to the data breach. The Board may request this record.

Data Breach on the Part of the Data Processor

If the data breach occurs on the data processor's side, the data controller must be informed immediately. Given the short 72-hour period, quick action is important for businesses. The data processor should contact the data controller as soon as possible, as the data controller is responsible for the breach notification.

Data Breach by a Data Controller Residing Abroad

The Board's decision specifies that a data controller residing abroad must inform the Board if the breach affects data subjects who reside in Türkiye or if the affected data subjects receive goods and services offered in Türkiye. The same procedure as for domestic data controllers applies.

Financial and Reputational Sanctions

Following a data breach, failing to notify the Board and the data subjects can result in fines ranging from 204,285 TRY to 13,620,402 TRY [5]. Beyond monetary fines, companies may suffer reputational damage, as the Board publishes the details of the breach on its website.

According to Article 15/5 of the PDPL, the Board may impose an administrative fine together with an instruction decision, requiring the company to take preventive steps within 30 days. When the Board examines a data breach notification, it may go beyond the notification itself to investigate the matter. For example, it may ex officio review all data processing activities of the company, not limited to the subject matter of the notification. If the company fails to comply, it may face additional fines ranging from 340,476 TRY to 13,620,402 TRY [6] for failure to fulfil the decisions taken by the Board, and from 204,285 TRY to 13,620,402 TRY [7] for failure to fulfil the obligations regarding data security.

What Requirements Are Made Under the PDPL?

The data controller must take all necessary technical and administrative measures to prevent unauthorised processing of and access to personal data, in order to ensure the protection and security of that data. Data processors and data controllers must make sure that personal data is not used or disclosed for purposes other than those permitted by the PDPL.

To minimize the risk of data breaches, companies should conduct regular internal audits and risk analyses, and maintain personal data processing inventories. Employees should be trained to handle data breaches, and corporate policies should be developed to address these situations. Effective corporate communication and crisis management are also necessary for managing data breaches and protecting the company's reputation.

Conclusion

Cyber-attacks result in significant data breaches that affect not only a company's finances but also its reputation. In the event of a data breach, the data controller is required to keep the necessary documentation so that it is ready for the Board's review. Timely notification to the Board (within 72 hours) and to the affected data subjects (as soon as possible) is essential for maintaining both security and reputation. Companies can mitigate the impact of data breaches by implementing regular audits, risk analyses, personal data processing inventories, employee training and effective crisis management strategies, all while complying with PDPL and TPC requirements.

Footnotes

1. (Cost of a Data Breach Report 2024, 2024)

2. (Significant Cyber Incidents Since 2006, 2024)

3. (Announcement Regarding the Personal Data Protection Board Decision Dated January 24, 2019 and Numbered 2019/10 Regarding the Procedures and Principles of Breach Notification (only in Turkish), n.d.)

4. (Summary of the Decision of the Personal Data Protection Board dated 07/05/2020 and numbered 2020/359 "About a bank's data breach notification" (only in Turkish), n.d.)

5. The fine amounts mentioned in this article change annually based on the revaluation rate. The amounts provided are based on the 2025 rate.

6. The fine amounts mentioned in this article change annually based on the revaluation rate. The amounts provided are based on the 2025 rate.

7. The fine amounts mentioned in this article change annually based on the revaluation rate. The amounts provided are based on the 2025 rate.

The content of this article is intended to serve as a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.