Cyber-Attacks and Data Breaches: Compliance Strategies for Companies

28.01.2025


Cyber-attacks are a significant concern for companies today, as they can lead to substantial financial and reputational losses. These attacks can take various forms, including AI-driven attacks, phishing, ransomware, and nation-state cyber-attacks. In Türkiye, the protection of personal data affected by cyber-attacks is primarily regulated by the Personal Data Protection Law (“PDPL”). Companies can take certain actions to protect themselves from these attacks and mitigate their impact, as outlined by the PDPL. Additionally, the Turkish Penal Code (“TPC”) prescribes sanctions for the unlawful acquisition of personal data. This article provides an overview of cyber-attacks and the necessary steps companies should take in response to data breaches.

Recent Cyber Attacks

According to the IBM Cost of a Data Breach Report 2024[1], the average cost of a data breach has risen to 4.88 million USD. Among the sectors most affected by data breaches, healthcare ranks first, followed by finance. The number of cyber-attacks has been steadily increasing, causing significant damage to companies. According to the report of the Center for Strategic & International Studies[2] (“CSIS”), notable incidents from 2024 include:

  • October 2024: Iranian agents targeted UAE government agencies, using a backdoor to steal sensitive credentials.

  • September 2024: Russian cyber spies attacked Mongolian government websites, stealing browser cookies.

  • July 2024: A faulty CrowdStrike update for Windows systems caused a global IT outage, disrupting airlines and hospitals and costing Fortune 500 companies $5.4 billion.

  • March 2024: Microsoft reported that Russian hackers accessed its source code and internal systems, targeting senior executives.

Sanctions under the TPC

Cyber-attacks often result in significant data breaches. These breaches can fall under the scope of crimes covered by the TPC, including unlawfully recording personal data (Article 135), unlawfully giving or obtaining data (Article 136), and the non-destruction of data (Article 138). These crimes are punishable by imprisonment:

  • Unlawfully Recording Personal Data

Article 135 of the TPC stipulates that unlawfully recording personal data is punishable by 1 to 3 years of imprisonment, with the penalty increased by half for sensitive categories of data.

  • Unlawfully Giving or Obtaining Data

Article 136 addresses the unlawful giving, dissemination or obtaining of personal data. A person who unlawfully gives, disseminates, or obtains personal data faces imprisonment of 2 to 4 years. The penalty is increased if the crime involves statements and images of the victim of sexual abuse committed by inserting an organ or other object into the body, where those statements and images were recorded at the criminal investigation stage.

  • Non-Destruction of Data

Companies must retain personal data in accordance with the relevant legislation. While they may set retention periods in their own policies, this period cannot exceed six months, as per Article 11 of the Regulation on Deletion, Destruction or Anonymization of Personal Data. Failure to destroy data after the expiry of the legally prescribed period is punishable by imprisonment of 1 to 2 years, with the penalty increased if the data had to be eliminated or destroyed under the Criminal Procedure Law.

Public officials, or persons who exploit their profession to commit the crimes under Articles 135 and 136, face harsher penalties. In addition, under Article 140 of the TPC, legal entities may be subject to specific security measures as a result of the above-mentioned crimes.

Steps to Take When Data is Breached

When personal data is breached, the data controller must notify the affected data subjects and the Personal Data Protection Board (“Board”). According to the Board's decision[3] dated 24.01.2019 (Decision No. 2019/10), the data controller must notify the Board within 72 hours at the latest from the date of learning of the breach, and data subjects must be notified as soon as possible. The notification to the Board must be submitted using the Personal Data Breach Notification Form, which can be accessed online at https://ihlalbildirim.kvkk.gov.tr/.

In cases where full information is not immediately available, the data controller may provide information gradually, without undue delay. The Board has previously fined a bank for failing to meet the 72-hour deadline. The bank had internally evaluated whether notification was necessary, consulted the relevant units, and cited uncertainty about the information to be shared and an incomplete understanding of the incident in its defence for the delay. The Board ruled that these reasons did not constitute valid excuses, emphasizing that notification can be made progressively as the situation becomes clearer.[4] Therefore, the 72-hour notification period begins when the suspicion of a data breach arises.

If the data controller cannot notify the Board within 72 hours for a justifiable reason, the reasons for the delay must be explained to the Board.

It is essential to record all findings related to the data breach: the data controller should keep a breach record that documents the root cause of the breach and the measures taken. The Board may request this record.

Data Breach on the Part of the Data Processor

If the data breach occurs on the data processor's side, the data controller must be informed immediately. Given the short 72-hour timeframe, prompt action is critical for companies. The data processor must notify the data controller as soon as possible, as the data controller is responsible for the breach notification.

Data Breach by a Data Controller Residing Abroad

If the data controller is based abroad, the Board's decision clarifies that the data controller must notify the Board if the data breach affects data subjects residing in Türkiye or if the data subjects benefit from products and services offered in Türkiye. The notification should follow the same principles as for domestic controllers.

Financial and Moral Sanctions

Failure to notify the Board and data subjects after a data breach can result in fines ranging from 204,285 TRY to 13,620,402 TRY.[5] Beyond financial penalties, companies may suffer reputational damage, as the Board may publish the details of the breach on its website.

The Board may impose an administrative fine together with an instruction decision under Article 15/5 of the PDPL, requiring the company to take corrective actions within 30 days. When the Board investigates a data breach notification, it may expand the scope of its inquiry beyond the notification itself; for example, it may ex officio examine all of the company's processing activities, not only the subject matter of the notification. If the company fails to comply, it may face additional fines ranging from 340,476 TRY to 13,620,402 TRY[6] for failure to fulfil the Board's decisions and from 204,285 TRY to 13,620,402 TRY[7] for failure to fulfil its data security obligations.

Actions Required Under the PDPL

To ensure the protection and security of personal data, the data controller must take all necessary technical and administrative measures to prevent unlawful processing and access. Data controllers and data processors must ensure that personal data is not disclosed or used for purposes other than those specified in the PDPL.

To minimize the risk of data breaches, companies should conduct regular internal audits and risk analyses and maintain personal data processing inventories. Employees should be trained to handle data breaches, and corporate policies should be developed to address such situations. Effective corporate communication and crisis management are also essential for handling data breaches and protecting the company's reputation.

Conclusion

Cyber-attacks result in significant data breaches that not only affect a company's finances but also its reputation. In the event of a data breach, the data controller is required to document the breach and the measures taken, keeping this information ready for the Board's review. Timely notification to the Board (within 72 hours) and to affected data subjects (as soon as possible) is essential for maintaining both security and reputation. Companies can mitigate the impact of data breaches by implementing regular audits, risk analyses, personal data processing inventories, employee training, and effective crisis management strategies, all while complying with PDPL and TPC requirements.


References

Announcement Regarding the Decision of the Personal Data Protection Board Dated 24.01.2019 and Numbered 2019/10 Regarding the Procedures and Principles of Personal Data Breach Notification (Only in Turkish). (n.d.). Retrieved from Personal Data Protection Authority: https://www.kvkk.gov.tr/Icerik/5362/Veri-Ihlali-Bildirimi

Cost of a Data Breach Report 2024. (2024). Retrieved from IBM: https://www.ibm.com/reports/data-breach

Significant Cyber Incidents Since 2006. (2024). Retrieved from Center for Strategic and International Studies (CSIS): https://csis-website-prod.s3.amazonaws.com/s3fs-public/2024-11/241114_Significant_Cyber_Events.pdf?VersionId=x077LxbEUZ9.EQb8yEUMcTa5ebhzQHQe

Summary of the Decision of the Personal Data Protection Board dated 07/05/2020 and numbered 2020/359 “About a bank's data breach notification”(Only in Turkish). (n.d.). Retrieved from Personal Data Protection Authority: https://kvkk.gov.tr/Icerik/7028/2020-359


[1]  (Cost of a Data Breach Report 2024, 2024)

[2] (Significant Cyber Incidents Since 2006, 2024)

[3] (Announcement Regarding the Decision of the Personal Data Protection Board Dated 24.01.2019 and Numbered 2019/10 Regarding the Procedures and Principles of Personal Data Breach Notification (Only in Turkish), n.d.)

[4] (Summary of the Decision of the Personal Data Protection Board dated 07/05/2020 and numbered 2020/359 “About a bank's data breach notification”(Only in Turkish), n.d.)

[5] The fines mentioned in this article for violations are subject to annual changes based on the revaluation rate. The amounts provided are based on the 2025 rate.

[6] The fines mentioned in this article for violations are subject to annual changes based on the revaluation rate. The amounts provided are based on the 2025 rate.

[7] The fines mentioned in this article for violations are subject to annual changes based on the revaluation rate. The amounts provided are based on the 2025 rate.

This website is available “as is”. Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.