Cybersecurity 2024 - Part 4
Contents
- 6. Ability to Monitor Networks for Cybersecurity
- 6.1 Cybersecurity Defensive Measures
- 6.2 Intersection of Cybersecurity and Privacy or Data Protection
- 7. Cyberthreat Information Sharing Arrangements
- 7.1 Required or Authorised Sharing of Cybersecurity Information
- 7.2 Voluntary Information Sharing Opportunities
- 8. Significant Cybersecurity and Data Breach Regulatory Enforcement and Litigation
- 8.1 Regulatory Enforcement or Litigation
- 8.2 Significant Audits, Investigations or Penalties
- 8.3 Applicable Legal Standards
- 8.4 Significant Private Litigation
- 8.5 Class Actions
- 9. Cybersecurity Governance, Assessment and Resiliency
- 9.1 Corporate Governance Requirements
- 10. Due Diligence
- 10.1 Processes and Issues
- 10.2 Public Disclosure
- 11. Insurance, Artificial Intelligence and Other Cybersecurity Issues
- 11.1 Further Considerations Regarding Cybersecurity Regulation
6. Ability to Monitor Networks for Cybersecurity
6.1 Cybersecurity Defensive Measures
While there are no provisions that explicitly restrict network and website access monitoring, there are Turkish Constitutional Court decisions and DP Board resolutions that set forth principles for employers regarding accessing and/or monitoring their employees’ work computers, work mobile phones and other electronic devices. For such access/monitoring to be performed:
- employers must inform their employees beforehand;
- employers must have a legitimate purpose for accessing/monitoring the devices; and
- the accessing and/or monitoring must be proportionate to the legitimate purpose.
These principles can be used by analogy to similar activities, network monitoring and other cybersecurity defensive measures.
Moreover, the Internet Law requires hosting service providers and internet service providers to retain traffic data for one year at minimum (there is ambiguity regarding the retention period for hosting service providers in the relevant by-law).
Access providers must retain access logs that are required records for two years.
These entities are required to disclose this data to public prosecutors or other competent administrative authorities when requested.
Restrictions on Accessing and Sharing Insurance Data
The Insurance and Private Pension Regulatory and Supervisory Authority (the “Insurance Authority”) issued the By-Law on Insurance Data in 2022. The measures determined for the specified insurance data are as follows:
- data sharing with institutions, organisations and data centres other than member institutions is carried out through protocols signed by the Insurance Information and Surveillance Centre (the “Centre”) and upon approval of the Insurance Authority; and
- the Centre determines the authorised users with access to the data in the general database and the content of the data they can access upon approval of the Insurance Authority.
For data protection-related measures, please see 3.3 Legal Requirements and Specific Required Security Practices.
6.2 Intersection of Cybersecurity and Privacy or Data Protection
Cybersecurity and data protection are fundamentally linked and compatible disciplines, since both work towards the same goals and implement similar regulations and techniques.
However, there is always the risk of extreme cybersecurity precautions leaning towards excessive monitoring. Further down the line, this might cause damage to the data protection rights of the data subjects whose data is being processed within the scope of cybersecurity activities.
Thus, related actors and institutions should aim to establish and maintain a balance between these two disciplines.
7. Cyberthreat Information Sharing Arrangements
7.1 Required or Authorised Sharing of Cybersecurity Information
VERBIS is an open-to-public registry demonstrating the data-processing activities of controllers that have an obligation to register with this system.
The information to be disclosed to VERBIS includes technical and organisational measures adopted by the controller with respect to data protection.
Please also see 5.8 Reporting Triggers.
The TR-CERT, operated by ICTA, requires covered bodies (particularly operators in critical sectors) to notify it of cyber-incidents directly. The TR-CERT also publishes a list of known vulnerabilities through its official website.
7.2 Voluntary Information Sharing Opportunities
Controllers and processors are free to share information with other people and organisations, if it is necessary for performing their legal obligations or for carrying out their business activities.
However, when sharing information, controllers and processors must comply with their obligations arising from relevant data protection and cybersecurity legislation and legal contracts, especially non-disclosure agreements (NDAs), if any.
ICTA has an active contact point for accepting notification and denunciation from third parties. The authority welcomes voluntary information sharing.
8. Significant Cybersecurity and Data Breach Regulatory Enforcement and Litigation
8.1 Regulatory Enforcement or Litigation
ICTA does not usually publish cybersecurity fines through public mediums and prefers to keep such information confidential. However, an administrative fine decision is publicly available, dated 2022, where ICTA fined:
- a company operating in web design, trade mark registration and software services, in the amount of TRY1,142,902.20; and
- a company operating in hosting services, in the amount of TRY2,133,417.44.
This was for failure to take measures for the security precautions mentioned in ICTA’s communications, and failure to fulfil the obligations determined by ICTA regarding national cybersecurity activities and protection against cyber-attacks.
Furthermore, DP Authority decisions are not public unless the DP Authority publishes them or a summary thereof. The following are some recent summaries that the DP Authority published on its website related to lack of technical measures.
Decision Regarding an Airline Business
The data subject saw personal data of other passengers on the check-in page accessed with a surname and Passenger Name Record (PNR) combination owing to the airline company assigning the same PNR number to several passengers. The DP Board imposed an administrative fine of TRY300,000 for failure to adopt necessary technical and administrative measures and for failure to notify the data breach.
Decision Regarding an E-commerce Company
The address and contact information of a third party with a similar name to the data subject was on the package of the product delivered by the e-commerce company, owing to a “cross barcoding error”. The DP Board imposed an administrative fine of TRY75,000 for failure to adopt necessary technical and administrative measures.
8.2 Significant Audits, Investigations or Penalties
Please see 8.1 Regulatory Enforcement or Litigation.
8.3 Applicable Legal Standards
Applicable legal standards are explained through the text where applicable.
8.4 Significant Private Litigation
There is no major publicly known private litigation concerning cybersecurity.
8.5 Class Actions
Class actions are not applicable in Turkish Law.
9. Cybersecurity Governance, Assessment and Resiliency
9.1 Corporate Governance Requirements
Responsibilities of the Board of Directors (BoD)
The TCC addresses the responsibilities of the BoD, which must act in the best interest of the company and its shareholders under a broad duty of care. These broad responsibilities are deemed to include overseeing and approving cybersecurity policies and strategies to protect the company’s information assets and systems from cyber threats.
The BoD is the competent and responsible body for adopting adequate technical and organisational measures under the DP Law in connection with the company’s personal data-processing activities.
In the payment services sector, the Communiqué on Data Sharing in Payment Services obliges organisations to ensure the security of information systems and to hold the BoD accountable for the management thereof. The BoD must conduct an annual risk assessment on information systems and submit the report on the results of this assessment to the TRCB by the end of January each year.
Appointment of a Chief Information Security Officer (CISO)
There are no specific provisions requiring the appointment of a CISO. However, in practice, companies occasionally appoint one.
Appointment of a CISO may be regarded as an organisational measure under the DP Law to ensure the security of personal data, as well as falling within the broad responsibilities of the BoD.
Training Requirements and Certifications
There is no overarching legislation providing a cybersecurity training requirement for the BoD or company personnel in the private sector.
However, in the public sector, public institutions (eg, regulatory bodies or sector-specific institutions) have specific regulations for the qualifications of their personnel.
Guidelines for sectoral and institutional CERTs also involve capacity and qualification requirements for their personnel and list the mandatory training thereof.
Risk Assessments
For companies operating in critical infrastructure sectors, certain pieces of sectoral legislation require periodic risk analysis to ensure the safety of these infrastructures.
For example, the By-Law on Cybersecurity Competency Model in the Energy Sector grants authority to the Energy Sector Regulation Board to define principles and procedures of the security analysis for industrial control systems risks. Regular vulnerability assessments and penetration tests are among the technical measures that are recommended by the DP Authority. Please see 3.3 Legal Requirements and Specific Required Security Practices.
Standards for Recovery and Resiliency
There are no required standards for recovery and resilience actions to be taken after a cyber-attack. However, as an international standard, the ISO/IEC 27031 has been translated into Turkish law by the TSI as the “Guidelines for information and communication technology readiness for business continuity”.
The By-Law on NIS in the E-Communications Sector sets forth an obligation to submit a report to ICTA that includes a business continuity plan. The DP Authority also recommends regular data back-up.
Please see 3.3 Legal Requirements and Specific Required Security Practices and 4.3 Critical Infrastructure, Networks, Systems and Software.
10. Due Diligence
10.1 Processes and Issues
Carrying out due diligence over a target organisation rests on “legitimate interest” as its legal basis.
When requesting and sharing personal data during a due diligence process, “proportionality” and “data minimisation” principles must be taken into consideration.
10.2 Public Disclosure
The relevant capital markets regulations impose an obligation on companies carrying out a public offering to state the risks of the business beforehand. Although there is no specific requirement to state cybersecurity risks, they should be mentioned during a public offering, if known.
The information submitted to VERBIS is publicly available, including “technical and organisational measures” adopted for the security of personal data.
For information about notifying the affected persons, please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.
11. Insurance, Artificial Intelligence and Other Cybersecurity Issues
11.1 Further Considerations Regarding Cybersecurity Regulation
In Türkiye, cybersecurity insurance has not been regulated as a mandatory obligation. However, some insurance companies residing in Türkiye issue cybersecurity insurance policies, and most warrant the following protections:
- administrative fines regarding personal data;
- data protection damage;
- cyber-ransom damage;
- information security and secrecy responsibility;
- network security responsibility;
- data breach costs;
- business interruption insurance; and
- legal expenses.
The DTO’s National Artificial Intelligence Strategy for 2021–2025 is a framework document outlining strategic priorities, goals and measures. The strategic priorities are as follows:
- training AI experts and increasing employment in the field of AI;
- supporting research, entrepreneurship and innovation;
- broadening access opportunities to quality data and technical infrastructure;
- taking regulatory actions to expedite socioeconomic compliance;
- strengthening co-operation at the international level; and
- expediting structural and workforce transformation.
* Originally published by Chambers & Partners on 14 March 2024.