Recently, the Turkish Personal Data Protection Board ("Board") published two rulings on data breach notifications made by an insurance company and a company operating in the health sector. Both cases were evaluated against the requirement that the data controller take all necessary technical and administrative measures to ensure a level of data security appropriate to the protection of personal data. Considering the measures each controller had taken, the Board reached different conclusions in the two cases.
In the health sector case, the Board found that the company had taken technical and administrative measures before the breach occurred, such as keeping access logs regularly, performing penetration tests every year, using strong firewalls, taking extra security measures for personal data transferred on paper, classifying the relevant documents with a degree of confidentiality, securing backed-up personal data, and training employees on data breaches. The Board also took into consideration that, once the breach was detected, a data breach response procedure tailored to the case was implemented immediately, the unsuccessful access attempts were reported without delay to senior management and to the company's Personal Data Protection Committee, and a data security team was established at once. Based on these findings, the Board assessed that the breach was not caused by a lack of precaution on the part of the data controller, that the data controller had noticed the breach within a short time, and that the persons affected were notified within three working days as required by law; it further stated that the likelihood of negative consequences for the data subjects was low and that the data affected by the breach was easily accessible in the public domain. Consequently, the Board ruled that no sanction was necessary, since the data controller had taken all reasonable technical and administrative measures required under the law.
On the other hand, although the Board evaluated the same data security measures, it ruled against the insurance company. The breach in question was caused by a cyber-attack on the test server: the attacker entered the system after multiple login attempts on the user login screen of the data controller's website. The data controller notified the Board that, as a result of the unauthorized access, the database had been deleted from the company's server and a new database containing ransom demands had been uploaded, and that the person(s) who carried out the attack may have copied the personal data during the attack. The Board evaluated whether all reasonable technical and administrative measures had been taken and concluded that:
- The required annual penetration test had not been applied to the test server affected by the data breach,
- The data controller had not complied with the measures stipulated in its own IT Data Security and Data Breach Procedure,
- The passwords used by the data controller were not sufficiently complex and strong, and the attacker therefore succeeded in logging into the system after only 7 attempts,
- Neither secure communication methods (such as SSL or VPN) nor strong authentication methods (such as two-factor authentication) had been used as pre-breach measures when accessing the test server,
- The likelihood of negative consequences for the data subjects was quite high, since the data included significant information such as ID numbers,
- Although the negative effects of the unauthorized access could have been reduced by encrypting the breached data, the data controller had not taken such a measure either.
In addition, the Board stated that if the data controller had carried out its test procedures without storing personal data in the database, an option that current technology makes available, no personal data breach would have occurred in the event of a cyber-attack. On the basis of these evaluations, the Board determined that the technical and administrative measures necessary to ensure data security under the law had not been taken, and imposed an administrative fine on the data controller.
In short, these two recent rulings, which assessed the application of the same administrative and technical measures, show that the Board examines the specific features of each case thoroughly, and that the measures data controllers take both before and after a breach occurs matter.
Simge Kılıç, Nihan Ünal