Limitation of Technical Measures for KVKK

It has been almost 4 years since the Personal Data Protection Law (Law) came into force. The fact that an administrative fine of up to 1.8 million TL may be imposed for failure to comply with the obligation to register with the Data Controllers Registry VERBIS was the most important motivation that pushed companies to learn about this issue. However, of course, the law does not only impose the obligation to be registered. Ultimately, it is possible to avoid this risk by registering in the registry and keeping it updated. However, the ceiling amount of administrative fines that can be imposed for failure to fulfill the data controller’s obligations regarding data security, regulated in Article 12 of the Law, is the same as not being registered in the registry, and eliminating this risk is not as easy as registration in the registry.

Obligations of the data controller regarding data security regulated in Article 12 of the Law; To prevent and preserve personal data from unlawful processing and unlawful access. It must take all necessary technical and administrative measures to ensure the appropriate level of security to ensure these.

The definition of all kinds of technical and administrative measures covers a very broad field. After all, every measure taken has a cost. What happens if we have taken all the precautions we deem necessary but still experience a data breach? How can a measure be identified that is not necessary, and what kind of problems will it cause if it later turns out to be necessary?

Board decisions made and published by the relevant Personal Data Protection Board can be guiding in finding answers to these questions. However, the subject of this article will be limited to the events related to the personal data held by the data controller and the technical measures taken regarding this. Because most of the Board decisions that impose administrative fines arise from the deliberate practices of the data controller. For example, collecting more personal data than necessary or using it for purposes other than purpose. The way to avoid these is to avoid data processing that is determined to be unlawful by having sufficient knowledge and experience in the protection of personal data. Some errors are non-technical and are due to incorrect planning or non-compliance with business processes. These decisions are also beyond the scope of the article.

In a decision of the Board

“When the security measures stated to have been taken by the company before the breach and the list of malware sent in the notification annex are examined; Attackers can move horizontally on the systems and affect the Customer Loyalty System (CLS), Online Business Service Platform (EBSP), website admin console (iRedeem), Customer Information System (CIS). “It is an indication that the safety measures taken were not carried out and the security measures taken were insufficient” (Cathay Pacific Airway, 16.05.2019, 2019/144)

An administrative fine of 450,000 TL was imposed for not taking the necessary security measures.

“It was determined that the attacker entered the Starwood network by installing a command prompt on the web server, and after gaining access to the web server, the attacker installed a trojan horse (RAT) that provided remote access to the web server, the attacker then installed additional tools that collected credentials and then accessed other devices on the Starwood network.” “The failure to detect that it used its credentials and internal network connectivity to gain access is an indication of the inadequacy of the technical and administrative measures taken” (Marriott International, 16.05.2019, 2019/143).

In his decision, where his statements were included, he also imposed a fine of 1,100,000 TL due to the failure to take security measures.

In both of these examples, penalties were given because security measures were not taken or implemented properly. However, the Board also has decisions that impose penalties in cases where security measures are in place.

The health report of Şenol Güneş, who was injured in the head during the eventful Fenerbahçe-Beşiktaş Turkish Cup match, was spread on social media. The board launched an ex officio investigation and fined the hospital. The report was transferred outside as an image, not over the network. A photo of the screen of the other device was taken with a mobile phone and then shared. As far as I know, there is no technical measure that can prevent the screenshot of a mobile phone from being photographed. I heard that it is not possible to take photos with a mobile phone on the monitors used in military facilities with high security, but those monitors are ultimately private and this solution would be a very expensive solution.

Another example is about a bank. As it is known, the security levels of banks are very high and they try to take all kinds of technical and administrative measures for information security. In the Board’s decision dated 26.11.2019 and numbered 2019/352

“Although it is stated that the Data Leak Detection/Prevention System exists for e-mails sent by employees outside the Bank, there is a personal data leak from the corporate e-mail that caused the violation in question and the measures taken are not sufficient to prevent this violation,

The bank stated as a technical precaution that “If e-mails containing credit card numbers are intended to be sent outside the Bank, if the number of cards is above a certain number, this e-mail is quarantined and cannot be sent”, and that the measure is at a level that can be easily overcome by malicious people regarding such violations,

Identity card, balance, ID, contact, credit card number, etc. of persons affected by the breach. information was leaked and fake documents were prepared using this information, thus facilitating high-amount fraud activities,

“The specified measures do not prevent large amounts of money withdrawals and issuance of false documents without the customer’s knowledge.”

The bank was given an administrative fine of 70,000 TL for not taking the necessary technical and administrative measures to ensure data security. In this case, the bank that is responsible for the data has the necessary software, but it was penalized due to the deficiency that was said to be caused by its construction.

Is there really a deficiency?

Security measures, whether data-related or life-related, have consequences such as making life difficult. Extra steps are added for tasks that can be done in a short time. If these steps are increased too much, life will become unbearable.

Personal data is obtained, stored, transferred and destroyed. Security measures make this difficult. There must be such a level that neither security is compromised nor processing becomes difficult. Unfortunately, such a world does not exist. Decision makers have to make a decision about the number and intensity of security measures and how difficult it will be to do business. And of course, there is cost and risk analysis. How much money can be spent or what will be the budget?

Another question is, how can precautions be taken against risks that we are not yet aware of? For example, what can be done against zero-day vulnerabilities, for which there is no precaution other than installing patches when discovered?

First of all, this should be known. No matter what technical or administrative measures are taken, it is not an option for the Board not to impose an administrative fine when a data breach occurs. Because the occurrence of a violation is a result that shows that all necessary technical and administrative measures have not been taken. If we accept that all necessary technical measures have been identified, the cost of implementation will be very high. In this case, the realization of the risk will become preferable.

The benefit of taking precautions in case of data breach will be effective in determining the penalty to be imposed by the Board. The more precautions are taken, the lower the penalty will be. But of course it will not be able to go below the lower level.

Another option is to not notify the Board and relevant persons of detected data breaches. Not reporting a data breach has become an option, as the penalties stipulated in the GDPR in the European Union are up to 4% of global turnover. A similar situation may be valid for our country, but it should not be forgotten that if the data breach is detected by the relevant persons and reported to the Board, the possible penalty will be much higher than the penalty sought to be avoided.

Hunting. Hasan Selçuk TURAN

Who is Hasan Selçuk TURAN?