ARTICLE
23 February 2022

Turkish Data Protection Regulation Update By Regulatory Authority: Technical And Administrative Measures To Be Taken

Karayel Metin Akbulut Attorneys at Law

Contributor

Karayel Metin Akbulut Attorneys at Law offers a diverse range of legal services to its national and multi-national clients, particularly in corporate transactions, mergers & acquisitions, intellectual property & technology law, fintech law, dispute resolution including litigation and arbitration, employment, banking & finance, energy, competition/antitrust, real estate and white collar crime.
Turkey Privacy

On 15 February 2022, the Personal Data Protection Board (the "Board") published its public announcement on the Technical and Administrative Measures Recommended to Data Controllers Regarding User Security.

The announcement states that, on evaluating the data breach notifications recently submitted to the Board, it was observed that user account credentials used to log in to the websites of data controllers operating in sectors such as finance, e-commerce, social media and gaming are being published openly on certain websites. The Board further determined that those who obtained these credentials actively access the data controllers' websites without the users' knowledge, and that the personal data of the data subjects concerned can be viewed in this way.

The Board also noted that, at various times, personal data obtained from the systems of data controllers or by exploiting security vulnerabilities in end-user computers has been unlawfully shared and offered for sale for economic gain, and that such data can be circulated and archived by malicious actors and re-marketed as part of larger data sets.

To prevent these frequently experienced data breaches, or to reduce the likelihood of adverse consequences for data subjects where a breach does occur, the Board recommends that data controllers consider the following technical and administrative measures:

  • Establishing two-factor authentication and offering it to users as an additional security option from the membership application (sign-up) stage,
  • Where an account is accessed from a device other than those that regularly access it, sending the login details to the data subject's registered contact address by e-mail, SMS or similar means,
  • Protecting applications with HTTPS (Hypertext Transfer Protocol Secure) or in a way that provides an equivalent level of security,
  • Protecting stored user passwords against cyber-attack methods with secure and up-to-date hashing algorithms,
  • Limiting the number of unsuccessful login attempts from a single IP (Internet Protocol) address,
  • Enabling data subjects to view at least their last 5 successful and unsuccessful login attempts,
  • Reminding data subjects that the same password should not be used on more than one platform,
  • Establishing a password policy and ensuring that user passwords are changed periodically, or reminding data subjects to do so,
  • Preventing a newly created password from being the same as an earlier one (at least the last three passwords),
  • Using technologies that distinguish human from automated behaviour (CAPTCHA, simple arithmetic challenges, etc.) when users log in to their accounts,
  • Restricting the IP addresses that are permitted to access the systems,
  • Requiring passwords entered into the data controller's systems to be at least 10 characters long and to combine upper- and lower-case letters, numbers and special characters, so that strong passwords are created,
  • Where third-party software or services are used to log in to the data controller's systems, applying the security updates of that software and those services regularly and carrying out the necessary controls,

The Board recommends that data controllers select the measures appropriate to them from this list on the basis of their own risk assessments.
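Several of the recommended measures (modern password hashing, a length and complexity policy, rejection of the last three passwords, a per-IP limit on failed logins, a visible history of the last five attempts, and a notification when an unfamiliar device logs in) map directly onto a handful of account-service controls. The following is an added example written for this summary, not code from the article or from the Board's announcement; it uses only the Python standard library, and the class names, the per-IP threshold of five failures and the notification text are assumptions, since the announcement sets none. It stores each password as a salted scrypt digest rather than a bare MD5 or SHA-1 hash, which is what "secure and up-to-date hashing" means in practice.

```python
"""Worked model of the Board's recommended user-security controls.
Added example, not the article's or the Board's code; names, thresholds
and messages are assumptions. Standard library only."""
from __future__ import annotations
import hashlib
import hmac
import os
import re
from collections import deque
from dataclasses import dataclass, field

MIN_PASSWORD_LENGTH = 10   # announcement: at least 10 characters
PASSWORD_HISTORY = 3       # announcement: no reuse of at least the last three
LOGIN_HISTORY = 5          # announcement: show at least the last five attempts
MAX_FAILURES_PER_IP = 5    # assumed threshold; the announcement fixes none
CHARACTER_CLASSES = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")


def password_meets_policy(password: str) -> bool:
    """Length >= 10 and upper, lower, digit and special character all present."""
    return len(password) >= MIN_PASSWORD_LENGTH and all(
        re.search(cls, password) for cls in CHARACTER_CLASSES)


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Per-password random salt plus scrypt (memory-hard), not a bare fast digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Account:
    salt: bytes
    digest: bytes
    # (salt, digest) of the last PASSWORD_HISTORY passwords; the deque drops the oldest
    previous: deque = field(default_factory=lambda: deque(maxlen=PASSWORD_HISTORY))
    # (ip, device, success) of the last LOGIN_HISTORY attempts, shown to the user
    attempts: deque = field(default_factory=lambda: deque(maxlen=LOGIN_HISTORY))
    known_devices: set = field(default_factory=set)


class AccountService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.failures_by_ip: dict[str, int] = {}
        self.notifications: list[str] = []   # stands in for e-mail/SMS delivery

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet the length/complexity policy")
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def change_password(self, username: str, new_password: str) -> None:
        acct = self.accounts[username]
        if not password_meets_policy(new_password):
            raise ValueError("password does not meet the length/complexity policy")
        # Each stored hash has its own salt, so reuse is detected by re-deriving.
        for salt, digest in [(acct.salt, acct.digest), *acct.previous]:
            if verify_password(new_password, salt, digest):
                raise ValueError("password matches the current or a recent password")
        acct.previous.append((acct.salt, acct.digest))
        acct.salt, acct.digest = hash_password(new_password)

    def login(self, username: str, password: str, ip: str, device: str) -> str:
        """Returns 'locked', 'failed' or 'ok'; records the attempt, notifies on a new device."""
        if self.failures_by_ip.get(ip, 0) >= MAX_FAILURES_PER_IP:
            return "locked"                      # per-IP limit on failed attempts
        acct = self.accounts.get(username)
        ok = acct is not None and verify_password(password, acct.salt, acct.digest)
        if acct is not None:
            acct.attempts.append((ip, device, ok))
        if not ok:
            self.failures_by_ip[ip] = self.failures_by_ip.get(ip, 0) + 1
            return "failed"
        self.failures_by_ip.pop(ip, None)
        if device not in acct.known_devices:     # first login from this device
            acct.known_devices.add(device)
            self.notifications.append(
                f"{username}: new login from device {device!r} at IP {ip}")
        return "ok"

    def recent_attempts(self, username: str) -> list[tuple[str, str, bool]]:
        """The last five (or fewer) attempts, oldest first, for the user's own view."""
        return list(self.accounts[username].attempts)
```

The history check keeps the current hash plus the three previous ones, so a user cannot rotate back to any of the last four passwords, which satisfies the "at least the last three" wording. The per-IP counter is reset only by a successful login from that address; a production service would also expire it after a time window so that a shared office address is not locked out indefinitely.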

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

