The Personal Data Protection Board (“the Board”) has recently made an exemplary decision that contains assessments important for data controllers. The case concerned a pharmaceutical company in possession of sensitive personal data, which was fined for negligence in failing to adequately protect and back up the data it held. This may be an important decision especially for companies that, due to the nature of their activities, may end up holding sensitive personal data and may be fined unless they satisfy a certain duty of care. The decision was published on the website of the Board on 09.08.2021.

The Board’s decision of 16.06.2020 no. 2020/463 concerns a data breach notification by a data controller operating in the pharmaceutical industry. The notification stated that the attack was carried out by an employee of the company from which the data controller had been receiving cyber security support, via the IP address of that company, and that this employee was also a former employee of the data controller. Upon examination of the data breach notification, the Board made the following evaluations:
A multinational company working on sensitive personal data should perform penetration tests and risk analyses for such attacks, identify threats, close security gaps, and take measures to ensure data security by tracking log records; not doing so is against Article 3.2 of the Personal Data Security Guide: “…It is necessary to regularly check security software messages, access control records and other reporting tools, take action on warnings from these systems, and regularly perform vulnerability scans and penetration tests in order to protect information systems against known vulnerabilities and evaluations should be made according to the results of the tests on the emerging security vulnerabilities. …”
The deletion of the data by the data controller in the Data Domain server where the backup files of the servers are stored constitutes a violation in terms of the statements under Article 3.6 of the Personal Data Security Guide: “…there could be malware that forces the data controller to pay a ransom. It is recommended to develop data backup strategies to ensure personal data security against such malicious software. On the other hand, backed up personal data should be accessible only by the system administrator, and data set backups should be kept out of the network. Otherwise, you may be faced with the use of malware on data set backups or the deletion and destruction of data…”
Considering the above evaluations, an administrative fine of 125 000 TL was imposed on the data controller, which did not take the necessary technical and administrative measures to ensure data security within the framework of Article 12(1) of the Personal Data Protection Law, taking into account the unfair content of the fault, the fault attributable to the data controller, and the economic conditions of the data controller.

Moving on from the fine that was imposed on the data controller, the Board went on to consider whether the violating company had acted promptly in notifying and thus mitigating the damage. In notifying the company employees affected by the violation and making a general announcement on its web page for the benefit of persons other than the company employees affected by the violation, the data controller was found to be in compliance with the Law in terms of the data controller’s obligation to notify the violation “as soon as possible”. The time frame of “as soon as possible” in the wording of the Law was established in the Board’s decision of 24.01.2019 and no. 2019/10 to mean the 72-hour period immediately following the company’s awareness of the breach. This requirement was found to be satisfied in this case and the company was accordingly not fined on this point.

This decision draws attention to the obligation on data controllers to pay great attention to backing up and keeping sensitive personal data, which might apply to certain industry sectors more than others due to the ordinary nature of their business. Nevertheless, it is evidently the responsibility of a data controller to take all necessary steps to prevent penetration and to back up data held in order to prevent unwanted situations such as where stolen data could be used as leverage against a data controller that has now lost the data. With this decision the Board has unequivocally demonstrated the importance it places on taking the utmost care when keeping personal data, including cyber security. Consequently, this might ultimately mean that even if data controllers take some precautions, albeit not quite enough, the fact of a cyber-attack will not absolve the data controller of the finding of fault and consequently a fine. Prompt notification, on the other hand, will save the company from having to pay a further fine.