Information Note on Technical and Administrative Measures for User Security Recommended by the Turkish Board of Protection of Personal Data
On February 15, 2022, by taking into account the data security breaches, the Board of Protection of Personal Data (“Board”) published an announcement regarding the technical and administrative measures recommended for data controllers to ensure user security within the scope of Article 12 of the Personal Data Protection Law (“Law”).
We would like to highlight that it is not obligatory to take the following measures, but it is recommended by the Board that the data controllers choose and implement the measures they think that will be appropriate according to their data processing activities. However, taking these measures will reduce the risk of a possible data breach and thus the risk of being subject to sanctions due to a data security breach within the scope of the Law.
As a result of the evaluations regarding the data breach notifications made to the Board recently; the Board stated that the user account information (username and passwords) used to access the websites of data controllers operating in various sectors such as finance, e-commerce, social media and gaming are publicly published on some websites and it has been observed that the third parties who obtain the information of the data subjects can access the websites of the data controllers without the knowledge or consent of the data subjects and personal data can be accessed in such manner.
In addition, it is stated that personal data obtained from the systems of data controllers or obtained by using security vulnerabilities in end-user computers can be offered for sale for an economic value, such data can be re-marketed as large data sets, and all of these cause unlawful sharing of data.
The Board is of the opinion that the above-mentioned violations occur due to the failure of the data controllers to take all or some of the technical and administrative measures.
In order to reduce the risks of data security breaches, the Board has published the following advisory technical and administrative measures to be taken by the relevant data controllers:
- Establishing two-factor authentication systems and presenting this to users as an alternative security measure from the membership application stage,
- In case of logging in on different devices other than the devices that provide frequent access to the users’ accounts, sending the login information via e-mail/sms etc. and ensuring that contact addresses are forwarded to the relevant persons,
- Protecting applications with HTTPS (Hypertext Transfer Protocol Secure) or in a way that provides the same level of security,
- Using secure and up-to-date hashing algorithms to protect user passwords against cyber-attack methods,
- Limiting the number of unsuccessful login attempts from the IP (Internet Protocol Address) address,
- Ensuring that the relevant persons can view their information about at least the last 5 successful and unsuccessful login attempts,
- Reminding the relevant people that the same password should not be used on more than one platform,
- Establishing a password policy by data controllers and ensuring that users’ passwords are changed periodically or reminding the relevant persons about this issue,
- Preventing newly created passwords from being the same as old passwords (at least the last three passwords), using technologies such as security codes (CAPTCHA, four processes, etc.) that distinguish computer and human behavior when logging into user accounts, limiting the IP addresses that are allowed to be accessed,
- Ensuring that the passwords entered into the systems of data controllers must be at least 10 characters long, and that strong passwords are created for the combination of upper and lower case letters, numbers and special characters,
- If third-party software or services are used to log into the systems of data controllers, regular security updates of these software and services and performing necessary controls.
You can access the full text of the announcement from the link below (in Turkish):