The Personal Data Protection Authority (“Authority”) published a public announcement on February 15, 2022, regarding the technical and administrative measures to be taken by data controllers in order to prevent data breaches and to reduce the possible negative consequences of the increasing number of data breaches. The announcement was issued in view of the recent data breach notifications made to the Authority.
The Authority recommended that the relevant data controllers take the following technical and administrative measures into consideration where applicable:
- Establishing a two-factor authentication system and presenting it to users as an alternative security measure starting from the membership application stage,
- Sending login information to the data subjects via email, text message etc. when users log in to their accounts from different devices,
- Protecting applications via HTTPS or another tool that provides the same level of security,
- Using secure and up-to-date (hashing) algorithms,
- Limiting the number of unsuccessful login attempts from an IP address,
- Ensuring that data subjects can view information on at least five successful and unsuccessful login attempts,
- Reminding the data subjects that the same password should not be used on more than one platform,
- Creating a password policy that provides for passwords to be changed periodically, or reminding data subjects of this issue,
- Preventing new passwords from being the same as old passwords (at least the last three passwords),
- Using technologies such as security codes (CAPTCHA, simple arithmetic questions etc.) that distinguish computer from human behavior during logins,
- Limiting the IP addresses that are allowed access,
- Ensuring that passwords entered into the systems contain at least 10 characters, including upper- and lower-case letters, numbers and special characters, and
- Updating and checking systems regularly if third-party software or services are used to log in to the systems.
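Three of the listed measures (the 10-character mixed-class password rule, the ban on reusing any of the last three passwords, and limiting failed login attempts per IP address) can be enforced in one small account model. The code below is an added illustration, not part of the Authority's announcement; the failed-attempt threshold of five and the PBKDF2 work factor are assumptions, since the announcement fixes no numbers for them.

```python
import hashlib
import hmac
import os
import string
MIN_LENGTH = 10          # announcement: at least 10 characters
HISTORY_DEPTH = 3        # announcement: must differ from the last three passwords
MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the announcement fixes no number

def password_meets_policy(password: str) -> bool:
    # Length plus upper/lower-case letters, digits and special characters.
    return (len(password) >= MIN_LENGTH
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    # Salted, iterated PBKDF2-HMAC-SHA256 (100k rounds is an assumed work factor).
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.history = [hash_password(password)]   # newest first, at most HISTORY_DEPTH
        self.failed_by_ip: dict[str, int] = {}

    def _matches(self, password: str, entry: tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def change_password(self, new_password: str) -> bool:
        if not password_meets_policy(new_password):
            return False
        if any(self._matches(new_password, e) for e in self.history):
            return False   # reuse of one of the last three passwords
        self.history = [hash_password(new_password)] + self.history[:HISTORY_DEPTH - 1]
        return True

    def login(self, password: str, ip: str) -> str:
        # Refuse further attempts from an IP that has exhausted its failures.
        if self.failed_by_ip.get(ip, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if self._matches(password, self.history[0]):
            self.failed_by_ip.pop(ip, None)
            return "ok"
        self.failed_by_ip[ip] = self.failed_by_ip.get(ip, 0) + 1
        return "failed"
```

Production systems would persist the history and per-IP counters in a datastore and expire the counters after a cool-down period; the in-memory structures here only show the checks themselves.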
As a result, the Authority emphasized the importance of taking these technical and administrative measures by reminding that “the controllers are obliged to take all necessary technical and administrative measures to provide a sufficient level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data and ensure the retention of personal data” within the framework of paragraph (1) of Article 12 of the Personal Data Protection Law No. 6698. Therefore, we recommend that data controllers take the measures listed above into consideration.