Legal Matters, Privacy

The Danger of Reporting a Data Breach

Although this story occurs outside of the United States and United Kingdom, it details governmental cybersecurity actions that should concern citizens everywhere. The Turkish government is proposing a law to empower their recently conceived Cybersecurity Directorate. Prior to this proposal, Turkey mirrored the United States by lacking comprehensive federal cybersecurity framework legislation. This law would enact cybersecurity protections while going a step further: including provisions that would make it a criminal act to report on data breaches.

Article 16 of the law states that any individual who creates a perception that there has been a data breach, when one has not occurred, shall be imprisoned for two to five years. On its surface, this seems to be a strong deterrent against public panic and confusion; however, with the burden of proof on the individual (e.g., journalists), there is speculation that this article is really aimed at discouraging reporting on data breaches altogether. Previously, data breaches have compromised millions of Turkish citizens’ personal information, and without the work of independent journalists, these breaches would have received far less attention than they did. Additionally, a 2022 disinformation law has already led to more than 60 investigations of journalists; this article is poised to increase the number of names on that list.

Moreover, experts are concerned that this law does not protect individual privacy so much as it empowers the Turkish government to collect data from public institutions and critical infrastructure providers. There is a reasonable concern that this capability will quickly lead to unchecked governmental surveillance of citizens, due to vague definitions surrounding the terms “cyber threat” and “critical infrastructure.” The law also establishes a Cybersecurity Council, which will be tasked with overseeing national cybersecurity strategies while possessing the authority to impose restrictions on digital services. However, because this Council will report directly to the president, many believe that it will instead be a mouthpiece for Turkey’s executive branch.

With parliamentary debates on the bill ongoing, the head of the Republican People’s Party, Aşkın Genç, criticized the legislation, arguing: “This law does not make our country more resilient to cyber threats; it grants the executive branch unlimited powers. If freedoms are suspended under the guise of security, what we have is not security but authoritarianism.” Although the bill has not yet passed, it appears as though it will be signed into law. Cybersecurity advocates around the world will be observing Turkey closely to see what comes from this law and to what extent the Turkish government suppresses reports on cybersecurity breaches.