IT & Artificial Intelligence Law
Corporate Legal Liability for Cybersecurity Breaches in Turkey
Published 14 July 2026·6 min read
Att. Mona Hukuk Editorial Team - Antalya · Antalya Bar Association
A cyberattack is never merely a technical crisis; it is a source of layered legal liability. Companies often overlook the consequences that extend beyond notifying the Data Protection Board: compensation claims from customers, criminal proceedings against the attacker, administrative fines, and the accountability of the board of directors. This guide moves past the 72-hour notification duty under Turkey's Personal Data Protection Law (KVKK) — which we address in a separate guide — to explain the real legal risks a cybersecurity breach creates for companies, framed around the Turkish Code of Obligations (TBK) and the Turkish Penal Code (TCK).
Notification Is Only the Beginning
The breach notification required under KVKK art. 12 is not the sole consequence of an incident. Having filed the notification does not release the company from compensation owed to customers, from criminal proceedings against the perpetrator, or from an administrative fine. These consequences run on independent legal tracks: notification is an administrative-law duty; compensation is a private-law obligation; and a criminal investigation is pursued ex officio by the prosecutor. A post-breach strategy must therefore be far broader than completing a notification form.
Compensation Liability Toward Customers and Data Subjects
Customers whose data is exposed may claim compensation from the company for the material and moral harm they suffer. Such a claim has two possible legal bases.
Contractual liability: Where a service relationship exists between the company and the customer and the contract contains an express or implied undertaking on data security, TBK art. 112 applies. Under this provision, if an obligation is not performed properly, the debtor must compensate the creditor's loss unless it proves that no fault can be attributed to it. The crucial point is the reversal of the burden of proof: the customer need not prove the company's fault; the company must prove that it took the necessary security measures and was free of fault.
Tort liability: Where there is no contractual relationship, TBK art. 49 provides that whoever causes damage to another through a faulty and unlawful act must remedy that damage. Inadequate security infrastructure, unpatched systems, or neglected access controls can establish the company's fault. In addition, the "employer's liability" under TBK art. 66 may arise: an employer can be held liable for damage its employee causes to third parties while performing work, and escapes liability only by proving that it exercised due care in selecting and supervising the employee and in organizing the workflow of the enterprise.
The Criminal Dimension: Offenses Under the TCK
The criminal-law dimension of a cybersecurity breach primarily targets the perpetrator. Three key provisions of the TCK (Law No. 5237) stand out:
- TCK art. 243 — Accessing an information system: Anyone who unlawfully enters all or part of an information system, or continues to remain there, faces up to one year of imprisonment or a judicial fine. If the data in the system is destroyed or altered as a result, the penalty rises to between six months and two years.
- TCK art. 244 — Hindering or disrupting a system, destroying or altering data: Anyone who hinders or disrupts the operation of an information system faces one to five years; anyone who damages, destroys, alters, renders inaccessible, or transfers data elsewhere faces six months to three years. If the act is committed against a bank, a credit institution, or a public body's system, the penalty is increased by half.
- TCK art. 136 — Unlawfully giving or obtaining data: Anyone who unlawfully gives, disseminates, or obtains personal data faces two to four years of imprisonment.
Although these offenses primarily target the attacker, the company is not wholly untouchable. An employee or manager who intentionally or through gross negligence facilitates the breach may amount to participation in the unlawful disclosure of data; the deliberate transfer of personal data to third parties may become the subject of an investigation under art. 136 for company officers as well.
Administrative Fines and Cyber Insurance
Administrative sanction is a third consequence, separate from compensation and criminal penalty. Under KVKK art. 18, a data controller that fails to meet its data-security obligations may face administrative fines running into the millions, revalued each year by the statutory revaluation rate. Breaching the notification duty and failing to take data-security measures are distinct categories of violation and may be penalized separately.
Against this stack of risks, cyber insurance is an increasingly common risk-management tool. A well-structured policy can cover breach response costs, forensic investigations, third-party compensation claims, and in some cases defense costs relating to administrative fines. Policies, however, contain significant exclusions; intent, gross negligence, or failure to meet declared security standards may be left outside coverage.
Corporate Governance: Preparing Before a Breach
The most effective way to reduce liability lies in measures taken before a breach. Preparing an incident response plan, encrypting data, restricting access privileges, and conducting regular penetration tests are decisive for both technical resilience and legal defense. Board-level oversight of cybersecurity and the documentation of decisions and measures taken are critical in proving, where necessary, that the company and its directors were free of fault. A written record of the measures adopted forms the basis of the exculpatory evidence under both TBK art. 112 and art. 66.
Frequently Asked Questions
Our company notified the Data Protection Board; is there anything else we need to do? Yes. Notification is only an administrative duty. The risk of compensation to customers, potential criminal proceedings, and administrative fines do not end with notification; they require a separate legal strategy.
If the attack was carried out by an outside hacker, is the company still liable? It may be. The perpetrator's criminal liability does not extinguish the company's compensation liability toward customers. If the company cannot prove that it took the necessary security measures and was free of fault, it may remain liable for damages.
Can the company be held responsible for a leak caused by an employee? Yes. Under TBK art. 66, an employer is liable for damage its employee causes to third parties while performing work; it can escape liability only by proving that it exercised due care in selection, supervision, and workflow organization.
Does cyber insurance cover all losses? No. Policies vary in scope and exclusions. Intent, gross negligence, or failure to meet promised security standards may fall outside coverage; legal review before purchasing the policy is important.
How Mona Hukuk Can Help
Cybersecurity breaches create layered liability that begins with notification and extends into compensation and criminal law. At Mona Hukuk, we assist companies with preparing incident response plans, post-breach legal risk assessment, defense against customer compensation claims, representation in criminal proceedings, and legal review of cyber insurance policies.
For consultancy in Antalya, you can write to contact@monahukuk.com or call +90 (242) 606 14 32.
Want a weekly digest of developments in Turkish law?
Official Gazette notices, court decisions and legislative changes — delivered weekly. Free, unsubscribe at any time.
Related Articles
IT & Artificial Intelligence Law
.tr Domain Disputes in Turkey: A Guide for Foreign Brands
2 Jul 2026 · 6 min read
Read articleIT & Artificial Intelligence Law
Software Escrow Agreements Explained: Turkey Guide 2026
22 Jun 2026 · 6 min read
Read articleIT & Artificial Intelligence Law
Registering with VERBİS: Turkey's Data Controller Guide
9 Jun 2026 · 6 min read
Read article