Short answer: In a ransomware attack, your company is not only a victim — it is also a party with legal obligations. From the moment you learn of the attack, you must notify the KVKK Board of a data breach within 72 hours, report the cyber incident to the Cybersecurity Presidency without delay, inform affected individuals, and be able to document that you had implemented the required security measures before the attack. Neglecting any one of these is a separate ground for sanction, and the fines can run into the millions of lira.
Why does the victim company get fined?
At first glance this seems contradictory: a company that has been attacked, whose data has been encrypted, and whose operations have ground to a halt, ends up paying a fine on top of everything else. But the law is not concerned with the attack itself — it is concerned with the company's obligations before and after the attack. A data controller is required to implement all technical and administrative measures necessary to prevent unlawful access to personal data (KVKK Art. 12(1)). A successful attack is often treated as a presumption that these measures were inadequate, and in Board investigations, the company will be asked to document its inventory of measures.
In the Board's established practice, deficiencies such as never having conducted penetration tests, not keeping access logs, running outdated software, or lacking network segmentation regularly appear as the grounds for an administrative fine. In other words, the fine is not imposed because you were attacked — it is imposed because you left the door open to the attack and then failed to meet your subsequent obligations.
The first 72 hours after an attack: a legal roadmap
In ransomware cases, while the technical team focuses on recovering systems, the legal clock that is also running is often forgotten. Yet the process must proceed as follows:
1. Detect and document the incident. The moment the breach is discovered is the starting point for every deadline. Documenting this moment and every subsequent step with timestamps forms the foundation of your defence before both the Board and the Presidency.
2. KVKK notification (72 hours). If the encrypted or exfiltrated data includes personal data (customer records, employee personnel files, patient information), notification to the Board is mandatory within 72 hours. Even where ransomware has only encrypted the data without exfiltrating it, this is treated as unlawful access to the data, triggering the notification duty.
3. Cybersecurity Presidency notification (without delay). Under Article 7(1)(b) of Law No. 7545, the cyber incident must be reported to the Presidency without delay. This duty applies regardless of whether personal data was involved in the incident.
4. Informing the affected individuals. Individuals whose data was affected must be notified as soon as reasonably possible, with content meeting the Board's minimum requirements.
What happens if both notification steps (2 and 3) are neglected? Separate fines are imposed both under Article 18(1)(b) of the KVKK (TRY 204,285–13,620,402 as of 2025) and under Article 16(10) of the Cybersecurity Law (TRY 1,000,000–10,000,000). Current scholarship holds that, because the notification duties differ in content and addressee, real concurrence applies here — meaning the fines are cumulative.¹ A scenario where hospital systems are encrypted and no notification is made at all is treated in the literature as the textbook example of this double sanction.
Is paying the ransom lawful?
This is the most sensitive question clients ask. Turkish law contains no express provision prohibiting the payment of a ransom — but the matter is not that simple. If the payment recipient turns out to be linked to a sanctioned entity (particularly given that US OFAC and EU sanctions regimes directly affect international payment channels), the payment itself can create serious risk. A payment also does not guarantee that the data will be returned or will not be leaked, and in proceedings before the Board it can be read as an implicit admission that security measures were inadequate. From a corporate governance perspective, an undocumented ransom payment without a recorded rationale can also become the subject of liability disputes down the line. This decision must always be taken with legal advice, at board level, and with documented reasoning.
Liability beyond the fines
Administrative fines are only the visible tip of the iceberg. Other legal risks awaiting companies after a ransomware attack include:
- Compensation claims: Individuals whose data was leaked may bring claims for non-pecuniary damages against the data controller. In incidents affecting hundreds of thousands of people, this item alone can exceed the administrative fine.
- Contractual liability: Breach of security commitments in data processing agreements with customers and business partners can trigger penalty clauses and termination.
- Director liability: Where decisions not to make necessary investments are documented, board members' liability toward the company itself may become an issue.
- Criminal law dimension: Filing a criminal complaint against the attackers under Articles 243 et seq. (unauthorized access to an information system) and Articles 135-136 (offences relating to personal data) of the Turkish Criminal Code both preserves your legal rights and formally documents the company's status as a victim.
What to do before an attack happens
Legal preparedness for ransomware cannot be separated from technical preparedness. At a minimum: maintain an up-to-date, tested incident response plan; pre-designate notification templates and authorized signatories; regularly document your inventory of measures (penetration test reports, log policies, backup procedures); clarify breach-notification timelines for processors in your data processing agreements; and check that your cyber insurance policy aligns with your notification duties.
When an attack comes, the difference between a prepared company and an unprepared one is often measured in a seven-figure fine.
Sources
- Akgün, Mustafa / Akıncı, Muhammed Furkan, "The Relationship of Concurrence Between Misdemeanours under the Personal Data Protection Law and Misdemeanours under the Cybersecurity Law," Ankara Hacı Bayram Veli University Faculty of Law Journal, 2026, Vol. 30, No. 3, pp. 1399-1455.
- Law No. 6698 (KVKK), Art. 12, 18; Law No. 7545 on Cybersecurity, Art. 7, 16; Turkish Criminal Code No. 5237, Art. 135-136, 243.
- Personal Data Protection Authority, Guide to Personal Data Security (Technical and Administrative Measures).
- Dülger, Murat Volkan, Personal Data Protection Law, Istanbul.