What key laws exist in terms of obligations as to the maintenance of cybersecurity?
The DPA, in conjunction with subsidiary legislation established under it, sets out the technical and organisational measures which controllers and processors must implement in order to prevent unlawful processing as well as accidental destruction or loss of personal data. This framework imposes security obligations on processors of personal data. It is also pertinent to note that the General Data Protection Regulation (the ‘GDPR’) becomes directly applicable in 2018, which means that Malta will have to comply with any further cybersecurity obligations the GDPR may impose.
The ECNSR require any undertaking authorised to operate a public communications network to ensure the security and integrity of its networks against threats, vulnerabilities and incidents. An entity providing publicly available electronic communications services over public communications networks must do all that is necessary to ensure the availability of such services in the event of a catastrophic network breakdown.
Other sector-specific legislation provides for measures to be taken to ensure proper information security. With respect to qualified trust service providers, which provide various electronic services, the eIDAS Regulation obliges such providers to ensure a high level of security by implementing appropriate technical and organisational measures, taking into account the latest technological developments. The eIDAS Regulation, inter alia, requires providers to take measures to prevent and minimise the impact of security incidents, and further provides that stakeholders are to be informed of any adverse effects in the event of a security incident.
In the remote gaming sector, the Remote Gaming Regulations, Subsidiary Legislation 438.04 of the Laws of Malta, require service providers to adhere to information security requirements; they are subject to testing and audit processes by the Malta Gaming Authority, in which they must demonstrate that security measures proportionate to the risks have been implemented.
With respect to the financial sector, the Financial Institutions Act, Chapter 376 of the Laws of Malta, and the Banking Act, Chapter 371 of the Laws of Malta, both impose a rather general obligation that the institution in question must have sufficient procedures to identify, manage, monitor and report any risks, together with appropriate internal control mechanisms. In addition, service providers in the financial sector are increasingly expected to set up an internal audit function to assess the appropriateness of the provider’s internal policies and procedures, including its information security and risk management strategies, and the organisation’s compliance with those policies.
Cybersecurity is primarily a private matter and the responsibility of organisations and other entities. However, certain laws and regulations prescribe duties relating to cybersecurity.
Section 13 of the Personal Data Act prescribes that the data controller and data processors shall, by means of planned and systematic measures, ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of personal data. To that end, these parties shall document their data system and security measures. Such documentation shall be available to their employees, as well as to the Data Protection Authority and the Privacy Appeals Board. Furthermore, Chapter 2 of the Regulation on the Processing of Personal Data of 15 December 2000 no. 1265 imposes several duties on the data controller with regard to risk assessments, security audits and other organisational, physical, procedural or technical measures suitable for preventing the loss, misuse, unauthorised access, disclosure or modification of personal data.
Other laws and regulations providing similar requirements on cybersecurity are the Electronic Communications Act and Act no. 10 of 20 March 1998 on Preventive Security Service (The Security Act).
There is no specific law on cybersecurity under Turkish law. However, cybersecurity obligations, including obligations to establish a data security management system, exist in sector-specific regulations such as the Electronic Communications Law, the Banking Law and the Law on Regulation of Electronic Commerce.
Further, pursuant to the Law on Protection of Personal Data No. 6698, data controllers are under an obligation to keep personal data secure and to take the necessary measures to prevent illegal access to such data.