Opinion · 6 min read

Cyber Incident Response: 72-Hour Checklist for Legal Teams

The legal cost of a cyber incident is largely determined by decisions made—correctly or incorrectly—within the first 72 hours. From KVKK notification obligations to litigation communications, from internal correspondence discipline to supplier recourse rights — an action map for legal teams.


Av. Umut Zorer

Founding Attorney

Introduction

Cyber incidents are today a "when, not if" risk category for virtually every organization. The majority of the legal cost of an incident—ransomware, data breach, insider sabotage, supply chain attack—is determined by decisions made within the first 72 hours. Within this window, Turkish Data Protection Law (KVKK) notification deadlines begin, evidence security is established or lost, and communication discipline is founded for internal and external stakeholders.

This article maps, hour by hour, the actions a legal team must take in a cyber incident. The aim is not to resolve individual cases; rather, it gives organizations a "runbook" framework to have in place before an event occurs.

Pre-Incident — Preparation

How the 72-hour window will be managed is actually designed before the incident occurs. Key documents the legal team must maintain:

  • Incident response policy and board approval — who may declare an incident, communication flows, mechanism for external advisor engagement.
  • Incident response runbook — guidance defining technical, legal, communications, and management dimensions hour by hour.
  • Communication templates — institutional notification draft, data subject announcement draft, employee communication message, public disclosure, customer communication.
  • Pre-arranged external advisors — digital forensics firm, external law firm, crisis communications agency, and insurance broker contacts, ready to phone at incident time.
  • Evidence security matrix — how specific data will be collected, how chain of custody will be protected, how attorney-client privilege will be preserved.

First 4 Hours — Detection and Initiation

The time between incident detection and legal team involvement should be as brief as possible.

  • Document the incident — initial detection time, detection method, detecting person, initial indicators.
  • Convene the incident response committee — technical (CISO / IT security), legal (in-house counsel / external firm), communications, operations, senior management representative.
  • Initial impact assessment — which systems are affected, which data is at risk, who are the data subjects, which jurisdictions are implicated (any international scope)?
  • Initiate evidence security — isolate log records, take forensic snapshots of affected systems, prevent ad hoc deletion or reboots of affected systems.
  • Establish attorney-client privilege framework — conduct the internal investigation under legal team management, mark email communications as "privileged & confidential."
  • Establish a decision basis for urgent response measures — does shutting down the affected system create operational, litigation, or contractual risk?

4-24 Hours — Scope Determination and Notification Preparation

The true scope of the incident begins to be resolved within this window; the Turkish Data Protection Law (KVKK) 72-hour notification deadline is also triggered within this timeframe.

Turkish Data Protection Law (KVKK) 72-hour notification obligation

The Authority's decision dated 24 January 2019, No. 2019/10, establishes the data controller's obligation to notify the Authority within 72 hours of becoming aware of a personal data breach. Notification requires a structured file containing the nature of the breach, categories affected, numerical impact, probable consequences, and measures taken and to be taken.

The 72 hours is continuous calendar time—weekends or holidays do not suspend the notification deadline. The interpretation of "becoming aware" is a critical point of debate in practice: is it when the indication is first noticed, or when the conclusion that a breach has occurred is reached? The recommended practice is to start the clock from when the indication is noticed and—even if the breach is later determined not to have occurred—actively continue notification preparation.

Questions for scope analysis

  • Which personal data were affected? (identity, contact, financial, health, biometric, location, etc.)
  • How many data subjects were affected? Estimated or exact number?
  • Did data leak, was it disclosed, or was it merely accessed? What is the level of unauthorized processing?
  • Was encryption broken? Is pseudonymization effective?
  • Is the incident ongoing or contained?
  • Was data transferred internationally? Which country?

Notification preparation must proceed in parallel

While preparing notification, the technical team may still be investigating scope. In this situation, notification to the Authority may be made in two stages: initial notification (with available information), supplementary notification (as scope clarifies). The Authority typically views a delayed or incomplete initial notification more favorably than no notification at all.

24-48 Hours — Stakeholder Communication

Notification to data subjects

The Turkish Data Protection Law (KVKK) requires notification to data subjects where the breach "is likely to result in a high risk to the rights and freedoms of the affected individual." Notification must:

  • Be written in clear and plain language,
  • Explain which data were affected,
  • Describe potential consequences (identity theft, financial loss, communication fraud),
  • Describe protection measures taken and recommended,
  • Clearly provide the organization's contact channel.

The timing of data subject notification should coincide with or follow shortly after Authority notification; a data subject notification that lags the Authority notification by several days creates reputational loss and invites Authority scrutiny.

Parallel regulatory processes

Depending on the organization's sector, the incident may require notification to multiple regulators:

  • For banks and payment institutions: Banking Regulation and Supervision Agency (BRSA) / Central Bank of Turkey (CBRT),
  • For electronic communications operators: Information and Communication Technologies Authority (BTK),
  • For capital markets actors: Capital Markets Board (SPK),
  • For insurance companies: Insurance and Private Pension Regulation and Supervision Authority (SEDDK),
  • For health sector: Ministry of Health,
  • For critical infrastructure operators: under the Cyber Security Law (No. 7545), the Presidency of Turkey Cyber Security Organization.

Notification timelines and formats vary by sector; a parallel calendar should be prepared in advance.

Customer and business partner communication

Corporate customers, suppliers, and business partners may be contractually obligated to be informed. Data processing agreements (DPA) typically impose an obligation on the data controller to notify the data processor within a specified timeframe (usually 24-48 hours) of a data breach. Notification commitments in these contracts must not be missed.

Employee communication

The timing of incident disclosure is critical both for employee morale and crisis management. Employees should be clearly informed of the incident's existence, steps the organization is taking, and individual precautions (password changes, phishing alerts).

Authority notification via portal module

Turkish Data Protection Law (KVKK) notification to the Authority is made via the Authority's data breach notification module. Documents typically included with notification:

  • Explanation of the breach,
  • Root cause analysis (completed portion to date),
  • List or range of affected data subjects,
  • Data categories,
  • Immediate measures taken,
  • Medium and long-term measures to be taken,
  • Date and text of data subject communication.

Report to the Office of the Chief Public Prosecutor

If the incident constitutes an external attack, insider sabotage, data theft, or one of the computer crimes under Turkish Penal Code Articles 243-246, consideration should be given to filing a criminal complaint with the Office of the Chief Public Prosecutor. The criminal complaint should:

  • Be submitted together with evidence obtained in the internal investigation,
  • Be prepared in compliance with Code of Criminal Procedure (CMK) procedures,
  • Include technical documentation of the incident,
  • Consider victim participation on behalf of the customer if personal data rights have been harmed.

Internal investigation and discipline

If the incident is internally caused (employee negligence or intentional breach), the disciplinary process must proceed in parallel with—but separate from—the investigation; results of examination conducted under attorney-client privilege should not be distributed in early phases.

Post-Incident — Process After 72 Hours

Incident response does not end at 72 hours; the post-incident phase consists of the following items.

  • Supplier recourse — if supplier fault lies at the root of the incident, contractual recourse, damage allocation, and—if necessary—litigation.
  • Insurance claim file — notification timelines in the cyber insurance policy, evidence list, and incident documentation are submitted to the insurer.
  • Authority supplementary notifications — when root cause analysis is complete and measures are concrete, supplementary notification is sent to the Authority.
  • Data subject follow-up communication — closure communication to data subjects when the incident is resolved.
  • Board of directors report — formal record of the incident for the board's responsibility under Turkish Commercial Code (TTK) No. 6102.
  • Lessons and improvement — post-incident evaluation report, runbook updates, awareness training, policy revisions.
  • Authority administrative sanction process — if the Authority initiates investigation, prepare defense; if necessary, pursue administrative law remedies against Authority decision.

Frequently Made Errors

Errors commonly encountered in practice often stem from the absence of a runbook and tabletop exercises.

  • Tendency to conceal the incident: Management's desire to protect reputation causes the incident to be downplayed, resulting in missed 72-hour notification deadlines and much heavier sanctions from the Authority.
  • Evidence destruction: Rapid cleanup of affected systems, deletion of suspicious emails, loss of logs through rotation. The rule that nothing be touched before digital forensics arrives must be announced within the organization.
  • Communication outside attorney-client privilege: Internal communications on social platforms and notification emails sent to third parties may later surface as evidence.
  • Defensive language in notification: Notification to the Authority or data subject that is overly defensive and filled with excuses makes the organization appear more culpable, not more reasonable.
  • Delay in insurance notification: Most cyber insurance policies have short notification periods; delay results in loss of indemnification rights.

Conclusion

Cyber incident response is not a technical exercise; it is a discipline that brings technology, law, communications, and management to the same table. At the center of this discipline lie a well-prepared runbook, pre-defined communication templates, and active employee awareness. The difference between making panic-driven decisions when an incident arrives and proceeding methodically from the runbook is what determines whether the organization stands or falls when the incident ends.

Practical advice for legal teams: conduct a tabletop exercise once per year with cyber security and communications teams. Working through scenarios allows decisions to become reflex when a real incident occurs, and it is the only way to learn in advance how to use the 72 hours.

Tags: cyber security, data breach, KVKK, incident response