Questions:
If an institution's computer system is infiltrated and data is leaked as a result, will the institution be held responsible?
Reply

Article 15(1) of the Personal Data Protection Act provides that "the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected." In the case of the incident in question, according to Article 14(2) of the Law, if the institution can prove that it has taken appropriate technical and organizational measures for personal data protection, it may be exempted, in part or completely, from its responsibilities.

Address: Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau

Tel: (853)28716006

Fax: (853)28716116