{"title":"现在不要告诉他们(或者根本不要)——根据NIS指令和GDPR负责任的披露安全事件","authors":"S. Schmitz-Berndt, Stefan Schiffner","doi":"10.1080/13600869.2021.1885103","DOIUrl":null,"url":null,"abstract":"ABSTRACT In this article, we critically analyse the timeline for notifications of third parties under the NIS Directive and the GDPR in the case of security and privacy incidents from a legal and technical perspective. While a need to mitigate an immediate risk of damage for an individual would call for prompt notification of data subjects, there are scenarios which may justify a delay in communication, for instance where a service provider needs to analyse the current attack to prevent further attacks and assess the full impact. Further, we argue that notification duties in the GDPR and NISD have different protection goals which may conflict in the context of a given incident. Since they are triggered by the same incident, they may contain redundancies, which bears potential for synergies which should be capitalised by the competent authorities.","PeriodicalId":53660,"journal":{"name":"International Review of Law, Computers and Technology","volume":"10 1","pages":"101 - 115"},"PeriodicalIF":0.0000,"publicationDate":"2021-02-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":"{\"title\":\"Don’t tell them now (or at all) – responsible disclosure of security incidents under NIS Directive and GDPR\",\"authors\":\"S. Schmitz-Berndt, Stefan Schiffner\",\"doi\":\"10.1080/13600869.2021.1885103\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"ABSTRACT In this article, we critically analyse the timeline for notifications of third parties under the NIS Directive and the GDPR in the case of security and privacy incidents from a legal and technical perspective. While a need to mitigate an immediate risk of damage for an individual would call for prompt notification of data subjects, there are scenarios which may justify a delay in communication, for instance where a service provider needs to analyse the current attack to prevent further attacks and assess the full impact. Further, we argue that notification duties in the GDPR and NISD have different protection goals which may conflict in the context of a given incident. Since they are triggered by the same incident, they may contain redundancies, which bears potential for synergies which should be capitalised by the competent authorities.\",\"PeriodicalId\":53660,\"journal\":{\"name\":\"International Review of Law, Computers and Technology\",\"volume\":\"10 1\",\"pages\":\"101 - 115\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-02-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"4\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Review of Law, Computers and Technology\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1080/13600869.2021.1885103\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"Social Sciences\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Review of Law, Computers and Technology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1080/13600869.2021.1885103","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"Social Sciences","Score":null,"Total":0}
Don’t tell them now (or at all) – responsible disclosure of security incidents under NIS Directive and GDPR
ABSTRACT In this article, we critically analyse the timeline for notifications of third parties under the NIS Directive and the GDPR in the case of security and privacy incidents from a legal and technical perspective. While a need to mitigate an immediate risk of damage for an individual would call for prompt notification of data subjects, there are scenarios which may justify a delay in communication, for instance where a service provider needs to analyse the current attack to prevent further attacks and assess the full impact. Further, we argue that notification duties in the GDPR and NISD have different protection goals which may conflict in the context of a given incident. Since they are triggered by the same incident, they may contain redundancies, which bears potential for synergies which should be capitalised by the competent authorities.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
