现在不要告诉他们(或者根本不要)——根据NIS指令和GDPR负责任的披露安全事件

Q1 Social Sciences

International Review of Law, Computers and Technology Pub Date : 2021-02-11 DOI:10.1080/13600869.2021.1885103

S. Schmitz-Berndt, Stefan Schiffner

{"title":"现在不要告诉他们(或者根本不要)——根据NIS指令和GDPR负责任的披露安全事件","authors":"S. Schmitz-Berndt, Stefan Schiffner","doi":"10.1080/13600869.2021.1885103","DOIUrl":null,"url":null,"abstract":"ABSTRACT In this article, we critically analyse the timeline for notifications of third parties under the NIS Directive and the GDPR in the case of security and privacy incidents from a legal and technical perspective. While a need to mitigate an immediate risk of damage for an individual would call for prompt notification of data subjects, there are scenarios which may justify a delay in communication, for instance where a service provider needs to analyse the current attack to prevent further attacks and assess the full impact. Further, we argue that notification duties in the GDPR and NISD have different protection goals which may conflict in the context of a given incident. Since they are triggered by the same incident, they may contain redundancies, which bears potential for synergies which should be capitalised by the competent authorities.","PeriodicalId":53660,"journal":{"name":"International Review of Law, Computers and Technology","volume":"10 1","pages":"101 - 115"},"PeriodicalIF":0.0000,"publicationDate":"2021-02-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":"{\"title\":\"Don’t tell them now (or at all) – responsible disclosure of security incidents under NIS Directive and GDPR\",\"authors\":\"S. Schmitz-Berndt, Stefan Schiffner\",\"doi\":\"10.1080/13600869.2021.1885103\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"ABSTRACT In this article, we critically analyse the timeline for notifications of third parties under the NIS Directive and the GDPR in the case of security and privacy incidents from a legal and technical perspective. While a need to mitigate an immediate risk of damage for an individual would call for prompt notification of data subjects, there are scenarios which may justify a delay in communication, for instance where a service provider needs to analyse the current attack to prevent further attacks and assess the full impact. Further, we argue that notification duties in the GDPR and NISD have different protection goals which may conflict in the context of a given incident. Since they are triggered by the same incident, they may contain redundancies, which bears potential for synergies which should be capitalised by the competent authorities.\",\"PeriodicalId\":53660,\"journal\":{\"name\":\"International Review of Law, Computers and Technology\",\"volume\":\"10 1\",\"pages\":\"101 - 115\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-02-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"4\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Review of Law, Computers and Technology\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1080/13600869.2021.1885103\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"Social Sciences\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Review of Law, Computers and Technology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1080/13600869.2021.1885103","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"Social Sciences","Score":null,"Total":0}

引用次数: 4

摘要

在本文中，我们从法律和技术的角度，批判性地分析了在安全和隐私事件的情况下，根据NIS指令和GDPR通知第三方的时间表。虽然需要减轻个人立即遭受损害的风险，需要及时通知数据主体，但在某些情况下，可能有理由延迟通信，例如，服务提供商需要分析当前的攻击，以防止进一步的攻击并评估全面影响。此外，我们认为GDPR和NISD中的通知义务具有不同的保护目标，这些目标可能在特定事件的背景下发生冲突。由于它们是由同一事件触发的，它们可能包含冗余，这具有协同作用的潜力，主管当局应加以利用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Don’t tell them now (or at all) – responsible disclosure of security incidents under NIS Directive and GDPR

ABSTRACT In this article, we critically analyse the timeline for notifications of third parties under the NIS Directive and the GDPR in the case of security and privacy incidents from a legal and technical perspective. While a need to mitigate an immediate risk of damage for an individual would call for prompt notification of data subjects, there are scenarios which may justify a delay in communication, for instance where a service provider needs to analyse the current attack to prevent further attacks and assess the full impact. Further, we argue that notification duties in the GDPR and NISD have different protection goals which may conflict in the context of a given incident. Since they are triggered by the same incident, they may contain redundancies, which bears potential for synergies which should be capitalised by the competent authorities.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

International Review of Law, Computers and Technology Social Sciences-Law

CiteScore

3.70

自引率

0.00%

发文量