ABSTRACT

This chapter discusses numerous case studies dealing with liability in case of data leakage, unintentional publication of privacy-relevant data, harm to reputation, or harm caused by inappropriate mitigation measures. The collecting, processing, and sharing of security-relevant information that contains personal data must comply with data protection law. Collecting information about potential cyber threats helps authorities gain critical insight into the national risk situation and potential threat scenarios. Further legal issues arise when the Computer Security Incident Response Team (CSIRT), cyber situation center, or competent authority that shares the information is a public authority. According to the Network and Information Security (NIS) Directive, one of the tasks of CSIRTs is to establish cooperative relationships with the private sector. European Union (EU) Member States have certain leeway in implementing the NIS Directive; national laws implementing it may therefore provide for the possibility of transferring the notification duty to service providers.