|
Article 14
|
When the competent authority, an agency receiving reports on the implementation of cyber security maintenance plans as specified in Article 14 of the Act, or a central competent authority in charge of the relevant sector becomes aware of a major cyber security incident, the announcement of necessary information and response measures pursuant to Paragraph 5 of Article 17, and Paragraph 5 of Article 24 of the Act must include the following details: the time when the incident occurred or was discovered, the cause, the extent of impact, the control status, and the subsequent improvement measures.<br/>The following circumstances regarding necessary content and response measures related to the preceding paragraph and the incident shall not be publicly announced:<br/>1. The information involving business secret or relating to business operation of individual, juristic person or group, of which the disclosure might infringe upon right or other legitimate interest of the government agency, individual, juristic persons or group; unless it is otherwise provided by law, or necessary for public welfare, or necessary for the protection of the lives, bodies or health of the people, or with consent of the party involved.<br/>2. Other circumstances under which cyber security information should be kept confidential, should be restricted on or prohibited from disclosure thereof.<br/>Where the necessary content and response measures related to the incidents in Paragraph 1 contain cir-cumstances that should not be disclosed, only the other parts may be announced.
|