Cybersec Update #3: What should CSIRT know about confidential information, and should it know it at all?
Reporting cybersecurity incidents is one of the most frequently discussed issues in the context of the amended UKSC and the NIS2 directive. Timeliness itself is nothing new: since GDPR we have been accustomed to reporting incidents within fixed deadlines. The new cybersecurity regulations introduce a three-stage reporting system: an early warning (24 h), an incident notification (72 h), and periodic and final reports. But what about legally protected information, which may be crucial for CSIRT in handling the incident while at the same time constituting a trade secret? Where is the line between the obligation to cooperate and the protection of business confidentiality?
New obligation to report incidents
The amendment to UKSC and the NIS2 directive impose on essential and important entities an obligation to report in three stages. An early warning must be submitted within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and then periodic reports on the handling of the incident and a final report once it has been handled.
We should already be used to reporting deadlines, at least since GDPR. The amendment, however, adds a further dimension: the question of sharing legally protected information with the competent CSIRT.
How to protect confidential information when reporting to CSIRT
On the one hand, detailed information about the incident allows CSIRT to act effectively in handling vulnerabilities and coordinating the response to threats. On the other hand, that information may include trade secrets or other legally protected information whose disclosure could harm the organization's interests.
What does the UKSC amendment say about this? An essential or important entity should mark, in the early warning, the information that constitutes a legally protected secret, including a trade secret. Marking does not mean withholding: the information is still submitted, but the marking tells CSIRT which parts are subject to confidentiality and limits how they may be used. This is the key protective mechanism for balancing security against the protection of business interests.
CSIRT powers and limitations in data use
The competent CSIRT may ask the reporting entity to supplement the information provided, including confidential data, but only to the extent necessary to perform its statutory tasks.
Importantly, CSIRT is prohibited from using such information for purposes other than those arising from its statutory competences. This is an additional safeguard protecting reporting entities against unauthorized dissemination of their confidential data.
When information constitutes a trade secret
Whether particular information constitutes a trade secret is determined by the conditions set out in the Act on Combating Unfair Competition (UZNK): the information must be technical, technological, organizational or otherwise of economic value, must not be generally known or readily accessible to persons who usually deal with such information, and the entrepreneur must have taken reasonable steps to keep it confidential. In practice the decisive factor is that last condition, the measures actually taken to maintain confidentiality.
What measures are these? It depends on the circumstances of each case. They will certainly include technical and organizational measures (such as access control, encryption, logging and monitoring) as well as standard legal instruments (confidentiality clauses in contracts, internal regulations, security policies) aimed at protecting the information. Information that is nominally secret but is in fact accessible to everyone in the organization, or leaves it without any contractual restriction, will struggle to meet the test.
Preparation before an incident occurs
The decision to implement measures protecting confidential information should be taken well before the moment of reporting an incident to CSIRT. We may never have to report an incident to CSIRT at all, but going to court in an unfair competition case against a contractor or former employee is a far more likely scenario, and there the same evidence of protective measures will decide whether the information counts as a trade secret.
Properly identifying and protecting trade secrets is therefore not only a matter of compliance with NIS2 and the amended UKSC, but part of a broader strategy for protecting the organization's business value. It is worth attending to these aspects today, before the urgent need to rely on them arises.