The Indian Information Technology Act, 2000 ("IT Act") designates the Indian Computer Emergency Response Team ("CERT-In") as the national agency for safeguarding cyber space in India. CERT-In can requisition information from entities targeted by cyber security attacks. Until now, enforcement of the obligation on private entities to report cyber security incidents to CERT-In has been sporadic. The Directions now introduce compliance requirements that may compel companies to revise their reporting strategy. These Directions shall be applicable from June 28, 2022.
The Directions introduce the following key compliances:
- Synchronisation of ICT system clocks: All service providers, intermediaries, data centres, and body corporates ("Entities") are required to connect to the Network Time Protocol ("NTP") Server of the National Informatics Centre ("NIC") or the National Physical Laboratory ("NPL"), or to NTP servers traceable to the NTP servers of NIC/NPL, for synchronisation of their information and communication technology ("ICT") system clocks. Entities with cross-border ICT infrastructure may use 'time sources' other than NPL and NIC as long as they do not deviate from the NPL/NIC time.
- Cyber security incident reporting: All Entities are now mandated to report cyber security incidents to CERT-In within 6 hours of noticing an incident or upon being informed of such an incident. Earlier, the requirement was to report 'within a reasonable timeframe', which left scope for action. (That said, the consequences of not reporting a cyber security incident or not complying with CERT-In requests remain the same as under Section 70(B) of the IT Act, i.e., imprisonment (in egregious cases) and/or a fine of up to INR 100,000.) Cyber security incidents include (inter alia) unauthorized access to IT systems/data; compromise of critical systems; data breach; data leak; identity theft and phishing; malware affecting cloud computing systems, software related to big data, blockchain, virtual assets, drones, additive manufacturing and AI/ML; cyber threats/attacks on social media accounts, payment systems and IoT devices; etc. (Please refer to Annexure I of the Directions for the complete list of instances classified as a cyber security incident.)
- Record-keeping:
  - Store logs locally: All Entities have been mandated to enable the logs of their ICT systems and maintain them securely for a rolling period of 180 days in India. This information is to be submitted while reporting a cyber security incident or when required by CERT-In.
  - Maintain information on customers: Data Centres, Virtual Private Service Providers (VPS), Cloud Service Providers and Virtual Private Network Service Providers (VPN Service) are now required to maintain certain information pertaining to customers (such as names of subscribers/customers, IP addresses allotted to members, contact details and ownership pattern of the subscribers/customers, etc.) for a period of 5 years.
  - KYC records: Virtual asset service providers and exchange providers (such as NFT platforms and cryptocurrency exchanges) are mandated to keep a record of all information obtained as part of Know Your Customer ("KYC"), and transaction data (e.g., IP addresses, account details, etc.) for a period of 5 years. (Please refer to Annexure III of the Directions for details of the KYC information to be maintained.)
- Point of Contact: All Entities have to designate a Point of Contact to act as a liaison between the Entity and CERT-In. Details of such Point of Contact are to be intimated to CERT-In.
What this means for you
Businesses will be tasked with the responsibility to report cyber security incidents, store specified information, and furnish it when required. Companies will need to formulate standard operating procedures in response to a cyber security incident/threat, formulate record-retention policies, etc. As a knock-on effect, contractual confidentiality obligations towards customers/end-users may have to be revised in light of the data disclosure duties under these Directions.
It remains to be seen whether these Directions will be implemented "as is" in 2 months' time, or whether they will meet with pushback from stakeholders.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.