India has over 700 million active internet connections and is the fastest-growing market for digital technologies. This has created a large pool of digitally vulnerable targets and increased the likelihood of cyber-attacks by malicious actors. The problem has only grown during the pandemic, which has led to a heavier reliance on technology for working from home, payments, and so on. Therefore, the Indian Computer Emergency Response Team (CERT-in) was set up in 2013 by the central government under section 70B of the Information Technology Act, 2000 as the national agency that users could turn to when cybersecurity issues arose. The original CERT-in Rules only mandated the reporting of certain cybersecurity incidents, but the directions issued on 28th April have not only doubled the number of incidents that must be reported but also amended several other provisions. The new directions cast a wide compliance net over the organizations to which they apply.
Service providers, body corporates, intermediaries, data centres, and government organizations (hereafter "entities") are required to report specific cyber-security incidents within 6 hours of noticing such an incident or of its being brought to their notice. The directions also prescribe a particular format for the report, available on the CERT-in website. The information the agency seeks may not be available within the prescribed time limit, and an initial report may contain only unconfirmed information and raw data dumps. This time frame is also considerably shorter than the global standard of 72 hours; it may be noted that the Joint Parliamentary Committee on the Data Protection Bill, 2019 also recommended a similar time frame (72 hours).

The specific incidents that must be reported are listed in Annexure I and have more than doubled from those in the original CERT-in Rules. They include data breaches, attacks on Internet of Things (IoT) devices, unauthorized access to social media accounts, and tech buzzwords such as attacks/malicious activities relating to "Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones". But they also include incidents that occur on a regular or daily basis, such as spoofing and phishing attacks and network scans, and cybersecurity experts have raised concerns about whether an organization is required to report each such incident separately. Requiring the reporting of incidents that IT departments are capable of handling themselves places an excessive burden and cost on the entities, and may also leave CERT-in inundated with trivial issues and unable to deal with serious incidents when they happen. Moreover, the directions make no mention of notifying the data subjects whose data is affected by such a cyber-security breach or incident.
The entities are mandated to act on, or provide information and assistance to, CERT-in when asked. There is no clarity on the type of information that may be sought, and the agency may seek information not only when an incident occurs but also to take 'preventive and protective actions', which leaves room for malicious interpretation. Any non-compliance with such an order would be treated as non-compliance with the directions themselves and may attract penalties, as discussed below. Further, the entities are required to appoint a point of contact who will handle all communications with the agency.
Data localization and retention
According to the new directions, entities must maintain logs of their Information and Communications Technology (ICT) systems for 180 days, and these logs must be stored within the Indian jurisdiction. The logs are to be provided when an incident occurs or when CERT-in asks for them. There is no clarity on what information these logs need to comprise. Retaining data for such an extended period would impose additional costs on the entities, and the requirement to keep the logs within the Indian jurisdiction would mean that cloud-based entities which otherwise have no physical presence in India would need to maintain localized logs or face penalties.
Subscriber data collection
"Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers" need to record and maintain "accurate information" about subscribers for 5 years after cancellation or withdrawal of registration, or longer where mandated by law, including:
- Validated names of subscribers/customers hiring the services
- Period of hire including dates
- IPs allotted to / being used by the members
- Email address and IP address and time stamp used at the time of registration / on-boarding
- The purpose of hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers/customers hiring services
This direction could cause concerns for both VPN service providers and their users, as the main objective of using a VPN is to maintain user privacy and confidentiality while browsing the internet. Several organizations use VPNs as a secure way to store and transfer confidential information over the internet. VPNs also help protect the identities of journalists, whistleblowers, and activists in countries where the government tries to suppress dissent. Moreover, VPNs as a privacy-advancing tool fall under the protection of the fundamental right to privacy expounded by the Supreme Court in the Right to Privacy/Aadhaar judgement. Combined with direction (iii), these records would fall within the information that entities must furnish when ordered to by CERT-in, diluting user privacy.
KYC requirements for the VDA ecosystem
Virtual asset service providers, exchanges, and custodian wallets must maintain the Know Your Customer (KYC) information they obtain, along with records of financial transactions and other information such as, but not limited to, IP addresses, transaction IDs, public keys, and the nature and amounts of transfers, from which individual transactions can be reconstructed. This data must be stored for 5 years, in order, the directions say, to ensure adequate cyber-security measures that protect customer data, economic rights, and fundamental rights in light of the growing demand for virtual assets. As of now, only financial service providers such as banks and securities exchanges are required to collect KYC information. There is also no clarity as to which entities this provision applies.
Synchronization with NTP
Entities are required to connect to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to other traceable NTP servers. Global entities are allowed to use different time sources, but these must be in sync with the NTP servers, and their time should not deviate from that of the NPL/NIC. This is meant to ensure accurate time stamps when collecting data on cyber incidents. Whether enough NTP servers exist to meet the demand of so many entities remains to be seen.
Non-compliance with the directions may lead to punitive action under section 70B(7) of the IT Act, 2000, which can extend to 1 year of imprisonment or a fine of up to INR 1,00,000. Entities do have a safeguard in section 70B(8), which provides that no court shall take cognizance of an offence by an entity unless the complaint is made by a CERT-in officer, and before a complaint is filed it goes through a two-fold check by the Director-General and a review committee.
The 2022 directions cast a wide regulatory and compliance net over the entities in these sectors because they are broadly worded. The need to report incidents within 6 hours, maintain localized system logs, and sync with the prescribed NTP servers creates excessive obligations and might make it difficult for entities to function in a legally compliant manner if they want to continue operating within the Indian jurisdiction. Further, VPN providers might leave the Indian market altogether, considering that the new directions ask them to go against what is fundamentally their purpose. Given that non-compliance has penal consequences, CERT-in should allow stakeholders enough time not only to raise queries about the changes but also to make the changes necessary for compliance. The new directions come into force 60 days after their notification, but it remains to be seen whether they can withstand judicial scrutiny, as they essentially amend the CERT-in Rules, something which can only be done by Parliament through legislation and not by a direction of the Ministry of Electronics and Information Technology.
Author(s) Name: Akshit Chaudhary (Faculty of Law, Delhi University)