India’s New Breach Notification And Cybersecurity Requirements: An Update

Spice Route Legal
7 min read · Jun 30, 2022

The Indian Computer Emergency Response Team (“CERT-In”), India’s cybersecurity regulator, released a set of directions on security incidents on April 28, 2022. Issued in the wake of rising cybersecurity incidents and attacks in India, the directions on “information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet” (hereafter, “Directions”) introduce strict breach notification and security requirements. Scheduled to come into effect on June 27, 2022, these Directions — complemented by a set of frequently asked questions (“FAQs”) issued by CERT-In on May 18, 2022 — overhaul existing security incident reporting and cybersecurity requirements.

Earlier Position

Historically, organisations were mandatorily required to report specific types of cybersecurity incidents to CERT-In. However, there were no penalties for non-compliance, and failure to report such incidents was commonplace.

What Now?

CERT-In has issued the Directions under Section 70B(6) of the Information Technology Act, 2000. Under this provision, the regulator has the right to call for information and issue directions in connection with the management of cybersecurity incidents. A failure to comply with such calls for information or directions is punishable with both imprisonment of up to 1 year and a fine which may extend to INR 1,00,000.

Applicability

Like most data privacy laws, the Directions apply to service providers, intermediaries, data centres, body corporates, and government organisations. This scope effectively ensures that all government agencies and organisations engaged in commercial or professional activities are bound by the Directions’ requirements.

Another notable aspect of the Directions is their extraterritorial impact: they apply to organisations that are not based in India if such organisations offer services in India or use computer resources, networks, or systems in India. In addition, while not expressly stated, a close reading indicates that the Directions will also apply to organisations that process personal data that arises out of India.

Breach Notification Requirements

Organisations bound by the Directions must mandatorily report the occurrence of specific types of cybersecurity incidents that fulfil the following criteria to CERT-In within 6 hours of knowledge of such incident:

(a) the incident is of a severe nature and occurs on any part of a public information infrastructure;

(b) the incident involves a data breach or a data leak;

(c) the incident is a part of larger-scale cybersecurity incidents; or

(d) the incident impacts the safety of human beings.

A list of the mandatorily reportable incidents is annexed to this note, and its scope is wide: it includes cybersecurity incidents such as unauthorised access to IT systems, DoS and DDoS attacks, and compromise of critical information and infrastructure (none of which need to involve a breach or compromise of personal data), as well as data breaches and leaks.

Experienced cybersecurity lawyers believe that the FAQs have muddied the waters on the harm-based criteria slightly: it appears that the regulator does not intend to exempt organisations that suffer incidents that do not meet the criteria described above from the reporting requirement completely, but instead offers a relaxation on the timeline. While any other reading would be inconsistent with the spirit of the Directions, we expect further clarity from CERT-In on this topic.

The organisation that is “affected” by a relevant cybersecurity incident must report such incident. If there are multiple entities affected by a cybersecurity incident, each entity will be obliged to report the incident within 6 hours of knowledge of the incident. The obligation to report an incident cannot be contractually transferred or eliminated: therefore, unlike many other jurisdictions, controllers and processors will both be required to report incidents to CERT-In.

Appointing POCs

Organisations are required to designate a single point of contact (“PoC”) to liaise with CERT-In. The contact details and the designation of PoCs must be provided to CERT-In in a specified format, as should updates and changes to such details. In the absence of clarity on qualification or residency criteria for PoCs, we recommend appointing PoCs based in India so that compliance with the prescribed timelines is both manageable and practical.

Information Requests

CERT-In has the right to require organisations to provide information and otherwise assist in promoting cybersecurity awareness and mitigating security incidents. Failure to do so would be deemed to be non-compliance with the Directions.

Impact on Data Centres, VPS Providers, VPN Providers, and Cloud Service Providers

Data centres, virtual private server providers, virtual private network service providers, and cloud service providers (none of which terms are defined) are required to maintain the following information:

(a) Names of subscribers or customers using their services;

(b) Purposes for which services are used;

(c) Ownership patterns of the subscribers or customers;

(d) Timeline for the subscriber’s or customer’s use of the service; and

(e) IP addresses allotted to or otherwise used by such persons.

These entities must also maintain such information for at least 5 years after the expiry of the relationship with such subscriber or customer.

While this provision will undoubtedly create significant operational challenges for businesses (and, no doubt, impact the business model underpinning offerings like VPNs), the provision also raises concerns about the privacy of subscribers and customers. However, CERT-In has clarified that it will seek access to such information only on the occurrence of cybersecurity incidents and requires organisations to implement reasonable security practices and procedures to safeguard such data.

Impact on Players in the Cryptocurrency and Digital Asset Ecosystem

Many technology law firms have realised that the existing legal landscape on cryptocurrencies and digital assets is in a state of flux. Apart from entities regulated by the Reserve Bank of India, players in the crypto ecosystem are not statutorily required to conduct know your customer (“KYC”) checks prescribed by regulators on their users.

Under the Directions, however, virtual asset service providers, virtual asset exchange providers, and custodian wallet providers must maintain all information obtained as a part of KYC processes and financial transaction records for 5 years. The entities — virtual asset service providers, virtual asset exchange providers, and custodian wallet providers — are presently undefined. Though ambiguously worded, it appears that the Directions require such entities to also conduct KYC checks on their users.

Apart from KYC information and financial transaction records, these entities are obliged to maintain transaction records in a manner in which individual transactions can be reconstructed and identified, including details of IP addresses, timestamps, time zones, transaction IDs, public keys, addresses, the nature of the transaction, and underlying amounts.

Technical Measures and Localisation

All organisations are required to enable and maintain logs of all of their information systems and store such logs for a rolling period of 180 days. Organisations will be required to provide these logs while reporting any security incident to CERT-In, or when requested to do so by CERT-In. While these logs must be stored in India, CERT-In has clarified that logs may also be stored outside India, provided that the obligation to provide these logs within CERT-In’s requested timelines is complied with. The regulator’s intent here appears to be to permit the storage of logs outside India (for example, through mirroring) as long as the original logs are maintained in India.
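A practical way to verify the rolling 180-day obligation is to check that the retained logs cover every day of the window with no gaps, rather than only counting files. The following is an added example and is not code from the article or from CERT-In; it assumes a constructed naming convention of one log file per calendar day (`<system>-YYYY-MM-DD.log`) and uses the Directions’ effective date as a fixed reference day so that it runs reproducibly offline.

```python
"""Rolling 180-day log retention coverage check.

Added example for the logging requirement in the Directions; not code from the
article or from CERT-In. Assumes a constructed convention of one log file per
calendar day named `<system>-YYYY-MM-DD.log` and a fixed reference date.
"""
import re
from datetime import date, timedelta

RETENTION_DAYS = 180  # rolling retention period stated in the Directions
_LOG_NAME_RE = re.compile(r".*-(\d{4}-\d{2}-\d{2})\.log$")  # constructed convention


def parse_log_dates(filenames):
    """Return the set of calendar days covered by the given file names.

    Names that do not follow the `<system>-YYYY-MM-DD.log` convention are
    ignored rather than treated as covering any day.
    """
    covered = set()
    for name in filenames:
        match = _LOG_NAME_RE.match(name)
        if match:
            covered.add(date.fromisoformat(match.group(1)))
    return covered


def retention_window(today, days=RETENTION_DAYS):
    """First and last day of the rolling window ending today (both inclusive)."""
    return today - timedelta(days=days - 1), today


def missing_days(filenames, today, days=RETENTION_DAYS):
    """Days inside the rolling window for which no log file exists, oldest first."""
    covered = parse_log_dates(filenames)
    start, end = retention_window(today, days)
    gaps = []
    day = start
    while day <= end:
        if day not in covered:
            gaps.append(day)
        day += timedelta(days=1)
    return gaps


def expired_files(filenames, today, days=RETENTION_DAYS):
    """Files dated before the window; these fall outside the 180-day obligation."""
    start, _ = retention_window(today, days)
    expired = []
    for name in filenames:
        match = _LOG_NAME_RE.match(name)
        if match and date.fromisoformat(match.group(1)) < start:
            expired.append(name)
    return expired


def retention_report(filenames, today, days=RETENTION_DAYS):
    """Summarise coverage: compliant only when every day in the window has a log."""
    gaps = missing_days(filenames, today, days)
    return {
        "window_start": retention_window(today, days)[0],
        "compliant": not gaps,
        "missing_days": gaps,
        "expired_files": expired_files(filenames, today, days),
    }


# Constructed sample: the Directions' effective date as a fixed "today", and a
# 200-day run of daily log files with two days (40 and 41 days ago) missing.
TODAY = date(2022, 6, 27)
SAMPLE_FILES = [
    f"app-{(TODAY - timedelta(days=i)).isoformat()}.log"
    for i in range(200)
    if i not in (40, 41)
]

if __name__ == "__main__":
    report = retention_report(SAMPLE_FILES, TODAY)
    print("compliant:", report["compliant"])
    print("missing days:", [d.isoformat() for d in report["missing_days"]])
    print("files outside the window:", len(report["expired_files"]))
```

The check treats a single missing day as a compliance failure, because the obligation is continuous coverage of the window, not a file count; files older than the window are listed separately so that deletion or archival can be scheduled without touching anything CERT-In may still request.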

In addition, organisations are also required to connect to (a) NTP servers of the National Informatics Centre (“NIC”, an office under the Ministry of Electronics and Information Technology) or the National Physical Laboratory (“NPL”, the measurement standards laboratory in India), (b) servers traceable to NIC’s or NPL’s NTP servers, or (c) NTP servers that use the same time sources as NIC’s or NPL’s NTP servers. As a general rule, organisations must ensure that the time sources of their NTP servers do not deviate from NIC’s or NPL’s time sources.
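One way to turn this requirement into a repeatable host check is to read the synchronisation state an NTP client reports and test it against an approved list of sources. The following is an added example, not code from the article or from CERT-In, NIC or NPL. It parses the text printed by the `chronyc tracking` command and checks that the clock is synchronised, that the reference source is on the organisation’s list of NIC/NPL-traceable servers, and that the current offset is within a tolerance. The host names and the tolerance are assumptions: the real NIC and NPL server names must be obtained from those organisations, and the Directions state no numeric tolerance.

```python
"""NTP synchronisation check against an approved-source list.

Added example for the time-synchronisation requirement in the Directions; not
code from the article, CERT-In, NIC or NPL. Parses `chronyc tracking` output.
The approved host names and the tolerance below are placeholders/assumptions.
"""
import re

APPROVED_SOURCES = {"ntp.nic.example", "ntp.npl.example"}  # placeholder names
MAX_OFFSET_SECONDS = 0.1  # assumed tolerance, not taken from the Directions

_REF_RE = re.compile(r"^Reference ID\s*:\s*([0-9A-Fa-f]+)\s*\(([^)]*)\)")
_SYSTIME_RE = re.compile(r"^System time\s*:\s*([0-9.]+) seconds (fast|slow) of NTP time")
_LEAP_RE = re.compile(r"^Leap status\s*:\s*(.+?)\s*$")


def parse_tracking(text):
    """Extract source name, signed offset (positive = ahead of NTP time) and leap status."""
    info = {"source": None, "offset": None, "leap": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = _REF_RE.match(line)
        if m:
            info["source"] = m.group(2) or None  # chrony prints "()" when unsynchronised
            continue
        m = _SYSTIME_RE.match(line)
        if m:
            seconds = float(m.group(1))
            info["offset"] = seconds if m.group(2) == "fast" else -seconds
            continue
        m = _LEAP_RE.match(line)
        if m:
            info["leap"] = m.group(1)
    return info


def evaluate(text, approved=APPROVED_SOURCES, max_offset=MAX_OFFSET_SECONDS):
    """Return a list of findings; an empty list means the host passes all three checks."""
    info = parse_tracking(text)
    findings = []
    if info["leap"] != "Normal":
        findings.append(f"clock not synchronised (leap status: {info['leap']})")
    if info["source"] not in approved:
        findings.append(f"reference source {info['source']!r} is not on the approved NIC/NPL-traceable list")
    if info["offset"] is None or abs(info["offset"]) > max_offset:
        findings.append(f"offset {info['offset']} s is outside the {max_offset} s tolerance")
    return findings


# Constructed samples in the layout chronyc uses; hosts and numbers are made up.
GOOD_TRACKING = """\
Reference ID    : C0A80001 (ntp.nic.example)
Stratum         : 2
Ref time (UTC)  : Mon Jun 27 09:00:00 2022
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000034567 seconds
RMS offset      : 0.000045678 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.123 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.001234567 seconds
Update interval : 64.5 seconds
Leap status     : Normal
"""

BAD_TRACKING = """\
Reference ID    : C0A80002 (pool.example.org)
Stratum         : 3
Ref time (UTC)  : Mon Jun 27 09:00:00 2022
System time     : 0.734000000 seconds slow of NTP time
Last offset     : -0.700000000 seconds
RMS offset      : 0.650000000 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.123 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.001234567 seconds
Update interval : 64.5 seconds
Leap status     : Normal
"""

if __name__ == "__main__":
    for label, sample in (("good host", GOOD_TRACKING), ("bad host", BAD_TRACKING)):
        findings = evaluate(sample)
        print(label, "-> OK" if not findings else "-> " + "; ".join(findings))
```

The check can only confirm that a host points at a server the organisation has already established as NIC- or NPL-traceable; traceability itself is a property of the upstream server chain and has to be verified once, when the approved list is drawn up, rather than on every host.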

Next Steps

The view taken by several data privacy law firms is that while an effective and robust breach notification system was much needed in India, the Directions give rise to certain areas of concern. Primarily, the operational challenges to meet a 6-hour notification window are extremely high (and impractical, considering the nature of information, infrastructure, analysis, and advice required to make a responsible notification).

Similar to the approach taken with the data protection bill, many organisations appear to be adopting a wait-and-see approach to compliance with these Directions. However, as a leading Indian law firm with extensive expertise in this practice area, our advice at this stage, in the absence of clarifications from the regulator, is to implement processes that enable organisations to meet the notification timelines with the preliminary information available at the time of reporting, to appoint PoCs, and to begin compliance work so that the technical requirements of the Directions are met. We expect practical advice and further clarifications from the regulator and will keep you posted on updates.

ANNEXURE

Mandatorily Reportable Incidents


This blog has been adapted from an article authored by associates of Spice Route Legal, a leading Indian law firm with an industry focus on technology, energy and life sciences.
