(Mallika Noorani & Anushka Chaturvedi)
In the past few months there have been countless data breaches, and as a result the information of Indian users may be accessible to malicious parties over the Internet. Such cybersecurity incidents have not been limited to private businesses. According to a parliamentary statement by the Minister of State for Electronics and Information Technology (MeitY) dated 1 April 2022, CERT-In reported a total of 48,285 government-related cyber security incidents in 2021. In a situation characterised by an inadequate legal framework, a lack of transparency, and a significant risk of privacy infringement, intervention by CERT-In was crucial.
The Indian Computer Emergency Response Team (CERT-In) issued directions on April 28, 2022, under Section 70B(6) of the Information Technology Act, 2000 (IT Act), on information security policies, procedures, prevention, response, and reporting of cyber incidents. These directions significantly extend the scope of obligations compared to the Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (Rules).
The Directions
The directions come into effect 60 days from April 28, 2022, and apply to “service providers, intermediaries, data centres, body corporate, and government organisations.” Covered entities are obligated to report cybersecurity incidents, specifically those listed in the directions, to CERT-In within 6 hours of discovering them. The directions also compel organisations to provide CERT-In with “information or any other such assistance to CERT-In that may contribute to cyber security mitigation actions and better cyber security situational awareness.” Additionally, entities are required to designate a single point of contact for communication with CERT-In, and to keep logs of all their ICT systems for 180 days in a secure format. These logs must be provided at the time an incident is reported under the directions, and whenever ordered or directed by CERT-In, regardless of whether an incident has occurred.
The directions also require extensive record-keeping by data centres, virtual private server (VPS) providers, cloud service providers, and VPN service providers. Customer identity, subscription periods, IP addresses allotted to customers, contact numbers, and other information would have to be retained by these services for 5 years.
The notification also brings virtual assets under the Ministry of Finance’s financial regulations and requires that all information obtained through Know Your Customer (KYC) processes, along with records of financial transactions, be maintained for 5 years to ensure cyber security in payments and financial markets.
The notification requires system administrators to synchronise their systems with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), “or with NTP servers traceable to these NTP servers,” so that system clocks are consistent across India.
Concerns
While the overarching aim of a comprehensive cyber incident reporting and security regime is reasonable, certain provisions have generated concern among industry watchers and cyber security professionals in the absence of clarity from CERT-In. CERT-In has struggled for some time to obtain information and incident reports from service providers, intermediaries, and corporations in accordance with its rules and its mandate under section 70B(4) of the IT Act. This affected its ability to gather, analyse, and disseminate information on cyber incidents and to coordinate incident response and emergency measures. It has therefore turned to these directions, which oddly fail to distinguish incidents by scope or severity. Some types of cyber incident occur far more frequently than others: a company may receive hundreds of phishing emails, and the effort required to report each one would significantly increase compliance costs.
Under Direction 4, CERT-In requires the aforementioned organisations to “…mandatorily enable logs on all their ICT systems..”. The lack of clarity on the scope of “all their ICT systems” gives rise to a number of concerns, such as the government gaining access to, or companies holding, more data than necessary. Clarifying this phrase would give effect to the internationally recognised principles of purpose limitation and data minimisation. In addition, the terms “Data Centres,” “Virtual Private Server (VPS) providers,” “Cloud Service providers,” and “Virtual Private Network Service (VPN Service) providers” are not defined in Direction 5. Similarly, there are no definitions for terms such as “service providers,” “intermediaries,” and “body corporate”.
The types of cyber incidents that must be reported by the entities listed in Direction 1 have grown significantly since the 2014 directives, and once again CERT-In does not clarify or comment on the majority of these new additions. While “data breach” and “data leak” have been included as separate types of cyber incident in the annexure, they are inadequately defined and the distinction between them is unclear.
Compliance Requirements
Concerns about the collection and storage of data beyond purpose or need are exacerbated by the requirements of “mandatorily enabling logs of all… ICT systems and maintaining them securely for a rolling period of 180 days” under Direction 4, and of “maintenance of data for 5 years or longer, as mandated by law after any cancellation or withdrawal of registration” for specific categories of data required for registration with the government under Direction 5. Such requirements run counter to the widely recognised principle of “storage limitation” in data processing. The ambiguity surrounding the time frame, and the absence of any justification for extending it, could result in severe privacy violations. In addition, certain service providers, such as Signal, and VPN providers, such as Proton, state that they do not keep such records because of their commitment to privacy. These requirements may compel many such providers to leave the Indian market.
Through the phrase “…must mandatorily enable logs of all their ICT systems…and the same shall be retained inside the Indian jurisdiction,” CERT-In imposes on the aforementioned businesses an onerous soft data localisation requirement, under which a copy of the data must be stored in India. This is cause for concern, since data localisation can inhibit innovation and the free flow of data across international borders. Increased compliance costs would also discourage international firms from bringing their services and goods to India, which could deprive Indian users of access to these services.
The data retention and localisation requirements in the directions raise grave concerns about state mass surveillance. In addition, service providers must provide real-time or near-real-time information for protective and preventive cyber incident activities, as well as for cyber incident response. In the absence of adequate oversight and of a data protection regime that guards against misuse, such provisions have the potential to enable mass surveillance.
Conclusion
There is a 60-day buffer (ending on 28th June 2022) before compliance with these directions begins. Given the scale of the changes required, this timeframe may be inadequate. Many companies may need to relocate servers and expand their storage capacity, and recruiting new personnel for compliance may take considerably longer. Six months would be a reasonable timeframe, allowing organisations to move effectively to the new regime. The penalties for non-compliance are severe (including up to one year of imprisonment and monetary fines). While the intent behind the Directions is certainly well-meaning, to ensure they are implemented and rolled out effectively the government must examine the concerns raised and devise a reasonable time frame for compliance.