Recently, the Indian Computer Emergency Response Team (‘CERT-IN’) released a new set of Directions on April 28[1] (‘Directions’) under Section 70B(6) of the Information Technology Act, 2000 (‘Act’) relating to reporting of cyber security incidents and additional measures towards protection of the IT and internet ecosystem in India. These Directions, applicable to intermediaries,[2] data centers, certain service providers, body corporates and Government organizations (collectively ‘Covered Entities’) form the second piece of guidance on CERT-IN after the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013[3] (‘CERT-IN Rules’).
Tightening breach reporting and associated obligations
The Directions tighten existing breach reporting and related maintenance obligations which exist under the CERT-IN Rules and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘Intermediary Guidelines’). Some of these key obligations include:
- Stringent timelines for reporting: While the CERT-IN Rules and Intermediary Guidelines provide for mandatory reporting at the earliest without undue delay, the Directions provide for a more stringent timeline of 6 (six) hours for reporting cyber incidents from being aware of such breaches by way of email, phone or fax in the format specified by CERT-IN[4]. While the format remains unchanged, the timeline is now stricter with no express indication for any additional time that may be required for procuring or gathering more details. Non-compliance with the Direction may lead to punitive action under Section 70B(7) including fines and imprisonment.
- Expansion of reportable incidents: The Directions expand the types of cyber security incidents reportable under the CERT-IN Rules and include certain additional types of incidents such as attacks, malicious activities affecting internet of things (IOT) devices, digital payment systems, servers, networks or applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, addictive manufacturing, drones, artificial intelligence and machine learning. This expansion of the ambit of reportable incidents may impact many sectors and lead to a flow of direct and flow-down reporting obligations, in the absence of any impact thresholds.
- Maintenance of ICT logs for six months within India: In yet another instance of ‘soft’ localization (where transfer is not prohibited presumably, with local storage requirement), the Directions have introduced a mandatory requirement upon Covered Entities to maintain logs of information and communication systems securely for a rolling period of 180 (one hundred and eighty) days within India and provide the same to CERT-IN along with reporting of any incident or as and when solicited. It also appears unclear as to what records are required to be maintained under the Directions, as the term ‘logs of all their ICT systems’ seem overbroad and presumably burdening, especially if entities do not have a physical presence in India.
- Information solicitation and safeguards: The CERT-IN Rules had provided for information solicitation powers for officers of CERT-IN of the rank of Deputy Secretary, apart from a procedure to review the conduct and compliance of entities pursuant to directions issued by CERT-IN by a review committee (similar to the review committee constituted under the Telegraph law[5]) prior to filing complaint[6] under Section 70B(8) for prosecution and liability. The said safeguards are not expressly provided under the Directions. If not applicable, the Directions appear to have subverted the safeguards[7] prevalent under the CERT-IN Rules and may be critically viewed in light of the proportionality requirements in the three-step test[8].
- Synchronization of ICT clocks: Covered Entities are required to ensure synchronization of their ICT clocks with Network Time Protocol of National Informatics Centre (‘NIC’) or National Physical Laboratory (‘NPL’). Entities using ICT infrastructure spanning across multiple time zones may use accurate and standard time zones apart from these, however, the time source must not deviate from NPL or NIC.
New obligations for VPN/VPS Providers and Virtual Asset Providers
The Directions introduce de-novo obligations which are not provided under the CERT-IN Rules or the Intermediary Guidelines. These obligations are applicable to providers of virtual private networks (‘VPN’), virtual private servers (‘VPS’), cloud services (especially those providers having servers located in India), virtual asset services, virtual asset exchange services and custodian wallet services in relation to preservation of identifiable customer and transactional or usage records and associated activities.
VPS, VPN and cloud service providers are now required to maintain accurate customer records relating to ‘validated’ names of customers or subscribers, period of hire, IP addresses allocated, email addresses, IP addresses and timestamp used at the time of registration and onboarding, purpose of sharing services, ‘validated’ address and contact numbers and ownership pattern of subscribers for a period of 5 (five) years or longer as mandated after cancellation or withdrawal of registration. It remains unclear as to whether it is applicable to both providers based in and outside India, or whether it would only apply to such providers who may have servers located in India. The Directions also do not provide any details as to how the validation mechanism would have to be implemented. These requirements may also threaten user anonymity which may be a significant subscription motive for VPN users.
From an unexpected quarter, the Directions introduce know-your-customer documentation requirements in accordance with documentation specifics provided in Annexure III for virtual asset service providers, virtual asset exchange providers and custodian wallet providers [defined in the Report of the Financial Action Task Force[9] (‘FATF Report’), as they are not defined by the Ministry of Finance as yet], apart from maintaining records of financial transactions for a period of 5 (five) years to ensure cyber security in payments and financial markets. Transaction records are required to maintained in such a manner that retrieval of individual transaction records may be facilitated with identifiable information of parties and IP addresses, timestamps, public keys, amounts and other information, so as to almost facilitate, originate and associate a transaction with a transactor.
The Direction issued by the CERT-IN not only aims to tighten the regulatory framework on breach reporting and secure the internet ecosystem, but also appears to fortify a legal basis of intelligence gathering through a widened ambit of Covered Entities. Given that the legal validity of the Directions has not been addressed as yet, it would be interesting to track the responses of industry and regulators to the Directions, with initial reactions of many VPN providers such as Nord, ProtonVPN, Windscribe and others reportedly considering relocating servers outside India in response to the Directions.[10]
[The authors are Senior Associate and Partner, respectively, in the Data Protection practice team at Lakshmikumaran & Sridharan, New Delhi]
[1] Directions under Section 70B(6) dated April 28, 2022, available at https://cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
[2] Section 2(1)(w), Information Technology Act, 2000.
[3] Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, available at https://www.meity.gov.in/writereaddata/files/G_S_R%2020%20%28E%292_0.pdf
[4] Format for Reporting Incidents to CERT-IN, available at https://cert-in.org.in/PDF/certinirform.pdf
[5] Rule 419A, Telegraph Rules, 1951.
[6] Rule 18, Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013
[7] Rule 19, Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013
[8] Justice (Retd.) K. S. Puttaswamy & Ors. v. Union of India, (2017) 10 SCC 1.
[9] Updated Guidance for a risk-based approach: Virtual Assets and Virtual Asset Service Providers: FATF October 2021: available at https://www.fatf-gafi.org/media/fatf/documents/recommendations/Updated-Guidance-VA-VASP.pdf
[10] VPN cos contemplate service continuity after new govt regulation, available at https://timesofindia.indiatimes.com/business/india-business/vpn-cos-contemplate-service-continuity-after-new-govt-regulation/articleshow/91384575.cms
