INDIAN GOVERNMENT DEFERS DIRECTIONS ON REPORTING CYBER INCIDENTS AND DATA COLLECTION FOR MSME TO SEPTEMBER 25, 2022
The Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology (MeitY), Government of India, is the national agency appointed by the Central Government to perform specified functions in the area of cyber security under Section 70B of the Information Technology Act, as amended (“IT Act”). By a Notification dated June 27, 2022[1], CERT-In has extended the timelines for enforcement of the Cyber Security Directions of April 28, 2022 (“Directions”)[2] relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet. The enforcement date of June 27, 2022 is now extended to September 25, 2022 for Micro, Small and Medium Enterprises (MSMEs)[3], and also for implementation of a mechanism for validation of subscriber/customer details by Data Centres, Virtual Private Server (“VPS”) providers, Cloud Service providers and VPN Service providers. Further, the requirement relating to registration and maintenance of “Validated names of subscribers/customers hiring the services” and “Validated address and contact numbers” by Data Centres, VPS providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, incorporated at paragraph no. (v) a. & f of CERT-In’s Directions, will, to that limited extent, now become effective on September 25, 2022.
The development is significant as the Directions are applicable to service providers, intermediaries, data centres, body corporate, VPS providers, Cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and Government organizations, in other words, any entity whatsoever, in the matter of cyber incidents and cyber security incidents. The Directions require the covered service providers to meet extensive compliance obligations, including reporting obligations, log keeping requirements, a timeline for reporting cyber security incidents, and collection of user information that must be provided to CERT-In if demanded in case of a cybersecurity incident, etc. Significantly, the Directions have been reported to be vehemently objected to by industry stakeholders, trade bodies such as Software Alliance (BSA), multiple industry bodies, tech companies, business advocacy organisations, cloud service providers and other service providers on the ground that they could hurt “commercial operations, investments and R&D activities” of businesses. In fact, owing to the imposition of data retention requirements, reporting requirements, data localisation mandate and other compliances, many leading global VPN service providers such as Nord VPN, Surfshark, Express VPN, etc. decided to remove their servers from India citing onerous compliance with the Directions.
Background
India’s Information Technology Act, 2000 (“IT Act”) provides a legal framework to address issues relating to electronic communication and security breaches of information technology infrastructure. Under the IT Act, the ‘Indian Computer Emergency Response Team’ (CERT-In)[4] is the national agency for cyber security incident response and proactive measures for prevention of cyber incidents in the country[5]. In January 2014, the Indian government enacted the CERT-In Rules to deal with incidents of cyber breaches. Rule 9[6] of the CERT-In Rules broadly lays down the services to be provided by CERT-In. Rule 12 of the CERT-In Rules requires any individual, organisation or corporate entity affected by cyber security incidents to report to CERT-In[7].
The following types of cybersecurity[8] incidents are listed in the Annexure to the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013[9] (the “CERT-In Rules”) and need to be mandatorily reported to CERT-In as early as possible to leave scope for action:
- Targeted scanning or probing of critical networks or systems
- Compromise of critical information or system
- Unauthorized access of IT systems or data
- Defacement of websites or intrusion into websites and unauthorized changes, such as inserting malicious codes or links to external websites
- Malicious code attacks such as spreading viruses, worms, Trojans, Botnets or Spyware
- Attacks on servers such as Database, Mail and DNS or network devices such as Routers
- Identity theft, Spoofing and phishing attacks
- Denial of service (DoS) and Distributed Denial of service (DDoS) attacks
- Attacks on critical infrastructure, SCADA systems and wireless networks
- Attacks on applications such as e-governance and e-commerce
The format and procedure for reporting cybersecurity incidents have been provided by CERT-In on its official website https://www.cert-in.org.in.
The CERT-In Rules provide that individuals, organisations or corporate entities affected by Cyber Security Incidents may report cyber security incidents to CERT-In, except for the ten (10) listed types of cyber security incidents, which must be mandatorily reported to CERT-In as early as possible to leave scope for action. These incidents include unauthorized access of IT systems or data and attacks on servers such as Database, Mail and DNS or network devices such as Routers, which may be wide enough to cover ransomware incidents faced by companies. The CERT-In Rules also provide that service providers, intermediaries, data centres and body corporates MUST report Cyber Security Incidents to CERT-In “within a reasonable time of occurrence or noticing the incident”. What is meant by reasonable time has not been provided in the CERT-In Rules and remains open for interpretation[10].
Thus, while the CERT-In Rules originally lacked clarity on the time period within which a cyber incident was to be reported, the Directions (now to be effective on September 25, 2022) make this requirement more stringent by providing that all covered entities must report any cyber incident to CERT-In within six (6) hours of noticing or being brought to notice of such incident.
Ranjan Jha, Partner
Disclaimer: The contents of the above publication are based on understanding of applicable laws and updates in law, within the knowledge of authors. Readers should take steps to ascertain the current developments given the everyday changes that may be occurring in India or internationally on the subject covered hereinabove. These are personal views of authors and do not constitute a legal opinion, analysis or interpretation. This is an initiative to share developments in the world of law or as may be relevant for a reader. No reader should act on the basis of any statement made above without seeking professional and up-to-date legal advice.
[1] https://www.cert-in.org.in/PDF/CERT-In_directions_extension_MSMEs_and_validation_27.06.2022.pdf
[2] https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
[3] Notified by the Ministry of Micro, Small & Medium Enterprises, Government of India vide notification no. 2020 S.O. 1702(E) dated 1st June 2020 in exercise of the powers conferred by sub-section (1) read with sub-section (9) of section 7 of the Micro, Small and Medium Enterprises Development Act, 2006.
[4] CERT-In has been constituted by Ministry of Communication & Information Technology, Government of India vide notification dated October 27, 2009 in terms of the provisions of section 70B (1) of the IT Act.
[5] Section 70B of the IT Act empowers CERT-In to act as a national agency for collection, analysis and dissemination of information on cyber incidents; forecast and alerts of cyber security incidents; emergency measures for handling cyber security incidents; coordination of cyber incidents response activities; issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents; and other functions relating to cyber security. It is further empowered, under Section 70B (6) of the IT Act, to call for information and give directions to service providers, intermediaries, data centres, body corporate and any other person for carrying out the abovementioned activities.
[6] 9. Services.- CERT-In shall broadly provide following services:-
- response to cyber security incidents;
- prediction and prevention of cyber security incidents;
- analysis and forensics of cyber security incidents;
- information security assurance and audits;
- awareness and technology exposition in the area of cyber security;
- training or upgrade of technical know-how for the entities covered under Rule 10 and sub-rule (2) of Rule 11;
- scanning of cyber space with respect to cyber security vulnerabilities, breaches and malicious activities.
[7] 12. CERT-In operations.–
(a) Reporting of incidents: Any individual, organisation or corporate entity affected by cyber security incidents may report the incident to CERT-In. The type of cyber security incidents as identified in Annexure shall be mandatorily reported to CERT-In as early as possible to leave scope for action. Service providers, intermediaries, data centres and body corporate shall report the cyber security incidents to CERT-In within a reasonable time of occurrence or noticing the incident to have scope for timely action.
The details regarding methods and formats for reporting cyber security incidents, vulnerability reporting and remediation, incident response procedures and dissemination of information on cyber security are published on the website of CERT-In www.cert-in.org.in and are updated from time to time.
(2) CERT-In shall exchange relevant information relating to attacks, vulnerabilities and solutions in respect of critical sector with National Critical Information Infrastructure Protection Centre.
[8] Rule 2(1)(g) of CERT-In Rules defines ‘cyber incident’ as “any real or suspected adverse event that is likely to cause or causes an offence or contravention, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity, or availability of electronic information, systems, services or networks resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource, changes to data or information without authorisation; or threatens public safety, undermines public confidence, have a negative effect on the national economy, or diminishes the security posture of the nation”.
Rule 2(1)(h) of CERT-In Rules defines ‘cyber security incident’ as “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation”.
[9] Notified and published vide notification dated January 16, 2014 by the Central Government in exercise of the powers conferred by clause (zf) of sub-section (2) of section 87 read with sub-section (5) of section 70B of the IT Act, 2000.
[10] The Supreme Court of India in the judgment of “Veerayee Ammal V. Seeni Ammal” (2001(4) RCR(Civil) 625: (2002)1 SCC 134) has held that the word “reasonable” has in law prima facie meaning of reasonable in regard to those circumstances of which the person concerned is called upon to act reasonably knows or ought to know as to what was reasonable. It may be unreasonable to give an exact definition of the word “reasonable”. The reason varies in its conclusion according to idiosyncrasy of the individual and the time and circumstances in which he thinks. The dictionary meaning of the “reasonable time” is to be so much time as is necessary, under the circumstances, to do conveniently what the contract or duty requires should be done in a particular case.