India - A new and onerous cyber security framework, with breach reporting obligations

India’s cyber security body has issued new directions containing a broad range of new obligations including an obligation to notify security breaches within six hours and to keep detailed logs of network activity. We look at the implications of these changes.

The Indian Computer Emergency Response Team

India does not have a general personal data law and a large part of the current regulatory framework relating to protection of personal data is derived from the Information Technology Act, 2000 (“IT Act”) and associated rules, regulations and directions issued under the IT Act.

Under section 70B of the IT Act, the Indian Computer Emergency Response Team (“CERT-IN”) has been appointed as the nodal agency for addressing various matters relating to cyber security incidents, including the collection, analysis and dissemination of information relating to such incidents. The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”), issued under section 70B(5), further describe CERT-IN’s role, including the current requirements for reporting cyber security incidents to CERT-IN.

New cyber security Directions

On 28 April 2022, CERT-IN issued directions under section 70B(6) of the IT Act relating to information security practices, procedure, prevention, response and reporting of cyber incidents (“Directions”). The Directions are effective from 27 June 2022, 60 days from the date of their issuance.

The Directions were criticised for several reasons, including their onerous requirements, their implications for privacy rights and their general ambiguity. In response, the Government issued statements clarifying that the purpose of the Directions was only to develop a framework enabling a coordinated response and emergency measures in the event of cyber security incidents, and not to violate privacy or undertake broad-based surveillance.

On 18 May 2022, the Government also issued a 28-page set of FAQs to “explain the nuances” of the Directions “with a view for enabling a better understanding of the various stakeholders in order to seek compliance to promote Open, Safe & Trusted and Accountable Internet in the country”. While the FAQs clarify some aspects of the Directions, they also make it clear that the Government expects organisations to comply with the Directions in their current form and, as things stand, the Directions are unlikely to be diluted further.

Who do the Directions apply to?

The Directions apply almost universally: all service providers, intermediaries, data centres, body corporates and government organisations must comply with their requirements (together, “Regulated Entities”).

The FAQs also clarify that Regulated Entities include body corporates outside India, in respect of the matter of cyber incidents and cyber security incidents, if they provide services to Indian customers.

Additional obligations apply to specific categories of Regulated Entities, namely data centres, virtual private server providers, cloud service providers and virtual private network service providers, as well as virtual asset service providers, virtual asset exchange providers and custodian wallet providers (each as defined by the Ministry of Finance from time to time).

Mandatory reporting of cyber incidents to CERT-IN

One of the most significant obligations imposed by the Directions is the mandatory reporting of identified cyber incidents to CERT-IN within six hours. This is a major shift from the current, more relaxed reporting obligations set out in the CERT-In Rules. The reporting requirements under the Directions are described below:

What has to be reported? Cyber incidents of the types listed in Annexure I of the Directions have to be reported to CERT-IN. Annexure I lists 20 such incident types (compared with the 11 listed in the CERT-In Rules).

The FAQs further illustrate each type of cyber incident and appear to add a qualitative threshold. In particular, read together with the Directions, the reporting obligation appears to be limited to incidents listed in Annexure I that are:

  • cyber incidents and cyber security incidents which are of a severe nature on any part of the public information infrastructure including backbone network infrastructure (e.g., denial of service, distributed denial of service, intrusion, spread of computer contaminant including ransomware);
  • data breaches or data leaks;
  • large scale or frequent incidents such as intrusion into computer resources, website etc.;
  • cyber incidents impacting the safety of human beings.

Who has to report? All Regulated Entities, including those outside India, have an obligation to report cyber incidents. The FAQs specifically clarify that “any entity which notices a cyber security incident” (for example, where multiple parties are affected, or where an entity’s data stored in a third party’s system is affected) must report it to CERT-IN, and that the obligation to report cannot be transferred, indemnified or dispensed with. Since any cyber incident is likely to involve more than one Regulated Entity, multiple reports of the same incident seem very likely (and may even be what CERT-IN intends).

By when? The Directions specify that all cyber incidents must be reported within six hours of “noticing such incidents or being brought to notice about such incidents”. This is a very onerous requirement and is likely to be breached frequently. The FAQs appear to soften the obligation in two respects:

  • A Regulated Entity need only provide the information available at the time of reporting (i.e., within the six-hour timeframe); additional information can be reported later within a ‘reasonable time’. The term ‘reasonable time’ is ambiguous; it is hoped that it will be interpreted practically, as reporting as soon as the Regulated Entity has obtained the necessary and relevant information about the incident.
  • Even where an incident occurred long before it was detected, the six-hour clock starts only when the Regulated Entity notices the incident or has it brought to its attention. The FAQs add that analysis of reported incidents can then be used to identify gaps in security processes and improve the organisation’s ability to detect and mitigate incidents in a timely manner.

What is the format for reports? Cyber incidents must be reported in the format provided on the CERT-IN website at www.cert-in.org.in, which will be updated from time to time.

Provision of information to CERT-IN

The Directions reinforce CERT-IN’s right to obtain information from Regulated Entities. When required by an order or direction of CERT-IN, a Regulated Entity must take action, provide information or otherwise assist CERT-IN in a manner that may contribute to cyber security mitigation actions and enhanced cyber security awareness. The order or direction may specify the format in which the information is required and the timeframe within which it must be provided; failure to provide it would constitute non-compliance.

While the FAQs clarify that CERT-IN will only seek information in connection with cyber security incidents, on a case-by-case basis, concerns have been raised that this provision sets no quantitative or qualitative threshold for the type of information CERT-IN can seek, which, given CERT-IN’s wide statutory functions, could enable it to seek a broad range of unrelated information as well.

Maintenance of data logs in India

All Regulated Entities must enable logging of their ICT systems and maintain the logs securely in India for a rolling period of 180 days. These logs must be provided to CERT-IN when reporting a cyber security incident or when ordered or directed by CERT-IN.

The exact logs required depend on the organisation’s sector. The FAQs name the following as illustrative: firewall logs, intrusion prevention system logs, SIEM logs, web, database, mail, FTP and proxy server logs, event logs of critical systems, application logs, ATM switch logs, SSH logs and VPN logs. The FAQs specifically clarify that this list is not exhaustive.

The FAQs are unclear on the obligation to store logs within India. FAQ 35 states that logs may also be stored outside India as long as they are made available to CERT-IN within a reasonable time, which could be read as a relaxation of the data localisation requirement in the Directions. However, FAQ 36 states that the logs of foreign service providers, and of the foreign legs of financial transactions, must be stored in India itself. Given the general trend towards data localisation, it seems unlikely that there is any intent to dilute the localisation obligation imposed by the Directions.

The obligation to maintain logs and records of financial transactions within Indian jurisdiction, even for foreign service providers offering services to users in India, is quite onerous. It will mean significant costs for foreign companies, which will have to engage data centres or cloud service providers with Indian servers to hold such logs; storage in India is typically more expensive than in other parts of the world.

Other obligations

The Directions also include a range of other significant new obligations.

Designation of Point of Contact – Each Regulated Entity must designate a point of contact to interface with CERT-IN, whose details must be reported in the format prescribed in Annexure II of the Directions. CERT-IN has clarified that this obligation applies to foreign service providers offering services to Indian users as well.

Recording of Data – Data centres, virtual private server providers, cloud service providers and virtual private network (“VPN”) service providers must record the following information ‘accurately’ and retain it for five years or longer, as required, after any cancellation or withdrawal of the registration:

  • Names of customers hiring the services
  • Hiring Period
  • IP addresses assigned to members
  • The email address, IP address, and time stamps used at the time of registration
  • Hiring Purpose
  • Contact information and Addresses (validated)
  • Ownership pattern of customers i.e., basic information about the customers and brief particulars of key management.

A VPN service provider means any entity that provides “Internet proxy like services” through the use of VPN technologies to general internet subscribers or users. This restricted definition relieves corporates and enterprises that use VPNs for their own staff, who, under this definition, are not required to maintain such customer data.

Additional compliance for virtual financial services providers – Virtual asset service providers, virtual asset exchange providers and custodian wallet providers have additional obligations and must record all information gathered as part of Know Your Customer (“KYC”) checks and updates, as well as records of financial transactions, for a period of five years.

For the purposes of KYC, these virtual financial service providers must refer to the directions issued by the Reserve Bank of India (“RBI”), the Securities and Exchange Board of India (“SEBI”) and the Department of Telecommunications. Transaction records must be accurate and kept in such a way that individual transactions can be reconstructed; to this end, the information recorded must include the parties to the transaction, their IP addresses, and the nature, amount and date of the transaction.

Obligation to connect to a Network Time Protocol server – All Regulated Entities must synchronise the clocks of all their information and communication technology systems with the Network Time Protocol (“NTP”) server of the National Informatics Centre or the National Physical Laboratory, or with servers traceable to those servers (i.e., an internal NTP hierarchy whose upstream chain ultimately leads to them). The FAQs clarify that Regulated Entities may also use other accurate and standard time sources, provided they conform to the abovementioned servers, and provide further detail on this obligation. In practice, consistent clocks matter because the 180-day logs described above are only useful to CERT-IN if timestamps across systems can be correlated.

Sanctions

Failure to furnish information to CERT-IN, or otherwise to comply with the Directions, is punishable under section 70B(7) of the IT Act with imprisonment of up to one year and/or a fine of up to one lakh rupees (approximately £1,000).

Enforcement under the IT Act has generally been lax, and we are not aware of any instance of action having been taken for failure to report a cyber security incident under the CERT-In Rules. Therefore, while section 70B(7) of the IT Act contemplates imprisonment, there is nothing to suggest that this will actually be enforced in practice. The Government has sought to allay concerns about sanctions by stating in the FAQs that the power to impose penal sanctions will be exercised reasonably and only where non-compliance is deliberate.

Conclusion

India is in dire need of a more robust framework for identifying, reporting and addressing cyber security breaches, including a clear legal basis for it, and it is heartening to see the Government focusing on this issue. However, the way this is being pursued appears disorganised and risks not meeting the ultimate goal stated in the FAQs: an open, safe, trusted and accountable internet.

In addition to sectoral reporting requirements (i.e., to SEBI, RBI and the Insurance Regulatory and Development Authority, where relevant), reports will have to be made under the CERT-In Rules and the Directions (as clarified by the FAQs). Some of the clarifications in the FAQs have the effect of diluting the obligations under the Directions. Even though the FAQs expressly state that they are not a legal document, it will be interesting to see how the interplay between the Directions and the FAQs plays out in practice.

The cyber incident reporting obligation as currently framed in the Directions could result in a huge volume of reports (including multiple reports of the same incident), many of which may be incomplete and none of which are classified by severity. The Government will need to consider whether, beyond increasing the compliance cost and burden on both Regulated Entities and the Government itself (which must review and act on the reports it receives), this will achieve the ultimate objective of an open, safe, trusted and accountable internet.

Several organisations have indicated that they are unable to comply with these requirements, especially those relating to the retention and disclosure of personal data, and some have indicated that they may need to reconsider doing business in India if the requirements remain mandatory. Based on the FAQs and subsequent public comments from the Government (the Union Minister of State for Electronics and Information Technology has stated that those who cannot comply with the Directions can pull their services out of India), it does not appear that the Government intends to back down or dilute these obligations significantly in the short term.

Accordingly, since the Directions take effect from 27 June 2022, a Regulated Entity wishing to avoid action for non-compliance would do well to focus now on developing a framework (including the necessary changes to technology, logging and clock synchronisation) for reporting cyber incidents as required under the Directions.

By Deepa Christopher and Riya Shah, Talwar Thakore & Associates

Linklaters has a best-friends relationship with Talwar Thakore & Associates (TT&A), a leading Indian law firm.