The Ministry of Electronics and Information Technology (“MeitY”) has released a document in response to queries received by CERT-In regarding its Cyber Security Directions on IT Practices, Response, and Reporting of Cyber Incidents (“Directions”) published on 28th April 2022.
Key highlights of the clarifications made by MeitY:
Applicability of the Directions
The Directions apply to service providers, intermediaries, data centres, body corporate, Virtual Private Server (VPS) providers, Cloud service providers, VPN Service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and Government organizations. The Directions do not apply to individual citizens.
Types of incidents that need to be reported to CERT-In
The document provides illustrative explanations for various types of incidents that are required to be reported.
Notification of Incident by Social Media Intermediaries
The document clarifies that all organizations or corporate entities, including intermediaries affected by cyber security incidents, need to mandatorily report the incidents provided in the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”) and the Directions. It is also imperative for intermediaries to report those cyber security incidents that are not mentioned in the CERT-In Rules or Directions, considering the severity, nature, and impact of the incident.
Transferability of Obligation to Report
Where a cyber security incident affects multiple parties, any entity which notices the incident shall report to CERT-In and the obligation of reporting the incident is neither transferrable nor indemnified or dispense with.
Individuals’ Right to Privacy
The document clarifies that the Direction does not affect the right to informational privacy of individuals as the Directions do not envisage the seeking of information from service providers by CERT-In on a continuous basis. CERT-In may, however, seek information from service providers in cases of cyber security incidents for discharge of its statutory obligations. The document further states that service providers are bound to protect the information of their users through reasonable security practices and procedures.
Directions and Confidentiality Obligation
The document clarifies that the obligation to report cyber security incidents to CERT-In is a statutory one under Section 70B of the IT Act, 2000 and overrides any confidentiality clause in a contract with a customer.
Applicability of Directions to Foreign Companies
The document clarifies that the Directions apply to any entity, whatsoever in the matter of cyber security incidents. Service providers, intermediaries, data centres, and body corporate offering services to the users in India shall designate a Point of Contact to liaise with CERT-In. Any service provider offering services to the users in India needs to enable and maintain logs and records of financial transactions in the Indian jurisdiction
Duration of Reporting Incidents
If all the information required in the CERT-In incident reporting form is not available within 6 hours of noticing the incident, the entity may provide information to the extent available at the time of reporting and provide CERT-In with additional information later within a reasonable time.
Confidentiality of Consumer Data
The requirement of service providers, intermediaries, and body corporate in respect of the protection of confidentiality of consumer data before the issuance of the Directions will continue to be in force without change.
Meaning of VPN Service Provider
For the purpose of the Directions, VPN service providers mean any entity that provides “Internet proxy like services” through VPN technologies, standard or proprietary, to general Internet subscribers/users. The Directions do not apply to Enterprise/Corporate VPNs.
Storage of Logs
The document clarifies that logs may be stored outside India also as long as the obligation to produce the logs to CERT-In is adhered to by entities within a reasonable time.
Request of Logs by Authorities
An officer of CERT-In not below the rank of Deputy Secretary to the Government of India may request logs from entities for carrying out the functions provided in Section 70B(4) of the IT Act, 2000.
Synchronization of ICT System Clocks
A typical cyber incident involves multiple computer systems within as well as across entities. Without an accurate time stamp, re-creating an accurate sequence of events may become challenging and cause serious hindrance while handling cyber incidents. Moreover, security technologies also rely heavily on specific patterns and correlation rules that are often based on the time parameter. Unsynchronized clocks across systems could result in the failure of security systems as well as the entity’s ability to act on proactive alerting/advisory of CERT-In as well as other agencies. Therefore, it is required to synchronize ICT system clocks.
Disclaimer: This legal update is the copyright of Reina Legal LLP. The update is not intended to be a form of solicitation or advertising. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate thereafter. No person should act on such information without appropriate professional advice based on the circumstances of a particular situation.