The rapid advancement in technology, providing easier access to the internet at a larger scale, has made sharing and accessing data, including personal data, faster and easier than ever before. This has made data one of the primary and most important assets for any organization.
The rapid growth in technology, strong customer demand, more tech-savvy personnel, an enabling policy framework and the Digital India Initiative have brought more and more people within the ambit of this digital world, resulting in a shift of everything towards digitalization. However, along with this shift towards digitalization, which is fuelling the growth of the digital economy in India, the concern with respect to data breaches and cyber-crimes also rises.
Data breaches and cyber-attacks have become quite rampant in India. As per reports from the Ministry of Electronics and Information Technology (“MeitY”), nearly seven lakh cases of cyber-attacks were reported until June 2022, which shows that no sector is immune from cybersecurity threats. Therefore, data protection is of paramount importance in India.
In the light of recent data breaches at popular companies like Domino’s, Unacademy, Air India etc., the Central Government, considering the high need for data protection in India, has through MeitY set up the Indian Computer Emergency Response Team (“CERT-In”) to address the serious problems that India has lately faced with respect to the rise in cyber crime, data theft and compromise of data.
In this article we attempt to discuss the purpose for which CERT-In was established, the recent directions issued by MeitY for CERT-In, what they entail, who will be covered, what their implications will be, and whether they will help curb cybercrime in India.
THE PURPOSE OF ESTABLISHING CERT-In
The Central Government, with the agenda of curbing cyber crime in India, established CERT-In in 2004 as the national agency responsible for dealing with cyber incidents and undertaking emergency measures for handling such incidents.
Until the year 2021, CERT-In was highly criticized for its lacklustre approach to reported cybercrime incidents. However, since 2021 it has taken a pro-active stance, seeking more information and requiring the reporting of incidents to affected individuals, as the lack of adequate and relevant information on cyber incidents significantly impacts risk assessment and mitigation exercises.
CERT-In DIRECTIONS, 2022
CERT-In, on 28.04.2022, vide No.20(3)/2022-CERT-In, issued new directions in consonance with its powers under Section 70-B of the Information Technology Act, 2000 (“IT Act”), with the intention of improving cybersecurity by incorporating stringent provisions with respect to breach reporting, data retention, data collection and data localization for security purposes, so as to create a safe and trusted internet space.
The objective of the CERT-In Direction is –
The CERT-In Directions will be applicable to the following entities –
a. Service providers – such as telecom service providers, network service providers, internet service providers, web-hosting service providers, cloud service providers, and cryptocurrency exchanges and wallets;
b. Intermediaries – such as social media platforms, search engines, and e-commerce platforms;
c. Body corporate – which include any company, firm or proprietorship;
d. Data centers – which store and process large quantities of private and public data; and
e. Government bodies.
CERT-In has laid down the following directions, in order to create a safer cyberspace in India –
1. Reporting – It is mandatory for all the entities to report the cyber incidents listed in the Directions within a period of 6 (six) hours of noticing such incidents or of being brought to notice about such incidents.
2. Synchronization – It is mandatory for all the entities falling within the ambit of these directions to connect with the Network Time Protocol (“NTP”) server of the National Informatics Centre (“NIC”) or the National Physical Laboratory (“NPL”), or with NTP servers traceable to these NTP servers, for synchronization of the clocks of all their information and communication technology (“ICT”) systems. However, entities with ICT infrastructure spread across multiple countries, such as cloud service providers, can use accurate and standard time sources other than NPL and NIC, as long as there is no deviation from these government-designated clocks.
3. Data Retention – It is mandatory for all the entities falling within the ambit of these directions to enable logs of all their ICT systems and retain them securely, within the jurisdiction of India, for a period of 180 days. CERT-In has the power to requisition these logs on demand.
4. Virtual Asset Companies to maintain KYC – It is mandatory for the virtual asset service providers, virtual asset exchange providers and custodian wallet providers to maintain all information obtained as a part of Know Your Customer (KYC) and records of financial transactions for a period of five years.
5. Data Localization – It is mandatory for Data Centers, Virtual Private Server (“VPS”) providers, Cloud Service providers and Virtual Private Network Service (“VPN Service”) providers to register the following accurate information about their customers and subscribers, and to retain it for a period of 5 years or longer after any cancellation or withdrawal of the registration.
6. Designated Contact – It is mandatory for the entities falling within the ambit of these directions to designate a point of contact, with whom CERT-In will interact and to whom it will provide information and compliance guidelines.
7. Power to command action and/or call for information – Under these directions, CERT-In has the power to issue orders to the entities falling within their ambit to take action or provide information that assists CERT-In in preventing, pre-empting or addressing cyber incidents.
Failure by an entity to furnish the information required, or any other non-compliance, may invite punitive action under Section 70-B(7) of the IT Act and other laws, as applicable. Section 70-B(7) of the IT Act provides for punishment with imprisonment for a term which may extend to 1 year, or a fine which may extend to INR 1,00,000, or both.
1. Flawed Incident Reporting Timeline – The stakeholders falling within the ambit of these directions have contended that such a stringent timeline is both unrealistic and ineffective in contrast to the earlier requirement of reporting “as early as possible”. Although expediting the reporting of an incident is crucial to prevent loss, a one-size-fits-all formula cannot be applied, as the time needed for an effective assessment of a breach would depend on the scale of the company, of the breach, etc. Furthermore, there is no clarity as to the threshold, severity and scale of the incidents to be reported to CERT-In.
2. Restricting Innovation – The requirement of maintaining data logs within the Indian jurisdiction is a cause for concern, as de facto data localization will hamper innovation, since the free flow of data across borders will be strictly restricted. Further, compliance costs would increase for companies, as they will be required to maintain servers to store data in India.
3. Risk of Surveillance – The increase in data retention by the entities, with that data being accessible to the Centre, would lead to more monitoring by the state and thus would strengthen state surveillance, which is something the Centre has been alleged to do in recent years. It has also been contended that the provisions on data localisation and retention would put citizens’ data at greater risk of being breached and thus would go against the purpose of the directive.
4. Incorrect one-size-fits-all approach – The mandatory requirement of maintaining server logs for all ICT systems for a period of 180 days, and additionally for VPNs and virtual asset management companies to collect and store information on Indian users for up to five years, is an extremely broad approach. Instead of specifying which logs are necessary, such as security logs, and which entities are essential and important for India based on a proper risk assessment, everything is covered by these directions, which will create a huge pool of log information. This will be a significant hurdle for small and medium enterprises (SMEs), which might not have the financial resources or the capacity to maintain such enormous archives of their logs. This could have the unintended consequence of suppressing innovation and allowing only large tech companies to operate in India.
India has witnessed an alarming number of cybersecurity and data theft related incidents in recent years. A direct result of these data breaches and incidents is that Indian users’ personal data is available to third parties over the Internet for nefarious use. Therefore, there was a high need for such directions to be implemented to address such cybersecurity issues in an effective and stringent manner.
The CERT-In Directions will help establish a comprehensive cyber incident reporting system and cybersecurity mechanism. However, great caution is needed, as the increase in data retention by the entities, with that data being accessible to the Government, raises the probability of monitoring, which the Government has been alleged to carry out in recent years. Further, the provisions on data localization and retention would put citizens’ data at greater risk of being breached and thus would go against the purpose of the directive.
Furthermore, it has been witnessed time and again that such regulations have been introduced citing national security and public interest without any accountability for the same, and the situation becomes even more concerning owing to the fact that there is no robust framework for data protection in India.
In light of the above, it is essential that the fallacies present in the CERT-In directions be addressed first in order to achieve the desired goal of creating a safer cyberspace in India.
– Team AMLEGALS
For any queries or feedback, please feel free to get in touch with firstname.lastname@example.org or email@example.com.