Alston & Bird Privacy, Cyber & Data Strategy Blog

New Cybersecurity Rules In India Impose Strict Reporting Requirements and Steep Penalties

July 11, 2022 By Kim Peretti and Kristen Bartolotta

The Indian Computer Emergency Response Team (“CERT-In”) issued Directions on April 28, 2022 “to strengthen the cybersecurity in the country,” and they have significant implications for the cybersecurity landscape. Effective June 27, 2022, the Directions, among other requirements, impose a strict 6-hour timeline for notice of a cybersecurity incident and expand the types of cybersecurity incidents that must be reported. These Directions effectively amend the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”) issued under Section 70B(5) of the IT Act.

The broadly worded Directions apply to most businesses operating in India, with the notification provision applying to any “service provider, intermediary, data centre, body corporate and Government organization.” All such entities must report “cyber incidents” to CERT-In within 6 hours of “noticing such incidents or being brought to notice about such incident.” This effectively amends the CERT-In Rules, which required reporting of certain cyber incidents to CERT-In “as early as possible to leave scope for action.” While CERT-In created a standard form that entities may use for notice, the Directions state that notice to CERT-In can be made via email, phone, or fax. Further, the Directions note that the details regarding method and format of how an entity may report cyber incidents are posted on the CERT-In website and may be updated from time to time.

What constitutes a “cyber incident” is also expanded by the Directions. While the 2013 CERT-In Rules listed 10 types of incidents on which reporting was mandatory for any affected entity, the Directions have doubled the types of incidents that trigger mandatory reporting. Annexure I of the Directions includes a list of 20 types of incidents for which reporting is mandatory within the 6-hour window (the first two bullets of which were required reporting under the previous rules). This list includes:

  • Targeted scanning or probing of critical networks or systems
  • Defacement of a website or intrusion into a website and making unauthorized changes
  • Fake mobile Apps
  • Unauthorized access to social media accounts
  • “Suspicious activities” affecting cloud computing systems or servers, networks and systems related to block chain and virtual assets, systems and servers related to machine learning, among other various systems, servers, software, networks, and applications.

Reporting on these incidents is not triggered by severity or actual impact to data, networks, or systems. Rather, an entity need only “notice” the incident, or be “brought to notice” of it, for reporting to CERT-In to be required. For example, under this new requirement, an entity that notices a fake mobile app imitating its real mobile app may have to report the incident to CERT-In within 6 hours, regardless of any indication as to whether a consumer or the entity has suffered harm.

When providing notice to CERT-In, entities are expected to provide basic information on the incident. The form includes sections where the entity can identify the type of incident, provide information on the affected system, and briefly describe the incident. Notably, the form has a check box option to indicate whether the individual is reporting on behalf of the affected entity or is reporting an incident that affected a different entity. CERT-In further clarified in the FAQs that supplemental information may be required if the entity is able to provide only limited information in the initial report.

The Directions further allow CERT-In to seek information and issue orders to an entity both in the context of an incident and in order to take “protective and preventative actions.” Noncompliance with such an order or request is treated as noncompliance with the Directions, which is criminally punishable pursuant to sub-section 7 of section 70B of the IT Act, 2000. The consequences of noncompliance by any service provider, intermediary, data centre, body corporate or person can include fines of up to one lakh rupees, or up to one year of imprisonment. The Directions do not indicate which corporate officers or employees could be imprisoned for noncompliance. However, the FAQs state that CERT-In will exercise its enforcement power reasonably and only when noncompliance is deliberate.

In addition to the expanded reporting requirements, the Directions include requirements on maintenance and disclosure of logs and, for certain entities such as VPN and cloud service providers, maintaining and registering certain information on their customers and customer use of services.

Filed Under: Cybersecurity, Data Breach, Digital Crimes, Enforcement, International, Regulation, Uncategorized Tagged With: CERT-In, cybersecurity, Data Breach Notification, India

About Kim Peretti

A former DOJ cybercrime prosecutor and former director of PwC's cyber forensics group, Kim delivers top of the line cyber risk management and information security counsel to her clients. As co-leader of our Privacy, Cyber & Data Strategy Team, Kim is recognized by select publications and is frequently quoted by the media.


About Kristen Bartolotta

Kristen Bartolotta is an associate in Alston & Bird’s Privacy, Cyber & Data Strategy Team. She advises clients on managing privacy and cyber risk, breach investigations and response, transactional diligence, and emerging technologies. Kristen also advises on privacy and security compliance at the state, federal, and international levels.


Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.