On April 28, 2022, the Indian Computer Emergency Response Team (“CERT-In”) under the Ministry of Electronics and Information Technology issued extensive directions to service providers, intermediaries, companies, firms, and government organisations (collectively, “Entities”, and each an “Entity”) specifying various ‘cyber security directions’ that they are required to follow (“Directions”)[1].
While the Directions have been issued under CERT-In’s power under Section 70B(6) of the Information Technology Act, 2000 (“IT Act”), read with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“Rules”)[2], their requirements are far reaching: in addition to enhancing the existing breach reporting mechanism, they also create a de facto know your customer (“KYC”) regime for certain types of Entities.
As has often been the case with recent enactments[3], the Directions have been accompanied by much consternation[4], necessitating CERT-In to publish ‘Frequently Asked Questions on Cyber Security Directions of 28.04.2022’ (“FAQs”)[5]. The following is our analysis of some of the key requirements under the Directions along with the clarifications provided through the FAQs.
Coverage
The Directions apply to service providers, virtual private server providers, virtual private network (“VPN”) service providers, cloud service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers, intermediaries, data centres, bodies corporate and government organisations.
While ‘intermediaries’[6] and ‘bodies corporate’[7] are defined in the IT Act, and ‘social media intermediaries’[8] are defined in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Guidelines”), the Directions do not clarify what any of the other categories mean and leave the door open for other ministries to do so.
The IT Act extends to all computer resources, persons or entities located in India as well as to Entities processing data of Indian persons. The position has also been reiterated in the FAQs, which state that the Directions apply to “any entity whatsoever, in the matter of cyber incidents and cyber security incidents”[9] but do not apply to individual citizens[10]. Further reference has been made to Section 1 and Section 75 of the IT Act[11]. It therefore appears that to the extent an incident affects users in India or involves a computer, computer system or computer network located in India, the same will have to be reported to CERT-In.
Reporting
Entities are mandatorily required to report cyber security incidents to CERT-In within 6 (six) hours of noticing such incidents or being brought to notice about such incidents.
Reportable incidents under the Directions are defined broadly and include unauthorised access to systems, data breaches, data leaks, malicious code attacks, identity theft, spoofing or phishing attacks, attacks affecting applications/software relating to big data, blockchain, virtual assets and custodian wallets, and unauthorised access to social media accounts. The FAQs clarify that a vulnerability[12] (i.e. the existence of a flaw or weakness in the hardware or software of a computer resource that can be exploited, resulting in functioning other than what was intended) need not be mandatorily reported.
In relation to the reporting requirement itself, the FAQs mandate any Entity (“whether such Entity is a consumer facing business, back end partner or outsourcing partner”) which notices[13] the cyber security incident, to report it.
In conjunction with the broad definition of ‘cyber security incidents’, this expansion raises troubling questions around what happens when service providers and clients disagree on the occurrence (e.g. was access unauthorised?) or manner of reporting (e.g. should reporting include sensitive logs?) of an ‘incident’.
Also concerning is the assertion of the FAQs that this reporting obligation may not be “transferred, indemnified or dispensed with”[14].
Under the Directions, Entities are required to designate a point of contact (“POC”) to act as an interface with CERT-In and receive orders and directions from it. The FAQs clarify that Entities offering services to Indian users without any physical presence in India will also be required to designate such a POC[15].
Logs
The Directions require Entities to maintain logs of ‘ICT systems’ for 180 (one hundred and eighty) days on a rolling basis. The IT Act defines, in broad terms, ‘communication device’, ‘information’ and ‘computer system’, but not ‘ICT system’; the intent of the new term appears to be to cast an even wider net, and the FAQs offer no guidance on its scope.
Further, whereas the Directions require logs to be maintained within India, the FAQs specify that logs may be stored outside India so long as they are made available to CERT-In upon request[16], while records of financial transactions must be maintained within India[17]. It is interesting to note the diverging stand that the FAQs take with respect to the jurisdiction where logs may be stored, and the effect of such divergence, given their advisory nature.
Subscriber Data
The Directions require virtual private server providers, VPN service providers, data centres and cloud service providers to collect certain information in relation to customer accounts, and to store it for at least 5 (five) years after such accounts are closed.
This includes ‘validated’ names, addresses and contact numbers of customers and their ownership patterns, along with usage details such as the IP addresses allotted, the email addresses and time stamps recorded at registration, the purpose of hiring the service and the period of hiring.
The FAQs clarify that the above requirement applies to VPN service providers that provide internet proxy-like services, using standard or proprietary VPN technologies, to general internet subscribers, and does not apply to enterprise and corporate VPNs[18].
Further the FAQs clarify that ‘ownership patterns’ can be read to mean basic information about customers and subscribers such as whether the customer is an “individual, partnership, association, company, etc. along with brief particulars of their key management”[19]. This is a welcome reading, as a requirement to determine ownership or even beneficial ownership would have proved very onerous.
For Entities which deal with virtual assets, including virtual asset service providers, virtual asset exchange providers and custodian wallet providers, the Directions create a mandatory KYC regime aligned with the existing processes applicable to various regulated entities such as financial institutions and telecom providers. In addition to KYC information, such Entities are required to maintain records of financial transactions for a period of 5 (five) years.
In this regard, the FAQs provide two welcome clarifications:
A. That CERT-In will not seek information from Entities on a continuous basis, and will only do so in case of cyber security incidents and cyber incidents, for discharge of statutory duties[20]; and
B. That for financial transactions, the records of the entire transaction need to be maintained in India[21].
Time Protocols
The Directions require Entities to connect to Network Time Protocol (“NTP”) servers and synchronise the clocks of all ‘ICT systems’. Entities with infrastructure across several geographies may use other standard time sources, but such sources must not deviate from NTP.
While the FAQs clarify that Entities are not required to set system clocks to Indian Standard Time and may instead use the UTC time stamp provided by NTP, they do not clarify how Entities are to ensure nil deviation from NTP while using other time sources[22].
The FAQs clarify that customers in cloud environments may continue using the native cloud time services[23].
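Because the Directions measure compliance as deviation from NTP, the practical check is to query a server, validate the reply and compute the offset using the four-timestamp method of RFC 5905. The following is an added example, not code from the Directions, the FAQs or CERT-In: it constructs an NTP v4 server reply offline for a scenario in which the local clock is 3.5 s slow, rejects replies that are unsynchronised, kiss-o'-death, or whose origin timestamp does not echo the request (the standard check against stale or forged replies), and reports offset and round-trip delay. The 128 ms tolerance is an assumption borrowed from ntpd's default step threshold, not a figure from the Directions.

```python
import struct

NTP_EPOCH_OFFSET = 2_208_988_800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
PACKET_FMT = "!BBBbII4sQQQQ"          # RFC 5905 header: 48 bytes, big-endian
PACKET_LEN = struct.calcsize(PACKET_FMT)


def to_ntp64(unix_ts: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds since 1900 | 32-bit fraction)."""
    secs = int(unix_ts) + NTP_EPOCH_OFFSET
    frac = int(round((unix_ts - int(unix_ts)) * (1 << 32)))
    if frac == 1 << 32:               # rounding carried into the seconds field
        secs, frac = secs + 1, 0
    return (secs << 32) | frac


def from_ntp64(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds as float."""
    secs, frac = ts >> 32, ts & 0xFFFFFFFF
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_server_response(t1: float, t2: float, t3: float, stratum: int = 2,
                          leap: int = 0) -> bytes:
    """Constructed NTP v4 server reply (mode 4); t1 is echoed back as the origin timestamp."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    return struct.pack(PACKET_FMT,
                       li_vn_mode, stratum, 6, -20,   # poll = 2^6 s, precision = 2^-20 s
                       0, 0, b"GPS\x00",              # root delay, root dispersion, reference id
                       to_ntp64(t2 - 16),             # reference timestamp (last sync with source)
                       to_ntp64(t1), to_ntp64(t2), to_ntp64(t3))


def parse_response(data: bytes, sent_t1: float, t4: float) -> dict:
    """Validate a server reply against the request we sent and compute offset and delay."""
    if len(data) < PACKET_LEN:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref, orig, recv, xmit) = struct.unpack(PACKET_FMT, data[:PACKET_LEN])
    leap, mode = li_vn_mode >> 6, li_vn_mode & 0x7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if leap == 3:
        raise ValueError("server clock unsynchronised (LI=3)")
    if not 1 <= stratum <= 15:
        raise ValueError(f"unusable stratum {stratum} (0 = kiss-o'-death, 16 = unsynchronised)")
    if orig != to_ntp64(sent_t1):
        # RFC 5905 origin-timestamp check: a reply that does not echo our transmit
        # timestamp is stale or forged and must not be used to steer the clock.
        raise ValueError("origin timestamp does not match our request")
    t1, t2, t3 = from_ntp64(orig), from_ntp64(recv), from_ntp64(xmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2  # positive: local clock is behind the server
    delay = (t4 - t1) - (t3 - t2)         # round-trip network delay, server processing excluded
    return {"offset_s": offset, "delay_s": delay, "stratum": stratum}


def check_clock(result: dict, max_offset_s: float = 0.128) -> bool:
    """True if the measured offset is within tolerance (assumed 128 ms, ntpd's step threshold)."""
    return abs(result["offset_s"]) <= max_offset_s


if __name__ == "__main__":
    # Constructed scenario: local clock 3.5 s slow, 100 ms round trip, 50 ms server processing.
    local_t1 = 1_651_104_000.000                    # our transmit time, by our (slow) clock
    true_t2, true_t3 = local_t1 + 3.55, local_t1 + 3.60
    local_t4 = local_t1 + 0.15                      # our receive time, by our clock
    reply = build_server_response(local_t1, true_t2, true_t3)
    res = parse_response(reply, local_t1, local_t4)
    print(f"offset={res['offset_s']:+.3f}s delay={res['delay_s']:.3f}s within_tolerance={check_clock(res)}")
```

Against a live server the same parser applies to the 48 bytes returned over UDP port 123, with `sent_t1` and `t4` read from the local clock immediately before sending and after receiving; a Kerberos or TLS failure caused by skew typically shows up first as an offset well outside the tolerance here.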
Penalties
Non-compliance with the Directions or failure to furnish information to CERT-In may result in invocation of the penal regime under Section 70B (7) of the IT Act or other applicable law.
Under the IT Act and Rules, upon such non-compliance, the concerned officer (who issued the direction or requested the information) must notify the Director General, CERT-In. A review committee is then required to be set up to review and report on the non-compliance, following which the Director General, CERT-In may file a complaint before a court, which in turn may impose imprisonment for a term of up to 1 (one) year, a fine of up to INR 1,00,000 (Indian Rupees One Lakh only), approximately USD 1,300 (United States Dollars One Thousand Three Hundred only), or both.
However, the FAQs specify that the power to seek penalties will be exercised reasonably and only where the non-compliance is deliberate[24], which is a welcome development in a regime that remains onerous and, in places, unclear.
For further information, please contact:
Arun Prabhu, Partner, Cyril Amarchand Mangaldas
arun.prabhu@cyrilshroff.com
[3] The Intermediary Guidelines that were published last year have been subject of widespread protests, and the staying of several operative portions by courts. For further details on stay of certain operative portions, please see here and here.
[4] The Directions have already been a matter of discontent amongst stakeholders, as can be seen here and here.
[6] Section 2(w) of the IT Act defines an ‘intermediary’ as an entity which collects, stores, processes, transmits or provides services in relation to any electronic records and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.
[7] Explanation (i) of Section 43A of the IT Act defines ‘body corporate’ to mean any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.
[8] Rule 2(w) of the Intermediary Guidelines defines a ‘social media intermediary’ as an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.
[9] FAQ 27 of the FAQs.
[10] FAQ 7 of the FAQs.
[11] Section 1(2) of the IT Act states: ‘It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention thereunder committed outside India by any person’.
Section 75(1) of the IT Act states: ‘Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention thereunder committed outside India by any person irrespective of his nationality’.
Section 75(2) of the IT Act states: ‘For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India’.
[12] Rule 2(p), Rules.
[13] FAQ 13 of the FAQs.
[14] FAQ 13 of the FAQs.
[15] FAQ 29 of the FAQs.
[16] FAQ 35 of the FAQs.
[17] FAQ 36 of the FAQs.
[18] FAQ 34 of the FAQs.
[19] FAQ 33 of the FAQs.
[20] FAQ 20 of the FAQs.
[21] FAQ 36 of the FAQs.
[22] FAQ 40 of the FAQs.
[23] FAQ 42 of the FAQs.
[24] FAQ 23 of the FAQs.