Limiting Un(CERT-In)ty
Introduction
The Indian Computer Emergency Response Team (CERT-In), the national agency appointed under the Information Technology Act, 2000 (IT Act) for performing cyber security functions, had in April 2022 published directions relating to information security practices, procedure, prevention, response, and reporting of cyber incidents for safe & trusted internet (Directions). The Directions were released with the objective of enhancing and strengthening the cyber-security framework in the country. The Directions read with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (2013 Rules) forms the cyber security framework to be followed by body corporates, data centers, service providers and other intermediaries operating in India (Covered Entities).
The Directions were met with criticism from certain sections of the industry, primarily due to the onerous compliance requirements imposed by it, coupled with ambiguity relating to entities to whom the Directions would be applicable. Upon the coming into effect of the Directions, a few of the compliance requirements to be followed by the Covered Entities are: (a) report cyber-incidents to the CERT-In within 6 hours of becoming aware of such incident; (b) respond to any information requests received from CERT-In; (c) maintaining in India, a log of all their information and communication technology systems for a rolling period of 180 days; and (d) designate a point of contact in India. Additionally, compliance requirements have also been prescribed for virtual private network (VPN) and other similar service providers requiring these entities to maintain user data for a period of at least 5 years. Similarly, service providers facilitating transactions in virtual assets, including cryptocurrency, have been mandated to maintain all information obtained during KYC checks, and in relation to financial transactions facilitated by it, for a period of 5 years.
Clarifications by CERT-In
In response to the criticisms received, and to clarify certain aspects of the Directions, CERT-In has now released ‘FAQs’ on 18 May 2022 (FAQs) with the objective of enabling better understanding of, and compliance with the Directions. We have listed below a few key clarifications provided under the FAQs:
a. The FAQs have clarified that: (i) the term ‘body corporate’ shall have the meaning as per section 43A of the IT Act, which includes a company, firm, sole proprietorship or other association of individuals engaged in commercial or professional activities; (ii) the Directions will not apply to any individual citizens; (iii) ‘intermediaries’ will have to comply with the Directions, the 2013 Rules as well as the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediaries Rules).
b. In addition to the above, the FAQs also clarify that the extra-territorial nature of the IT Act will similarly apply to the Directions, and that the Directions will apply to even those entities that are not present in India, but cater to Indian users. Such entities will be required to designate a point of contact in India to liaise with CERT-In.
c. To address the privacy concerns raised by users, CERT-In has clarified that information requests will be made only by officers above the rank of deputy secretary to the government of India, and that information requests will be linked to cyber-security incidents, and no information will be requested by CERT-In from Covered Entities under continuing arrangements. However, the FAQs simultaneously state that the statutory requirements related to reporting of cyber security incidents will prevail over any contractual confidentiality obligations undertaken by the Covered Entities, thereby creating additional privacy apprehensions for the users.
d. With respect to the stringent timelines of 6 hours for the reporting of cyber security incidents, the FAQs state that the Covered Entities may provide information readily available with them within such time period, and additional information may be reported later within a reasonable period of time.
e. Another industry concern prior to the release of the FAQs was whether the requirement for registration of VPN and similar service providers and the user information with CERT-In, would also apply to enterprise or corporate VPN service providers. The FAQs have clarified that VPNs being used to provide secured access to the employees of a corporate entity will not be required to register themselves with CERT-In, and only entities providing proxy services to general internet users will be required to comply with this registration requirement.
f. The FAQs have diluted the requirement of maintaining logs of IT systems in India, by stating that such logs may be stored outside India, as long as entities are able to produce such logs before the CERT-In upon the receipt of a request, within reasonable time periods.
g. The FAQs have also provided detailed explanations to each of the incidents identified as cyber-security incidents under annexure 1 of the Directions, and the same will provide additional guidance to the Covered Entities in relation to the nature of incidents that are required to be reported to CERT-In.
h. Through the FAQs, CERT-In has attempted to placate concerns with respect to the maximum punishments (up to one year imprisonment) and fine (up to INR 1 lakh) that may be imposed upon any non-compliance with the Directions. The FAQs state that the power to penalize will be exercised in a reasonable manner, and only on occasions where the non-compliance with the Directions is deliberate in nature.
Our thoughts and recommendations
Due to the absence of a comprehensive law on data protection in India, and a continuous increase in instances of cyber security breaches in the country, CERT-In has stepped in by way of the Directions, to attempt to strengthen the country’s cyber security framework. However, a primary criticism of the Directions that the FAQs have failed to rectify, is the all-encompassing applicability of the Directions, and requirements in relation to reporting of any kind of cyber-security incident. The all-encompassing nature of the Directions will have the effect of imposing substantial financial compliance as well as manpower costs on smaller businesses, who will be required to implement comprehensive information technology frameworks to satisfy the requirements of the Directions.
The FAQs have also failed to appreciate that the requirement of maintaining IT logs for a rolling period of 180 days, may be against the principle of ‘storage limitation’ as per which personal data should not be stored by organisations for longer than necessary. In fact, the requirement of storing of personal data pursuant to the Directions may inadvertently result in greater instances of privacy violations.
Additionally, while the FAQs have provided a few clarifications and relaxations with respect to the Directions, it must be noted that the FAQs do not have the force of law, and the relaxations provided by the FAQs may not be implemented in a uniform manner.
While the Directions and the FAQs are steps in the right direction, prior to the coming into effect of the Directions from 27 June 2022, CERT-In may consider introducing impact thresholds above which entities may be required to mandatorily report cyber-security incidents. For instance, under the Intermediaries Rules, the government has notified a threshold of 5 million users for a social media intermediary to be considered as a significant social media intermediary, and such significant social media intermediaries are required to follow additional and more stringent compliance requirements. This may ensure that no compliance requirements are created with respect to non-material cyber-security incidents, and that smaller businesses are also spared from incurring compliance costs, wherever not required. Accordingly, a relook at the Directions prior to implementation is necessary to strike a balance between prevention of cyber-security breaches and the practicality of the compliance requirements being imposed to prevent such breaches.
Author: Tanuj Modi
The information contained in this document is not legal advice or legal opinion. The contents recorded in the said document are for informational purposes only and should not be used for commercial purposes. Acuity Law LLP disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.