This post is authored by Raj Shekhar, a fourth-year student from National University of Study and Research in Law, Ranchi
The Indian Computer Emergency Response Team (“CERT-In”), on 28th April 2022, issued new directions (“Directions 2022”) under the powers conferred on it by Section 70B(6) of the Information Technology Act, 2000 (“IT Act”). The Directions 2022 seek to improve cyber security through stringent provisions ranging from incident reporting to data retention for security purposes. Owing to its status under Section 70B of the IT Act as the national agency for the upkeep of cyber security, CERT-In is also empowered to call for information from, and give directions to, any service provider, intermediary, data centre, body corporate and Government organisation (“Entities”). However, while the Directions 2022 have been applauded by many cyber security experts for their expedited and stringent measures for identifying and blocking cyber security threats, they have also been criticised on grounds of privacy infringement, over-regulation and the like. In light of this, the article evaluates those criticisms and analyses whether the Directions 2022 usher in an unambiguously positive cyber security and data regime.
The CERT-In Directions, 2022: A Brief Overview
The Directions 2022 come into effect 60 days after the date of their issuance, i.e. on 27th June 2022. They can be seen as a successor to CERT-In Advisory CIAD-2021-0004, released on 20th January 2021. That Advisory required affected entities to immediately notify users and customers who could be affected, with details of the information breached, the actions being undertaken by the affected entity to address the problem, and how users could reach out to CERT-In with any queries. In a nutshell, the Directions 2022 impose the following obligations:
- Reporting of Incidents within 6 hours: The Directions 2022 make it mandatory for all Entities to report cyber incidents to CERT-In within 6 hours of noticing such incidents or of such incidents being brought to their notice.
- Synchronisation of Information and Communication Technology (“ICT”) System Clocks: To synchronise the clocks of all their ICT systems, all Entities must connect to the Network Time Protocol (“NTP”) servers of the National Informatics Centre (“NIC”) or the National Physical Laboratory (“NPL”), or to NTP servers traceable to these servers. A relaxation is provided for ICT infrastructure that spans multiple geographical locations: such Entities may use accurate and standard time sources other than NPL and NIC, provided their time source does not deviate from NPL and NIC time.
- Retention of Data Logs: All Entities must mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days. The logs have to be maintained within the Indian jurisdiction, and CERT-In has the power to requisition them on demand.
- Virtual Asset Industry Players to Retain KYC and Other Data: Virtual asset service providers, virtual asset exchange providers and custodian wallet providers have to maintain mandatory records of the KYC data of all their customers, along with records of financial transactions. These records include information identifying the relevant parties to a transaction, such as IP addresses with timestamps and time zones, the transaction ID, the public keys (or equivalent identifiers), the addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amounts transferred.
- Point of Contact: The Directions 2022 mandate that Entities designate a Point of Contact to interface with CERT-In.
- Retention of Subscriber Data: All Data Centres, Virtual Private Server (“VPS”) providers, cloud service providers and Virtual Private Network service (“VPN service”) providers are required to register and maintain accurate information about their customers and subscribers, and to retain it for a period of 5 years or longer after any cancellation or withdrawal of the registration.
- Penalty Provisions: The Directions 2022 specify that any failure to furnish the information required under them, or any other non-compliance, may invite punitive action under Section 70B(7) of the IT Act and other applicable laws. Section 70B(7) of the IT Act provides for punishment with imprisonment for a term which may extend to 1 year, or a fine which may extend to INR 1,00,000, or both.
Reading Between the Lines: Implications of the Directions 2022
While the six-hour reporting requirement, the localisation of system logs and the synchronisation of all systems to Indian NTP servers appear precautionary in nature, experts are concerned about their consequences. To better understand these concerns, it is pertinent to analyse each of them.
- Ambiguity Regarding Scope: CERT-In has mandated Entities to “…mandatorily enable logs of all their ICT systems…”. However, the Directions are silent on what “all their ICT systems” covers, which raises concerns such as the government gaining access to, or enterprises storing, more data than necessary. Additionally, terms such as “Data Centres”, “VPS providers”, “Cloud Service providers”, “VPN Service providers”, “service providers” and “body corporate” are used without being defined. In the present instance, this could lead to over-retention of data, which would run contrary to the international principles of purpose limitation and data minimisation.
- De-Facto Data Localisation: In keeping with the recent trend, the Directions 2022 can be seen as an attempt to introduce soft data localisation in India. The requirement to maintain logs within the Indian jurisdiction is a clear indicator of this. While the Personal Data Protection Bill already lays great emphasis on data localisation, the Directions 2022 make this stance even clearer. Such a measure is a cause for concern, as data localisation can stifle innovation and the free flow of data across borders. Further, the compliance cost borne by these players would be passed on to Indian users of such services, increasing their expenditure.
- Risk of State Surveillance: The Directions 2022 mandate all Entities to maintain logs of all their ICT systems for a period of 180 days, and additionally mandate VPN service providers and virtual asset service providers to collect and store information on Indian users for five years or longer. Some experts see this as yet another attempt at state surveillance.
- A Flawed 6-Hour Reporting Formula: While prompt reporting of cyber incidents is considered a prerequisite to preventing further loss, a one-size-fits-all formula cannot be applied. It follows logically that the time needed to assess an incident effectively depends on the scale of the company, the scale of the incident, and similar factors. The current requirement of reporting within 6 hours could lead to situations where the assessment of an incident's impact suffers. Hence, a revised approach with a customised time limit depending on scale, size and similar factors ought to be considered.
- Rights of the Data Principal: The Directions 2022 do make it mandatory for data fiduciaries to report incidents of a breach to CERT-In. No corresponding obligation is cast upon them to inform the data principal. The absence of such a provision raises the question of why the actual victims of a cyber-attack or data breach should be kept in the dark. Further, the absence of any redressal mechanism that the data principal could opt for only makes the situation worse.
Directions 2022: Towards the Dream of a Safer Cyberspace?
The Directions 2022 are part of the larger effort of government agencies to introduce a comprehensive cyber incident reporting and cyber security mechanism. At the same time, the above analysis makes it clear that the concerns regarding the Directions 2022 are legitimate. It has been seen time and again that the government introduces such regulations citing national security and public interest without any corresponding accountability. The situation is all the more concerning because India lacks a comprehensive data protection law. While it is true that the Directions 2022 enhance the legal obligations on cyber incident reporting beyond what was originally envisaged under the IT Act and the Rules, the courts' role in interpreting the deviations from existing provisions of the IT Act contained in these Directions will be an interesting development to track. With the departure of giants like NordVPN, and other popular players voicing their refusal to comply, it remains to be seen how the regulator and the industry will respond to the new regime.