NEW DELHI:
All Indian companies must report any form of cybersecurity incident to the Indian Computer Emergency Response Team (Cert-In) within six hours of detection, the government said on Thursday, setting a deadline for reporting such events for the first time.
The ministry of electronics and information technology (Meity) directive, which takes effect on 28 June, also expands the range of cyber incidents that need to be reported to 20 categories, including defacement of websites, unauthorized access to social media, data breach and data leaks.
However, penalties under Section 70B of the Information Technology (IT) Act, 2000, for not responding to notices from Cert-In remain unchanged—imprisonment of up to one year and a fine of up to ₹1 lakh. The new rules also require virtual asset service providers, such as cryptocurrency exchanges, to maintain five-year logs of know-your-customer (KYC) data and information on every financial transaction so that individual transactions can be reconstructed in case of a cyber incident. Some experts termed the new regulations “excessive” and “overreaching”.
N.S. Nappinai, a Supreme Court advocate and founder of cyber safety organization Cyber Saathi Foundation, said companies are now mandated to align their time servers with the network time protocol (NTP) server of India’s National Informatics Centre (NIC).
Companies use time servers to connect to a reference server—in this case, the NTP of NIC—and provide this time data to the rest of the server infrastructure. The same is used to coordinate time stamps across a company’s overall connected infrastructure.
“This is being done so that companies can no longer play around with timelines of data breaches that happen or state time differences to escape regulation,” Nappinai said.
Akash Karmakar, a partner at law firm Panag & Babu, said there is no “risk of harm threshold” in India. “Internationally, such a threshold is used to classify serious and non-serious breaches, which is something that this new directive can help establish in India. The ones with a higher risk of harm will have the mentioned six-hour window in India to disclose cyber incidents,” Karmakar said.
Karmakar added that the directive also seeks to create a “class of reportable incidents and companies in high risk of harm category, which would be responsible for these incidents.” However, he also said the categories have been defined with “very broad strokes” and are “overreaching”.
“There are no specifics on what defines a data breach or a data leak. Even in terms of compromised social media accounts, there has to be some definition in terms of parameters that can and cannot be disclosed within six hours. Social media firms, for instance, would find it impossible to constantly disclose information on such breaches within six hours,” he added.
Pavan Duggal, an advocate and cyber law expert, said this is the first time the government issued directives on cyber law “of this magnitude and nature.” He further added, “India presently does not have a dedicated cyber security law, and the IT Act, 2000, only dealt with some aspects of it. The new rules bring every company in India under scrutiny and require logs of ICT servers to be maintained for a rolling period of 180 days for transparency and accountability.”
“By a single stroke of secondary legislation, the government has offered umbrella cyber security directions for all companies. These directions could be game-changing in their perspective and amplitude and could be a turning point in providing a robust legal framework for promoting cyber security,” Duggal added.
However, it remains to be seen if the rules are proportionate and appropriate to the causes they seek to address. Nappinai said the rules will be “tested on the anvil of Puttaswamy’s three golden rules – is there a law supporting the rule, is there a legitimate basis, and if it is proportionate.”