The Ministry of Electronics and Information Technology (MEITy) recently issued directions to augment and strengthen cyber security in the country (Directions) . These Directions apply to service providers, intermediaries, data centres, companies and government organisations and any non-compliance in this regard may invite grave consequences. These Directions will come into effect from 27 June 2022.

BACKGROUND

The Central Government had appointed ``Indian Computer Emergency Response Team (CERT)`` vide notification dated 27 October 2009. As per provisions of Section 70B (4) of the Information Technology Act 2000 (IT Act), CERT is the national agency for performing certain functions in the area of cyber security, such as (a) Collection, analysis and dissemination of information on cyber incidents; (b) Forecast and alerts of cyber security incidents; (c) Emergency measures for handling cyber security incidents; (d) Coordination of cyber incidents response activities; etc.

CERT is empowered and competent to call for information and give directions to the service providers, intermediaries, data centres, body corporate and any other person for carrying out the activities enshrined in sub-section (4) of Section 70B of the IT Act.

DIRECTIONS:

These Directions are issued under Section 70B (6) of the IT Act. They are as follows:

• The service providers, intermediaries, data centres, body corporate and Government organisations shall designate a ``Point of Contact`` to interface with CERT in respect of cyber incident response, protective and preventive. All communications from CERT seeking information and providing directions for compliance shall be sent to the said Point of Contact. The details of a Point of Contact shall be submitted in the format specified in Annexure II of the Directions.

• Any service provider, intermediary, data centre, body corporate and Government Organisation shall mandatorily report cyber incidents to CERT within 6 hours of noticing such incidents or being brought to notice about such incidents. The incidents can be reported to CERT-In via email (incident@cert-in.org.in), Phone (1800- 11-4949) and Fax (1800-11-6969). The details regarding methods and formats of reporting cyber security incidents is also published on the website of CERT-In www.cert-in.org.in and will be updated from time to time.

• All service providers, intermediaries, data centres, body corporate and Government Organisations are mandatorily required to enable logs of all their ICT systems and maintain them securely for a period of 180 days and the same shall be maintained within the Indian jurisdiction. These should be provided to CERT along with reporting of any incident or when ordered / directed by CERT.

• Data Centres, Virtual Private Server providers, Cloud Service providers and Virtual Private Network Service providers shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer as mandated by law after any cancellation or withdrawal as the case may be: (a) Validated names of subscribers/customers hiring the services; (b) Period of hire including dates; (c) IPs allotted to / being used by the members; (d) Email address and IP address and time stamp used at the time of registration / on-boarding (c) Purpose for hiring services; (d) Validated address and contact numbers (e) Ownership pattern of the subscribers / customers hiring services.

• The virtual asset service providers, virtual asset exchange providers and custodian wallet providers shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of 5 years. This is in view of the growth of virtual assets and to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom.

• With respect to transaction records, accurate information shall be maintained in such a way that individual transaction can be reconstructed along with the relevant elements comprising of information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.

PENALTY FOR NON-COMPLIANCE

It must be noted that a failure to comply with the Directions can invite punitive action under Section 70B (7) of the IT Act which may go up to INR 100,000 or imprisonment for a term up to 1 year or both.

TYPES OF CYBER SECURITY INCIDENTS

Following are the types of cyber security incidents that are mandatory to be reported by service providers, intermediaries, data centres, body corporate and Government organisations to CERT:

• Compromise of critical systems/information

• Unauthorised access of IT systems/data

• Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.

• Data breaches and data leaks

• Unauthorised access to social media accounts

• Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications

MHCO Comment :The aforesaid Directions issued by MEITy are a great step towards safer and secure digital-India, though we still have a long way to go. With growing usage and storage of data and exchange of information online, there has always been a need for a mechanism to ensure that the data/information is safe and not exposed to unauthorised access or breaches. It is pertinent to note that the Directions will apply to most, if not all, organisations in India regardless of the quantum of data collected/stored by them. However, it will be interesting to see the implementation and enforcement of these Directions over the next few months.

This update was released on 10 Jun 2022.

The views expressed in this update are personal and should not be construed as any legal advice. Please contact us directly on +91 22 40565252 or legalupdates@mhcolaw.com for any assistance.

Legal Update Team
MANSUKHLAL HIRALAL & COMPANY
Advocates, Solicitors and Notaries
T: +91 22 40565252
Mumbai Office: Surya Mahal, 2nd Floor, 5, Burjorji Bharucha Marg, Fort, Mumbai-400 023, India
Delhi Office: Block C-9, Lower Ground Floor, Jangpura Extension, New Delhi - 110 014, India
www.mhcolaw.com

"Noted lawyer in the Real Estate practitioner from India" - Chambers & Partners

Please consider the environment before printing this email

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. This communication may contain confidential or legally privileged information. If you are not the intended recipient, any disclosure, copying, distribution or action taken relying on the contents is prohibited and may be unlawful. If you have received this communication in error, or if you or your employer does not consent to email messages of this kind, please notify the sender immediately by responding to this email and then delete it from your system. No liability is accepted for any harm that may be caused to your systems or data by this message.