
Cyber Incidents – Practice, Procedure, Prevention, Response And Reporting
In 2021 alone, 5 major companies were reported to have suffered data breaches in India, including brands such as Facebook, Upstox, Air India, MobiKwik and Dominos.[1] By the end of 2021, India ranked 3rd in the world in data breaches.[2] According to one report, 1 out of every 5 people affected by a data breach globally is an Indian.[3]
In February 2022, while speaking at the launch of IBM’s security command centre in Bengaluru, Rajeev Chandrasekhar (Union Minister of State for Electronics and IT) formally revealed that the government is working on comprehensive laws to prevent corporations from hiding security and data breaches.[4]
On April 28, 2022, the Indian Computer Emergency Response Team (“CERT-In”) issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000 (“IT Act”). These directions come into effect 60 days after issue (i.e., in June 2022).[5]
CERT-In is the national agency for cyber security functions in the country; it continuously analyses cyber threats and handles cyber incidents tracked by or reported to it. It also regularly issues advisories to organisations and users to help them protect their data/information and ICT infrastructure.[6]

The following directions have been issued to augment and strengthen cyber security in the country[7]:
(i) All service providers, intermediaries, data centres, body corporate and Government organisations are required to connect to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to them, to synchronise the clocks of all their ICT systems. Entities whose ICT infrastructure spans multiple geographies may also use an accurate and standard time source other than NPL and NIC; however, they must ensure that this time source does not deviate from NPL and NIC.
(ii) Any service provider, intermediary, data centre, body corporate or Government organisation is required to report cyber incidents to CERT-In within 6 hours of noticing them or being notified of them. The types of cyber security incidents that must be reported are:
- Targeted scanning/probing of critical networks/ systems
- Compromise of critical systems/ information
- Unauthorised access of IT systems/ data
- Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
- Malicious code attacks such as spreading of virus/ worm/ Trojan/ Bots/ Spyware/ Ransomware/ Cryptominers
- Attack on servers such as Database, Mail and DNS and network devices such as Routers
- Identity Theft, spoofing and phishing attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
- Attacks on Application such as E-Governance, E-Commerce etc.
- Data Breach
- Data Leak
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
- Attacks or incident affecting Digital Payment systems
- Attacks through Malicious mobile Apps
- Fake mobile Apps
- Unauthorised access to social media accounts
- Attacks or malicious/ suspicious activities affecting Cloud computing systems/ servers/ software/ applications
- Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
- Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning
(iii) When required by order/ direction of CERT-In, for the purposes of cyber incident response, protective and preventive actions related to cyber incidents, the service provider/ intermediary/ data centre/ body corporate is mandated to take action or provide information or any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness.
(iv) The service providers, intermediaries, data centres, body corporate and Government organisations are required to designate a Point of Contact to interface with CERT-In. The details of the Point of Contact are required to be sent to CERT-In in the specified format. All communications from CERT-In seeking information and providing directions for compliance shall be sent to the said Point of Contact.
(v) All service providers, intermediaries, data centres, body corporate and Government organisations must enable logs on all their ICT systems and maintain them securely for a rolling period of 180 days, within the Indian jurisdiction. These logs must be provided to CERT-In along with the report of any incident, or when ordered/directed by CERT-In.
(vi) Data centres, Virtual Private Server (VPS) providers, cloud service providers and Virtual Private Network service (VPN service) providers are required to register the following information accurately, and to maintain it for at least 5 years after any cancellation or withdrawal of the registration, as the case may be:
- Validated names of subscribers/ customers hiring the services
- Period of hire including dates
- IPs allotted to / being used by the members
- Email address and IP address and time stamp used at the time of registration / on-boarding
- Purpose for hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers / customers hiring services
(vii) Virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance from time to time) must maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of 5 years, so as to ensure cyber security in the area of payments and financial markets.
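Item (i) above requires every ICT clock to be synchronised to NIC/NPL, or to a time source that does not deviate from them, but it gives no hostname and no numeric tolerance. The following is an added example, not code from CERT-In or from this article: a minimal SNTP (RFC 4330) client in Python that measures the offset between the local clock and a reference server so an operator can check the deviation before and after an incident. The reference hostname, the 0.5 s tolerance and the sample reply packet are all assumptions constructed for the example.

```python
"""
Added example (not from the CERT-In direction or this article): a minimal
SNTP (RFC 4330) client that measures how far a host's clock is from a
reference NTP server. Server name and tolerance are assumptions; the
direction gives neither a hostname nor a numeric limit.
"""
import socket
import struct
import time

NTP_EPOCH_DELTA = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_PACKET_LEN = 48
# '!BBBb11I': LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then four 64-bit timestamps as (seconds, fraction) pairs.
NTP_FORMAT = "!BBBb11I"
REFERENCE_SERVER = "ntp.reference.example"  # placeholder (assumption): put the NIC/NPL server you use here
MAX_OFFSET_SECONDS = 0.5  # assumption: operator-chosen tolerance, not given in the direction


def ntp_to_unix(seconds: int, fraction: int) -> float:
    """Convert an NTP (seconds, 2^-32 fraction) timestamp to Unix time."""
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def unix_to_ntp(t: float) -> tuple[int, int]:
    """Convert Unix time to an NTP (seconds, fraction) pair."""
    whole = int(t)
    return whole + NTP_EPOCH_DELTA, int((t - whole) * 2**32)


def parse_ntp_response(packet: bytes) -> dict:
    """Decode a server reply; reject anything that is not a usable mode-4 answer."""
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_FORMAT, packet[:NTP_PACKET_LEN])
    leap, version, mode = f[0] >> 6, (f[0] >> 3) & 0x07, f[0] & 0x07
    stratum = f[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if stratum == 0:
        raise ValueError("kiss-of-death / unspecified stratum")
    if leap == 3:
        raise ValueError("server reports its clock is unsynchronised")
    return {
        "version": version,
        "stratum": stratum,
        "originate": ntp_to_unix(f[9], f[10]),   # T1 echoed back by the server
        "receive": ntp_to_unix(f[11], f[12]),    # T2: server received our request
        "transmit": ntp_to_unix(f[13], f[14]),   # T3: server sent its reply
    }


def compute_offset(t1: float, t2: float, t3: float, t4: float) -> tuple[float, float]:
    """RFC 4330 clock offset and round-trip delay from the four timestamps."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def evaluate(packet: bytes, t1: float, t4: float, max_offset: float = MAX_OFFSET_SECONDS) -> dict:
    """Combine local send (T1) / receive (T4) times with the server reply into a verdict."""
    reply = parse_ntp_response(packet)
    offset, delay = compute_offset(t1, reply["receive"], reply["transmit"], t4)
    return {
        "stratum": reply["stratum"],
        "offset": offset,
        "delay": delay,
        "within_tolerance": abs(offset) <= max_offset,
    }


def query_server(server: str = REFERENCE_SERVER, timeout: float = 3.0) -> dict:
    """Send one SNTP request over UDP/123 and evaluate the reply (needs network access)."""
    request = bytearray(NTP_PACKET_LEN)
    request[0] = 0x23  # LI=0, VN=4, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(bytes(request), (server, 123))
        packet, _ = sock.recvfrom(NTP_PACKET_LEN)
        t4 = time.time()
    return evaluate(packet, t1, t4)


def build_sample_reply(t1: float, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed server reply for offline use; this is not captured traffic."""
    return struct.pack(
        NTP_FORMAT,
        0x24,  # LI=0, VN=4, mode=4 (server)
        stratum, 6, -20, 0, 0, 0,
        *unix_to_ntp(t3),  # reference timestamp (reuse T3 for the sample)
        *unix_to_ntp(t1),  # originate = client's transmit time
        *unix_to_ntp(t2),  # receive
        *unix_to_ntp(t3),  # transmit
    )


if __name__ == "__main__":
    # Offline demonstration: the local clock is 2 s behind the reference.
    send, recv = 1_700_000_000.0, 1_700_000_000.2
    reply = build_sample_reply(send, send + 2.1, send + 2.1)
    print(evaluate(reply, send, recv))
```

Run `query_server("your.reference.server")` on each host whose clock must match the reference; the `within_tolerance` flag is what an auditor would record, and a large `delay` value warns that the measurement itself is unreliable and should be repeated.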

For the purpose of KYC, the Reserve Bank of India (RBI) Directions 2016, the Securities and Exchange Board of India (SEBI) circular dated April 24, 2020 and the Department of Telecom (DoT) notice of September 21, 2021 mandate the following procedures:
I. Any of the following Officially Valid Documents (OVDs) as a measure of the identification procedure:
- The passport
- The driving licence
- Proof of possession of Aadhaar number
- The Voter’s Identity Card issued by the Election Commission of India
- Job card issued by NREGA duly signed by an officer of the State Government
- Letter issued by the National Population Register containing details of name and address
- Validated phone number
- Trading account number and details
II. Bank account number and bank details. For the purpose of KYC for business entities (B2B), the documents mentioned in the Customer Due Diligence (CDD) process prescribed in the Reserve Bank of India Master Direction – Know Your Customer (KYC) Direction, 2016 (as updated from time to time) are to be used and maintained.
III. With respect to transaction records, accurate information must be maintained in such a way that each individual transaction can be reconstructed along with its relevant elements, comprising, but not limited to, information identifying the relevant parties including IP addresses with timestamps and time zones, the transaction ID, the public keys (or equivalent identifiers), the addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.
[1] Please see https://www.91mobiles.com/hub/5-major-data-breaches-india-2021/
[2] Please see https://timesofindia.indiatimes.com/business/india-business/india-3rd-in-data-breaches-till-nov/articleshow/88328816.cms
[3] Please see https://timesofindia.indiatimes.com/business/india-business/india-3rd-in-data-breaches-till-nov/articleshow/88328816.cms
[4] Please see https://economictimes.indiatimes.com/tech/technology/new-regulations-to-put-onus-on-organisations-to-report-security-breaches/articleshow/89779622.cms
[5] Please see https://www.cert-in.org.in/Directions70B.jsp
[6] Please see https://www.pib.gov.in/PressReleasePage.aspx?PRID=1820904
[7] Please see https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf