When a computer incident occurs, there are often strict timelines of notification required. There has been a recent trend towards shortening the time a company has before it must notify. The EU’s GDPR has a 72 hour notification requirement if personal information is disclosed. In the United States, the Transportation Security Administration now requires notification within 24 hours for security events involving certain critical infrastructure.
Not to be outdone, in India, the Indian Computer Emergency Response Team (CERT-In) now requires a notification 6 hours after a cybersecurity incident for most types of incidents and for most entities that do business in India. Additionally, there are several proactive security measures required, including retention of 180 days of logs and 5 year retention of data elements and identifiers for certain technology and financial providers such as data centers, VPN providers, and payment providers who deal with virtual payments and virtual assets (including cryptocurrency and blockchain-enabled technologies).
Notification Rule
CERT-In published these new requirements in a new direction, No. 20(3)/2022-CERT-In, on April 28, 2022 (found here). The new direction requires that any service provider, intermediary, data center, body corporate and government organization shall “mandatorily report cyber incidents . . . within 6 hours of noticing such incidents or being brought to notice about such incidents” to CERT-In. This rule becomes effective on June 27, 2022.
This new 6 hour reporting requirement supplements the prior rule of “as soon as possible” that was published in Rule 12(1)(a) of The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (available here).
This rule applies to a list of 20 types of security events and incidents, including data breaches, data leaks, denial of service attacks, targeted scanning of critical systems, identity theft, and fake mobile apps.
This list, provided in Annexure I of the direction, is quite expansive and not well defined. Given the number of covered events, and only 6 hours to notify, it becomes important for entities to have retained breach counsel supported by a retained forensic team ready 24 hours a day, 7 days a week to be able to quickly respond to any of the listed items. Breach counsel will need to quickly confer with the forensic team to determine if one of the named events has occurred and quickly prepare the breach notification to CERT-In. The notification can be reported to CERT-In via email ([email protected]), phone (1800-11-4949) or fax (1800-11-6969).
Following the notification to CERT-In, the entity must cooperate with CERT-In’s requests to further mitigate the event, including providing information to CERT-In that it requests, in the format CERT-In requests and in a timeframe dictated by CERT-In.
Other Proactive Measures
In addition to the 6 hour notification requirement, the direction also requires the following proactive measures be put in place:
- Entities must synchronize the time of their systems with the NTP Server of the National Informatics Center (NIC) or National Physical Laboratory (NPL).
- Entities must enable logging and maintain those logs for 180 days within the Indian jurisdiction. They must also provide those logs to CERT-In upon CERT-In’s request.
- Data centers, virtual private server providers, cloud service providers and VPN service providers must register and maintain certain information about all of their subscribers and customers for a period of at least 5 years. The intent behind these requirements appears to be enabling the discovery of the identity of attackers or other agents who use any of these services. The following items must be maintained:
  - validated names of subscribers/customers hiring the services;
  - period of hire including dates;
  - IPs allotted to / being used by the members;
  - email address and IP address and time stamp used at the time of registration / on-boarding;
  - purpose for hiring services;
  - validated address and contact numbers; and
  - ownership pattern of the subscribers / customers hiring services.
- Virtual asset service providers, virtual asset exchange providers, and custodian wallet providers must maintain certain financial information (including collected identification records and technical transaction details) for a period of 5 years in a way that allows individual financial transactions to be reconstructed. The technical data to retain for five years includes IP addresses, timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred. There is also a list of identification records that must be maintained when collected. These include:
  - passport;
  - driving license;
  - proof of possession of Aadhaar number (a voluntary 12 digit identification number assigned to any Indian resident who enrolls);
  - Voter’s Identity Card issued by the Election Commission of India;
  - job card issued by NREGA duly signed by an officer of the State Government;
  - letter issued by the National Population Register containing details of name and address;
  - validated phone number; and
  - trading account number and details and bank account number and bank details.
Conclusion
Entities who do business in India need to review their security practices to conform with the requirements above and update their incident response plans, notification guidelines, and other policies and procedures to address these new changes. Additionally, entities should consider having breach counsel and a forensic investigator on retainer to make the quick determinations and notifications needed to comply with the 6 hour deadline and other elevated requirements. We recommend that the forensic investigator be retained through legal counsel to increase the likelihood that legal advice, under appropriate attorney-client privilege, can be quickly obtained.
Other organizations who do business with Indian service providers or have Indian captive organizations need to understand whether that Indian organization is planning to implement these changes by June 27, 2022. Additionally, regardless of what an organization’s contract with its Indian service provider states, this law will trump it. There is a strong chance that CERT-In may know about a breach of your organization’s data, when processed by an Indian firm, before you do as the data’s controller. Additionally, CERT-In may be directing the investigation before you have had a chance to respond, including reviewing all the logs and other retained information described above. Therefore, it is important to understand how the Direction is being implemented at Indian service providers that handle your data.
Todd McClelland is the global head of McDermott Will & Emery’s Global Privacy & Cybersecurity Practice Group. He advises companies on complex, international legal issues associated with cybersecurity breaches and compliance, data privacy compliance, and data, technology, cloud and outsourcing transactions.
Brian Long is an associate in McDermott Will & Emery’s Technology & Outsourcing Practice focusing on transactional, regulatory, and cybersecurity matters. He advises both service providers and service recipients in technology transactions with special emphasis on reasonable security practices, managing and assessing cybersecurity risk, and responding to cybersecurity issues through proactive and reactive measures.
Jason Krieser is the co-head of McDermott Will & Emery’s Technology & Outsourcing Practice. He advises clients on all aspects of technology transactions, outsourcing matters, telecommunications and other complex commercial contracts, including artificial intelligence and robotic process automation arrangements. He works closely with the Firm’s Global Privacy and Cybersecurity team on all technology matters.