Law Gov
    Inside India’s New 6 Hour Cybersecurity Incident Notification Requirement

    May 25, 2022 | Regulation | 6 min read

    When a computer security incident occurs, notification is often required within strict timelines, and the recent trend has been to shorten the time a company has before it must notify. The EU's GDPR has a 72 hour notification requirement if personal information is disclosed. In the United States, the Transportation Security Administration now requires notification within 24 hours for security events involving certain critical infrastructure.

    Not to be outdone, the Indian Computer Emergency Response Team (CERT-In) now requires notification within 6 hours of noticing a cybersecurity incident, for most types of incidents and for most entities that do business in India. The direction also imposes several proactive security measures, including retention of 180 days of logs and 5 year retention of data elements and identifiers for certain technology and financial providers, such as data centers, VPN providers, and payment providers who deal with virtual payments and virtual assets (including cryptocurrency and blockchain-enabled technologies).

    Notification Rule

    CERT-In published these new requirements in a new direction, No. 20(3)/2022-CERT-In, on April 28, 2022. The direction requires that any service provider, intermediary, data center, body corporate and government organization shall "mandatorily report cyber incidents . . . within 6 hours of noticing such incidents or being brought to notice about such incidents" to CERT-In. The rule becomes effective on June 27, 2022.

    This new 6 hour reporting requirement supplements the prior "as soon as possible" standard published in Rule 12(1)(a) of The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.

    The rule applies to a list of 20 types of security events and incidents, including data breaches, data leaks, denial of service attacks, targeted scanning of critical systems, identity theft, and fake mobile apps.

    This list, provided in Annexure I of the direction, is quite expansive and not well defined. Given the number of event types and only 6 hours to notify, it becomes important for entities to have retained breach counsel, supported by a retained forensic team available 24 hours a day, 7 days a week, ready to respond quickly to any of the listed items. Breach counsel will need to confer quickly with the forensic team to determine whether one of the named events has occurred and then prepare the notification to CERT-In. The notification can be reported to CERT-In via email ([email protected]), phone (1800-11-4949) or fax (1800-11-6969).

    Following the notification, the entity must cooperate with CERT-In's requests to further mitigate the event, including providing any information CERT-In requests, in the format and within the timeframe CERT-In dictates.

    Other Proactive Measures

    In addition to the 6 hour notification requirement, the direction also requires the following proactive measures be put in place:

    • Entities must synchronize the clocks of their systems with the NTP server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL).
    • Entities must enable logging and retain those logs for 180 days within the Indian jurisdiction. They must also provide those logs to CERT-In upon request.
    • Data centers, virtual private server providers, cloud service providers and VPN service providers must register and maintain certain information about their subscribers and customers for a period of at least 5 years. The apparent intent of these requirements is to enable discovery of the identity of attackers or other agents who use any of these services. The following items must be maintained:
      1. validated names of subscribers/customers hiring the services;
      2. period of hire including dates;
      3. IPs allotted to / being used by the members;
      4. email address and IP address and time stamp used at the time of registration / on-boarding;
      5. purpose for hiring services;
      6. validated address and contact numbers; and
      7. ownership pattern of the subscribers / customers hiring services.
    • Virtual asset service providers, virtual asset exchange providers, and custodian wallet providers must maintain certain financial information (including collected identification records and technical transaction details) for a period of 5 years, in a form that allows individual financial transactions to be reconstructed. The technical data to retain for five years includes IP addresses, timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred. There is also a list of identification records that must be retained whenever they are collected. These include:
      1. passport;
      2. driving license;
      3. proof of possession of Aadhaar number (a voluntary 12 digit identification number assigned to any Indian resident who enrolls);
      4. Voter’s Identity Card issued by the Election Commission of India;
      5. job card issued by NREGA duly signed by an officer of the State Government;
      6. letter issued by the National Population Register containing details of name and address;
      7. validated phone number; and
      8. trading account number and details and bank account number and bank details.
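As an added example (not code from the article, CERT-In, or any firm named here), the following Python audits a systemd-journald configuration against the 180-day log retention measure and computes the 6-hour reporting deadline in Indian Standard Time; it assumes journald is the host's logging system and uses a constructed sample config. The check treats retention as demonstrable only when the journal is persistent and a time floor of at least 180 days is set, because journald's default eviction is size-based rather than time-based.

```python
# Added example (not from the article): audit journald retention against the 180-day measure
import re
from datetime import datetime, timedelta, timezone

REQUIRED_DAYS = 180
IST = timezone(timedelta(hours=5, minutes=30))  # India Standard Time
# Constructed sample journald.conf: persistent journal, but only one month of time-based retention
SAMPLE_CONF = "[Journal]\nStorage=persistent\nSystemMaxUse=4G\nMaxRetentionSec=1month\n"

# journald time-span units in seconds (systemd counts a month as 30.44 d and a year as 365.25 d)
_UNITS = {"": 1, "s": 1, "sec": 1, "second": 1, "seconds": 1, "m": 60, "min": 60,
          "minute": 60, "minutes": 60, "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600,
          "d": 86400, "day": 86400, "days": 86400, "w": 604800, "week": 604800, "weeks": 604800,
          "M": 2629800, "month": 2629800, "months": 2629800, "y": 31557600, "year": 31557600,
          "years": 31557600}

def parse_span(value: str) -> int:
    """Convert a journald time span ('180day', '26w', '2h 30min', '15552000') to seconds."""
    total = 0
    for num, unit in re.findall(r"(\d+)\s*([A-Za-z]*)", value):
        if unit not in _UNITS:
            raise ValueError(f"unknown journald time unit: {unit!r}")
        total += int(num) * _UNITS[unit]
    return total

def check_retention(journald_conf: str) -> list:
    """Return findings that make 180-day retention not demonstrable; an empty list means OK."""
    settings = {}
    for line in journald_conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";", "[")) and "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip()] = val.strip()
    findings = []
    if settings.get("Storage", "auto") == "volatile":
        findings.append("Storage=volatile: journal is kept in RAM and lost on reboot")
    span = settings.get("MaxRetentionSec")
    if span is None or parse_span(span) == 0:
        findings.append("MaxRetentionSec unset: retention is size-bound only, no time floor")
    elif parse_span(span) < REQUIRED_DAYS * 86400:
        findings.append(f"MaxRetentionSec={span} is below {REQUIRED_DAYS} days")
    return findings

def notification_deadline(noticed_at: datetime) -> datetime:
    """Latest time to report to CERT-In: 6 hours from noticing the incident, expressed in IST."""
    return noticed_at.astimezone(IST) + timedelta(hours=6)
```

A long MaxRetentionSec is still a ceiling rather than a guarantee: if SystemMaxUse fills first, journald evicts the oldest entries, so disk sizing must cover 180 days of expected log volume.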

    Conclusion

    Entities that do business in India need to review their security practices to conform with the requirements above and update their incident response plans, notification guidelines, and other policies and procedures to address these new changes. Additionally, entities should consider having breach counsel and a forensic investigator on retainer to make the quick determinations and notifications needed to comply with the 6 hour deadline and the other elevated requirements. We recommend that the forensic investigator be retained through legal counsel to increase the likelihood that legal advice, under appropriate attorney-client privilege, can be obtained quickly.

    Other organizations that do business with Indian service providers or have Indian captive organizations need to understand whether that Indian organization is planning to implement these changes by June 27, 2022. Regardless of what an organization's contract with its Indian service provider states, this law will trump it. There is a strong chance that CERT-In will know about a breach of your organization's data, when processed by an Indian firm, before you do as the data's controller. CERT-In may also be directing the investigation, including reviewing all the logs and other retained information described above, before you have had a chance to respond. It is therefore important to understand how the direction is being implemented at the Indian service providers that handle your data.

    Todd McClelland is the global head of McDermott Will & Emery’s Global Privacy & Cybersecurity Practice Group. He advises companies on complex, international legal issues associated with cybersecurity breaches and compliance, data privacy compliance, and data, technology, cloud and outsourcing transactions.

    Brian Long is an associate in McDermott Will & Emery’s Technology & Outsourcing Practice focusing on transactional, regulatory, and cybersecurity matters. He advises both service providers and service recipients in technology transactions with special emphasis on reasonable security practices, managing and assessing cybersecurity risk, and responding to cybersecurity issues through proactive and reactive measures.

    Jason Krieser is the co-head of McDermott Will & Emery’s Technology & Outsourcing Practice. He advises clients on all aspects of technology transactions, outsourcing matters, telecommunications and other complex commercial contracts, including artificial intelligence and robotic process automation arrangements. He works closely with the Firm’s Global Privacy and Cybersecurity team on all technology matters.
