
CERT-In Releases FAQs on Directions on Cyber Security

The Indian Computer Emergency Response Team (“CERT-In”) (an agency operating under the Ministry of Electronics and Information Technology, Government of India) recently released a document consisting of 44 frequently asked questions (“FAQs”), in a bid to clarify the new directions (dated April 28, 2022) relating to “information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet” (“Directions”) issued by it under the Information Technology Act, 2000 (“IT Act”).

The Directions primarily target crypto-entities and Virtual Private Network (VPN) providers and inter alia require them to collect and store user data for a period of 5 years, among other compliance obligations, as discussed in more detail in our earlier note.

The FAQs inter alia affirm that all “service providers, intermediaries, data centres, body corporate, virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organizations” (the “Entities”) are required to comply with the Directions within sixty days (from the date of notification of the Directions), and that failure to comply with the Directions will subject the Entities to penal consequences (viz. imprisonment for a period of up to 1 year or a fine of up to 1 lakh rupees, or both).

It is, however, provided thereunder that the Directions will not apply to individuals or to “enterprise/corporate VPNs” (viz. entities which are not providing VPN services to Internet subscribers/users). In simpler words, the Directions seem to imply that entities which deploy VPNs for their internal functioning or as part of their internal infrastructure (without the facility of extending the same to general subscribers/users), would be exempt from complying with the Directions. To this end, the FAQs clarify that all references to a “VPN service provider” (in the Directions) will pertain to entities providing “Internet proxy like services” through “the use of VPN technologies, standard or proprietary, to general Internet subscribers/users.”

The FAQs also affirm that Entities with “ICT infrastructures spanning multiple geographies may use accurate and standard time source other than National Physical Laboratory (NPL) and National Informatics Centre (NIC)”, provided their time source does not deviate from that of NPL and NIC. Similarly, it is provided that “if any entity operates their own NTP service (using NTP server or any other device), which synchronizes with time sources other than native cloud time services, the NTP Servers of NPL, NIC or other accurate and standard time sources may be used as long as the accuracy of time is maintained”, subject to the condition that a time source other than NIC/NPL, if used, “shall not deviate from NPL and NIC.” In practical terms, an Entity may run its own NTP hierarchy, but the clock it uses for logging and incident reporting must stay in step with the NPL/NIC reference.

Notably, the FAQs have clarified that the Directions have extra-territorial application. It is clarified thereunder that the Directions apply to foreign Entities in all matters concerning cyber incidents and cyber security incidents. The FAQs have clarified that all Entities offering services to Indian users are required to designate a Point of Contact (to interact with CERT-In concerning the compliance of the Directions) even if such Entities do not have a physical presence in India; and further, any entity, if offering services to the users in India, is required to maintain logs and records of financial transactions conducted in India (which can be requisitioned by CERT-In). It is also clarified that such logs/records may be stored outside India as long as these are promptly provided to CERT-In, as and when directed.

For reference, under the Directions, logs are required to be maintained for 180 days and cyber incidents are required to be reported within 6 hours (of such incidents occurring or being brought to the Entity's notice). The FAQs (and the Directions) provide a list of the kinds of incidents required to be reported.

Further, it is clarified under the FAQs that all Entities which are “intermediaries” under the IT Act, must report cyber security incidents and share information with CERT-In in the manner provided under the IT Act, in particular, the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”) framed thereunder, in addition to reporting the cyber security incidents mentioned under the Directions.

For reference, an “intermediary” means “…any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.”

Importantly, the FAQs provide that the obligation upon the Entities to report cyber incidents to CERT-In is statutory in nature and will thus override any contractual obligations of the Entities, such as confidentiality obligations restraining disclosure of user data.

Lastly, it is observed that the FAQs seek to address certain key concerns relating to the Directions (such as privacy of users, data security and the possibility of data breaches). To this end, the FAQs simply state that the Directions do not affect the right to privacy of individuals. It is clarified that CERT-In will seek information from the Entities on a case-to-case (and not a continuous) basis, in relation to cyber security incidents and cyber incidents. It is also clarified that the Entities must observe reasonable security practices and procedures (as prescribed under prevailing data security laws in India) to protect the data of users.


Ahlawat & Associates