The Union Ministry of Electronics and Information Technology has instructed companies to report incidents of cybersecurity breach to the Indian Computer Emergency Response Team (Cert-In) within six hours of detection.
In its directive issued on April 28, the ministry delineated a range of cyber incidents across 20 categories. These include defacement of websites, hacking of social media sites, data breaches and data leaks, among others.
Issuing a set of new guidelines, the ministry mandated virtual asset service providers to keep five-year logs of know-your-customer (KYC) data as well as information on every financial transaction to enable Cert-In to reconstruct a cybercrime in the event of a breach.
No changes, however, have been effected in Section 70B of the IT Act, 2000, under which those who do not respond to notices from Cert-In can face up to one year in jail while being fined up to ₹1 lakh.
Reports said that, under the new rules, companies have been asked to sync their time servers with the network time protocol (NTP) server of the National Informatics Centre (NIC). A time server (either a local network time server or an internet time server) takes the actual time from a reference clock and disseminates it to clients over a computer network.
The decision, experts say, has been taken to prevent companies from tinkering with the timelines of data breaches or citing time differences to escape regulation.
While many have called the ministry’s directives, particularly the six-hour deadline to report data breaches, “excessive” and “overreaching,” others say it is a beginning, given that India doesn’t have a dedicated law for cyber security.
“Internationally, such a threshold is used to classify serious and non-serious breaches, which is something that this new directive can help establish in India. The ones with a higher risk of harm will have the mentioned six-hour window in India to disclose cyber incidents,” Akash Karmakar, a partner at law firm Panag and Babu, told Mint.
Calling the government’s definition of data breach vague, he says the new rules fail to clearly categorise the “class of reportable incidents and companies in high risk or harm category,” and instead give them “broad strokes”.
“There are no specifics on what defines a data breach or a data leak. Even in terms of compromised social media accounts, there has to be some definition in terms of parameters that can and cannot be disclosed within six hours. Social media firms, for instance, would find it impossible to constantly disclose information on such breaches within six hours,” he added.