CERT-IN's Cyber Security Breach Reporting: An Update

The Indian Computer Emergency Response Team (CERT-In) was constituted in 2004 under section 70B of the Information Technology Act, 2000. It is the national nodal agency that responds to cyber security threats within the country and is under the Ministry of Electronics and Information Technology, Government of India. Recently, CERT-In released a direction [1] relating to information security practices, procedures, prevention, response and reporting of cyber security threats.

Key Features of the Cyber Security Breach Reporting Directions 

 

Mandatory Reporting

The direction mandates all service providers, government organisations, data centres, intermediaries and body corporates to mandatorily report within 6 hours of noticing or being brought to notice of any cyber incident. Rule 12(1)(a) of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 provides for a list of cyber security incidents that needed to be reported mandatorily by these entities mentioned above. The rules had previously listed 10 different types of cyber security incidents which need to be mandatorily reported. Apart from these 10 types, the new direction has also categorised data breaches, data leaks, attacks on IoT, and payment systems, fake mobile apps, unauthorised access to social media accounts and attacks or suspicious activities affecting software/servers/systems/apps relating to big data, blockchain, virtual assets, 3Dand 4D printing, drones as cyber security incidents which should be mandatorily reported. 

 

 

Point of Contact

All service providers, intermediaries, data centres, body corporates and Government organisations shall appoint a point of contact within their organisation, who shall ensure effective coordination with the CERT-In. The name and other details of the point of contact shall be sent to CERT-In and the entity should also ensure that it is updated every now and then when there is a change.

 

 

Log Retention and Data Localisation Requirement

The direction mandates all entities mentioned in the direction to mandatorily maintain and secure logs of their ICT systems for a period of 180 days. All such logs should be stored within the jurisdiction of the country and the same should be handed over to the CERT-In in the event of a cyber security incident or any order or direction from CERT-In.

 

 

Registration of Information

The direction has mandated data centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers to register certain information with CERT-In. All these entities are required to maintain such information for a period of 5 years or longer duration as mandated by law, even after the cancellation or expiration of the registration. The following information is required to be registered with CERT-In:

  • Validated names of subscribers/customers hiring the services.
  • Period of hire, including dates.
  • IPs allotted to/being used by the members.
  • Email address and IP address and time stamp used at the time of registration/on-boarding.
  • The purpose of hiring services.
  • Validated address and contact numbers.
  • Ownership pattern of the subscribers/customers hiring services.

 

KYC Requirement

This decade has witnessed the rise of cryptocurrencies across the globe and most countries, including India, still lack a dedicated framework to regulate this space. These new directions from CERT-In intend to regulate and streamline some aspects of this exponentially expanding sector. The directions mandate that virtual asset service providers, virtual asset exchange providers and custodian wallet providers to obtain KYC information from their customers. Further, these entities are also obligated to record all their financial transactions for a period of 5 years. Entities are also directed to maintain information about the IP addresses along with timestamps and time zones, transaction ID, the public keys, addresses or accounts involved, the nature and date of the transaction, and the amount transferred. 

 

 

Integration into ICT System

The direction calls on data centres, body corporates and government organisations to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) for synchronisation into the ICT system. Moreover, where ICT infrastructure of the entities are scattered in multiple locations, the entities are free to use accurate and standard time sources other than NPL and NIC.

 

Non-compliance

In the event that the above-mentioned entities fail to adhere or comply with these directions issued by CERT-In, they shall be punishable with imprisonment for a term which may extend to one year or with a fine which may extend to one lakh rupees or with both under subsection (7) of section 70B of the IT Act, 2000.

 

Conclusion

These new directions issued by CERT-In have acknowledged the concerns of end-users, who were kept in the dark regarding their data and the process undertaken by a corporate body in the event of a data breach or leak. The directions have also touched upon the latest technological developments like cloud services, virtual assets, and online payments, which are yet to be completely regulated by the government. When compared with the CERT rules 2013, the new directions have an expanded scope and applicability as well as a significantly increased compliance bracket for entities.

The European Union enacted the EU Directive on Security of Networks and Information Systems (called the NIS Directive), which supervises the cyber security of European markets. Unlike the present directive, the scope and applicability of the NIS directive are much larger. Certain critical sectors such as energy, transport, water, health, digital infrastructure, finance, and digital service providers such as online marketplaces, cloud and online search engines are all required to comply with these directives.

CERT-In has provided the entities with a 60-day window to comply with the directions. The increased compliance requirements and the added cost that comes along with such compliance will make smaller entities anxious. Hence, the effectiveness of these directions can only be judged with the passage of time. Significant concern can also be placed on the fact that these new directions will merely add to the compliance burden rather than improve the cyber security environment of the country.

References:

[1] https://www.cert-in.org.in/Directions70B.jsp

Image Credits: Image by Pete Linforth from Pixabay

These new directions issued by CERT-In have acknowledged the concerns of end-users, who were kept in the dark regarding their data and the process undertaken by a body corporate in the event of a data breach or leak. The directions have also touched upon the latest technological developments like cloud services, virtual assets, and online payments, which are yet to be completely regulated by the government. When compared to the CERT rules 2013, the new directions have an expanded scope and applicability and a significantly increased compliance bracket for entities.

POST A COMMENT

Privacy Shield 2.0: Cue for EU-India Data Transfer Mechanism?

Since the implementation of GDPR standards across the EU, data transfer between other countries and the EU has become a widely debated complex issue across the world. Article 44 of GDPR permits the transfer of personal data outside the EU, only when the recipient country has an equivalent level of security to protect the personal data of EU citizens, as guaranteed by the General Data Protection Regulation (GDPR). The biggest dilemma that many countries across the globe face is that they either lack a national legislation on data privacy or if they do have one in place, it may not be considered at par with the standards set by GDPR. Such a situation creates a genuine legal obstacle to the transfer of personal data between the EU and those countries.

Conceptualization of the Privacy Shield

 

Over the years EU and various other countries have developed certain mechanisms to tackle these obstacles created by requirements mentioned under Article 44. Standard contractual clauses (SCC), binding corporate rules (BCR) are such instruments that the countries and corporates have adopted for the transfer of personal data.

The United States of America lacks a comprehensively dedicated legislation for data privacy.  However, the country has many sectorial legislation and regulations ensuring the privacy protection of individuals, yet, the EU has consistently ruled that the USA does not guarantee an equivalent level of protection.  Safe Harbour Framework, one such additional mechanism agreed upon between the Governments of the EU and USA defines a series of principles to be followed and adopted by companies for the transfer of personal data.

US companies were required to self-certify these principles mentioned under the safe harbour framework and the US regulators would in turn enforce such framework within their limits and jurisdictions.  In 2013, Edward Snowden rocked the world with some lethal revelations about various global surveillance programs run by the NSA. In light of such a disclosure, an Austrian citizen named Max Schrems filed a complaint stating that the US does not provide adequate protection of personal data against such mass surveillance undertaken by authorities. The European Court of Justice (“ECJ/ Court”), noted that the US could allow any national security, public interest argument and law enforcement requirement to prevail over the Safe Harbour framework. Hence, the ECJ concluded that the safe harbour decision was invalid, as it interfered with the fundamental rights of an EU citizen. This decision is widely known as Schrems I.

After courts invalidated the safe harbour decision, the European Commission and the US Department of Commerce came up with the Privacy Shield framework for the continued transfer of data from the EU to the US.  US Corporations who intend to receive personal data from the EU self-certify before the Department of Commerce that they will adhere to certain principles recognised in the Privacy Shield. These principles were developed by the US Department of Commerce in consultation with the European Commission.

This led Max Schrems to again file a complaint challenging the validity of the privacy shield and the use of SCCs by companies to bypass the requirements of adequate protection stipulated by Article 44 of the GDPR on the ground that US investigation agencies have unlimited access rights of personal data retained with USA corporations neither Privacy Shield nor SCCs prevents those rights. Accordingly, it was argued that Privacy Shield or SCCs does not ensure the privacy rights of EU citizens. This case soon came to be known as Schrems II. The Court of Justice of the European Union (CJEU) examined the US’s Foreign Intelligence Surveillance Act and the surveillance programmes that such provisions allow and found that US agencies have wider access rights on every data retained with USA corporations and Privacy Shield in any manner takes away these rights of USA investigative agencies.   CJEU accordingly invalidated the EU-US privacy shield mechanism. 

The judgment in Schrems II had led to a major deadlock between US-EU economic relations, particularly concerning the transfer of data. With no approved mechanism in sight, companies found it difficult to transfer data for achieving their business obligations. On 25th March 2022, the EU commission and US government announced that they had agreed in principle on a new framework for the purpose of cross border transfer of data, known as Privacy shield 2.0. The new framework promises to provide benefits to both sides of the Atlantic and ensure that a balance is created between the new safeguards and the national security objectives of the US, which will ensure the privacy of EU personal data.

The text of this new framework has not been released.  The press note released by the White House contains a few details that the framework might incorporate. It states that intelligence collection might be undertaken only where it is necessary to advance legitimate national security objectives and in no way should impact the protection of privacy and civil liberties[1]. In addition, the US intelligence agencies will adapt procedures to ensure effective oversight of new privacy and civil liberties standards[2]. Moreover, a proposal to set up an independent Data Protection Review Court has been mooted for EU individuals seeking claims and damages for breach of their personal data by the US Government. The proposal also details that the adjudicating members or individuals shall be chosen from outside the US Government.

If Privacy shield 2.0 does pass the test laid down by the European courts, experts believe that this could trigger an estimated $7.1 trillion economic relationship between the US and the EU. Hopefully, Privacy shield 2.0 will be able to provide a predictable, effective and lasting remedy for transferring personal data from the EU to the USA.

 

 

Data Transfer between EU and India

 

The above discussions and mechanisms have a significant relevance in relation to data transfer between the EU and India. The Indian investigation and intelligence agencies have similar powers to their US counterparts in terms of their right to access or demand or conduct searches in any Indian enterprises and collect all relevant data required.  The fundamental right to privacy recognised in the Puttuswamy case is not absolute. Further, as per Article 19(2) of the constitution, the state can impose reasonable restrictions on the exercise of fundamental rights in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.

Moreover, Section 69, of the IT Act, 2000 provides the Central and State government with the power to intercept or monitor any information stored in a computer resource provided such information is required for:

  • In the interests of India’s sovereignty and integrity.
  • Defence of India,
  • State’s security,
  • To maintain friendly relations with other nations, or
  • To maintain public order, or
  • For preventing incitement to the commission of any cognizable offence relating to the above, or
  • For investigation purposes

The above provisions are similar to the rights available to US investigative agencies. For the same reasons, the Schrems II judgment and Privacy Shield mechanisms are relevant while considering EU-India data transfer.

Currently, there are no approved mechanisms for data transfer between the EU and India like the Privacy Shield framework. Hence, the European companies are justifiably reluctant to establish business relations with our country. Since India is a hub of IT-enabled services like BPOs and KPOs, it is desirable to have an efficient and clear legal regime for data transfer to foster a symbiotically advantageous economic relationship between the two sovereigns. Unfortunately, neither of the Governments has taken any urgency to initiate the formulation of rules similar to the Privacy Shield. It is worthwhile to consider whether the new Privacy Shield 2.0 could be considered and replicated in India.  If both the governments can demonstrate their intent, the groundwork for a contusive business environment for data transfer between the two sovereigns can be initiated. 

Currently, there are no approved mechanisms for data transfer between the EU and India like the Privacy Shield framework. Hence, the European companies are justifiably reluctant to establish business relations with our country. Since India is a hub of IT-enabled services like BPOs and KPOs, it is desirable to have an efficient and clear legal regime for data transfer to foster a symbiotically advantageous economic relationship between the two sovereigns. 

POST A COMMENT

The Metaverse and its Numerous Concerns

There is a lot of buzz being generated around the “Metaverse,” which can be defined as a virtual reality-based shared digital world in which users (through their “avatars”) can enjoy three-dimensional, multi-sensory experiences. This rapidly-evolving, technology-driven paradigm is a huge shift away from the present, where digital interactions are based on text, audio and two-dimensional images/videos. The excitement around the Metaverse is due to the immense possibilities that exist around how it can be used for social interactions, commerce, media & entertainment, education, manufacturing, healthcare, defense etc. Not surprisingly, many companies, even in India, are investing in Metaverse capabilities.

While the potential for metaverse cannot be denied, it is just as important to recognize and acknowledge that there are several grey areas around this paradigm. If timely actions to prevent the misuse of the metaverse are not taken by the global community, we run the serious risk of opening a new Pandora’s Box. And once the proverbial genie is released from the bottle, it is virtually impossible (pun intended) to put it back inside.

The Potential Dangers of the Metaverse

 
What are the biggest fears surrounding the Metaverse? Concerns have been expressed from different quarters around issues relating to the privacy, safety and well-being of people who are active in the metaverse. In the current scenario, people use social platforms to connect with each other. If someone with whom I do not wish to engage seeks to connect with me in a basic digital world, I can easily deny the friend request. Even after having granted them permission initially, I can choose to block such persons. During the time they have permission to engage with me, the worst that can happen is that they send unwanted texts, audio messages or images and videos.

This is bad enough, but in the metaverse, the kind and nature of obscene or harmful content will change drastically; consequently, so will the impact of such material and experiences on vulnerable segments of society. 

For example, in the metaverse, it is quite possible for complete strangers to enter someone else’s personal space – without the latter being aware of who the former is. Given the multi-sensory capabilities of the metaverse, which includes haptic technology (the sense of touch), the experience and impact can be far worse. Arguably, the metaverse (as it exists currently) lends itself more easily to bullying, sexual abuse or intimidation. Indeed, there have been recent media reports that some VR-based games that are accessible to young children contain inappropriate content. 

AI-driven deep fakes can further muddy the waters by creating and distributing patently false content that is almost impossible to detect as fake. There is enough fake information circulating on Whatsapp as it is, think of the danger of content that purportedly shows politicians or others saying things designed to inflame emotions.

NFTs will be key to the evolution and growth of the metaverse, providing owners of physical assets such as paintings and IPR such as rights to music, movies etc. new avenues to monetize them at scale. Cryptocurrencies and tokens are likely to form the principal currency in the metaverse, powering commerce and payments. As of now, cryptocurrencies are anonymous and independent of mainstream banking and financial systems. 

In the absence of regulations that are uniformly enforced globally, such parallel payment systems can be easily misused for illegal and immoral activities and transactions, including child sexual abuse. It is likely that fraud and crimes will increasingly crisscross between the current digital world and the metaverse (and perhaps the physical world), making them harder to detect and bring the perpetrators to book.

Addressing the Issues Surrounding Metaverse 

 

A multipronged approach is key to addressing the potential dangers of the metaverse. It is vital to frame appropriate legislation and arm various regulatory agencies with the power to catch and punish violators is vital. The basic premise around legislation has to be this: if something is illegal or against the law or generally accepted social mores in the “real”, physical world, it must be treated the same way in any parallel “virtual reality” based universe.

However, legislation alone cannot secure the metaverse. It will be essential to hold creators of content and platforms that enable distribution and access responsible for violations. The metaverse infrastructure needs to be designed with more intent to put in place appropriate safety mechanisms right at the beginning. As a global society, we must learn from our experiences with the downsides of social media platforms (false information, cyber-bullying, digital fraud etc.) and take preemptive actions that can prevent problems before they become common. This is significant because changing processes after people have grown accustomed to them is never easy; also, some damage may have already occurred. It may also be necessary to think of ways to incentivize good behaviour in the metaverse.

The metaverse is expected to surge ahead quickly on its evolutionary path. Its trajectory cannot be predicted in advance, therefore, what is needed is constant vigilance and for global action to be taken in a concerted manner. The UN system is supposed to be the primary keeper of international order. A number of events over the past couple of decades have painfully driven home the point that the UN architecture needs an urgent and major overhaul. As part of this exercise, it may be useful to establish a new global body tasked with the responsibility of overseeing and governing the metaverse. Regional political/economic blocs must be encouraged to ensure that their members comply with rules and regulations related to the metaverse.

The metaverse is expected to surge ahead quickly on its evolutionary path. Its trajectory cannot be predicted in advance; therefore, what is needed is constant vigilance and for global action to be taken in a concerted manner.

POST A COMMENT