Introduction
India has witnessed an unprecedented increase in data breaches over recent years, with both the public and private sectors facing growing threats and security issues. These breaches have exposed sensitive personal information, including financial details, healthcare records, and Aadhaar data, affecting millions of citizens. The impact of a data breach in India is no longer limited to privacy concerns: businesses are exposed to significant reputational harm, erosion of consumer confidence, and potential financial liabilities.
Legal Compliance
Concerned Authorities: In India, data breaches are handled by two authorities, namely:
· Data Protection Board under Digital Personal Data Protection Act, 2023
· CERT-In under the Information Technology Act, 2000
Data Protection Board under the Digital Personal Data Protection Act, 2023:
The DPDP Act, which came into force in 2023, delineates several key functions for the Data Protection Board, which is yet to be formed. The Board will be responsible for ensuring compliance with data protection regulations, with the authority to impose penalties for violations. In the event of a data breach, it will direct data fiduciaries on measures to mitigate the impact and prevent future breaches. Additionally, the Board will serve as a grievance redressal forum for individuals affected by data breaches or violations of their data privacy rights. The DPDP Act, 2023 significantly enhances the framework for breach notifications in India by establishing clear responsibilities for data fiduciaries, introducing dual reporting requirements, and imposing strict penalties for non-compliance. Under these dual reporting obligations, organizations must report breaches not only to the Data Protection Board of India but also to CERT-In within six hours, as required by the Cyber Security Directions[1].
CERT-In:
At present, the sole authority responsible for handling data breaches is CERT-In (Computer Emergency Response Team - India). CERT-In is a nodal government agency created under the Information Technology Act, 2000, responsible for collecting, analysing, and disseminating information on cyber incidents, issuing forecasts, alerts, and guidelines, and coordinating response activities. Recently, CERT-In issued new directives to address rising cybersecurity threats, enforcing strict measures for information security and incident response. Now, under Section 70B (6) of the Information Technology Act, 2000, non-compliance can result in fines and imprisonment. These directives impact IT service providers, intermediaries, data centres, and corporate entities (Covered Persons).
ICT Clock Synchronization
Covered Persons and government entities are required to synchronize all their information and communications technology (ICT) system clocks with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or servers traceable to these sources. This synchronization is crucial for timestamping and determining the sequence of events during a cyber incident.
6-Hour Reporting Window for Cyber Incidents
All Covered Persons and government organizations are required to report any cyber incident within 6 hours of becoming aware of it. The new Directions introduce a stricter 6-hour reporting window, which may be challenging for Covered Persons to meet. CERT-In requires the report to be submitted in a prescribed format containing all necessary information, including remedial measures.
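The clock-synchronization requirement above exists because an incident timeline is reconstructed from logs held on many systems, and the 6-hour window is counted from the moment of awareness. The following Python script is an added illustration, not code from the original article or from any CERT-In tooling: it takes a constructed two-host log sample and constructed per-host NTP offsets (the log format, host names and offset values are assumptions), shows how the apparent order of events changes once timestamps are mapped onto reference time, and computes the reporting deadline from the time of awareness.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: one log line per event from two hosts, in the assumed
# format "<host> <ISO-8601 timestamp> <message>". db01's clock has drifted.
SAMPLE_LOG = """\
web01 2024-05-10T09:00:05Z sshd: Accepted publickey for deploy from 203.0.113.7
db01 2024-05-10T08:58:40Z postgres: connection authorized: user=deploy database=customers
db01 2024-05-10T08:58:55Z postgres: COPY customers TO '/tmp/export.csv'
web01 2024-05-10T09:00:30Z sshd: session closed for user deploy
"""

# Constructed per-host clock offsets in seconds relative to the NTP reference
# (positive = host clock ahead of reference), as a tool such as `chronyc
# tracking` would report them before the clocks were stepped into sync.
CLOCK_OFFSET = {"web01": 0.2, "db01": -90.0}

REPORTING_WINDOW = timedelta(hours=6)  # CERT-In Directions: 6 hours from awareness


def parse_log(text):
    """Parse the sample format into dicts; timestamps become aware UTC datetimes."""
    events = []
    for line in text.splitlines():
        host, stamp, msg = line.split(" ", 2)
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        events.append({"host": host, "ts": ts, "msg": msg})
    return events


def corrected_time(event, offsets):
    """Map a host-local timestamp onto reference (NTP) time."""
    return event["ts"] - timedelta(seconds=offsets.get(event["host"], 0.0))


def reconstruct_sequence(text, offsets=None):
    """Order events by reference time; with offsets=None the raw clocks are trusted."""
    offsets = offsets or {}
    ordered = [{**ev, "ref_ts": corrected_time(ev, offsets)} for ev in parse_log(text)]
    return sorted(ordered, key=lambda e: e["ref_ts"])


def reporting_deadline(aware_at):
    """Latest time the incident report may reach CERT-In, counted from awareness."""
    return aware_at + REPORTING_WINDOW


if __name__ == "__main__":
    for label, offs in (("raw clocks", None), ("NTP-corrected", CLOCK_OFFSET)):
        print(f"--- {label} ---")
        for e in reconstruct_sequence(SAMPLE_LOG, offs):
            print(e["ref_ts"].isoformat(), e["host"], e["msg"])
```

With the raw clocks the database export appears to precede the SSH login; after correction the login comes first. The offsets have to be measured and recorded while a host is still skewed, since stepping its clock into sync afterwards discards the information needed to re-order its earlier log entries.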
Powers of CERT-In
CERT-In is authorized to issue orders to Covered Persons in response to cyber incidents, requiring specific actions, information, or assistance for cybersecurity mitigation. All Covered Persons and government organizations must appoint a Point of Contact (POC) for communication with CERT-In. While it's unclear if this POC can be from a group entity outside India, it is unlikely, given the Ministry of Information’s stance. The POC increases accountability and could face personal liability for non-compliance with the Directions.
Requirements of Log Retention
All Covered Persons and government entities must keep logs of their ICT systems for at least 180 days in India. These logs should be available for incident reports or if CERT-In requests them. This rule takes away some flexibility in choosing how long to keep logs. Even organizations not based in India but using ICT systems here must store logs locally. This requirement can be a financial burden, especially for small and medium-sized businesses, which may need to pay for log storage services or invest in advanced security systems.
User Data Collection and Retention
The Directions require data centres, VPN providers, and cloud service providers to retain specific subscriber information for at least five years after service use, including names, IP addresses, and verified contact details. Similarly, virtual asset service providers must keep KYC data and financial transaction records for five years. However, unclear requirements for data accuracy may impose financial and operational burdens, while the retention period conflicts with data minimization practices. Organizations will also need to enhance security measures for retained data, complicating cybersecurity objectives.
Conclusion
Corporations and entities handling personal data should reassess their information security systems, with larger organizations needing dedicated compliance teams and smaller ones facing financial strain. It is important to have appropriate company policies drafted by professionals, and any entity handling data should conduct internal audits of its policies and systems from time to time.