Net breach alert in 6 hours
The government has made it mandatory for all government and private agencies, including internet service providers, social media platforms and data centres, to report within six hours any cyber security breach incident to nodal agency Indian Computer Emergency Response Team (CERT-In).
A CERT-In statement said the entities must maintain a log book of all their ICT (Information and Communication Technology) systems for a rolling period of 180 days. This should be maintained within the Indian jurisdiction. The log should be provided to CERT-In along with reporting of any incident or when directed by the computer emergency response team.
Besides, data centres, virtual private server (VPS) providers, cloud service providers and virtual private network service (VPN Service) providers need to register the accurate information related to subscriber names, customer hiring the services, ownership pattern of the subscribers and maintain them for five years or a longer duration as mandated by the law.
“Many times during LEA (Law Enforcement Agency) requests and investigations, we have seen cases of non-storage or availability of data and proper records with intermediaries and service providers. These guidelines will streamline the date records to be maintained and proper reporting of security incidents to CERT-In,” said Jiten Jain, director of Digital Lab of Voyager Infosec.
CERT-in said “the failure to furnish the information or non-compliance with the directions, may invite punitive action under sub-section (7) of the section 70B of the IT Act, 2000 and other laws”.
The IT Act states that failure to comply “shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both”.
CERT-in will serve as the national agency in the area of cyber security under the Information Technology (IT) Act, 2000, the ministry of electronics and IT (MeitY) said .
“These directions will become effective after 60 days. These directions shall enhance overall cyber security,” it said. There have been several incidents of data breach in Indian entities that have led to leak of personal data of crores of individuals.