India’s Latest Cybersecurity Directions Burden Businesses Far and Wide
By Lakshmi Gopal, Muciri Law, PLLC
On April 28, 2022, the Indian Ministry of Electronics and Information Technology’s (MeitY) Computer Emergency Response Team (CERT-In) issued new Directions related to ongoing augmentation of India’s cybersecurity regime. The 2022 Directions will come into effect in June, sixty days after their issuance, and will extend to entities merely offering services to users located in India. Noncompliance with the Directions is punishable with imprisonment extending to one year, a fine of one hundred thousand rupees (approximately 1,250 USD), or both. The Directions have been met with strong resistance from the business community, with companies threatening to pull out of India because the Directions violate fundamental principles of rule of law.
Faced with industry demand for adherence to rule of law principles, in May, CERT-In issued Clarifications. Though these lack legal effect, they have softened the impact of the Directions on business, including by stating that punitive powers “will be exercised reasonably and on occasions when the non-compliance is deliberate.” At the same time, the Clarifications confirm the troubling scope of the Directions and inadequately address their effect on privacy rights and on ease of doing business for small businesses.
As of now, the 2022 Directions contain five major obligations. First, the Directions require a broad list of covered entities to report certain kinds of cyber incidents to CERT-In within six hours of noticing them. Building on CERT-In’s 2013 Rules, Annexure I of the 2022 Directions adds twenty new kinds of cyber incidents that mandate reporting within six hours, including data breaches, data leaks, and unauthorized access to social media accounts. The Clarifications list additional criteria that would trigger reporting of incidents within the stipulated six-hour time and state that entities should additionally report incidents not specifically listed in the Rules or Directions, after considering “their nature, severity and impact.”
Second, the Directions require covered entities to maintain logs of all their Information and Communications Technology (ICT) systems for a rolling period of 180 days (six months). Such logs are to accompany each mandatory cyber incident report and must also be produced whenever CERT-In otherwise requires them. Further, covered entities must provide CERT-In “any such assistance,” “which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness.” Finally, entities, including those which merely offer services to users in India, must maintain a “Point of Contact” as liaison to CERT-In for all “such purposes.”
Third, covered entities are required to synchronize their system clocks with one of the two authorized Indian national time servers. Notably, the Directions permit covered entities with ICT infrastructure “spanning multiple geographies” to use other “accurate and standard time source[s],” while holding them liable to ensure no deviation from either of the two authorized sources. According to the Clarifications, business customers in cloud environments may either use the native time services offered by the cloud provider to synchronize their clocks or set up their own NTP server within their cloud environment.
While the Directions list these first three obligations as belonging to “service providers, intermediaries, data centres[sic], body corporate and Government organisations[sic],” the Clarifications state that the Directions apply to “all entities in so far as reporting of a cyber incident is concerned” and to “any entity only in the matter of cyber incidents and cyber security incidents.” According to the Clarifications, reporting obligations cannot be shared or transferred and extend to even those entities that merely offer their services to users in India.
Fourth, the Directions require data centers, virtual private server (VPS) providers, cloud service providers, and virtual private network (VPN) service providers to register “accurate” private information about any and all of their users, to be maintained for a minimum of five years after cancellation or withdrawal of registration. Private information to be maintained by such providers includes validated names and contact details, duration and patterns of use of services, any IPs allotted or used, and the user’s purpose for accessing the services. Commentators have argued that such obligations effectively end anonymity in online speech, undermining the freedom of speech of individuals and businesses alike. The Clarifications state that the Directions do not cover enterprise/corporate VPNs and that, under the Directions, VPNs are defined as providing “Internet proxy like services” through the use of VPN technologies to general Internet subscribers/users.
Fifth, the Directions impose upon “virtual asset service providers, virtual asset exchange providers and custodian wallet providers” the same “know-your-customer” obligations imposed on companies regulated by India’s financial sector regulators.
Future developments remain difficult to predict, as the international business community and Indian civil society continue to seek redress against the staggering breadth and impact of the Directions in an increasingly surveillance-oriented regulatory environment and as the Government continues to aggressively defend its current approach to cyber security. With increasing risk for minorities and dissenters in India, businesses owned by minorities and those advancing opinions out of favor with the current regime should exercise particular caution when operating in India.