FAQs on cybersecurity directive adds fresh concerns

Key points

• Logs can be stored abroad: “The logs may be stored outside India also as long as the obligation to produce logs to CERT-In is adhered to by the entities in a reasonable time,” the FAQs state.
  • This is a confusing and contradictory statement because it goes directly against the directive which states that the logs “shall be maintained in Indian jurisdiction.”
• Exceptions to syncing time with NPL, NIC servers: One of the most controversial provisions of the directive was the requirement for companies to sync their system clocks with the time provided by the National Informatics Centre (NIC) or the National Physical Laboratory (NPL). The government has now clarified that some companies like cloud service providers can use their own time sources.
  • Regardless, the clarification still raises questions because of the wording that the time “shall not deviate” from NIC/NPL time servers, which is technically impractical to achieve. Read More
• The directive applies to foreign companies as well: It was unsure if foreign companies with no physical presence in India were bound by the rules, but the government has clarified that the rules apply regardless of jurisdiction as long as Indian consumers are being served. Read More 
• Corporate VPNs not subject to the rules: The directive requires VPN providers to maintain information about their customers such as contact details, the purpose of hiring, and IP addresses, and also store logs for 180 days, among other requirements. But these do not apply to corporate or enterprise VPN servers, MeitY clarified. Read More

Reporting of cybersecurity incidents

• Intermediaries have to also report incidents not specified in the directive: As part of the IT Rules, 2021, intermediaries, including social media intermediaries, must report cyber security incidents to CERT. The FAQs state that these intermediaries must also report those types of cyber security incidents which are not mentioned in the Annexure of the directive after “considering the nature, severity and impact of the incident.”
  • This is a broad mandate and it’s not clear why such a burden is placed on intermediaries alone and not other entities covered by the directive. There is also no clarity on what are the other type of cybersecurity incidents that the government is referring to because the list in the directive is itself quite lengthy.
• More details on reportable incidents: In addition to being lengthy, the reportable incidents mentioned in the directive are broad and not specific. For example, one of the reportable incidents is “Attacks on applications such as E-Governance, E-Commerce etc.” The FAQs document provides an explanation for each of the reportable incidents to give more context.
  • But this alone does not address the concerns raised by cybersecurity experts who pointed out that some of the incidents are impractical to report because of the sheer volume in which they occur.
• Method of reporting will be updated from time to time: Experts had complained that CERT relied on an outdated format (PDF) for receiving incident reports, and pointed out that modern cybersecurity incidents are better reported in machine-readable formats. To this, the government responded that the methods and format for reporting will be updated from time to time. But this is a vague statement for a concern that can and should be addressed right away.
• When multiple parties are involved, whoever notices an incident must report: In response to the question: Where multiple parties are ‘affected’ by a cyber security incident, for example – consumer-facing business and its back-end partner, who needs to report when the attack has occurred on the servers of outsourcing partner but data of the consumer-facing business is compromised? Can it be a joint reporting to CERT-In? Can it be contractually agreed on who bears the reporting obligation?; MeitY responded that any entity which notices the cyber security incident should report to CERT-In and that the obligation of reporting a cyber incident is neither transferrable nor indemnified or dispensed with. If an entity spots a cyber security incident that affected their data stored in a third party’s systems, it needs to be reported as well.
• Vulnerability reporting is a voluntary process: Whereas cyber security incidents have to be mandatorily reported, the reporting of a vulnerability as a standalone or in isolation, unconnected with any cyber security incident is not mandatory, the FAQs state.
• What if the required information to report an incident is not available within 6 hours? The reporting form by CERT asks for a list of information about the incident that is being reported, if all that information is not available within 6 hours, the same can be reported later “within reasonable time to CERT-In,” the FAQs state.

Privacy and CERT-In data use policy

• Right to Privacy is not affected because CERT only requires information when necessary: The FAQs state the right to informational privacy of individuals is not affected by the directive. “These directions do not envisage seeking of information by CERT-In from the service providers on continuation basis as a standing arrangement. CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on case to case basis, for discharge of its statutory obligations to enhance cyber security in the country. The service providers are bound to protect the users’ information by following reasonable security practises and procedures,” MeitY stated.  
  • The response by MeitY does not quell concerns raised by privacy advocates, who pointed out that requiring logs and customer information from VPN, cloud service, and data centre providers may disclose the personal information of users and could be used for surveillance. Even in the statement above, the government has given itself considerable leeway in when it can access companies to share data. For example, it states the government can seek information in case of cyber security incidents or cyber incidents, but a cyber incident is very broadly defined in the CERT-In Rules, 2013.
• Disclosure of information governed by CERT-In Rules: The FAQs document states that the disclosure of information by CERT-In is governed by Rule 13 of CERT-In Rules, 2013, which has some safeguards as to when CERT can disclose details of the company affected by an incident.
  • There is still no clarity on how CERT will use the data shared with it, who it might share the data with, and for how long it will keep the data. For example, in response to another question on how CERT-In will ensure chain-of-custody of information provided, the government merely states that CERT will work in accordance with the 2013 Rules, without elaborating on what that means.
• Directive overrides contractual obligations: The CERT-In directive overrides any contractual obligation that companies might have with customers regarding the confidentiality of data. “The obligation of reporting of Cyber Security incidents to CERT-In as enshrined in Section 70B of the IT Act, 2000 read with CERT-In Rules, 2013 is statutory in nature and overrides any confidentiality clause in any contract by virtue of the provisions of section 81 of the IT Act, 2000,” the FAQs state.
  • There are, once again, fresh concerns here, because we do not know how CERT will use or share any confidential data.
• Foreign privacy laws must be adhered to: If logs contain personally identifiable information of data subjects of a foreign data protection regime such as GDPR with an extraterritorial application, then the requirements in respect to the protection of confidentiality of the customer data prior to the issuance of the directive is in force, the FAQs state. This appears to be an indirect way of saying respect foreign privacy laws.

Customer information to be collected by VPN, cloud service, data centre providers

• Clarity on what ownership structure means: The directive requires VPN, cloud service, and data centre providers to collect information on the ownership structure of their users, but it wasn’t clear what that meant. The FAQs clarify that ownership structure pertains to basic information such as the type of user (individual, partnership, association, company) and brief particulars of key management.

The consultation process for the cybersecurity directive

• Industry stakeholders were consulted: While there was no public consultation before the issuance of the directive, MeitY stated that consultations with the industry and government organisations were held from time to time, based upon which the draft directions were framed. Subsequently, CERT-In held a stakeholder consultation in March 2022 towards the finalisation of the directions, MeitY said. MediaNama had reached out to some stakeholders (Google, Amazon Web Services, Microsoft) asking if they were consulted and what was their feedback, to which Microsoft responded by saying that they had no comment to make, while the other two companies are yet to respond.