Companies in India are facing a six-hour data breach reporting deadline following the introduction of new regulations by the country’s computer emergency response team, CERT-In.
The new rules will apply to key components of the Indian network and IT infrastructure, including service providers, data centers, government agencies, and corporations. The reporting window is narrower than in other major economies: in the EU, GDPR violations are reported within 72 hours. Events can be reported by phone, fax, or email.
Companies subject to the rule must keep logs for 180 days after the event. Specific sectors, including data centers, cloud service providers, and VPN operators, must register and maintain specific customer information for at least five years, including names, IPs, and reasons for using the service.
Similarly, cryptocurrency services are responsible for maintaining ‘Know Your Customer (KYC) records. CERT-In has released a list of 20 types of events (PDFs) that companies must report within six hours. These include malware and ransomware attacks; Identity theft, spoofing, and phishing attacks; And data breaches and data leaks.
The list also includes unauthorized access to social media accounts and attacks or suspicious activity affecting cloud computing services, blockchain, robotics, albums, 3D printing, or drones.
All organizations covered by the command must synchronize their systems with the network time (NTP) servers maintained by the National Informatics Center of India or the National Physical Laboratory, or synchronize the NTP servers with those systems to facilitate log data analysis for CERT. -In.
Companies that fail to comply can face penalties under the Indian IT Act, 2000.
Announcing the new regulations, the Indian Ministry of Electronics and IT said, “CERT has identified some areas that could interfere with incident analysis” and these rules will ensure “overall cyber security posture and secure and reliable Internet” in the country…
RV Raghu, Director, Versatilist Consulting India and ISACA Ambassador to India, hailed the announcement as “a great step forward in strengthening the overall cyber security attitude of Indian companies towards better data and customer protection”.
