Industry pushes back against India’s data security breach reporting requirements


Opposition is building to India’s recently introduced rules on reporting computer security breaches, which have come under fire for being impractical, ineffective, and impinging on privacy.

The rules were introduced without fanfare in late April by CERT-In, the nation’s government-run computer emergency response team that has responsibility for incident management and wider infosec guidance.

CERT-In requires Indian organizations to report more than 20 types of infosec incidents within six hours of discovery – and it rates a ransomware attack, detection of a potentially malicious network probe, and a hijacked social media account on the same level of seriousness.

Other requirements include the capture and retention of VPN users’ personal information, including the IP addresses they use to access VPN services. Organizations are also required to retain log files for 180 days and share them with CERT-In if the team deems them necessary for an investigation.

Indian organizations were given just sixty days to be ready for the requirements. As they apply to some very large entities, such as datacenter operators, achieving readiness is non-trivial.

Concern about the rules has been voiced within and outside India, the latter typified by global tech lobby group the Information Technology Industry Council (ITI) sending CERT-In a letter [PDF] that suggests the six-hour reporting requirement is not feasible, and is also not aligned with global best practice of 72-hour reporting.

The ITI stated that the 180-day logfile requirement is not best practice, and suggested that the list of reportable incidents is
