Government to press ahead with strict cybersecurity rules despite industry concerns

The Centre on Wednesday said there is no change in upcoming cybersecurity rules which mandate social media, technology companies and cloud service providers to report data breaches within six hours.

"The government has given more than adequate time for virtual private network service providers, or VPNs, data centres, cloud service providers, or enterprises, to comply with new directions on reporting of cyber security breaches," said Rajeev Chandrasekhar, Minister of State for Information Technology at the release of frequently asked questions for cybersecurity incidents issued last month.

The Centre's directions for VPN companies or data centres to report security breaches within six hours of the incident coming to light are more relaxed than global standards, with some countries mandating immediate reporting, he said.

In April, The Indian Computer Emergency Response Team issued a directive in April asking tech companies to report data breaches within six hours of "noticing such incidents" and to maintain IT and communications logs for six months.

Also Read | CERT-In's new law gets VPN users and service providers worried

The directive also said cloud service providers and virtual private network (VPN) companies to retain the names of their customers and IP addresses for at least five years, even after they stop using the company's services.

However, companies have raised concerns within the industry citing high cost and compliance burdens.

Those unwilling to comply with the directives may well have to rethink their India business plans, the Minister said adding that "if the entities do not comply, the government will have to take appropriate action."

Also Read | Government proposes new law to make social media firms accountable

The Minister released a set of FAQs on the directions issued. The government also said that non-compliance will attract penalties under a section of the IT Act. It also clarified that corporate or enterprise VPNs do not fall under the category of “VPN service providers" and that it would be applicable to entities that provide “internet proxy like services through the use of VPN technologies, standard or proprietary, to general Internet subscribers."

"Almost every enterprise today is connected to the internet and is heavily digitised. Therefore, we think mandatory reporting is absolutely important for us as government and industry to keep the Internet open and safe and trusted," Chandrasekhar said.