Home

Mandatory Reporting of Cyber Security Incidents In India

December 8, 2021

By Rupin Chopra and Apalka Bareja

Cyber security incidents and breaches have seen an uptick in the entire world, and India is not too far behind on the trend. From Q1FY19 to Q1FY20, there was an increase of 37% in data breaches and cyber-attacks in India.[1] This year alone saw massive setbacks to user privacy and internet security, as companies such as Upstox, Mobikwik, BigBasket, and AirIndia suffered from data leaks. One of the most prominent breaches, however, happened with Domino’s India – as in April 2021, personal data including names, emails, mobile nos. and order details of over 18 crore people that used the Domino’s app were freely available on the internet to see and use.[2] If these large companies face cyber security attacks on a regular basis, one can only imagine how many small breaches and incidents go unnoticed, or even hidden.

Countering and preventing these attacks is of utmost importance, as more and more of our life goes digital. While India is not at the forefront of regulatory mechanisms for cybersecurity, a number of laws are in place to ensure that reasonable security practices are maintained and cyber security incidents do not go shrouded in secrecy.

The Indian Computer Emergency Response Team

Section 70B to the Information Technology Act, 2000 (“the Act”) provides for the formation of an agency called the Indian Computer Emergency Response Team, or “CERT-In”. As per Section 70B(4), this agency shall serve as the national agency for performing a range of functions in the area of cyber security –

  • collection, analysis and dissemination of information on cyber incidents;
  • forecast and alerts of cyber security incidents;
  • emergency measures for handling cyber security incidents;
  • coordination of cyber incidents response activities;
  • issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
  • such other functions relating to cyber security as may be prescribed.

The functioning and duties of CERT-In have been provided under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“the Rules”). Notably, these rules state CERT-In to be a part and under the administrative control of the Department of Electronics and Information Technology, Ministry of Communications and Information Technology. It shall function on a twenty-four hour basis on all days of the year including government and gazetted holidays.

Mandatory Reporting of Cyber Security Incidents

A cyber security incident, i.e. any real or suspected adverse event in relation to cyber security that violates an explicit or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation”,[3] under the scheme of the Rules, is to be reported to CERT-In.

Rule 12(1)(a) reads as under –

Reporting of Incidents: Any individual, organisation or corporate entity affected by cyber security incidents may report the incident to CERT-In. The type of cyber security incidents as identified in Annexure shall be mandatorily reported to CERT-In as early as possible to leave scope for action. Service providers, intermediaries, data centers and body corporate shall report the cyber security incidents to CERT-In within a reasonable time of occurrence or noticing the incident to have scope for timely action.”

The following incidents are listed in the Annexure that are to be mandatorily reported –

  • Targeted scanning/probing of critical networks/systems
  • Compromise of critical systems/information
  • Unauthorised access of IT systems/data
  • Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites, etc.
  • Malicious code attacks such as spreading of virus/worm/Trojan/Botnets/Spyware
  • Attacks on servers such as database, mail and DNS and network devices such as routers
  • Identity theft, spoofing and phishing attacks
  • Denial of Service (Dos) and Distributed Denial of Service (DDoS) attacks
  • Attacks on critical infrastructure, SCADA Systems and wireless networks
  • Attacks on application such as e-governance, e-commerce, etc.

Yet, despite mandatory reporting requirements, the consequence for non-compliance of this rule is unclear. There exist no penalties within the Rules themselves. The only semblance of a penalty is in Section 44(b) to the Act, which provides for a maximum five thousand rupee fine per day for failing to furnish documents within the required timeframe as specified. For the purposes of Rule 12, however, no timeframe is provided whatsoever. A ‘residuary penalty’ clause also exists within the Act, which allows a maximum penalty of ₹25,000.

Additionally, there exists no threshold to define an incident either. A mother secretly using her child’s phone could be termed “unauthorised access of IT systems”, as could a server breach as well. Terms such as “compromise of critical systems/information” are vague and unclear. In the absence of any definitions to the terms mentioned in the Annexure, it leaves huge scope for misinterpretation.

Intermediaries

Under the latest Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Rule 3(1)(l) provides that the intermediary shall report cyber security incidents and share related information with CERT-In. Failure to abide by this regulation may result in revocation of classification as an intermediary, consequently losing safe harbour status.

Conclusion

Despite being in the shadows, there does exist a clear legal obligation for corporates to report cyber security incidents to CERT-In. However, the incentive to abide by the requirement seems to be too low, while the cost for admitting to a large scale cyber security incident may be higher.

Mere requirement for keeping reasonable security practices and procedures in today’s age is insufficient. As hackers and infiltrators become more sophisticated, it is important to understand where such ‘reasonable’ practices failed. Hence, emphasis on reporting is of utmost importance for consumer safety and privacy.

[1] Singh A, “India Sees 37% Increase in Data Breaches, Cyber Attacks This Year” (The Week November 17, 2020) <https://www.theweek.in/news/biz-tech/2020/11/17/india-sees-37-increase-in-data-breaches-cyber-attacks-this-year.html> accessed December 6, 2021.

[2] Tech Desk, “Dominos Data Breach: Name, Address, Other Details of over 18 Crore Orders Leaked” (The Indian Express May 25, 2021) <https://indianexpress.com/article/technology/tech-news-technology/dominos-data-breach-name-address-other-details-of-over-18-crore-orders-leaked-7328416/> accessed December 6, 2021.

[3] Rule 2(h), Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.

Suyash Bajpai, Intern at S.S. Rana & Co. has assisted in the research of this article.

For more information please contact us at : info@ssrana.com