India's Aggressive Six-Hour Cyber Incident Notification Requirement
Starting today, companies doing business in India must report cybersecurity incidents to the Indian government within six hours of being made aware of such incidents, one of the most aggressive notification timelines to date. The directive broadly defines “incidents” to include traditional data breaches, denial of service attacks, phishing attacks, and other events that may result in unauthorized access or disruption to electronic systems. Additionally, the directive broadly applies to almost any organization doing business in India.
Notwithstanding this broad requirement, the Indian Computer Emergency Response Team (CERT-In), which is the agency charged with cybersecurity, is specifically interested in cyber incidents that impact or could impact infrastructure inside India. For example, if a company headquartered in India suffers a cyber incident in another country that does not impact the Indian entity in any way, the reporting requirement would not apply. To facilitate this reporting requirement, CERT-In has published a lengthy Incident Reporting Form but has acknowledged in the directive’s FAQs that entities may only have limited information in their initial report, and may need to provide supplemental information at a later date.
The requirement is part of a new cybersecurity directive from the Indian government, which also imposes additional record retention requirements and requires entities to assist in CERT-In investigations into cyber incidents upon request. The directive requires companies to retain system logs, including firewall logs, proxy server logs, and application logs, for 180 days. In the event of a cyber incident impacting a company, or one of its partners or vendors, CERT-In may compel disclosure of such logs.
Additionally, data centers, cloud service providers, VPN providers, and similar entities must now report and maintain for five years certain information, including the names and contact information of their customers. Likewise, virtual asset providers are now required to maintain certain “Know Your Customer” data, which would allow them to reconstruct individual transactions. Finally, all covered entities must also synchronize the system clocks of their Indian operations with CERT-In’s systems.
The penalties for non-compliance with the new directive are fines up to one lakh of rupees, or approximately $1,300.00. The directive also allows for up to one year of jail time but does not indicate which employees or directors could be imprisoned or other details.
However, it is important to note that, in the past, CERT-In has not been aggressive in seeking penalties, and enforcement of any penalties would require CERT-In to petition the Indian courts to review the matter. Per the CERT-In FAQs associated with the directive, the power to enforce penalties will be “exercised reasonably and on occasions when the non-compliance is deliberate.”
Companies should consider both their own reporting obligations and those of any third-party partners. For example, if a service provider in India has a reportable incident, given the quick reporting window and broad applicability, it is possible that CERT-In could become aware of the incident and be able to access a company’s logs through its investigatory authority before the company is even aware of the incident. As a result, contractual and enforceable notification obligations between and among business partners, service providers, and vendors are essential.
In addition, companies that have a presence in India or that use service providers in India should consider the retention of breach counsel and forensics experts proactively so that they can quickly respond to any security incidents that arise.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.