The Ministry of Electronics and Information Technology (MeitY) has ordered virtual private network (VPN) providers, data centres, virtual private server (VPS) providers, intermediaries and crypto exchanges to collect and store user data for five years.
According to reports, MeitY has given companies 60 days to make appropriate arrangements for securely storing user data. The new laws will come into effect starting July 27.
"Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be", reads a release published by MeitY.
The new directives from India’s Computer Emergency Response Team (CERT-In), the government’s nodal agency for detecting and responding to cyber incidents, said: “The failure to furnish the information or non-compliance with the ... directions, may invite punitive action.”
The directive states that "This direction will become effective after 60 days from the date on which it is issued", which means the new rule will come into effect by July 27, 2022.
The companies in question will have to maintain all customer information for five years or longer (as mandated by law), even after “any cancellation or withdrawal of the registration” by a customer.
“With respect to transaction records, accurate information shall be maintained in such a way that individual transaction can be reconstructed along with the relevant elements comprising of, but not limited to, information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred,” it adds.
Service providers, intermediaries and data centres are also ordered to report any type of cyber security incident to CERT-In.
Types of cyber security incidents mandatorily to be reported to CERT-In:
1. Targeted scanning/probing of critical networks/systems
2. Compromise of critical systems/information
3. Unauthorised access of IT systems/data
4. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
5. Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers
6. Attack on servers such as Database, Mail and DNS and network devices such as Routers
7. Identity Theft, spoofing and phishing attacks
8. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
9. Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
10. Attacks on Application such as E-Governance, E-Commerce etc.
11. Data Breach
12. Data Leak
13. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
14. Attacks or incident affecting Digital Payment systems
15. Attacks through Malicious mobile Apps
16. Fake mobile Apps
17. Unauthorised access to social media accounts
18. Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications
19. Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
20. Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning