India’s 6-Hour Data Breach Reporting Rule (Clearly Explained)

On April 28, 2022, the Indian Govt. issued strict new guidance regarding Cybersecurity Incident Reporting that drastically shrinks the data breach reporting deadline for many organizations in India.

Despite growing industry concerns, compliance burdens, and higher cybersecurity costs, the new security directive will force organizations across India to report cyber incidents, information security incidents, and data breaches to CERT-In (the Indian Computer Emergency Response Team) within a mere six hours of “noticing such incidents.”

This tightened cybersecurity guidance follows the introduction of new rules and regulations by CERT-In. Additionally, the entities and organizations covered by the rules must securely maintain IT and communications logs of all ICT systems for six months (180 days).

The directive states that all cybersecurity reports should be submitted to CERT-In, along with other instances of such incidents regarding cybersecurity, as requested by the agency.

Six Hours to Report a Cybersecurity Incident

The short timespan is insufficient to carry out the procedures and measures required to deliver a detailed report within six hours of an incident occurring.

Indian organizations can send incident reports via email, phone, or fax. However, it’s uncertain how these analog mediums would improve analysis gaps.

Before this guidance was enforced, reporting and notifying that a cyber incident had occurred was only required “within a reasonable time” after being identified. Now, the reporting window is significantly shorter than those in the EU or USA.

For instance, the EU’s GDPR (General Data Protection Regulation) mandates that cybersecurity/data breaches be reported within 72 hours, which is 66 hours more, enough for a fully detailed and effective breach analysis.

Additionally, via the CIRCIA (Cyber Incident Reporting for Critical Infrastructure) Act of 2022, the USA stipulates either a 72- or a 24-hour (depending on the nature of the attack) required incident reporting time frame for companies, critical infrastructure sectors, and government organizations.

List of Incidents Required to be Reported

CERT-In has issued a list of cyber incidents (PDF) that all service providers, intermediaries, data center operators, companies, and government organizations must report within CERT-In’s designated six-hour window.

The list has a total of 20 incident types:

  1. Targeted scanning/probing of critical networks/systems;
  2. Compromise of critical systems/information;
  3. Unauthorized access to IT systems/data;
  4. Defacement of website or intrusion into a website and unauthorized changes (such as inserting malicious code, links to external websites, etc.);
  5. Malicious code attacks (such as the spreading of viruses, worms, trojans, bots, spyware, ransomware, or crypto miners);
  6. Attacks on servers (such as databases, mail, DNS, and network devices such as routers);
  7. Identity theft, spoofing, and phishing attacks;
  8. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks;
  9. Attacks on applications (such as E-Governance, E-Commerce, etc.);
  10. Attacks on Critical Infrastructure, SCADA and operational technology systems, and Wireless networks;
  11. Data breaches;
  12. Data leaks;
  13. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, and servers;
  14. Attacks or incidents affecting Digital Payment systems;
  15. Attacks through Malicious Mobile Apps;
  16. Fake mobile Apps;
  17. Unauthorized access to social media accounts;
  18. Attacks or malicious/suspicious activities affecting cloud computing systems/servers/software/applications;
  19. Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D Printing, additive manufacturing, and drones.

High-priority cyber security incident types like ransomware attacks and data breaches should be taken seriously and reported within the 6-hour mark.

On the other hand, low-priority incidents like website defacement or unauthorized use of social media accounts are not as crucial as the others and arguably don’t warrant such a swift report, yet they still fall under this new rule.

Other incident types are vaguely worded, like "Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications," for which the reporting threshold should be clarified or made more specific.

List of India’s Infrastructure Affected by the New Rules

The new cybersecurity rules apply to critical parts of India’s network and IT infrastructure, including:

  • Cloud service providers;
  • Internet service providers;
  • Data centers;
  • Technology companies;
  • IT organizations;
  • Intermediaries, body corporates, and government organizations;
  • and even social media.

These organizations and entities must report any cybersecurity incidents to CERT-In within six hours after detection.

The same applies to other incidents that third parties have reported. Service providers must ensure incoming tips for potential attacks are processed, evaluated, and confirmed.

Section 70B of the Information Technology Act, 2000

These new measures and directions are now a part of Indian law (PDF). They’ve already been integrated into section 70B of “The Information Technology Act, 2000 relating to information security practices, procedure, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet.”

According to the Indian Information Technology definitions (PDF) (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties), a “cyber incident” is defined as “any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly security policy resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource for processing or storage of information or data changes, information without authorization.”

The new rules came into force in late June, only 60 days after the announcement. All organizations that fail to comply with the new directive may face penalties set out under India’s IT Act, 2000.

Newly Identified Gaps in Cyberattack Analysis

In its press release, India’s Ministry of Electronics and IT (MeitY) stated that “CERT-In has identified certain gaps causing hindrance in incident analysis.” The national infosec agency maintains that an extremely short deadline is necessary because of this.

The director at Versatilist Consulting India and ISACA Ambassador in India, RV Raghu, hails the announcement as “a great step towards improved data and customer protection.” He believes that the rules can significantly strengthen the cybersecurity posture of Indian enterprises and ensure a safe & trusted Internet.

“Reporting incidents can lead to the sharing of information, preventing the rise of systemic risks and leading to a stronger ecosystem,” he stated in a report for the Daily Swig.

Similarly, India’s Junior IT Minister and tech entrepreneur Rajeev Chandrasekhar supports the new data breach reporting rule. He adds that technology companies have an obligation to know who is using their services, and there will be no change to these rules.

He argues that India is being generous, as some countries mandate immediate reporting on the spot. Chandrasekhar told reporters, “If you don’t want to go by these rules, and if you want to pull out, then frankly... you have to pull out.”

Other Changes

While the six-hour data breach reporting rule stole the limelight, India’s 70B addition to The Information Technology Act, 2000 has other ramifications. 

Maintaining KYC (Know Your Customer) Records

Data centers, cloud service providers like Amazon, virtual private server (VPS) providers, VPN service providers, and other operators are obliged to register and retain customer information for five years, even if the customers no longer use their services. Here’s a list of what they’re supposed to keep:

  • Validated names of subscribers/customers hiring the services;
  • Validated contact numbers and addresses;
  • IP addresses;
  • Emails;
  • Period of hire dates and time stamps of registration/on-boarding;
  • Reasons for engaging service use;
  • Ownership patterns;
  • and other information/data on customers.

Similarly, the crypto sector, comprising virtual asset exchanges, custodian wallet providers, and various cryptocurrency services, must maintain KYC (know your customer) records and records of financial transactions for five years. This is a tell-tale sign that Indian authorities are cracking down on cryptocurrency money laundering schemes.

Synchronizing Systems to NTP Servers

The Indian entities covered by the new directive are also obliged to synchronize their system clocks with the NTP (Network Time Protocol) servers provided and maintained by India’s National Informatics Centre (NIC) or the National Physical Laboratory (NPL).

The reason for this requirement was not explained, but presumably, it’s for better coordination and to make it easier for CERT-In to log and analyze the data reports.

The National Informatics Centre, which holds most Govt. servers, has previously been a target of multiple phishing attacks in which the emails, IDs, and personal data of Indian Government officials have been compromised.
