Virtual Private Server (VPS) providers, cloud service providers and VPN service providers. These guidelines have been issued under Section 70B of the Information Technology Act, 2000. However, the new guidelines are not privacy-friendly and may hamper data security, increasing other implications as a result. Non-compliance may invite penal action.

PRIVACY CONCERNS OVER CERT GUIDELINES

1. While it is crucial to enhance cyber security, asking data centres and service providers to register and retain some of the metadata may not solve the purpose. Also, the guidelines mandate retention of five years’ data, which requires large infrastructural investments and operational issues. 2. With the implementation of the Financial Action Task Force recommendations for KYC, mandating virtual asset service providers to maintain KYC information is excessive. Additionally, KYC guidelines presently allow financial service providers to collect more information than they require in order to stay compliant. However, there are recurring issues in the KYC processes in the country, making it even more difficult for law enforcement agencies to complete any investigation with the support of KYC data. Since the process altogether is in need of a significant overhaul, directing companies to maintain KYC data will not support the goal of reducing cyber security incidents.

MARKET-LEVEL IMPLICATIONS

1. The categorization of incidents mandated for reporting to CERT-In seems overbroad. Currently, multiple categories could potentially qualify as cyber security incidents and induce mandatory reporting for all. This will add pressure on companies’ internal operations and increase funding pressures associated with hiring more human resources and establishing basics for ensuring compliance with the mandate. Moreover, the large number of incident reports would complicate the process of gathering any practical intelligence. 2. Making metadata retention compulsory by VPN service providers impacts their regular business as the trust quotient has a possibility of getting compromised. In addition, compromising VPN would also affect the operations of Indian enterprises which use VPN. 3. Though reporting the breach is crucial, integrated timestamping will give businesses only six hours to report cyber incidents, which would huge cause operational hurdles for firms as they would also be involved in damage management, aside from their regular operating activities. In many cases, the breach and its extent could take days or even longer to detect. Therefore, it is difficult to grasp the full degree of the actual violation and its severity within six hours, as a result of which victims of the incident will receive an unfiltered data dump. This also contradicts some laid-down international standards. 4. Mandating service providers to retain data for five years increases privacy risks and leads to the imposition of high financial costs on businesses. This could hurt the overall IT infrastructure and IT-enabled services and products as some players may need to incorporate new systems to collect and store data. Also, the broad window of five years is a significant opening for data leaks to take place instead of minimizing such breaches. Validation of subscribers’ personal information mandated through CERT-In directions would also increase operating costs for start-ups and data centres as they install new infrastructure and processes for the first time to comply with this mandate. 5. Requesting the VPN service provider to furnish data like IP address and timestamp used at the time of registration of the users might cause even more severe security implications for individuals and businesses trying to use a secure connection over unsecured internet infrastructure.

THE WAY FORWARD

For a short term, retention of specific data might prove effective in curbing cyber threats. However, such efforts are bound to be challenged in the absence of stringent disclosure policies. Excessive data retention violates the fundamental rights of the individual, the foremost being the right to privacy. The guidelines have been issues without public consultation with relevant stakeholders. Consequently, several unwarranted provisions have been included in the policies. The directions still lack clarity on how to notify a user in the event of a data breach. Without finetuning these systemic flaws, the guidelines may fail to harbour any support from stakeholders and instead might aid the occurrence of what they have been issued to curb- cybersecurity incidents. ABOUT SNS Secure Network Solutions (SNS) provides a quantifiable, risk-based approach to building a global structure of cybersecurity infrastructure based on internationally recognized frameworks and practices. We have been providing services and catering to clients across industries for the last 22 years. Write to us at [email protected] or visit us at www.snsin.com.