Government asks VPN providers to comply with rules
NEW DELHI: The Union Government has given more than adequate time to virtual private network, or VPN, service providers, data centers, cloud service providers or businesses to comply with new guidelines on reporting cybersecurity breaches, State Information Technology Minister Rajeev Chandrasekhar said when posting the Cybersecurity Incident Frequently Asked Questions published last month.
The minister said the Indian government’s instructions for VPN companies or data centers to report security breaches within six hours of noticing an incident are more lenient than global standards, with some countries requiring immediate reporting.
In April, India’s Computer Emergency Response Team (CERT-In) ordered data centers and technology companies to report data breaches within six hours of noticing incidents and to keep computer and communication logs for six months. It had also mandated cloud service providers and VPN companies to retain customer names and IP addresses, along with other details, for at least five years.
Chandrasekhar said those unwilling to comply with the guidelines may well have to rethink their business plans in India.
“Government has said very clearly on many occasions on all matters relating to rule making, there is no possibility for anyone to say that we will not follow the laws and rules of India. If you don’t have the logs, start managing the logs. So if you want to withdraw, frankly, this is the only opportunity you have to withdraw,” the minister said.
He noted that the burden of progressive compliance was low.
The guidelines also stipulated that service providers, intermediaries, data centers and legal persons providing services to users in the country should designate a point of contact to liaise with CERT-In in case they have no physical presence in India.
The government released the instructions because its current set of rules governing cybersecurity, which were released in 2011, did not include mandatory reporting and therefore needed an upgrade.
In a series of FAQs on the instructions issued, the government clarified on Wednesday that failure to comply will result in penalties under a section of the Information Technology Act. It also clarified that enterprise or corporate VPNs do not fall under the category of “VPN service providers”, which would apply to entities that provide “Internet proxy-type services through the use of VPN technologies, standard or proprietary, to general Internet subscribers.”
“This basically indicates that enterprise VPN service providers may not be required to enable logs or retain customer data as prescribed in the guidelines,” said Rishi Anand, Partner at DSK Legal.
“The Indian Internet’s size-shape scale was drastically different from the 80 million Indians online today. Almost all businesses today are internet-connected and highly digitized. Therefore, the risks represented in 2022 are significantly different from the risks in 2011. Therefore, we believe that mandatory reporting is absolutely important for us as government and industry to keep the internet open, safe and trustworthy,” Chandrasekhar said.
The minister added that a VPN provider, data center operator, cloud provider or company is obligated to know the users of its infrastructure and, if a cyber breach is detected by one of the users, it is mandated to produce the data necessary to take action. He also noted that if entities do not comply, the government will have to take appropriate action, but did not specify what action the government will take.
The minister added that the instructions were separate from the Data Protection Act, which essentially creates a legislative framework for the privacy of the individual’s information.
“This is not an opt-out provision, many of the rules you will see over the next few months that will be developed to address the openness, security, trust and accountability issues of the internet, and it will continue,” he said.