Skip links

India slightly softens infosec incident reporting and data retention rules

India has slightly softened its controversial new reporting requirements for information security incidents and made it plain they apply to multinational companies.

The rules were announced with little advance warning in late April and quickly attracted criticism from industry on grounds including the requirement to report 22 different types of incident within six hours, a requirement to register personal details of individual VPN users, and retention of many log files for 180 days.

India’s government yesterday responded by publishing an FAQ [PDF] about the new rules.

Some of the guidance in the document will be welcome, for example the clarification that minor security incidents such as the takeover of a social media account are not subject to the six-hour reporting requirement. Instead, only “incidents of severe nature … on any part of the public information infrastructure including backbone network infrastructure”, data breaches, or events that endanger public safety must be reported at speed.

The requirement to use only a pair of Indian network time protocol (NTP) servers also appears to have eased, with the FAQ allowing use of other NTP servers that synch with the two approved Indian operators.

The document also spells out requirements for entities that may operate in India without having a physical presence in the nation. Such organisations must appoint a point of contact to liaise with India’s Computer Emergency Response Team (CERT-In), which administers the new rules. Non-Indian organisations may store data such as logfiles offshore, but are required to make it available to CERT-In.

The FAQ reiterates previous assertions that the new rules are needed to secure Indian industry, government, and society, and states they were devised after consultation with relevant stakeholders that began in early March 2022 – less than eight weeks before the rules were published.

But the document does not address criticism of the new rules. Objections to retention of data about VPN users and their activities are not addressed. The document instead explains the requirement as a national security imperative and dismisses privacy concerns. The technical burden of logfile retention is not addressed, other than with oblique references to requirements for resilience and security of files so that they can be provided to CERT-In.

The document does acknowledge that the new rules will see CERT-In likely collect a lot of personal information from incident reports, and that those reports will include descriptions of organisations’ IT systems that would be very valuable to certain parties. Assurances that CERT-In is bound by privacy laws, and governed by chain-of-custody requirements, are offered to those who worry about sharing information with the organisation.

But if offers no explanation about how CERT-In will use the documents it collects to analyse security incidents, a matter of interest as organisations are allowed to file reports in formats such as PDF or Fax that do not lend themselves to automated ingestion or analysis.

India’s Software Freedom Law Centre has expressed concerns the FAQ is not binding, making it poor guidance, and has vowed to seek information on who participated in the consultation process. VPN providers have again criticised the rules’ requirements, leading minister of state for electronics and IT Rajeev Chandrashekhar to suggest they should leave India if they don’t like its laws.

But CERT-In and minister Chandrashekhar aren’t budging – and the June 27 deadline for meeting the new rules’ requirements remains in place. ®