If a company fails to adhere to the new laws, the concerned officials will be imprisoned for up to a year.
- The MeitY has given companies 60 days to make appropriate arrangements for securely storing user data.
- MeitY’s new order also states that companies will continue to store and maintain a user’s records even after the user has deactivated their account or canceled the subscription.
- The Indian Computer Emergency Response Team (CERT-In) has also asked data centers and crypto exchanges to follow the new order passed earlier this month.
The Ministry of Electronics and Information Technology (MeitY) has ordered virtual private network (VPN) companies to collect and store user data for five years or longer. The order was announced in a bid to coordinate response activities and emergency measures concerning cyber security incidents. VPN companies will have to record the user’s home address, IP address and usage patterns.
The MeitY has given companies 60 days to make appropriate arrangements for securely storing user data. The new laws will come into effect starting July 27. If a company fails to adhere to the new laws, the concerned officials will be imprisoned for up to a year.
MeitY’s new order also states that companies will continue to store and maintain a user’s records even after the user has deactivated their account or canceled the subscription. The Indian Computer Emergency Response Team (CERT-In) has also asked data centers and crypto exchanges to follow the new order passed earlier this month.
Companies are also expected to maintain information as part of the Know Your Customer (KYC) and records of financial transactions for a period of five years. This is to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.
Service providers, intermediaries and data centers are also ordered to report any type of cyber security incidents to the CERT-in. The government agency has listed 20 such vulnerabilities that need to be reported. These include targeted scanning or probing of critical networks/systems, compromise of critical systems or information, and unauthorized access of IT systems or data. Other vulnerabilities that MeitY wants service providers to report are as follows:
- Defacement of websites or intrusion into a website and unauthorized changes such as inserting malicious code links to external websites etc.
- Malicious code attacks such as the spreading of viruses/worms/Trojan/Bots/ Spyware/Ransomware/Crypto miners.
- Attack on servers such as databases, mail and DNS, and network devices such as routers.
- Identity Theft, spoofing and phishing attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
- Attacks on Critical Infrastructure, SCADA and operational technology systems and Wireless networks.
- Attacks on Applications such as E-Governance, E-Commerce etc.
- data breach
- data leak
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
- Attacks or incidents affecting digital payment systems
- Attacks through Malicious mobile Apps
- Fake mobile apps
- Unauthorized access to social media accounts
- Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications
- Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, drones.
- Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning.