BackVPNs not ready to keep log data for 5 yrs can exit: Chandrasekhar
Govt has given them enough time to comply, and now they need to follow rules, minister says
PremiumNEW DELHI : The government has given more than adequate time for virtual private networks (VPNs), data centres, cloud service providers or enterprises to comply with its directions on reporting cybersecurity breaches, Rajeev Chandrasekhar, minister of state for information technology, said.
Speaking on Wednesday at the release of frequently asked questions (FAQs) on cybersecurity incidents, the minister said the direction for VPNs or data centres to report security breaches within six hours of the incident coming to light was more relaxed than global standards, whereas in some countries the mandate is to report it immediately. He said compliance within 60 days, of keeping log records for five years, was mandatory, and those unwilling to comply may well have to rethink their India business plans.
“The government has very clearly said repeatedly on all issues relating to rule-making, there is no opportunity for somebody to say we will not follow the laws and rules of India. If you don’t have the logs, start maintaining the logs. If you are a VPN that wants to hide and be anonymous about those who use VPNs to do business in India and you don’t want to comply, then if you want to pull out, frankly, that is the only opportunity—you have to pull out." Chandrasekhar said the burden of incremental compliance was little.
The minister’s comments followed directions issued by Indian Computer Emergency Response Team (CERT-In) on 28 April regarding cybersecurity, data centres, VPN providers and crypto exchanges, which mandated VPN service providers to maintain logs including names of customers, IP addresses and other details for five years, beginning June 2022. Several VPN providers had objected to the directions, raising concerns around privacy of customers using their services.
The FAQs issued on Wednesday said non-compliance will attract penalties under the IT Act. It also clarified that corporate or enterprise VPNs do not fall under the category of “VPN service providers" and that it would be applicable to entities that provide “internet proxy-like services through the use of VPN technologies, standard or proprietary, to general internet subscribers".
“The FAQs come as a relief to corporates using VPNs, which are not subject to CERT directives and are not mandated to maintain customer data. However, the FAQs have not excluded the requirement to maintain ICT logs. The corporates which use VPNs to enable access by employees and other stakeholders into their IT system will benefit from this," said Rishi Anand, partner at DSK Legal.
The guidelines said service providers, intermediaries, data centres and body corporate offering services to the users in India shall designate a point of contact to liaise with CERT-In, in case they do not have a physical presence in the country.
The centre issued the new directions as its present set of rules governing cybersecurity, which were issued in 2011, did not include mandatory reporting and, therefore, had to be upgraded.
“The size, shape, scale, of the Indian internet was dramatically different from the 800 million Indians online today. Almost every enterprise today is connected on the internet and is heavily digitized and, therefore, the risks that are represented in 2022 are materially different from the risks of 2011. Therefore, we think mandatory reporting is absolutely important for us as government and industry to keep the internet open and safe and trusted," Chandrasekhar said.
The minister added that a VPN provider, data centre operator, cloud provider or enterprise is obliged to know the users of the infrastructure and, if there is a detected cyber breach from one of the users, it is mandated to produce data required for taking action. He also noted that if the entities do not comply, the government will have to take appropriate action, but did not specify the steps that the government might take.
The minister said the directions issued by CERT-In were separate from the proposed data protection law that creates a legislative framework for the informational privacy of the individual.
“This is not some exclusionary provision. You will see a large number of rule-making over the next months which will addresses openness, safety, trust and accountability issues of the internet, and that will continue," Chandrasekhar added.
Unlock a world of Benefits! From insightful newsletters to real-time stock tracking, breaking news and a personalized newsfeed – it's all here, just a click away! Login Now!
