Organizations must report cyber security breaches within six hours: CERT-In

CERT-In has asked all government and private agencies, including internet service providers, social media platforms, and data centers, to mandatorily report cyber security breach incidents to it within six hours of noticing them.

The new circular, issued by the Indian Computer Emergency Response Team (CERT-In), mandates all service providers, intermediaries, data centers, corporates, and government organizations to mandatorily enable logs of all their ICT (Information and Communication Technology) systems and maintain them securely for a rolling period of 180 days, and the same shall be maintained within the Indian jurisdiction.

The log should be provided to CERT-In along with reporting of any incident or when directed by the computer emergency response team.

The move will help in fighting cybercrime more effectively, minister of state for electronics and IT Rajeev Chandrasekhar said in a tweet, asking all companies and enterprises ''must mandatorily report cyber incidents to IndianCERT''.

CERT-In is empowered under section 70B of the Information Technology Act to collect, analyze and disseminate information on cyber security incidents.

CERT-In said that during handling cyber incidents and interactions with the constituency, it has identified certain gaps causing hindrance in the analysis of breach incidents.

''To address the identified gaps and issues to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response, and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000. These directions will become effective after 60 days,'' Cert-In said.

According to the latest order, data centers, virtual private server (VPS) providers, cloud service providers, and virtual private network service (VPN Service) providers need to register the accurate information related to subscriber names, customers hiring the services, ownership pattern of the subscribers, etc, and maintain them for five years or longer duration as mandated by the law.

''Many times during LEA (Law Enforcement Agency) requests and investigations, we have seen cases of non-storage or availability of data and proper records with intermediaries and service providers. These guidelines will streamline the data records to be maintained and proper reporting of security incidents to CERT-In,'' said Jiten Jain, Voyager Infosec director of digital lab.

There have been several incidents of data breaches in Indian entities that have led to the leak of personal data of crores of individuals.

Some companies continued to ignore alerts by cyber security researchers and acted only after the data was made public.

''End-user has the right to know if their data is loaded so that an individual can protect himself from fraud transactions, fake loans, ID misuse, etc. Government should also force companies to inform their users within 24 hours of the incident. Neither CERT-In nor companies inform users. We saw a lot of data breaches last year. None of them informed their users. As a result, cybercrime, financial fraud, and ID misuse have spiked,'' cyber security researcher Rajshekhar Rajaharia said.

He said that users are still unaware of whether their KYC (Know Your Customer) and financial data are safe or not.

(This story has not been edited by Devdiscourse staff and is auto-generated from a syndicated feed.)