CERT-In extends deadline to comply with new cyber security rules

|HT|

The Computer Emergency Response Team (CERT-In) has extended the deadline for the new cyber security directives that mandate virtual private network providers to store customer data for up to five years, giving them and micro, small & medium enterprises (MSMEs) time until September 25 to implement the rules. The rules, issued on April 28, were slated to kick into effect on June 26, sixty days after they were issued. In an order issued on June 27, CERT noted that MSME sought “reasonable time for generating capacity building required for implementation of these Directions”. “Also, additional time has been sought as well for implementation of mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers,” CERT said in its notification.

It added that the “requirement relating to the aspects of registration and maintenance of validated names of subscribers/customers hiring the services and validated address and contact numbers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers…will become effective on 25th September, 2022”. Companies offering VPN or cloud services in India are required to collect, as well as maintain, extensive and “accurate” data of their consumers for five years under Union ministry of electronics and information technology’s (MeitY) cybersecurity policy will be held liable if they do not store the data as directed by the government, an official familiar with the matter said on Monday.

The official added that while there is no mandatory need to inform the ministry that they are complying with the directives, if the information regarding a particular case is sought by the government that the company fails to do so, it may face charges.

Union minister for electronics and information technology Rajeev Chandrasekhar earlier this month said that the companies must comply with the laws of the land or they can exit the Indian market. Defending the rules, the government said that the information will only be sought on a case-to-case basis, therefore not violating citizens’ right to privacy. ExpressVPN, one of the leading cloud service providers, has already announced that it is shutting its servers in India, becoming perhaps the first virtual private network (VPN) services provider to pare back operations in the country after the government’s cybersecurity agency CERT-In issued directives that require additional compliances.

The directive has been controversial and tech companies and experts have said it opens avenues for misuse by mandating VPN service providers to maintain detailed logs of their customers.

(Except for the headline and the pictorial description, this story has not been edited by THE DEN staff and is published from a syndicated feed.)