Team. in Pursuance of The Said Provision, The Central Government Issued

This document discusses India's laws around mandatory reporting of cyber security incidents. It notes that under the Information Technology Rules, certain entities like service providers, intermediaries and data centers have an obligation to report incidents to CERT-In within a reasonable time. However, government departments do not explicitly have this same reporting requirement. The document also discusses how the Intermediary Guidelines require intermediaries to report incidents but there are no penalties specified for non-compliance. Given the increase in digital payments and cyber attacks, the government is reviewing the IT Act to address current needs around secure digital transactions and mobile banking.

Uploaded by

pravinsankalp

As per section 70-B of the Information Technology Act, 2000 (the IT Act)
the Central Government has the power to appoint an agency of the
government to be called the Indian Computer Emergency Response
Team. In pursuance of the said provision, the Central Government issued
the Information Technology (The Indian Computer Emergency Response
Team and Manner of Performing Functions and Duties) Rules, 2013 (the
CERT Rules) which provide the location and method of functioning of
the Indian Computer Emergency Response Team (CERT-In). Rule 12 of the
CERT Rules gives every person, company or organisation the option to
report cyber security incidents to the CERT-In. It also places an obligation
on them to mandatorily report the following kinds of incidents as early as
possible:

Targeted scanning/probing of critical networks/systems;

Compromise of critical systems/information;

Unauthorized access of IT systems/data;

Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.;

Malicious code attacks such as spreading of virus/worm/Trojan/botnets/spyware;

Attacks on servers such as database, mail, and DNS and network devices such as routers;

Identity theft, spoofing and phishing attacks;

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks;

Attacks on critical infrastructure, SCADA systems and wireless networks;

Attacks on applications such as e-governance, e-commerce, etc.

According to the CERT Rules, there is an obligation imposed on service
providers, intermediaries, data centres and body corporates to report
cyber incidents within a reasonable time to allow CERT-In to take
necessary action.

This mandatory reporting obligation chiefly covers private sector
entities; however, it is notable that prima facie
the provision does not impose any obligation on government entities to
report cyber incidents unless they come under any of the expressions
"service providers", "data centres", "intermediaries" or "body corporate".

This would mean that if the data kept with the Indian Navy regarding any
of their Warships in electronic form is hacked in a cyber incident, then
there is no statutory obligation under the said Rules on it to report the
incident. It is pertinent to mention here that although there is no
obligation on a government department under law to report such an
incident, such an obligation may be contained in its internal rules and
guidelines, etc. which are not readily available.

Incident Reporting under Intermediary Guidelines

Section 2(1)(w) of the IT Act defined the term "intermediary" in the
following manner:

"intermediary", with respect to any particular electronic record, means any
person who on behalf of another person receives, stores or transmits that
record or provides any service with respect to that record and includes
telecom service providers, network service providers, internet service
providers, web hosting service providers, search engines, online payment
sites, online-auction sites, online market places and cyber cafes.

Rule 3(9) of the Information Technology (Intermediaries Guidelines) Rules,
2011 (the Intermediary Guidelines) also imposes an obligation on any
intermediary to report any cyber incident and share information related to
cyber security incidents with the CERT-In; however, speedy reporting of
such incidents, especially by banks, has not happened in the past. Since
neither the Intermediary Guidelines nor the Information Technology Act
specifically provides for any penalty for non-conformity with Rule 3(9),
any enforcement action against an intermediary for not
reporting a cyber security incident would have to be taken under section
45 of the said Act, imposing a penalty of Rs. 25,000/-.

With demonetization in the picture, a large number of citizens have opted for
digital payments, giving rise to more such incidents in the past few months.
Not only are payment gateways and banks under threat, but
social media is another target, as observed recently when the Twitter
accounts of Congress vice president Rahul Gandhi, the official account of the
Indian National Congress, liquor baron Vijay Mallya and journalist Barkha
Dutt were hacked by the so-called hacker group Legion. This group
also stated that the servers of some of India's popular e-wallet firms have been
compromised and attacked at the base level.

Therefore, Ravi Shankar Prasad identified this situation as very critical and
stated in an interview that all digital payment firms have been asked to
report any unusual movement immediately to CERT, and that the Ministry
of Electronics and IT has started a review of the IT Act, keeping in mind the
current need and demand for digital payments and mobile banking, which
were not prevalent 16 years ago, when the Act initially came into force.