Security News > 2022 > May > Industry pushes back against India's data security breach reporting requirements

Opposition is building to India's recently introduced rules on reporting computer security breaches, which have come under fire for being impractical, ineffective, and impinging on privacy.

Concern about the rules has been voiced within and outside India, the latter typified by global tech lobby group the Information Technology Industry Council sending CERT-In a letter [PDF] that suggests the six-hour reporting requirement is not feasible, and is also not aligned with global best practice of 72-hour reporting.

India's Internet Freedom Foundation has offered an extensive criticism of the regulations, arguing that they were formulated and announced without consultation, lack a data breach reporting mechanism that would benefit end-users, and include data localization requirements that could prevent some cross-border data flows.

The foundation also points out that the privacy implications of the rules - especially five-year retention of personal information - is a very significant requirement at a time when India's Draft Data Protection Bill has proven so controversial it has failed to reach a vote in Parliament, and debate about digital privacy in India is ongoing and fierce.

Venkatanarayanan also pointed out that the rules' requirement to report incidents as trivial as port scanning has not been explained - is it one PDF per IP address scanned, or can one report cover many IP addresses? CERT-In said it wanted the new reporting to improve its analytical capabilities, but has not explained how analog reports - faxes are also allowed - will help it to build a better incident database.

The Register has contacted India's Ministry of Electronics and Information Technology, CERT-In's parent organization, seeking comment on the criticism above.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/10/india_infosec_rules_criticised/