Security News > 2022 > May > India slightly softens infosec incident reporting and data retention rules

India has slightly softened its controversial new reporting requirements for information security incidents and made it plain they apply to multinational companies.

The rules were announced with little advance warning in late April and quickly attracted criticism from industry on grounds including the requirement to report 22 different types of incident within six hours, a requirement to register personal details of individual VPN users, and retention of many log files for 180 days.

Some of the guidance in the document will be welcome, for example the clarification that minor security incidents such as the takeover of a social media account are not subject to the six-hour reporting requirement.

Non-Indian organisations may store data such as logfiles offshore, but are required to make it available to CERT-In. The FAQ reiterates previous assertions that the new rules are needed to secure Indian industry, government, and society, and states they were devised after consultation with relevant stakeholders that began in early March 2022 - less than eight weeks before the rules were published.

The technical burden of logfile retention is not addressed, other than with oblique references to requirements for resilience and security of files so that they can be provided to CERT-In. The document does acknowledge that the new rules will see CERT-In likely collect a lot of personal information from incident reports, and that those reports will include descriptions of organisations' IT systems that would be very valuable to certain parties.

VPN providers have again criticised the rules' requirements, leading minister of state for electronics and IT Rajeev Chandrashekhar to suggest they should leave India if they don't like its laws.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/20/cert_in_rules_faq/