Starting June 28, all companies in India will have to compulsorily report any form of cyber incident to the Indian Computer Emergency Response Team (Cert-In) within six hours of detecting it, according to a new directive issued on Thursday by the Ministry of Electronics and Information Technology (Meity). The directive also requires VPN providers, custodian crypto wallets (as used by most crypto exchanges) and other service providers to maintain customer data for a period of five years.
The directive significantly expands the range of cyber incidents that need to be reported to 20 categories including defacement of websites, unauthorised access to social media, data breach, and data leaks.
It also shortens the time companies are allowed to report breaches. The directive does not, however, change the civil and criminal penalties already laid down by Section 70B of the Information Technology (IT) Act, 2000: imprisonment of up to one year and a fine of up to Rs 1 lakh for companies that fail to comply with a notice served by Cert-In.
The new rules also require virtual asset service providers, such as cryptocurrency exchanges in India, to maintain five-year logs of know your customer (KYC) data and information on every financial transaction in such a manner that individual transactions could be reconstructed in case of a cyber incident.
While the new regulations are more stringent in nature and could potentially single out companies whose incidents carry a higher risk of harm, the rules also appear to be “excessive” and “overreaching”, say experts.
N.S. Nappinai, advocate at the Supreme Court of India and founder of the cyber safety organisation Cyber Saathi Foundation, said that one of the key facets of the new rules lies in mandating companies to align their time servers with the network time protocol (NTP) server of India’s National Informatics Centre (NIC).
Companies running information and communications technology (ICT) infrastructure point their own time servers at a reference server, in this case NIC’s NTP server, and those time servers in turn distribute the reference time to the rest of the server estate. This is what keeps timestamps consistent across everything a company has connected, so that logs from different systems can be lined up against one another.
“This is being done so that companies can no longer play around with timelines of data breaches that happen, or state time differences to escape regulation,” Nappinai said.
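The exchange by which a client clock aligns itself with a reference NTP server, as an added example that is not part of the original article or of any NIC or Cert-In material. It builds an NTPv4 client packet, parses the four timestamps of the reply, computes the clock offset and round-trip delay by the standard formula, and rejects replies a careful client should not trust (origin timestamp mismatch, kiss-o'-death, unsynchronised server). The server reply is constructed inline so the code runs offline; no NIC hostname is assumed, and the `query_server` helper that would send the request to a real server over UDP/123 is an assumption about how one would wire it up, not something run here.

```python
import socket
import time
from typing import Optional, Tuple
import struct

# 48-byte NTPv4 header (RFC 5905): LI/VN/Mode, stratum, poll, precision,
# root delay, root dispersion, reference ID, then four 64-bit timestamps
# (reference, origin, receive, transmit).
HEADER = struct.Struct("!BBbbIIIQQQQ")
NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)


def ntp64(unix_ts: float) -> int:
    """Unix seconds (float) -> 64-bit NTP timestamp: 32-bit seconds | 32-bit fraction."""
    whole = int(unix_ts)
    frac = min(int(round((unix_ts - whole) * (1 << 32))), 0xFFFFFFFF)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def unix_from_ntp64(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(t1_unix: float) -> bytes:
    """Mode-3 client packet; its transmit timestamp (T1) is the client's send time."""
    first = (0 << 6) | (4 << 3) | 3  # LI=0, VN=4, mode=3 (client)
    return HEADER.pack(first, 0, 0, 0, 0, 0, 0, 0, 0, 0, ntp64(t1_unix))


def build_server_response(request: bytes, t2_unix: float, t3_unix: float,
                          stratum: int = 1, li: int = 0, refid: bytes = b"GPS\0") -> bytes:
    """Constructed mode-4 reply, present only so the example runs offline.

    A real server echoes the client's transmit timestamp into the origin field,
    stamps T2 when the request arrived and T3 when the reply leaves.
    """
    req_t1 = HEADER.unpack(request)[10]
    first = (li << 6) | (4 << 3) | 4  # mode=4 (server)
    return HEADER.pack(first, stratum, 6, -20, 0, 0, int.from_bytes(refid, "big"),
                       ntp64(t2_unix), req_t1, ntp64(t2_unix), ntp64(t3_unix))


def validate_reply(request: bytes, response: bytes) -> Optional[str]:
    """Return None if the reply is usable, else the reason to discard it.

    Plain NTP is unauthenticated, so these are the minimum checks before a reply
    is allowed to move the local clock; they do not replace NTS or keyed MACs.
    """
    if len(response) != HEADER.size:
        return "wrong packet length"
    (first, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref, origin, recv, xmit) = HEADER.unpack(response)
    li, mode = first >> 6, first & 7
    if mode != 4:
        return "not a server reply"
    if origin != HEADER.unpack(request)[10]:
        return "origin timestamp does not match our request (stale or spoofed reply)"
    if stratum == 0:
        return "kiss-o'-death code %r" % refid.to_bytes(4, "big")
    if li == 3:
        return "server reports its own clock is unsynchronised"
    if recv == 0 or xmit == 0 or xmit < recv:
        return "implausible server timestamps"
    return None


def clock_offset(request: bytes, response: bytes, t4_unix: float) -> Tuple[float, float]:
    """Return (offset, round-trip delay) in seconds; offset > 0 means we are behind."""
    reason = validate_reply(request, response)
    if reason:
        raise ValueError(reason)
    fields = HEADER.unpack(response)
    t1 = unix_from_ntp64(fields[8])   # origin   = our send time, echoed back
    t2 = unix_from_ntp64(fields[9])   # receive  = server clock when request arrived
    t3 = unix_from_ntp64(fields[10])  # transmit = server clock when reply left
    offset = ((t2 - t1) + (t3 - t4_unix)) / 2
    delay = (t4_unix - t1) - (t3 - t2)
    return offset, delay


def query_server(host: str, timeout: float = 2.0) -> Tuple[float, float]:
    """Live query over UDP/123 (assumed wiring; not exercised by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        req = build_client_request(time.time())
        sock.sendto(req, (host, 123))
        resp, _ = sock.recvfrom(HEADER.size)
        return clock_offset(req, resp, time.time())


if __name__ == "__main__":
    # Constructed scenario: the reference clock runs 2.5 s ahead of ours, 0.10 s RTT.
    T1 = 1_700_000_000.0
    req = build_client_request(T1)
    resp = build_server_response(req, T1 + 2.55, T1 + 2.56)
    print(clock_offset(req, resp, T1 + 0.11))  # (offset ~2.5, delay ~0.10)
```

The origin-timestamp check is the one that matters operationally: because NTP carries no authentication by default, a reply whose origin field does not echo the exact T1 the client sent is either stale or forged and must not be allowed to shift the clock, since a shifted clock is precisely the timeline manipulation the directive's NTP requirement is meant to rule out.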
Akash Karmakar, partner at law firm Panag & Babu, said that in Indian cyber security parlance, there is no “risk of harm threshold” at the moment. “Internationally, such a threshold is used to classify serious and non-serious breaches, which is something that this new directive can help establish in India. The ones with higher risk of harm will have the mentioned six-hour window in India to disclose cyber incidents,” Karmakar said.
Karmakar added that the directive also seeks to create a “class of reportable incidents and companies in high risk of harm category, which would be responsible for these incidents.” However, he also said that the categories have been defined with “very broad strokes”, and are “overreaching”.
“There are no specifics on what defines a data breach, or a data leak. Even in terms of compromised social media accounts, there has to be some definition in terms of parameters that can and cannot be disclosed within six hours. Social media companies, for instance, would find it impossible to constantly disclose information on such breaches within six hours,” he added.
Pavan Duggal, advocate and cyber law expert, said that this is the first time that the government has issued directives on cyber law “of this magnitude, nature and amplitude.” He further added, “India presently does not have a dedicated cyber security law, and the IT Act, 2000 only dealt with some aspects of it. The new rules bring every company in India under scrutiny, and require logs of ICT servers to be maintained for a rolling period of 180 days for transparency and accountability.”
“By a single stroke of secondary legislation, the Indian government has offered umbrella cyber security directions for all companies. These directions could be game-changing in their perspective and amplitude, and could be a turning point in the legislative history of India in providing a robust legal framework for promoting cyber security,” Duggal added.
However, going forward, it also remains to be seen if the new rules are proportionate and appropriate to the causes that they seek to address. Nappinai said that the new rules will be “tested on the anvil of Puttaswamy’s three golden rules – is there a law supporting the rule, is there a legitimate basis, and if it is proportionate.”
“Previous Cert-In rules were disproportionate, but nobody addressed this issue so far. Now, chances are that these rules will finally come under judicial review,” she added.