Cert-In cyber rules could cause more breaches in India: Surfshark study

The Indian government’s latest set of cyber security rules, that were notified by the Ministry of Electronics and Information Technology (Meity) on April 28, can cause more loss of data of Indian citizens to cyber breaches – according to a report on the matter by Dutch virtual private network (VPN) services provider, Surfshark. The latter stated in its report that over the past 18 years, over 250 million usernames and passwords belonging to Indian users have been breached online, making India the sixth most breached nation worldwide in terms of cyber incidents.

Surfshark was one of the multiple VPN service providers that were available for Indian users, prior to the establishment of the latest cyber rules in the country. Under these new rules, any company operating in India has been asked to notify the government about facing a cyber breach of any form – within six hours of realizing it themselves. The rules also require companies that operate cryptocurrency wallets and VPNs to maintain user logs for a period of five years.

In response to these rules, VPN providers have expressed their opposition, stating that logging and storing of user data goes against one of the core purposes of using VPNs – privacy. On June 8, Surfshark announced that it would be shutting down its physical servers in India, in face of the new law in the country. Fellow VPN providers, NordVPN and ExpressVPN, had already announced their intent to suspend services in the country, unless the data collection provision under the new Cert-In directive was revoked.

The new rules come into effect this month, on June 28.

These rules, according to Surfshark, could create potential for even greater data breaches in India. The company claimed in its study that 18 out of every 100 Indians have already faced some form of cyber breach already, since the first logged cyber breach in the world in 2004. It further added that with Cert-In’s data collection directive, India also requires mandating adoption of stringent and sophisticated data protection tools.

Gytis Malinauskas, legal head of Surfshark, said in a statement, “Collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide.”