CERT-In Rules on data breach notification etc. for MSMEs

On 28th April 2022, the Government of India notified certain requirements under Section 70B of ITA 2000/8 regarding information security practices to be followed by all IT system owners.

Subsequently, a detailed FAQ was also published by CERT-In.

These regulations were applicable to all service providers, intermediaries, data centers, body corporates and Government organizations.

The regulations were to come into effect 60 days from the date of the notification. In other words, the regulations became effective from the morning of 27th June 2022.

Now CERT-In has notified that in respect of MSMEs, as defined under the notification of the MSME ministry dated 1st June 2020, the regulations shall become effective only from 25th September 2022.

At the same time, data centers, VPS providers, cloud service providers and VPN companies have been given additional time (till 25th September) for the implementation of mechanisms relating to the validation of subscribers'/customers' details.

According to the definition of MSME under this notification, it refers to:

i) A micro enterprise, where the investment in Plant and Machinery or Equipment does not exceed one crore rupees and turnover does not exceed five crore rupees.

ii) A small enterprise, where the investment in Plant and Machinery or Equipment does not exceed ten crore rupees and turnover does not exceed fifty crore rupees.

iii) A medium enterprise, where the investment in Plant and Machinery or Equipment does not exceed fifty crore rupees and turnover does not exceed two hundred and fifty crore rupees.

It may be recalled that the guidelines require the following to be in place:

  1. All entities shall ensure that their time source is synchronized to the NIC/NPL time source.
  2. All entities shall report a data breach within 6 hours.
  3. All entities shall act in accordance with the directions of CERT-In, if any.
  4. All entities shall enable logs of all ICT systems and maintain them securely for a rolling period of 180 days.
  5. All entities shall preserve the service registration information for a period of 5 years, or longer as mandated by law, after termination of registration; such information shall include:
    1. Validated names of subscribers/customers hiring the services
    2. Period of hire, including dates
    3. IPs allotted to / being used by the members
    4. Email address, IP address and time stamp used at the time of registration / on-boarding
    5. Purpose for hiring services
    6. Validated address and contact numbers
    7. Ownership pattern of the subscribers / customers hiring services
  6. Virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years, so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.

For more details kindly refer to the FAQ document.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.

This entry was posted in Cyber Law.
