
What CERT-In clarifications mean and how they can affect you

Concerns on VPN requirements remain despite CERT-In clarifications. Experts also see problems with the mandate to override contractual obligations for reporting cybersecurity incidents.

May 21, 2022 / 07:39 IST

A few days back, the government released a clarification document on the April 28 directions of the Indian Computer Emergency Response Team after concerns regarding privacy and additional compliance requirements for body corporate were raised.

The document, which is in the format of FAQs, clarified, among many other things, that corporate and enterprise virtual private networks will not be required to maintain logs of customers as laid down in the April 28 directions. The directions will apply only to general internet users who use commercially available VPNs (virtual private networks).

CERT-In also clarified that the mandate to report a cybersecurity incident within six hours cannot be bypassed because of a company's contractual obligations.

However, what do these clarifications mean for an end user or a company, and how would they be affected? We explore this further below in our interaction with experts in the corporate cybersecurity, legal and civil society sectors.

How would the mandate to keep logs of citizens affect general users?

The clarifications by CERT-In say that the directions do not empower the agency to seek information such as the details of a customer using a VPN at random. While dismissing concerns regarding privacy, the agency in the FAQ document said it can seek information only on a case-by-case basis for cybersecurity incidents, and that only an officer at the rank of deputy secretary or higher can ask for such information.

However, Supratim Chakraborty, a partner in the Corporate and Commercial Practice Group of Khaitan & Co, pointed out that Section 70B of the IT Act, 2000 gives CERT-In a wide range of powers that go well beyond the ambit of reporting cybersecurity incidents. And it is not just CERT-In that could ask for these logs; law enforcement agencies can also do the same, Chakraborty added.

"The point of a VPN is to protect user information, like which user, what sites the user is visiting. If one goes ahead in implementing this direction, the government would have absolute drape over what users are doing across the internet in India. So to that extent, this is a big, big impact on ordinary users. And then there's no telling on how that information will be used," Sumantra Bose, principal associate at Khaitan & Co, said.

Privacy concerns remain despite the government's assurance: Rishi Anand, partner, DSK Legal, said, "In the absence of data protection legislation in India, the collection, use, processing and transfer of the personal data is definitely a concern from a privacy standpoint. The only legal framework which governs aspects of personal data privacy is SPDI Rules, 2011 which have been proven to be insufficient given the nature and manner of collection and use of personal data in the present digital age and new age businesses."

Similarly, Prasanth Sugathan, Legal Director at Software Freedom Law Center (SFLC.in), said, "There are major privacy concerns that arise from this. In the absence of a data protection law, storage of such data could compromise the Right to Privacy of citizens."

Did the exemptions for corporate and enterprise VPNs come as a relief?

Sachin Yadav, Partner, Forensic and Financial Advisory, Deloitte India, admitted that before the clarifications were issued by CERT-In, the mandate to maintain logs for VPNs was a point of concern among clients. Yadav also leads the digital forensics and incident response team for Deloitte India.

"That was a point of concern earlier, because even I got a couple of queries from our clients, and they were also concerned about this, whether they have to comply with this particular requirement. But I think it's been clarified very well that enterprise level VPNs, which are internally used for the organisation to have their employees log into their networks, that is not covered under this particular document. However, in my personal view, it is highly recommended to organisations to also preserve logs for these VPN connections that they offer to their employees to connect to their network."

CERT-In in its clarifications has pointed to Section 81 of the IT Act 2000, which gives it the power to override any contractual obligation of companies not to disclose cybersecurity incidents. Can there be legal tussles arising from this?

Experts Moneycontrol spoke to admitted that there can be resistance around this particular clarification provided in the FAQ document released by CERT-In a few days ago.

Chakraborty from Khaitan & Co explained the problem with an example: "For instance, I am the data controller, who provided data to a data processor. I can have some guardrails which may say that if there is any cybersecurity incident, and if there is any need to go to the regulator, then I would be the one who would frame the response. The data processor cannot randomly give some kind of input which can damage my business forever, right -- because they would not even know what happened at their end?"

The CERT-In directions from April 28 mandate that any cybersecurity incident has to be reported within six hours of the body corporate noticing the incident. In the FAQ issued a few days back, CERT-In clarified that in cases where multiple parties are affected by a cybersecurity incident, "any entity which notices the cybersecurity incident shall report to CERT-In."

Yadav from Deloitte also conceded that there could be concerns around this aspect among companies. "I feel there could be some concerns around overriding confidentiality agreements with respect to an organisation's clients. There would be some kind of resistance on this aspect." Yadav opined that the recent mandate by CERT-In needs to be addressed in contracts, or that sensitisation be carried out about this particular directive.

Do the provisions of the CERT-In directions and the clarifications go beyond the ambit of the IT Act 2000?

"CERT has been categorically identified under Section 70B of the IT Act 2000 as the national agency for performing various functions in the area of cyber security, and has the power to issue directions, advisories, procedures for the reporting of cyber incidents. Unless such power of CERT is constitutionally challenged, it is unlikely that these Directions will fail the test of being ultra vires," Anand from DSK Legal said.

Aihik Sur
first published: May 21, 2022 07:39 am
