Ransomware Cyber Attack - Incident Response Requirements in Indian Law for Affected Companies
Following yesterday's ransomware cyber-attack, affected Indian companies should note that there are legal and regulatory requirements to report cyber incidents under the Information Technology Act, RBI guidelines and telecom licence conditions. The relevant reporting authority depends upon the nature of the company's business. There are stringent penalties (including imprisonment) for failure to report such incidents in certain cases.
Incident Reporting under CERT Rules
In India, section 70-B of the Information Technology Act, 2000 (the "IT Act") gives the Central Government the power to appoint an agency of the government to be called the Indian Computer Emergency Response Team. In pursuance of that provision the Central Government issued the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the "CERT Rules"), which provide for the location and manner of functioning of the Indian Computer Emergency Response Team (CERT-In). Rule 12 of the CERT Rules gives every person, company or organisation the option to report cyber security incidents to CERT-In, and separately places on them an obligation to report the following kinds of incidents as early as possible:
· Targeted scanning/probing of critical networks/systems;
· Compromise of critical systems/information;
· Unauthorized access of IT systems/data;
· Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.;
· Malicious code attacks such as spreading of virus/worm/Trojan/botnets/spyware;
· Attacks on servers such as database, mail, and DNS and network devices such as routers;
· Identity theft, spoofing and phishing attacks;
· Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks;
· Attacks on critical infrastructure, SCADA systems and wireless networks;
· Attacks on applications such as e-governance, e-commerce, etc.
Incident Reporting under Intermediary Guidelines
Section 2(1)(w) of the IT Act defines the term "intermediary" as follows:
“Intermediary”
with respect to any particular electronic record, means any person who on
behalf of another person receives, stores or transmits that record or provides
any service with respect to that record and includes telecom service providers,
network service providers, internet service providers, web hosting service
providers, search engines, online payment sites, online-auction sites, online
market places and cyber cafes.
Rule 3(9) of the Information Technology (Intermediaries Guidelines) Rules, 2011 (the "Intermediary Guidelines") also imposes an obligation on every intermediary to report cyber security incidents, and to share information related to such incidents, with CERT-In. Since neither the Intermediary Guidelines nor the IT Act specifically provides a penalty for non-compliance with Rule 3(9), any enforcement action against an intermediary that fails to report a cyber security incident would have to be taken under section 45 of the IT Act (the residuary penalty provision), which provides for a penalty of up to Rs. 25,000/-.
Incident Reporting under the Unified License
Clause 39.10(i) of the Unified License Agreement obliges the telecom licensee to create facilities for the monitoring of all intrusions, attacks and frauds on its technical facilities and to provide reports on the same to the Department of Telecommunications (DoT). Further, clause 39.11(ii) provides that for any breach or inadequate compliance with the terms of the licence, the telecom company shall be liable to pay a penalty of Rs. 50 crores (Rs. 50,00,00,000) per breach.
A recent Indian example of such an attack is the data breach involving an alleged 3.2 million debit cards. In that case the payment networks, such as the National Payments Corporation of India, Visa and MasterCard, informed the banks of the leak, on the basis of which the banks started the process of blocking and then reissuing the compromised cards. It has also been reported that the banks failed to report the incident to the Indian Computer Emergency Response Team (CERT-In), even though they are required by law to do so.
Courtesy: The Center for Internet & Society