Reporting window is 66 hours shorter than that stipulated under the EU’s GDPR

India to introduce six-hour data breach notification rule

Organizations in India face a six-hour data breach reporting deadline, following the introduction of new rules by the country’s computer emergency response team, CERT-In.

The new rules will apply to critical parts of India’s network and IT infrastructure, including service providers, data centers, government organizations, and corporations.

The reporting window is much shorter than those in other large economies: in the EU, the GDPR mandates that breaches are reported within 72 hours. Incidents can be reported by phone, fax or email.

Organizations covered by the rule must keep logs for 180 days after an incident.

Know your customer

Some sectors, including data centers, cloud service providers, and VPN operators, will also have to register and maintain certain information about customers, including names, IPs, and their reason for using services, for at least five years.

Similarly, cryptocurrency services will be obliged to maintain ‘know your customer’ (KYC) records.

CERT-In has issued a list of 20 types of incident (PDF) that organizations must report within the six-hour window. These include malware and ransomware attacks; identity theft, spoofing and phishing attacks; and data breaches and data leaks.


Read more of the latest cybersecurity news from India


The list also includes unauthorized access to social media accounts and attacks or suspicious activities affecting cloud computing services, the blockchain, robotics, additive manufacturing, 3D printing, or drones.

All organizations covered by the directive must synchronize their systems to network time (NTP) servers maintained by India’s National Informatics Centre or National Physical Laboratory, or NTP servers synched to those systems, presumably to make it easier for CERT-In to analyze log data.

Organizations that fail to comply may face penalties set out under India’s IT Act, 2000.

Announcing the new rules, India’s Ministry of Electronics and IT stated that “CERT-In has identified certain gaps causing hindrance in incident analysis”, adding that the rules would “enhance overall cyber security posture and ensure safe & trusted Internet in the country”.

RV Raghu, director at Versatilist Consulting India and ISACA Ambassador in India, hailed the announcement as “a great step towards improved data and customer protection which can also strengthen the overall cybersecurity posture of Indian enterprises.

“Reporting incidents can lead to the sharing of information, preventing the rise of systemic risks and leading to a stronger ecosystem,” he told The Daily Swig.

The new rules are due to come into force 60 days after their announcement, on April 28.


RELATED India’s Personal Data Privacy Bill: What does it mean for individuals and businesses?