India Requires Technology Companies And Cloud Service Providers To Report Violations Within 6 Hours

India's Junior IT Minister, Rajeev Chandrasekhar, (photo: twitter @Rajeev_GoI )

JAKARTA – The Indian government, on Wednesday 18 May, announced it would not amend its upcoming cybersecurity rules that compel social media, technology companies and cloud service providers to report data breaches quickly, despite growing industry concerns.

India's Computer Emergency Response Team issued a directive in April asking tech companies to report a data breach within six hours of "noticing such an incident" and to maintain IT and communications logs for six months.

They also mandate cloud service providers such as Amazon and virtual private network (VPN) companies to retain their customer names and IP addresses for at least five years. Even after they stop using the company's services.

The measures have raised concerns within the industry about the increased compliance burden and higher costs.

India's junior IT minister, Rajeev Chandrasekhar, said there would be no change despite concerns. He said technology companies have an obligation to know who is using their services.

India has tightened regulations on Big Tech companies in recent years, prompting resistance from industry and in some cases even tightening trade ties between New Delhi and Washington.

New Delhi says the new rules are necessary as cybersecurity incidents are reported regularly but the information needed to investigate them is not always available from service providers.

But the rule has caused widespread discontent. In closed-door meetings this week, many social media and tech company executives discussed strategies to urge New Delhi to delay the rule, according to a source with direct knowledge of the matter.

The source said European authorities require data breaches to be reported within about 72 hours. He also added that it was difficult to report incidents within six hours.

Chandrasekhar actually said India was generous, because several countries mandated reporting immediately.

The rules will take effect from the end of June. After it was announced, NordVPN, one of the largest VPN providers in the world, said it would remove its servers from India.

Privacy activists say the rules go against the idea of a VPN, which is to protect the identity of individuals such as whistleblowers from surveillance.

"If you don't want to follow these rules, and if you want to step down, frankly... you have to step down," Chandrasekhar told reporters, including Reuters.