The government has urged the Indian Computer Emergency Response Team (CERT-In) to direct virtual private network (VPN) service providers, cloud service providers and virtual private service providers to store user data for five years. It has been taken up after industry-wide discussions. In addition, guidance is needed to stop financial fraud that is currently happening in the digital world.
According to sources, it is difficult to track criminals involved in online financial fraud because most of them use VPN. When VPN providers begin storing users’ data, it can be used by law enforcement agencies to track a fraudster. “Information will be sought from VPN providers only when law enforcement needs details. Otherwise, they only need to save the data at their end. We don’t want all user data, “said Meity, a source in the Ministry of Electronics and IT.
In addition to protecting user data, CERT-In requires all government and non-government agencies, intermediaries, and data centers to report cyber security breaches within six hours of being notified. “All service providers, intermediaries, data centers, body corporates and government agencies will compulsorily activate logs of all their ICT systems and maintain them safely for 180 days rolling period and maintain it within Indian jurisdiction. These should be provided to CERT-In as soon as any incident is reported or instructed, “CERT-In said in its April 28 directive. These guidelines will take effect after 60 days.
The CERT-In acts as the national agency for performing various functions in the field of cyber security in the country in accordance with the provisions of Section 70B of the Information Technology Act, 2000. CERT-In calls for information from service providers, intermediaries, data centers and body corporates to coordinate response activities, as well as emergency measures related to cyber security incidents.
When handling cyber incidents, CERT-In has identified specific gaps that hinder incident analysis. To address the identified gaps, CERT-In has issued these guidelines under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000.