Tech firms criticise India’s new IT rules
INDIAN cybersecurity rules due to come into force later this month will create an “environment of fear rather than trust”, a body representing top tech companies has warned.
The Internet and Mobile Association of India (IAMAI), which represents firms including Facebook, Google and Reliance, wrote last week to India’s IT ministry criticising a directive on cybersecurity set out in April.
Among other changes, the directive from the Indian Computer Emergency Response Team (CERT) requires tech companies
to report data breaches within six hours of noticing such incidents and to maintain IT and communications logs for six months.
In the letter, IAMAI proposed extending the six-hour window, noting the global standard for reporting cyber-security incidents is generally 72 hours.
CERT, which comes under the IT ministry, has also asked cloud service providers such as Amazon and virtual private network (VPN) companies to retain names of their customers and IP addresses for at least five years, even after they stop using the company’s services.
Last Thursday (2), service provider ExpressVPN removed its servers from India, saying it “refuses to participate in the Indian government’s attempts to limit internet freedom”.
IAMAI’s letter follows one from 11 significant tech-aligned industry associations earlier this week, which said the new requirements made it difficult to do business in India.
New Delhi has said the new rules were needed as cybersecurity incidents were reported regularly but the information needed to investigate them was not always readily available from service providers.