New Indian Directive on Cybersecurity Incident reporting with Stephen Mathias from Kochhar & Co.

Privacy espresso series, June 9, 2022

In this PrivacyEspresso, our Indian expert Stephen Mathias, Senior Partner at the Indian law firm Kochhar, head of the firm’s Bangalore office and co-chair of the Technology Law Practice, provides us with a concise but insightful overview of the recently added data breach requirements in India.

During the session, Stephen stressed the potential reasons behind creating a new set of rules.

First, the previous rules were quite vague about whether and when a reporting duty was present. Secondly, the definition of data breaches was too broad. These uncertainties led to a very low number of reported cases, and that’s why the Indian Computer Emergency Response Team (ICERT) decided to create new provisions in this regard.

The new set of rules brings some very relevant changes, but also raises some issues:

1. The time to make a data breach report to the authority has been reduced to just six hours, a timeframe that seems barely possible to meet.

2. Additionally, the new rules identify a long list of types of attacks to be reported. Still, it is worth noting that companies face many of these attacks almost daily, which makes the requirement cumbersome.

3. Another vital requirement is that systems maintain logs. However, the law does not specify the types of logs, which makes it extremely difficult to comply with, as there are many different logs.

According to Stephen, these requirements are not only focused on data protection but also on combating tax evasion and money laundering. However, the feasibility of such a strict set of rules is yet to be demonstrated.

Learn more about this complex topic by taking a #coffeebreak with Stephen and us; enjoy your #privacyespresso with us today!