Our Cybersecurity Law Expertise
The 21st century has seen a meteoric rise in the prevalence of the internet. The global move towards digitization in the last couple of years has led to a sharp increase in the cyber security risks and attacks faced by businesses. Today, cyber security threats are considered an environmental, social and governance (ESG) concern. Socially responsible businesses are taking measures to protect their systems and their customer data. The government is also taking steps to promote better cyber security practices. Noting the rise in cyber security breaches and the need for a safe internet, the Indian Computer Emergency Response Team (CERT-In) issued directions on April 28, 2022 (Directions), which supplement the existing Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules). The Directions impose strict timelines for reporting cyber security incidents and other obligations such as maintenance of computer system logs and KYC for customers of data centres, cloud service providers, etc. Subsequently, the Ministry of Electronics and Information Technology (MeitY), on May 18, 2022, issued a list of frequently asked questions (FAQs) on the Directions which provide clarifications on certain aspects of the Directions. The Directions came into force on June 27, 2022.
Nishith Desai Associates (NDA) has significant experience in providing strategic and legal advisory to clients in relation to cyber security reporting and other compliances. NDA has also led several efforts on the policy front in this space. Our cyber security team actively works with industry associations to make representations to the government to help shape the law in this space. We also frequently liaise with the government directly to discuss grey areas in the law and their impact on businesses.
Some of our original writings and thought leadership pieces focused on cyber security are below:
- India Revamps Rules On Mandatory Incident Reporting & Allied Compliances
- Cert-In Releases Faqs Explaining The Direction On Cybersecurity
- The Need For Cyber Security Due Diligence
- Reporting Cybersecurity Breaches In India - Is It Time To Overhaul The Law?
Scope of Services
Our Cybersecurity Law practice area encompasses the following areas:
Advisory on regulatory issues: NDA regularly advises across industry sectors on cyber security compliance requirements under current regulations. This includes the applicability of laws, advice on reporting obligations and compliances, and assessment of clients' complex communications technology infrastructure in order to advise on the extraterritorial applicability of Indian cyber security laws.
Policy: We actively contribute to policymaking, touching upon multiple facets of various industry stakeholders. NDA has also been part of closed-door discussions with the government and provided significant inputs pertaining to recent legal updates in the cyber security space. The team frequently liaises with industry bodies as well to make representations to the government.
Data: NDA has a dedicated team specialising in data protection laws as well as other sector-specific data regulations such as financial data, geospatial data, health data, etc. We have advised clients across industries extensively on compliance requirements, documentation with third parties as well as internal policies and procedures.
Training on cybersecurity laws: We undertake comprehensive training sessions for clients to provide end-to-end strategy for data protection, security by design, compliance with cyber security obligations and reporting obligations in the event of a cyber security incident.
Litigation: NDA has a robust Dispute Resolution Practice with members having skill and expertise to represent clients in different forums ranging from administrative bodies to the Supreme Court.
Cyber Offences and Forensics: NDA has assisted clients in filing criminal complaints pertaining to cyber related offences and liaising with the relevant cyber cells. NDA has also assisted clients in liaising with cybersecurity forensics and audit organisations for conducting internal audits and investigations.
REGULATORY AND LEGAL FRAMEWORK APPLICABLE TO THE INDUSTRY/SECTOR
CERT-In has been formed under Section 70B of the Information Technology Act, 2000 (“IT Act”). It is the national agency for performing the following functions in the area of cyber security:
- collection, analysis and dissemination of information on cyber incidents;
- forecast and alerts of cyber security incidents;
- emergency measures for handling cyber security incidents;
- coordination of cyber incidents response activities;
- issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
- such other functions relating to cyber security as may be prescribed.
The CERT-In Rules issued under Section 70B(5) of the IT Act provide for certain reporting obligations for all entities, including individuals. While cyber security incidents are required to be reported as early as possible, entities may also report vulnerabilities to CERT-In. The CERT-In Rules inter alia also require entities to appoint a person of contact and provide information as and when directed by CERT-In.
Further, the Directions issued on 28 April 2022 impose a strict timeline of 6 hours for reporting certain incidents to CERT-In and introduce several compliance requirements for different types of entities, including intermediaries, service providers, data centres, virtual private network service providers and cloud service providers, as well as other entities such as “virtual asset service providers” and “virtual asset exchange providers”. These requirements include maintenance of certain system logs, synchronisation of time across computer systems, and registering certain customer information for specific entities like cloud service providers and data centres.
Our detailed analysis on the Directions is available here, and our update on the FAQs released pertaining to the Directions is here.
Additionally, certain sector-specific compliance requirements may apply, such as requirements with respect to sensitive personal data and information. Further, entities in the financial sector, depending on the nature of the entity, may be contractually or legally required to comply with security standards established by the Reserve Bank of India. The proposed Data Protection Bill, 2021 also proposes to impose requirements on cybersecurity measures for entities.
Cybersecurity is a critical sector for entities across industries. The Government of India has emphasised the importance of good practices in cybersecurity, which have also been codified to a certain extent under existing laws.