Technology Law Analysis
July 21, 2023

Cybersecurity guidelines for Government – How are private entities affected?

The Indian Computer Emergency Response Team (“CERT-In”) and Ministry of Electronics and Information Technology (“MeitY”) have issued detailed Guidelines on Information Security Practices for Government Entities (“Guidelines”)[1] in furtherance of the objective of creating a safe and trusted internet. This follows the broader directions on cybersecurity which were issued by CERT-In in April 2022 (“Directions”)[2] (applicable to all service providers, intermediaries, data centres, body corporate and Government organisations), and the CERT-In Rules from 2013.[3] Notably, the Guidelines are only applicable to Central government organisations and their associated organisations, including all Ministries, Departments, Secretariats and Offices[4], their attached and subordinate offices, all government institutions, public sector enterprises and other government agencies under their administrative purview (“Government Entities”). Wide-ranging guidelines have been prescribed for Government Entities, ranging from measures to be taken for network and infrastructure security, identity and access management, securing cloud services, and user awareness and training.

IMPACT ON PRIVATE PARTIES WHILE CONTRACTING WITH GOVERNMENT ENTITIES

While the Guidelines apply primarily to Government Entities, they can have a considerable, although indirect, impact on private entities which contract with any Government Entities. The section on third party access and outsourcing is especially noteworthy. The key guidelines under this section are as follows:
Notably, the Guidelines require that in case of violation of the above obligations, the Government Entity should terminate the contract with the service provider, and the service provider would separately be liable under any laws which apply to such violation.

KEY TAKEAWAYS

In light of the increase in cybersecurity attacks and incidents in the past few years, it is imperative that all organisations, whether a Government Entity or not, enhance their cybersecurity infrastructure and processes. The Guidelines in effect make many compliances indirectly applicable to private entities, by virtue of their contracts with Government Entities. Organisations which typically contract with such entities, or intend to contract with the Government in the future, would need to closely assess these Guidelines and take the necessary steps towards implementation. Such measures would include not only network and infrastructural ones, but also internal policy measures with respect to data access and responsibilities.

On the flip side, given that Government Entities will have the right to ask for and access extensive data of their vendors, the agreements should also contain adequate obligations for the Government Entity to protect such data. Hence, the obligations towards data protection and cybersecurity would need to be mutually imposed and enforced, although it may be argued that the Government Entity would anyway be subject to such obligations by virtue of the Guidelines.

Provisions such as the right to terminate in case of a cybersecurity incident are quite radical, and will affect contractual negotiations with Government Entities significantly. Private service providers would need to consider how best to protect their interests, e.g. by negotiating clauses such that termination is permitted only in case of negligence in implementing security procedures.

Additionally, other measures to be taken by Government Entities may also have an impact on the obligations of service providers. For example, the Guidelines restrict connections with third parties through ports, services, protocols, etc., and also require monitoring of all traffic to and from third party networks and systems. Hence, it is advisable for private entities to take stock of potential obligations which may be imposed on them as a result of these Guidelines and take steps towards preparation.
You can direct your queries or comments to the authors.

[1] Available at: https://www.cert-in.org.in/PDF/guidelinesgovtentities.pdf (Last visited on July 21, 2023).
[2] Available at: https://www.cert-in.org.in/Directions70B.jsp (Last visited on July 21, 2023). Our analysis of the Directions is available at: https://www.dataguidance.com/opinion/india-stricter-cybersecurity-norms-and-reporting.
[3] I.e., the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.
[4] As specified in the First Schedule to the Government of India (Allocation of Business) Rules, 1961.

Disclaimer: The contents of this hotline should not be construed as legal opinion.