MeitY orders VPN companies to collect and store user data for at least 5 years


The Ministry of Electronics and Information Technology (MeitY) has ordered virtual private network (VPN) companies to collect and store user data for five years or longer. The order was announced in a bid to coordinate response activities and emergency measures concerning cyber security incidents. VPN companies will have to record the user’s home address, IP address and usage patterns.
MeitY has given companies 60 days to make appropriate arrangements for securely storing user data. The new laws will come into effect starting July 27. If a company fails to adhere to the new laws, the concerned officials will be imprisoned for up to a year.

MeitY’s new order also states that companies will continue to store and maintain a user’s records even after the user has deactivated their account or cancelled the subscription. The Indian Computer Emergency Response Team (CERT-In) has also asked data centres and crypto exchanges to follow the new order passed earlier this month.

Companies are also expected to maintain Know Your Customer (KYC) information and records of financial transactions for a period of five years. This is to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.

Service providers, intermediaries and data centres are also ordered to report any type of cyber security incident to CERT-In. The government agency has listed 20 such vulnerabilities that need to be reported. These include targeted scanning or probing of critical networks/systems, compromise of critical systems or information, and unauthorised access of IT systems or data. Other vulnerabilities that MeitY wants service providers to report are as follows.

Defacement of websites or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
Malicious code attacks such as the spreading of viruses/worms/Trojan/Bots/Spyware/Ransomware/Crypto miners.
Attack on servers such as databases, mail and DNS, and network devices such as routers.
Identity Theft, spoofing and phishing attacks
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
Attacks on Critical Infrastructure, SCADA and operational technology systems and Wireless networks.
Attacks on Applications such as E-Governance, E-Commerce etc.
Data Breach
Data Leak
Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
Attacks or incidents affecting digital payment systems
Attacks through Malicious mobile Apps
Fake mobile apps
Unauthorised access to social media accounts
Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications
Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, drones.
Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning.
