Government Postpones Compliance Deadline for VPN Providers to Store 295s4w Share Data to September 25

VPN service providers have been told to collect and store information for five years or longer. 5l1k3z

By Sourabh Kulesh | Updated: 28 June 2022 12:43 IST

Government Postpones Compliance Deadline for VPN Providers to Store, Share Data to September 25

Photo Credit: Unsplash/ Petter Lagson i1730

The cybersecurity directives were to come into effect on June 28

Highlights

The first directive was issued on April 28
Time for generating capacity building for implementation sought
Non-compliance with the order may invite "punitive action"

ment

The Indian Computer Emergency Response Team (CERT-In) appointed by the Ministry of Electronics and Information Technology has extended the implementation date of its April 28 order in which it asked virtual private network (VPN) providers to and preserve information for at least five years. Additionally, the compliance deadline for all government and private agencies to mandatorily report cybersecurity breach incidents to it within six hours of noticing them has also been pushed forward. The order, which was to come into force on June 28, will now become effective on September 25, 2022.

In a Cyber Security Directions of April 28, 2022 issued under sub-section (6) of section 70B of the Information Technology Act, 2000.

Data centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers sought more time for validation of subscribers/customers. MSMEs sought more time for generating capacity building required for implementation of the cybersecurity directions. As mentioned, the compliance date for both these cybersecurity directives has been postponed to September 25, 2022.

VPN Providers Say 'No' to Share Data Under Government's Directive

In the directive issued in April, VPN service providers — alongside data centres, virtual private server (VPS) providers, and cloud service providers — were ordered to and maintain accurate information of their services for five years or longer “as mandated by the law after any cancellation or the registration as the case may be”.

The information mentioned includes “the valid names of subscribers, period of subscribing to the service, IPs allotted to and being used, email address and IP address as well as accurate time recorded during the registration, purpose of subscribing, validated address and numbers, and ownership pattern of the subscribers g into the service.”

Furthermore, it was also directed that the service providers will have to present the information as called for by CERT-In — failing of which (or non-compliance with the order) may invite "punitive action" under sub-section (7) of the section 70B of the IT Act, 2000 and other laws as applicable.

CERT-In had also asked all government and private agencies, including Internet service providers, social media platforms, and data centres, to mandatorily report cybersecurity breach incidents to it within six hours of noticing them.

Is Poco F4 5G a new best-of contender under Rs. 30,000? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

links may be automatically generated - see our ethics statement for details.

Comments

For the latest reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.