Increased Penalties for Failure to Comply with the 2022 CERT-In Directions

Posted On - 30 November, 2023 • By - King Stubb & Kasiva

The Indian Computer Emergency Response Team (“CERT-In”), the country’s primary cybersecurity regulator under the Ministry of Electronics and Information Technology (“MeitY”), released a set of directions bearing No. 20(3)/2022-CERT-In dated April 28, 2022 that, among other requirements, mandate that body corporates notify the regulator of cybersecurity breaches within six hours of knowledge of occurrence.

The penalty for non-compliance comprises a fine of up to INR 1,00,000 (one lakh) and imprisonment of up to 1 (one) year, as per Section 70B (7) of the Information Technology Act, 2000 (“IT Act”). On August 11, 2023, the Indian government introduced the Jan Vishwas (Amendment of Provisions) Bill, 2023, which raises the fine amount under Section 70B (7) of the IT Act to a maximum of INR 1,00,00,000 (Rupees One Crore only). While this proposed amendment has not yet taken effect, it aims to significantly raise the risk associated with non-compliance with the CERT-In Directions.

Although no penalties appear to have been imposed since these directions came into effect, MeitY recently addressed a notice to Apple Inc. after the company warned iPhone customers in India that their devices may have been targeted in a “state-sponsored” attack. Given the sensitivity and complexity of the issue and the security breach involving high-level officials, the ministry further reminded Apple that “such security breaches are required to be reported to CERT-In within six hours of occurrence.”

As per the procedure laid down in the CERT-In Rules 2013, if CERT-In discovers during its investigation that Apple did not comply with the 2022 directives, it will submit a report to the Director General (“DG”) of CERT-In. If the DG decides to pursue it, the report will be forwarded to a review committee comprising senior officials from the ministries of information technology, home affairs, law and justice, and telecommunications. Once the review committee agrees with the findings, it will instruct the DG of CERT-In to officially file a complaint.

Considering the seriousness of the risk associated with non-compliance, it is recommended that body corporates align with the 2022 CERT-In Directions.