Debangana Ghosh reports:
The Indian Computer Emergency Response Team (CERT-In) on Thursday made it mandatory for firms to report all incidents of cybersecurity vulnerabilities within six hours of noticing. Internet researchers and cybersecurity experts call it a welcome move, protecting consumers and ensuring companies become more alert to cybersecurity. However, some raise concerns over whether end consumers will benefit.
This sounds like a well-intentioned, but possibly unrealistic, mandate. Prompt notification of vulnerabilities may help hold entities accountable and increase pressure on them to detect and respond quickly, but is there also any requirement, or mandated time frame, to actually address and resolve those vulnerabilities once they have been reported?
Ghosh reports that the Internet Freedom Foundation, a non-profit I hold in high regard, “found the directions to be well-placed, especially since they expand the range of what needs to be reported.”
“Since this is applied to all government and private sector companies, this is a great policy. Even Aadhaar leaks or other data breaches related to government bodies will now have to be reported within six hours. They have also asked to maintain logs of ICT servers over a period of 180 days. In the next set of guidelines, we’ll hopefully find the mechanism of how CERT-In would report any personal data breach to consumers. The only caveat that remains is whether they will ask for more information than needed,” Rohin Garg, Policy Counsel – Regulation and Social Welfare, IFF, told BusinessLine.
Read more at TheHinduBusinessLine.