- Most VPN providers offer a “no logs policy.”
- The new guidelines will take effect at the end of June.
As a result of the new rules, VPN service providers and crypto exchanges in India would be required to gather and preserve extensive data on their clients for five years. Furthermore, to organize response actions and emergency measures concerning cyber security events, the Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology has released a new set of instructions.
Reaction to Cyber Events
In addition to VPN providers and crypto exchanges, data centers and Virtual Private Server (VPS) providers will also be obliged to keep client data under the directives. As a result, for the first time, organizations in these areas will be forced to keep track of their customers’ names, ownership patterns, and contact information.
According to the new directive from CERT-In, the government agency would be required to react to all types of cyber events within six hours. However, the scope of data CERT-In requires enterprises to preserve and release upon request is uncommon, even if the directive is well-intentioned.
Data breaches, phoney applications, server infrastructure assaults, and even illegal access to a user’s social media accounts must be reported to CERT-In. A year in jail is possible for organizations that fail to disclose the requested information under Section 70B(7) of the IT Act.
Additionally, most VPN providers offer a “no logs policy,” or, at the absolute least, preserve user data for only a short period. As a result, several VPN providers and other IT firms may no longer be able to function in India under CERT-In’s new directives. Unless the compliance window is extended, the new guidelines will take effect at the end of June.