Government cyber rules risk creating ‘environment of fear’: trade body IAMAI
India’s cybersecurity rules due to come into effect later this month will create an ‘environment of fear rather than trust’, the government has warned a body representing tech companies, calling for a one-year delay before the rules come into effect.
The Internet and Mobile Association of India (IAMAI), which represents companies such as Facebook, Google and Reliance, wrote to India’s IT ministry this week criticizing a cybersecurity directive issued in April.
Among other changes, India’s Computer Emergency Response Team (CERT) directive requires technology companies to report data breaches within six hours of noticing such incidents and to retain computer logs and communications for six months.
In the letter seen by Reuters, IAMAI offered to extend the six-hour window, noting that the global standard for reporting cybersecurity incidents is generally 72 hours.
CERT, which falls under the Department of IT, has also asked cloud service providers such as Amazon and virtual private network (VPN) companies to retain customer names and IP addresses for at least five years. , even after you stop using the company’s services.
The cost of adhering to these guidelines could be “enormous”, and the proposed penalties for violation, including prison, would lead “entities to cease operations in India for fear of making a mistake”, the IAMAI letter said.
On Thursday, VPN service provider ExpressVPN pulled its servers from India, saying it “refuses to participate in the Indian government’s attempts to limit internet freedom.”
IAMAI’s letter follows one from 11 prominent tech-aligned industry associations earlier this week, which said the new requirements made it difficult to do business in India.
India has tightened regulations on big tech companies in recent years, causing an industry pushback and, in some cases, even strained trade relations between New Delhi and Washington.
New Delhi said the new rules were necessary because cybersecurity incidents were reported regularly, but the information required to investigate them was not always readily available from service providers.