Cyber Attacks

India’s Information Technology Act, 2000 (the “IT Act”) provides a legal framework to address issues relating to hacking and security breaches of information technology infrastructure. Under the IT Act, the Indian government has constituted the “Indian Computer Emergency Response Team” (the “CERT-IN”) as the national nodal agency for cyber security.

In January 2014, the Indian government enacted a specific law to deal with incidents of cyber breaches. These rules are called the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “CERT-IN Rules”) and prescribe the functions and responsibilities of CERT-IN, the procedure for reporting an incident of cyber breach, response and information dissemination, etc. Further, the government has established sectoral CERTs for various sectors including defence and finance.

The CERT-IN Rules impose a mandatory requirement on service providers, intermediaries, data centres and body corporates (handling sensitive personal information) to report all cyber security incidents to CERT-IN “as early as possible”.

All other individuals, organizations or corporate entities have the option to report the cyber breach incidents to CERT-IN.

Notwithstanding the foregoing, all entities must mandatorily report the cyber security incidents specified in the CERT-IN Rules to CERT-IN at the earliest. These cyber security incidents are:

  • targeted scanning/probing of critical networks/systems;
  • compromise of critical systems / information;
  • unauthorized access of IT systems/data;
  • defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.;
  • malicious code attacks such as spreading of virus/worm/trojan/botnets/spyware;
  • attacks on servers such as database, mail and DNS, and network devices such as routers;
  • identity theft, spoofing and phishing attacks;
  • denial of service (DoS) and Distributed Denial of Service (DDoS) attacks;
  • attacks on critical infrastructure, SCADA Systems and wireless networks;
  • attacks on applications such as e-governance, e-commerce, etc.

For critical infrastructure, the Central Government has set up a National Critical Information Infrastructure Protection Centre (NCIIPC) under the National Technical Research Organisation as a nodal agency, primarily to protect critical information infrastructure in India.

The Indian Government has also enacted the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013 (the “NCIIPC Rules”) which prescribe the functions and responsibilities of NCIIPC and the procedures.

It is mandatory that the nodal officers of each critical sector report the cyber breach incident to NCIIPC without any delay. NCIIPC has the power to initiate measures such as interception, monitoring, decrypting or blocking of cyber information to protect the critical information infrastructure. As regards the timeline for reporting a cyber breach incident, the NCIIPC Rules do not have a specific provision.

However, as of now, there is no publicly available information on the practical enforceability of these provisions and any penalties imposed by CERT-IN or NCIIPC for contravention.

We provide extensive support to our clients to create watertight documentation to minimize liability in the event of cyber-attacks. We also assist clients in drafting legal complaints and reports of cyber-attacks to be filed with the concerned authorities, preparing responses, and attending meetings and hearings, and we assist with complete compliance under Indian law for cyber-attack incidents.