VPN Security Rules, Deadline Extended

30 Jun 2022

News Synopsis

The Computer Emergency Response Team (CERT-In) has extended the deadline by approximately three months for compliance with its controversial rules regarding small businesses and virtual private network (VPN) service providers within India.

The extension comes after several VPN providers pulled their servers out of the country, and it follows consultations with the sector, where many requested more time after being given a notice under Section 70B (IT Act) on 28 April. The original plan was for the rules to take effect on 28 June. That deadline has been extended to 25 Sept.

"The Ministry of Electronics and Information Technology (MeitY) and CERT-In have received requests to extend the timelines for the implementation of these Cyber Security Directives of 28 April, 2022 in relation to Micro, Small and Medium Enterprises (MSMEs)," the ministry stated in a Tuesday notice. "Further, additional time has been sought for implementation of a mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers," it added.

In its talks with the ministry, the MSME sector had requested an extension of 300 days, starting on 28 June, for compliance purposes. Industry experts believe the decision is positive news for incumbents.

Raj Sivaraju, President, Asia-Pacific at Arete, a cyber-incident response company, stated that the extension gives businesses "reasonable" time for capacity building. He said that he believes it was a welcome step towards better preparation for faster recovery, easier reporting, post-incident investigation, and a continuous approach to managing risks.

Amit Jaju, senior managing director at Ankura Consulting Group, stated that the extension will give companies more time to implement the necessary processes and technologies. The reconfiguration of time servers shouldn't take more than a week on all centrally connected machines. Jaju stated that to appoint a point of contact (POC), companies will need to supplement the role played by an internal person, which can be done quickly.

The new rules were widely criticized. They required VPN service providers to store user data and keep logs of users' usage. Providers were required to keep records of subscriber names, email addresses, usage patterns, IP addresses, and validated emails for five years. VPN companies claimed that this was a violation of privacy because the data they were asked to maintain contained personally identifiable information.