VPN, Cloud Providers To Start Providing Extensive User Data To Govt Under New Guidelines In 60 Days: Report
The government of India is asking Virtual Private Network (VPN) or cloud services providers in India to collect and maintain “extensive and accurate” data of their customers for five years under the new cybersecurity policy from the Ministry of Electronics and Information Technology, a report in Hindustan Times has said.
The report says that the new directives have come from India’s Computer Emergency Response Team (CERT-In). The new guidelines are set to affect how VPN services are offered and used in the country. “The failure to furnish the information or non-compliance with the directions may invite punitive action,” the order was quoted in the HT report. It also said that the order is dated April 28 and will come into effect within 60 days, meaning it will come into effect starting June-end.
The order states that all cloud service providers and VPN providers will be required to maintain extensive customer information database for at least five years. The data these VPN and cloud services providers are expected to collect include validated names, addresses, and contact numbers of customers. Further, they have to maintain period of subscription, email address, and IPs being used and purpose for using services, and other details.
The rules will also apply to data centers, and VPN providers. The companies will have to maintain all customer information for five years or longer, even after “any cancellation or withdrawal of services.”
“With respect to transaction records, accurate information shall be maintained in such a way that individual transaction can be reconstructed along with the relevant elements comprising of, but not limited to, information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred,” the order further said.
Under the new policy, the government has asked VPN and cloud providers to mandatorily report any breaches, leaks or outages within six hours of them being flagged.