CURRENT MONTH (May 2022)
India’s Latest Cybersecurity Directions Burden Businesses Far and Wide
By Lakshmi Gopal, Muciri Law, PLLC
On April 28, 2022, the Indian Ministry of Electronics and Information Technology’s (MeitY) Computer Emergency Response Team (CERT-In) issued new Directions related to ongoing augmentation of India’s cybersecurity regime. The 2022 Directions will come into effect in June, sixty days after their issuance, and will extend to entities merely offering services to users located in India. Noncompliance with the Directions is punishable with imprisonment extending to one year, a fine of one hundred thousand rupees (approximately 1,250 USD), or both. The Directions have been met with strong resistance from the business community, with companies threatening to pull out of India because the Directions violate fundamental principles of rule of law.
Faced with industry demand for adherence to rule of law principles, in May, CERT-In issued Clarifications. Though these lack legal effect, they have softened the impact of the Directions on business, including by stating that punitive powers “will be exercised reasonably and on occasions when the non-compliance is deliberate.” At the same time, the Clarifications confirm the troubling scope of the Directions and inadequately address their effect on privacy rights and on ease of doing business for small businesses.
As of now, the 2022 Directions contain five major obligations. First, the Directions require a broad list of covered entities to report certain kinds of cyber incidents to CERT-In within six hours of noticing them. Building on CERT-In’s 2013 Rules, Annexure I of the 2022 Directions adds twenty new kinds of cyber incidents that mandate reporting within six hours, including data breaches, data leaks, and unauthorized access to social media accounts. The Clarifications list additional criteria that would trigger reporting of incidents within the stipulated six-hour time and state that entities should additionally report incidents not specifically listed in the Rules or Directions, after considering “their nature, severity and impact.”
Second, the Directions require covered entities to maintain logs of all their Information Communications and Technology (ICT) systems for a rolling period of 180 days (six months). Such logs are to accompany each mandatory cyber incident report and must be produced as otherwise required by CERT-In. Further, covered entities must provide CERT-In “any such assistance,” “which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness.” Finally, entities, including those which merely offer services to the users in India, must maintain a “Point of Contact” as liaison to CERT-In for all “such purposes.”
Third, covered entities are required to synchronize their system clocks with one of the two authorized Indian national time servers. Notably, the Directions permit covered entities with ICT infrastructure “spanning multiple geographies” to use other “accurate and standard time source[s],” while holding them liable to ensure no deviation from either of the two authorized sources. According to the Clarifications, business customers in cloud environments may either use the native time service offered by the cloud provider to synchronize their clocks or set up their own NTP server within their cloud environment.
While the Directions list these first three obligations as belonging to “service providers, intermediaries, data centres[sic], body corporate and Government organisations[sic],” the Clarifications state that the Directions apply to “all entities in so far as reporting of a cyber incident is concerned” and to “any entity only in the matter of cyber incidents and cyber security incidents.” According to the Clarifications, reporting obligations cannot be shared or transferred and extend to even those entities that merely offer their services to users in India.
Fourth, the Directions require data centers, virtual private server (VPS) providers, cloud service providers, and virtual private network (VPN) service providers to register “accurate” private information about any and all of their users, to be maintained for a minimum of five years after cancellation or withdrawal of registration. Private information to be maintained by such providers includes validated names and contact details, duration and patterns of use of services, any IPs allotted or used, and the user’s purpose for accessing the services. Commentators have argued that such obligations effectively end anonymity in online speech, undermining the freedom of speech of individuals and businesses alike. The Clarifications state that the Directions do not cover enterprise/corporate VPNs and that under the Directions, VPNs are defined as providing “Internet proxy like services” through the use of VPN technologies to general Internet subscribers/users.
Fifth, the Directions impose upon “virtual asset service providers, virtual asset exchange providers and custodian wallet providers” the same “know-your-customer” obligations imposed on companies regulated by India’s financial sector regulators.
Future developments remain difficult to predict, as the international business community and Indian civil society continue to seek redress against the staggering breadth and impact of the Directions in an increasingly surveillance-oriented regulatory environment and as the Government continues to aggressively defend its current approach to cyber security. With increasing risk for minorities and dissenters in India, businesses owned by minorities and those advancing opinions out of favor with the current regime should exercise particular caution when operating in India.
Twitter’s Deceptive Use of Customer Account Security Data Results in $150 Million Fine Plus Additional Restrictions
By Alan S. Wernick, Esq., Aronberg Goldgehn
On May 25, 2022, Twitter, Inc., agreed to settle with the Federal Trade Commission in a Joint Motion For Entry Of Stipulated Order, filed in the U.S. District Court for the Northern District of California. Twitter’s problems arose from allegedly deceptive use of account security data for targeting advertising: Twitter asked users to provide their phone numbers and e-mail addresses in order to protect the user’s account, and then Twitter profited by allowing advertisers to use this data to target specific users.
In addition to agreeing to pay a $150 million fine, Twitter also agreed to:
- Prohibitions against Twitter misrepresenting its data collection purposes and practices.
- Limitations on Twitter’s use of phone numbers or e-mail addresses specifically provided by users to Twitter to enable account security features.
- Requirement of notices to consumers concerning “Twitter’s Use of Your Personal Information for Tailored Advertising,” alerting them that Twitter misused phone numbers and e-mail addresses collected for account security to also target ads to the consumers, and also providing information about Twitter’s privacy and security controls.
- Requirement that multi-factor authentication options be made available to access the customer’s Twitter account.
- Requirement that Twitter maintain a comprehensive privacy and information security program that protects the privacy, security, confidentiality, and integrity of certain customer personal information.
- Twenty years of oversight by the FTC.
The bottom line is this FTC Stipulated Order should serve as a caution to businesses: (1) be crystal clear about the purposes for which they are requesting consumer information; (2) only collect such information consistent with applicable privacy laws; and (3) have strong internal compliance controls in place to ensure that the use of that information is limited to those lawful purposes.
© 2022 Alan S. Wernick and Aronberg Goldgehn.
Council of Insurance Agents & Brokers’ Commercial Property/Casualty Market Index Q4/2021 – Cyber Insurance Premiums Increase 34.3%
By Alan S. Wernick, Esq., Aronberg Goldgehn
The Council of Insurance Agents & Brokers’ Commercial Property/Casualty Market Index Q4/2021, released March 4, 2022, reported an average premium increase in 2021 Q4 of 34.3% for cyber insurance. According to the Council’s report, this is the first time the line has seen an increase of this magnitude since 9/11. Among other things this report also mentioned that respondents to the Council’s survey noted an increased frequency and severity in cyber claims and posited that the difficulty in quantifying cyber risks contributed to the significant increases in premiums. Furthermore, respondents commented on stricter underwriting requirements for cyber risks, and some noted that “carriers wouldn’t ‘entertain new business or renewal applications without MFA [multifactor authentication] in place’ and, depending on the account, would require other risk mitigation practices, such as ‘EDR [endpoint detection and response], adequate backups and segmentation, or employee phishing training.’”
The Council of Insurance Agents & Brokers’ Commercial Property/Casualty Market Index Q4/2021 is available at https://www.ciab.com/download/33125/.
© 2022 Alan S. Wernick and Aronberg Goldgehn.
Microsoft and Insurance Broker Marsh McLennan Release Report “The State of Cyber Resilience”
By Alan S. Wernick, Esq., Aronberg Goldgehn
Microsoft and insurance broker Marsh McLennan released on May 26, 2022, a report titled “The State of Cyber Resilience.” The report contains a number of informative comments concerning cyber risks and cyber resilience drawn from a 2022 Marsh and Microsoft Cyber Risk Survey.
On the topic of cyber insurance, the report mentions several conclusions drawn from their survey including:
- 61% of the respondents said their company buys some type of cyber insurance coverage.
- Nearly one-fourth of the organizations responding to the survey said their spending on cyber insurance will rise by 25% or higher in 2022.
- Cyber insurance providers are requiring insureds to adopt certain cyber risk controls, but many of the respondents struggled to adopt best practices for cyber risk controls.
“The State of Cyber Resilience” report is available at https://www.marsh.com/us/services/cyber-risk/insights/the-state-of-cyber-resilience.html.
© 2022 Alan S. Wernick and Aronberg Goldgehn.