1 | Page

As per section 70-B of the Information Technology Act, 2000 (the IT Act)
the Central Government has the power to appoint an agency of the
government to be called the Indian Computer Emergency Response
Team. In pursuance of the said provision, the Central Government issued
the Information Technology (The Indian Computer Emergency Response
Team and Manner of Performing Functions and Duties) Rules, 2013 (the
CERT Rules) which provide the location and method of functioning of
the Indian Computer Emergency Response Team (CERT-In). Rule 12 of the
CERT Rules gives every person, company or organisation the option to
report cyber security incidents to the CERT-In. It also places an obligation
on them to mandatorily report the following kinds of incidents as early as
possible:

Targeted scanning/probing of critical networks/systems;

Compromise of critical systems/information;

Unauthorized access of IT systems/data;

Defacement of website or intrusion into a website and unauthorized

changes such as inserting malicious code, links to external websites,
etc.;

Malicious code attacks such as spreading of

virus/worm/Trojan/botnets/spyware;

Attacks on servers such as database, mail, and DNS and network

devices such as routers;

Identity theft, spoofing and phishing attacks;

Denial of Service (DoS) and Distributed Denial of Service (DDoS)

attacks;
2 | Page

Attacks on critical infrastructure, SCADA systems and wireless

networks;

Attacks on applications such as e-governance, e-commerce, etc.

According to CERT Rules theres an obligation imposed on service

providers, intermediaries, data centres and body corporates to report
cyber incidents within a reasonable time to allow CERT-In to take
necessary action.

This mandatory obligation of reporting incidents majorly covers within its

ambit the private sector entities; however, it is notable that prima facie
the provision does not impose any obligation on government entities to
report cyber incidents unless they come under any of the expressions
service providers, data centres, intermediaries or body corporate.

This would mean that if the data kept with the Indian Navy regarding any
of their Warships in electronic form is hacked in a cyber incident, then
there is no statutory obligation under the said Rules on it to report the
incident. It is pertinent to mention here that although there is no
obligation on a government department under law to report such an
incident, such an obligation may be contained in its internal rules and
guidelines, etc. which are not readily available.

Incident Reporting under Intermediary Guidelines

Section 2(1)(w) of the IT Act defined the term intermediary in the

following manner;

intermediary with respect to any particular electronic record, means any

person who on behalf of another person receives, stores or transmits that
record or provides any service with respect to that record and includes
3 | Page

telecom service providers, network service providers, internet service

providers, web hosting service providers, search engines, online payment
sites, online-auction sites, online market places and cyber cafes.

Rule 3(9) of the Information Technology (Intermediaries Guidelines) Rules,

2011 (the Intermediary Guidelines) also imposes an obligation on any
intermediary to report any cyber incident and share information related to
cyber security incidents with the CERT-In however speedy reporting of
such incidents, especially by banks has not happened in the past. Since
neither the Intermediary Guidelines nor the Information Technology Act
specifically provide for any penalty for non-conformity with Rule 3(9)
therefore any implementation action against an intermediary for not
reporting a cyber security incident would have to be taken under section
45 of the said Act imposing a penalty of Rs. 25,000/-.

With Demonetization in picture large number of citizens have opted for

digital payments, giving rise to more such incidents in past few months
and not only payment gateways and banks are under the threat but even
social media is another target as observed recently when the Twitter
accounts of Congress vice president Rahul Gandhi's, official account of
Indian National Congress, liquor baron Vijay Mallya, journalists Barkha
Dutt were hacked by the so-called hacker group legion, and this group
also stated that some of indias popular e-wallet firms server have been
compromised and attacked at the base level.

Therefore, Ravi Shankar Prasad identified this situation as very critical and
stated in an interview that all digital payment firms have been asked to
report any unusual movement immediately to CERT, and that the ministry
of electronics and IT has started review of the IT Act keeping in mind the
current need and demand of digital payments and mobile banking which
werent prevalent 16 years ago, when the Act initially came into force.
4 | Page