CERT-In Directions dated 28 April 2022

The Directions issued by CERT-In on April 28, 2022, are aimed at ensuring better cyber security measures in India and focus on the collection and storage of users’ sensitive information. As per the directions issued, VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns, and other forms of personally identifiable information. Let’s discuss the directions in detail:

Firstly, as per the directive, VPN companies are mandatorily required to collect and validate customer names, physical addresses, email addresses, and phone numbers. Along with that, they are required to provide the reason each customer is using such a service, the dates they use it, and their “ownership pattern.” They are also required to provide the IP address and email address used by a customer to register for the service, along with a registration timestamp. Lastly, they must provide all IP addresses issued to a customer and a list of IP addresses being used by their customer base generally.

Secondly, the directives by CERT-In will have a wide impact on almost every stakeholder involved in the use of the internet, as they are applicable to all service providers, intermediaries, data centers, bodies corporate and Government organizations. Furthermore, any non-compliance with these directions could lead to imprisonment of up to a year as a punishment.

CERT-In was set up as a body under the Ministry of Electronics and Information Technology (“MeitY”) to address rising cyber security concerns. Moreover, some form of monitoring of users’ information was necessary in order to combat rising cyber harms. The latest directives give CERT-In the power to store and use such sensitive information of users; they also mandate that virtual asset service providers must have mandatory KYC and submit their financial transactions report to CERT-In.

It must be noted that the Centre will use all the legal and security safeguards, along with proper administrative channels, to access the information mandated under the present directives. A detailed analysis of the said directions will follow in the next post. Stay tuned!
