Any organisation that is affected by ransomware must make disclosure under the provisions of the Information Technology Act, 2000, and must report the incident to the Indian Computer Emergency Response Team (CERT-In).
The Wannacry ransomware attack last week has brought the world to its knees. According to news reports, India is the third worst-affected nation. Though there is no word yet on the exact extent of the attack and no major bank or IT company has reported such incidents, the ransomware attacks are indeed a cause for worry. Amidst the panic, a question that emerges is: Did our cyber/information technology laws anticipate something like this, and did they provide some recourse or identify steps that ought to be followed?
Any organisation that is affected by the ransomware must make disclosures under the provisions of the Information Technology Act, 2000. The IT Act provides for: (i) The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties Rules, 2013 (CERT RulesÂ); and (ii) National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties Rules, 2013 (NCIIPC RulesÂ) that deals with disclosure of such events and mitigation thereafter.
The CERT Rules provide that in case of the following, wherein cyber security is threatened, an individual, a company or an organisation must report the incident to the Indian Computer Emergency Response Team (CERT-InÂ):
In other words, if your organisation experienced the ransomware attack where your systems were compromised, you need to report to CERT-In. Please also note that this reporting requirement is not limited to companies/organisation. If you are an individual and were forced to shell out some Bitcoins, you probably need to report as well. Besides cyber incidents, cases of vulnerability, that is existence of flaw in the computer system that can have adverse effect or result in different functioning of such computer system, may also be reported to CERT-In.
Notwithstanding the reporting requirement, the dilemma is real. If your systems did get compromised, should you come out and talk about it and risk data breach allegations or should you just stay quiet, pay the ransom and move on? Imagine a big private bank or the heath-tech company disclosing that its systems were compromised. Even though they did the right thing by making a disclosure, their customs would fear loss of their personal sensitive data. With reputation at stake, will such companies ever want to disclose a cyber attack?
This is where awareness is important. By making the right disclosures, companies will not expose their vulnerability but, instead, allow the attack to be addressed by experts. For instance, CERT-In is required to exchange relevant information relating to the cyber incidents and vulnerabilities with NCIIPC, and work for the mitigation of such attack. NCIIPC, on the other hand, has an incident response team for addressing such incidents. In addition, NCIIPC directly deals with any harm to Critical Information Infrastructure (CII), that is destruction or harm to a computer system that adversely impacts national security, economy, public health or safety. Any harm to CII that may be caused owing to the ransomware attack can be reported directly to NCIIPC in the prescribed forms.
In other words, if such attacks are reported in a timely manner, not only will organisations be in compliance with laws but also ensure that the attack does not culminate into a national security concern. So, if you are yet to pay the Bitcoins stop and reach out to NCIIPC at the earliest.
CERT Rules require cyber incidents to be reported within a reasonable time of occurrence. In our view, this should be at the earliest possible so that you can minimise your risks. Further, there is no time limit for reporting vulnerabilities by CERT-In. NCIIPC, on the other hand, requires incidents relating to CII to be reported at the earliest.
CERT-In and NCIIPC have incident reporting help desk that operates 24 hours a day and seven days a week. Both entities provide for their respective Cyber Incident Form and Vulnerability Form to report such incidents. The form can be sent by post to CERT-In at Electronics Niketan, CGO Complex, New Delhi - 110003 or emailed at firstname.lastname@example.org. The NCIIPC vulnerability and incident reporting form can be emailed at email@example.com.
In case any person fails to furnish information as required by CERT or NCIIPC, they will be liable for a fine of up to Rs 5,000 for everyday of default under Section 44(b) of the IT Act. In addition, in the event CERT-in calls for information and the concerned person refuses to furnish it, such a person can be punishable with up to one year of imprisonment and/ or a fine of up to Rs 1,00,000.
In case you are still wondering if you need to take any steps even though you had a firsthand experience with Wannacry, reach out to your lawyer and take advice. While there aren't precedents of the government imposing penalties for not complying with the aforementioned reporting requirements, you certainly would not want to be the first!
The NCIIPC's latest report on the ransomware Wannacry can be found at: http://nciipc.gov.in/documents/ransomware_report.pdf
They key forms to report to the NCIIPS and CERT-In can be found here:
(i)Security Incident Reporting http://www.cert-in.org.in/PDF/certinirform.pdf
(ii)Vulnerability Reporting Form http://www.cert-in.org.in/PDF/Vul_Report.pdf
(i)Incident Reporting http://nciipc.gov.in/documents/Incidence_Report.pdf
(ii)Vulnerability Disclosure http://nciipc.gov.in/documents/Vulnerability_Disclosure.pdf
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)