The data protection rules will require firms to report a breach within six hours of discovery
Indian cyber security rules, which will come into place later this month, have been criticised by technology industry body, the Internet and Mobile Association of India (IAMAI).
IAMAI, which represents organisations including Google and Facebook, warns the new rules will create an “environment of fear rather than trust” and has called for a one-year delay before they take effect, according to a letter written to the IT Ministry and seen by Reuters.
Among other changes, the directive from the Indian Computer Emergency Response Team (CERT) will require tech companies to report data intrusions within six hours of noticing and to maintain IT and communications logs for six months following a breach.
IAMAI has proposed extending the six-hour window, noting the global standard for reporting cyber-security incidents is generally 72 hours.
The cost of complying with such directives could be “massive”, and proposed penalties for violation - including prison - would lead to “entities ceasing operations in India for fear of running afoul,” the IAMAI letter said.