Government rolls out standards to request user information from telecom companies for cyber security | India News – Times of India

New Delhi: In a major decision, the government has announced new rules Telecom Act that creates an obligation mobile operators to offer user traffic data – other than the content of messages – to Center to ensure cybersecurity, in addition to the provision that companies report a breach within six hours of an incident. The government will also have the power to analyze and transmit such data to any agency engaged in law enforcement and security related activities.
The government has also directed mobile phone sellers to compulsorily register the International Mobile Equipment Identity (IMEI) number of devices – made in India or imported here – before selling them. The Centre, or a body authorized by the Centre, may, for the purpose of protecting and ensuring the cyber security of telecoms, traffic data and other data, other than the content of messages, from a telecommunications entity, in the form and in the manner desired. specified” by Centre, the notification issued said.
The rules also provide that the government may maintain a register of persons and telecommunications identifiers on whom action has been taken in accordance with the orders “and may direct telecommunications entitiesto prohibit or restrict access to telecommunications services by such persons for a period not exceeding three years from the date of such order. data from designated points to enable its processing and storage.
A telecommunications entity means any person who provides telecom services, or establishes, operates, maintains or expands a telecom network, including an authorized entity that holds a license. The new law replaces the prevention of tampering rules for mobile device identification numbers and will be called ‘Telecommunications (Telecom Cyber ​​​​Security) Rules’.
The statute states that the data collected “may be analyzed for the purpose of taking measures to improve the cybersecurity of telecom, and such analysis may, to the extent determined by the Center as necessary for protecting and ensuring the cybersecurity of telecom, be disseminated under any government agency engaged in law enforcement and security-related activities”. They may also be shared with telecommunications entities or users, provided that the data so disseminated or shared may not be used for any purpose other than to ensure the cyber security of telecommunications.
The new law also requires a telecommunications entity to appoint a chief telecommunications security officer, whose details must be provided to the government in writing.
With regard to reporting the incidents, the law states that the telecommunications entity must notify the central government within six hours of becoming aware of a security incident affecting its network or service. The government will notify a digital implementation portal of the rules and may specify any other implementation mechanism.