According to the new governing law, a company that fails to meet the Ministry of Electronics and IT’s demands could face imprisonment of up to one year. The laws will come into effect 60 days after being issued, i.e., from July 27th onwards. The companies will keep tracking and maintaining user records even after the user has cancelled their subscription or deactivated their account.
Most VPNs these days offer a no-logging policy and full privacy to the customer by not collecting or sharing the user’s data, as they operate on RAM-only servers, meaning the data is stored only temporarily. If the order takes effect, the companies will have to switch to storage servers, which will increase the cost of operating the service.
CERT-In requires companies to report a total of twenty vulnerabilities, including “Unauthorized access to social media accounts,” which vary in their impact on a company’s services and in their consequences. Here’s the list of all vulnerabilities:
- Targeted scanning/probing of critical networks/systems.
- Compromise of critical systems/information.
- Unauthorised access of IT systems/data.
- Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
- Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers.
- Attack on servers such as Database, Mail and DNS and network devices such as Routers.
- Identity Theft, spoofing and phishing attacks.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
- Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks.
- Attacks on Application such as E-Governance, E-Commerce etc.
- Data Breach.
- Data Leak.
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers.
- Attacks or incident affecting Digital Payment systems.
- Attacks through Malicious mobile Apps.
- Fake mobile Apps.
- Unauthorised access to social media accounts.
- Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications.
- Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones.
- Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning.