When a computer incident occurs, there are often strict timelines of notification required. There has been a recent trend towards shortening the time a company has before it must notify. The EU’s GDPR has a 72 hour notification requirement if personal information is disclosed. In the United States, the Transportation Security Administration now requires notification within 24 hours for security events involving certain critical infrastructure.

Not to be outdone, in India, the Indian Computer Emergency Response Team (CERT-In) now requires a notification 6 hours after a cybersecurity incident for most types of incidents and for most entities that do business in India. Additionally, there are several proactive security measures required, including retention of 180 days of logs and 5 year retention of data elements and identifiers for certain technology and financial providers such as data centers, VPN providers, and payment providers who deal with virtual payments and virtual assets (including cryptocurrency and blockchain-enabled technologies).

Notification Rule