When a computer incident occurs, there are often strict timelines of notification required. There has been a recent trend towards shortening the time a company has before it must notify. The EU’s GDPR has a 72 hour notification requirement if personal information is disclosed. In the United States, the Transportation Security Administration now requires notification within 24 hours for security events involving certain critical infrastructure.

Not to be outdone, in India, the Indian Computer Emergency Response Team (CERT-In) now requires a notification 6 hours after a cybersecurity incident for most types of incidents and for most entities that do business in India. Additionally, there are several proactive security measures required, including retention of 180 days of logs and 5 year retention of data elements and identifiers for certain technology and financial providers such as data centers, VPN providers, and payment providers who deal with virtual payments and virtual assets (including cryptocurrency and blockchain-enabled technologies).

Notification Rule

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]