New Delhi: In a significant decision, govt has notified new rules under Telecom Act that put an obligation on mobile operators to provide user traffic data – other than content of messages – to Centre to ensure cyber security, apart from stipulating that companies notify a breach within six hours of an incident. Govt will also have the power to analyse such data and pass it on to any agency engaged in law enforcement and security related activities.
Govt also directed sellers of mobile phones to mandatorily register International Mobile Equipment Identity (IMEI) number of devices – made in India or imported here – before their sale. Centre, or any agency authorised by Centre, may, for the “purposes of protecting and ensuring telecom cyber security, seek from a telecommunication entity, traffic data and any other data, other than content of messages, in the form and manner as may be specified” by Centre, the notification said.
The rules also state that govt may maintain a repository of persons and telecommunication identifiers which have been acted upon pursuant to the orders “and may direct telecommunication entities, to prohibit or limit the access to telecommunication service to such persons for a period not exceeding three years from the date of such order.” The notification empowers govt to “direct a telecommunication entity” to establish necessary infrastructure and equipment for collection and provision of such data from designated points to enable its processing and storage.
A telecommunication entity will include any person providing telecom services, or establishing, operating, maintaining, or expanding a telecom network, including an authorised entity holding an authorisation. The new law is in supersession of prevention of tampering of Mobile Device Equipment Identification Number Rules, and will be called ‘Telecommunications (Telecom Cyber Security) Rules’.
The statute states that the data collected “may be analysed for taking measures to enhance telecom cyber security, and such analysis may, to the extent determined by Centre as necessary for protecting and ensuring telecom cyber security be disseminated to any agency of the govt engaged in law enforcement and security related activities”. Also, it can be shared with telecommunication entities or users, provided that any data so disseminated or shared shall not be used for any purpose other than for ensuring telecom cyber security.
The new law also obligates a telecommunication entity to appoint a chief telecommunication security officer, whose details need to be provided in writing to govt.
Regarding the reporting of the incidents, the law states that the telecommunication entity shall notify the central govt within six hours of becoming aware of a security incident that affects its network or service. Govt will notify a portal for digital implementation of the rules and may specify any other implementing mechanism.