Data Breach Reporting in India
In the digital age, data is one of the most valuable assets for organizations, governments, and individuals alike. This value, however, comes with a significant risk—data breaches. Data breaches can expose sensitive information, disrupt business operations, damage reputations, and, most importantly, put individuals’ personal information at risk. As cyber threats become increasingly sophisticated and frequent, countries worldwide have been enacting laws to regulate data protection and outline how organizations must respond to such incidents.
India, as one of the largest digital markets globally, faces immense challenges in protecting its citizens' data. The government’s recent introduction of the Digital Personal Data Protection (DPDP) Act signifies a major step toward strengthening data security. One key aspect of the DPDP Act is its emphasis on data breach reporting—a critical measure to ensure transparency, accountability, and prompt response in the event of a security incident. With millions of people using online services and transacting digitally, data breaches in India are no longer hypothetical concerns; they are real threats that affect individuals and organizations on a daily basis.
Data breach reporting requirements serve multiple purposes. For individuals, prompt notification provides an opportunity to take protective measures, such as changing passwords or monitoring financial accounts. For regulatory bodies, breach reporting enables oversight and intervention, where necessary, to protect public interests. For businesses, compliance with breach reporting regulations enhances transparency and helps build trust with customers and stakeholders.
Reporting Requirements: Key Sections in the DPDP Act for Breach Notifications
The DPDP Act defines a personal data breach as any unauthorized processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability.
Under the Act, both data fiduciaries (entities determining the purpose and means of data processing) and data processors (entities processing data on behalf of fiduciaries) are obligated to:
- Notify the Data Protection Board of India: In the event of a personal data breach, the data fiduciary must inform the Data Protection Board in a prescribed manner.
- Inform Affected Data Principals: The data fiduciary is also required to notify each affected data principal (individuals to whom the data pertains) about the breach.
Timeline and Content of Reporting: Deadlines and Information to Be Disclosed
While the DPDP Act mandates breach notifications, it does not specify exact timelines for reporting. In the absence of a defined timeframe, organizations should act promptly after discovering a breach to minimize potential damage.
The content of the breach notification should include:
- Nature of the Breach: A detailed description of how the breach occurred and the data involved.
- Potential Consequences: An assessment of the possible adverse effects on the data principals.
- Measures Taken: Steps already implemented to address the breach and mitigate its impact.
- Advisory for Data Principals: Recommendations for individuals to protect themselves from potential harm resulting from the breach.
Preventive Measures: Internal Protocols and Incident Response Teams
Proactive measures are essential to prevent data breaches and ensure swift response when they occur. Organizations should consider the following best practices:
- Establish an Incident Response Team (IRT): Form a dedicated team responsible for managing data breaches, including members from IT, legal, compliance, and public relations departments.
- Develop a Data Breach Response Plan: Create a comprehensive plan outlining procedures for identifying, containing, eradicating, and recovering from data breaches.
- Conduct Regular Training: Educate employees on data protection policies, on recognizing potential threats, and on reporting suspicious activity.
- Implement Robust Security Measures: Utilize encryption, access controls, and regular security assessments to protect personal data.
- Perform Regular Audits: Conduct periodic audits to ensure compliance with data protection laws and internal policies.
Examples and Case Studies: Notable Breaches in India and Lessons Learned
Examining past data breaches provides valuable insights into vulnerabilities and effective response strategies.
- MobiKwik Data Breach (2021): In March 2021, MobiKwik, a digital payment platform, reportedly experienced a breach exposing personal data of nearly 110 million users, including Aadhaar numbers and credit card details.
- Air India Data Breach (2021): In May 2021, Air India reported a breach affecting approximately 4.5 million passengers, with compromised records spanning roughly a decade.
- Aadhaar Data Leak (2023): In October 2023, personal data of 81.5 crore Indians, including Aadhaar details, was reportedly leaked.
Conclusion
In an era defined by digital transformation and vast data flows, data breach reporting is no longer simply a regulatory formality; it’s a critical pillar of an organization’s data protection strategy...
Reaching the author: Email info@cyberlawconsulting.com | Know more about the author at www.prashantmali.com