Data Breach Notification India
The 72-Hour Rule Under DPDP
When a personal data breach occurs in India, the clock starts immediately. The CERT-In Directions 2022 require incident reporting within 6 hours. The DPDP Act 2023 mandates notification to the Data Protection Board and affected individuals within the prescribed timeline — expected to be 72 hours, consistent with global standards. Failure to notify carries a penalty of up to Rs.200 crore, separate from any penalty for the underlying security failure.
This guide covers both notification regimes, what triggers them, who must be notified, what information must be provided, and the step-by-step emergency response protocol every company should have ready before a breach occurs. By Advocate Subodh Bajpai, Senior Partner at Unified Chambers and Associates.
India’s Dual Breach Notification Regime
India operates two concurrent breach notification frameworks, each with distinct scopes, timelines, and enforcement bodies. Companies must comply with both simultaneously when a personal data breach occurs.
The critical distinction: CERT-In notification covers all cyber security incidents (including those that do not involve personal data), while DPDP notification specifically targets personal data breaches and requires notification to affected individuals as well as the regulator. A ransomware attack on a company’s financial systems that does not compromise personal data triggers CERT-In reporting but not DPDP notification. A breach exposing customer personal data triggers both.
For companies in regulated sectors, additional obligations apply. Banks must notify the Reserve Bank of India (RBI) under its cybersecurity framework. Insurance companies must notify IRDAI. Telecom operators must notify DoT. Securities market intermediaries must notify SEBI. A single data breach can therefore trigger five or more separate regulatory notifications, each with different formats, timelines, and contact points.
What Constitutes a “Personal Data Breach” Under DPDP
Section 2(u) of the DPDP Act defines “personal data breach” as any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data. This definition is intentionally broad, covering every category of incident that affects personal data.
External Attacks
Hacking, phishing, credential stuffing, SQL injection, ransomware encrypting personal data, man-in-the-middle interception, API exploitation
Internal Incidents
Employee accessing records without authorisation, accidental email to wrong recipient, unintended publication of personal data on company website, insider data theft
System Failures
Database corruption causing data loss, backup failure resulting in permanent data destruction, misconfigured cloud storage exposing personal data publicly (S3 bucket incidents)
Vendor Incidents
Third-party processor suffering a breach affecting your personal data, cloud provider security incident, SaaS platform vulnerability exposing tenant data
A common misconception: many companies believe a “data breach” only means data theft or exfiltration. Under the DPDP definition, a ransomware attack that encrypts personal data without exfiltrating it is a personal data breach because it causes “loss of access to personal data.” Similarly, an accidental deletion of customer records without backup is a breach because it constitutes “destruction of personal data.” Companies must train their incident response teams to recognise the full scope of what constitutes a reportable breach.
Notification Timeline — Hour by Hour
Breach Detected or Reported
The clock starts when any person in the organisation becomes aware that a personal data breach may have occurred. This includes: automated alerts from security systems, reports from employees, notifications from third-party vendors, reports from affected individuals, or media reports. Document the exact time and source of first awareness, record the timestamp with its time zone, and preserve the originating alert, email or report as evidence. This timestamp is critical for demonstrating compliance with notification timelines, because both the 6-hour CERT-In window and the DPDP window are counted from it.
Initial Assessment and Containment
Activate the breach response team. Conduct initial triage: confirm whether a breach has actually occurred (vs. a false positive); determine whether personal data is affected; assess the scope (number of records, categories of data, systems affected); and take immediate containment measures (isolate affected systems, revoke compromised credentials, block malicious IP addresses). Contain by isolating affected systems at the network level rather than powering them off: a shutdown destroys volatile memory, running processes and other forensic evidence that the investigation in the next stage depends on.
CERT-In Notification (Mandatory)
Prepare and submit the CERT-In incident report within 6 hours of noticing the incident or being brought to notice of it. The report must include: nature of the incident, systems affected, geographical scope, and initial assessment of impact. Do not hold the report back to complete the investigation; file what is known and supplement it as the picture develops. CERT-In accepts reports through its online reporting portal and a dedicated email (incident@cert-in.org.in). This is a hard deadline: non-compliance with CERT-In directions is an offence under Section 70B(7) of the IT Act, 2000, punishable with imprisonment of up to one year, a fine of up to Rs.1 lakh, or both.
Forensic Investigation and Scope Assessment
Engage external forensic investigators if the breach is significant. Determine: the root cause of the breach; the full scope of personal data affected; whether data was actually exfiltrated or only accessed/encrypted; the number of affected Data Principals; and whether the breach is ongoing or contained. Preserve all logs, forensic images, and evidence. This investigation informs both the DPDP Board notification and the communication to affected individuals.
DPDP Board and Individual Notification
Prepare and submit the notification to the Data Protection Board in the prescribed format. Simultaneously prepare the notification to affected Data Principals. The individual notification must be clear, non-technical, and must include: what happened, what personal data was affected, what the company is doing about it, and what steps the individual should take to protect themselves. If the investigation is still ongoing, submit an initial notification with a commitment to provide supplementary information as it becomes available.
Supplementary Reporting and Remediation
Continue the investigation. Submit supplementary reports to the DPDP Board as new information emerges. Implement permanent remediation measures (not just temporary patches). Conduct a post-incident review. Update security safeguards based on lessons learned. Retain all breach-related records for the period prescribed in the DPDP Rules. If the company is in a regulated sector, submit parallel reports to the relevant sectoral regulator (RBI, IRDAI, SEBI, DoT).
Penalties for Breach Notification Failure
A single data breach incident can expose a company to multiple, stacking penalties under the DPDP Act. The penalties are not mutually exclusive — each obligation has its own penalty category in the Schedule.
Sl.1 (up to Rs.250 crore): Failure to implement reasonable security safeguards that caused or contributed to the breach
Sl.2 (up to Rs.200 crore): Failure to notify the Data Protection Board and affected individuals of the breach
Sl.3 (up to Rs.200 crore): Additional penalty if the breach involved children's personal data
Sl.7 (up to Rs.50 crore): Additional penalty for any other contravention, e.g., cross-border transfer violations, consent failures, or purpose limitation breaches
The theoretical maximum exposure for a single data breach involving children’s data with inadequate security, where the company also fails to notify and has other contraventions, could reach Rs.700 crore in cumulative penalties (Sl.1: Rs.250 Cr + Sl.2: Rs.200 Cr + Sl.3: Rs.200 Cr + Sl.7: Rs.50 Cr). While such an extreme scenario is unlikely, it illustrates why breach preparedness is a board-level priority, not an IT department afterthought.
7-Step Emergency Response Protocol
Establish a Breach Response Team Before a Breach Occurs
Designate members from legal, IT/security, communications, HR, and executive leadership. Define roles, escalation paths, and decision authority. The team should be able to convene within 30 minutes of a breach alert. Store contact details (personal mobiles, not just office numbers) in an accessible location outside the potentially compromised corporate network.
Pre-Draft Notification Templates
Work with legal counsel to pre-draft notification templates for the Data Protection Board, CERT-In, and affected individuals. These templates should have fill-in-the-blank sections for breach-specific details. In the chaos of an active breach, drafting notifications from scratch costs precious hours. Pre-approved templates ensure legally compliant notifications are sent within the required timelines.
Deploy Breach Detection Systems
You cannot notify what you do not detect. Implement: Security Information and Event Management (SIEM) for log aggregation and alerting; Data Loss Prevention (DLP) tools for exfiltration detection; endpoint detection and response (EDR) on all endpoints; network traffic analysis for anomaly detection. The faster you detect, the smaller the breach scope and the more time you have for notification.
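As an added illustration of the kind of rule such tooling runs (example code, not from the original article or any product), the following Python script scans constructed application access-log lines in a hypothetical "timestamp user= action= records=" format and raises an alert when one account's record reads within a sliding 10-minute window exceed a threshold: the bulk-export pattern behind the insider-theft and credential-stuffing scenarios described earlier. The alert's timestamp is the moment of first awareness that the timeline section says to record. The log format, threshold, window length and user names are all assumptions.

```python
"""Bulk-access detector over constructed application access logs.

Added example, not from the original article. Assumes a hypothetical log
format "<ISO-8601 UTC timestamp> user=<id> action=<verb> records=<n>".
Flags any user whose record reads inside a sliding window exceed a
threshold, the sort of correlation rule a SIEM or DLP tool would run.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): alice exports in two bursts,
# bob behaves normally, carol does one large export later in the day.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z user=alice action=read records=3
2024-03-01T09:00:40Z user=bob action=read records=2
2024-03-01T09:01:10Z user=alice action=export records=4000
2024-03-01T09:01:30Z user=alice action=export records=6500
2024-03-01T09:05:00Z user=bob action=read records=1
2024-03-01T10:30:00Z user=carol action=export records=9000
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "user": kv["user"],
        "action": kv["action"],
        "records": int(kv["records"]),
    }


def detect_bulk_access(log_text, threshold=5000, window=timedelta(minutes=10)):
    """Return alerts as (first_awareness_ts, user, records_in_window) tuples.

    Events are assumed to arrive in time order. A user is alerted at most once;
    the timestamp of the event that crossed the threshold is the first-awareness
    time the incident log should record.
    """
    windows = defaultdict(deque)   # user -> deque of (ts, records) inside window
    totals = defaultdict(int)      # user -> running sum of records in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        q = windows[user]
        q.append((ev["ts"], ev["records"]))
        totals[user] += ev["records"]
        # Evict events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            _, old = q.popleft()
            totals[user] -= old
        if totals[user] > threshold and user not in alerted:
            alerted.add(user)
            alerts.append((ev["ts"], user, totals[user]))
    return alerts


if __name__ == "__main__":
    for ts, user, n in detect_bulk_access(SAMPLE_LOG):
        print(f"ALERT first_awareness={ts.isoformat()}Z user={user} records={n}")
```

The threshold and window are deliberately simple; in production the baseline would be per-role or per-user rather than a fixed number, but the structure (sliding window, eviction, one alert per actor, a recorded first-awareness timestamp) is what matters for the notification clock.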
Maintain a Data Inventory
During a breach, the first question is: what data was affected? Without a current data inventory mapping which personal data resides in which systems, answering this question takes days. Maintain an updated data map (Step 02 of the DPDP compliance checklist). Know exactly what personal data each system contains so you can immediately assess the scope of any breach.
Engage External Counsel and Forensics on Retainer
When a breach occurs, you do not have time to evaluate and onboard legal counsel and forensic investigators. Establish retainer agreements with a law firm experienced in data protection law and a digital forensics firm before any breach occurs. Retainer agreements with pre-agreed hourly rates and response SLAs (ideally 2-4 hours for initial mobilisation) ensure immediate expert support when the clock is ticking.
Conduct Quarterly Tabletop Exercises
Simulate breach scenarios quarterly. The exercise should involve the full breach response team and should test: detection and escalation workflows, CERT-In notification within 6 hours, DPDP Board notification within 72 hours, individual notification content and delivery, media and stakeholder communications, and post-incident review. Each exercise should identify gaps and result in concrete improvements to the response plan.
Document Everything from Minute One
From the moment a breach is suspected, document every action taken, every decision made, and every communication sent. This contemporaneous record serves two purposes: it demonstrates to the Data Protection Board that you responded diligently and within timelines, and it provides the evidentiary foundation for any penalty proceeding or litigation that follows. Use a dedicated, append-only incident log with timestamped entries, held outside the potentially compromised environment (as with the response team's contact details), so that the record itself cannot be questioned.
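An added example (not from the original article) of what such an incident log can look like in practice: a Python class whose entries are chained by SHA-256 hashes, so that any later edit to the contemporaneous record is detectable, and which derives the CERT-In deadline (6 hours, per the Directions) and the DPDP Board deadline (the 72-hour figure this guide expects; the DPDP Rules govern the actual window) from the recorded first-awareness timestamp. The incident ID, actors, event names and timestamps are constructed.

```python
"""Tamper-evident incident log with notification-deadline tracking.

Added example, not from the original article. Each entry is chained to the
previous one by a SHA-256 hash, so later edits to the record are detectable.
The 6-hour CERT-In window is taken from the Directions; the 72-hour DPDP
window is the figure the article expects, not a settled number.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

CERT_IN_WINDOW = timedelta(hours=6)
DPDP_WINDOW = timedelta(hours=72)   # assumed figure, per the article
GENESIS = "0" * 64


def _digest(body):
    """Canonical JSON hash of an entry body (without its own hash field)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentLog:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def add(self, ts, actor, event, detail=""):
        """Append an entry; ts must be timezone-aware. Returns the entry hash."""
        if ts.tzinfo is None:
            raise ValueError("timestamps must carry a time zone")
        body = {
            "seq": len(self.entries),
            "ts": ts.astimezone(timezone.utc).isoformat(),
            "actor": actor,
            "event": event,
            "detail": detail,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        body["hash"] = _digest({k: v for k, v in body.items() if k != "hash"})
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """True if every entry's hash and back-link are intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def first_awareness(self):
        for e in self.entries:
            if e["event"] == "first_awareness":
                return datetime.fromisoformat(e["ts"])
        return None

    def deadlines(self):
        t0 = self.first_awareness()
        if t0 is None:
            return {}
        return {"cert_in": t0 + CERT_IN_WINDOW, "dpdp_board": t0 + DPDP_WINDOW}

    def notified_on_time(self, regulator):
        """True/False once a 'notified:<regulator>' entry exists; False if none yet."""
        deadline = self.deadlines().get(regulator)
        if deadline is None:
            return None
        for e in self.entries:
            if e["event"] == f"notified:{regulator}":
                return datetime.fromisoformat(e["ts"]) <= deadline
        return False


def sample_log():
    """Constructed incident: alert at 09:01:30Z, CERT-In notified after 5 hours."""
    log = IncidentLog("INC-0001")   # hypothetical identifier
    t0 = datetime(2024, 3, 1, 9, 1, 30, tzinfo=timezone.utc)
    log.add(t0, "siem", "first_awareness", "bulk export alert on customer DB")
    log.add(t0 + timedelta(minutes=20), "ir-lead", "containment", "service account revoked")
    log.add(t0 + timedelta(hours=5), "legal", "notified:cert_in", "sent to incident@cert-in.org.in")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify())
    for name, when in log.deadlines().items():
        print(f"{name} deadline: {when.isoformat()}")
```

The chain only proves that entries were not altered after the fact; to prove when they were written, anchor the latest hash somewhere you do not control, for example in a timestamped email to outside counsel each time a notification is filed.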
Data Breach Notification — Questions Answered
What is the difference between the CERT-In 6-hour rule and the DPDP notification requirement?
What constitutes a "personal data breach" under the DPDP Act?
Who must be notified in case of a personal data breach?
What information must be included in a breach notification to the DPB?
What is the penalty for failing to notify a data breach?
Does the 72-hour clock start from when the breach occurs or when it is discovered?
Data Breach? Act Within Hours, Not Days.
Breach notification deadlines are measured in hours. Unified Chambers provides emergency legal support for data breach incidents — CERT-In reporting, DPDP Board notification, and crisis management. Advocate Subodh Bajpai available directly.