Emergency Response · CERT-In · DPBI · Forensic Preservation · Penalty Defence

Data Breach Lawyer India
Emergency Response & DPB Defence

A personal data breach under the DPDP Act 2023 engages two reporting regimes at once. Where the breach is also a cyber security incident of a type listed in the CERT-In Directions of April 2022 (issued under Section 70B of the IT Act), it must be reported to CERT-In within 6 hours of being noticed. Separately, Section 8(6) of the DPDP Act requires intimation of the breach to the Data Protection Board of India and to each affected data principal, in the form and within the time prescribed by the Rules. Failure to notify carries a penalty of up to Rs 200 crore per contravention (Schedule Sl.2), on top of up to Rs 250 crore for the failure of security safeguards that allowed the breach (Schedule Sl.1). Unified Chambers provides emergency data breach legal response: immediate counsel engagement, forensic evidence preservation coordination, CERT-In and DPBI notification drafting, and full adjudication defence before the Data Protection Board.

When you discover a data breach, the first call should be to your lawyer — before IT rebuilds systems, before PR drafts a statement, before management decides what to disclose. Advocate Subodh Bajpai, LLM, MBA (XLRI Jamshedpur), provides direct senior-level engagement on every data breach matter.

Statutory Definition

What Constitutes a Personal Data Breach
Under the DPDP Act

The DPDP Act Section 2(u) defines a personal data breach as any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises confidentiality, integrity, or availability. This definition is deliberately expansive — it captures far more scenarios than the popular understanding of a “hack.”

Common breach scenarios that trigger DPDP notification obligations include: external cyberattacks and data exfiltration, ransomware that encrypts personal data (loss of availability), misconfigured cloud storage exposing customer databases, an employee accessing records without authorisation (insider threat), a vendor or processor breach affecting your customers’ data (Section 8(1) keeps the data fiduciary responsible for processing done on its behalf by a processor, so a processor’s breach is the fiduciary’s breach to notify), an email containing personal data sent to the wrong recipients, physical device theft (laptops, backup tapes, server hard drives), an API flaw allowing bulk data extraction, and SQL injection or other application-level attacks on customer-facing systems.

The threshold for notification is low. The Act does not require a minimum number of affected data principals or a minimum severity level. Any breach that “compromises” confidentiality, integrity, or availability — even affecting a single customer record — is a notifiable personal data breach. This zero-threshold approach means organisations must have incident response procedures that can rapidly assess every security event for DPDP notification requirements.

DPDP Act 2023 — Section 2(u)
“‘Personal data breach’ means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”
Notification failure penalty: Up to ₹200 Crore (Schedule Sl.2)
Response Protocol

Data Breach Response Timeline
From Discovery to Defence

The first 72 hours after breach discovery determine the trajectory of the entire regulatory response. Every action — or inaction — during this window creates the evidentiary record that the Data Protection Board will examine during adjudication.

0-1 Hr
Breach Discovery & Containment

Identify the breach vector, isolate affected systems, prevent further data exposure. Do NOT wipe or rebuild systems — preserve forensic evidence.

1-4 Hr
Legal Counsel & Forensic Engagement

Engage data breach legal counsel. Initiate forensic evidence preservation. Begin drafting CERT-In incident report. Assess scope of personal data affected.

4-6 Hr
CERT-In Notification

Submit mandatory cyber incident report to CERT-In within the 6-hour window. Legal counsel reviews report language before submission.

6-24 Hr
Initial DPBI & Data Principal Intimation

Give the Board an initial intimation without delay with what is known: the nature, extent, timing and location of the breach and its likely impact. Intimate each affected data principal without delay, in plain language, through their registered contact. Continue the forensic assessment of affected data principals and the categories of personal data compromised.

24-72 Hr
Detailed DPBI Report

Within 72 hours of becoming aware of the breach (or a longer period the Board allows on written request), file the detailed report with the Board: updated facts and circumstances, measures taken or proposed to mitigate risk, findings on who caused the breach, remedial measures against recurrence, and a record of the intimations given to affected data principals. Activate credit monitoring if financial data was exposed.

72 Hr+
Remediation & Defence Preparation

Implement technical remediation. Prepare for DPBI inquiry. Document mitigation efforts. Engage with sector regulator (RBI/SEBI/IRDAI) if applicable.

Penalty Framework

Cumulative Penalties for
A Single Breach Event

A single data breach can trigger more than one penalty head. The DPDP Schedule prescribes separate maximum penalties for the security failure (the breach itself) and for the notification failure (failing to intimate the Board and affected data principals), and Section 33(1) allows the Board to impose a penalty for each contravention it finds after inquiry. If the inquiry also reveals other DPDP violations, further heads apply. The figures below are statutory ceilings, not fixed amounts; Section 33(2) sets the factors the Board weighs when fixing the actual sum.

₹250 Cr
Security Safeguard Breach (Schedule, Sl.1 — Section 8(5))

The breach itself: failure to take reasonable security safeguards to prevent personal data breach.

₹200 Cr
Notification Failure (Schedule, Sl.2 — Section 8(6))

Failing to give the Board and each affected data principal intimation of the breach: a separate contravention.

₹450 Cr
Maximum Cumulative Exposure (Sl.1 + Sl.2)

A single breach with a notification failure can attract both heads: up to Rs 250 Cr plus up to Rs 200 Cr.

₹50 Cr
If Other Violations Found (Schedule, Sl.7)

If the inquiry reveals consent failures, purpose limitation breaches or cross-border transfer violations alongside the breach, the residual head applies. Note that breaches of the children’s data obligations in Section 9 fall under Sl.3, with their own ceiling of Rs 200 Cr.
Adjudication Defence

Data Protection Board
Complaint Defence

When a data principal files a complaint with the DPBI following a data breach, the adjudication process begins. The DPBI functions as a digital office — proceedings are conducted online, evidence is submitted electronically, and hearings occur via video conference. Despite the digital format, the stakes are identical to physical court proceedings: penalties up to Rs 250 crore and orders that carry the force of a civil court decree.

Unified Chambers’ defence strategy for DPBI data breach proceedings focuses on three pillars: (a) demonstrating “reasonable security safeguards” existed before the breach — ISO 27001 certification, regular penetration testing, employee training, incident response plans, cyber insurance, and CISO appointment; (b) showing prompt and good-faith notification — timely CERT-In report, expeditious DPBI notification, transparent communication with affected data principals; (c) evidencing effective post-breach remediation — patching the vulnerability, offering credit monitoring to affected persons, conducting root cause analysis, and implementing systemic improvements.

The first DPBI decisions on data breach complaints will set precedent for how “reasonable security safeguards” is interpreted across industries. Organisations that engage experienced legal counsel from the point of breach discovery, not after receiving a DPBI notice, are better positioned to build the evidentiary record that supports a penalty mitigation argument. Appeals from DPBI orders lie to TDSAT under Section 29 of the DPDP Act, within 60 days of receipt of the order.

Resources

Data Breach Guides & Analysis

Notification
Data Breach Notification India — The 72-Hour Rule Under DPDP
Penalties
DPDP Act Penalties: Complete Guide to Fines Up to Rs 250 Crore
Compliance
DPDP Compliance Checklist for Indian Corporates
Practice
DPDP Lawyer India — Full Practice Overview
Advisory
DPDP Compliance India — Advisory Services
Regulatory Challenge

Dual Breach Reporting Burden
Two Regulators, Two Timelines, One Breach

CERT-In must be notified within 6 hours of noticing, or being brought to notice of, a cyber security incident of a type listed in Annexure I of the CERT-In Directions of April 2022; data breaches, data leaks, ransomware and unauthorised access to IT systems or data are all on that list. Within those categories there is no severity or scale threshold and no provision for extension. Separately, Section 8(6) of the DPDP Act requires intimation of a personal data breach to the Data Protection Board of India and each affected data principal in the form and manner prescribed. Under the 2025 Rules this means intimating affected data principals without delay, giving the Board an initial description of the breach without delay, and filing the detailed report with the Board within 72 hours of becoming aware of the breach, or such longer period as the Board allows on a written request.

Two regulators, two timelines, two reporting formats, one breach event. The CERT-In report is a technical incident report focused on the attack vector, systems affected, and containment measures. The DPBI notification is a legal document focused on the personal data compromised, the number of affected data principals, and the remediation offered. The language used in one report can create evidentiary problems in the other proceeding — a technical admission in the CERT-In report may be used against the fiduciary in DPBI penalty proceedings.

Coordinated legal response across both reporting obligations is critical. Unified Chambers drafts both the CERT-In incident report and the DPBI breach notification in parallel, ensuring consistency of position while meeting both timelines. For sector-regulated entities (banks, NBFCs, insurers), a third reporting obligation to the sectoral regulator (RBI, IRDAI, SEBI) adds further complexity.

CERT-In Directions 2022 + DPDP Act Section 8(6)
CERT-In: mandatory notification within 6 hours of noticing the incident, for the incident types listed in the Directions. DPDP: intimation to each affected data principal and to the Board without delay, with the detailed report to the Board due within 72 hours under the 2025 Rules.
Notification failure penalty: Up to ₹200 Crore (Schedule Sl.2)
Frequently Asked Questions

Data Breach Response — Key Questions

What constitutes a "personal data breach" under the DPDP Act 2023?

Section 2(u) of the DPDP Act defines a personal data breach as "any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data." This definition is deliberately broad. It covers: hacking and external cyberattacks, insider threats (employee accessing data without authorisation), accidental exposure (misconfigured database, unsecured API endpoint), ransomware (loss of access to personal data), physical theft of devices containing personal data, and vendor/processor breaches where a third-party service provider is compromised. Notably, the definition covers both intentional and accidental breaches — an employee accidentally emailing customer records to the wrong recipient constitutes a personal data breach under DPDP.

What are the notification timelines for a data breach in India?

India has two parallel notification regimes. (1) CERT-In Directions (April 2022): entities must report cyber security incidents of the types listed in the Directions to CERT-In within 6 hours of noticing them or being brought to notice of them. This applies regardless of severity within those categories, and non-compliance is punishable under Section 70B(7) of the IT Act with imprisonment of up to one year, a fine of up to Rs 1 lakh, or both. (2) DPDP Act Section 8(6): a data fiduciary must give the Data Protection Board of India and each affected data principal intimation of a personal data breach in the form and manner prescribed. The 2025 Rules require intimation to affected data principals without delay, an initial description of the breach to the Board without delay, and a detailed report to the Board within 72 hours of becoming aware of the breach (or a longer period the Board allows on written request). The two clocks run concurrently from discovery: CERT-In within 6 hours, initial DPBI and data principal intimation as soon as the breach is known, detailed DPBI report within 72 hours. Engaging legal counsel immediately upon breach discovery is critical to coordinating both notification workflows.

What penalties apply for failing to notify a data breach under DPDP?

The DPDP Act Schedule prescribes two penalty heads directly related to data breaches: (1) up to Rs 250 crore for breach of the obligation to take reasonable security safeguards to prevent personal data breach (Schedule Sl.1, Section 8(5)), the highest ceiling under the Act; (2) up to Rs 200 crore for breach of the obligation to give the Board and affected data principals notice of a personal data breach (Schedule Sl.2, Section 8(6)), which penalises the notification failure separately from the breach itself. These are ceilings, imposed per contravention after inquiry, and they can stack: a single breach event can attract up to Rs 250 crore for inadequate safeguards plus up to Rs 200 crore for late or absent notification, a maximum exposure of Rs 450 crore. If the inquiry also reveals other DPDP violations, further heads apply: processing without valid consent and other breaches not specifically listed fall under the residual Rs 50 crore head (Schedule Sl.7), while breaches of the children's data obligations in Section 9 carry their own ceiling of Rs 200 crore (Schedule Sl.3).

When should I engage a data breach lawyer — before or after notifying CERT-In?

Immediately upon discovery — before any notification. The 6-hour CERT-In window starts when the incident is "noticed or brought to notice." The first actions after discovery should be: (a) contain the breach to prevent further data exposure; (b) preserve forensic evidence (do not wipe, rebuild, or patch affected systems before forensic capture); (c) engage legal counsel to assess notification obligations and draft the CERT-In incident report. Legal counsel involvement before notification is critical because: the CERT-In report creates a regulatory record that may be referenced in subsequent DPBI proceedings; the language of the notification affects the scope of regulatory inquiry; and premature public disclosure can cause reputational damage and trigger secondary regulatory scrutiny (from RBI, SEBI, or sector regulators). Unified Chambers provides emergency response counsel — WhatsApp Advocate Subodh Bajpai directly at +91 84008 60008.

How can DPDP data breach penalties be mitigated?

The DPDP Act gives limited statutory guidance on penalty mitigation, but Section 33(2) directs the Data Protection Board to have due regard to: (a) the nature, gravity and duration of the breach; (b) the type and nature of the personal data affected; (c) the repetitive nature of the breach; (d) whether the person realised a gain or avoided a loss as a result of the breach; (e) whether the person took action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of that action; (f) whether the penalty is proportionate and effective, having regard to the need to secure observance of, and deter breach of, the Act; and (g) the likely impact of the penalty on the person. Effective mitigation therefore means building the record those factors reward: a documented incident response plan (preparedness), prompt notification and early containment (timely and effective mitigation), post-breach remediation (patching the exploited weakness, offering credit monitoring to affected persons), cooperation with the DPBI inquiry, and evidence of pre-breach security investment (ISO 27001 certification, regular penetration testing, data protection training programmes). The strongest mitigation is a well-documented compliance programme that predates the breach, proving that the organisation took reasonable security safeguards before the incident occurred.

Can a data principal file a complaint with the DPBI after a data breach?

Yes, after first using the fiduciary's own grievance channel. Section 13 gives every data principal the right to readily available grievance redressal from the data fiduciary or consent manager, and Section 13(3) requires the data principal to exhaust that opportunity before approaching the Board. Once that is done, an affected individual can complain to the DPBI alleging: (a) the fiduciary failed to take reasonable security safeguards (Section 8(5)); (b) the fiduciary failed to notify the breach (Section 8(6)); (c) the fiduciary failed to act on a rights request (Sections 11, 12 and 13). The Board need not wait for a complaint: under Section 27(1)(a) it may act on the fiduciary's own breach intimation to direct urgent remedial measures, inquire and impose penalty. The DPBI has the powers of a civil court to summon persons and documents, and it imposes the penalties. Appeals from DPBI orders lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29, within 60 days of receipt of the order. Unified Chambers represents data fiduciaries in DPBI complaint proceedings, from initial response drafting through the full adjudication process.

What forensic evidence should be preserved after a data breach?

Forensic preservation is critical for both regulatory defence and any criminal proceedings. Collect in order of volatility, capturing what disappears first: (a) memory dumps, RAM snapshots from compromised hosts taken before any reboot or shutdown, together with live state such as running processes and active network connections; (b) network traffic captures showing exfiltration or unauthorised access patterns; (c) disk images, bit-for-bit copies of affected storage media taken before any remediation, with the original media then write-protected and stored; (d) system logs: access, authentication, firewall, database query and application logs from the period surrounding the breach (the CERT-In Directions already require ICT system logs to be retained for a rolling 180 days within India, so a gap here is itself a compliance finding); (e) third-party logs: cloud provider audit logs, CDN logs and managed security service provider (MSSP) alerts, which are often retained only briefly and should be exported or requested immediately; (f) email and communication records about the breach discovery and response. Record a cryptographic hash of every artefact at the moment of acquisition, note who acquired it, when and from where, and maintain that chain of custody through every hand-off; evidence collected without it may be challenged during adjudication. Engage a CERT-In empanelled auditor for forensic analysis, coordinated through your legal counsel to maintain privilege where applicable.
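As an added example (not the page's own material and not tooling of Unified Chambers), the following Python script shows the minimum chain-of-custody record described above: it hashes every preserved artefact at acquisition, writes a manifest naming the collector and time, and re-verifies the evidence set later so that alteration, loss or post-acquisition additions are detected. The evidence directory, case identifier, collector address and sample files are constructed for the demonstration.

```python
"""Chain-of-custody manifest for preserved breach evidence.

Added example, not from the original page. For every preserved artefact it
records a SHA-256 digest taken at acquisition, its size, who acquired it
and when, then re-verifies the set later. Paths, case id, collector and
the sample evidence files below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a disk image is never loaded whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Record digest, size and acquisition metadata for every artefact."""
    items = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        items.append({
            "relative_path": path.relative_to(evidence_dir).as_posix(),
            "size_bytes": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "artefacts": items,
    }
    # The digest of the artefact list travels with the custody form by a
    # separate channel, so the manifest itself cannot be rewritten unnoticed.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(items, sort_keys=True).encode()).hexdigest()
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return discrepancies found; an empty list means the evidence is intact."""
    problems: list[str] = []
    expected = {a["relative_path"]: a for a in manifest["artefacts"]}
    recomputed = hashlib.sha256(
        json.dumps(manifest["artefacts"], sort_keys=True).encode()).hexdigest()
    if recomputed != manifest["manifest_sha256"]:
        problems.append("manifest: artefact list does not match manifest_sha256")
    for rel, entry in expected.items():
        path = evidence_dir / rel
        if not path.is_file():
            problems.append(f"{rel}: missing")
            continue
        if path.stat().st_size != entry["size_bytes"]:
            problems.append(f"{rel}: size changed")
        if sha256_file(path) != entry["sha256"]:
            problems.append(f"{rel}: sha256 mismatch")
    # Anything that appeared after acquisition is also a custody problem.
    present = {p.relative_to(evidence_dir).as_posix()
               for p in evidence_dir.rglob("*") if p.is_file()}
    for rel in sorted(present - set(expected)):
        problems.append(f"{rel}: not in manifest")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed evidence set: an intact check, then a check after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "evidence"
        (ev / "logs").mkdir(parents=True)
        # Constructed sample artefacts standing in for real acquisitions.
        (ev / "logs" / "auth.log").write_text(
            "2024-03-01T02:13:07Z sshd: Accepted publickey for svc-backup from 203.0.113.9\n")
        (ev / "web01.mem").write_bytes(os.urandom(4096))
        manifest = build_manifest(ev, collector="ir-analyst@example.invalid", case_id="IR-0001")
        clean = verify_manifest(ev, manifest)
        # Simulate post-acquisition tampering: the log is emptied and a file is added.
        (ev / "logs" / "auth.log").write_text("")
        (ev / "notes.txt").write_text("added after acquisition\n")
        tampered = verify_manifest(ev, manifest)
    return clean, tampered


if __name__ == "__main__":
    intact, after = demo()
    print("intact:", intact)
    print("after tampering:", after)
```

In practice the manifest is generated on the acquisition workstation, signed or hashed, and handed to the CERT-In empanelled auditor together with the media; each subsequent custodian re-runs the verification and countersigns, so the record the DPBI sees shows an unbroken, checkable chain from discovery to analysis.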

Emergency Response

Data Breach Discovered?
Call Your Lawyer First

WhatsApp Advocate Subodh Bajpai directly. Describe the breach, when it was discovered, and what systems are affected. Senior Partner engagement from first contact. CERT-In notification support within the 6-hour window. DPBI defence preparation from day one. Minimum engagement: Rs 50 lakhs.
