Under the DPDP Act 2023, a personal data breach means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data. Upon becoming aware of a breach, the Data Fiduciary must notify the Data Protection Board and each affected Data Principal in the prescribed manner. Failure to notify carries penalties up to Rs 100 crore. Additionally, CERT-In Directions (2022) require reporting cyber security incidents within 6 hours.
A ransomware attack on a hospital database exposing patient records is a personal data breach requiring notification under DPDP.
A personal data breach, defined under Section 2(u) of the DPDP Act 2023, is not limited to hacking — it covers accidental disclosure, loss of access, alteration or destruction that compromises the confidentiality, integrity or availability of personal data. The defining practical obligation is speed and notification: once aware, the Data Fiduciary must notify the Data Protection Board and each affected data principal in the prescribed manner, and Section 8(6) makes that duty enforceable. For a bank or hospital, the response clock starts the moment the incident is discovered, and the institution must also reckon with CERT-In Directions (2022) requiring cyber incident reporting within 6 hours, so two parallel regimes may apply at once. Counsel's role is to coordinate forensic containment, legal notification, and documentation so the timelines are met and the narrative is consistent across regulators. Getting notification wrong — delaying, under-reporting, or notifying inconsistently — carries heavy penalties. Well-advised institutions keep a tested breach-response playbook ready.
For specific advice on how Personal Data Breach applies to your debt recovery matter, consult Advocate Subodh Bajpai — LLM, MBA (XLRI Jamshedpur). 8+ years of exclusive banking and debt recovery practice across DRT, SARFAESI, IBC, and NI Act.
Defined by Advocate Subodh Bajpai, Senior Partner, Unified Chambers and Associates