
Data Breach Basics

DPDPA requires businesses to notify the Data Protection Board and affected individuals when personal data is breached — without delay. This applies to all Data Fiduciaries regardless of size. This guide covers what counts as a breach, what you must report, the notification timeline, and the first practical steps to take.

A data breach is any incident where personal data is accessed, disclosed, altered, or destroyed without authorisation. Under DPDPA, businesses have mandatory obligations when a breach occurs.

What Is a Personal Data Breach?

A breach includes:

  • Unauthorised access to a database or file containing personal data
  • Accidental email containing personal data sent to the wrong recipient
  • Ransomware attack encrypting or exfiltrating customer or employee records
  • Loss of a device containing personal data
  • Insider misuse of data access privileges

Notification Obligations

Section 8(6) of the DPDPA requires Data Fiduciaries to notify the Data Protection Board of a personal data breach "in such manner and within such period as may be prescribed."

Expected requirements based on draft rules:

  • Initial notification within 72 hours of becoming aware of the breach
  • Detailed report following investigation
  • Notification to affected individuals where the breach poses significant risk

Building Basic Breach Response Capability

You do not need a large security team to be prepared. A basic incident response plan covers:

  • Detect — How will you know a breach has occurred?
  • Contain — How do you stop the breach from spreading?
  • Assess — What data was affected, how many individuals, what is the risk?
  • Notify — Who do you notify and when?
  • Remediate — How do you prevent recurrence?

Practical Steps for Indian SMEs

  • Know where all your personal data is stored
  • Ensure access logs exist for systems containing personal data
  • Have a contact for reporting security incidents internally
  • Know who at your organisation would make the notification decision
  • Have draft notification templates ready
  • Ensure your cloud and SaaS vendors have breach notification SLAs in their contracts

Penalties for Breach Notification Failure

Failing to notify the Data Protection Board of a breach can attract a penalty of up to ₹200 crore. This is separate from penalties for inadequate security safeguards, which can reach ₹250 crore.

Last reviewed: March 2026

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.
