Data Breach in India: Legal Obligations and First Steps
- Kiratraj Sadana
- May 21
- 3 min read
Updated: May 26
Introduction
A data breach is more than a technical problem: it is a legal emergency. With the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 prescribing strict compliance requirements, businesses in India are now under greater scrutiny than ever before when personal data is compromised.
This article outlines what qualifies as a data breach under Indian law, your immediate legal obligations, and how to respond effectively to reduce regulatory and reputational fallout.
What Is a Data Breach?
A data breach is any unauthorised access to, disclosure of, or loss of control over personal data. This can include:
Hacking or ransomware attacks
Accidental exposure of sensitive data
Loss of physical devices containing personal data
Insider threats or employee negligence
Both personal data and sensitive personal data are protected under Indian law.
Applicable Legal Framework in India
| Law / Regulation | Relevance to Data Breach Response |
| --- | --- |
| IT Act, 2000 – Section 43A | Requires implementation of reasonable security practices and compensation for data loss due to negligence. |
| IT Rules, 2011 | Mandates a privacy policy and appointment of a grievance officer. |
| DPDP Act, 2023 | Introduces mandatory breach reporting and penalties up to ₹250 crore. |
| Sectoral Guidelines | RBI, SEBI, IRDAI and others mandate sector-specific breach disclosures. |
Who Must Comply?
Any entity that qualifies as a Data Fiduciary under the DPDP Act—including startups, MNCs, e-commerce platforms, fintech, healthcare providers, and government departments—must comply with data breach obligations if they collect, store, or process digital personal data.
Mandatory Breach Notification: What the Law Says
Under the DPDP Act, 2023, in the event of a personal data breach:
Notify the Data Protection Board of India: As soon as possible, no later than the time prescribed by future rules (expected to mirror GDPR-like timelines).
Notify Affected Individuals: If the breach is likely to cause harm (e.g., identity theft, financial loss, reputational damage), affected users must be informed in clear language.
Maintain Internal Records: All breaches—whether reportable or not—must be documented internally for compliance verification.
First Legal Steps After a Data Breach
If your business suffers a breach, follow these steps immediately:
1. Contain the breach: isolate affected systems and stop the unauthorised access.
2. Assemble an incident response team: include IT, legal, and communications personnel to coordinate the response.
3. Conduct a preliminary assessment: what data was affected? How many users? Was it encrypted? Are there signs of misuse?
4. Notify the authorities and individuals: as required by the DPDP Act and any sectoral regulations.
5. Preserve evidence: keep log files, breach snapshots, and communication trails for regulatory review.
6. Engage legal counsel: to draft notifications, advise on potential penalties, and liaise with the Data Protection Board.
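The steps above, and the "maintain internal records" obligation, translate into a concrete artefact that an incident response team can hand to counsel and, if required, to the Board: a breach register entry that captures the preliminary assessment answers, a manifest of preserved evidence with integrity hashes, and a dated trail of who was notified. The following Python is an added illustration written for this article; it is not the firm's template, not a legal form, and the log lines, incident id, IP address and counts are constructed sample values. The `notification_targets` logic simply mirrors the article's summary (Board always, affected individuals where harm is likely) and is not a substitute for legal advice on a real incident.

```python
"""Added illustration: an internal breach register with an evidence manifest.
Hypothetical code, not a legal template; all sample data is constructed."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample artefacts standing in for preserved log files (not real data).
SAMPLE_EVIDENCE: Dict[str, bytes] = {
    "auth.log": (
        b"2025-05-20T02:13:07Z sshd[4121]: Accepted password for svc-backup from 203.0.113.9\n"
        b"2025-05-20T02:14:52Z sudo: svc-backup : COMMAND=/usr/bin/tar czf /tmp/cust.tgz /srv/customers\n"
    ),
    "web-access.log": (
        b"203.0.113.9 - - [20/May/2025:02:20:11 +0000] \"GET /export?all=1 HTTP/1.1\" 200 8813211\n"
    ),
}


@dataclass
class BreachRecord:
    """One entry in the internal register, kept whether or not the breach is reportable."""
    incident_id: str
    detected_at: str                     # ISO 8601 UTC timestamp
    data_categories: List[str]           # what data was affected
    affected_count: int                  # how many users
    encrypted_at_rest: bool              # was the data encrypted?
    misuse_indicators: List[str]         # signs of misuse observed so far
    likely_harm: bool                    # assessment outcome that drives individual notice
    notifications: List[dict] = field(default_factory=list)
    evidence: Dict[str, dict] = field(default_factory=dict)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_evidence_manifest(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Record size, SHA-256 and capture time of each preserved artefact."""
    captured = datetime.now(timezone.utc).isoformat()
    return {
        name: {"bytes": len(blob), "sha256": sha256_hex(blob), "captured_at": captured}
        for name, blob in files.items()
    }


def verify_evidence(files: Dict[str, bytes], manifest: Dict[str, dict]) -> List[str]:
    """Return artefacts that are missing or whose content no longer matches the manifest."""
    return [
        name for name, entry in manifest.items()
        if name not in files or sha256_hex(files[name]) != entry["sha256"]
    ]


def notification_targets(record: BreachRecord) -> List[str]:
    """Who must be told, following the article's summary of the DPDP Act (simplified)."""
    targets = ["Data Protection Board of India"]   # every personal data breach
    if record.likely_harm:
        targets.append("Affected individuals")      # only where harm is likely
    return targets


def log_notification(record: BreachRecord, recipient: str, channel: str) -> None:
    """Append a dated entry to the record's communication trail."""
    record.notifications.append({
        "recipient": recipient,
        "channel": channel,
        "sent_at": datetime.now(timezone.utc).isoformat(),
    })


def register_to_json(records: List[BreachRecord]) -> str:
    """Serialise the register for auditors, counsel or the Board."""
    return json.dumps([asdict(r) for r in records], indent=2, sort_keys=True)


def example_record() -> BreachRecord:
    """Assemble a record for the constructed sample incident (hypothetical values)."""
    record = BreachRecord(
        incident_id="INC-EXAMPLE-001",
        detected_at="2025-05-20T03:00:00+00:00",
        data_categories=["name", "email", "phone"],
        affected_count=8400,
        encrypted_at_rest=False,
        misuse_indicators=["bulk export by service account", "export downloaded from unknown IP"],
        likely_harm=True,
        evidence=build_evidence_manifest(SAMPLE_EVIDENCE),
    )
    for target in notification_targets(record):
        log_notification(record, target, "email")
    return record


if __name__ == "__main__":
    rec = example_record()
    print(register_to_json([rec]))
    # Simulate a later integrity check against a copy in which one artefact was overwritten.
    tampered = dict(SAMPLE_EVIDENCE, **{"auth.log": b"(rotated)\n"})
    print("integrity problems:", verify_evidence(tampered, rec.evidence))
```

Hashing each preserved file at capture time is what lets the team show a regulator, months later, that the logs produced in an inquiry are the ones collected on the day; the manifest and the notification trail together are the "internal record" the DPDP Act expects, and the register is kept even when `notification_targets` returns only the Board.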
Penalties for Failing to Respond Correctly
Under the DPDP Act, penalties for breach-related failures include:
| Failure Type | Maximum Penalty |
| --- | --- |
| Failure to take reasonable safeguards | ₹250 crore |
| Failure to notify the Board or affected users | ₹200 crore |
| Non-cooperation during inquiries | ₹50 crore |
Can You Be Sued for a Data Breach in India?
Yes. Apart from regulatory penalties:
Users may claim compensation under Section 43A of the IT Act.
Class action lawsuits may be viable in large breaches.
Shareholders, investors, and partners may initiate proceedings for loss of value or reputational harm.
How Apar Law Helps in Breach Response
We offer 360° legal support for data breach management:
Immediate breach response strategy and legal compliance
Drafting and filing notifications to regulators and individuals
Reviewing contracts and policies for liability control
Conducting internal data audits and root cause analysis
Representing companies before the Data Protection Board