Reports of personal data breaches and cyber security incidents adversely impacting thousands of people and businesses are frequent. A recent study reported 388 data breaches, 107 data leaks, 39 ransomware activities, and 59 cases of access sales or leaks in the first six months of 2024.

Last year, the Ministry of Electronics and Information Technology stated that India witnessed 13.91 lakh cyber security incidents in 2022, and 47 incidents of data leaks and 142 incidents of data breaches during the last five years. Discrepancies in numbers from different sources show that recorded instances are just the tip of the iceberg, as several remain undetected or are not officially reported.

Such incidents can involve personal data of individuals, or non-personal data, such as commercially sensitive data, trade secrets, operational data, etc. They cause harm to individuals through the exposure of their personal information, often resulting in financial or identity-related fraud, and potentially threaten economic and national security. They can also cause significant disruption to business operations, or reputational damage which is much harder to fix in an environment of rapidly declining consumer trust.

Incidents can occur through a variety of means. Some are malicious and intentional such as targeted attacks on systems, or exploitation of vulnerabilities in software, while others are simple inadvertent human error, or poor data access policies resulting in unauthorised access. Legal compliances and remedies vary and overlap depending on the types of data affected or incident(s) that have occurred.

Legal framework 

The regulatory framework is scattered across various legal instruments, but the primary legislation is the Information Technology Act, 2000, and its rules. It provides for the establishment of India’s Computer Emergency Response Team (CERT-In) and reporting obligations.

However, over the years several other laws have emerged, tailored for specific types of data or sectors. These include the Digital Personal Data Protection Act, 2023 (DPDP Act) for personal data breaches, the Aadhaar Act, 2016, and its rules and sector-specific regulations from the RBI, SEBI, etc.

Reporting obligations

The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, (CERT-In Rules) along with the Cyber Security Directions 2022 (CERT-In Directions) mandate entities to report cybersecurity incidents to the CERT-In within six hours.

On personal data breaches, the DPDP Act requires entities processing personal data to notify the Data Protection Board of India and each affected individual in the event of a ‘personal data breach’. The scope of a personal data breach prescribed under the law is broad, however, the DPDP Act is not yet fully in force due to pending rules and the establishment of the data protection board.

A comprehensive approach

Beyond complying with legal mandates, organisations must adopt a comprehensive approach, including preventive measures that secure data to prevent breaches, an incident response plan to swiftly address them, and remedial actions to mitigate harm and ensure accountability. While dealing with personal data, higher standards of protection and clear processing guidelines at the organisational level to mitigate risks are needed. Irrespective of the type of data, at the very minimum, businesses must consider adopting and establishing the following:

Preventive measures: Businesses need to design effective breach prevention strategies based on detailed risk assessments and deploy technical and organisational measures. Technical measures may include pseudonymisation and encryption of personal data, backup and disaster recovery processes, regular system audits and intrusion prevention and detection systems to identify and respond to breaches before they escalate. Organisational measures to prevent employees from falling prey to phishing and other tactics could include regular employee training on data breach management principles and internal procedures for responding to security incidents.

Incident response plan: This is vital for managing data breaches, with designated personnel responsible for information security, supported by adequate resources and authority. It should be designed to provide a systematic way to address different types of incidents, mitigate their impact and provide clear procedures to regain control of compromised data and systems.

Remedial measures: After a breach or incident, organisations must document each step taken before and after such incident. Once a breach is contained and control over the compromised data/system is regained, an in-depth assessment and audit should be conducted. This would help improve the efficacy of measures deployed by them and help with resilience.

Needless to say, in the event of a data breach, co-operation with law enforcement agencies and compliance with legal obligations are essential.

(Gangesh Varma and Yaqoob Alam work with the Technology and Policy practice, at Saraf and Partners.)

Disclaimer: The views expressed above are the author's own. They do not necessarily reflect the views of DH.