Data Protection in India is a Joke
Your sensitive financial details, medical history, and even your Aadhaar number are available to hackers at the click of a button. Hackers don’t need sophisticated tools—they can get to your data faster than you can hit ‘submit’ on a Google form. India is sitting on a ticking time bomb of personal data breaches, with more than 100 million records leaked over just a few years. This isn’t some dystopian sci-fi; it’s India's digital reality.
And it’s no laughing matter…
Your personal data is a goldmine, and businesses and hackers alike are digging in with zero regard to user consent. The DPDP Act with its strict laws and steep penalties is the farthest our country has come in its efforts to protect data privacy.
Why should businesses care?
The DPDP Act takes data breaches very seriously and the stakes are monumental. The Act mandates that organizations take comprehensive measures to prevent, and if necessary, respond to data breaches effectively. Data breaches can precipitate massive financial losses, inflict irreparable damage to your brand's reputation, and can now attract penalties as steep as ₹250 Crores.
What constitutes a Personal Data Breach?
As per the Digital Personal Data Protection (DPDP) Act of 2023, a data breach occurs when personal data that should have remained secure and confidential gets exposed—whether through hacking, accidental release, or careless handling. The definition is fairly broad - any unauthorized or accidental disclosure, alteration, loss, or access that compromises the confidentiality, integrity, or availability of personal data.
Let us break down these terms:
Unauthorized Access: This occurs when data is accessed without permission, often through hacking or security oversights, exposing personal data to individuals or entities without the right to view it.
Accidental Disclosure: This can happen when personal data is mistakenly sent to the wrong recipient, published online without proper safeguards, or otherwise exposed through some kind of human error.
Data Loss: Often a result of technical failures or disasters (like fires or floods), data loss happens when data is destroyed without backups available. It can also happen in cyber attacks like ransomware where your access to your data is revoked and it can be deleted or permanently lost.
Alteration: When data is changed without authorization, altering its original state and potentially leading to misinformation or misuse.
Why are Personal Data Breaches such a Big Deal?
According to the Internet Freedom Foundation (IFF), India has seen an alarming number of data breaches over the past few years. IFF reported that between 2018 and 2021, over 500 million records containing personal data of Indian citizens were exposed in various breaches. This number continues to rise, underscoring the urgency of implementing stringent data protection mechanisms in India.
IFF also noted that specific sectors, such as healthcare, financial services, and e-commerce, are frequent targets for breaches. For instance, the financial sector witnessed multiple breaches involving banks and digital payment platforms which store vast amounts of sensitive personal and financial data.
People suffer: Data breaches can have a profound impact on users. Victims may face financial losses, such as fraudulent charges or the costs associated with securing their credit and identity. Data breaches also erode trust in the affected institutions.
Just last year, the Indian Council of Medical Research (ICMR) suffered a massive leak that compromised the personal data of 81.5 crore individuals, potentially making it one of the largest breaches in India’s history. The stolen data included Aadhaar numbers, passport details, home addresses, and possibly sensitive medical records related to COVID-19 testing. The breach exposed millions of people to the risk of identity theft and financial fraud, as their Aadhaar numbers could be exploited to access banking services or government schemes. The compromised medical records also caused serious privacy violations with personal health data being exposed.
You can use websites like Have I Been Pwned (HIBP) and Firefox Monitor to check if your email addresses or phone numbers have been compromised in a data breach. These services collect information from publicly disclosed breaches and provide notifications if your data appears in their databases. Additionally, Google’s Dark Web Report feature (available through Google One) can help you monitor if your personal information, like email addresses and phone numbers, has surfaced on the dark web.
Financial Implications: Data breaches can lead to direct financial losses through fraud or the necessity of remedial actions, such as legal fees and compensations. Indirect costs include potential fines imposed for non-compliance with data protection laws, which under the DPDP Act can reach up to ₹250 Crores.
Reports indicate a significant rise in data breaches affecting Indian users. According to a study by IBM referenced in IFF’s work, the average data breach cost in India was ₹14 crore, marking an increase of 9.4% since 2014. Additionally, the per-record data cost went up by 10%, indicating that data breaches are not only frequent but also increasingly expensive to manage. The average time to both detect and contain a breach has also increased, taking approximately 230 days to detect and 83 days to contain.
Zomato experienced this first hand in 2021 when data of 17 million users was stolen and put up for sale. Zomato faced significant market valuation drops due to loss of consumer trust and potential fines. It further bore heavy direct costs of securing the breach, legal fees, and compensation to users.
Legal Consequences: Beyond financial penalties, failing to manage data securely can lead to legal actions and regulatory directives that significantly impact a business. Such directives can disrupt operations, increase scrutiny and operational costs, erode trust with partners, damage market reputation, and necessitate costly upgrades for compliance.
This year, the Reserve Bank of India (RBI) imposed a ban on Kotak Mahindra Bank, barring it from onboarding new customers through online and mobile channels and from issuing new credit cards. This action was taken due to serious deficiencies identified in the bank’s IT systems, including shortcomings in IT inventory management, patch and change management, user access management, vendor risk management, and data security. The bank was required to conduct a comprehensive external audit, approved by the RBI, to address these deficiencies.
Reputational Damage: In the digital age, news of data breaches spreads quickly, leading to a faster decline in business reputation. Individuals may become wary of digital transactions, potentially withdrawing from online activities that they previously engaged in without concern. This hesitancy can alter consumer behavior and impact digital commerce ecosystems. Moreover, the tedious process of securing one's identity and the potential of personal information being misused or sold can lead to long-term vigilance, further embedding the breach's impact into everyday life. Rebuilding the lost trust requires significant investment in both time and resources to enhance security measures and transparent communication efforts.
Take the example of BigBasket, which experienced a significant data breach in 2020 which compromised the personal information of over 20 million users, including names, email addresses, and hashed passwords. The incident was widely publicized, leading to heightened consumer apprehension and distrust. The breach sparked immediate public relations challenges and had long-lasting effects on customer loyalty and brand perception. In the aftermath, BigBasket had to invest heavily in security enhancements and transparent communication to rebuild trust and assure their customers of enhanced data protection measures.
What is the DPDP Law on Personal Data Breaches
The Digital Personal Data Protection Act lays down a detailed framework aimed at preventing and responding to personal data breaches. This framework emphasizes proactive measures and timely responses, placing significant responsibilities on Data Fiduciaries (businesses deciding the how and why of using personal data) to ensure data security and compliance. The fiduciaries are also responsible for preventing and responding to personal data breaches through data processors (third parties or vendors employed by the fiduciary) who process data on behalf of the fiduciary.
Breach Prevention Obligations
Data Fiduciaries are mandated to implement ‘Reasonable Security Safeguards’ to prevent data breaches. This standard has not been defined in the Act or in the leaked copies of the DPDP Rules. The BN Srikrishna Committee referred to the definition in the Information Technology (Reasonable Security Practices) Rules, 2011 (SPD Rules), which could guide the DPDP standard for data security as well. The SPD Rules define reasonable security practices as implementing security standards, a detailed information security program, and comprehensive policies covering managerial, technical, operational, and physical measures appropriate to the data and business type. The IS/ISO/IEC 27001 standard is recognized, and custom standards must be government-approved.
To further strengthen breach prevention, a certain class of ‘Significant Data Fiduciaries’ under the DPDP Act are tasked with additional compliances: they must conduct regular risk assessments to identify vulnerabilities within their data processing systems and infrastructures.
The penalty for failing to undertake reasonable security safeguards to prevent personal data breach is ₹250 Crores per instance of breach. This is the highest penalty envisaged in the DPDP Act. We have covered DPDP Penalties in greater detail in another consent blog.
Breach Notification Obligations
Immediate Notice: Upon discovering a data breach, Data Fiduciaries must immediately notify the Data Protection Board (DPB) AND the affected Data Principals (users). The notification to the DPB and affected Data Principals must be crafted and delivered in a manner that is clear, concise, and useful to those receiving them. The notification must occur without undue delay, ensuring that all parties are informed promptly to take necessary actions to mitigate the impact of the breach.
Notice to the DPB: As per one of the leaked copies of the upcoming DPDP Rules, a fiduciary must inform the DPB of the following details as soon as it becomes aware of a personal data breach at its end:
- Description of breach and its nature;
- Date and time when the fiduciary became aware of the breach;
- Timing or duration of the breach;
- Location where the breach occurred;
- Nature and quantum of data affected; and
- Potential impact of the breach.
The leaked rules require any business that faces a breach to disclose it to the DPB within 72 hours of gaining knowledge of the breach. The DPB may extend the intimation period upon a written request made by the fiduciary. A disclosure about a breach to the DPB must cover:
- Broad facts, reasons and circumstances that led to the breach;
- Detailed description of the extent of the breach including the number of users affected or likely to be affected;
- Updates on any previous information shared with the board;
- Measures proposed or already undertaken to mitigate risks to the users;
- Findings relating to the person responsible for the breach;
- Remedial measures to prevent recurrence of such a breach.
The fiduciaries will be able to submit this information via the DPB website. They also have the option of using a “Personal Data Breach Intimation Artefact” to fulfill the notification obligation. The Breach Intimation Artefact is a machine-readable electronic record that lets the fiduciary or a consent manager report a data breach to the DPB in the manner specified under law. The Artefact will contain:
- Information identifying the concerned fiduciary or consent manager;
- Electronic signature of the fiduciary or consent manager; and
- A sequence of characters uniquely identifying the electronic record.
Notice to the Data Principal: As per the same leaked DPDP Rules, a similar notice of breach must be sent to the affected user as soon as the fiduciary becomes aware of the breach. This notice must include:
- Description of the breach, its nature, and the cause whether the breach was due to unauthorized processing, accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data;
- Timing or duration of the breach;
- Extent of the breach as it relates to the data principal. This means one breach could prompt a fiduciary to send multiple customized notices, one to each affected user;
- The consequences for the user that are likely to arise from the breach;
- Mitigating measures undertaken by the fiduciary, if any;
- Safety measures that can be taken by the user to protect their interests;
- Name and contact information of the Data Protection Officer (DPO) or equivalent person from the fiduciary company who is responsible for responding to the breaches.
Such a notice may be presented to the user via any mode of communication of the user that is registered with the fiduciary or any other effective method such as in-app notification. The notice should also be easily storable by the user for future reference. The penalty for failing to notify the user or the DPB about a personal data breach is ₹200 Crores per instance. This is the second-highest penalty envisaged under the DPDP Act.
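The two notices above (to the DPB and to the Data Principal) and the Breach Intimation Artefact are described only in prose. The script below is an added illustration, not code from the post or from any official DPDP tooling: it checks a notice for the required fields, computes the 72-hour intimation deadline, and assembles the artefact's three parts (fiduciary identity, electronic signature, unique record identifier). The JSON key names are this example's own assumption, and HMAC-SHA256 stands in for whatever electronic signature scheme the final rules prescribe.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Field sets paraphrased from the leaked rules as summarised in the post;
# the key names are this example's own assumption, not an official schema.
DPB_FIELDS = ("description", "aware_at", "breach_window", "location",
              "data_affected", "potential_impact")
PRINCIPAL_FIELDS = ("description", "breach_window", "extent_for_principal",
                    "likely_consequences", "mitigation_by_fiduciary",
                    "safety_steps_for_user", "dpo_contact")
INTIMATION_WINDOW = timedelta(hours=72)


def missing_fields(notice: dict, required=DPB_FIELDS) -> list:
    """Names of required fields that are absent or empty in a notice."""
    return [f for f in required if not notice.get(f)]


def intimation_deadline(aware_at: str) -> datetime:
    """72-hour DPB deadline counted from when the fiduciary became aware."""
    return datetime.fromisoformat(aware_at) + INTIMATION_WINDOW


def is_within_deadline(aware_at: str, now: str) -> bool:
    return datetime.fromisoformat(now) <= intimation_deadline(aware_at)


def _canonical(fiduciary_id: str, notice: dict) -> bytes:
    # Deterministic serialisation so the identifier and signature are stable.
    return json.dumps({"fiduciary_id": fiduciary_id, "notice": notice},
                      sort_keys=True, separators=(",", ":")).encode()


def build_artefact(fiduciary_id: str, notice: dict, key: bytes) -> dict:
    """Assemble the artefact: identity, signature and unique record id.
    HMAC-SHA256 stands in for the electronic signature (assumption)."""
    gaps = missing_fields(notice)
    if gaps:
        raise ValueError(f"DPB notice incomplete, missing: {gaps}")
    body = _canonical(fiduciary_id, notice)
    return {
        "fiduciary_id": fiduciary_id,
        "notice": notice,
        "record_id": hashlib.sha256(body).hexdigest(),
        "signature": hmac.new(key, body, hashlib.sha256).hexdigest(),
    }


def verify_artefact(artefact: dict, key: bytes) -> bool:
    """True only if neither the record id nor the signature has been altered."""
    body = _canonical(artefact["fiduciary_id"], artefact["notice"])
    id_ok = hmac.compare_digest(hashlib.sha256(body).hexdigest(),
                                artefact["record_id"])
    sig_ok = hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(),
                                 artefact["signature"])
    return id_ok and sig_ok


# Constructed sample notice describing a fictional incident.
SAMPLE_NOTICE = {
    "description": "Misconfigured object store exposed a customer export",
    "aware_at": "2024-06-01T09:00:00+05:30",
    "breach_window": "2024-05-28T00:00:00+05:30 to 2024-06-01T08:40:00+05:30",
    "location": "Primary cloud storage account, ap-south-1",
    "data_affected": "Names, emails and phone numbers of ~12,000 users",
    "potential_impact": "Phishing and identity fraud against affected users",
}

if __name__ == "__main__":
    art = build_artefact("EXAMPLE-FIDUCIARY-001", SAMPLE_NOTICE, b"demo-key")
    print(art["record_id"][:16], verify_artefact(art, b"demo-key"))
    print("DPB deadline:", intimation_deadline(SAMPLE_NOTICE["aware_at"]))
```

The same `missing_fields` check run with `PRINCIPAL_FIELDS` validates the per-user notice, so a fiduciary can gate each customised notice on the same required-field list before sending it.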
Sectoral Laws Mandating Data Breach Notification
- RBI - has issued the Master Direction on Outsourcing of Information Technology Services, effective October 1, 2023. This directive applies to various RBI-regulated entities including commercial banks, small finance banks, payments banks, and non-banking financial companies, among others. The Directions oblige service providers to immediately notify the regulated entities of any cyber incidents, and the regulated entities in turn must report these incidents to the RBI within six hours of detection. The RBI has also issued the Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices, effective April 1, 2024. The Direction mandates regulated entities to establish robust data security protocols. Crucially, the directive also requires these entities to have a cyber incident response mechanism in place and to report such incidents promptly to both the RBI and CERT-In, ensuring alignment with broader cyber security regulations.
- CERT-In - The Indian government has designated CERT-In to oversee the collection, analysis, and dissemination of information related to cyber incidents. As outlined in the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, and supplemented by the Cyber Security Directions, service providers, intermediaries, data centers, and corporate entities must promptly notify CERT-In about incidents such as targeted scanning or probing of critical networks/systems, compromise of critical systems or information, unauthorized access to IT systems or data, and defacement of websites, among others.
- IRDAI - has published the Guidelines on Information and Cyber Security for Insurers in April 2023. This comprehensive directive applies to a wide range of entities within the insurance sector, including brokers, corporate agents, TPAs, and more. The guidelines stipulate that all specified insurance entities must adopt a Board-approved cyber security policy and undergo an independent assurance audit annually. Additionally, any information security incidents must be promptly reported to various stakeholders, including the IRDAI and CERT-In, within six hours of detection, as well as to law enforcement and affected customers.
- SEBI - in its notification dated June 14, 2023, inserted Regulation 27(2)(ba) into the Listing Regulations. This mandates that listed entities disclose details of cyber security incidents or breaches or loss of data or documents in their quarterly Corporate Governance report. Subsequently the stock exchanges released a format for the disclosure of cyber security incidents in the quarterly governance report. This format requires entities to confirm any instances of cyber security incidents or breaches or loss of data or documents during the quarter; provide the date of the event; and give brief details of the event.
Preventive Measures to Avoid Data Breaches
The saying “prevention is better than cure” applies squarely to personal data breach compliances under the DPDP Act. Robust security of personal data within an organization requires a systematic approach that spans technical, administrative, and educational strategies. Here’s how Data Fiduciaries can fortify their defenses against data breaches, in alignment with the mandates of the Digital Personal Data Protection Act 2023:
- Data Minimization: Adopt a policy of collecting only the data that is necessary for the specific purposes defined by your organization. This reduces the risk of exposing unnecessary personal data in the event of a breach.
- Storage Limitation: Limit the retention of personal data to a predefined period that aligns with the purpose for which the data was collected. After this period, ensure that the data is securely deleted to prevent unauthorized access. Refer to our industry specific Guide to Data Retention for further guidance.
- Encryption: Use strong encryption to protect data at rest and in transit. This makes it harder for unauthorized individuals to access or decipher the data even if they manage to bypass other security measures.
- Security Protocols: Implement robust security protocols such as SSL/TLS for encrypted connections, firewalls, and intrusion detection systems to monitor and protect network traffic and prevent unauthorized access to data systems.
- Data Governance Policies: Establish clear data governance policies that outline how data is handled, who has access to it, and the procedures for data processing and storage. These policies should be regularly updated to reflect new security challenges and regulatory requirements.
- Regular Risk Assessments and Audits: Conduct regular risk assessments to identify potential vulnerabilities in your data handling and storage processes. Follow these assessments with comprehensive audits to ensure that all systems comply with your data governance policies and any regulatory requirements.
- Third Party Oversight: Ensure that all data processors operating on behalf of your organization are bound by contractual agreements that mandate adherence to the same security standards and practices as the data fiduciaries. Include your third party vendors/data processors within your assessment audits to ensure compliance across the board.
- Regular Training Programs: Develop ongoing education and training programs for all employees on the importance of data security and the specific practices they must follow to protect sensitive information. Include training on recognizing phishing attempts and other common cyber threats.
- Awareness Campaigns: Regularly update staff on new security protocols and potential threats. Make data security awareness a part of the company culture to ensure everyone understands their role in protecting personal data.
Effective Breach Response Strategies
When a data breach occurs, the way an organization responds can significantly influence the outcomes for both the business and affected individuals. Here’s a structured approach to effectively managing data breaches:
Immediate Measures
- Identify and Contain: The first step in responding to a data breach is to quickly identify the source and scope of the breach. Once identified, take immediate action to contain the breach. This might involve disabling compromised accounts, blocking unauthorized access points, or isolating affected network segments.
- Assess the Impact: Evaluate the types of data involved in the breach to understand the potential impact on individuals and the organization. This assessment will guide the subsequent steps of the response, including notification and remediation efforts.
- Secure Evidence: Preserve evidence related to the breach for forensic analysis and legal purposes. This includes logs, system images, and access records that can help in understanding how the breach occurred and in preventing future incidents.
Developing a Breach Response Plan
- Preparation: Establish a formal breach response plan that includes roles and responsibilities, response procedures, and communication strategies. This plan should be an integral part of the organization’s overall security strategy.
- Response Team: Assemble a response team that includes members from IT, legal, communications, and upper management. This team is responsible for managing the breach from detection to resolution. Your DPO or equivalent person should be heading the response efforts.
- Legal Compliance: Ensure that the response plan adheres to regulatory requirements, such as those outlined in the Act and upcoming rules which may dictate specific steps for notification and remediation. For example, the notice of breach must be made easily preservable or storable for the customer.
Communication Strategies
- Internal Communication: Quickly inform relevant internal stakeholders of the breach. Clear and direct communication helps in mobilizing the necessary resources and expertise to address the breach effectively.
- External Communication: Notify the affected users and the DPB without delay. Communications should be clear, concise, and provide specific advice on how individuals can protect themselves from potential harm resulting from the breach.
- Transparency: Maintain transparency with external stakeholders, including customers, partners, and the public, about what occurred and what is being done to resolve the issue and prevent future breaches.
Remediation Measures
- Address Vulnerabilities: After containing the breach, work on closing security gaps that allowed the breach to occur. This might involve updating software, changing policies, or reconfiguring systems.
- Monitor Post-Breach Activity: Keep an eye on the affected systems to detect any sign of residual or renewed malicious activity. Continuous monitoring in the aftermath of a breach can prevent additional data loss.
- Review and Learn: After managing the breach, conduct a thorough review of the incident and the effectiveness of the response. This review should lead to an update of the breach response plan and security measures based on lessons learned.
Next Steps
To deepen your understanding of data protection and ensure your organization remains compliant with the DPDP Act, consider exploring additional resources on our Consent Blog or refer to our DPDP Compliance Checklist. Staying informed about the latest in data security and regulatory changes can help you adjust your strategies proactively.
If you have questions about how to implement these strategies in your organization or need professional advice tailored to your specific needs, please reach out by filling the form below.
Wish to outsource your DPDP compliance to experts so you focus on your core business? Sign up for a free demo of our Consent Manager made specifically for the DPDP Act.