🚨 Data Breach Under DPDPA 2023
A personal data breach means any unauthorized processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data.
⏱️ Breach Notification Timeline
Immediate
Notify Data Protection Board
Immediate
Notify affected Data Principals
6 Hours
Report to CERT-In (cyber incidents)
Ongoing
Containment & remediation
💰 Penalty Framework
₹250 Cr
Security safeguard failure
₹200 Cr
Breach notification failure
₹200 Cr
Children's data violation
₹150 Cr
SDF non-compliance
📌 Multiple Penalties Possible
A single breach can attract multiple penalties. Total exposure can exceed ₹500 Crore!
📋 CERT-In Reporting (2022 Directions)
📌 6-Hour Reporting Rule
Report cyber incidents to CERT-In within 6 hours. Maintain logs for 180 days within Indian jurisdiction.
Reportable Incidents
- Data breach / data leak
- Unauthorized access to IT systems
- Ransomware and malicious code attacks
- Identity theft, phishing attacks
- Attacks on critical infrastructure
🏛️ Sectoral Regulations
🏦
RBI
2-6 hours for banks
📈
SEBI
6 hours for intermediaries
🏥
IRDAI
48 hours for insurers
📡
CERT-In
6 hours for all
⚖️ Civil & Criminal Liability
| Type | Provision | Consequence |
|---|---|---|
| DPDPA Penalty | Schedule | Up to ₹250 Crore |
| IT Act 43A | Negligent data handling | Compensation |
| IT Act 72 | Breach of confidentiality | 2 years + fine |
| IT Act 72A | Disclosure in breach of contract | 3 years + ₹5 lakh |
| Consumer Act | Deficiency in service | Compensation |
✅ Liability Mitigation
Reasonable security safeguards, prompt notification, quick containment, cooperation with authorities, and prior compliance documentation (audits, DPIA).
📝 Part 12.2 Quiz
Q1: Maximum penalty for security failure under DPDPA:
Q2: CERT-In breach reporting timeline:
Q3: Log retention under CERT-In rules:
Q4: Penalty for breach notification failure:
Q5: IT Act Section for breach of confidentiality:
Q6: RBI breach reporting for banks:
Q7: CERT-In Directions issued in:
Q8: Section 72A max imprisonment:
Q9: Children's data violation penalty:
Q10: Logs must be maintained in: