🚨 Four-Phase Breach Response

🔴 Phase 1: Detection & Assessment

0-6 Hours
  • Identify source and scope of breach
  • Preserve evidence (logs, screenshots, systems)
  • Classify data types affected (personal, sensitive, financial)
  • Estimate number of affected individuals
  • Activate Incident Response Team
  • Engage forensic investigator if needed

🟡 Phase 2: Containment

6-24 Hours
  • Isolate affected systems
  • Block unauthorized access points
  • Reset compromised credentials
  • Implement emergency patches
  • Document all containment actions
  • Preserve evidence chain of custody
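The evidence-preservation steps in Phases 1 and 2 depend on being able to prove later that logs and forensic images were not altered after collection. The following Python ledger is an added illustration, not part of this playbook; its function names and ledger fields are this example's own assumptions. Each artifact is fingerprinted with SHA-256 and each ledger entry is hash-linked to the previous one, so both a changed artifact and an edited ledger entry are detectable.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-link of the first ledger entry

def sha256_file(path, chunk=1 << 20):
    # Stream in chunks so forensic images larger than RAM can still be fingerprinted.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_hash(entry):
    # Canonical JSON of the entry minus its own hash field, so the hash is reproducible.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_evidence(ledger, path, collected_by, description):
    # One custody entry per artifact: what, who, when, fingerprint, link to prior entry.
    entry = {
        "path": os.path.abspath(path),
        "description": description,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "prev": ledger[-1]["entry_hash"] if ledger else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry

def verify_artifacts(ledger):
    # Re-hash every artifact; return the paths that were altered or have gone missing.
    return [e["path"] for e in ledger
            if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]]

def verify_ledger(ledger):
    # True only if every entry's hash and prev-link are intact (no entry edited or removed).
    prev = GENESIS
    for e in ledger:
        if e["prev"] != prev or entry_hash(e) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True
```

Persist the ledger as JSON next to the evidence store and re-run verify_ledger and verify_artifacts before findings are handed to counsel or a regulator.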

🟣 Phase 3: Notification

6-72 Hours
  • Report to CERT-In within 6 hours
  • Notify Data Protection Board (DPDPA)
  • Notify sectoral regulators (RBI, SEBI, IRDAI)
  • Prepare Data Principal notification
  • Brief senior management and board
  • Prepare external communications

🟢 Phase 4: Remediation & Review

Ongoing
  • Implement permanent fixes
  • Conduct root cause analysis
  • Update security controls
  • Revise incident response plan
  • Document lessons learned
  • Prepare for regulatory inquiry/litigation

📝 Notification Templates

Template 1: CERT-In Notification

To: incident@cert-in.org.in
Subject: Cyber Security Incident Report - [Company Name]

Date/Time of Incident: [DD/MM/YYYY HH:MM IST]
Date/Time of Detection: [DD/MM/YYYY HH:MM IST]
Type of Incident: [Data Breach / Unauthorized Access / Ransomware]

INCIDENT DETAILS:
1. Nature: [Brief description]
2. Systems Affected: [Server/Database/Application]
3. Data Compromised: [Type and volume]
4. Estimated Impact: [Number of records/individuals]
5. Attack Vector: [If known]

CONTAINMENT MEASURES:
[Actions taken to contain breach]

CONTACT:
Name: [CISO/DPO Name]
Phone: [Number]
Email: [Email]

[Signature]

Template 2: Data Principal Notification

Subject: Important: Notice of Data Security Incident

Dear [Name],

We are writing to inform you of a data security incident that may have affected your personal information.

WHAT HAPPENED:
On [Date], we discovered unauthorized access to our systems containing personal data.

WHAT INFORMATION WAS INVOLVED:
The following categories of your data may have been affected:
- [Name, Email, Phone, etc.]

WHAT WE ARE DOING:
1. Contained the incident and secured our systems
2. Engaged forensic investigators
3. Reported to relevant authorities
4. Enhanced security measures

WHAT YOU CAN DO:
1. Monitor your accounts for suspicious activity
2. Change passwords for related accounts
3. Be cautious of phishing attempts

CONTACT US:
For questions, contact our Data Protection Officer:
Email: [dpo@company.com]
Phone: [Helpline number]

We sincerely apologize for this incident.

[Signature]

✅ Breach Response Checklist

📋 Immediate Actions (First 6 Hours)
  • Activate Incident Response Team
  • Document timeline and facts
  • Preserve all evidence (forensic images)
  • Assess scope and affected data
  • Contain the breach
  • Notify CERT-In (6-hour deadline)
  • Engage legal counsel
  • Brief senior management

📋 24-72 Hour Actions
  • Notify Data Protection Board
  • Notify sectoral regulators (RBI/SEBI/IRDAI)
  • Prepare Data Principal notification
  • Brief Board of Directors
  • Prepare media response (if needed)
  • Engage PR/communications team

⚖️ Legal Privilege Considerations

⚠️ Protecting Investigation Privilege
  • Engage external counsel to direct investigation
  • Label forensic reports as "Privileged & Confidential - Attorney Work Product"
  • Route communications through legal counsel
  • Maintain separate privileged and non-privileged tracks
  • Limit distribution of investigation findings

📝 Part 12.7 Quiz

Q1: CERT-In reporting deadline:

Q2: First action on detecting breach:

Q3: DPDPA requires notification to:

Q4: To protect privilege, engage:

Q5: Containment phase timeline:

Q6: Evidence preservation requires:

Q7: Board briefing should happen within:

Q8: Root cause analysis happens in:

Q9: Forensic reports should be labeled:

Q10: Incident Response Team activation is: