2.1 The Multi-Regulator Notification Landscape
A single data breach in India can trigger notification obligations to multiple regulators simultaneously. Legal counsel must map all applicable requirements and create a coordinated notification strategy to avoid compliance failures.
Notification Timeline Overview
These are SEPARATE obligations. Reporting to one regulator does NOT satisfy obligations to others. Each requires specific format, content, and channel. Maintain a compliance matrix for each incident.
2.2 DPDPA Notification to Data Protection Board
Section 8(6) of DPDPA creates mandatory breach notification obligations for Data Fiduciaries, requiring notification to both the Data Protection Board and affected Data Principals.
Statutory Requirement
Section 8(6) states: "In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed."
Expected Notification Content (Based on Global Standards)
- Nature of the Breach: Description of what happened, how data was compromised
- Categories of Data Affected: Types of personal data involved (financial, health, identity)
- Approximate Number Affected: Estimated count of Data Principals impacted
- Likely Consequences: Potential risks to affected individuals
- Remedial Measures Taken: Steps taken to address the breach and mitigate harm
- Contact Information: Data Protection Officer or designated contact details
While DPDPA Rules are yet to be notified, international standards (GDPR) and industry expectations suggest a 72-hour notification window "without unreasonable delay." Prepare for this timeline in your incident response plan.
Notification to Data Principals
Unlike regulatory notification, notification to affected individuals must be:
- Clear and Simple: Avoid legal jargon - Data Principals are laypeople
- Actionable: Specific steps they should take (change passwords, monitor accounts)
- Direct: Reach affected individuals through verified channels
- Prompt: Delays increase harm and regulatory scrutiny
Pre-draft notification templates for both Board and Data Principal communications. Have them legally reviewed BEFORE an incident. During a breach, you will not have time for careful drafting from scratch.
2.3 CERT-In 6-Hour Reporting Rule
The CERT-In Directions 2022 mandate incident reporting within 6 hours - one of the strictest timelines globally. Understanding what triggers this obligation and how to comply is essential for incident response.
When Does the 6-Hour Clock Start?
The Directions state: "within 6 hours of noticing such incidents or being brought to notice about such incidents."
| Trigger Event | Clock Starts When | Practical Implication |
|---|---|---|
| Security tool alert | Alert is received and reviewed | SOC must have process for immediate legal escalation |
| Third-party notification | When organization is informed | Third-party breach clauses should require immediate notice |
| User complaint | When complaint is received | Helpdesk must recognize security incidents |
| Media report | When organization becomes aware | Media monitoring is part of incident detection |
| Regulatory inquiry | When inquiry is received | May already be in violation if not self-reported |
Reportable Incidents Under CERT-In Directions
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorised access to IT systems/data
- Defacement of website or intrusion into website
- Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers
- Attack on servers (Database, Mail and DNS) and Routers
- Identity Theft, spoofing and phishing attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Attacks on Critical infrastructure, SCADA systems and Wireless networks
- Attacks on Applications such as E-Governance, E-Commerce etc.
- Data Breach
- Data Leak
- Attacks or incident affecting Digital Payment systems
- Attacks through Malicious mobile Apps
- Fake mobile Apps
- Unauthorised access to social media accounts
- Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications
- Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
- Attacks or malicious/ suspicious activities affecting systems/ servers/ software/ applications related to Artificial Intelligence and Machine Learning
The list is extremely broad - even "targeted scanning" triggers reporting. When in doubt, report. Under-reporting is more risky than over-reporting with CERT-In.
CERT-In Report Content Requirements
- Organization details: Name, GSTIN, sector, contact person
- Incident details: Type, description, affected systems
- Timeline: Date/time of occurrence and detection
- Impact assessment: Systems affected, data compromised
- Actions taken: Immediate containment and response measures
- Artifacts: Logs, indicators of compromise (as available)
2.4 Sector-Specific: RBI and SEBI Requirements
Financial sector entities face additional reporting obligations to RBI and/or SEBI depending on their regulatory status. These requirements operate alongside CERT-In and DPDPA obligations.
RBI Cyber Security Framework Requirements
RBI's Cyber Security Framework for Banks (2016) and subsequent circulars mandate:
| Entity Type | Reporting Authority | Timeline | Key Requirements |
|---|---|---|---|
| Scheduled Commercial Banks | RBI (Department of Banking Supervision) | 2-6 hours | Report to cyber.incident@rbi.org.in |
| NBFCs (Upper/Middle Layer) | RBI (Department of Non-Banking Supervision) | 6 hours | Per NBFC Master Directions |
| Payment System Operators | RBI (DPSS) | 6 hours | Includes payment aggregators, wallets |
| Co-operative Banks | NABARD/RBI | As applicable | Per specific directions |
RBI Report Must Include
- Incident classification: Category and severity assessment
- Customer impact: Number of customers affected, data types
- Financial impact: Actual or potential monetary loss
- Root cause (preliminary): Initial assessment of how breach occurred
- Containment status: Whether incident is contained
- Recovery timeline: Expected service restoration
SEBI Disclosure Requirements
For listed entities, SEBI's LODR Regulations require disclosure of material events:
A cyber incident is likely material if it: (1) affects significant business operations, (2) impacts large number of customers, (3) involves financial loss exceeding thresholds, (4) attracts regulatory action, or (5) is likely to affect share price.
SEBI Circular on Cyber Security (SECC/HO/CFD/CMD/CIR/P/2018/77)
- Immediate disclosure: Material cyber incidents to stock exchanges within 24 hours
- Board reporting: Quarterly report to Board on cyber incidents
- Annual disclosure: Cyber security posture in annual report
- Stock exchange notification: Per LODR Regulation 30
For listed companies, involve Company Secretary and Compliance Officer immediately in breach response. They must assess materiality and coordinate stock exchange disclosures while legal handles regulatory notifications.
2.5 Developing a Notification Strategy
Effective breach notification requires pre-planned strategy, coordination across stakeholders, and clear decision-making protocols. Build your notification framework before an incident occurs.
Notification Decision Matrix
| Regulator | Trigger | Timeline | Responsible Party |
|---|---|---|---|
| CERT-In | Any cyber security incident | 6 hours | CISO/IT Security |
| Data Protection Board | Personal data breach | 72 hours (expected) | DPO/Legal |
| RBI | Cyber incident at regulated entity | 2-6 hours | Compliance/Risk |
| SEBI/Stock Exchanges | Material cyber incident | 24-48 hours | Company Secretary |
| IRDAI | Insurance company incidents | As per guidelines | Compliance |
| TRAI | Telecom operator incidents | As per license terms | Regulatory Affairs |
Key Principles for Notification Drafting
- Accuracy over speed: Do not speculate. State what you know, what you are investigating, what is unknown.
- Consistency across regulators: Facts must be consistent in all notifications - regulators compare notes.
- Legal review mandatory: All notifications should be reviewed by legal counsel before submission.
- Document everything: Maintain records of when notifications were sent, to whom, and their content.
- Update obligations: Initial notification is not final - provide updates as investigation reveals more.
Create a "single source of truth" document during incidents - a master incident record that all notifications draw from. This ensures consistency and prevents conflicting information being sent to different regulators.
Key Takeaways
- Multiple regulators: One breach may require notifications to CERT-In, DPB, RBI, SEBI simultaneously
- CERT-In is strictest: 6-hour timeline starts from noticing - have immediate escalation protocols
- DPDPA dual notification: Both Board AND affected Data Principals must be notified
- Sector-specific: RBI/SEBI requirements are additional, not alternatives to CERT-In/DPDPA
- Pre-plan everything: Templates, decision matrices, escalation protocols must exist BEFORE incident
Part 2 Quiz: Test Your Knowledge
Breach Notification Requirements
Test your understanding of notification obligations across regulators