Top 10 operational impacts of India’s DPDPA – Data breaches
This article provides insight on data breaches in relation to India's DPDPA.
Published: 22 Aug. 2024
Last updated: 20 Jan. 2026
This article is part of a series that explores the most important components of the DPDPA, as clarified by the DPDP Rules, 2025. The full series can be accessed here.
Editor’s note: On 13 Nov. 2025, India's government notified the Digital Personal Data Protection Rules, laying out a phased framework for implementing the provisions of the Digital Personal Data Protection Act. The aim is to avoid repetition across the articles as each author addressed it slightly differently.
India's need for tighter cybersecurity has been growing with increasing digitization and connectivity, both locally and globally. While India's government has taken steps to enhance cybersecurity measures through policies and regulations, there has been a rapid surge in cyber incidents, including ransomware attacks, phishing schemes and data breaches.
In 2022, the Indian Computer Emergency Response Team, the national agency tasked with performing various functions around cybersecurity, issued directions related to information security practices, procedures, and the prevention, response and reporting of cyber incidents.
Since then, the government's initiatives have shifted toward regulating data fiduciaries and imposing higher penalties on them, recognizing their crucial influence over the flow of personal data, rather than focusing primarily on preventing cybersecurity incidents.
Prevention versus cure
India's Digital Personal Data Protection Act defines a personal data breach as "any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data."
While this definition has remained more or less identical through all drafts of the data protection legislation deliberated by the government prior to the DPDPA's passage, there has been a major shift in the regulatory approach compared to the earliest framework, the Personal Data Protection Bill released in 2018. While the 2018 framework enumerates the obligations of data fiduciaries in the case of a personal data breach in finer detail, the DPDPA outlines only the broad contours of those obligations within two provisions under Section 8.
First, as a preventive measure, the DPDPA requires a data fiduciary to implement reasonable safeguards to protect personal data in its possession or under its control, including with respect to any processing undertaken by it or on its behalf by a data processor. Second, as a corrective measure in the case of a breach event, the DPDPA requires data fiduciaries to inform the Data Protection Board of India and every affected data principal of the personal data breach.
As such, the DPDPA, being principle-based legislation, does not itself set out the security standards or the relevant safeguards. Instead, these operational requirements are set out in the newly notified Digital Personal Data Protection Rules. The DPDP Rules prescribe certain minimum safeguards, which include securing personal data through measures such as encryption, access control, logging, monitoring and data backups. These security standards appear to be rooted in the globally accepted principles of integrity, confidentiality and accountability.
This seems to be a crucial departure from the existing legislation on the subject, i.e., the Sensitive Personal Data or Information Rules, which set out just a two-fold baseline standard for when a body corporate would be considered in compliance with reasonable security standards and procedures. First, organizations had to comprehensively document information security programs and policies commensurate with the nature of the personal data being protected. Second, they had to implement security control measures as per such documented policies and be able to demonstrate the same to the authorities in case of an information security breach. This approach gave organizations considerable flexibility to decide their own security controls based on the nature of the personal data they processed. However, the DPDP Rules, in contrast to the legacy benchmarks, provide more specific and prescriptive requirements that are aligned with globally accepted standards and processes for preventing personal data breaches.
While the minimum reasonable security standards have now been prescribed under the DPDP Rules, no system can be considered immune from the risk of a personal data breach. Accordingly, the DPDP Rules provide more detailed guidance on the remedial actions data fiduciaries should take when they fail to prevent a personal data breach.
Broadly, the DPDP Rules introduce a two-stage breach-notification mechanism, prescribing both an immediate intimation, to be made on a best-of-knowledge basis, and a 72-hour report containing updated and more detailed information. The mechanism details what must be reported and to whom at each stage, making it a highly actionable and time-sensitive obligation for data fiduciaries. Affected data principals and the DPBI must be notified of the breach immediately, including its nature, potential consequences and the recommended mitigation measures. A more detailed report must then be submitted to the DPBI within 72 hours of the data fiduciary becoming aware of the breach.
Given the heavy quantum of fines prescribed under the DPDPA, data fiduciaries ― especially those processing sensitive personal data, like financial, health and children's information ― should invest in their cybersecurity infrastructure. They should also conduct regular training sessions and awareness programs to instill readiness among in-house departments like legal, IT, business and customer services, and procure adequate cyber liability insurance policies to offer comprehensive protection.
Penalty assessment
The DPBI has the power to impose fines of up to INR 250 crore (approximately USD 27 million) for failure to implement reasonable security safeguards to prevent a personal data breach.
To determine the monetary penalty to be imposed, the DPBI will consider the nature, gravity and duration of the breach; the type and nature of the personal data affected; any action taken to mitigate the effects and consequences; and the timeliness and effectiveness of any mitigative action.
A quick look at practices in other relevant jurisdictions indicates that authorities such as the European Data Protection Board, Ireland's Data Protection Commission and the U.S. Federal Trade Commission have become increasingly stringent in imposing penalties where there has been a conscious failure to take reasonable steps to secure data and to fix critical vulnerabilities already identified by the data fiduciary.
When it comes to penalty assessment, another key factor to consider is how the DPBI and CERT-In will interact. Organizations are currently required to report cyber incidents, including data breaches, to CERT-In within six hours of discovery as opposed to the 72-hour timeline prescribed under the DPDP Rules.
Given that the scope of CERT-In directives is much broader in terms of applicability and extends to personal data breaches, there is undoubtedly an overlap in the reporting obligations of a data fiduciary for personal data breaches, allowing for penalties to be levied under both frameworks if authorities are not notified.
Having said that, to date there has not been a single instance of a reprimand or levy of penalty in connection with a cyber incident by any authority. As the DPBI becomes operational and regulatory practice evolves, the roles, powers and functions of the DPBI and CERT-In regarding personal data breaches ― particularly in relation to penalties ― may become clearer and more sharply demarcated.
Extrajurisdictional enforcement
The DPDPA's scope extends to the processing of digital personal data outside India in cases when the processing pertains to offering of goods or services to data principals within the country.
This means data fiduciaries processing personal data in jurisdictions outside India must also comply with the DPDPA's provisions if the processing pertains to services or goods offered to India's data principals.
However, enforcement of the extraterritorial application, specifically in cases of personal data breaches, is undoubtedly riddled with challenges. Enforcing the DPDPA on foreign entities may be inherently complex due to the jurisdictional limitations and differing legal frameworks of other countries.
Cooperation from international counterparts is crucial but often difficult to secure, leading to potential enforcement gaps. Further, compliance by data fiduciaries offering their services and goods to data principals in India can, in individual cases rather than systematically, be burdensome given the increased operational costs.
Right to compensation
The DPDPA imposes a substantial penalty of up to INR 250 crore (approximately USD 27 million) for data breaches, which is credited to the Consolidated Fund of India. Unlike many data protection laws, including the EU General Data Protection Regulation, the DPDPA does not provide for compensating data principals whose personal data has been breached.
The absence of explicit provisions for compensating data principals has been a contentious issue, especially given that such measures were included in earlier drafts of data protection legislation. While some argue the government aims to reduce frivolous litigation, others believe this lack of compensation may deter data principals from reporting data breaches altogether.
Additionally, since civil courts lack jurisdiction over matters arising from the DPDPA, data principals may be unable to seek compensation from either the DPBI or the courts. To ensure the DPDPA's efficacy, it is imperative to clearly define the roles of CERT-In and the DPBI and establish precise guidelines for reporting personal data breaches. Moving beyond mere awareness programs, it will be interesting to observe how the government plans to incentivize users to report such incidents, thereby fully realizing the DPDPA's objectives.
Full series overview
The overview page for the full series can be accessed here.
- Scope, key definitions and lawful data processing
- Individual rights
- Obligations of data processing entities
- Enforcement and the Data Protection Board
- Cross-border data transfers
- Comparative analysis with the GDPR and other major data privacy laws
- Consent management
- Data audits for significant fiduciaries
- Data protection impact assessments
- Data breaches

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Contributors:
Rishi Anand
Partner, DSK Legal
Chirag Jain
Associate Partner, DSK Legal
Shreya Singh
Senior Associate, DSK Legal