
Have you been hacked in 2024? Indian data protection regulations require you to take action

What if someone with legitimate access intentionally reads or shares data with the intent to cause harm? That malicious insider has also caused a data breach.

Did an employee lose an office device last year? An unencrypted, unlocked laptop or an external hard drive, anything that holds sensitive information, counts. That is another data breach. And finally, have you simply been hacked?

All of these are data breaches. A breach occurs when personal data for which the organisation is responsible is subject to any unauthorised processing or to accidental disclosure, acquisition, use, sharing, alteration, destruction or loss of access that compromises the confidentiality, integrity or availability of that data.

If you were affected by a data breach last year, would you need to report it to the authorities? You might assume "No", because India had no data protection authority at the time. But will you need to report such cases retrospectively once the Data Protection Board of India (DPBI) is set up?

The draft Digital Personal Data Protection Rules, 2025 (the Privacy Rules) require exactly such retrospective reporting. They cover data breaches occurring in the interim period between the notification of the Digital Personal Data Protection Act, 2023 (the DPDP Act) on 11 August 2023 and its full implementation later this year.

The window between those two dates cannot be treated as a holiday or a safe harbour. As a former IT minister has pointed out, it only means that data breaches will keep piling up, and the DPBI is expected to start processing those cases as soon as it can.

Unless the Privacy Rules expressly provide otherwise, the DPDP Act applies to all data fiduciaries in their dealings with data principals.

Their first obligation is to take appropriate technical and organisational measures to prevent data breaches. And if a breach does occur, the notification duties and other triggers may apply to it retrospectively.

So what steps should data fiduciaries take? First, map out the personal data being collected and processed: which systems hold it, which fields are identifiers, and who can reach them. Then apply security measures to what the map reveals.

Security measures such as encryption, obfuscation and tokenization (replacing personal data with surrogate tokens that are meaningless without a separately held key or vault) may be adopted to protect personal data against hacking, and to limit what a stolen dataset actually exposes.
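To make the tokenization point concrete, here is an added illustration (not from the author or the article): a keyed, deterministic tokenizer applied to the personal-data fields a data map has flagged. The field names, the sample records and the key handling are all assumptions made for this example; the records are constructed and describe no real person. The working dataset keeps only tokens, so a copy of it leaked in a breach carries no direct identifiers, while the separately stored vault still lets the fiduciary re-identify a record when it legitimately needs to.

```python
import hashlib
import hmac
import secrets

# Fields that the (hypothetical) data map flagged as personal data.
PII_FIELDS = ("name", "email", "phone")

# Constructed sample records for the example; not real people.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Asha Rao", "email": "asha@example.in", "phone": "+91-9800000001", "plan": "gold"},
    {"id": 2, "name": "Vikram Nair", "email": "vikram@example.in", "phone": "+91-9800000002", "plan": "basic"},
    {"id": 3, "name": "Asha Rao", "email": "asha@example.in", "phone": "+91-9800000001", "plan": "trial"},
]


class Tokenizer:
    """Keyed, deterministic tokenization with a separate re-identification vault.

    A token is the truncated HMAC-SHA256 of the value under a secret key, so
    equal values map to equal tokens (the tokenized dataset can still be
    joined and de-duplicated) while the token itself reveals nothing without
    the key. The vault (token -> original value) is the only way back to the
    personal data and must be stored apart from the tokenized dataset.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._vault: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:32]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Only code with access to the vault can do this.
        return self._vault[token]


def pseudonymise(records, tokenizer, fields=PII_FIELDS):
    """Return copies of the records with every PII field replaced by its token."""
    out = []
    for rec in records:
        safe = dict(rec)
        for f in fields:
            if f in safe:
                safe[f] = tokenizer.tokenize(str(safe[f]))
        out.append(safe)
    return out


def leaks_raw_pii(records, fields=PII_FIELDS, originals=SAMPLE_RECORDS):
    """True if any original PII value still appears anywhere in the records.

    This is the question a breach review asks of a stolen dataset: what was
    actually exposed? For a tokenized copy the answer is 'no direct identifiers'.
    """
    raw_values = {str(o[f]) for o in originals for f in fields if f in o}
    return any(str(v) in raw_values for rec in records for v in rec.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice fetched from a KMS/HSM, never stored with the data
    tk = Tokenizer(key)
    safe = pseudonymise(SAMPLE_RECORDS, tk)
    print(safe)
    print("raw PII in working set:", leaks_raw_pii(safe))
    print("re-identified record 1:", tk.detokenize(safe[0]["email"]))
```

Because the scheme is deterministic, records 1 and 3 still share a token and can be recognised as the same customer without either the key or the vault, which is the property that keeps analytics and de-duplication working; the trade-off is that an attacker who steals both the tokenized data and the key could regenerate tokens for guessed values, so the key and the vault belong in a separate trust boundary from the application database.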

If data processors are involved, ensure that the contract includes a requirement for the processors to apply “reasonable security standards” to their processing.

Now, if you are affected by a data breach, whom do you call? The DPBI, once it is established. In the meantime, have you notified the affected data principals, the individuals whose data was involved? That will be one of the first questions the DPBI asks, so it must be done now.

What if you do not notify the DPBI of a data breach you experienced in the interim? Failure to report a data breach can attract a penalty of up to ₹200 crore. And if you failed to take "reasonable security safeguards" during this period, you may be liable for a further ₹250 crore.

If you do notify the DPBI, how much time do you have to make that call? Since the rules make no separate provision for breaches in the interim period, it is safest to assume the usual window of 72 hours, counted from when the DPBI is able to receive reports.

If you need more time, ask the DPBI. It may allow more than 72 hours if the data fiduciary submits a written, well-reasoned request for an extension.

Do the draft Privacy Rules treat all breaches equally? Unfortunately, yes: every one of the earlier examples, from the lost laptop to the malicious insider, triggers the same obligations. Should minor breaches carry fewer compliance obligations?

Would a risk-based approach be a fairer way of dealing with the consequences of a breach? The government may consider changes to the rules if public comments raise these issues by 18 February.

One last point. If the data breach is also a cyber security incident, the Indian Computer Emergency Response Team (CERT-In) must be notified as well.

Now that the long-awaited Privacy Rules are in draft form, submitting comments will not only help strengthen the legal shield for digital personal data but also resolve the open questions around breach notification, especially the potential requirement for retrospective reporting of breaches going back to 11 August 2023.

The author is a partner at JSA Advocates & Solicitors