Pune Media

India Needs a Threshold for Data Breach Reporting: Experts

India needs a threshold-based system for data breach reporting, speakers argued at MediaNama’s discussion on the draft Digital Personal Data Protection Rules (DPDP Rules, 2025) on February 7. The point was raised during the session on the draft rules around data breaches. MediaNama conducted the discussion under the Chatham House Rule. (Under the Chatham House Rule, participants are free to use the information received, but the identity of the speakers or of any other participant must not be revealed.)

The DPDP Act and the draft rules require companies to inform both affected individuals and the Data Protection Board of a breach without delay. Companies then have 72 hours to inform the Board and the affected users about the mitigation measures they have implemented to tackle the breach.

One of the key concerns participants raised was that a personal data breach could be something as small as one person clicking on a malicious link and having their account compromised. Given the broad definition of a data breach, a participant wondered whether even such a compromised account would count as a breach. “Everybody agrees there should be a threshold. It’s kind of like the privacy impact assessment, right? Let there be a trigger. But what is that trigger? If you take competing geographies, if you take Japan and you take Singapore, they take a number between 500 to 1,000. Now that may make sense for a city-state like Singapore,” another participant said. They added that India cannot copy-paste a breach threshold from another jurisdiction such as Singapore or Japan.

Important points from the discussion:

Factoring in the type of data into breach reporting:

The type of data could also factor into the impact of a breach, a participant argued. “I know we don’t have a classification of sensitivity of data, but we’re classifying significant data fiduciaries on the kind of data that they’re holding as well,” they said, asking whether breach reporting requirements should be tiered according to the sensitivity of the data involved. Another participant suggested that such requirements could be keyed to the categories of data that the central government committee classifies as requiring significant data fiduciaries to store in India.

Companies will have to report the same breach thrice:

The case for a breach threshold becomes stronger when one considers that companies will have to report the same breach three times: to the affected people, to the Data Protection Board and to the Indian Computer Emergency Response Team (CERT-In). “And double-stage reporting as well, right? Post that 72-hour period, [there is a provision for an] additional information request. So, you’re going to overload the system,” a participant mentioned. The comment refers to the fact that companies must first submit a preliminary report to the Data Protection Board “without delay” and then, within 72 hours, submit a second report detailing the mitigation measures taken. Participants emphasised that companies would prefer a harmonised set of reporting requirements from the government so that they could automate the reporting process.

Cannot turn to CERT-IN reporting norms for clarity:

While participants agreed that there would be an overlap in the responsibilities of CERT-In and the Data Protection Board (DPB), they argued that the government cannot turn to CERT-In norms for creating uniform regulations. “CERT-In also does not have very clear norms. In CERT-In, it is even more difficult because they say that even if it is an event, you must be safe and report it. So, CERT is even more difficult to comply with. At least here they have said a breach,” a participant mentioned. 

CERT-In cannot do anything with data breach information:

Given the sheer number of incidents that companies currently have to report, participants questioned whether CERT-In could even do anything with the breach data. “Do you have the capacity to do anything with that data at all? And at this point, I think the answer is no. But I think their basic thing is that we are not trying to segregate, et cetera. We are saying whatever it is, [within] six hours [you have to] report,” they explained.

Immediate breach reporting to affected users could cause panic:

Participants argued that if companies immediately inform people affected by a breach, it could cause panic and can even lead to market crashes. “Sometimes you’re tipping off the hacker even before the investigation is complete,” a participant mentioned. 

Publicising data breach information can paint a target on vulnerable companies:

“The flip side of having all of this information public is also planting a red target on the company with very bad data security and telling hackers that, hey, this company seems to be a prime target by the number of attacks that have happened,” a participant said.

DPB will struggle to handle reporting timeline extensions:

While the rules allow companies to send in written requests to the DPB to ask for more time (as opposed to the prescribed 72 hours) before they submit mitigation measures, the board will not be able to tackle such requests. “It seems to be arbitrary that you have to write to them and ask for an extension each time. The number of ransomware attacks that go through in this country, they won’t be able to handle those,” a speaker mentioned. 

Uncertainty about whether security failures constitute a breach:

“So, it does say personal data breach under the law, but what the law also requires you to do is have reasonable security safeguards. So, if they were to fail, essentially a reading would be that even if there is no personal data breach actually, but because your reasonable security safeguards are failing, is that also a personal data breach?” a participant questioned. They argued that the rules could consider failure of security safeguards as a breach because that would mean that the concerned company does not have measures to prevent a breach in the future. 

Users want companies to inform them of every data breach:

“As a user, I do want to be, I honestly want to be informed every time there’s a personal data breach because otherwise, the companies lie all the time. They gaslight me as a user. So, I want them to report it every time because they don’t take fines seriously. At least they’ll take reputational damage seriously,” a participant mentioned. 


Absence of monetary compensation for affected parties:

The DPDP Rules do not require companies to give compensation to people affected by a data breach and in that case, reputational damage is the best course of action, a participant mentioned. “Just last month, there was a case in which a compensation of over two crores was given to a victim of a data breach under the IT Act. And also, just to point out, this victim wasn’t an individual, it was a bank,” they explained.

Getting data breach notifications every day could trivialise breaches:

Another participant argued that if as a user they get breach notifications from different companies every single day, they would stop taking the breaches seriously. “So, maybe I want to know about breaches that are an active risk,” they said. They added that perhaps quarterly or semi-annual breach notifications might make more sense.

Organisational capacity could make reporting a challenge:

A participant mentioned that when discussing the data breach reporting requirements, it is important to consider that not all organisations have the resources to even figure out that they have a breach and fix it, much less report it within the stipulated time. “The government chose to not create a small business exemption properly into the law,” another participant argued in response to this adding that the government could have required bigger entities to have more compliance requirements. 

Key Recommendations:

Harm and population-based thresholds for breach reporting:

The government can consider two separate kinds of thresholds for what qualifies as a breach worth reporting, participants noted. While one way to create a reporting threshold is to focus on the number of people affected by the breach, another is to rely on a harm-based threshold, where reporting happens when a breach causes substantial harm to the affected people. 

DPB should release monthly breach data:

A participant recommended that the DPB should publish data about all the breach reports it received in a month. This report should include the names of the companies that reported breaches, the number of breaches, and their nature. They argued that this would keep the Board transparent and accountable to the general public. Another participant argued that while the government may not be inclined to release the specifics of a breach, people should at least be able to obtain aggregated data through Right to Information (RTI) requests.

Companies should report breaches to only one authority:

Instead of reporting breaches to multiple different bodies, a participant suggested that India could consider an approach where companies notify one body that shares this information with other government entities. “In the United Kingdom, what happens is that people report data breach incidents to the Information Commissioner’s Office under the Data Protection Law. That is shared. And I think there’s an administrative guideline to how they share it with four or five other agencies,” they mentioned. 

Reporting timelines could start when the breach is fixed:

“The timeline for reporting maybe should start from the point where you have corrected the breach, rather than when you become aware of the breach,” a participant suggested. They said that this could prevent bad actors from learning of the breach and exploiting the company’s vulnerability before it is fixed. They added that the DPB could still hold companies accountable for fixing the breach promptly, since the report submitted to it would show how long the issue took to fix.
