Data Breach Response in India: 72-Hour Playbook




Introduction

Imagine it's just another ordinary workday, when suddenly you receive an alarming notification: millions of customer records in your system might have been exposed. In India’s rapidly growing digital economy, such incidents can severely tarnish a company’s reputation. While data breaches are undeniably stressful, the Digital Personal Data Protection Act (DPDPA) offers a framework that requires companies to notify both the authorities and affected users within a specified timeframe. This legal requirement ensures that responses are both timely and organized, helping companies stay compliant while safeguarding public trust. By responding swiftly and transparently, organizations can not only mitigate the impact of a breach but also demonstrate their commitment to protecting personal data. 

The importance of 72-hour reporting

When a breach happens, businesses are expected to notify the Data Protection Board of India (DPBI) “without undue delay,” and the global timeframe is 72 hours. This isn’t just another government formality; it’s about giving people a chance to protect themselves from fraud, theft, or further misuse of their information. Delays can trigger substantial regulatory penalties—up to ₹200 crore—and far greater damage to a brand’s credibility. 

Understanding the Legal Framework

  • DPDPA, 2023, is the new backbone of data privacy. All organizations (“data fiduciaries”) must immediately take action and report data breaches to the DPBI and the people affected, regardless of the scale of the breach.
  • CERT-In guidelines: India’s national cybersecurity agency requires reporting of certain incidents—including data breaches—within just six hours if there’s a cybersecurity angle.
  • Sector-Specific Rules: Banks, insurers, and health providers follow even tighter timelines and stricter sectoral regulations.

If an organization handles personal data in India, it has to be ready to meet all of these requirements.

Early Detection and Team Mobilization 

When the breach occurs, the team must:

  • Recognize the incident, no matter how minor it is.
  • Mobilize the data breach response team quickly. It is a mix of IT, legal, risk management, and communication staff.
  • Secure the affected systems. 

Investigation and Containment 

The next task is to control the damage. 

  • The team has to understand what actually happened and what data has been compromised.
  • Contain the breach and isolate the servers that contain the vulnerabilities.
  • Preserve the records for internal and external investigation. 

Assessing the Impact 

A quick assessment of the following should be done:

  • The personal data that was involved.
  • The number of individuals who were affected.
  • The types of risk involved if the data is exposed.

Reporting the Breach

Under the DPDPA, the following steps have to be followed, and the issue has to be rectified within 72 hours. 

  • Inform the DPBI as soon as possible with the facts available. 
  • Inform affected individuals if there’s any risk to their rights, usually through email, SMS, or app notification.
  • Report to any sectoral regulator (RBI, IRDAI, SEBI) and CERT-In if the breach relates to critical infrastructure or cyber-attacks.
  • The notification should include:
      1. What and when it happened, what kind
      2. What kind of data got affected
      3. How many people are impacted by it
      4. Steps taken to mitigate the harm
      5. Advice for affected users, such as changing passwords or monitoring financial accounts

Communication and Support of affected people 

Technical ways to resolve the breach are important, but humane responses also matter. The affected users must be notified clearly and promptly. The users should be given answers on what the team is doing to fix it and how to avoid data breaches in the future, like activating extra authentication or monitoring credit reports.

Steps for Recovery

Once the urgency has passed, 

  • A full forensic investigation must be finished.
  • Stronger protection must be recommended to the users.
  • Communicate and keep the regulators and the public updated.
  • Take necessary steps to improve the plans to keep the records safe. 

Practical tips to build a successful 72-hour Playbook 

  • Be prepared, train teams, and run simulations to maintain up-to-date playbooks.
  • Keep documentation and logs of all work done, so they can be produced in court whenever needed.
  • Legal teams and cybersecurity professionals must be involved in taking necessary steps to prevent data breaches. 

Conclusion 

Data breaches can happen to anyone. The strongest organizations are the ones that respond with discipline, empathy, and speed. The 72-hour playbook is not just about legal compliance; it's about showing customers, partners, and authorities that your business values transparency and accountability, even at the toughest times.


 
