Data breaches are no longer limited to big tech companies. In India, startups, small businesses, hospitals, fintech platforms, ed-tech companies, and even local service providers are facing data leaks every day.
Customer data leaks are not just technical failures anymore; they are legal issues.
If your company suffers a data breach and you don’t handle it correctly, you may face penalties, lawsuits, reputational damage, and even regulatory action.
This article explains the legal obligations of a company after a data breach under Indian law, particularly after the Digital Personal Data Protection (DPDP) Act.
What Is a Data Breach Under Indian Law?
A data breach occurs when personal or sensitive data is:
- Accessed without authorisation
- Disclosed accidentally or unlawfully
- Stolen, hacked, leaked, or misused
This can include:
- Customer names, phone numbers, and email IDs
- Aadhaar, PAN, KYC documents
- Bank details or UPI information
- Employee personal data
- Health or financial records
Even a small leak, such as customer data shared with a third party without consent, can legally qualify as a data breach.
Why Data Breaches Are a Serious Legal Issue Now
Earlier, companies treated data leaks as internal IT problems. That approach no longer works.
With the introduction of the Digital Personal Data Protection Act, 2023, data protection has become a statutory obligation.
Companies are now legally responsible for:
- How data is collected
- How data is stored
- How data is shared
- How data is protected
Failure in any of these areas can attract penalties.
Which Laws Apply to a Data Breach in India?
1. Digital Personal Data Protection Act, 2023 (DPDP Act)
This is the primary law governing personal data protection in India.
Under the DPDP Act:
- Companies are called Data Fiduciaries
- Customers are Data Principals
The law applies to:
- Indian companies
- Foreign companies processing Indian users’ data
2. Information Technology Act, 2000
Section 43A and related rules impose liability on companies that fail to protect sensitive personal data due to negligence.
3. Contract & Consumer Laws
A data breach can also result in:
- Consumer complaints
- Breach of contract claims
- Class-action-style litigation
Legal Obligations of a Company After a Data Breach
1. Immediate Containment of Breach
The first legal duty is not paperwork; it is action.
The company must:
- Identify the source of the breach
- Stop further unauthorised access
- Secure compromised systems
Delaying containment can worsen legal liability.
2. Mandatory Reporting of Data Breach
Under the DPDP Act, companies must report personal data breaches to the Data Protection Board of India.
While detailed reporting rules are evolving, the principle is clear:
Serious data breaches cannot be hidden.
Failure to report can itself attract penalties.
3. Informing Affected Users
If a breach affects users’ personal data, companies have a duty to:
- Inform affected individuals
- Explain what data was compromised
- Advise affected individuals on protective steps (changing passwords, etc.)
Silence or vague messaging increases legal risk.
4. Cooperation With Authorities
Companies must cooperate with:
- Data Protection Board
- Cybercrime authorities
- Regulatory bodies (if applicable)
Non-cooperation can constitute aggravating conduct.
Penalties for a Data Breach Under Indian Law
Under the DPDP Act, penalties can go up to:
₹250 Crore for serious non-compliance.
Penalties depend on:
- Nature of data breached
- Volume of affected users
- The company’s preventive measures
- Speed and transparency of response
Even startups and SMEs are not exempt.
Can Affected Users Sue the Company?
Yes.
Affected individuals may:
- File complaints before the Data Protection Board
- Approach the Consumer Court
- Claim compensation for negligence
If financial loss or identity theft occurs, liability increases significantly.
Common Mistakes Companies Make After a Data Breach
- Trying to hide the breach
- Blaming third-party vendors
- Delaying user communication
- Having no documented incident response plan
Legally, these mistakes make things worse.
How Companies Can Reduce Legal Risk
- Have a written data protection policy
- Limit data collection to necessity
- Conduct regular security audits
- Train employees on data handling
- Prepare a data breach response plan
Prevention is not just good practice; it’s legal protection.
Real-World Situation (Very Common)
A mid-sized Indian startup suffered a data breach due to an unsecured database. They delayed user notification for weeks.
The issue became public through social media. Users filed complaints. Regulatory scrutiny followed.
The legal cost and reputational damage far exceeded the cost of early disclosure.
Data Protection Is a Legal Responsibility
In today’s digital India, companies don’t just handle data; they hold trust.
A mishandled data breach can permanently destroy that trust.
Understanding and fulfilling legal obligations is no longer optional. It is essential for survival and credibility.
— — —
Disclaimer:
This article is published for general legal awareness and informational purposes only, and should not be construed as legal advice or a solicitation to act.
About the Author:
Joginder Poswal is an advocate enrolled with the Bar and practising law, specialising in cyber law, criminal law, and corporate compliance.
For more information, please refer to the contact details provided on this website.
