An employee’s laptop with customer data was stolen. As a business owner in India, what legal steps do you need to take?
It started as a normal Monday morning. Then your sales manager called.
His laptop was stolen from his car over the weekend. It held the entire customer database: names, phone numbers, email addresses, and possibly bank details or health records. There was no encryption and no remote wipe. Now the personal data of thousands of your customers is at risk.
Your first instinct is probably to hope nobody finds the laptop. Or to quietly replace it and move on.
That approach has now become much more risky and could even be illegal.
India’s data protection landscape changed fundamentally in November 2025. The Digital Personal Data Protection Rules, 2025, are now in force. The Data Protection Board of India is operational. And a stolen laptop containing customer data is no longer an operational inconvenience. It is a notifiable personal data breach, subject to specific legal obligations, strict timelines, and penalties that can reach ₹250 crore.
This guide tells you exactly what those obligations are, what to do in the first 72 hours, and how to make sure this never catches you unprepared again.
First, Is This Actually a Data Breach Under Indian Law?
Yes, it is.
The DPDP Act, 2023, defines a personal data breach under Section 2(u) as:
“Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data.”
If a laptop containing customer personal data is stolen, it meets at least three limbs of that definition at once: accidental disclosure, acquisition by an unknown party, and loss of access. It does not matter whether the thief wanted the data or whether the laptop was password-protected. As long as customer data was on the laptop and the organisation can no longer control it, this is a personal data breach under the DPDP Act, 2023.
The older Indian law, under Section 43A of the IT Act, 2000, defined “reasonable security practices” in a broad, vague manner, and enforcement was limited. In contrast, the DPDP Rules, 2025 are more specific and mandatory. They are backed by an active regulator, the Data Protection Board, with clear timelines for breach notifications and strong enforcement measures.
What Laws Apply to You Right Now
Before walking through what to do, let’s be clear on which laws are actually in play. Most business owners in India think data protection is only for large tech companies. It isn’t.
| Law | Who it applies to | What it requires after a breach |
|---|---|---|
| DPDP Act, 2023 + DPDP Rules, 2025 | Any Data Fiduciary, i.e. any business that processes digital personal data, not only large tech companies | Notify affected individuals without delay; report to the Data Protection Board within 72 hours |
| CERT-In Directions, 2022 | Service providers, intermediaries, data centres, body corporates | Report cybersecurity incident to CERT-In within 6 hours of detection |
| IT Act, 2000: Section 43A | Body corporates handling sensitive personal data | Pay compensation for negligence in maintaining security practices |
| Consumer Protection Act, 2019 | Any business with consumers | Disclosing personal information given in confidence is an unfair trade practice |
The DPDP Rules 2025 represent the biggest change. The full set of obligations, including the Rule 6 security safeguards and the detailed breach-intimation procedure, becomes mandatory on May 13, 2027. However, the Data Protection Board is already constituted, the duty to intimate a breach flows from Section 8(6) of the Act itself, and the CERT-In 6-hour reporting duty applies today regardless of the DPDP timeline.
Your Exact Timeline: What to Do in the First 72 Hours
Many businesses make their worst mistakes in the first few days: panic on day one, still deciding whom to contact on day two, and by day three the first legal deadline has already passed.
You can avoid these mistakes. Here is a clear timeline to follow after a breach.
Hour 0–6: Contain and Report to CERT-In
As soon as you learn about the breach, you need to do two things at the same time.
Step 1: Act quickly to contain the damage.
- If the laptop has remote wipe capability, activate it now.
- Change all passwords and access credentials that the employee had.
- Revoke the employee’s access to all company systems, cloud accounts, and databases.
- Find out exactly what data was on the device. Was it customer names, phone numbers, emails, financial data, health information, or Aadhaar numbers? Write down your findings.
- Preserve all internal logs, access records, and system data related to the incident, and make sure log rotation does not overwrite them. Rule 6 of the DPDP Rules requires that security logs be retained for at least one year.
Step 2: Report the incident to CERT-In within 6 hours.
According to the CERT-In Directions, 2022 (issued under Section 70B of the IT Act), any company that faces a cybersecurity incident, including data breaches, must report it to the Indian Computer Emergency Response Team within 6 hours of discovery. This is one of the strictest reporting timelines worldwide.
File your report through the incident-reporting channels (e-mail and phone) listed at www.cert-in.org.in.
You do not need to know everything within 6 hours. Report what you do know, such as the nature of the incident, when you found it, which systems were affected, and what data was involved. CERT-In lets you send updates as you learn more. Do not stay silent.
Non-compliance with CERT-In Directions can attract penalties under the IT Act, including imprisonment and fines.
Hours 6–24: Assess the full scope of the breach
After you file the first CERT-In report, focus on finding out what happened and what data might be at risk.
- Conduct a thorough internal investigation. Who had access to that laptop? What databases or files were stored locally versus on cloud systems?
- Was the data encrypted? If the disk was encrypted with a key the thief does not have (full-disk encryption such as BitLocker, FileVault or LUKS), the risk to affected individuals is much lower. Record exactly what protection was in place, not just "it had a password".
- Was there sensitive personal data on the device? The DPDP Act, 2023 does not carve out a separate "sensitive" category, but the type and nature of the personal data affected is a statutory factor in any penalty (Section 33(2)). Financial information, health records, passwords, biometric data and government identifiers such as Aadhaar numbers are the categories whose exposure causes the most harm, and the older SPDI Rules, 2011 list most of them expressly.
- How many individuals are potentially affected? Ten customers or ten thousand?
- Is there any evidence that the data has already been accessed or misused?
Write down every finding. This record will help you notify the Data Protection Board and the people affected.
Hours 24–72: Notify the Data Protection Board and the people affected
This is the step most Indian businesses are unprepared for and the one with the highest penalties.
Notify affected individuals as soon as possible.
Under the DPDP Rules 2025, when a data breach occurs, you must notify each affected individual directly. The notification must include:
- What happened: the nature and extent of the breach
- What data was involved: specifically, which personal data of theirs was compromised
- What are the potential consequences for them?
- What protective steps should they take, such as monitoring bank statements or changing passwords
- Your business contact details for follow-up queries
The Rules require you to notify people “without delay.” In practice, this means as soon as you have enough information to communicate clearly, usually within 24 to 48 hours after confirming the breach.
Submit a detailed report to the Data Protection Board within 72 hours. In addition to notifying individuals, you must intimate the Data Protection Board of India without delay with a description of the breach, and then furnish a detailed report within 72 hours of becoming aware of it (or within such longer period as the Board allows on a written request). The detailed report should include the nature of the breach, the data involved, the number of people affected, the steps taken, and the measures adopted to prevent a recurrence.
You must notify both individuals and the Board, regardless of whether the breach was caused by a cyberattack or something as simple as a stolen laptop.
What If You Don’t Report? The Penalty Picture
At this point, things become much more serious.
| Failure | Maximum penalty | Legal basis |
|---|---|---|
| Failure to implement reasonable security safeguards (which allowed the breach to occur) | Up to ₹250 crore | Section 8(5) of the DPDP Act, 2023, read with the Schedule: failure by a Data Fiduciary to maintain "reasonable security safeguards" to prevent a breach can attract a maximum penalty of ₹250 crore per violation. |
| Failure to notify the Data Protection Board or affected individuals of a breach | Up to ₹200 crore | Section 8(6) of the DPDP Act requires prompt intimation of personal data breaches to the Data Protection Board of India (DPBI) and to the affected Data Principals; failure to do so can attract a maximum penalty of ₹200 crore. |
| Non‑compliance with CERT‑In 6‑hour reporting | Imprisonment of up to one year and/or a fine of up to ₹1 lakh | Section 70B(7) of the IT Act, 2000: the CERT‑In Directions (April 2022) require reporting of specified cybersecurity incidents to CERT‑In within 6 hours of detection, and non‑compliance is punishable under Section 70B(7). |
These numbers are not just theoretical. The Data Protection Board is now active, and the first enforcement actions will likely focus on high-profile, severe, or systemic violations. These cases will show how seriously India’s regulators take data protection failures.
For smaller businesses, the penalty might be lower, depending on factors such as the seriousness of the breach, the size of the business, and whether the violation was intentional or accidental. However, saying “I didn’t know I had to report it” has never worked as a legal defence in India, and it will not work here either.
The Scenario in Practice: A Real-World Walk-Through
Let’s look at how this situation might unfold for a typical Indian SME (an illustrative scenario, not a reported case).
Consider a B2B software company in Gurugram with 40 employees. The company keeps client contact details, contracts, and some financial data on employee laptops.
One day, a sales executive’s laptop is stolen from a café. The laptop contains a spreadsheet with 800 client contacts, including names, company names, email addresses, phone numbers, and purchase history.
Here’s what the company needs to do next:
- Within 6 hours, file an initial report with CERT-In at cert-in.org.in.
- Within 24 hours: Remotely wipe the laptop (if possible), revoke all credentials, identify all 800 affected clients, and draft individual breach notifications.
- Within 48 hours, send breach notifications to all 800 affected clients. The message should explain what happened and what data was involved.
- Within 72 hours, file a detailed breach report with the Data Protection Board of India.
What if the company does nothing?
Affected clients can file complaints with the Data Protection Board. The Board can investigate, impose penalties, and issue binding directions. The company could face penalties of up to ₹200 crore for failing to notify clients and up to ₹250 crore for failing to implement proper security safeguards, such as encryption or remote wipe. Even if enforcement targets larger companies first, legal liability begins as soon as the breach goes unreported.
Section 43A of the IT Act: Is It Still Relevant?
Here’s a brief explanation of a topic that often causes confusion.
Section 43A of the IT Act, 2000 used to require companies handling sensitive personal data or information (SPDI) to follow “reasonable security practices.” It also made them responsible for paying compensation if a data breach occurred due to negligence.
With the DPDP Act, 2023, and the DPDP Rules, 2025, now notified, Section 43A and the 2011 SPDI Rules are being phased out and effectively superseded by a far more detailed and enforceable framework.
The DPDP Act, 2023, itself provides that Section 43A will be omitted from the IT Act once the relevant provisions are brought into force, and the DPDP Rules, 2025, will then replace the earlier “reasonable security practices” standard with specific, mandatory security obligations.
The DPDP Rules set out specific security measures, such as encryption, access controls, monitoring, logging, and backup systems (for example, Rule 6 of the DPDP Rules, 2025). This shifts the focus from the earlier, vague idea of “reasonable practices” to a clearer, risk-based security standard.
For practical purposes, complying with the DPDP Rules, 2025 will generally mean that an organisation is meeting, and in most respects exceeding, what Section 43A and the SPDI Rules ever required.
What Security Measures the DPDP Rules Actually Require
It’s important to know this before a breach occurs, since the Data Protection Board will look closely at your security measures if a breach is reported.
The DPDP Rules 2025 (Rule 6) require Data Fiduciaries to implement the following minimum security safeguards:
- Secure personal data through encryption, obfuscation, masking or tokenisation, both when it is stored and when it is being sent.
- Set up access controls so that only employees who need certain data for their work can access it.
- Keep logs and monitor access to record who accessed which data and when.
- Back up your data to make sure you can recover it if it is lost or compromised.
- Make sure any third-party processing of your data is under a contract that requires them to follow the same safeguards.
If the company in our earlier example had encrypted the laptop, the stolen device would still count as a reportable breach, but the risk to affected individuals would be much lower, and regulators would likely pay less attention.
The takeaway is that good security measures lower both the harm from a breach and the regulatory fallout.
After the Breach: What Affected Individuals Can Do
Your customers whose data was on that laptop have rights under the DPDP Act:
- The right to know what data of theirs was involved
- The right to correction if any data about them is inaccurate
- The right to withdraw consent for future processing
- The right to file a complaint with the Data Protection Board if they believe their data was mishandled
You must address any such request within the grievance-response period you have published, which under the DPDP Rules cannot exceed 90 days. Failing to do so is a separate violation.
Building a Breach Response Plan Before It Happens
The best time to prepare for a data breach is before it happens. If you run a business that handles any customer personal data, and almost every business does, you need a basic breach response plan in place.
It doesn’t need to be a 50-page document. At a minimum, it should cover:
- Who is responsible for managing a breach response (an internal point of contact or external legal advisor)
- How to immediately contain a breach: remote wipe capability, credential revocation procedures, and log preservation
- What data you hold, where it is stored, and how many individuals it relates to
- Draft notification templates, so you’re not writing these from scratch at 2 AM after a breach
- CERT-In reporting process, the portal, the format, and the 6-hour timeline
- Data Protection Board reporting process, the 72-hour timeline, and what the report must contain
The DPDP Rules 2025 compliance deadline is May 13, 2027. That window is now actively running. Businesses that build this infrastructure now, rather than scrambling in early 2027, will be in a dramatically better position both legally and operationally.
Quick Reference: The Stolen Laptop Checklist
Print this. Keep it somewhere accessible.
| Action | Timeline | Who to Contact |
|---|---|---|
| Remotely wipe device (if possible) | Immediately | Your IT team |
| Revoke all employee credentials | Immediately | Your IT team |
| Identify all data on the device | Within 2–3 hours | IT + management |
| File initial report with CERT-In | Within 6 hours of awareness | cert-in.org.in |
| Assess the full scope (what data, whether encrypted, how many individuals) | Within 12–24 hours | Internal investigation |
| Notify affected individuals | Without delay (within 24–48 hours) | Direct communication |
| File breach report with Data Protection Board | Within 72 hours | Data Protection Board portal |
| Document all steps taken | Ongoing | Internal records |
| Address individual queries/complaints | Within 90 days | Designated contact person |
The laptop was password-protected but not encrypted. Does that change our legal position?
A password alone is not encryption. An operating-system login password protects against casual access but can be bypassed by anyone with basic technical skills, or simply by removing the storage drive and reading it on another machine. Full-disk encryption is different: the data on the drive is unreadable without the key. Note that even full-disk encryption only protects a device that is powered off or hibernated; a laptop stolen while merely asleep may still hold the key in memory. Under the DPDP Rules 2025, encryption of personal data is one of the specified security safeguards, so if the data on the laptop was not encrypted, this will be a material factor in any regulatory examination of whether your organisation maintained "reasonable security safeguards" under Rule 6. It does not mean you have automatically violated the law, since the full Rule 6 obligations are not mandatory until May 2027, but it weakens your position significantly if a complaint is filed.
We notified CERT-In but missed the 72-hour deadline for notifying the Data Protection Board. What happens now?
Notify the Data Protection Board as soon as possible; do not wait further. The Board has the power to take into account the steps you took to mitigate harm and whether you acted in good faith. A late notification is significantly better than no notification. When you file, include an explanation of why the 72-hour deadline was not met and what actions you took in the interim. The Board's penalty determination considers factors including the nature and gravity of the breach, whether it was intentional or negligent, and the steps taken to address it.
Does the employee whose laptop was stolen bear any legal liability?
Potentially yes, depending on the circumstances. If the employee violated company security policies (e.g., storing data locally when it should have been on a cloud system, or leaving the laptop unattended in a vehicle), they may face internal disciplinary action and, in some circumstances, civil liability. However, as the employer and Data Fiduciary, your business bears the primary legal responsibility for maintaining appropriate security safeguards. The obligations under the DPDP Act and CERT-In Directions fall on the business, not the individual employee.
One of our affected customers is threatening to file a complaint. What should we do?
Take it seriously and respond promptly. Under the DPDP Act, any individual whose data was involved in a breach has the right to file a complaint with the Data Protection Board. The best position to be in is one where you have already notified the individual of the breach, told them which data was involved, explained the steps you have taken, and provided a point of contact for their queries. If you've done all of this, you've demonstrated good faith. If the individual still files a complaint, respond cooperatively to the Board's investigation. Ignoring or being unresponsive to the Board dramatically worsens your legal position.
The stolen laptop also had employee data, salary information and ID documents. Does that change anything?
Yes. Employee personal data is also protected under the DPDP Act, although the Act itself (Section 7) recognises employment-related processing as a legitimate use that does not need separate consent. If the breach involves employee information such as health data, financial information, or identity documents, the same notification obligations apply to affected employees as to affected customers. You must notify the individuals whose data was compromised, regardless of whether they are customers or employees.
We are a very small business with no IT team and limited resources. Where do we even start with DPDP compliance?
Start with a data mapping exercise, simply understanding what personal data you collect, where it is stored, who has access to it, and what would happen if it were lost or stolen. This doesn't require expensive software. A simple documented inventory of: what data you hold, where it lives (laptop, server, cloud), who can access it, and how long you keep it, gives you a foundation. From there, the most impactful immediate steps are: enabling full-disk encryption on all employee devices, setting up remote wipe capability, and ensuring you have a point of contact designated for data protection matters. These can be implemented at minimal cost and will significantly reduce both your breach risk and your legal exposure.
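The inventory described in this answer, and the "find out exactly what data was on the device" step in the first six hours, both come down to the same question: which identifiers are in which files, and how many of them. The following is an added example (not code from the author of this article) of a small PII discovery pass that answers it. It assumes the files to inspect are supplied as a dictionary of file name to text; the regular expressions are heuristics for e-mail addresses, Indian mobile numbers, PAN and Aadhaar formats, and 12-digit Aadhaar candidates are additionally checked with the Verhoeff check digit UIDAI uses, so random 12-digit order numbers are not counted. The sample files, people and numbers are constructed for the example.

```python
"""PII discovery pass for breach triage and data mapping (added example).

Assumes files are given as {file name: text}; a real pass would read them from
the recovered device image, a backup or a synced folder instead.
"""
import re
from collections import defaultdict

# Heuristic patterns for identifiers an Indian business commonly holds.
# PAN and mobile are format checks only; Aadhaar candidates are also
# validated with the Verhoeff check digit below.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "indian_mobile": re.compile(r"(?<!\d)(?:\+91[\s-]?)?[6-9]\d{4}[\s-]?\d{5}(?!\d)"),
    "pan": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
    "aadhaar": re.compile(r"(?<!\d)[2-9]\d{3}[\s-]?\d{4}[\s-]?\d{4}(?!\d)"),
}
HIGH_RISK = {"pan", "aadhaar"}  # financial and government-ID data weigh heaviest

# Verhoeff tables: multiplication, position permutation and inverse in D5.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
_INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]

def verhoeff_valid(digits: str) -> bool:
    """True if the last digit of `digits` is its correct Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0

def verhoeff_check_digit(digits: str) -> str:
    """Check digit to append to `digits`; used here only to build the sample."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[(i + 1) % 8][int(ch)]]
    return str(_INV[c])

def find_identifiers(text: str) -> dict:
    """Return {category: set of normalised identifiers} found in `text`."""
    found = defaultdict(set)
    for cat, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if cat == "aadhaar":
                value = re.sub(r"\D", "", value)
                if not verhoeff_valid(value):
                    continue  # 12 digits, but not an Aadhaar number
            elif cat == "indian_mobile":
                value = re.sub(r"\D", "", value)[-10:]  # drop +91 and separators
            elif cat == "email":
                value = value.lower()
            found[cat].add(value)
    return dict(found)

def inventory(files: dict) -> dict:
    """Per-file summary: categories present, identifier count, high-risk flag."""
    report = {}
    for name, text in files.items():
        ids = find_identifiers(text)
        report[name] = {
            "categories": sorted(ids),
            "identifiers": sum(len(v) for v in ids.values()),
            "high_risk": bool(HIGH_RISK & set(ids)),
        }
    return report

def distinct_by_category(files: dict) -> dict:
    """Distinct identifiers across all files: a floor on how many people are affected."""
    totals = defaultdict(set)
    for text in files.values():
        for cat, values in find_identifiers(text).items():
            totals[cat] |= values
    return {cat: len(v) for cat, v in totals.items()}

# Constructed sample "device contents": hypothetical people and numbers.
_BASE = "23456789012"
AADHAAR_OK = _BASE + verhoeff_check_digit(_BASE)
AADHAAR_BAD = _BASE + str((int(AADHAAR_OK[-1]) + 1) % 10)  # wrong check digit
SAMPLE_FILES = {
    "clients.csv": ("name,email,mobile,pan\n"
                    "Asha Rao,asha.rao@example.com,+91 98765 43210,ABCDE1234F\n"
                    "Ravi Kumar,RAVI@example.org,9123456789,\n"),
    "onboarding.txt": (f"KYC received for Asha Rao. Aadhaar {AADHAAR_OK[:4]} "
                       f"{AADHAAR_OK[4:8]} {AADHAAR_OK[8:]}; contact asha.rao@example.com"),
    "notes.txt": f"Helpline 1800-123-4567. Order ref {AADHAAR_BAD} is not an ID.",
}

if __name__ == "__main__":
    for name, row in inventory(SAMPLE_FILES).items():
        print(name, row)
    print("distinct identifiers:", distinct_by_category(SAMPLE_FILES))
```

On the sample, `clients.csv` and `onboarding.txt` are flagged high risk (PAN and a valid Aadhaar number respectively), while the 12-digit order reference in `notes.txt` is rejected by the check digit and the file reports nothing. The distinct counts across files (two e-mail addresses, two mobiles, one PAN, one Aadhaar) give the floor for "how many individuals" that the notification step needs; pattern matching over-counts shared mailboxes and under-counts people with no identifier on file, so treat it as the starting inventory, not the final number.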
— — —
Disclaimer:
This article is published for general legal awareness and informational purposes only, and should not be construed as legal advice or a solicitation to act.
About the Author:
Joginder Poswal is an advocate enrolled with the Bar Council of Punjab & Haryana (Enrolment No. PH/9616/2023) and practising exclusively in non-litigation legal advisory, drafting, and consultation under Indian law.
For more information, please refer to the contact details provided on this website.
