A data breach is any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of that data. Under Indian law, two reporting obligations apply in parallel. Section 8(6) of the Digital Personal Data Protection Act, 2023 requires data fiduciaries to notify both the Data Protection Board of India and each affected data principal "without delay" upon discovering a personal data breach, with detailed reporting within 72 hours under the DPDP Rules, 2025. Separately, CERT-In requires all entities to report cybersecurity incidents, including data breaches, within 6 hours of detection.
Legal definition
The Digital Personal Data Protection Act, 2023 defines a personal data breach as follows:
Section 2(u) — "Personal data breach": Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
The notification obligation is established under:
Section 8(6): In case of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.
The DPDP Rules, 2025 prescribe that notification to the Data Protection Board must include the nature of the breach, the categories and approximate number of data principals affected, the likely consequences, and the measures taken or proposed. Notification to affected data principals must include a description of the breach, its likely consequences, and measures taken to mitigate harm.
Additionally, under CERT-In Directions of April 2022 (issued under Section 70B of the IT Act), all entities must report cybersecurity incidents — including data breaches, data leaks, and unauthorised access to systems — to CERT-In within 6 hours of noticing or being brought to notice of the incident. This is among the most stringent breach reporting timelines in the world.
How courts have interpreted this term
K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1]
The nine-judge bench of the Supreme Court held that informational privacy — the right to control one's personal data — is a fundamental right under Article 21. The judgment established that any entity processing personal data owes a duty to protect it against unauthorised access and disclosure, providing the constitutional foundation for breach notification obligations. The Court held that data protection legislation must include adequate safeguards for data security.
Dhiren Prajapati v. State of Gujarat [(2021) — Gujarat High Court]
The Gujarat High Court addressed a data breach involving personal records in a government database. The Court observed that data breaches affecting citizens' personal information engage the right to privacy and that the data custodian has an obligation to implement adequate security measures. While pre-dating the DPDP Act, the judgment reinforced the duty of care owed by data custodians.
Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal [(2020) 7 SCC 1]
The Supreme Court's ruling on the mandatory nature of Section 65B certificates for electronic evidence has direct implications for data breach litigation. In breach-related disputes, the authenticity and integrity of electronic evidence proving the breach must be established through proper certification — making forensic evidence handling critical.
Why this matters
India has experienced several high-profile data breaches affecting millions of users, including breaches at financial institutions, telecom operators, e-commerce platforms, and government databases. The DPDP Act creates, for the first time, a comprehensive statutory framework for breach notification and accountability in India.
For data fiduciaries (organisations processing personal data), the obligations are significant. Upon discovering a breach, they must notify the Data Protection Board and affected data principals "without delay," with detailed reporting within 72 hours. The penalty for failure to implement reasonable security safeguards leading to a breach is up to Rs 250 crore under Schedule I of the DPDP Act. Failure to notify the Board or affected data principals attracts an additional penalty of up to Rs 200 crore. These are among the highest data protection penalties in the world.
For data principals (individuals whose data is breached), the DPDP Act provides the right to receive breach notification, the right to file complaints with the Data Protection Board, and the right to seek compensation through the Board's adjudication process. Affected individuals should also immediately change passwords, monitor financial accounts for suspicious activity, and consider locking biometric authentication.
For organisations, a robust incident response plan is no longer optional but a legal necessity. This must include mechanisms for breach detection, internal escalation protocols, notification templates for the Board and data principals, forensic investigation capacity, and remediation procedures — all capable of being activated within the 6-hour CERT-In timeline and the 72-hour DPDP timeline.
Frequently asked questions
What is the deadline for reporting a data breach in India?
There are two parallel timelines. Under CERT-In Directions (2022), all cybersecurity incidents including data breaches must be reported to CERT-In within 6 hours of detection. Under the DPDP Rules, 2025, data fiduciaries must notify the Data Protection Board and affected data principals "without delay" with detailed reporting within 72 hours. Both obligations run concurrently and apply independently.
What are the penalties for failing to prevent or report a data breach?
Under the DPDP Act, failure to implement reasonable security safeguards leading to a breach attracts a penalty of up to Rs 250 crore. Failure to notify the Data Protection Board or affected data principals attracts a penalty of up to Rs 200 crore. Under the IT Act, failure to report a cybersecurity incident to CERT-In attracts penalties under Section 70B(7). Additionally, affected individuals may file civil suits for compensation.
Does every data breach need to be reported?
Under the DPDP Act, every personal data breach must be reported to the Data Protection Board and affected data principals. There is no materiality threshold — any breach compromising the confidentiality, integrity, or availability of personal data triggers the notification obligation. Under CERT-In Directions, all cybersecurity incidents (not just personal data breaches) must be reported within 6 hours.
This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.
Last updated: 2026-03-27. Veritect provides this content for informational purposes only; it does not constitute legal advice.