Introduction: The Critical 72-Hour Window
In the digital age, data breaches are not a matter of if but when. The Digital Personal Data Protection Act (DPDPA), 2023, recognizes this reality and establishes one of the world's most stringent breach notification timelines: 72 hours. Unlike GDPR's flexible approach or CCPA's 30-day grace period, India's framework demands immediate action. This guide provides a comprehensive roadmap for organizations to respond effectively within this critical window.
Understanding Data Breach Under DPDPA
Section 2(f) of DPDPA defines a data breach as "unauthorized disclosure of personal data that compromises the confidentiality, integrity, or availability of the information." This broad definition encompasses not just cyberattacks but also accidental disclosures, insider threats, and physical security failures.
What Constitutes a Reportable Breach?
- Unauthorized Access: Hacking, credential compromise, or system infiltration
- Unauthorized Disclosure: Accidentally exposing data through misconfigured databases or misdirected emails
- Data Modification: Unauthorized alteration of personal data affecting accuracy
- Data Deletion: Ransomware attacks or malicious data destruction
- Business Email Compromise: Phishing attacks leading to credential theft
- Insider Threats: Employees or contractors accessing data without authorization
The 72-Hour Incident Response Flowchart
The DPDPA mandates a structured timeline with specific actions at each stage:
| Time Frame | Action Required | Responsible Department | Documentation |
|---|---|---|---|
| 0-2 Hours | Detect breach, verify authenticity, activate incident response team | Security Operations, IT | Incident log, alert timestamps |
| 2-6 Hours | Assess scope, identify affected data principals, preserve evidence | Incident Response Team, Forensics | Breach assessment report, evidence chain |
| 6-24 Hours | Contain breach, notify internal stakeholders, prepare DPB notification | CISO, Legal, Compliance | Containment report, notification draft |
| 24-72 Hours | Submit formal notification to Data Protection Board | Legal/Compliance Officer | Formal DPB notification, proof of submission |
| 72+ Hours | Notify data principals, conduct forensic investigation, remediation | All departments, External Forensics | Communication logs, investigation report |
Step-by-Step Incident Response Process
Phase 1: Detection and Verification (0-2 Hours)
Objective: Confirm the breach and prevent further data exposure.
Actions:
- Isolate affected systems immediately
- Disable compromised user accounts
- Verify the breach through multiple sources (logs, alerts, third-party reports)
- Activate the incident response team
- Document all observations with timestamps
Tools and Technologies:
- SIEM (Security Information and Event Management) systems
- Network segmentation and firewall rules
- Account-disabling and two-factor authentication controls
- Event logging and monitoring platforms
Phase 2: Assessment and Scoping (2-6 Hours)
Objective: Understand the full extent of the breach.
Actions:
- Review access logs to determine when the breach began
- Identify all affected data types (PII, financial data, health records)
- Count affected data principals
- Determine breach severity category (see Severity Matrix below)
- Preserve digital evidence for forensic investigation
Critical Information to Gather:
- Date and time of breach discovery
- Date and time of breach occurrence (if different)
- Number of data principals affected
- Types of data compromised
- Whether data was encrypted or protected
- Potential threat actor (external/internal)
Phase 3: Containment (6-24 Hours)
Objective: Stop ongoing data exposure.
Actions:
- Patch vulnerabilities that enabled the breach
- Revoke compromised credentials
- Deploy security controls to prevent recurrence
- Monitor for lateral movement or data exfiltration
- Engage external incident response firm if needed
Phase 4: Notification Preparation (24-72 Hours)
Objective: Prepare comprehensive notification for Data Protection Board.
The notification must include:
- Detailed description of the breach
- Date and time of discovery
- Scope (number of affected data principals, data types)
- Actions taken for containment
- Assessment of potential harm
- Measures to be taken for remediation
- Contact information for further inquiry
Data Breach Severity Classification Matrix
| Severity Level | Criteria | Examples | Notification Priority |
|---|---|---|---|
| Critical | Breach involving sensitive data (financial, health, biometric) affecting >50,000 principals | Bank customer database, health records, Aadhaar-linked data | Within 24 hours |
| High | Sensitive data affecting 1,000-50,000 principals, or any biometric data | Email lists with passwords, customer phone numbers with SSN | Within 48 hours |
| Medium | Non-sensitive data affecting >10,000 principals or sensitive data affecting <1,000 | Marketing contact lists, semi-public information | Within 72 hours |
| Low | Limited exposure to non-sensitive data | Publicly available information accidentally exposed | Full documentation required even if not severely impactful |
Data Protection Board Notification Template
To: Data Protection Board of India
Subject: Data Breach Notification Under Section 6, DPDPA, 2023
Date of Notification: [Date]
1. Organization Details:
Name: [Organization Name]
Registration Number: [DPB Registration Number]
Address: [Registered Address]
Contact Person: [Designated DPO or Compliance Officer]
Email: [Contact Email]
Phone: [Contact Phone]
2. Breach Details:
Date of Breach Discovery: [Date]
Date of Breach Occurrence: [Date, if different]
Time of Discovery: [Time]
Method of Discovery: [Self-discovery/Third-party report/Law enforcement]
3. Scope of Breach:
Number of Affected Data Principals: [Number]
Types of Personal Data Compromised: [List specific data types]
Method of Breach: [Hacking/Insider threat/Accidental disclosure/Physical theft/etc.]
Was Data Encrypted: [Yes/No]
Was Data Pseudonymized: [Yes/No]
4. Impact Assessment:
Potential Harm to Data Principals: [Describe potential consequences]
Risk of Identity Theft: [Low/Medium/High]
Risk of Financial Loss: [Low/Medium/High]
Risk of Discrimination: [Low/Medium/High]
5. Containment Measures:
[Describe immediate actions taken to stop the breach]
6. Remediation Plan:
[Describe long-term measures to prevent recurrence]
7. Notification to Data Principals:
Date of Notification to Principals: [Date]
Method of Notification: [Email/SMS/In-person/etc.]
Information Provided: [Summary of provided information]
Post-Breach Audit Checklist
After initial notification, complete a comprehensive audit:
| Audit Item | Status | Evidence/Notes | Responsible |
|---|---|---|---|
| Root cause analysis completed | ☐ | | Forensics Team |
| Forensic investigation report prepared | ☐ | | External Expert |
| All affected systems patched | ☐ | | IT/Security |
| Security controls assessment completed | ☐ | | Security Team |
| Data principals offered remedial services | ☐ | | Communications |
| Incident response plan updated | ☐ | | CISO |
| Staff training conducted on lessons learned | ☐ | | HR/Training |
| Notification records maintained for 3 years | ☐ | | Compliance |
Case Study: Air India Data Breach (2021) - Lessons for DPDPA
Incident Overview: In October 2021, Air India suffered a data breach affecting approximately 4.5 million customers. Personal information, including names, email addresses, phone numbers, passport numbers, and frequent flyer data, was compromised through a vulnerable web application.
What Went Wrong:
- Delayed Detection: The breach occurred in February 2021 but wasn't discovered until August 2021 - a 6-month gap
- No Immediate Containment: The vulnerable application remained accessible for months
- Inadequate Security Measures: Lack of proper authentication mechanisms on critical systems
- Poor Incident Response: No structured procedure for breach response and notification
Lessons for DPDPA Compliance:
- Continuous Monitoring: Deploy 24/7 security monitoring to detect breaches within hours, not months
- Vulnerability Management: Regular penetration testing and vulnerability scanning should have identified the weakness
- Incident Response Team: A dedicated team should have been activated immediately upon detection
- Documentation: Every step must be documented for DPB notification and regulatory compliance
- Third-Party Accountability: For Air India, cloud service providers also bear responsibility for security
DPDPA Impact: Under the new law, Air India would face:
- Mandatory DPB notification within 72 hours
- Penalties up to Rs. 2 crore for delayed notification
- Additional penalties for inadequate security measures
- Potential suspension of data processing operations
- Mandatory credit monitoring services for affected principals
Critical Don'ts During Breach Response
What NOT to Do During a Breach:
- Don't Delay Notification: Every hour matters. The 72-hour window is strict and non-negotiable.
- Don't Attempt Cover-Up: Concealment violates DPDPA and attracts higher penalties than the breach itself.
- Don't Communicate Inconsistently: Ensure all notifications to DPB and data principals contain consistent information.
- Don't Destroy Evidence: Preserve all logs, communications, and forensic data for investigation.
- Don't Make Premature Promises: Don't guarantee breaches won't happen again; instead, outline concrete improvements.
- Don't Ignore Affected Individuals: Provide them with actionable steps to protect themselves.
- Don't Rely Solely on External Vendors: While third-party incident response is valuable, ultimate responsibility rests with the organization.
Philosophy: Trust and Transparency in Data Handling
The Fiduciary Principle Behind DPDPA:
DPDPA's 72-hour notification requirement reflects a fundamental philosophical shift from India's previous data protection framework. Rather than treating data protection as a technical compliance checkbox, DPDPA explicitly embraces the fiduciary relationship between data fiduciaries (organizations) and data principals (individuals).
A fiduciary owes a duty of care, loyalty, and transparency. This means:
- Transparency First: When a breach occurs, immediate disclosure is not punishment but an affirmation of trust. Organizations that hide breaches violate the fundamental trust placed in them.
- Accountability Matters: The 72-hour window isn't arbitrary; it reflects the belief that accountability must be swift and visible.
- Individual Empowerment: By notifying data principals quickly, they gain agency to protect themselves (change passwords, monitor credit, etc.).
- System Integrity: Swift, transparent breach reporting strengthens the entire data protection ecosystem by creating incentives for better security.
This approach contrasts sharply with earlier "whisper campaigns" where organizations would downplay or hide breaches. DPDPA establishes that breach transparency is the foundation of trust, not its violation.
Regulatory References and Guidance
- DPDPA, 2023: Section 6 (notification of personal data breach), Section 2(f) (definition of breach)
- Data Protection Rules, 2025: Rules governing breach notification procedures and documentation
- Data Protection Board Guidance: Recent circulars on acceptable notification formats and timelines
- International References: GDPR Article 33 for comparative framework, NIST Cybersecurity Framework for incident response procedures
Conclusion: Preparation is Prevention
Data breaches are inevitable in the digital world. However, with proper preparation and a documented incident response plan, organizations can navigate the critical 72-hour window effectively. The key is not to avoid breaches entirely, but to respond swiftly, transparently, and in full compliance with DPDPA requirements.
Organizations that invest in breach response planning today will find themselves better equipped to protect their data principals and maintain regulatory compliance when incidents occur.