Technology Law | 10 March 2026
Data Breach Response in India: What to Do in the First 6 Hours
CERT-In's 6-hour reporting obligation means you cannot wait for counsel to arrive after a breach. Here is the legal response framework every organisation must have in place.
Adv. Raghav Sharma
Partner, Corpus Juris Legal
On 28 April 2022, CERT-In published a direction under Section 70B(6) of the Information Technology Act 2000 that fundamentally changed India's cybersecurity incident response obligations. Among other requirements, it mandated that cybersecurity incidents be reported to CERT-In within six hours of detection.
**The 6-Hour Clock**
The 6-hour reporting obligation applies to a defined list of incident types, including:
- Targeted scanning of critical networks
- Compromise of critical systems
- Data breaches and data leaks
- Rogue mobile applications
- Financial fraud involving computer systems
- Attacks on Internet of Things devices
- Ransomware attacks
- Attacks on cloud infrastructure
The 6-hour period runs from detection — not from the commencement of the attack. Detection is defined broadly.
**What to Report to CERT-In**
The CERT-In portal (https://incident.cert-in.org.in) requires:
- Nature and description of the incident
- Date and time of detection
- Number of affected systems
- IP addresses of affected systems
- Systems/services affected
- Data compromised (type and volume)
- Impact assessment
**The DPDP Act Reporting Layer**
Separately, the DPDP Act 2023 will require notification of personal data breaches to the Data Protection Board. The Rules are expected to specify timelines for this obligation — likely within 72 hours of the organisation becoming aware of a breach affecting personal data.
**The Legal Response Framework**
Every organisation should have a data breach response plan that covers:
1. **Identification and containment** — who is responsible for identifying and containing the breach
2. **Legal notification** — who triggers the CERT-In notification and what they say (important: notification content must be accurate)
3. **Regulatory coordination** — identification of all applicable reporting obligations (CERT-In, DPDP Board, RBI for banks, IRDAI for insurers, SEBI for market intermediaries)
4. **Customer notification** — when and how affected individuals will be notified
5. **Communications** — media and stakeholder communications strategy
6. **Preservation** — preservation of forensic evidence for potential litigation and regulatory proceedings
**The Strategic Importance of Pre-Incident Preparation**
A breach without a response plan results in CERT-In notifications that contain inaccurate information, missed regulatory notifications, and communications that create rather than resolve legal exposure. The organisation that has rehearsed its response is in a fundamentally different position to one that has not.