Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual who is not authorized to do so. Local data protection regulations require data controllers to report such breaches in certain circumstances.
Under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, companies and individuals are required to report specific types of cyber security incidents to the Indian Computer Emergency Response Team (CERT-In) as soon as possible. These include:
- targeted scanning or probing of critical systems/networks
- compromise of critical systems and information
- unauthorized access to IT systems and data
- defacement of a website or intrusion into a website and unauthorized changes
- malicious code attacks
- attacks on servers and network devices
- identity theft, spoofing, phishing attacks
- denial of service and distributed denial of service attacks
- attacks on critical infrastructure, SCADA systems and wireless networks
- attacks on applications (e-governance, e-commerce, etc.)
In addition to these reporting obligations, CERT-In can request information from, and issue directions to, entities on matters relating to cybersecurity under the Information Technology Act, 2000 and its amendments; noncompliance carries potential penalties, including jail time.
HR Best Practices: Follow all security and data protection controls set out in your company's security policies, including regular audits by independent agencies. In the event of a possible cybersecurity incident, report it to the Indian Computer Emergency Response Team (CERT-In) as soon as possible.