Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by someone who is not authorized to do so. Local data protection regulations require data controllers to report such breaches in certain circumstances.
Companies and individuals are required to report specific types of cyber security incidents to the Indian Computer Emergency Response Team (CERT-In) as early as possible under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013. The incident types that must be reported include:
- targeted scanning or probing of critical systems/networks
- compromise of critical systems and information
- unauthorized access to IT systems and data
- defacement of a website or intrusion into a website and unauthorized changes
- malicious code attacks
- attacks on servers and network devices
- identity theft, spoofing and phishing attacks
- Denial of Service and Distributed Denial of Service attacks
- attacks on critical infrastructure, SCADA systems and wireless networks
- attacks on applications (e-governance, e-commerce, etc.)
In addition to these reporting obligations, Section 70B of the Information Technology Act, 2000 (as amended) allows CERT-In to call for information from, and issue directions to, service providers, intermediaries, data centres and body corporates on matters of cybersecurity. Failing to provide the information or to comply with a direction is punishable with imprisonment of up to one year, a fine of up to one lakh rupees, or both. Note that CERT-In's directions of 28 April 2022, issued under Section 70B(6), have since tightened the reporting window to six hours from noticing an incident and extended the list of reportable incident types.
In the event of a security breach, a company must be able to demonstrate, when called upon by the agency mandated under the law, that it has implemented the security control measures set out in its documented information security programme and policies (Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011). The same rules expect those documented practices to be audited at least once a year, or after any significant upgrade of processes or computer resources, by an independent auditor approved by the Central Government.
HR Best Practices: Follow the security and data protection controls set out in your company's security policies, and keep evidence that they are in place (including the regular audits by an independent agency that the rules require). If a cybersecurity incident is suspected, report it to the Indian Computer Emergency Response Team as early as possible.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.