Rule 7: Intimation of Personal Data Breach

When a personal data breach occurs, timing and transparency are everything. Rule 7 of the Draft Rules requires that both the Data Protection Board of India and the affected individuals be informed without delay.

A personal data breach is any event where personal information is accidentally exposed, altered, destroyed, or accessed by someone who is not authorized to do so.

Critical Point

The law is clear: hiding a breach is not an option.
The Data Fiduciary must report the breach to the Board, typically within seventy-two hours of becoming aware of it.


The notice should include:

  • The nature of the breach
  • The categories of data affected
  • The number of individuals impacted
  • The remedial steps taken

If the breach has serious consequences for individuals, the organization must also notify the affected Data Principals directly.


Example Scenario

Consider ABC Bank Ltd., which discovers that hackers gained unauthorized access to its online banking portal, exposing account numbers, linked Aadhaar details, and registered mobile numbers (e.g., 7890XXXXXXX).

Within 72 hours, ABC Bank must file a breach report with the Data Protection Board, explaining what happened and what actions are being taken to secure the systems.

At the same time, it must notify its customers like Krishna and Govind, advising them to reset passwords and remain alert for suspicious activity.


The purpose of this rule is twofold:

  1. To give regulators the information they need to oversee the situation.
  2. To empower individuals to protect themselves when their data has been compromised.

In practice, this rule raises the standard of accountability for all industries — from insurance companies handling health claims, to crypto exchanges storing trading wallets, to social media platforms managing personal profiles.

Every organization must be prepared to respond to a breach immediately, not after weeks of internal discussions.