Q2 - What happens if a company reports a breach late — is the penalty automatic?

Answer
  • Companies must notify the Data Protection Board within 72 hours of becoming aware of the breach.
  • If the report is delayed, the Board will examine whether there was a reasonable justification.
  • If no valid reason exists, penalties can apply.
Example

ABC E-commerce discovers on 1st July that its customer database was leaked.

  • If it reports only on 10th July without any valid reason, the Board can impose fines, even if customers did not suffer financial harm.
  • If the company can show that it genuinely detected the breach only on 8th July (e.g., after forensic review), it may escape penalties.