Q2 - What happens if a company reports a breach late — is the penalty automatic?
No. The penalty for late reporting of a personal data breach under the Digital Personal Data Protection Act, 2023 (DPDPA) is not automatic. It becomes likely, however, if the Data Protection Board of India finds that the delay was unreasonable, deliberate, or negligent, or that it increased the risk of harm to the affected individuals.
The Act gives the Board discretion to assess the circumstances of each case. A monetary penalty can only follow an inquiry in which the Board determines that the breach of the Act is significant, and only after the company has been given an opportunity to be heard (Section 33(1)).
1. Legal Basis
Section 8(5) and 8(6) (paraphrased):
A Data Fiduciary must protect the personal data in its possession or under its control by taking reasonable security safeguards to prevent a personal data breach (sub-section (5)). In the event of a personal data breach, it must intimate the Board and each affected Data Principal in such form and manner as may be prescribed (sub-section (6)).
Section 33(2) (paraphrased):
In determining the amount of a penalty, the Board must have regard to the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; whether the person gained or avoided a loss as a result; whether the person took action to mitigate the effects and consequences of the breach, and how timely and effective that action was; whether the penalty is proportionate and effective as a deterrent; and the likely impact of the penalty on the person.
Note that "breach" in Section 33 means a breach of an obligation under the Act, which includes the duty to notify, not only the underlying security incident. Penalties therefore follow an evaluation of these factors; they are not imposed automatically.
2. How the Board Evaluates Late Reporting
When a company reports a data breach late, the Board examines:
- How long the delay was after the company became aware of the breach.
- Why the company failed to report promptly, for example internal confusion, an incomplete investigation, or deliberate suppression.
- Whether the delay caused harm to Data Principals (such as identity theft, fraud, or loss of trust).
- What steps the company took to contain or mitigate the impact before reporting.
If the Board finds the delay reasonable or justified, it may issue only a warning or directions, or accept a voluntary undertaking from the company (Section 32) instead of imposing a penalty.
But if the delay appears avoidable or strategic, a monetary penalty can follow.
3. Penalty Range
| Violation Type | Relevant Section | Maximum Penalty |
|---|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | Section 8(5); Schedule, Entry 1 | Up to ₹250 crore |
| Failure or delay in notifying the Board or affected Data Principals of a personal data breach | Section 8(6); Schedule, Entry 2 | Up to ₹200 crore |
The Board decides the final amount based on proportionality and impact.
For example:
- A small, quickly contained breach that is reported promptly might attract no fine, or only a warning.
- A delayed report involving millions of affected users could result in a severe penalty.
4. Practical Example
Both scenarios below are illustrative, and the penalty figure is hypothetical.
A fintech platform detects a data breach exposing customer transaction records but waits 10 days to report it, citing internal verification delays.
The Data Protection Board finds that the company had enough information to report earlier and that the delay increased the risk of harm to users.
It imposes a ₹40 crore penalty and directs the company to improve its breach detection and reporting processes.
Another company reports a minor data exposure within 24 hours, takes remedial steps, and keeps the Board informed of its progress.
Even though the breach affected some users, the Board imposes no penalty, recognizing the company's good faith and prompt response.
5. Key Takeaway
- Late reporting is not automatically penalized, but it is closely scrutinized.
- The Data Protection Board evaluates intent, impact, and the quality and timeliness of the response.
- Acting transparently and promptly can significantly reduce, or avoid, a penalty.
Referenced Provisions:
- Section 8(5) – Obligation to take reasonable security safeguards to prevent a personal data breach.
- Section 8(6) – Obligation to intimate the Board and each affected Data Principal of a personal data breach.
- Section 32 – Voluntary undertaking accepted by the Board in lieu of proceedings.
- Section 33(1)–(2) – When a monetary penalty may be imposed, and the factors considered in determining its amount.
- Schedule (Entries 1 and 2) – Failure to take reasonable security safeguards punishable up to ₹250 crore; failure to notify a personal data breach punishable up to ₹200 crore.