Module 2 · Part 3

Security Safeguards & Breach Management

Navigate the security obligations under Section 8(5) and the critical breach notification requirements under Section 8(6) — with penalties up to ₹250 Crores at stake.

Duration: 55-65 minutes · Sections covered: 8(5), 8(6) · 💰 Maximum penalty: ₹250 Cr

🎯 Introduction

In the digital age, a data breach can destroy years of carefully built trust in moments. The November 2022 ransomware attack on AIIMS Delhi disrupted India's premier medical institution for weeks. The 2023 CoWIN data exposure raised alarm about the safety of vaccination records. These incidents underscore why security safeguards and breach management are existential imperatives, not mere compliance checkboxes.

₹250 Cr: Security Safeguard Failure (Schedule, Entry 1)
₹200 Cr: Breach Notification Failure (Schedule, Entry 2)

🏛️ The Philosophy of Security

Security is not merely a technical exercise but an ethical obligation rooted in the fiduciary relationship. As Kant's categorical imperative demands: treat persons as ends in themselves, never merely as means. A Data Fiduciary that neglects security treats Data Principals as mere data points — instrumentalised for profit without regard for their dignity. Security safeguards operationalise the respect owed to every Data Principal.

"The right to privacy includes the right to have one's personal data protected against unauthorized access, use, or disclosure. This imposes a positive obligation on entities collecting personal data to implement appropriate safeguards."
— Justice Sanjay Kishan Kaul, K.S. Puttaswamy (2017) 10 SCC 1

🔒 Section 8(5): Security Safeguards

📖 DPDPA 2023, Section 8(5)

"A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach."

Deconstructing Section 8(5)

🔑 "In its possession or under its control"

This extends beyond data physically stored on the fiduciary's servers. Cloud-hosted data, data with outsourced processors, and data in transit all remain the fiduciary's responsibility. The locus of data is irrelevant — control triggers the security obligation.

🔑 "Including... processing by a Data Processor"

The Data Fiduciary cannot outsource liability. Even when a Data Processor handles the actual processing, the Fiduciary remains accountable for security. This creates a cascading obligation: fiduciary → processor → sub-processor. Section 8(2) permits a fiduciary to engage a processor only under a valid contract, so contractual security requirements are essential: minimum controls, audit rights, approval of sub-processors, and an obligation on the processor to report incidents back to the fiduciary within hours rather than days, since the fiduciary's own notification clock under Section 8(6) starts when it becomes aware.

🔑 "Reasonable security safeguards"

The critical qualifier. The law doesn't mandate specific technologies. Instead, it requires what is "reasonable" given the circumstances — a flexible standard that evolves with technology and threat landscape.

⚖️ The "Reasonable" Standard

The DPDPA doesn't define "reasonable security safeguards", a deliberate choice allowing flexibility. Courts and the Data Protection Board will interpret reasonableness based on factors such as:

| Factor | Consideration | Example |
|---|---|---|
| Sensitivity of Data | Higher sensitivity demands stronger safeguards | Financial or health data warrants encryption and tight access control; data already public may need less |
| Volume of Data | Larger datasets justify more security investment | 1 crore users vs. 100 customers |
| Industry Standards | What peers in the industry implement | Banks follow RBI guidelines; healthcare follows NABH |
| Cost Proportionality | Proportionate to organisation size | Startups vs. enterprises have different capabilities |
| Threat Landscape | Known vulnerabilities and attack vectors | Ransomware protection critical post-2020 |

Note that the DPDPA, unlike the 2011 SPDI Rules, has no statutory category of "sensitive personal data". Sensitivity matters because it drives the harm a breach can cause to the Data Principal, not because the Act tiers the data.

⚖️ Precedent: IT (Reasonable Security Practices) Rules, 2011

Under Section 43A of the IT Act, 2000, Rule 8 of the 2011 Rules defined "reasonable security practices and procedures" by reference to ISO/IEC 27001 or another industry-approved standard, backed by a documented security policy and periodic audit. Section 44 of the DPDPA omits Section 43A, so those Rules lose their statutory footing, but they remain the only Indian precedent for how "reasonable" has been read in practice. Certification against ISO 27001, SOC 2, or PCI DSS is strong evidence of reasonableness, though not a safe harbour: a certified organisation that leaves an unpatched, internet-exposed database holding personal data will still struggle to show its safeguards were reasonable for that data.

🛡️ Technical Security Controls

While the DPDPA doesn't mandate specific technologies, industry practice suggests these essential controls:

🔐 Encryption: Data at rest (AES-256) and in transit (TLS 1.2 or later, preferably 1.3). Keys held in a KMS or HSM, separated from the data they protect, and rotated on a schedule.

🔑 Access Control: RBAC, least privilege, MFA, privileged access management (PAM), and periodic access reviews that remove dormant or over-broad entitlements.

📊 Monitoring & Logging: SIEM, tamper-evident audit trails, anomaly detection, real-time alerting. Retain logs long enough to reconstruct an incident; CERT-In's 2022 directions require ICT system logs to be kept for a rolling 180 days.

🧪 Vulnerability Management: Regular VAPT, timely patching, secure SDLC practices.

🔥 Network Security: Firewalls, IDS/IPS, network segmentation, DDoS protection.

💾 Backup & Recovery: Regular backups, tested restores, the 3-2-1 rule, and at least one offline or immutable copy so that ransomware cannot encrypt the backups along with the primary data.

👥 Employee Training: Security awareness, phishing simulations, a clear internal incident-reporting path.

📋 Third-Party Risk: Vendor assessments, contractual requirements, regular audits.

📝 NIST Cybersecurity Framework

1. Identify: Asset inventory, risk assessment
2. Protect: Access control, encryption, training
3. Detect: Monitoring, anomaly detection
4. Respond: Incident response, communications
5. Recover: Recovery planning, improvements

Mapping controls to NIST demonstrates systematic "reasonableness": it shows the safeguards were chosen from a risk assessment rather than assembled ad hoc. NIST CSF 2.0 (2024) adds a sixth function, Govern, covering policy, roles and supply-chain oversight, which maps naturally onto the fiduciary's accountability for its processors under Section 8.

🚨 Section 8(6): Breach Notification

📖 DPDPA 2023, Section 8(6)

"In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed."

Dual Notification Requirement

Board: the Data Protection Board of India. Regulatory notification for oversight.
Affected Data Principals: each Data Principal affected. Individual notification so that they can take steps to protect themselves.

📖 Personal Data Breach Definition

📖 DPDPA 2023, Section 2(u)

"'personal data breach' means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data"
| Category | Examples | CIA Impact |
|---|---|---|
| Unauthorised Processing | Employee accessing without authorisation; processing beyond consent | Confidentiality |
| Accidental Disclosure | Email to wrong recipient; public upload of private files | Confidentiality |
| Unauthorised Acquisition | Hacking, phishing, malware attacks | Confidentiality |
| Alteration | Data tampering, SQL injection | Integrity |
| Destruction / Loss of Access | Ransomware, malicious deletion, DoS | Availability |

⚠️ Broad Definition

Note that "accidental" incidents are included, not just malicious attacks. An employee emailing a spreadsheet to the wrong person is a breach. A misconfiguration exposing data is a breach even if no one is proved to have read it, because confidentiality has been compromised the moment the data became reachable. The standard is whether confidentiality, integrity or availability is compromised; intent is irrelevant.

⏱️ Breach Response Timeline

The Act itself sets no clock: Section 8(6) leaves form, manner and timing to the Rules. The DPDP Rules (published in draft in January 2025) require intimation of each affected Data Principal and the Board without delay on becoming aware of a breach, with a detailed report to the Board within 72 hours or such longer period as the Board allows. The plan below is an operational target built around that, not a statutory schedule.

Hour 0-1: Detection & Containment (immediate action)

Confirm the breach, activate the IR team, isolate affected systems, revoke compromised credentials, and preserve evidence (logs, disk and memory images) before any rebuild destroys it.

Hour 1-24: Assessment (critical analysis)

Determine scope, identify the affected data and Data Principals, and assess severity. Record what is known and what is still unconfirmed; notification does not wait for certainty.

Hour 24-72: Notification Preparation (documentation)

Prepare the Board report, draft Data Principal communications, and coordinate legal, security and communications teams.

Within 72 hours: Board Notification (regulatory compliance)

File the detailed report with the Data Protection Board in the prescribed form; the initial intimation should already have gone out without delay.

Promptly: Data Principal Notification (individual rights)

Notify each affected individual with clear information on what happened, the likely consequences, and the steps they can take to protect themselves.
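The Monitoring & Logging control above and the Hour 1-24 assessment step come down to the same mechanics: run detection rules over the audit trail, then turn the hits into the list of affected Data Principals and the CIA property compromised. The following Python script is an added example written for this page, not code from the original page or from any product. The log format, the role-to-action policy, the internal network range, the bulk-access threshold and the sample events are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log (assumed "timestamp key=value ..." format, not
# from any real system). Each record stands in for the Data Principal it describes.
SAMPLE_LOG = """\
2025-03-04T09:02:11Z user=nurse_17 role=nurse action=read record=P1001 src=10.0.4.12
2025-03-04T09:03:40Z user=nurse_17 role=nurse action=update record=P1001 src=10.0.4.12
2025-03-04T22:15:03Z user=billing_03 role=billing action=read record=P1001 src=10.0.9.7
2025-03-04T22:15:04Z user=billing_03 role=billing action=read record=P1002 src=10.0.9.7
2025-03-04T22:15:05Z user=billing_03 role=billing action=read record=P1003 src=10.0.9.7
2025-03-04T22:15:06Z user=billing_03 role=billing action=read record=P1004 src=10.0.9.7
2025-03-04T22:15:07Z user=billing_03 role=billing action=read record=P1005 src=10.0.9.7
2025-03-04T22:15:08Z user=billing_03 role=billing action=read record=P1006 src=10.0.9.7
2025-03-04T23:40:10Z user=svc_backup role=service action=delete record=P3001 src=203.0.113.5
"""

# Assumed policy: least-privilege action set per role, internal networks,
# and what counts as bulk access.
ROLE_ACTIONS = {"nurse": {"read", "update"}, "billing": {"read"}, "service": {"read", "write"}}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BULK_THRESHOLD = 5                  # distinct records by one user ...
BULK_WINDOW = timedelta(minutes=5)  # ... within this window

# Which CIA property an unauthorised action compromises (mirrors the Section 2(u) table).
CIA_IMPACT = {"read": "confidentiality", "update": "integrity",
              "write": "integrity", "delete": "availability"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    record: str
    src: str


@dataclass
class Alert:
    rule: str
    user: str
    records: list
    cia: str


def parse_log(text):
    """Parse the assumed 'timestamp k=v k=v ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            f["user"], f["role"], f["action"], f["record"], f["src"]))
    return events


def detect(events):
    """Apply three detection rules and return the alerts they raise."""
    alerts = []
    for e in events:
        impact = CIA_IMPACT.get(e.action, "unknown")
        # Rule 1: action outside the role's permitted set (unauthorised processing).
        if e.action not in ROLE_ACTIONS.get(e.role, set()):
            alerts.append(Alert("role_violation", e.user, [e.record], impact))
        # Rule 2: activity from outside internal networks (possible external acquisition).
        if not any(ipaddress.ip_address(e.src) in net for net in INTERNAL_NETS):
            alerts.append(Alert("external_source", e.user, [e.record], impact))
    # Rule 3: bulk access, a sliding window of distinct records per user.
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user[e.user].append(e)
    for user, evs in by_user.items():
        window, flagged, impact = [], set(), None
        for e in evs:
            window.append(e)
            while e.ts - window[0].ts > BULK_WINDOW:
                window.pop(0)
            distinct = {w.record for w in window}
            if len(distinct) >= BULK_THRESHOLD:
                flagged |= distinct          # keep widening while the burst continues
                impact = CIA_IMPACT.get(e.action, "unknown")
        if flagged:
            alerts.append(Alert("bulk_access", user, sorted(flagged), impact))
    return alerts


def assess_scope(alerts):
    """Scope assessment: who is affected and which CIA properties are compromised."""
    principals, impacts = set(), set()
    for a in alerts:
        principals.update(a.records)
        impacts.add(a.cia)
    return {"affected_principals": sorted(principals),
            "cia_impact": sorted(impacts),
            "notify": bool(alerts)}   # any CIA compromise is a Section 2(u) breach


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a.rule:16} user={a.user:11} records={len(a.records)} impact={a.cia}")
    print(assess_scope(found))
```

Running it prints three alerts (a delete outside the service role's permitted actions, the same event arriving from a non-internal address, and a six-record burst by billing_03) and a scope summary covering seven records with confidentiality and availability impact. The scope output is what feeds the Board report; in practice the record IDs must still be resolved to people and contact details, and the thresholds need tuning against a baseline so that legitimate batch jobs do not flood the queue.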

⚠️ CERT-In 6-Hour Rule

CERT-In's directions of April 2022, issued under Section 70B(6) of the IT Act, require specified cyber incidents to be reported to CERT-In within six hours of noticing them. Combined with DPDPA obligations, organisations face parallel notification clocks: CERT-In within six hours, the Board and each affected Data Principal under Section 8(6), and sectoral regulators such as the RBI for regulated entities. Delayed notification under Section 8(6) attracts a penalty of up to ₹200 crore; non-compliance with the CERT-In directions is separately punishable under Section 70B(7) of the IT Act.

💰 Penalty Framework

| Violation | Section | Maximum Penalty |
|---|---|---|
| Failure to take reasonable security safeguards | §8(5) | ₹250 crore (Schedule, Entry 1) |
| Failure to notify the Board of a breach | §8(6) | ₹200 crore (Schedule, Entry 2) |
| Failure to notify affected Data Principals | §8(6) | ₹200 crore (Schedule, Entry 2) |

⚠️ Cumulative Exposure: ₹650 Crores

A single breach can trigger: inadequate security (₹250 Cr) + Board notification failure (₹200 Cr) + principal notification failure (₹200 Cr) = ₹650 Crores maximum, plus reputational damage, civil litigation, and potential IT Act liability. Two caveats: the Schedule lists the Section 8(6) duty as one entry covering notice to "the Board or affected Data Principal", so whether the two notification failures attract two separate ₹200 crore ceilings is untested, and ₹650 crore is the worst-case reading. And under Section 33(2) the Board fixes the actual amount after considering the nature, gravity and duration of the breach, the type of personal data affected, whether the breach was repetitive, any gain realised or loss avoided, the mitigation steps taken, and the proportionality of the penalty. Documented, prompt incident response therefore reduces the figure as well as the harm.

📚 Case Studies

📋 Case Study 1: Unsecured Cloud Database

Scenario: A health-tech startup stores 5 lakh patient records in a cloud database. A researcher discovers it's publicly accessible without authentication due to misconfiguration.

Violations: §8(5) failure (no access controls); §2(u) breach (confidentiality compromised even without confirmed exfiltration).

Penalty Exposure: Up to ₹250 Cr for the security failure, and the Section 8(6) notification duties follow as soon as the exposure is known. Lack of basic access controls (authentication, network restriction) for health data clearly fails the "reasonable" standard.
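Case Study 1 turns on a single misconfiguration, so a check that catches it before an outside researcher does is worth having. The following Python script is an added example for this page, not code from the original text or from any vendor tool. It evaluates bucket policies written in the AWS S3 policy-document shape (an assumption, since the case study names no provider) and flags Allow statements that grant to everyone without a condition confining the source. The two policies, the bucket name and the IAM role ARN are constructed.

```python
import json

# Constructed "before" policy: the misconfiguration from the case study,
# anonymous read and list on the whole bucket.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::patient-records", "arn:aws:s3:::patient-records/*"]
  }]
}""")

# Constructed "after" policy: access only for a named application role (the
# account ID and role name are placeholders), plus a deny for unencrypted transport.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRoleOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/patient-api"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::patient-records/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::patient-records", "arn:aws:s3:::patient-records/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}""")

# Condition keys that can actually confine an anonymous ("*") grant to a known
# network or organisation. Any other condition still leaves the grant reachable
# from the public internet, so it is ignored by this check.
RESTRICTING_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp", "aws:PrincipalOrgID"}
ANY_NETWORK = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def grants_to_everyone(principal):
    """True if the Principal element means 'anyone', in either accepted spelling."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def is_restricted(condition):
    """True if the Condition block confines the grant to a known source."""
    for block in condition.values():            # e.g. {"StringEquals": {...}}
        for key, values in block.items():
            if key not in RESTRICTING_KEYS:
                continue
            if key == "aws:SourceIp" and set(_as_list(values)) & ANY_NETWORK:
                continue                        # "from anywhere" is not a restriction
            return True
    return False


def public_grants(policy):
    """Return the Allow statements an anonymous internet caller could use."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not grants_to_everyone(st.get("Principal")):
            continue
        if is_restricted(st.get("Condition", {})):
            continue
        findings.append({"sid": st.get("Sid"),
                         "actions": _as_list(st.get("Action")),
                         "resources": _as_list(st.get("Resource"))})
    return findings


def classify(policy):
    return "PUBLIC" if public_grants(policy) else "RESTRICTED"


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, classify(policy), public_grants(policy))
```

The open policy is flagged on its PublicRead statement; the fixed version grants only to a named role and adds a Deny for unencrypted transport, which the checker ignores because a Deny cannot widen access. Static policy review is one layer only: account-level block-public-access settings, object ACLs and the data store's own authentication must also be checked, and the check should run continuously, since the case study's lesson is that the exposure was found by an outsider, not by the fiduciary.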

📋 Case Study 2: Delayed Disclosure

Scenario: An e-commerce company suffers a breach affecting 50 lakh customers. Management decides to "investigate thoroughly." Three months later, customers learn from media — not the company.

Violations: §8(6) failure to notify the Board and failure to notify principals. Investigation doesn't excuse delay; a preliminary intimation stating what is known and what is still being established can go out while forensics continue.

Penalty Exposure: ₹200 Cr + ₹200 Cr + potential ₹250 Cr = ₹650 Cr maximum, plus reputational devastation.

📋 Case Study 3: Ransomware Attack

Scenario: A financial firm is hit by ransomware. Customer data encrypted for 10 days. Attackers claim exfiltration but firm cannot confirm.

Violations: §2(u) includes "loss of access" (availability) and potential "unauthorised acquisition." Notification required even without confirmed exfiltration.

Best Practice: Assume worst case. Notify immediately. Engage forensics. Document everything.

🎯 Key Takeaways

🔒 Reasonable = Contextual: "Reasonable" depends on sensitivity, volume, industry practice, and threat landscape.

📊 Fiduciary Remains Liable: Outsourcing to Processors doesn't transfer liability. The Fiduciary is accountable for processor security.

🚨 Dual Notification: A breach requires notifying both the Board AND each affected Data Principal.

⏱️ Speed Matters: Delayed notification itself attracts up to ₹200 Cr in penalty. Build rapid response capability.

💰 ₹650 Cr Exposure: Combined worst-case penalties for security + notification failures are among the highest globally.

📋 Document Everything: Security measures and incident response must be documented to prove "reasonableness."