Reporting a Data Breach to CERT-In and the Data Protection Board — India

Source: Digital Personal Data Protection Act, 2023, s. 8(6); DPDP Rules, 2025; CERT-In Direction No. 20(3)/2022-CERT-In dated 28 April 2022; IT Act, 2000, s. 70B

Sourced from Indian central (Union) law — Constitution of India, central Acts of Parliament, and Supreme Court decisions. State-level information reflects each state's own Acts and High Court rulings. Written in plain language for general understanding — this is educational content, not legal advice.

What is this right?

India runs two parallel breach-reporting regimes.

  • CERT-In (Indian Computer Emergency Response Team) under MeitY enforces the 28 April 2022 Directions. Specified cyber-incidents — including ransomware, data breach, identity theft, unauthorised access, defacement, attacks on critical infrastructure — must be reported by the affected entity to CERT-In within 6 hours of noticing the incident. ICT system logs must be retained for 180 days and kept within India.
  • Data Protection Board of India under DPDPA s. 8(6) and DPDP Rules 2025 — Data Fiduciaries must inform the Board and each affected Data Principal of a personal-data breach in the form, manner, and timelines prescribed by the Rules.

As a Data Principal, your role is to verify the Fiduciary actually notified you, document the breach for your own protection, and — if the Fiduciary stays silent — file a complaint with the Board yourself.

When does it apply?

Applies when:

  • A company or government department holding your personal data suffers a breach.
  • You are notified by the Fiduciary, or you discover the breach yourself via a public dump, dark-web monitoring, or a phishing email that references internal account details.
  • Even where no notification is made, you can file a complaint to investigate.

What to Do If Your Personal Data Has Been Breached in India

  • Preserve the breach notification email, SMS, or in-app message. Note the exact time of receipt.
  • Change passwords immediately on the affected service and on any service where the password was reused. Enable two-factor authentication.
  • If financial data was exposed, follow up with your bank under the 3-working-day rule on any suspicious transaction (see the Scams Recovery category).
  • Get a CIBIL credit report free once a year — watch for unfamiliar accounts.
  • If the Fiduciary fails to notify or downplays the breach, file a complaint with the Data Protection Board of India citing DPDPA s. 8(6).
  • You may also separately file at cybercrime.gov.in if the breach involved an offence under IT Act s. 66 / 66C / 72.

What should you NOT do?

  • Do not click any "verify your account" link in a breach notification email — go to the website directly. Breach notifications are exploited by follow-on phishing.
  • Do not assume CERT-In handles individual claims. CERT-In's role is system-level coordination — your individual remedy runs through the DPB or IT Act adjudicating officer.
  • Do not delay password rotation. Even "low-severity" breaches expose credentials reused elsewhere.
