Data Breach Law in India – Simple Guide for 2025

If your personal info pops up in a data breach, you probably feel exposed and angry. You’re not alone. In India, the legal framework for data breaches is still shaping up, but there are clear rules you can rely on. This guide walks you through the basics, your rights, and the actions you should take right after a breach.

What the Law Says About Data Breaches

India’s primary data law is the Information Technology (Reasonable Security Practices and Procedures) Rules, 2011, which is part of the IT Act 2000. It tells companies how to keep data safe and what to do when it’s compromised. If a company fails to follow these rules, the affected person can ask for compensation under the consumer protection statutes.

In 2022, the government introduced the Personal Data Protection Bill (PDPB), which will soon become the main data‑privacy statute. The bill requires every data fiduciary to report a breach to the Data Protection Authority within 72 hours and inform the impacted users in plain language. Until the bill is fully enforced, the IT Rules still hold sway, but many firms are already adopting PDPB‑style policies.

Steps You Should Take After a Breach

1. Confirm the breach. Check if the notification comes from a legitimate source. Look for official emails, SMS alerts, or a notice on the company’s website. Scammers sometimes fake breach alerts to steal more info.

2. Change passwords immediately. Reset passwords on the compromised account and any other site where you reuse the same login. Use a password manager to create unique, strong passwords.

3. Enable two‑factor authentication (2FA). Adding a second verification step blocks most attackers, even if they have your password.

4. Watch your accounts. Keep an eye on bank statements, credit cards, and online services. Report any unauthorized transaction to your bank or service provider right away.

5. File a complaint. If the breach involves a serious lapse in security, you can lodge a complaint with the Cyber Cell of your local police or the National Cyber Crime Reporting Portal. Provide the breach notice, screenshots, and any evidence of loss.

6. Seek legal advice. When you suffer financial loss or emotional distress, a lawyer can help you claim compensation under the Consumer Protection Act or the IT Act. Some firms offer free legal aid for breach victims.

Taking these steps quickly can limit damage and give you a stronger case if you decide to pursue legal action.

Remember, data breaches aren’t just a tech problem—they’re a legal issue too. Knowing your rights and the law’s expectations can turn a scary situation into a manageable one. Stay alert, act fast, and don’t hesitate to reach out for professional help when you need it.