
Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Section 43A of the Information Technology Act 2000 (IT Act) refers to ‘reasonable security practices and procedures’. These are defined as the security practices and procedures specified in a law in force (of which there is currently none) or agreed between the parties and, in the absence of both, those prescribed by the government (ie, the Privacy Rules). In practice, therefore, the parties are free to agree on the security standards to be adopted.

The Privacy Rules do not prescribe a particular security standard (although that is what they were meant to do). Instead, they state that the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 standard, or a code of best practice prescribed by an industry association and approved by the government, may be followed. Thus far, the government has approved no such codes. Whichever standard is adopted, the Privacy Rules also expect it to be audited on a regular basis (at least once a year) by an independent auditor approved by the government.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Neither the IT Act nor the Privacy Rules require data owners or processors to notify individuals in the event of a breach.

Are data owners/processors required to notify the regulator in the event of a breach?

Under the IT Act and the rules made under it, there is no general obligation to notify the regulator of a breach. However, sector-specific rules may apply: under the relevant banking regulations, India’s central bank, the Reserve Bank of India, has prescribed that banks must notify it, the Indian Computer Emergency Response Team (CERT-In) or the Institute for Development and Research in Banking Technology of all security breaches.
