Cybersecurity & Incident Response

Cybersecurity is no longer solely a technical concern — it carries significant legal implications under Indian law and international frameworks. Organisations facing cyberattacks, data breaches, or regulatory investigations require legal guidance that bridges technical realities with legal obligations.


Legal Framework for Cybersecurity in India

Information Technology Act, 2000 (IT Act)

The IT Act and its associated rules form the primary legal framework governing cybersecurity in India. Key provisions include:

  • Section 43A: Liability for failure to implement reasonable security practices for sensitive personal data, where such failure causes wrongful loss or gain.
  • Section 66: Offences relating to computer-related crimes including unauthorised access, data theft, and introduction of malicious code.
  • Section 70: Protection of Critical Information Infrastructure (CII) and the role of CERT-In in responding to cyber incidents.

CERT-In Directions, 2022

The Indian Computer Emergency Response Team (CERT-In) issued Directions in April 2022 requiring service providers, intermediaries, data centres, corporates, and government entities to report cybersecurity incidents to CERT-In within 6 hours of detection. The Directions also impose requirements around log maintenance and, in certain cases, synchronisation of system clocks with NTP servers.

Digital Personal Data Protection Act, 2023

The DPDP Act requires Data Fiduciaries to notify the Data Protection Board (and affected Data Principals) of personal data breaches in a prescribed manner and within prescribed timelines.


Key Areas of Practice

Cybersecurity Compliance Advisory

Advising organisations on their obligations under the IT Act, CERT-In Directions, and sector-specific cybersecurity frameworks (e.g., RBI guidelines for banks and NBFCs, SEBI cybersecurity circulars for market participants, IRDAI guidelines for insurers).

Incident Response Legal Support

Providing immediate legal guidance during and after a cybersecurity incident, including advice on breach notification obligations, engagement with regulators, managing legal privilege in investigations, and coordinating with technical response teams.

Security Policy Drafting

Drafting and reviewing information security policies, incident response plans, business continuity plans, and acceptable use policies to ensure they meet legal requirements and industry standards.

Cybercrime Investigations

Advising on and supporting legal proceedings related to cybercrime, including complaints to law enforcement agencies, preservation of digital evidence, and coordination with forensic investigators.

Vendor and Third-Party Risk

Reviewing and drafting contracts with IT vendors, cloud service providers, and managed security service providers to ensure appropriate allocation of cybersecurity obligations and liability.


Frequently Asked Questions

What must I report to CERT-In, and when?

Cybersecurity incidents such as targeted scanning, compromised systems, unauthorised access, data breaches, website defacement, malware outbreaks, and identity theft must be reported to CERT-In within 6 hours of detection or being brought to notice. The CERT-In Directions, 2022 provide a non-exhaustive list of reportable incident types.

Is a cybersecurity incident always a “personal data breach”?

Not necessarily. A personal data breach under the DPDP Act is specifically a breach affecting personal data (i.e., data that can identify an individual). A cybersecurity incident affecting only non-personal or anonymised data may not trigger DPDP Act notification obligations, though CERT-In reporting requirements may still apply.

What is legal privilege, and why does it matter in an incident?

Communications between a legal adviser and their client for the purpose of obtaining legal advice are protected by legal privilege, and their disclosure may not be compelled in legal proceedings. Engaging legal counsel early in an incident helps ensure that sensitive investigation findings are captured under privilege where appropriate.
