Data Breach Incident Response

Legal-Led Response from Detection to Resolution

A data breach triggers simultaneous legal, regulatory, and reputational obligations — all with short deadlines. SIRI Law LLP provides integrated legal incident response: CERT-In notification, regulatory management, forensic oversight, customer communication, and insurance claim support — from the first moment of detection.

⚠ DATA BREACH EMERGENCY LINE

You have 6 hours to notify CERT-In.
Call us now.

Every minute of delay increases your regulatory exposure under the IT Act, DPDPA 2023, and CERT-In Rules 2022. We handle the legal triage, forensics, and mandatory filing simultaneously.

Available Mon–Sat 9AM–7PM · WhatsApp for after-hours emergencies

If you are unsure whether you have had a breach — call us anyway. The consultation is free.

Your Legal Obligations

The clock starts when the breach occurs
0–6 Hours: Initial CERT-In Notification

Mandatory initial notification to CERT-In under Rule 12(1)(a) of the CERT-In Rules 2022. This is non-negotiable and carries significant penalties for delay.

72 Hours: Extended Incident Report

Detailed extended report to CERT-In including nature of incident, affected systems, data categories impacted, and preliminary remediation steps.

30 Days: Final Detailed Report

Comprehensive final incident report including root cause analysis, full scope of breach, all remediation actions completed, and future prevention measures.

Under the DPDPA 2023 and IT Act: Failure to comply with mandatory breach notification obligations carries penalties of up to ₹250 crore and may constitute a criminal offence under Section 70 of the IT Act.

SIRI's Response

What we do in the first 6 hours
1. 0–30 min: Legal triage and matter classification

Senior cyber law attorney engaged immediately. Nature of breach classified. Attorney-client privilege established over all communications. Litigation hold issued to prevent evidence destruction.

2. 30–60 min: Evidence preservation

Forensic engineer deployed. System logs preserved. Chain-of-custody documentation initiated. Evidence secured in a manner admissible to Indian courts. Volatile data captured before system changes.

3. 1–2 hrs: CERT-In notification draft prepared

Mandatory initial notification to CERT-In drafted by your attorney. All required fields under Rule 12(1)(a) completed accurately. Legal review completed before filing to minimise regulatory risk.

4. 2–3 hrs: Regulator communication strategy agreed

RBI, SEBI, IRDAI, or other sectoral regulator notification obligations assessed. Communication strategy agreed with client. Disclosure scope confirmed to limit unnecessary regulatory exposure.

5. 4–5 hrs: CERT-In notification filed

Notification filed electronically via CERT-In portal. Filing reference number secured. Timeline documented. Client briefed on confirmation and next obligations under Rule 12(1)(b) within 72 hours.

6. 6 hrs: Client briefing and next-steps roadmap

Full written briefing delivered to client board and key stakeholders. 72-hour extended report timeline set. Ongoing forensic investigation scoped. Media and customer communication strategy advised.

Our Team

Your breach response team
  • Senior Cyber Law Attorney
    Leads legal triage, establishes privilege, advises on regulatory strategy and notification obligations.
  • Certified Digital Forensics Engineer
    OSCP/CEH certified. Preserves evidence, traces breach vector, produces court-admissible forensic reports.
  • CERT-In Liaison Specialist
    Manages the CERT-In notification portal, ensures accurate and timely filing, tracks response communications.
  • Regulatory Communication Specialist
    Drafts all regulator correspondence, coordinates with RBI/SEBI/IRDAI as needed, manages media statements.

Integrated Response Flow

  1. Breach Alert Received
    Legal and technical teams briefed simultaneously
  2. Parallel Legal + Forensic Track
    Privilege established while evidence is preserved
  3. CERT-In Draft Reviewed
    Attorney reviews every word before filing
  4. Notification Filed
    Reference number secured within 6-hour window
  5. Ongoing Forensic Investigation
    Root cause analysis and remediation advisory

Overview

When a Breach Occurs: What the Law Requires

India’s CERT-In Directions (2022) require notification within 6 hours of becoming aware of a cybersecurity incident — one of the world’s strictest reporting timelines. The DPDPA 2023 will impose breach notification obligations to the Data Protection Board and affected data principals. GDPR requires notification within 72 hours for organisations processing EU data. Non-compliance compounds the regulatory exposure from the breach itself.

Legal privilege over the forensic investigation is critical: structuring the investigation through legal counsel protects findings from regulatory compulsion in most scenarios. A breach investigated without legal oversight produces unprotected findings whose disclosure regulators can compel.

SIRI Law LLP provides a complete legal incident response service — available around the clock for active incidents — covering all regulatory notification obligations, legal strategy, and post-incident remediation advisory.

Response Timeline

Key Deadlines You Face

  • 6 Hours: CERT-In notification — cybersecurity incidents
  • 72 Hours: GDPR supervisory authority (if EU data involved)
  • ASAP: Data Protection Board (DPDPA — timeline under Rules)
  • Immediate: Evidence preservation — logs overwritten quickly
  • 24–48 hrs: Cyber insurance notification (policy-dependent)
  • 7 Days: Supplementary CERT-In incident report

Services Offered

Incident Response Legal Services

Why SIRI Law LLP

Our Approach & Advantage

Available 24/7 for Active Incidents

Cybersecurity incidents do not respect business hours. Our cyber incident response team is available around the clock for active breaches — with a defined escalation process for immediate engagement.

CERT-In Compliance Guaranteed

We have a proven process for preparing and submitting CERT-In notifications within the 6-hour window — even when we are engaged hours after the incident begins. The quality of the notification matters as much as its timeliness.

Legal Privilege Protection

Structuring the forensic investigation through legal counsel protects findings under legal professional privilege — a critical protection that many organisations fail to establish from the outset.

Integrated Multi-Framework Response

A single incident may trigger CERT-In, DPDPA, GDPR, and RBI notification obligations simultaneously. We manage all obligations in parallel — with a single legal team ensuring consistency across all regulatory communications.

Insurance Maximisation

Cyber insurance claims are most successfully advanced when the breach response is professionally managed from the outset. We advise on maximising insurance recovery alongside managing regulatory obligations.

Representative Matters

Typical Engagements

All matters described generically to protect client confidentiality.

Hospital Group — Ransomware Response

CERT-In notified within 6 hours, forensic investigation structured under legal privilege, no ransom paid, regulatory clearance achieved with no penalties — ₹0 fines despite 2,000+ patient records affected.

Fintech Company — Payment System Breach

Coordinated simultaneous CERT-In, RBI, and customer notification for a payment system breach — managing all three regulatory obligations on different timelines with a consistent factual narrative.

SaaS Provider — EU Customer Data Breach

Managed GDPR 72-hour supervisory authority notification alongside CERT-In notification for a breach affecting EU customer data — navigating different regulatory expectations simultaneously.

E-Commerce Company — Customer Data Exfiltration

Advised an e-commerce company on breach notification strategy following exfiltration of customer data — including customer notification phasing, media management, and regulatory engagement.

Frequently Asked Questions

What qualifies as a ‘reportable incident’ under CERT-In directions?

CERT-In’s 2022 Directions require mandatory reporting of a broad list of incident types including: targeted scanning/probing, compromise of critical systems or data, website defacement, malware deployment, identity theft, data breaches, attacks on critical infrastructure, and ransomware. When in doubt, report — CERT-In’s approach to late notification is significantly harsher than to over-reporting.

What does CERT-In do with the notification?

CERT-In uses notifications to track incident trends, coordinate with affected organisations, and facilitate response. Notification does not automatically trigger enforcement proceedings — responsive, transparent notifications typically result in CERT-In providing advisory support rather than enforcement action. Concealment or late notification is a much greater enforcement risk than prompt reporting.

Should we pay the ransom in a ransomware attack?

We advise against ransom payment in most circumstances — based on PMLA implications of cryptocurrency payment to unknown parties (potentially sanctioned), the fact that payment does not guarantee data recovery or non-disclosure, and the encouragement it provides to attackers. Each situation is assessed individually based on the specific facts and available alternatives. Legal counsel should be engaged before any payment decision.

How does legal privilege protect our forensic investigation?

When a forensic investigation is conducted by a third-party firm engaged directly by legal counsel — rather than by the client’s IT team or an independently engaged forensic firm — the investigation and its findings may attract legal professional privilege. This means regulators cannot compel disclosure of the investigation findings in most circumstances. This protection must be established from the outset of the investigation.

Call us now. Every minute counts.

Immediate legal and forensic response. CERT-In notification within the mandatory 6-hour window.

If you are unsure whether you have had a breach, call us anyway. The initial consultation is free and confidential. Attorney-client privilege attaches from your first call.

Disclaimer: Information on this page is general in nature. Each breach situation is unique — seek immediate legal advice for active incidents rather than relying on general guidance.