Loopholes in the law
When does a data breach officially begin?
The DPDP Rules 2025 create important obligations around personal data protection, breach notification, retention, governance, and accountability.
Like any regulatory framework, however, their practical impact depends not only on what is written, but also on what is left open to interpretation. Over the coming posts, I will examine several areas where the Rules are silent, ambiguous, or leave room for different interpretations in practice.
The first relates to a deceptively simple question. When does a data breach officially begin?
What does "discovers" actually mean?
At first glance the answer seems obvious. A breach begins when a company discovers it. But what does "discovers" actually mean? Imagine this scenario:
- Monday. A security analyst notices unusual activity.
- Tuesday. The incident response team starts investigating.
- Wednesday. Internal discussions suggest customer data may be affected.
- Thursday. Evidence becomes stronger.
- Friday. Senior management formally confirms a breach.
So when did awareness begin? Monday? Wednesday? Or Friday?
Why the timing matters
This question matters because the DPDP Rules require a Data Fiduciary to act once it becomes aware of a personal data breach. Yet neither the Rules nor the Act clearly define what constitutes awareness.
That creates an interesting challenge. One organisation may treat the first internal alert as awareness. Another may wait until technical confirmation. A third may wait until management approval. All three could face the same incident and still start the reporting clock at different times.
For threat actors, every additional day can mean more data copied, more accounts compromised, and more harm to affected individuals. For organisations, uncertainty creates a different risk. If regulators, investigators, or affected individuals later disagree about when awareness actually began, the organisation may find itself defending not only the breach itself, but also the timing of its response.
One possible approach
One possible solution would be to define awareness as the first documented internal alert that indicates a credible possibility of a personal data breach. Such an approach would create an auditable record and reduce disputes about when obligations were triggered.
The broader question is worth discussing: should breach awareness begin when suspicion first arises, or only after formal confirmation?