Data Breach India

Data Breach Liability in India, Obligations and Penalties Under the DPDP Act, 2023


A legal analysis of breach costs, DPDP Act penalties, and the preparedness failures that turn a security incident into regulatory liability.

A data breach in India is a regulatory event with hard legal deadlines. Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules 2025 (notified 13 November 2025), an organization that fails to protect personal data can face DPDP Act penalties of up to ₹250 crore for inadequate security safeguards, plus up to ₹200 crore for a failed breach notification.

The average data breach cost in India reached a record ₹220 million (USD 2.6 million) in 2025. The biggest driver of avoidable loss is poor preparation: excessive data retention, third-party vendor compromise, no incident response plan, late legal involvement, and the absence of an AI governance policy.

A Breach Is a Legal Crisis From Minute One

A data breach in India is not a technical glitch. It is an immediate legal, regulatory and reputational crisis. In the country’s new data-protection regime, a single exposed database can cascade into large-scale consequences within hours. The DPDP Act and the CERT-In Directions impose tight reporting deadlines and steep penalties, so any delay or misstep is costly.

Organisations must therefore treat a breach as a multi-front emergency from the outset. Early legal guidance and a documented incident response plan are now as critical as technical containment. 

The biggest financial damage rarely comes from the hack itself. It comes from poor preparation: firms hoard excessive personal data, suffer a third-party vendor compromise, operate without an incident response plan, delay involving legal counsel for a data breach, or allow sensitive information into ungoverned generative-AI tools because they lack an AI governance policy. These gaps multiply both cost and regulatory exposure.

Why Data Breaches Are Becoming More Expensive for Indian Businesses

Recent data breach incidents have hit hospitals, insurers, banks, logistics firms, education platforms and utilities alike. Attackers exploit phishing, software vulnerabilities and supplier weaknesses. The top three initial attack vectors were phishing (18%), third-party vendor and supply-chain compromise (17%), and vulnerability exploitation, with the average breach lifecycle still running 263 days to identify and contain. The prominence of third-party vendor compromise as a leading cause is precisely why vendor security clauses now sit at the centre of data breach prevention.

Rising DPDP Act penalties

The DPDP Act empowers the Data Protection Board of India to impose substantial DPDP Act penalties. The Schedule to the Act sets out maximum fines per violation:

| Violation | Provision | Maximum Penalty |
| --- | --- | --- |
| Failure to implement reasonable security safeguards | Section 8(5) | ₹250 crore |
| Failure to notify the Board or affected individuals (breach notification) | Section 8(6) | ₹200 crore |
| Non-compliance with children’s-data provisions | Section 9 | ₹200 crore |
| Failure to meet additional Significant Data Fiduciary duties | Section 10 | ₹150 crore |

Source: Schedule to the DPDP Act, 2023

These DPDP Act penalties are levied per violation and are cumulative. A single incident involving a security lapse, a failed breach notification, and processing without consent could attract layered penalties running into several hundred crore.

Damage beyond the immediate loss

Investigation and remediation costs are only part of the toll. Delayed reporting, inconsistent public statements, contractual claims and loss of customer trust often cause greater losses in data breach cases. Downtime, customer churn and reputational harm are among the steepest-rising components of the data breach cost in India. Firms that contain incidents quickly, with a mature incident response plan that includes legal counsel, consistently resolve breaches faster and at lower cost.

The Preparedness Failures That Multiply Liability

Despite the stakes, many businesses persist in five risky practices:

Excessive data retention

Holding unnecessary personal data is pure liability. Rule 8 of the DPDP Rules 2025 now requires erasure once the purpose is served, with a mandatory one-year retention log. Timely deletion shrinks both the attack surface and regulatory exposure.

Weak vendor controls

A third-party vendor compromise can leave a backdoor wide open. Critically, the data fiduciary remains ultimately liable even when a processor causes the data breach, so a vendor’s failure becomes your ₹250 crore problem.

No formal incident response plan

Without defined roles and a tested incident response plan, technical teams, management and communications diverge and waste the critical first hours.

Delayed legal involvement

Companies often call data breach lawyers only after regulators or lawsuits appear, by which time statutory deadlines may have lapsed and forensic evidence may be lost.

Ungoverned AI use (shadow AI)

This is the fastest-growing risk. Shadow AI was among the top three cost drivers of a data breach in India, adding roughly ₹17.9 million to the average cost, yet nearly 60% of breached Indian organizations had no AI governance policy in place. A clear AI governance policy is now a core data breach prevention control.

Case Study: The Star Health Data Breach (2024)

In late 2024, the Star Health data breach exposed the personal and medical records of an estimated 3.1 crore (31.2 million) policyholders, allegedly offered for sale via Telegram chatbots by a hacker using the alias “xenZen.”

The legal fallout from the Star Health data breach illustrates the multi-front nature of a modern incident:

  • Star Health filed suit in the Madras High Court against Telegram and Cloudflare; the Court issued interim orders directing the platforms to block and delete the leaked data. 
  • A separate writ petition by a cybersecurity researcher seeking a government probe was ultimately dismissed, with the Court directing the petitioner to civil remedies given parallel proceedings.
  • The IRDAI publicly acknowledged data leaks from insurers and reiterated its cybersecurity guidelines in a press release dated 18 October 2024.

With reported leadership resignations, ransom demands and a stock-price hit, the Star Health data breach is a textbook example of how mishandling converts a security incident into a sustained legal crisis and a likely early test of how the Data Protection Board approaches enforcement.

Conclusion

Poor data governance and slow response multiply the data breach cost in India. Organizations that invest in data minimization, strong vendor contracts against third-party vendor compromise, a tested incident response plan, a robust AI governance policy, and early legal crisis management keep both costs and DPDP Act penalties far lower. 

With DPDP Rules 2025 enforcement rolling out in phases through November 2026 and May 2027, the time to close these gaps is now, before the clock starts on a real breach.

Frequently Asked Questions

How much does a data breach cost a company in India?

The average data breach cost in India reached a record ₹220 million (about USD 2.6 million) in 2025, the highest average of any country studied. On top of this, the DPDP Act allows penalties of up to ₹250 crore for failing to implement reasonable security safeguards.

What is the maximum penalty under the DPDP Act?

The maximum DPDP Act penalty is ₹250 crore for failure to implement reasonable security safeguards (Section 8(5)), plus up to ₹200 crore for a failed breach notification (Section 8(6)). Penalties are levied per violation and can be cumulative, so a single incident may attract layered fines from the Data Protection Board.

Is a data breach in India a legal issue or a technical issue?

A data breach in India is primarily a legal and regulatory event. Under the DPDP Act and DPDP Rules 2025, it triggers mandatory breach notification deadlines, penalties up to ₹250 crore, and possible litigation. Treating it as only a technical issue is the most common and most expensive mistake companies make.

What are the biggest avoidable drivers of data breach cost?

The biggest avoidable cost drivers are failures of preparation: excessive data retention, third-party vendor compromise, the absence of an incident response plan, late legal involvement, and shadow AI used without an AI governance policy. Shadow AI alone added about ₹17.9 million to the average Indian data breach cost in 2025.

Am I liable if a third-party vendor causes the breach?

Yes. Under the DPDP Act, the data fiduciary retains ultimate responsibility for personal data even when a third-party processor causes the incident. If you did not contractually mandate reasonable security safeguards, you, not just the vendor, can face the DPDP Act penalty.

Prosoll Law

Prosoll Law is a distinguished Indian law firm with over three decades of excellence in litigation, criminal law, white-collar crime, economic offences, property disputes, family law, succession planning, and environmental law. Founded by Advocate Harsh K. Sharma in 1987, the firm is recognized for its commitment to quality, ethics, and client-focused legal solutions. Through its expert legal insights and thought leadership, Prosoll Law helps individuals and businesses navigate complex legal challenges. Connect with our team today for trusted legal guidance.
