Question: Are data-breach notification procedures established and tested to meet legal timelines (e.g., CERT-In 6 hrs / DPDP 72 hrs)?
Why This Matters
Failure to notify on time can lead to penalties and loss of trust. A tested process ensures that breaches are reported accurately and promptly.
Maturity
0 — Unaware
No awareness of regulatory timelines.
1 — Ad Hoc
Notification done only after legal review post-incident.
2 — Defined
Procedure documented; responsible roles assigned.
3 — Managed
Checklist tested in drills; templates ready.
4 — Integrated
Workflow automated via SOAR or case system.
5 — Optimized
Real-time monitoring of breach timelines with automatic escalation.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Identify all laws requiring breach reporting. |
| 1 → 2 | Write procedure with roles & timers (CERT-In, DPDP). |
| 2 → 3 | Test with tabletop and record elapsed time. |
| 3 → 4 | Integrate workflow into case management. |
| 4 → 5 | Add dashboard for deadline tracking and alerts. |
Enablers
- People: DPO, Legal, IR Lead
- Process: Breach assessment → approval → notification
- Technology: SOAR timer, email templates, audit logs
Evidence
- Notification procedure document
- Drill logs showing timing
- Notifications sent (sample)
KPIs
- Average notification time
- % breaches reported within SLA
- Number of missed deadlines
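The deadline tracking from the "4 → 5" step and the three KPIs above, as an added example that is not part of this checklist: it takes drill or incident records (detection time plus any notifications sent), applies the reporting windows stated on this page (CERT-In 6 hours, DPDP 72 hours, both assumed to run from detection), flags open incidents for escalation once half the window has elapsed, and computes the KPIs per regime. The incident records and the half-window escalation threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Reporting windows in hours, as stated on the page (assumed to run from
# the moment of detection; confirm the legal trigger with counsel).
REPORTING_WINDOWS_H = {"CERT-In": 6, "DPDP": 72}
# Escalate an open incident once this fraction of its window has elapsed.
ESCALATE_AT = 0.5  # assumed threshold


def deadline(detected_at, regime):
    """Notification deadline for one regime."""
    return detected_at + timedelta(hours=REPORTING_WINDOWS_H[regime])


def status(incident, regime, now):
    """'on_time'/'late' once notified; else 'open', 'escalate' or 'missed'."""
    due = deadline(incident["detected"], regime)
    sent = incident["notified"].get(regime)
    if sent is not None:
        return "on_time" if sent <= due else "late"
    if now > due:
        return "missed"
    window = timedelta(hours=REPORTING_WINDOWS_H[regime])
    return "escalate" if (now - incident["detected"]) / window >= ESCALATE_AT else "open"


def kpis(incidents, regime, now):
    """Average notification time (h), % within SLA, missed deadlines, escalations."""
    statuses = [status(i, regime, now) for i in incidents]
    hours = [(i["notified"][regime] - i["detected"]).total_seconds() / 3600
             for i in incidents if i["notified"].get(regime) is not None]
    # SLA percentage counts only incidents whose outcome is decided.
    closed = [s for s in statuses if s in ("on_time", "late", "missed")]
    return {
        "avg_notification_h": round(sum(hours) / len(hours), 2) if hours else None,
        "pct_within_sla": round(100 * statuses.count("on_time") / len(closed), 1) if closed else None,
        "missed_deadlines": statuses.count("missed"),
        "needs_escalation": [i["id"] for i, s in zip(incidents, statuses) if s == "escalate"],
    }


# Constructed drill records (not real incidents), all times in UTC.
T0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    {"id": "DRILL-1", "detected": T0, "notified": {"CERT-In": T0 + timedelta(hours=4), "DPDP": T0 + timedelta(hours=30)}},
    {"id": "DRILL-2", "detected": T0, "notified": {"CERT-In": T0 + timedelta(hours=7), "DPDP": T0 + timedelta(hours=80)}},
    {"id": "DRILL-3", "detected": T0 + timedelta(hours=90), "notified": {}},  # 10 h old, nothing sent
    {"id": "DRILL-4", "detected": T0 + timedelta(hours=97), "notified": {}},  # 3 h old, nothing sent
]
NOW = T0 + timedelta(hours=100)

if __name__ == "__main__":
    for regime in REPORTING_WINDOWS_H:
        print(regime, kpis(SAMPLE_INCIDENTS, regime, NOW))
```

Feeding real drill logs into `kpis` gives the "drill logs showing timing" evidence and the KPI figures directly, and `needs_escalation` is the list a SOAR timer or dashboard would alert on.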
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Timer workflow | n8n / Zapier | Automated countdown |
| Templates | Google Docs / OnlyOffice | Approved letters |
| Audit trail | Odoo / Notion | Record approvals and timestamps |
Common Pitfalls
- Unclear ownership between Legal and Security
- Delay in impact assessment
- Notifications sent without records
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | A.5.24 / A.5.25 (Communication) |
| CERT-In 2022 | Rule 12 (6-hour Reporting) |
| DPDP Act 2023 | Sec 8 (72-hour Reporting) |
| NIST CSF 2.0 | RS.CO-02 / RC.CO-03 |
| NIRMATA Mapping | IR-Q07 demonstrates legal notification readiness. |