
Introduction
For years, India’s fintech ecosystem have seen a familiar script unfold. A customer success executive with database access exports a CSV with thousands of user profile names, PAN numbers, bank account details, loan histories. The internal security team logs the anomaly. HR silently suspends the employee. Legal counsel is in the loop. Then the Compliance team begins a careful, methodical investigation that can take three to four weeks. At last, a decision is reached. To lodge a police complaint or let the matter quietly subside. Customers are blissfully unaware of this whole process. The incident is buried under layers of internal process and institutional caution.
The notification of the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) has essentially redefined the legal framework around data breach response in India. The robust core of this transformation, particularly for fintechs, is a deceptively simple yet operationally seismic mandate: when a personal data breach occurs, the Data Protection Board of India (“DPBI”) and every affected data principal must be notified within 72 hours of the breach becoming known to the organisation.
The Insider Threat Problem in Indian Fintech
Data breaches driven by insiders are among the most damaging and least discussed security failures in the financial technology sector. Whereas any external cyberattack immediately triggers the technical response protocols, the defining features of insider threats are their stealth, their use of legitimate access, and the institutional hesitation they induce in victim organizations.
A customer retention executive could have access to transaction histories. Each of these individuals represents a potential insider threat vector, not because fintechs are careless, but because the nature of their business requires broad internal data access.
When an insider breach occurs whether for financial gain personal vendetta or recruitment by competitors or fraudsters the organisation faces a complex triage. It has to preserve evidence, deal with employment law issues, determine the scope of data exposure, work with cyber security forensics teams and decide whether to call in law enforcement, all at the same time. Each of these work streams will require time. The default pre-DPDP was to just let this process play out before looking at any external communications. That default has been taken away by DPDP Rules.
What the DPDP Rules Actually Require
The DPDP Act and the Rules thereunder establish a framework that imposes affirmative obligations on Data Fiduciaries, a category that comprises virtually every fintech operating in India that collects, stores or processes personal data of Indian citizens. Including fintechs that gather financial data, credit data, transaction histories, or even just basic identity data from users. The DPDP framework provides that a Data Fiduciary shall, upon becoming aware of a personal data breach, notify the DPBI and the data principals concerned in such form and manner as prescribed.
The 72- hour window is not a wish. It is the legal outer boundary. This is the same approach as the European Union’s General Data Protection Regulation (“GDPR”) which also requires notification to supervisory authorities within 72 hours of a breach becoming known, a standard that European organisations have found operationally demanding even after years of preparation.
The notification to the DPBI must include information on the nature of the breach, the categories and approximate number of data principals affected, the probable consequences of the breach and the measures taken or proposed to address the breach. The notice to affected data principals shall be in plain language and clear and shall contain sufficient information to enable affected data principals to take protective action.
The Collision: HR Investigation Timelines vs. Regulatory Clocks
Internal investigations in insider fraud cases serve legitimate purposes. Organisations need to establish the full scope of data ex-filtration before they can accurately describe the breach to regulators and affected individuals. They need to preserve digital forensic evidence in a manner that supports potential criminal prosecution. They need to ensure that suspension or termination processes are legally defensible under employment law. They need to assess whether the breach extends beyond the identified individual to a broader conspiracy. These are not trivial concerns they are the legitimate preconditions for an informed and legally sound response.
But a 72-hour notification window does not accommodate the pace of a thorough investigation. Forensic imaging of a device may take 24 hours. A preliminary analysis of exported data logs may require another 12 hours.
This is where Indian fintechs must fundamentally recalibrate their thinking. The DPDP Rules do not require notification of a fully understood, fully investigated breach. They require notification of a known breach, even if the complete picture remains unclear. Regulators under the GDPR framework have consistently held that organisations are expected to notify with the information available at the time, and to update that notification as further details emerge. Indian fintechs should expect the DPBI to adopt a similar interpretive posture.
The ‘Hush-Up’ Playbook Is No Longer Viable
In addition to the operational challenge, the DPDP Rules have also removed the institutional incentive structure, which can be said to have been attractive till date, in a candid sense. Under the pre-DPDP legal regime, an organisation that quietly addressed an insider breach by terminating the employee, recovering or deleting exfiltrated data where possible and refusing to file a public complaint, was subject to little external accountability. Those customers wouldn’t know their data has been compromised. Competitors would find no vulnerability. There is no basis for regulators to ask. The reputational and commercial costs of disclosure often seemed to exceed the legal risks of non-disclosure.
The DPDP Act turns this calculus on its head. Failure to notify the DPBI within the prescribed timeframe is itself a breach of statutory duty and carries with it substantial financial penalties. The DPBI can investigate breaches, call for information and levy penalties of up to Rs 250 crore for not implementing adequate security safeguards the category under which a failure to notify would most naturally fall. If an organisation manages to keep a breach from regulators and is later discovered to have done so, it may be subject to not only the initial penalty for poor security but also possible further liability for the concealment itself.
AMLEGALS Remarks
The convergence of insider threat vulnerability and the 72-hour notification mandate for fintech organizations requires nothing less than a structural redesign of breach response protocols one that embeds regulatory compliance into the first hours of incident response, rather than treating it as an afterthought to internal investigation. The organisations that will confidently navigate the data protection landscape in India are those that understand now that the duty they owe to their data principals is parallel to and not sequentially after the duty they owe to their own institutional interests. The clock is not a constraint to be managed, but a discipline to be adopted.
For any queries or feedback, feel free to connect with Dhwani.tandon@amlegals or Hiteashi.desai@amlegals.com
