Recently received a data breach notification from Angel One, and I think that notice merely informs customers about the data breach, whereas the DPDPA recommends more than mere notification.
What are your thoughts on this notice format?
Incidents are unfortunate, but transparency in such situations is critical. In the absence of published draft rules under the Digital Personal Data Protection Act (DPDPA), 2023, it is commendable that Angel One has proactively communicated with data principals about a potential cybersecurity incident. Their effort to engage with affected individuals aligns with the intent of the law.
That said, constructive feedback is essential to strengthen such notifications and ensure compliance with DPDPA’s principles of transparency, accountability, and data principal rights. Here are key areas where the notification could improve:
1/ Unspecified Nature of Breached Data - The notice does not specify which personal data was compromised (if any). Without this, data principals cannot assess risks such as identity theft, financial fraud, etc.
2/ Ambiguity in Impact on Data Principals – Either there is a data breach or there is not! The notice vaguely refers to a "potential cyber security incident" but does not clarify how the breach affects individuals. For example, it does not state whether compromised data could lead to phishing, unauthorized transactions, or reputational harm.
3/ Absence of Mitigation Guidelines - No actionable steps are provided to help affected individuals protect themselves (e.g., changing passwords, monitoring bank accounts, or reporting suspicious activity).
4/ Non-Compliant Communication Channel - Under DPDPA, such notifications must be routed through a Consent Manager (Section 8(6)) to ensure compliance with auditability and transparency.
5/ No Contact Information for Assistance - There is no dedicated point of contact (e.g., helpline, email, or grievance officer) for affected individuals to seek clarification, report issues, or request support.
6/ No Acknowledgement of DPDPA Compliance - The notice does not explicitly reference the DPDPA or affirm adherence to its breach notification obligations, raising doubts about legal compliance transparency.
7/ Failure to Define "Potential" Breach Severity - Well, the term "potential incident" is ambiguous. Was there a breach or not? Categorizing the breach as significant harm, non-significant, low-risk, systemic, contained, or third-party breach is always comforting to the data principal and the right move.
8/ Data Principal Communication: Notices, especially for data breaches, must be in the 22 Scheduled languages. Angel One's English-only notice fails to meet the inclusivity and accessibility requirements under the law.