Is this breach reportable, and by when?
Answer a few questions and see which regimes likely require notification — and the deadline for each, soonest first.
Whose data is affected? (choose any)
Are you a regulated entity in India?
Roughly how many people are affected? (optional)
Tell us whose data is affected and whether you are regulated in India. Your likely obligations appear beside the questions.
Breach reportability — common questions
When does the clock start?
For most regimes the deadline runs from when you become aware of the breach, not from when it first happened. That is why having detection and an escalation path in place matters — the time you spend deciding whether something counts is time on the clock.
What if multiple laws apply at once?
You have to satisfy each one, and the shortest deadline governs your timeline. If a single incident triggers CERT-In, GDPR and HIPAA, the 6-hour CERT-In window sets the pace — you cannot wait the full 72 hours just because GDPR allows it.
Do small breaches still need to be reported?
Often yes. Several regimes require notification regardless of size, and thresholds tend to change what extra steps apply — for example, large HIPAA breaches add notice to HHS and the media — rather than whether you report at all. Treat scale as a factor in the response, not a reason to skip it.
Is this legal advice?
No. This is general guidance to help you see which regimes are likely in scope and how tight the timing is. Your actual obligations depend on the facts of the incident, your contracts, and where you operate — confirm them with qualified counsel before you rely on them.