This guide is written for practical orientation. The correct legal response depends on the documents, transaction trail, police station, complaint stage, devices involved and the specific allegations.
Incident types
- Ransomware and business interruption
- Data breach or unauthorised access
- Source code theft and insider threat
- Email compromise and invoice fraud
- Cloud, SaaS, API or vendor breach
First 24 hours
- Activate an internal incident-response team covering legal, information security, management, HR, communications and vendor owners.
- Preserve logs, endpoint images, SaaS records, email headers, admin activity, cloud records, access-control evidence and contractual records.
- Contain the incident without destroying forensic artefacts; avoid hasty restoration that overwrites evidence.
- Assess regulatory, contractual, employee, customer, DPDP, CERT-In, sectoral and law-enforcement reporting obligations.
- Prepare privilege-aware reports, board updates, preservation notices, vendor communications and law-enforcement representations where required.
Legal workstreams
- Privilege-aware fact finding
- Regulatory and contractual reporting assessment
- Evidence preservation and forensic coordination
- Police complaint or FIR strategy
- Customer, vendor, insurer and board communication
Frequently asked questions
Should a company call police immediately after a cyber incident?
It depends on the incident, evidence, impact and legal objectives. Some matters require urgent reporting; others first require controlled forensic preservation.
What should be preserved after a ransomware attack?
Endpoint images, ransom notes, logs, backups, firewall records, admin activity, email headers and affected-system inventories are usually important.
Can internal investigation reports be privileged?
Privilege depends on the purpose, structure and legal involvement. It should be planned carefully from the beginning.
Do data breaches require regulatory reporting in India?
Reporting obligations depend on the nature of data, sector, contractual commitments, CERT-In directions, DPDP considerations and other applicable rules.