Crisis Management is the process of managing an unexpected event that threatens to put an individual/stakeholder at risk. Depending upon the type of business an individual/stakeholder is engaged in, a crisis can be of various types – data breach, tax evasion, bribe, corruption, fraud, etc.
In this article, we address general questions on how to deal with different types of crisis in India after they have occurred, including the duty to report a crisis, the legislation in force and the authorities established thereunder to deal proactively with a crisis, the rights and protection offered to an individual reporting a crisis, the rights of an individual/stakeholder to refuse seizure of documents involved in the investigation into a crisis, and related matters.
1. Regulator or Government Agencies to be notified on discovery of a data breach in India
In the case of a data breach in a banking company or a non-banking financing company (NBFC), the company must file a report with the Reserve Bank of India (RBI) in a Security Incident Reporting (SIR) form within two to six hours from the time of occurrence or on noticing such data breach. The SIR form requires particulars of the incident, specifically the name of the bank, details of the incident, the chronological order of events, etc. Further, a subsequent update must be sent to the RBI in Cyber Security Incident Reporting (CSIR) outlining further details of the breach.
2. Legislations in India relating to criminal offences and civil wrongs in case of data breach
3. Agencies in India that can conduct dawn raids on private sector companies and legislation that gives those agencies the power to undertake those inspections
4. Criteria to permit or refuse the seizure of documents in India. On what bases, including privilege and/or confidentiality, may organisations refuse to permit the seizure of documents?
A company in India cannot be compelled to disclose confidential communication with its legal advisors unless such company offers itself as a witness before any court.5 Privilege in India extends to the documents which have come into existence in anticipation of litigation for the purpose of seeking legal advice with the client’s legal advisors.6 However, privilege does not extend to in-house counsel employed by the company. Further, a company may refuse to permit the seizure of documents which are outside the scope of the warrant for search and seizure.
5. What are the circumstances in India under which an employee is entitled to protection when reporting an alleged wrongdoing?
India has enacted the Whistle Blowers Protection Act, 2011 (the Act); however, it is not yet in force. The Act provides protection for a whistle blower in circumstances where relevant disclosures are made by the employee under the Act in good faith. The disclosures must be accompanied by a personal declaration stating that the complainant reasonably believes that the information disclosed or the allegations made by him/her are substantially true. Such disclosures can be made in writing or by electronic mail message and must contain full particulars and supporting documents, together with other relevant materials, if any.
6. What legislative protection does that employee enjoy in India?
The employee blowing the whistle against their employer or rendering assistance in the inquiry into a whistleblowing investigation enjoys the following protection under the Whistle Blowers Protection Act, 2011:
7. Main anti-corruption laws and regulations in India
The Prevention of Corruption Act, 1988: Central Vigilance Commission
8. Extra-territorial effect of legislation in India
9. Enforcement bodies in India
10. Is there any duty to report the issue, for example to a regulator?
Where an internal investigation has been undertaken into the affairs of a company, the company must report it to a regulator in the following circumstances:
11. What is the protection available in India from disclosure for documents generated as a part of the investigation (for example, privilege)?
12. Is the advice given by an in-house lawyer in India in relation to the investigation privileged and/or confidential?
In order to take advantage of client-attorney privilege in India, an attorney, pleader, barrister or lawyer must be a full-time practicing attorney. However, an in-house lawyer is a full-time employee of the company and therefore outside the protection of client-attorney privilege.12
This compilation of FAQs was originally prepared for TERRALEX GLOBAL CRISIS MANAGEMENT REGULATORY GUIDE 2019