A ransomware attack — malware that encrypts a victim’s data or systems and demands payment for the decryption key — is a compound legal event. It is simultaneously a cybercrime, a potential data breach, a possible contractual breach, a regulatory incident, and a governance challenge. Organisations that treat a ransomware incident purely as an IT problem to be resolved by the technology team, without engaging legal counsel in the first hours, consistently make decisions that increase their legal exposure and reduce their options. This article sets out the full spectrum of legal considerations that arise when a business in India suffers a ransomware attack.
The Criminal and Regulatory Dimension
A ransomware attack involves multiple cognisable offences under Indian law. Introduction of the malware constitutes unauthorised access under Sections 43 and 66 of the Information Technology Act, 2000. Encryption of data without authorisation constitutes damage to a computer resource under Section 43(b). Demanding payment for the decryption key constitutes extortion under Section 308 of the Bharatiya Nyaya Sanhita, 2023. A complaint should be filed at the jurisdictional cybercrime police station and through the National Cyber Crime Reporting Portal (cybercrime.gov.in), supported by the forensic evidence preserved in the initial response phase. In parallel, CERT-In’s April 2022 Directions require covered entities to report a ransomware incident within six hours of detection — this obligation is mandatory and independent of any remediation or payment decision. Regulated entities must additionally comply with sector-specific reporting requirements: the RBI CSITE Cell for banking entities, IRDAI for insurance entities, and SEBI for market intermediaries.
Contractual Obligations
An organisation’s commercial contracts are directly engaged by a ransomware incident. Service level agreements with customers may include uptime guarantees and data security standards that are breached when ransomware takes systems offline. Data processing agreements will typically require notification of a security incident within a specified timeframe — often 24 to 72 hours — and failure to notify within that window constitutes an independent contractual breach. Counsel should identify the notification obligations across the organisation’s key commercial relationships and manage the communication timeline accordingly. Force majeure clauses in supplier contracts may excuse the organisation’s own supply failures during the incident, but the applicability of any specific clause must be assessed against its precise drafting before reliance is placed on it.
Insurance and the Payment Decision
Where the organisation holds a cyber insurance policy, the insurer must be notified within the policy’s prescribed notification window — typically 24 to 72 hours from discovery — and the coverage terms reviewed urgently. Cyber policies typically cover: incident response costs (forensics, legal, public relations), business interruption losses, regulatory fines where insurable, extortion demand payments subject to policy conditions, and third-party liability for customer claims. Any ransom payment — if ultimately authorised after legal advice — may be required in cryptocurrency, which raises PMLA considerations and requires coordination with the insurer’s coverage position. The decision to pay must never be made without legal advice on the PMLA, sanctions, and regulatory exposure involved, or without confirming the insurer’s prior authorisation.
Governance, DPDP Act and Listed Company Obligations
A ransomware attack that materially disrupts operations or compromises customer data must be brought to the board. Documented board decisions on regulatory reporting, customer communication, forensic investigation, and remediation investment demonstrate that the organisation exercised reasonable governance under crisis conditions. Where the attack has resulted in personal data being compromised — through encryption, exfiltration, or both — the notification obligation under Section 8(6) of the Digital Personal Data Protection Act, 2023 to the Data Protection Board and affected individuals is engaged in addition to CERT-In reporting. For listed companies, a material ransomware incident may require prompt disclosure to the stock exchange under the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 — counsel must assess the disclosure threshold without delay.
DPDP Act Obligations and Personal Data Exposure
Ransomware incidents almost invariably involve the exfiltration of personal data before the encryption payload is deployed — threat actors extract data to use as additional leverage. Where an Indian organisation processes personal data subject to the Digital Personal Data Protection Act, 2023, a ransomware-associated data exfiltration constitutes a personal data breach triggering notification obligations to the Data Protection Board of India and to affected Data Principals. These obligations run independently of whether the ransom is paid and independently of the criminal complaint process. The notification should be accurate, timely, and reviewed by legal counsel before despatch, since inaccurate notifications create independent regulatory exposure.
Cyber Insurance and Post-Incident Recovery
Organisations holding cyber insurance policies must notify their insurer promptly — typically within 24 to 72 hours of the incident — and in any event before engaging external incident response vendors or taking steps that the policy characterises as mitigation expenditure. Failure to notify within the policy window is the most common basis for insurers declining ransomware claims. The policy terms should be reviewed at the outset of the incident to confirm what is covered: ransom payments, forensic response costs, legal fees, notification costs, business interruption losses, and third-party liability claims are covered differently across different policy forms. Post-incident, the root cause of the ransomware infection — typically a phishing email, an unpatched vulnerability, or a compromised remote access credential — must be identified and remediated before systems are restored to operation.
Key Takeaways
- CERT-In reporting within six hours of detection is mandatory for covered entities — this obligation arises immediately upon detection and is entirely independent of any remediation or payment decision.
- Commercial contracts — SLAs, data processing agreements, and outsourcing agreements — contain notification and security obligations directly engaged by a ransomware incident; counsel must identify and manage these on day one.
- The cyber insurer must be notified within the policy window — typically 24–72 hours — and the coverage terms reviewed before any payment decision or public communication is made.
- Where ransomware leads to personal data compromise, the DPDP Act 2023 notification obligation to the Data Protection Board and affected individuals is engaged in addition to CERT-In reporting — these are parallel, not sequential, obligations.
- For listed companies, a material ransomware incident may require stock exchange disclosure under SEBI LODR — the disclosure threshold must be assessed by counsel promptly and without waiting for full remediation.
References
- Information Technology Act, 2000, Sections 43, 43(b), 66 — Ministry of Electronics & IT, India Code.
- Bharatiya Nyaya Sanhita, 2023, Section 308 (extortion) — Ministry of Law & Justice, India Code.
- CERT-In Directions on Cyber Security Incident Reporting, 28 April 2022 — mandatory six-hour reporting for covered entities.
- Digital Personal Data Protection Act, 2023, Section 8(6) — Data Protection Board notification obligation.
- SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 — cyber incident disclosure for listed entities.
- Prevention of Money Laundering Act, 2002 — Ministry of Finance, India Code.
Disclaimer
This article is for general information only and does not constitute legal advice, solicitation or an advocate-client relationship. Readers should obtain advice based on their specific facts before acting on any legal, regulatory or forensic advisory issue.