CKYC Alert for a Stranger: What to Do If Your Data is Breached by a Financial Institution

If you are stuck in such a situation, here is what to do.

Recently, Mr. Ramesh Gupta received a startling text message from CERSAI, the Central Registry of Securitisation Asset Reconstruction and Security Interest of India. The alert stated that “Apex Securities” had fetched the CKYC (Central Know Your Customer) data for a Mr. Vikram Singh. Just a few days earlier, he had received a similar message, but it mentioned “Zenith Bank” as the entity accessing the data. Mr. Gupta has no personal or professional connection to Mr. Vikram Singh or any accounts held in that name. This incident points to a significant data breach, where sensitive information is being misrouted or wrongly linked.

Concerned, Mr. Gupta promptly filed a formal complaint with CERSAI. When he contacted Zenith Bank about the first alert, their response was evasive. They suggested that some other, unidentified bank might have erroneously updated Mr. Gupta’s phone number in Mr. Singh’s customer profile. So far, neither CERSAI nor the CKYC registry has provided any meaningful assistance, leaving Mr. Gupta worried about the security of his personal information and potential misuse.

Advice in such cases


  • Document Everything: Take screenshots of the SMS alerts. Keep a detailed record of all communications, including dates, times, and the names of people you speak with at the financial institutions and regulatory bodies. Save copies of all emails and complaint reference numbers.



  • File Formal Complaints: Do not rely on verbal communication. Send written complaints via email or registered post to the Grievance Redressal Officer of the concerned bank (Zenith Bank) and the securities company (Apex Securities). Clearly state the issue and the resolution you seek.



  • Escalate to Regulators: File formal complaints with CERSAI and the Reserve Bank of India (RBI) Ombudsman. With the new data protection laws, you can also approach the Data Protection Board of India once it is fully functional.



  • Monitor Your Finances: Keep a close watch on your own bank accounts and credit reports for any unusual activity. While the breach appears to involve someone else’s data being linked to your number, it’s a prudent step to ensure your own financial data is secure.



  • Consult a Lawyer: A basic and important first step is to talk to a lawyer or advocate. Do not hesitate to pay the consultation fee, which might range from Rs. 10,000 to Rs. 50,000 depending on the case. The lawyer is helping you get out of this situation, is an expert in the domain, and can explain procedures you might never have explored. A good lawyer can get the issues resolved much faster than you think.


Applicable Sections of Law

Such cases of data mismanagement and breach are primarily governed by the following laws in India:


  • The Digital Personal Data Protection Act, 2023 (DPDPA): This is the most critical legislation. It imposes strict obligations on “Data Fiduciaries” (like banks and securities firms) to process personal data lawfully, ensure its accuracy, and implement security safeguards to prevent breaches. A failure to do so can result in significant penalties. The act gives individuals the right to have their data corrected and erased.



  • The Information Technology Act, 2000: Section 43A of the IT Act holds corporate bodies liable to pay compensation if they are negligent in implementing and maintaining reasonable security practices and procedures, resulting in wrongful loss or wrongful gain to any person. Although the DPDPA is more recent, this section can still be relevant.



  • Reserve Bank of India (RBI) Regulations: The RBI has issued various circulars and guidelines on KYC norms, data security, and customer service for banks and other financial institutions. A violation of these can lead to penalties imposed by the RBI.


If you are the complainant

If your phone number or email has been wrongly linked to someone else’s account, causing you to receive their sensitive alerts, you are the primary complainant. Your course of action should be:


  • Send a Legal Notice: Through a lawyer, send a formal legal notice to the financial institution(s) involved. This notice should detail the breach, the mental harassment caused, and demand immediate rectification and a formal apology. This often prompts a faster and more serious response.



  • File a Complaint with the RBI Ombudsman: If the bank fails to resolve the issue to your satisfaction within 30 days, you can file a complaint with the RBI’s Ombudsman scheme for deficiency in service.



  • Approach the Data Protection Board: Under the DPDPA, you can file a complaint with the Data Protection Board of India against the Data Fiduciary for failing to maintain the accuracy of personal data and for the breach of your information.



  • Consult a Lawyer: A basic and important first step is to talk to a lawyer or advocate. Do not hesitate to pay the consultation fee, which might range from Rs. 10,000 to Rs. 50,000 depending on the case. The lawyer is helping you get out of this situation, is an expert in the domain, and can explain procedures you might never have explored. A good lawyer can get the issues resolved much faster than you think.


If you are the victim

The person whose CKYC data was actually fetched (Mr. Vikram Singh in this story) is also a victim, as their sensitive information is being sent to an incorrect, unknown third party. If you find yourself in this position:


  • Demand Rectification: Immediately contact your bank or financial institution and demand to know why your data is linked to an incorrect phone number. Provide proof of your correct contact details and insist they update their records across all platforms, including the CKYC registry.



  • Request an Audit Trail: Ask the institution for a record of who accessed your data and when. This is your right under the DPDPA.



  • Review Account Security: Change passwords and review all recent transactions on your account to ensure no fraudulent activity has taken place as a result of this data exposure.



  • Consult a Lawyer: A basic and important first step is to talk to a lawyer or advocate. Do not hesitate to pay the consultation fee, which might range from Rs. 10,000 to Rs. 50,000 depending on the case. The lawyer is helping you get out of this situation, is an expert in the domain, and can explain procedures you might never have explored. A good lawyer can get the issues resolved much faster than you think.


How the police behave in such cases

Initially, the police might view such a case as a civil or regulatory matter rather than a criminal one, especially if there is no immediate financial fraud. They may direct you to file a complaint with the Cyber Crime Cell. The police are more likely to register a First Information Report (FIR) under the Bharatiya Nyaya Sanhita, 2023 (BNS) or the IT Act if there is evidence of criminal intent, such as identity theft, cheating, or if the data breach has led to a financial loss. However, their primary advice will often be to approach the appropriate regulatory authorities like the RBI or the Data Protection Board first.

FAQs people normally have

What evidence is required?

To build a strong case, you must gather all possible evidence. This includes:


  • Screenshots of the SMS alerts from CERSAI or the bank.



  • Copies of all written correspondence (emails, letters) with the bank, securities firm, CERSAI, and other regulatory bodies.



  • Reference numbers for all complaints filed.



  • A log of phone calls made, including dates, times, and the names of the representatives you spoke with.



  • A copy of the legal notice sent, if any, and its postal receipts.


How long will the investigation take?

The timeline for resolution can vary significantly. An internal investigation by a cooperative bank might resolve the data error within a few weeks. However, if you need to escalate the matter to the RBI Ombudsman or the Data Protection Board, the process can take several months. The duration depends on the complexity of the issue, the responsiveness of the financial institutions, and the caseload of the regulatory authorities.

Advocate Sudhir Rao, Supreme Court of India
