By Anuradha Gandhi and Rachita Thakur
Introduction
On June 9, 2025, Zoom Car Holdings, Inc. (hereinafter referred to as ‘Zoom Car’/‘Company’) identified a cybersecurity incident involving unauthorized access to its information systems, which resulted in an unauthorized third party gaining access to a data set containing certain personal information of approximately 8.4 million users. On June 13, 2025, Zoom Car filed an Item 1.05 disclosure report under Form 8-K of the Securities Exchange Act, 1934, reporting a cybersecurity incident as a mandatory compliance measure under the legal framework of the United States of America (hereinafter referred to as ‘US’).
Brief Context about the Incident[1]
How did the incident come to light?
Zoom Car, in its disclosure report, claimed that it discovered the cyber incident when certain employees received external communications from a threat actor alleging unauthorized access to Company data.
What Personal Information was compromised?
According to the company, the cyber incident resulted in the compromise of names, phone numbers, car registration numbers, personal addresses and email addresses associated with such users. However, it denied having any evidence that financial information, plaintext passwords, or other sensitive identifiers were compromised.
What Measures have been taken by Zoom Car post data breach?
The report filed states that the company has implemented additional safeguards across its cloud and internal network. These included increased system monitoring and a review of access controls. Zoom Car is also engaging third-party cybersecurity experts to further assist with the investigation of the breach.
Has the data breach caused disruption in Company Operations?
Based on a preliminary internal investigation, the company claims that the incident has not resulted in any material disruption to its operations. However, it continues to evaluate the scope and potential impacts of the event, including legal, financial, and reputational considerations, as well as any associated remediation costs.
Why has Zoom Car filed a Disclosure Report before a US regulator?
On December 29, 2023, Zoom Car listed and began trading on the National Association of Securities Dealers Automated Quotations (hereinafter referred to as ‘NASDAQ’) global stock exchange, which is based in New York City.[2] This made the rules and regulations released by the US Securities and Exchange Commission (hereinafter referred to as ‘SEC’) applicable to Zoom Car.
US SEC’s Disclosure Requirements for NASDAQ Listed Companies
Rules for Cybersecurity Risk Management
On July 26, 2023, the Securities and Exchange Commission adopted the Rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers (hereinafter referred to as ‘SEC Cybersecurity Rules’). The rules created obligations on listed entities to file disclosure reports before the SEC about cybersecurity incidents within the prescribed time limit. The rules introduced Form 8-K for this purpose.[3]
The rules introduced three types of disclosures relating to Data Security:
- Material cybersecurity incidents,
- Cybersecurity risk management processes and
- Cybersecurity management and governance.
What is a Material Cybersecurity Incident?[4]
The SEC Cybersecurity Rules summarize the quantitative and qualitative factors for determining a material cybersecurity incident, including the following:
- Harm to a company’s reputation
- Impact of disruption to business operations
- Harm to a company’s customer or vendor relationships
- Harm to competitiveness
- The possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-US authorities
- Impact on business value
- Actual and expected direct and indirect costs stemming from the incident
Based on these factors, a listed company is obligated to determine whether a particular cybersecurity incident is material or non-material. The former must be disclosed mandatorily, while the latter may be disclosed voluntarily at the discretion of the company.
Reporting of Cybersecurity Incidents under Form 8-K
Resolving the Overlap of Item 1.05 and 8.01 of Form 8-K
Form 8-K covers cybersecurity incident disclosures under Item 1.05 and Item 8.01. Item 1.05 addresses the mandatory disclosure of material cybersecurity incidents; however, a corporation may also disclose non-material cybersecurity incidents under this item. Item 8.01 allows businesses to voluntarily report non-material cybersecurity incidents. The SEC clarified the scope of the disclosure requirement under these two items in a statement issued on May 21, 2024, encouraging corporations to make voluntary disclosures under Item 8.01 rather than Item 1.05. This recommendation sought to limit disclosures under Item 1.05 exclusively to material cybersecurity events.[5]
Deadline to file the material cybersecurity incidents disclosure
A company that has suffered a material cybersecurity incident shall report it to the US SEC through Form 8-K within 4 business days of discovering the cybersecurity incident.
Permissible delay on the grounds of National Security
The company may be allowed to delay the disclosure of a material cybersecurity incident if the United States Attorney General (hereinafter referred to as ‘US AG’) determines that such disclosure could pose a threat to national security. The maximum permissible delay is prescribed at 120 days, beyond which, if the threat persists, the Securities and Exchange Commission may consider further delays upon a written communication from the US AG.[6]
What if this Data breach occurred in India?
Obligations and Disclosure Requirements by the Securities and Exchange Board of India (hereinafter referred to as ‘SEBI’)
Applicability of SEBI Regulations on Zoom Car’s operations in India
Unlike in the US, Zoom Car is not listed on an Indian stock exchange and is therefore not regulated by SEBI. However, if such a breach were to occur at a listed entity within SEBI’s jurisdiction, that entity would be obligated to disclose the details of cybersecurity incidents in the Corporate Governance Report it submits quarterly to SEBI.
Obligation to file Quarterly Compliance Report on Corporate Governance
According to Regulation 27 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, listed entities must submit a quarterly compliance report on corporate governance in the format specified by SEBI to the relevant stock exchange within 21 days of the end of each quarter.
Disclosure of Cybersecurity Incidents forms a part of the Corporate Governance Report
On June 14, 2023, SEBI, vide Notification No. SEBI/LAD-NRO/GN/2023/131, issued the SEBI (Listing Obligations and Disclosure Requirements) (Second Amendment) Regulations, 2023 and inserted sub-clause 27(2)(ba), which specifies that the details of cybersecurity incidents, breaches, or loss of data or documents shall be disclosed in the Corporate Governance Report submitted by listed entities to the stock exchanges on a quarterly basis. This requirement is effective from July 14, 2023 onwards.[7]
CERT-In’s Direction on Disclosure of Cyber Incidents
Zoom Car is an online marketplace service provider, which brings it within the applicability of the rules and regulations released by the Indian Computer Emergency Response Team (hereinafter referred to as ‘CERT-In’).
CERT-In’s Cyber Incident Reporting Framework and Intermediary liability
On April 28, 2022, CERT-In issued directions on ‘Information security practices, procedures, prevention, response and reporting of Cyber Incidents for safe and trusted internet’ (hereinafter referred to as ‘CERT-In directions’) under sub-section (6) of section 70B of the Information Technology Act, 2000.[8]
As per these directions, any service provider, intermediary, data centre, body corporate or Government organisation must mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or of such incidents being brought to its notice.
What does the term ‘Cyber incident’ include?
Annexure I of CERT-In’s FAQ document on the CERT-In directions details the types of cyber incidents that need to be reported, covering a very wide scope of incident reporting, which includes:
- Data Breach,
- Data Leak,
- Targeted scanning/probing of critical networks/systems,
- Compromise of critical systems,
- Unauthorized access of IT Systems,
- Defacement of Website,
- Malicious code attacks,
- Identity theft, spoofing and phishing attacks, and
- Denial of Service attacks[9]
This list is not exhaustive and indicates that the term ‘cyber incidents’ holds a wide meaning and may include any malicious activity in the cyberspace.
Definition of ‘Cyber Incidents’ under India’s Intermediary Framework
The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter referred to as ‘SPDI rules’)[10] define the term ‘cyber incidents’ under Rule 2(d) as ‘any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorization.’
Status of Zoom Car as an Intermediary
Section 2(w) of the Information Technology Act, 2000 (hereinafter referred to as ‘IT Act’) defines the term ‘intermediary’, and the IT Act includes ‘online marketplaces’ within that definition. Therefore, all obligations pertaining to cybersecurity and data protection measures to be implemented by intermediaries shall be applicable to Zoom Car as an online marketplace.[11]
Therefore, Zoom Car must adhere to CERT-In’s disclosure requirements both as a service provider and as an intermediary.
The Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDPA’)[12]
Scope of Data Collected by Zoom Car
As per Zoom Car’s filing before the US SEC, it has disclosed that it is in possession of a wide range of personal data elements, including names, phone numbers, car registration numbers, personal addresses and email addresses associated with its users. It denies any compromise of financial information, plaintext passwords, or other sensitive identifiers.
Status of Zoom Car under DPDPA
The DPDPA defines a data fiduciary as ‘any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.’ For the purposes of the DPDPA, Zoom Car falls within the ambit of a data fiduciary, since it determines the purpose and means of processing the personal data of both the person who hires a rental car and the person who lists a car on the website for hire.
Data Fiduciary’s Data Breach Disclosure Obligations
Under Section 8(6) of the DPDPA, a data fiduciary that has suffered a data breach is obligated to intimate the breach to the Data Protection Board (hereinafter referred to as ‘DPB’) and to all affected data principals.
Further, Rule 7 of the Draft Digital Personal Data Protection Rules, 2025 (hereinafter referred to as ‘DPDP Rules’)[13] prescribes the content and the form in which such intimation is to be conveyed to the DPB as well as to the affected Data Principals. Such intimation shall be conveyed in a concise, clear and plain manner and without delay.
Intimation to the affected Data Principals:
Under Rule 7 of the DPDP Rules, a data fiduciary that has suffered a data breach shall, without delay, inform the Data Principals about such breach. The information must include:
- Description of the breach, including its nature, extent and the timing and location of its occurrence;
- The consequences relevant to her, that are likely to arise from the breach;
- The measures implemented and being implemented by the Data Fiduciary, if any, to mitigate risk;
- The safety measures that she may take to protect her interests; and
- Business contact information of a person who is able to respond on behalf of the Data Fiduciary, to queries, if any, of the Data Principal.
Intimation to the DPB:
A data fiduciary that has suffered a data breach shall, as soon as practicable, convey to the DPB an initial intimation describing the breach, including its nature, extent, timing and location of occurrence and its likely impact.
Subsequently, the DPDPA puts a 72-hour limit on the data fiduciary to share detailed information regarding the breach. This should include:
- Updated and detailed information in respect of such description;
- The broad facts related to the events, circumstances and reasons leading to the breach;
- Measures implemented or proposed, if any, to mitigate risk;
- Any findings regarding the person who caused the breach;
- Remedial measures taken to prevent recurrence of such breach; and
- A report regarding the intimations given to affected Data Principals.
Prateek Chandgothia, Assessment Intern at S.S.Rana & Co. has assisted in the research of this article.
[1] https://www.sec.gov/Archives/edgar/data/1854275/000121390025054319/ea0245724-8k_zoomcar.htm
[3] https://www.debevoisedatablog.com/2023/07/28/sec-adopts-new-cybersecurity-rules-for-issuers/
[6] https://www.sec.gov/files/form8-k.pdf
[8] https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
[9] https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf
[11] https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf
[12] https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
[13] https://static.mygov.in/innovateindia/2025/01/03/mygov-999999999568142946.pdf