📧 admissions@cyberlawacademy.com
Back to Course
CCPModule 5Lesson 5.1

⚖️ IT Act 2000 & Cyber Crime Framework

India's foundational cyber law—understanding offences, penalties, and landmark judgments

⏱️ 150 minutes📖 Lesson 1 of 4🎯 Advanced

Introduction: The Digital India Legal Foundation

"The Information Technology Act, 2000 is India's first cyber law, giving legal recognition to electronic transactions and providing a framework for combating cyber crime."

The IT Act 2000, amended significantly in 2008, remains the primary legislation governing cyberspace in India. Every cybersecurity professional must understand its provisions—both for compliance and for understanding the legal consequences of cyber incidents.

🎯 Lesson Objectives

  • Explain the structure and key provisions of IT Act 2000
  • Identify cyber offences under Sections 43, 66, 66A-F, 67
  • Apply intermediary liability provisions (Section 79)
  • Analyze landmark cyber law judgments

1. IT Act 2000 Overview

The Information Technology Act, 2000 (IT Act) was enacted on 17 October 2000, making India the 12th nation to adopt cyber legislation. It was significantly amended in 2008 to address emerging cyber threats.

1.1 Key Objectives

  • Legal recognition of electronic documents and digital signatures
  • Facilitation of electronic commerce and governance
  • Prevention of cyber crimes
  • Establishment of regulatory authorities (CERT-In, Adjudicating Officers)

1.2 Structure of the Act

ChapterSectionsSubject Matter
I1-2Preliminary (Title, Definitions)
II3-3ADigital Signature & Electronic Signature
III4-10AElectronic Governance
IV11-14Attribution & Acknowledgment
V15-16Secure Electronic Records & Signatures
VI17-34Certifying Authorities
IX43-47Penalties & Compensation (Civil)
X48-64Cyber Appellate Tribunal
XI65-78Offences (Criminal)
XII79-81Intermediaries & Exemptions
XIII82-90Miscellaneous

2. Civil Liability: Section 43

⚖️ Section 43: Penalty for Damage to Computer Systems

If any person without permission of the owner:

  • (a) Accesses or secures access to a computer system
  • (b) Downloads, copies, or extracts any data
  • (c) Introduces any computer virus or contaminant
  • (d) Damages or causes damage to computer system
  • (e) Disrupts or causes disruption
  • (f) Denies or causes denial of access
  • (g) Provides assistance to any person to facilitate access
  • (h) Charges services availed by unauthorized access
  • (i) Destroys, deletes, or alters information
  • (j) Steals, conceals, destroys, or alters source code

Penalty: Compensation up to ₹1 crore to affected persons (adjudicated by Adjudicating Officer)

⚖️ Section 43A: Compensation for Failure to Protect Data

Where a body corporate possessing, dealing, or handling any sensitive personal data/information is negligent in implementing reasonable security practices, causing wrongful loss/gain to any person:

Penalty: Liable to pay damages by way of compensation to affected person

Note: "Reasonable security practices" defined by reference to IS/ISO/IEC 27001 or government-approved standards

3. Criminal Offences: Sections 65-74

3.1 Key Offence Provisions

SectionOffencePunishment
65Tampering with computer source documents3 years imprisonment + ₹2 lakh fine
66Computer related offences (hacking)3 years imprisonment + ₹5 lakh fine
66BReceiving stolen computer resource3 years imprisonment + ₹1 lakh fine
66CIdentity theft (using electronic signature/password)3 years imprisonment + ₹1 lakh fine
66DCheating by personation using computer3 years imprisonment + ₹1 lakh fine
66EViolation of privacy (capturing/publishing images)3 years imprisonment + ₹2 lakh fine
66FCyber terrorismLife imprisonment
67Publishing obscene material electronicallyFirst: 3 years + ₹5 lakh; Second: 5 years + ₹10 lakh
67APublishing sexually explicit contentFirst: 5 years + ₹10 lakh; Second: 7 years + ₹10 lakh
67BChild pornographyFirst: 5 years + ₹10 lakh; Second: 7 years + ₹10 lakh
72Breach of confidentiality and privacy2 years imprisonment + ₹1 lakh fine
72ADisclosure of information in breach of lawful contract3 years imprisonment + ₹5 lakh fine

⚠️ Section 66A: Struck Down

Section 66A (sending offensive messages) was struck down by the Supreme Court in Shreya Singhal v. Union of India (2015) as unconstitutional for being vague and overbroad, violating Article 19(1)(a) - Freedom of Speech.

However, some law enforcement agencies continued to register cases under 66A until the Supreme Court ordered purging of all such cases in 2021.

4. Intermediary Liability: Section 79

⚖️ Section 79: Intermediary Safe Harbor

An intermediary shall NOT be liable for any third-party information, data, or communication link made available if:

  • (a) Its function is limited to providing access to a communication system
  • (b) It does not initiate, select, or modify the information
  • (c) It exercises due diligence and observes prescribed guidelines

Exception: Safe harbor does NOT apply if:

  • Intermediary conspires, abets, aids, or induces the commission of the unlawful act
  • Upon receiving actual knowledge or being notified by government, fails to expeditiously remove/disable access

💡 Landmark Case: Shreya Singhal v. Union of India (2015)

The Supreme Court interpreted Section 79 to require:

  • "Actual knowledge" means a court order, not mere user complaints
  • Intermediaries need not proactively monitor content
  • Reading down of Section 79(3)(b) to mean actual knowledge from court order

Citation: (2015) 5 SCC 1

5. Landmark Cyber Law Cases

📋 Avnish Bajaj v. State (Bazee.com Case) - 2005

Facts: An obscene MMS clip was listed for sale on Bazee.com (now eBay India)

Issue: Is the intermediary liable for user-uploaded content?

Held: CEO was granted bail. Court noted that intermediaries cannot be expected to monitor all content but must act on receiving knowledge.

Impact: Led to amendments clarifying intermediary liability in 2008

📋 Syed Asifuddin v. State of Andhra Pradesh - 2005

Facts: Tampering with electronic subscriber identity in mobile phones

Held: ESN/IMEI tampering falls under Section 65 (tampering with source code)

Significance: First case interpreting "source code" broadly

📋 State of Tamil Nadu v. Suhas Katti - 2004

Facts: Accused posted obscene messages about a woman on Yahoo Groups

Held: First conviction under IT Act—sentenced under Sections 67 and IPC 469

Significance: Landmark first successful cyber crime prosecution in India

6. CERT-In and Enforcement

⚖️ Section 70B: Indian Computer Emergency Response Team

CERT-In is designated as the national agency for:

  • Collection, analysis, and dissemination of cyber incident information
  • Forecast and alerts of cyber security incidents
  • Emergency measures for handling cyber incidents
  • Coordination of cyber incident response activities
  • Issue guidelines and advisories

Power: Can call for information and give directions to service providers, intermediaries, data centres, and body corporates

Non-compliance: Up to 1 year imprisonment and/or fine

📝 Key Takeaways

1

Section 43 provides civil remedies (up to ₹1 crore) for unauthorized access and damage

2

Section 66 criminalizes hacking with up to 3 years imprisonment

3

Section 66A was struck down as unconstitutional in Shreya Singhal (2015)

4

Section 79 provides safe harbor for intermediaries with due diligence

5

CERT-In under Section 70B is the national cyber incident response agency

✅ Lesson Complete!

You've mastered IT Act 2000. Next: The critical DPDPA 2023 Deep Dive.