1.1 Overview: The Multi-Layered Breach Framework
Data breach law in India is not contained in a single statute. It exists as a complex mesh of civil remedies, criminal penalties, regulatory reporting obligations, and sector-specific requirements. Understanding this layered structure is essential for effective incident response.
Key Statutes Governing Data Breaches
- Information Technology Act, 2000: Sections 43, 43A, 72, and 72A provide civil and criminal remedies
- Digital Personal Data Protection Act, 2023 (DPDPA): Mandatory breach notification and penalties up to Rs. 250 crore
- CERT-In Directions, 2022: Six-hour mandatory incident reporting requirement
- Sector-Specific Regulations: RBI, SEBI, IRDAI, and TRAI impose additional obligations
- Bharatiya Nyaya Sanhita, 2023: Criminal provisions for identity theft and data-related offenses
A single data breach may trigger multiple reporting obligations with different timelines, different regulators, and different consequences. Legal counsel must map ALL applicable requirements before advising on response strategy.
1.2 IT Act Section 43: Civil Liability
Section 43 of the IT Act provides the foundation for civil remedies in unauthorized access and data breach cases. It covers both intentional acts and negligent conduct, with compensation now unlimited after the 2008 amendments.
Key Elements Under Section 43
| Clause | Activity | Legal Significance |
|---|---|---|
| 43(a) | Unauthorized access | Covers intrusion without permission |
| 43(b) | Unauthorized download/copy | Data exfiltration liability |
| 43(c) | Introducing virus/contaminant | Malware, ransomware attacks |
| 43(d) | Damage to computer system | System destruction or impairment |
| 43(e) | Disruption of access | DDoS attacks, service denial |
| 43(f) | Denial of access to authorized person | Ransomware locking systems |
| 43(g) | Assisting in contravention | Accomplice liability |
| 43(h) | Charging for services of another | Resource theft |
| 43(i) | Destroying/altering source code | Evidence tampering |
| 43(j) | Stealing/concealing data | Data theft |
Compensation: No Upper Limit
The 2008 Amendment removed the Rs. 1 crore cap on compensation. The Adjudicating Officer can now award compensation "as he thinks fit." This makes Section 43 a powerful remedy for data breach victims.
When representing breach victims, quantify damages comprehensively: actual losses, consequential damages, business disruption costs, reputation damage, and regulatory penalty exposure. The Adjudicating Officer has wide discretion in awarding compensation.
1.3 Section 72A: Criminal Liability for Disclosure
Section 72A introduced criminal liability for unauthorized disclosure of personal information by service providers. This is crucial for holding organizations criminally accountable for breach-related disclosures.
Essential Elements for Section 72A
- Lawful Contract: Services provided under contractual relationship
- Access to Personal Information: Material containing personal data
- Disclosure Without Consent: Unauthorized sharing with third parties
- Intent or Knowledge: Intent to cause or knowledge of likely wrongful loss/gain
Section 72A requires "intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain." Mere negligent disclosure may not attract criminal liability under this section. For negligent breaches, civil remedies under Section 43/43A are more appropriate.
Section 72A vs Section 72 Comparison
| Aspect | Section 72 | Section 72A |
|---|---|---|
| Who is liable | Government officials with IT Act powers | Any person including intermediaries |
| Type of information | Electronic records, books, information | Personal information |
| Consent requirement | Disclosure without consent of concerned person | Disclosure without consent in breach of contract |
| Punishment | Up to 2 years imprisonment or Rs. 1 lakh fine | Up to 3 years imprisonment or Rs. 5 lakh fine |
1.4 DPDPA Breach Provisions
The Digital Personal Data Protection Act, 2023 introduces India's first comprehensive data breach notification regime with significant penalties for non-compliance.
Definition of Personal Data Breach
Key DPDPA Breach Obligations
- Section 8(6): Mandatory notification to Data Protection Board and affected Data Principals
- Form and Manner: As prescribed by Rules (yet to be notified)
- Timeline: "Without unreasonable delay" - expected to be 72 hours based on global standards
- Content: Nature of breach, categories of data affected, likely consequences, remedial measures
DPDPA Penalties for Breach-Related Violations
| Violation | Schedule Provision | Maximum Penalty |
|---|---|---|
| Failure to implement reasonable security safeguards | Schedule, Para 3 | Rs. 250 Crore |
| Failure to notify breach to Board and Data Principals | Schedule, Para 4 | Rs. 200 Crore |
| Failure of Significant Data Fiduciary obligations | Schedule, Para 5 | Rs. 150 Crore |
| Children's data processing violations | Schedule, Para 6 | Rs. 200 Crore |
Organizations must comply with BOTH DPDPA notification requirements AND CERT-In 6-hour reporting. These are separate obligations with different regulators, different timelines, and different penalties.
1.5 CERT-In Directions 2022
The CERT-In Directions of April 2022 mandate six-hour incident reporting for a wide range of cyber security incidents, creating one of the world's strictest breach notification timelines.
Mandatory Reporting Incidents (6 Hours)
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems, including unauthorized access
- Unauthorized access to IT systems and data
- Website defacement, including government and critical-sector sites
- Malicious code attacks: ransomware, spyware, cryptomining
- Attacks on servers: database, mail, DNS servers
- Identity theft and phishing: large-scale attacks
- Data breaches and leaks, including personal data
- Attacks on critical infrastructure: power, transport, finance
- Attacks on IoT devices and associated systems
CERT-In Reporting Requirements
| Requirement | Obligation | Timeline |
|---|---|---|
| Initial Incident Report | Report incident to CERT-In | Within 6 hours of noticing or being notified |
| Detailed Report | Submit comprehensive incident details | As required by CERT-In |
| Log Retention | Maintain ICT logs | 180 days (rolling) |
| Log Location | Store logs within India | Ongoing |
| POC Designation | Appoint Point of Contact | Register with CERT-In |
Failure to comply with CERT-In Directions can attract penalties under Section 70B(7) of the IT Act - imprisonment up to one year or fine up to one lakh rupees or both. For organizations, direction to block/suspend services is also possible.
Who Must Report to CERT-In?
- Service Providers: Internet, cloud, VPN, data centers
- Intermediaries: Social media, e-commerce platforms
- Data Centers: Virtual private server providers
- Body Corporate: Organizations handling sensitive data
- Government Organizations: All ministries and agencies
Advise clients to pre-draft incident report templates with required fields (incident type, affected systems, initial assessment, POC details). The 6-hour clock starts from "noticing or being notified" - have detection mechanisms that trigger immediate legal review.
Key Takeaways
- Section 43: Civil remedy with no upper limit on compensation - use for breach victims
- Section 72A: Criminal liability requires intent/knowledge of wrongful loss/gain
- DPDPA: Up to Rs. 250 crore penalty for security failures, Rs. 200 crore for notification failures
- CERT-In: Six-hour mandatory reporting - one of the strictest timelines globally
- Dual Compliance: DPDPA and CERT-In are SEPARATE obligations - comply with both