Section 43A of the Information Technology Act, 2000 is the provision that first put a price tag on corporate carelessness with personal data. Inserted by the Information Technology (Amendment) Act, 2008 and brought into force on 27 October 2009, it fastens civil liability on a body corporate that, while handling sensitive personal data or information, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person. For a decade and a half it was India's principal statutory hook for data-breach compensation, fleshed out by the SPDI Rules, 2011 and applied by adjudicating officers and the appellate tribunal in the banking phishing cases. This chapter dissects the text, the rules, the leading rulings, and the provision's scheduled sunset under the Digital Personal Data Protection Act, 2023.

The Statutory Text and Its Genesis

Section 43A reads: “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.” The section sets no monetary ceiling on the compensation that may be awarded. That silence is deliberate: before the 2008 amendment, Section 43 limited compensation to one crore rupees, and the amending Act both dropped those words from Section 43 and left them out of the new Section 43A. The section carries no proviso; what follows the operative text are three Explanations, defining “body corporate”, “reasonable security practices and procedures” and “sensitive personal data or information”.

The provision did not exist in the original 2000 statute. It was introduced by the Information Technology (Amendment) Act, 2008 and notified into force, alongside the bulk of the amendment, on 27 October 2009. The trigger was the outsourcing boom: India's BPO and banking sectors were processing vast quantities of foreign and domestic personal data, and a string of data-leak scandals exposed the absence of any general data-protection obligation. Section 43A was Parliament's answer — a compact, civil-liability provision that imposed a duty of care on the custodians of sensitive data without enacting a full-blown data-protection code. For the wider scheme of the Act, see our note on the introduction to the IT Act.

Anatomy of the Liability: Five Ingredients

To succeed under Section 43A a claimant must establish five cumulative ingredients. First, the defendant must be a body corporate — the Explanation defines this as any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. A purely individual wrongdoer therefore falls outside the section (though Section 43 may still apply). Second, the data in question must be sensitive personal data or information, a category left to be defined by rules. Third, the body corporate must possess, deal with or handle that data in a computer resource it owns, controls or operates. Fourth, there must be negligence in implementing and maintaining reasonable security practices and procedures. Fifth, that negligence must cause wrongful loss to the victim or wrongful gain to someone.

The phrases “wrongful loss” and “wrongful gain” are not defined in the IT Act and are read in the sense familiar from Section 23 of the Indian Penal Code: loss by unlawful means of property to which a person is legally entitled, and the corresponding gain by unlawful means of property to which the gainer is not entitled. The causal nexus between the security failure and the wrongful loss or gain is the analytical heart of the section: a breach that causes no loss, or a loss with no link to any security failure, will not sustain a claim. Equally, the negligence is assessed against the standard of reasonable security, not perfect security. A body corporate is not an insurer against every conceivable intrusion, only against the consequences of failing to maintain the baseline that a prudent custodian of such data would maintain.

The architecture is significant. Section 43A is a negligence-based provision, not a strict-liability one. The claimant need not prove intentional wrongdoing — mere failure to maintain reasonable security suffices — but the failure must be causally connected to the loss. This distinguishes it from the contemporaneous penal provisions, and from the act-specific, intent-laden offences elsewhere in the statute. Compare the definitional scaffolding in our note on the definitions under the IT Act.

Who Is a 'Body Corporate'?

The first Explanation to Section 43A states that “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The breadth is deliberate: the legislature wanted the obligation to reach not just incorporated companies but partnerships, proprietorships and professional outfits that handle client data. Government departments, by contrast, are generally not bodies corporate in the commercial sense, which is one reason public-sector data leaks have historically fallen into a Section 43A gap — a gap the Digital Personal Data Protection Act, 2023 later sought to close by applying to the State as a Data Fiduciary.

The Telecom Disputes Settlement and Appellate Tribunal (TDSAT) emphasised this breadth in the banking-phishing line of cases, holding that a bank — unquestionably a body corporate handling financial data — cannot escape the obligation by pointing to customer carelessness. In IDBI Bank Ltd. v. Sudhir S. Dhupia, TDSAT observed that a corporate entity dealing with sensitive personal information bears the obligation to maintain reasonable security without any exception.

Sensitive Personal Data or Information

The third Explanation provides that “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. The prescription came in Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — the “SPDI Rules”. Rule 3 enumerates: passwords; financial information such as bank account, credit card, debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; and any detail relating to the above provided to a body corporate for providing a service.

Crucially, the proviso to Rule 3 carves out information freely available in the public domain or furnished under the Right to Information Act, 2005 — such data is not “sensitive” for the purposes of the rules. The list is exhaustive rather than illustrative, which meant that categories outside it — caste, religion, political opinion, location data — were not protected as “sensitive” under the 2011 regime, a limitation widely criticised and addressed in later reform debates.

Reasonable Security Practices and Procedures

The second Explanation defines “reasonable security practices and procedures” as practices and procedures designed to protect information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties, or as specified in any law in force, or in their absence, as may be prescribed by the Central Government in consultation with professional bodies. The hierarchy is important: a contractual security standard governs first; failing that, a statutory standard; and only in the absence of both does the prescribed default apply.

Rule 8 of the SPDI Rules supplies that default. A body corporate is deemed to have complied if it implements security practices and standards under a comprehensive documented information-security programme and information-security policies containing managerial, technical, operational and physical control measures commensurate with the information assets being protected and the nature of the business. Rule 8 expressly recognises the IS/ISO/IEC 27001 standard on Information Security Management Systems as one such reasonable practice. A body corporate certified to that standard, or following a code of best practice approved and notified by the Central Government, is deemed compliant, provided that it has its practices certified or audited by an independent auditor approved by the Central Government at least once a year, or whenever it undertakes a significant upgrade of its processes and computer resource.

No Upper Cap: The Compensation Architecture

One of the most consequential features of Section 43A is the absence of any monetary ceiling on compensation. Before the 2008 amendment, Section 43 capped compensation at one crore rupees; the amendment removed that cap from Section 43 and enacted Section 43A without one, leaving only the modest residuary penalty of Section 45 for contraventions that attract no specific provision. By declining to cap compensation for data-protection failures, Parliament signalled that the quantum should track the actual loss suffered: a victim whose financial data is compromised and who loses lakhs (or crores) is not to be artificially confined to a statutory limit.

Jurisdictionally, claims under Section 43A are adjudicated by an adjudicating officer appointed under Section 46, with appeals to the appellate tribunal (originally the Cyber Appellate Tribunal, whose functions were merged into TDSAT in 2017). For claims exceeding five crore rupees, the jurisdiction lies with the competent civil court rather than the adjudicating officer. The adjudicating officer, when fixing compensation, must have regard under Section 47 to the amount of gain or unfair advantage made, the loss caused, and the repetitive nature of the default — a structured discretion rather than an at-large one.

The Umashankar Phishing Case: Section 43A Comes Alive

The reasoning that Section 43A would later formalise was first worked out in the phishing saga of S. Umashankar Sivasubramaniam v. ICICI Bank. In September 2007 the complainant, an NRI customer, received an email purporting to come from ICICI Bank asking him to confirm his internet-banking credentials. He complied, and roughly Rs 6.46 lakh was siphoned from his account. Because the fraud predated the commencement of Section 43A on 27 October 2009, the adjudicating officer for Tamil Nadu grounded the bank's liability in Section 43 (read with Section 85, which attaches liability to companies), holding the bank negligent in failing to put in place a foolproof internet-banking system with adequate authentication and validation, and directing it to pay Rs 12.85 lakh in compensation, a sum exceeding the actual loss. The finding that a bank answers for a deficient security architecture is the template later applied under Section 43A, and the award illustrates the uncapped approach the section embodies.

ICICI Bank challenged the order. On 10 January 2019 the appellate tribunal (TDSAT, exercising the erstwhile Cyber Appellate Tribunal jurisdiction) in ICICI Bank Ltd. v. Umashankar Sivasubramanian upheld the adjudicator's verdict in full, retaining the Rs 12.85 lakh award. The ruling cemented the principle that a bank handling customers' financial data cannot offload the entire risk of phishing onto the customer where its own security architecture is deficient. For the conceptual link between secure systems and statutory recognition, see our note on secure electronic records and signatures.

IDBI Bank v. Sudhir Dhupia: Obligation Without Exception

The Umashankar principle was reaffirmed and sharpened in IDBI Bank Ltd. v. Sudhir S. Dhupia, 2019 SCC OnLine TDSAT 226 (decided 13 August 2019). A customer lost Rs 81,700 through unauthorised transactions after clicking a phishing link that bore the bank's own domain name. TDSAT held the bank guilty of violating Section 43A for failing to implement a robust security system to protect customer data, and squarely rejected the argument that the customer's own disclosure of confidential information absolved the bank.

The tribunal's most-quoted observation is that a corporate entity dealing with personal sensitive information has an obligation to maintain reasonable security without any exception. The decision is doctrinally important because it treats the Section 43A duty as a continuing, non-delegable one: the body corporate cannot contract out of it, cannot plead customer fault as a complete defence where its own systems were deficient, and cannot rely on the mere existence of warnings to escape liability for an architecture that permitted the fraud.

Karmanya Singh Sareen: Data-Sharing and the Limits of 43A

Section 43A's reach, and its limits, were tested in Karmanya Singh Sareen v. Union of India, 233 (2016) DLT 436. The petitioners challenged WhatsApp's 2016 privacy-policy change, under which user account information was to be shared with Facebook and its group companies. The grievance was framed partly around the inadequacy of statutory data protection. On 23 September 2016 a Division Bench of the Delhi High Court declined to grant the broad relief sought but directed that, for users who opted to delete their accounts before 25 September 2016, the information already collected was to be deleted completely from WhatsApp's servers and not shared with Facebook, and that, for users who continued, information collected up to that date was not to be shared with Facebook. The Court also urged the Government and TRAI to consider a regulatory framework for such applications.

The case is instructive for what Section 43A could not do: it offered a compensation remedy for security failures, but provided no clear handle on consensual data-sharing by a platform under a (arguably one-sided) privacy policy. That gap — between breach-driven compensation and rights-based control over personal data — became a central theme of the reform that followed.

Puttaswamy and the Constitutionalisation of Data Privacy

The decisive constitutional backdrop is Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, where a nine-judge bench of the Supreme Court unanimously held that the right to privacy is a fundamental right protected under Articles 14, 19 and 21 of the Constitution, overruling M.P. Sharma and Kharak Singh to that extent. Informational privacy — the right to control one's personal data — was recognised as a facet of this right.

Puttaswamy transformed the significance of Section 43A. What had been a narrow, negligence-based compensation provision now sat beneath a constitutional guarantee of informational self-determination. The judgment expressly contemplated a robust statutory data-protection regime and effectively mandated the legislative process that produced the Digital Personal Data Protection Act, 2023. Section 43A, in retrospect, was a transitional instrument — the best India had before privacy was constitutionalised and before a dedicated data-protection statute existed.

The SPDI Rules, 2011: Operating the Section

Section 43A is a frame; the SPDI Rules, 2011 are the picture. Beyond defining sensitive personal data (Rule 3) and reasonable security practices (Rule 8), the Rules imposed a suite of obligations on bodies corporate. Rule 4 required a body corporate to publish a privacy policy on its website, covering the type of information collected, the purpose, and disclosure practices. Rule 5 governed collection — requiring consent, limiting collection to lawful and necessary purposes, and granting data subjects the right to review and correct their information and to withdraw consent. Rule 6 regulated disclosure to third parties, generally requiring prior permission of the provider. Rule 7 addressed transfer of sensitive data, including cross-border transfer, permitting it only where the same level of protection is ensured and the transfer is necessary or consented to.

This rule-set, though modest by modern standards, gave Section 43A operational content: a body corporate's failure to maintain the Rule 8 security baseline, or its breach of the collection and disclosure norms, became the negligence on which a Section 43A claim could rest. The relationship between the parent provision and its rules illustrates the wider IT Act technique of skeletal sections fleshed out by delegated legislation — a pattern visible across the statute, including in electronic governance.

A practical point on proof: because Rule 8 makes ISO/IEC 27001 certification (or a Government-approved code of best practice) a deeming standard, a certified body corporate can shift the evidential burden — it is deemed to have maintained reasonable security, and the claimant must then show that the certification was not genuinely implemented or that the specific failure fell outside the certified controls. Conversely, an uncertified body corporate with no documented information-security programme starts on the back foot, since the Rule 8 baseline supplies a ready yardstick of what reasonable security would have required. This evidential dynamic is what made the SPDI Rules the practical fulcrum of every Section 43A dispute, even though the section itself never mentions ISO 27001 or any specific standard.

Section 43A Distinguished from Section 43

Section 43 and Section 43A are siblings, often conflated, but distinct. Section 43 targets a person who, without permission of the owner, does any of a list of specified acts to a computer or computer system — unauthorised access, downloading, introducing a virus, causing damage, denying access, and the like — and makes that person liable to pay damages by way of compensation. It is conduct-specific and applies to any person. Section 43A, by contrast, applies only to a body corporate, is triggered by negligence in maintaining reasonable security around sensitive personal data, and is concerned with the custodian's omission rather than an intruder's positive act.

In practice the two often operate together: a phishing fraud might involve a wrongdoer liable under Section 43 (unauthorised access and data theft) and a bank liable under Section 43A (negligent security). The Umashankar and IDBI rulings are sometimes cited under Section 43 and sometimes under Section 43A precisely because the factual matrix engages both — the bank's negligence in protecting financial data being the Section 43A wrong. Understanding the division of labour between an intruder's liability and a custodian's liability is the key to placing any given fact-pattern correctly.

The Sunset: Repeal by the DPDP Act, 2023

Section 43A's life is now finite. The Digital Personal Data Protection Act, 2023, enacted in the wake of Puttaswamy, omits Section 43A. Section 44(2) of the DPDP Act provides for the omission of Section 43A and of clause (ob) of Section 87(2) of the IT Act (the rule-making power that underpinned the SPDI Rules), with the consequence that the SPDI Rules, 2011 will fall away. This omission is part of a phased rollout; following notification of the Digital Personal Data Protection Rules, 2025, the relevant repeal provisions are scheduled to take effect, with commentators identifying 13 May 2027 as the operative date for the Section 43A omission and the lapse of the SPDI Rules.

The shift is structural, not merely cosmetic. Section 43A's negligence-and-compensation model gives way to the DPDP Act's consent-based Data Fiduciary framework, with a Data Protection Board empowered to impose financial penalties (up to Rs 250 crore for certain breaches) rather than award compensation to individuals. The individual's private right to damages under Section 43A is, controversially, not replicated in the same form. Until the omission takes effect, however, Section 43A and the SPDI Rules remain live law — examinable, litigable, and the governing regime for breaches occurring during the transition.

Exam Takeaways and Analytical Frame

For judiciary and CLAT-PG purposes, anchor Section 43A to five points: it is a civil-liability, negligence-based provision; it applies only to a body corporate; it protects sensitive personal data or information as defined in Rule 3 of the SPDI Rules; it carries no upper compensation cap; and it is operationalised by the SPDI Rules, 2011, with ISO/IEC 27001 as the benchmark reasonable practice under Rule 8. Pair each limb with authority: Umashankar v. ICICI Bank and IDBI Bank v. Dhupia for the custodian's non-excusable security duty; Karmanya Singh Sareen for the limits of the provision against consensual data-sharing; and K.S. Puttaswamy for the constitutional backdrop that ultimately rendered Section 43A inadequate.

A favourite examiner's trap is the Section 43 / Section 43A distinction: keep “any person doing a wrongful act” (43) separate from “a body corporate negligently failing to secure sensitive data” (43A). Another is the DPDP transition: be precise that the omission of Section 43A has been enacted but has not yet taken effect, so the provision remains in force until the scheduled date, and that the compensation-to-penalty shift is a real change in remedial philosophy. For the procedural mechanics of how electronic records are dealt with under the Act, cross-read our note on attribution, acknowledgment and dispatch of electronic records.

Frequently asked questions

What does Section 43A of the IT Act, 2000 provide?

It makes a body corporate liable to pay compensation where it possesses, deals with or handles sensitive personal data in a computer resource it owns, controls or operates, and is negligent in implementing and maintaining reasonable security practices and procedures, thereby causing wrongful loss or wrongful gain to any person. There is no statutory upper limit on the compensation.

Who can be held liable under Section 43A — individuals or only companies?

Only a body corporate. The Explanation defines body corporate as any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. A purely individual wrongdoer is not caught by Section 43A, though Section 43 (which applies to any person) may apply to acts such as unauthorised access or data theft.

What counts as 'sensitive personal data or information' under Section 43A?

It is defined by Rule 3 of the SPDI Rules, 2011 and includes passwords; financial information such as bank account, card or payment-instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; and biometric information. Information freely available in the public domain or furnished under the RTI Act, 2005 is excluded.

Which leading cases applied Section 43A?

In S. Umashankar Sivasubramaniam v. ICICI Bank, an adjudicator ordered ICICI Bank to pay Rs 12.85 lakh for negligent internet-banking security after a phishing fraud, upheld by TDSAT on 10 January 2019. In IDBI Bank Ltd. v. Sudhir S. Dhupia, 2019 SCC OnLine TDSAT 226, the tribunal held that a body corporate dealing with sensitive information has a security obligation without any exception.

Is there a cap on compensation under Section 43A?

No. Section 43A sets no upper limit on compensation, unlike Section 43 before the 2008 amendment, which capped compensation at one crore rupees. Claims are adjudicated by an adjudicating officer under Section 46 (with civil-court jurisdiction for claims exceeding five crore rupees), and the quantum is fixed under Section 47 by reference to the gain made, the loss caused and the repetitive nature of the default.

Will Section 43A continue after the Digital Personal Data Protection Act, 2023?

No. Section 44(2) of the DPDP Act, 2023 omits Section 43A and clause (ob) of Section 87(2) of the IT Act, which will also cause the SPDI Rules, 2011 to lapse. The omission is part of a phased rollout, with 13 May 2027 commonly identified as the operative date. Until then, Section 43A and the SPDI Rules remain live law.