Chapter IX of the Information Technology Act, 2000 is the statute's civil engine. While the offences in Chapter XI (Sections 65-74) carry imprisonment and require proof of dishonest or fraudulent intent, Sections 43 to 47 create a parallel, no-fault regime of penalties and compensation enforced not by a magistrate but by a designated executive officer sitting in a quasi-judicial capacity. For judiciary and CLAT-PG aspirants this cluster is examined relentlessly because it tests three distinct ideas at once: strict civil liability for damage to a computer resource, the special data-protection liability of bodies corporate under Section 43A, and the unusual adjudicatory machinery that decides these claims outside the ordinary civil courts. This chapter maps each provision against the bare text and the leading adjudications, including the phishing cases that turned Section 43 from theory into hard money.
The Scheme of Chapter IX: Penalties, Compensation and Adjudication
Sections 43 to 47 form the core of Chapter IX of the Information Technology Act, 2000, titled "Penalties, Compensation and Adjudication" (the words "Compensation" and "Adjudication" were inserted by the Information Technology (Amendment) Act, 2008). The chapter does two things. First, it identifies a catalogue of wrongful acts done to a computer, computer system or computer network and attaches a civil consequence to them. Second, it builds an adjudicatory machinery — the adjudicating officer under Section 46 — to hear these claims and award money. The critical exam point is that this is a civil scheme: it operates on the standard of preponderance of probabilities, it does not require proof of mens rea, and the remedy is compensation and penalty, not imprisonment.
This distinguishes Chapter IX from Chapter XI. The same factual conduct — say, unauthorised downloading of data — may simultaneously attract civil liability under Section 43 and criminal liability under Section 66, but Section 66 only bites where the act is done "dishonestly or fraudulently" within the meaning of Sections 24 and 25 of the Indian Penal Code (now the Bharatiya Nyaya Sanhita). Section 43 has no such requirement. A candidate must be able to articulate that the IT Act deliberately offers a victim a quicker, evidence-light civil track that runs alongside, and independent of, the criminal track. To place this chapter in context, read it after the introduction to the Act and the definitions chapter, because every operative word — "computer", "computer resource", "data", "information" — carries the meaning assigned in Section 2.
Section 43: Penalty and Compensation for Damage to Computer, Computer System, etc.
Section 43 is the heart of the civil regime. It opens: "If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network" does any of the enumerated acts, "he shall be liable to pay damages by way of compensation to the person so affected." The marginal note, after the 2008 amendment, reads "Penalty and compensation for damage to computer, computer system, etc." The two operative ingredients are therefore (i) absence of permission and (ii) commission of a listed act. Notably, the section says nothing about intention; liability is strict.
The enumerated acts are: (a) accesses or secures access to such computer resource; (b) downloads, copies or extracts any data, computer database or information; (c) introduces or causes to be introduced any computer contaminant or computer virus; (d) damages or causes to be damaged any computer, system, network, data, database or programmes; (e) disrupts or causes disruption; (f) denies or causes the denial of access to any person authorised to access (a denial-of-service style act); (g) provides assistance to any person to facilitate access in contravention of the Act; and (h) charges the services availed of by a person to the account of another by tampering with or manipulating the computer resource. Clauses (i) and (j) were inserted by the 2008 amendment: (i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means; and (j) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage. Only clause (j) carries an intention element; the rest are strict.
The Explanation to Section 43: Defining Contaminant, Virus, Damage and Source Code
The Explanation appended to Section 43 supplies four definitions that frequently surface in objective questions. "Computer contaminant" means any set of computer instructions designed to modify, destroy, record or transmit data or programme residing within a computer resource, or by any means to usurp the normal operation of the computer resource. "Computer database" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio or video that is being prepared or has been prepared in a formalised manner and is intended for use in a computer resource. "Computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed. "Damage" means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.
The Explanation was supplemented in 2008 to add the definition of "computer source code" — the listing of programmes, computer commands, design and layout and programme analysis of a computer resource in any form — so as to anchor the new clause (j). Examiners often test the distinction between a "contaminant" (any malicious instruction set, including spyware that merely records or transmits) and a "virus" (which must destroy, damage or degrade performance or self-replicate). A worm that records keystrokes and exfiltrates them without degrading performance is a contaminant but may not satisfy the narrower virus definition.
No Mens Rea: Strict Liability and the Removal of the Rs 1 Crore Cap
Two features make Section 43 distinctive. First, liability is strict. Unlike Section 66, which imports "dishonestly or fraudulently", Section 43 imposes liability the moment an unauthorised listed act is established, irrespective of motive. The wrongdoer's good faith or absence of fault is no defence to the civil claim, although it may bear on the quantum under Section 47. This is why the section is a workhorse for victims of phishing, account siphoning and data theft, who can recover without proving the criminal threshold.
Second, in its original 2000 form Section 43 capped the compensation payable to "the person so affected" at "one crore rupees". The Information Technology (Amendment) Act, 2008 deleted that ceiling, so that Section 43 now reads simply "liable to pay damages by way of compensation to the person so affected" with no statutory upper limit on the section itself. The monetary boundary today is jurisdictional rather than substantive: it is found in Section 46, which fixes the adjudicating officer's pecuniary competence at claims not exceeding Rs 5 crore. A claim above that figure must go to a civil court. Candidates frequently confuse the deleted Section 43 cap with the surviving Section 46 jurisdictional ceiling; keep the two firmly apart.
Section 43A: Compensation for Failure to Protect Sensitive Personal Data
Section 43A, inserted by the 2008 amendment and in force from 27 October 2009, is India's first statutory data-protection liability and remains heavily examined. It provides that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. Crucially, the original 2008 text once again contained no cap on the compensation, marking a deliberate legislative choice to leave large data-breach awards possible.
The section turns on three defined ideas. "Body corporate" is explained to include any company, firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. "Reasonable security practices and procedures" means practices designed to protect information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement, or in law, or prescribed by the Central Government — operationalised through the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which recognise the IS/ISO/IEC 27001 standard. "Sensitive personal data or information" is left to be prescribed and includes passwords, financial information, health and biometric data. Section 43A liability is therefore fault-based (it requires negligence), unlike the strict liability of Section 43 — a contrast worth memorising. The 2011 Rules and Section 43A have now been overtaken in part by the Digital Personal Data Protection Act, 2023, but for IT Act syllabi the Section 43A framework remains live.
Sections 44 and 45: Penalty for Non-Compliance and the Residuary Penalty
Section 44 penalises failures of compliance owed to the Controller or the Certifying Authority. If a person required to furnish any document, return or report fails to do so, he is liable to a penalty not exceeding Rs 1,50,000 for each such failure. If a person fails to file any return or furnish information, books or other documents within the prescribed time, he is liable to a penalty not exceeding Rs 5,000 for every day during which the failure continues. And if a person fails to maintain books of account or records, he is liable to a penalty not exceeding Rs 10,000 for every day during which the failure continues. These are regulatory penalties aimed at the digital-signature and certifying-authority ecosystem, and they connect to the machinery discussed in the digital and electronic signatures chapter.
Section 45 is the residuary provision. It states that whoever contravenes any rules or regulations made under the Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding Rs 25,000 to the person affected by such contravention or a penalty not exceeding Rs 25,000. It functions as a catch-all so that no breach of the subordinate legislation escapes a civil consequence merely because the rule-maker did not specify one. In exams, Section 45 is the answer whenever a contravention of a rule or regulation has no bespoke penalty elsewhere in the Act.
Section 46: Power to Adjudicate and the Adjudicating Officer
Section 46 creates the forum. Sub-section (1) empowers the Central Government to appoint, by notification, an officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government as the adjudicating officer to hold an inquiry into any contravention of the Act, rules, directions or orders for which compensation or penalty is provided. In practice the Secretary, Department of Information Technology, of each State has been notified as the adjudicating officer for that State. The officer must give the person alleged to have committed the contravention a reasonable opportunity of making a representation, and if, on such inquiry, he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the Act.
Sub-section (1A), inserted in 2008, fixes the pecuniary jurisdiction: the adjudicating officer adjudicates contraventions where the claim for injury or damage does not exceed Rs 5 crore; beyond that figure, jurisdiction vests in the competent civil court. Sub-section (3) prescribes the qualifications — the adjudicating officer must possess such experience in the field of information technology and such legal or judicial experience as may be prescribed. Sub-sections (4) and (5) give the officer the procedural attributes of a quasi-judicial authority: in conducting the inquiry he follows a prescribed procedure and, importantly, every adjudicating officer is deemed to be a civil court for the purposes of specified provisions of the Code of Criminal Procedure and is vested with the powers of a civil court conferred on the Cyber Appellate Tribunal under Section 58(2), so that his proceedings are judicial proceedings within the meaning of Sections 193 and 228 IPC. Read this section together with the electronic governance framework, since the same officials often administer both.
Section 47: Factors the Adjudicating Officer Must Weigh
Section 47 structures the discretion conferred by Section 46. It provides that while adjudging the quantum of compensation under Chapter IX, the adjudicating officer shall have due regard to the following factors: (a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; (b) the amount of loss caused to any person as a result of the default; and (c) the repetitive nature of the default. These three statutory factors convert what could be an arbitrary award into a reasoned, proportionate exercise.
The structure mirrors the well-known disgorgement-plus-loss logic found in regulatory statutes: the officer looks both at what the wrongdoer gained and at what the victim lost, and then aggravates for repeat conduct. Because the factors are mandatory ("shall have due regard"), an award that ignores them — for instance, one that fixes a round figure without reference to the victim's actual loss or the defendant's gain — is vulnerable on appeal to the Tribunal for non-application of mind. Examiners like to ask candidates to list these three factors verbatim, so they should be committed to memory. Section 47 governs only the quantum; liability itself is decided under the substantive sections (43, 43A, 44, 45).
The Phishing Benchmark: Umashankar Sivasubramanian v. ICICI Bank
The single most cited adjudication under this chapter is Umashankar Sivasubramanian v. ICICI Bank. In September 2007 the complainant received an email purporting to come from ICICI Bank asking him to confirm his internet-banking credentials; after he responded, roughly Rs 6.46 lakh was siphoned from his account. He filed a complaint before the adjudicating officer for Tamil Nadu (the State IT Secretary), who in April 2010 held the bank liable under Section 43 for the unauthorised access to and manipulation of the complainant's account, finding that the bank had failed to put in place a foolproof internet-banking system with adequate authentication and validation. The officer directed ICICI Bank to pay Rs 12.85 lakh in compensation.
The bank appealed. On the appellate side, the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), exercising the jurisdiction of the erstwhile Cyber Appellate Tribunal, upheld the adjudicator's finding in its January 2019 decision, confirming that the bank bore responsibility for the loss. The case is doctrinally important for three reasons: it established that a victim of phishing can recover under Section 43 even where the immediate fraudster is untraced, that a financial institution operating a computer resource owes a duty in respect of unauthorised access through its systems, and that the adjudicatory machinery of Sections 46-47 can deliver real compensation. It is the leading authority students should cite for the proposition that Section 43 has teeth in the banking context.
Sharing the Loss: Poona Auto Ancillaries v. Punjab National Bank
The principle of apportioning liability between a careless customer and a negligent bank is illustrated by Poona Auto Ancillaries Pvt. Ltd. v. Punjab National Bank, adjudicated by the Maharashtra adjudicating officer (the State IT Secretary) in 2013. The complainant's managing director responded to a phishing email, after which approximately Rs 80.10 lakh was fraudulently transferred out of the company's PNB account. The adjudicating officer found that, although the complainant had contributed to the loss by replying to the fraudulent email, the bank had been negligent in failing to run adequate security checks against the mule accounts opened to receive the siphoned funds. He awarded compensation of about Rs 45 lakh, expressly apportioning the loss to reflect the complainant's contributory negligence while holding the bank substantially liable.
The decision is valuable because it demonstrates Section 47 in action: the officer weighed the loss caused, the bank's failure, and the complainant's own conduct in fixing the figure. It is also the standard authority for the proposition that customer contributory negligence reduces but does not extinguish a bank's liability where the bank's own security controls were deficient. Together with Umashankar, it forms the phishing pair that almost always appears in answer scripts on this chapter.
Section 43A in the Tribunal: The IDBI Bank Data-Security Ruling
Section 43A received authoritative appellate treatment in the TDSAT decision holding IDBI Bank liable for violation of Section 43A. The Tribunal held that a corporate entity dealing with sensitive personal information or data carries an obligation to implement and maintain reasonable security practices and procedures, and that this obligation operates "without any exception". The ruling is significant because it confirms that Section 43A imposes an affirmative, non-delegable data-security duty on bodies corporate handling sensitive personal data, and that breach of that duty sounds in compensation before the adjudicatory machinery and the Tribunal.
For exam purposes the case anchors three points: first, that Section 43A liability is distinct from Section 43 in being predicated on negligence in maintaining reasonable security practices rather than on a specific unauthorised act; second, that the duty extends to any body corporate that "owns, controls or operates" the computer resource holding the data; and third, that the appellate tier (TDSAT, which absorbed the Cyber Appellate Tribunal's functions in 2017) will enforce the duty strictly against institutions. The decision is best learned alongside the 2011 Reasonable Security Practices Rules, which supply the content of the duty.
Phishing Declared Unlawful: NASSCOM v. Ajay Sood
Although it arose on the civil side of a High Court rather than before an adjudicating officer, National Association of Software and Service Companies (NASSCOM) v. Ajay Sood (Delhi High Court, 2005) is the foundational Indian authority on phishing and is routinely cited in this chapter. The defendants, running a placement agency, sent emails masquerading as NASSCOM to extract personal data from job-seekers. The Court held that phishing — pretending to be a legitimate entity such as a bank to extract personal data like access codes and passwords — is an illegal act, and granted an injunction along with recovery of damages, treating the conduct as falling within the kind of unauthorised access contemplated by Section 43(a) of the IT Act.
The decision matters because it judicially defined "phishing" for Indian law and confirmed that the act of unauthorised access and data extraction is actionable, supplying the conceptual bridge between the bare clauses of Section 43 and the later banking adjudications in Umashankar and Poona Auto. It also illustrates that the same conduct can attract a civil suit, the IT Act's adjudicatory remedy, and criminal prosecution under Section 66 and the penal code simultaneously — the multi-track character of computer wrongs that this chapter repeatedly emphasises.
Appeals and the Bar on Civil Courts: Sections 57, 58 and 61
An order of the adjudicating officer is not final. Under Section 57, any person aggrieved by an order made by the Controller or by an adjudicating officer may prefer an appeal to the Appellate Tribunal having jurisdiction, ordinarily within forty-five days. The Appellate Tribunal — originally the Cyber Appellate Tribunal under Section 48 — was merged into the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) by the Finance Act, 2017, so appeals from adjudicating officers now lie to TDSAT. Section 58 frees the Tribunal from the rigours of the Code of Civil Procedure while clothing it with the essential powers of a civil court (summoning witnesses, requiring discovery, receiving evidence on affidavit), and Section 62 provides a further appeal to the High Court on a question of fact or law.
Section 61 completes the architecture by ousting the ordinary civil courts. It provides that no court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer or the Appellate Tribunal is empowered to determine, and that no injunction shall be granted in respect of any action taken or to be taken under the Act. The bar is not absolute: read with the Rs 5 crore pecuniary ceiling in Section 46(1A), a claim exceeding that limit falls outside the adjudicating officer's competence and may proceed in a civil court. This jurisdictional map — adjudicating officer up to Rs 5 crore, civil court beyond, appeal to TDSAT, further appeal to the High Court, and a statutory bar in between — is a favourite of examiners. For the foundational concepts underpinning these electronic-record disputes, revisit the Information Technology Act hub and the chapter on secure electronic records and signatures.
Exam Strategy: How Sections 43-47 Are Tested
For prelims, lock down the numbers: Section 43 has no monetary cap after 2008; the adjudicating officer's pecuniary jurisdiction is Rs 5 crore (Section 46(1A)); the Section 44 penalties are Rs 1,50,000 per failure, Rs 5,000 per day for a continuing failure to file, and Rs 10,000 per day for failure to maintain books; and Section 45's residuary penalty is Rs 25,000. The minimum rank for an adjudicating officer is Director to the Government of India or an equivalent State officer. The three Section 47 factors — unfair gain, loss caused, and repetitive nature of the default — should be reproducible verbatim.
For mains, the high-value distinctions are: strict liability under Section 43 versus negligence-based liability under Section 43A; civil compensation under Chapter IX versus criminal punishment under Section 66 (which adds the "dishonestly or fraudulently" element); and the adjudicatory forum (adjudicating officer) versus the ordinary criminal or civil courts, with the Section 61 bar and the Section 57 appeal to TDSAT. Tie the doctrine to authority — Umashankar v. ICICI Bank for banking phishing under Section 43, Poona Auto Ancillaries v. PNB for contributory negligence and apportionment, the IDBI Bank ruling for the Section 43A data-security duty, and NASSCOM v. Ajay Sood for the judicial definition of phishing. A candidate who can move cleanly from bare text to the leading adjudications will score on any question this chapter throws up.
Frequently asked questions
Does Section 43 of the IT Act require proof of dishonest or fraudulent intent?
No. Section 43 imposes strict civil liability. Once it is shown that a person, without permission of the owner or person in charge, did one of the listed acts (such as accessing, downloading, damaging, disrupting or denying access to a computer resource), liability to pay compensation follows regardless of intent. Only clause (j), concerning computer source code, contains an intention element. The "dishonestly or fraudulently" requirement belongs to the criminal provision, Section 66, not to Section 43.
What is the maximum compensation an adjudicating officer can award under the IT Act?
The original Rs 1 crore cap in Section 43 was deleted by the 2008 amendment, so Section 43 itself no longer caps compensation. The operative limit is jurisdictional: under Section 46(1A) the adjudicating officer can adjudicate claims for injury or damage that do not exceed Rs 5 crore. A claim above Rs 5 crore must be filed in the competent civil court rather than before the adjudicating officer.
How does Section 43A differ from Section 43?
Section 43 imposes strict, no-fault liability on any person who does a listed unauthorised act to a computer resource. Section 43A, inserted in 2008, imposes liability only on a body corporate, and only where it is negligent in implementing and maintaining reasonable security practices and procedures while handling sensitive personal data, thereby causing wrongful loss or gain. Section 43A is therefore fault-based (it requires negligence) and was confirmed as a strict data-security obligation in the TDSAT ruling against IDBI Bank.
Who can be appointed an adjudicating officer under Section 46?
Under Section 46(1) the Central Government may appoint, by notification, an officer not below the rank of Director to the Government of India or an equivalent officer of a State Government. Section 46(3) further requires that the officer possess such experience in the field of information technology and such legal or judicial experience as may be prescribed. In practice the State IT Secretaries have been notified as adjudicating officers, as in the Umashankar and Poona Auto adjudications.
What factors must the adjudicating officer consider when fixing compensation?
Section 47 lists three mandatory factors: (a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; (b) the amount of loss caused to any person as a result of the default; and (c) the repetitive nature of the default. Because the section says the officer "shall have due regard" to these, an award that ignores them is open to challenge on appeal for non-application of mind. Section 47 governs only the quantum, not the question of liability.
Can a victim go to a civil court instead of the adjudicating officer, and where do appeals lie?
Section 61 bars the ordinary civil courts from entertaining any matter that an adjudicating officer or the Appellate Tribunal is empowered to decide, so within the Rs 5 crore limit the adjudicating officer has exclusive jurisdiction; only claims exceeding that ceiling go to a civil court. An order of the adjudicating officer is appealable under Section 57 to the Appellate Tribunal, whose functions were merged into TDSAT by the Finance Act, 2017, with a further appeal to the High Court under Section 62.