IT Act 43A Consulting

Indian law puts significant responsibility on persons (including companies) handling sensitive personal data or information to implement reasonable security measures for protecting such information. Substantial legal liability may result if such persons are found lacking in the implementation of such measures.


Such legal liabilities, if not mitigated, may:
1. substantially affect profitability,
2. erode public confidence and
3. result in imprisonment of the officials and directors of such companies.

Direct benefits of IT Act compliance
1. Compliance with legislation
2. Increased reliability and security of systems
3. Increased profits
4. Cost-effective and consistent information security
5. Systems rationalization

Indirect benefits of section 43A compliance
1. Improved management controls
2. Better human relations
3. Improved risk management and contingency planning
4. Enhanced customer and trading partner confidence

Liabilities under Information Technology Act
The Central Government in exercise of the powers conferred by clause (ob) of subsection (2) of section 87 read with section 43A of the Information Technology Act, 2000 (21 of 2000) has defined reasonable security practices and procedures to be followed by those possessing, dealing or handling sensitive personal data or information.


Under this new law, "sensitive personal data or information of a person" means such personal information which consists of information relating to:
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.


Negligence in implementing and maintaining reasonable security practices and procedures may make a person liable to pay damages. It is interesting to note that the Information Technology Act originally capped compensation claims at Rs 1 crore under section 43. This cap has now been removed. Compensation claims up to Rs 5 crore are now handled by Adjudicating Officers, while claims above Rs 5 crore are handled by the relevant courts.


Section 72A provides for imprisonment of up to 3 years and a fine of up to Rs 5 lakh for disclosure of personal information in breach of a lawful contract.


Any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law, will not be regarded as sensitive personal data or information for the purposes of this law.


It is interesting to note that the term "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

The Information Technology Act 2000 (The Act) penalizes cyber crimes. Chapter IX provides for compensation and Chapter XI provides for imprisonment and fine for committing cyber crimes.


In this regard, it is important to note section 43 of the Act. This section imposes strict liability to pay compensation for unauthorized access, downloading or copying, introducing a virus or other malicious programs, causing damage or committing any other act which injuriously affects information stored in a computer resource, among others.