India

Can I claim compensation for data breach under IT Act?

Max penalty per breach: ₹5,000/cr
Relevant provision: Section 43A
IT Act year: 2000
Liable entity: Body corporate

The Short Answer

Yes, you can claim compensation for a data breach under Section 43A of the IT Act, 2000, if a body corporate fails to protect sensitive personal data and causes wrongful loss or gain.

What the Law Says

The Information Technology Act, 2000 provides a statutory right to compensation for individuals affected by negligent data handling by companies.

Section 43A of the IT Act, 2000 imposes liability on a 'body corporate' — such as a company, firm, or LLP — that possesses, deals with, or handles 'sensitive personal data or information' (SPDI) and is negligent in implementing reasonable security practices. If this negligence causes wrongful loss or wrongful gain to any person, the body corporate is liable to pay compensation.

The law defines 'reasonable security practices' by reference to standards like ISO/IEC 27001 or those specified in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Compensation is determined by the adjudicating officer appointed under the IT Act.

There is no fixed upper limit on compensation under Section 43A — it is based on actual loss suffered. However, adjudicating officers typically consider factors like nature of data, extent of misuse, duration of exposure, and efforts made to mitigate harm.

Statutory Text

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Information Technology Act, 2000, s. 43A — Compensation for failure to protect data

What to Do

1. Confirm the breach involved 'sensitive personal data or information' (e.g., passwords, financial info, biometrics, health data).

2. Gather evidence: screenshots, emails, logs, or communications showing negligence and resulting loss.

3. File a complaint with the Adjudicating Officer (appointed by the Central Government) under Section 43A — no court fee required.

4. Alternatively, approach the Consumer Disputes Redressal Commission if the data breach arose from deficient service (e.g., banking, telecom).

5. Consider filing an FIR under Section 66 of the IT Act if the breach involved hacking or identity theft.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.