IT Act Section 43A requires Indian companies that possess, deal, or handle any sensitive personal data or information to implement "reasonable security practices and procedures." If negligent handling causes wrongful loss or gain, the company becomes liable to pay compensation to the affected person — with no fixed statutory cap defined in the Act itself. This foundational data-security obligation predates the DPDP Act 2023 by fifteen years and continues to apply alongside it today.
The IT Act 2000: India's First Digital Law
The Information Technology Act 2000 gave legal recognition to electronic commerce, digital signatures, and early cybercrime offences — but contained no corporate data-security obligations. As digital business expanded through the 2000s, that gap was addressed by the Information Technology (Amendment) Act 2008, which inserted Section 43A and its companion provisions.
The full text of the IT Act is available at indiacode.nic.in and MeitY publishes guidance at meity.gov.in.
Section 43A: Compensation for Negligence in Handling Sensitive Data
Section 43A, inserted by the 2008 Amendment, imposes a specific civil liability on body corporates — defined broadly to include companies, firms, sole proprietorships, and other associations engaged in commercial or professional activity — that deal with sensitive personal data or information.
Three elements must be present: (1) the entity is a body corporate that possesses or handles SPDI; (2) it was negligent in implementing or maintaining reasonable security practices; (3) that negligence caused wrongful loss or gain to any person. When all three are present, the aggrieved person may seek compensation from the body corporate — the quantum is determined by an Adjudicating Officer under the IT Act, with no prescribed statutory cap in Section 43A itself.
Section 72A: Wrongful Disclosure of Personal Information
Section 72A creates criminal liability for an intermediary or service provider who discloses personal information without consent and in breach of a lawful contract — covering IT vendors leaking client data or employees selling customer databases. Together, Sections 43A and 72A create a two-track framework: civil liability for the body corporate that fails to protect data, and criminal liability for individuals who disclose it.
The SPDI Rules 2011: What "Reasonable Security Practices" Actually Means
The phrase "reasonable security practices and procedures" in Section 43A was deliberately left flexible. Parliament delegated the definition to the Central Government, which exercised that power through the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, commonly called the SPDI Rules.
The SPDI Rules are the operational heart of India's pre-DPDP data-protection regime. They specify:
What Counts as Sensitive Personal Data or Information
The Rules define eight categories of SPDI that require heightened protection:
| Category | Examples |
|---|---|
| Passwords | Account credentials, PINs |
| Financial information | Bank account details, credit/debit card numbers |
| Physical, physiological, and mental health conditions | Medical records, prescriptions |
| Sexual orientation | Any data revealing sexual preference |
| Medical records and history | Test results, diagnoses, treatment history |
| Biometric information | Fingerprints, retina scans, facial recognition data |
| Details relating to the above, provided to the body corporate for providing a service | Any of the above categories supplied by a customer in the course of receiving a service |
| Information received from another body corporate | Any SPDI shared in a B2B context |
The Privacy Policy Requirement
Every body corporate that collects SPDI must publish a privacy policy on its website. The policy must state what information is collected, the purpose of collection, how it is disclosed, and reasonable security practices in place.
Consent and Purpose Limitation
SPDI may be collected only with the prior written consent of the provider, for a lawful purpose. It must not be retained longer than necessary, and it must not be transferred to a third party without consent — with a narrow exception for data processors acting under contract.
What Satisfies "Reasonable Security Practices"
This is the most practically significant aspect. Rule 8 of the SPDI Rules states that a body corporate shall be deemed to have complied with reasonable security practices if it has implemented either:
- IS/ISO/IEC 27001, the international standard for information security management systems; or
- A documented, company-specific security programme approved and notified by the Central Government.
Law Evolution: From IT Act to DPDP Act
Figure: law evolution and which law applies.
- IT Act 2000 (digital transactions and cybercrimes) → IT Amendment Act 2008 (inserts Sections 43A and 72A) → SPDI Rules 2011 (defines SPDI and reasonable security practices) → DPDP Act 2023 (digital personal data protection).
- Sensitive personal data (health, financial, biometrics): SPDI Rules 2011 and Section 43A.
- General digital personal data (name, email, address, identifiers): DPDP Act 2023.
- Computer offences (hacking, unauthorized access, fraud): IT Act Sections 43, 66, 66C, 66D.
- Employee disclosure breach: Section 72A applies (criminal track).
Key Obligations at a Glance
Figure: Section 43A compliance obligations by relative implementation effort (scale 0 to 10).
| Obligation | Relative implementation effort |
|---|---|
| Privacy Policy | 3 |
| Consent Mechanism | 4 |
| Data Inventory | 5 |
| Security Programme | 6 |
| ISO 27001 | 9 |
| Incident Response | 7 |
| Vendor Contracts | 5 |
| Audit Trail | 6 |
How the IT Act Coexists with the DPDP Act 2023
A common misconception is that the DPDP Act 2023 replaced or superseded the IT Act. It did not. Both statutes are in force simultaneously, and they regulate overlapping but distinct spaces.
The DPDP Act 2023 focuses on digital personal data in digital form. It introduces consent and data-principal rights, creates the Data Protection Board of India, and prescribes significant financial penalties for breaches. MeitY has published the Act and FAQs at meity.gov.in.
The IT Act and SPDI Rules remain in force alongside the DPDP Act for four reasons:
- SPDI Rules define sensitive-data categories that overlap with but are not identical to the DPDP Act's definitions — both must be read together until the SPDI Rules are formally amended.
- Cybercrime provisions (Sections 43, 66, 66B–D) remain the primary criminal law for hacking, identity theft, and fraud — unaffected by the DPDP Act.
- Section 72A criminal liability for wrongful disclosure by intermediaries continues unchanged.
- Section 43A civil compensation (via Adjudicating Officer) and DPDP Act penalties (via Data Protection Board) are separate proceedings with separate remedies.
Practical Obligations for Indian Companies
If you collect any of the eight SPDI categories, here is your minimum compliance checklist under Section 43A and the SPDI Rules:
| Obligation | What It Requires | Risk if Missing |
|---|---|---|
| Privacy Policy | Published on website; cover collection purpose, disclosure, security measures | Section 43A civil liability |
| Prior Written Consent | Explicit consent before collecting SPDI; cannot be bundled into T&Cs | Compensation claim |
| Purpose Limitation | Collect only what is needed; delete after purpose is fulfilled | Compensation + reputational risk |
| Data Processor Contracts | Vendors handling SPDI must be contractually bound to the same standards | Section 72A exposure |
| Reasonable Security Programme | ISO 27001 or documented approved programme covering CIA triad | Core Section 43A negligence test |
| Grievance Officer | Named individual with published contact; must respond within one month | Regulatory non-compliance |
| Incident Response | Identify, contain, and report breaches; feeds CERT-In reporting obligations | Compounded exposure |
| No Cross-border Transfer Without Consent | SPDI cannot go to foreign entities without consent or equivalent protection | SPDI Rule 7 liability |
The Role of VAPT in Section 43A Compliance
Under the SPDI Rules, a documented, regularly tested security programme is a legal requirement, not merely a best practice. VAPT forms a core component because it provides evidence of active security testing (directly relevant to the "reasonable security practices" standard), generates remediation-driving findings, and supports ISO 27001 Annex A controls (A.12.6 technical vulnerability management, A.18.2 information security reviews). A company with documented VAPT reports and evidence of remediation is in a materially stronger legal position if a Section 43A claim arises.
Bachao.AI, built by Dhisattva AI Pvt Ltd, provides automated VAPT for Indian businesses through its platform. You can book a free VAPT scan to understand your current exposure under these obligations.
For further reading on how the DPDP Act 2023 interacts with these obligations, see our DPDP compliance guide and the rest of the Bachao.AI blog.