The Information Technology Act 2000 (IT Act) was India's first comprehensive legislation addressing electronic commerce, digital signatures and cyber crimes. Despite being over two decades old, it remains the primary legal framework governing digital activities in India.
Key Provisions for Businesses
Section 43: Penalty for Damage to Computer Systems
Any person who, without permission, accesses a computer system, downloads from it, introduces viruses into it, or disrupts or denies access to it is liable to pay compensation up to ₹1 crore to the affected party. This section is civil in nature and does not require criminal intent.
Section 43A: Compensation for Failure to Protect Data
This is the most important provision for businesses. Any body corporate that possesses, deals with or handles sensitive personal data and is negligent in implementing reasonable security practices is liable to pay compensation to affected persons. There is no cap on liability under this section.
Section 66: Computer Related Offences
Dishonestly or fraudulently doing any act referred to in Section 43 is a criminal offence punishable with imprisonment up to 3 years and/or fine up to ₹5 lakh.
Section 66A (Struck Down)
Section 66A, which criminalised "offensive" online messages, was struck down by the Supreme Court in Shreya Singhal v. Union of India (2015) as unconstitutional.
Section 66C: Identity Theft
Using another person's electronic signature, password or unique identification feature dishonestly is punishable with imprisonment up to 3 years and fine up to ₹1 lakh.
Section 66D: Cheating by Impersonation
Cheating by impersonating another person using a computer resource is punishable with imprisonment up to 3 years and fine up to ₹1 lakh.
Section 67: Publishing Obscene Material
Publishing or transmitting obscene material in electronic form is punishable with imprisonment up to 3 years and fine up to ₹5 lakh on first conviction.
Section 69: Power to Issue Directions for Interception
The Central Government can direct interception, monitoring or decryption of information through any computer resource in the interest of national security, public order or prevention of offences.
Section 72: Breach of Confidentiality and Privacy
Any person who has secured access to electronic records, books, registers or other documents and discloses them without consent is punishable with imprisonment up to 2 years and/or fine up to ₹1 lakh.
Compliance Requirements for Businesses
Under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, businesses must:
1. Publish a privacy policy
2. Obtain consent before collecting sensitive personal data
3. Implement reasonable security practices (ISO 27001 is the prescribed standard)
4. Appoint a Grievance Officer
5. Respond to data subject requests within 30 days
CERT-In Directions 2022
The Computer Emergency Response Team of India (CERT-In) issued mandatory directions in April 2022 requiring:
- Reporting of cyber incidents within 6 hours of detection
- Maintaining logs for 180 days
- Synchronising ICT system clocks with NTP servers
- Mandatory KYC for VPN and cloud service providers
Non-compliance with CERT-In directions can result in imprisonment up to 1 year and/or fine.
Nyaya Siddhanta provides comprehensive IT Act compliance audits and advisory services. Contact our Cyber Law team for a compliance assessment.