
What Is Company Liability In Case Of Data Breach?


In today’s digitized economy, information is the backbone of any modern business. Relying on multiple digital platforms and cloud-based systems, businesses collect, store, and process huge quantities of personal and sensitive data. This digital exposure raises the likelihood of cyber-threats, and data breaches have become the prime concern. The legal landscape governing data breaches in India is still evolving, with liability defined through legislation and judicial decisions.

This article discusses the various avenues through which an entity can become liable for a data breach in India, referring to the relevant laws, judgments, and recent events.


What is a Data Breach?

A data breach occurs when information meant to stay confidential is accessed or disclosed without authorization, whether by hackers, rogue insiders, or a negligent employee forwarding a confidential document.

Common Breach Triggers in Real Cases

  • Ransomware attacks on unsecured servers
  • Third-party vendor negligence
  • Staff unknowingly clicking phishing links
  • Poor password hygiene or lack of multi-factor authentication 

Which Indian Laws Relate to Data Breaches?

1. Information Technology Act, 2000

  • Section 43A: A body corporate that handles sensitive personal data and is negligent in implementing and maintaining reasonable security practices and procedures, thereby causing wrongful loss or wrongful gain to any person, is liable to pay compensation to the person affected.
  • Section 72A: Criminal penalties (imprisonment up to three years, a fine up to ₹5 lakh, or both) for disclosing personal information without consent and in breach of a lawful contract, which is how insiders and service providers who leak data are prosecuted.
  • Section 66: Criminalizes dishonest or fraudulent acts covered by Section 43, such as hacking and the destruction or alteration of data.

2. IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

These define what qualifies as sensitive personal data or information (passwords, financial information, health condition, medical records, biometric information, and sexual orientation) and set the baseline for what counts as “reasonable security practices.”


Tip from our legal practice: Rule 8 of the 2011 Rules names the ISO/IEC 27001 standard as one way of demonstrating reasonable security practices, so an audited ISO 27001 certification is commonly used to prove that such practices were in place.

3. Digital Personal Data Protection Act, 2023

This is the game-changer. Though not yet fully in force, it introduces:

  • Mandatory notification of personal data breaches to the Data Protection Board and to affected users (Data Principals)
  • Consent-based data processing, apart from specified legitimate uses
  • Penalties up to ₹250 crore per instance for failing to take reasonable security safeguards

4. Sectoral Guidelines

Regulated entities such as banks, NBFCs, insurers, and market intermediaries must also navigate the breach-disclosure norms of the RBI, IRDAI, and SEBI respectively. Each regulator has its own expectations, and failing them invites separate penalties.

Note: CERT-In (Indian Computer Emergency Response Team) also issues directions on cyber incident reporting. Its directions of April 2022, issued under Section 70B(6) of the IT Act, require entities to report cyber incidents to CERT-In within 6 hours of noticing them.

Who Is Legally Liable If a Breach Happens?

Here’s how liability plays out in post-breach legal strategy for clients.

1. Civil Liability: Compensation to Users

If negligence in security practices caused the loss, the company must compensate affected users. Under Section 43A, even indirect harm can trigger liability.

There was a case where leaked email IDs led to phishing scams. The client had to pay compensation despite no financial data leak.

2. Criminal Liability: For Wilful or Malicious Breach

If staff leak or misuse data, they can face jail under Section 72A. This includes:

  • Unauthorized sharing
  • Selling user info
  • Intentional leaks

3. Contractual Liability: Clients May Sue

Most SaaS and BPO contracts now include data indemnity clauses. We’ve helped both claimants and defendants handle such disputes after a breach.

4. Regulatory Liability: Government Fines

The DPDP Act will allow the Data Protection Board of India to impose heavy penalties, especially for failing to implement reasonable security safeguards or to notify the Board and affected users of a breach.

Landmark Cases on Data Breach

  • Puttaswamy v. Union of India (2017): Landmark privacy ruling. The Supreme Court declared the right to privacy, including informational privacy, a fundamental right under Article 21, the legal base for all data laws now.
  • Zomato Breach (2017): 17 million user accounts exposed. Even without financial data leaking, the reputational impact was massive.
  • Air India Breach (2021): Data of 45 lakh passengers leaked through a breach at a third-party service provider. It taught companies to audit vendors better.
  • TCS v. Epic Systems (U.S. case): A U.S. jury awarded Epic Systems about $940 million in damages against TCS in 2016 for misuse of trade secrets (later reduced on appeal). Even Indian companies operating abroad face strict data laws.

Hidden Challenges Most Companies Miss

  • Lack of Internal Awareness: Most staff don’t know what counts as a data leak or how to report one.
  • Proving Negligence Isn’t Easy: Cyber incidents are complex, and proving fault or wrongful intent is difficult.
  • No Class Action Option Yet: India still lacks a strong class-action mechanism through which victims of a large-scale data breach could bring a single suit.
  • Ambiguity in Legal Standards: Terms such as “reasonable security practices” are defined only loosely, which leaves room for inconsistent enforcement.

How Can Companies Prevent a Legal Disaster?

Here’s what every corporate client should do after conducting a risk audit.

  • Implement Cybersecurity Standards: Adopt ISO 27001 or SOC 2 and carry out penetration testing on a regular schedule.
  • Data Breach Action Plan: Prepare a written plan in advance covering containment, notification, and post-breach audit procedures.
  • Train Your Team: 80% of breaches we see begin with staff errors.
  • Encrypt & Anonymize: Especially for financial and health data.
  • Audit Your Vendors: Most recent breaches we handled originated from third-party flaws.
  • Prepare for DPDP Compliance: Appoint a Data Protection Officer and conduct Data Protection Impact Assessments (both mandatory for Significant Data Fiduciaries), and keep records of processing.
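The “Encrypt & Anonymize” point above is where engineering meets the legal duty of reasonable security, and the phishing-from-leaked-email-IDs scenario mentioned earlier is what weak anonymization leads to. The Python below is an added example, not code from the original article or from Lead India Law: it shows that plain hashing of email IDs is not anonymization (a leaked column of unkeyed hashes falls to a dictionary attack), and how keyed pseudonymization plus masking of identifiers reduces what a breach exposes. The record layout, sample data, candidate list and key handling (the key is generated at import time; in production it would live in a secrets manager) are assumptions for illustration.

```python
"""Pseudonymising and masking personal data before storage or sharing.

Added example, not code from the original article. Assumptions: the HMAC
key lives in a secrets manager outside the data store (generated here for
illustration), and the records, field layout and candidate list below are
constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample records: the kind of customer data a breach exposes.
SAMPLE_RECORDS = [
    {"email": "asha@example.com", "phone": "+919876543210",
     "pan": "ABCDE1234F", "city": "Pune"},
    {"email": "ravi@example.com", "phone": "+919812345678",
     "pan": "PQRSX9876L", "city": "Delhi"},
]

# Assumed to come from a KMS/vault in production; never stored beside the data.
PSEUDONYM_KEY = secrets.token_bytes(32)


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: often mistaken for anonymisation."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256: a stable join key across systems that cannot be
    reversed or brute-forced by guessing without the secret key."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def mask_phone(phone: str) -> str:
    """Keep the country code (first 3 characters) and the last 2 digits."""
    if len(phone) <= 5:
        return "*" * len(phone)
    return phone[:3] + "*" * (len(phone) - 5) + phone[-2:]


def mask_pan(pan: str) -> str:
    """Keep only the last 4 characters of a PAN-style identifier."""
    return "X" * max(len(pan) - 4, 0) + pan[-4:]


def minimise(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Produce the record a downstream system (analytics, vendor, support
    desk) actually needs: a pseudonymous subject id plus masked identifiers."""
    return {
        "subject_id": pseudonymise(record["email"], key),
        "phone": mask_phone(record["phone"]),
        "pan": mask_pan(record["pan"]),
        "city": record["city"],
    }


def dictionary_attack(hashes, candidates, hash_fn=plain_hash):
    """What an attacker does with a leaked column of hashed emails: hash a
    list of guessed addresses and look for matches. Returns {hash: email}."""
    lookup = {hash_fn(c): c for c in candidates}
    return {h: lookup[h] for h in hashes if h in lookup}


if __name__ == "__main__":
    guesses = ["asha@example.com", "ravi@example.com", "someone@example.org"]
    leaked_plain = [plain_hash(r["email"]) for r in SAMPLE_RECORDS]
    leaked_pseudo = [pseudonymise(r["email"]) for r in SAMPLE_RECORDS]
    # Plain hashes give the attacker every address in the guess list back;
    # the HMAC pseudonyms give back nothing without the key.
    print("recovered from plain hashes:", dictionary_attack(leaked_plain, guesses))
    print("recovered from HMAC pseudonyms:", dictionary_attack(leaked_pseudo, guesses))
    for r in SAMPLE_RECORDS:
        print(minimise(r))
```

The design point is that a pseudonym must depend on a secret the data store does not hold: if the key leaks together with the table, the pseudonyms are no better than plain hashes, which is why key custody (and rotation, which changes every subject id) belongs in the breach action plan rather than in the application code. Masking is a separate, non-reversible minimisation step for fields that only ever need partial display.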

Final Word

A data breach doesn’t just bring penalties; it shakes user trust. At Lead India Law, we’ve seen companies lose contracts, clients, and brand value overnight due to mishandled incidents.

The best strategy is prevention and preparation. Prepare your systems, policies, and employees so that breaches, when they occur, are handled in compliance with the law and with the least possible damage to reputation.


One can talk to a lawyer from Lead India for any kind of legal support. In India, free legal advice online can be obtained at Lead India. Along with receiving free legal advice online, one can also ask questions to the experts online free of charge through Lead India.

FAQs

1. Is appointing a Data Protection Officer under the DPDP Act a must? 

Only for Significant Data Fiduciaries: entities notified as such by the Central Government under Section 10 of the DPDP Act (based on the volume and sensitivity of the data they process, among other factors) must appoint a Data Protection Officer. Other data fiduciaries are not required to, though doing so helps demonstrate compliance.

2. When will a data breach have to be reported in India? 

Under CERT-In’s April 2022 directions, cyber incidents must be reported to CERT-In within 6 hours of noticing them. Separately, Section 8(6) of the DPDP Act requires a Data Fiduciary to intimate the Data Protection Board and each affected Data Principal of a personal data breach in the form and manner prescribed by rules; the timeline (proposed as 72 hours for the detailed report to the Board) will be fixed by those rules, which are not yet final.

3. Could liability attach upon a company if third-party vendor breaches personal data? 

If the company failed to carry out due diligence or to monitor the vendor’s data security practices, it may be held liable. Under the DPDP Act, the Data Fiduciary remains responsible for compliance even where a Data Processor handles the data on its behalf.
