Status
In Force

Information Technology Act 2000 — Section 43A (Reasonable Security Practices)

Also known as: IT Act S.43A (India)

Section 43A of India's IT Act requires a body corporate that possesses, deals with or handles sensitive personal data or information to implement and maintain reasonable security practices and procedures. Negligence in doing so that causes wrongful loss or wrongful gain to any person makes the body corporate liable to pay damages by way of compensation to the person affected; liability is civil and turns on negligence, not on the mere fact that a breach occurred.

Jurisdiction
India
Regulator
Effective
10/27/2009
Sector
All sectors handling sensitive personal data

Full Text / Summary

India's Information Technology Act 2000, Section 43A (inserted by the Information Technology (Amendment) Act 2008), establishes civil liability for a body corporate that handles sensitive personal data and fails to implement reasonable security practices. Where a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, it is liable to pay damages by way of compensation to the person affected. Because the trigger is negligence rather than the breach itself, a documented and audited security programme is the body corporate's primary defence.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) implement Section 43A. They define sensitive personal data or information (passwords; financial information such as bank account and payment card details; physical, physiological and mental health condition; sexual orientation; medical records and history; and biometric information), set consent, purpose-limitation and disclosure requirements for collecting and sharing it, and specify what counts as reasonable security practices: a comprehensively documented information security programme with managerial, technical, operational and physical controls commensurate with the information assets being protected. ISO/IEC 27001 is named as one standard whose implementation is deemed compliant, subject to audit by a government-approved auditor at least once a year or after any significant upgrade of processes or computer resources.

India's Digital Personal Data Protection Act 2023 (DPDPA) significantly updates this framework. It requires a data fiduciary to notify the Data Protection Board and each affected data principal of a personal data breach in the form and manner prescribed by rules, and it empowers the Board to impose monetary penalties of up to INR 250 crore per instance for significant violations, including failure to take reasonable security safeguards to prevent a breach. The DPDPA also provides for Section 43A to be omitted from the IT Act; until the relevant DPDPA provisions are brought into force by notification, Section 43A and the SPDI Rules remain the operative regime.