The first hint usually comes from a stranger. A spam call where the caller already knows your full name, your bank, and the last four digits of your card. A WhatsApp message in your name asking for money — but you didn't send it. A login attempt from a country you've never visited. Then you check the news and see it: the dating app you used briefly, the food delivery service you signed up to, the small lender you applied to once — they have been breached. Your KYC, your Aadhaar number, your phone, your email, possibly your selfie verification — all sitting on a website where anyone can pay forty dollars and download it. You did everything right. They did not. And now you are the one paying for it in spam, sleepless nights, and a creeping suspicion that someone, somewhere, is preparing to use your identity for something worse.

This article is about a specific question: can the company that leaked your data be made to pay? The answer, under Indian law, is yes — and the path is older and clearer than most people realise. Read on for the law, the procedure, the realistic numbers, and what to do this week.

Why a Data Leak Hurts More Than People Realise

A data breach is not a one-time event for the victim. It is a slow, recurring tax. Once your sensitive information is in the wild, it is bought and sold across multiple criminal markets. Years after the original leak you may still be receiving phishing attempts crafted with the leaked data. You may be denied a loan because a criminal opened a credit line in your name. Your friends and family may be targeted because the leak revealed your social graph.

The Indian legislature understood this back in 2008, when the IT Act was amended to insert Section 43A. The provision came into effect on 27 October 2009 and was, in its original form, capped at Rs 5 crore in compensation. The amended Act removed even that cap. Today, Section 43A provides for unlimited damages by way of compensation when a company is negligent with your sensitive data. That is a serious right, and most Indians have no idea it exists.

Section 43A — The Law That Makes Companies Pay

Section 43A of the IT Act is short, but every word does work. The full text:

"Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected."

Eight elements have to be present. The body corporate must (1) possess, deal with, or handle (2) sensitive personal data or information (3) in a computer resource (4) which it owns, controls or operates. It must (5) be required to implement and maintain reasonable security practices and procedures and (6) be negligent in doing so. As a result, (7) wrongful loss must be caused to a person, or (8) wrongful gain to any person or itself.

What is striking about Section 43A is what it does not require. It does not require dishonest intent. It does not require a hack. It does not require the data to be misused — only that a wrongful loss or gain results. It does not require you to prove a contract. The bar is lower than ordinary tort negligence in many ways, and the court has a statutory anchor for awarding damages.

It is also worth noting what Section 43A is not. It is the civil compensation provision; the criminal cousin is Section 72A (covered later). The two run on parallel tracks and a victim can pursue both.

What Counts as Sensitive Personal Data?

The IT Act itself does not define "sensitive personal data or information" — it leaves that to the Rules. The relevant Rules are the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Rule 3 lists what qualifies:

  • Passwords — including, by extension, usernames, security questions and answers
  • Financial information — bank account, credit card, debit card or other payment instrument details
  • Physical, physiological and mental health condition
  • Sexual orientation
  • Medical records and history
  • Biometric information — including iris and retina scans, thumb impressions, and any data collected in connection with biometrics
  • Any detail relating to the above that is provided to a body corporate for service
  • Any of the above received by the body corporate under contract or otherwise

Notice how broad this is. A leaked password is sensitive data. So is a leaked Aadhaar (because of the biometric link), a leaked KYC photograph, a leaked health insurance form, a leaked bank statement. Even details about a person's sexual orientation explicitly qualify — a serious matter for dating apps, support apps, and discreet services. The Rules also note an important exception: information that is already freely available in the public domain or furnished under the Right to Information Act is not "sensitive" for these purposes.

If your leaked data falls in any of these buckets, you are inside the protection of Section 43A.

What Does "Reasonable Security Practices" Even Mean?

Section 43A's Explanation defines "reasonable security practices and procedures" as security practices and procedures designed to protect information from unauthorised access, damage, use, modification, disclosure or impairment. The standard can be set by:

  1. An agreement between the parties — meaning the privacy policy or terms of service the company itself published
  2. Any law for the time being in force — banking regulations, telecom KYC rules, sectoral data security mandates
  3. Where neither applies, what the Central Government prescribes — and the Government has accepted internationally recognised standards like ISO 27001 as evidence of reasonableness

So when a company says "we follow industry-standard security," that promise becomes evidence the court can use against them. A company that promised encryption and stored data in plain text is negligent. A company that promised two-factor authentication and didn't enforce it is negligent. A company that did not patch a known vulnerability for which a patch was publicly available is negligent. A company whose admin panel had a default password is negligent. The list is long.

Importantly, the burden of demonstrating that reasonable security practices were maintained falls on the body corporate. The victim does not have to be a security engineer to prove negligence. The victim shows the leak; the company has to show what it did to prevent it.

How Much Compensation Can I Actually Get?

Honest answer first: it depends on your demonstrated loss, the gain to others, and the seriousness of the negligence. The law does not impose a ceiling. The original draft of Section 43A had a Rs 5 crore cap; the Parliamentary Standing Committee actually wanted Rs 25 crore. In the final amendment, the cap was removed entirely, and damages by way of compensation are now unlimited.

That said, here are the practical brackets observed in proceedings:

  • Up to Rs 5 crore — heard by the Adjudicating Officer of the State (under Section 46(1A) of the IT Act). Most individual claims fit here.
  • Above Rs 5 crore — heard by the competent civil court. Typically for organisational claimants, large institutional losses, or class-style claims aggregating multiple victims.

Section 47 of the IT Act guides the quantum. The Adjudicating Officer must consider the amount of gain or unfair advantage (wherever quantifiable) made as a result of the default, the amount of loss caused to any person, and the repetitive nature of the default. So a data leak that was the company's first security mishap will see lower damages than one where the company had been warned earlier and did nothing.

Real-world losses to plead include direct financial losses (fraudulent debits, account takeovers, ransom paid), expenses incurred to mitigate the breach (credit monitoring, identity protection services, legal fees, time spent), and non-pecuniary losses (mental anguish, reputational damage, anxiety) — the Supreme Court in Dr Vimla v. Delhi Administration has acknowledged that injury includes non-economic harm.

Where Do I File and How Does It Work?

Section 46 of the IT Act creates the post of Adjudicating Officer. The Central Government has notified that the Information Technology Secretary of each State serves as Adjudicating Officer. The Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 govern how the proceedings work.

The mechanics:

  1. Your lawyer drafts an application explaining the breach, your status as a customer/user, the negligence, and the loss claimed. Documentary evidence is annexed.
  2. The Adjudicating Officer issues notice to the body corporate. The company files a reply.
  3. Both sides file evidence with Section 65B certificates for electronic records — see our guide to preserving digital evidence properly.
  4. The Officer holds an enquiry. Witnesses can be examined.
  5. An order is passed. If the body corporate is found liable, damages are awarded.
  6. Either party may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT, which absorbed the earlier Cyber Appellate Tribunal), and then onward to the High Court and Supreme Court.
  7. An unpaid award can be recovered as arrears of land revenue under Section 64 of the IT Act.

The 2003 Rules say each application should be heard within four months and finished within six. The reality, as flagged by the Parliamentary Standing Committee, is that adjournments are routine. Plan for 12 to 24 months for a contested proceeding. Settlements happen sooner — many companies prefer a quiet settlement to a public adjudication.

Critically, Section 61 of the IT Act bars civil courts from entertaining matters that the Adjudicating Officer is empowered to decide. So you cannot bypass the Adjudicating Officer for claims within Rs 5 crore — that forum is mandatory.

What Should I Actually Do Now?

  1. Confirm the breach. Save news reports, the company's breach notification, the leak forum post, screenshots of your own data on the leak. Date-stamp everything.
  2. Lock down your accounts. Change passwords, enable two-factor authentication, freeze your CIBIL credit if Aadhaar or KYC was leaked, watch your bank for suspicious activity.
  3. Document your relationship with the company. Save welcome emails, app screenshots, KYC submissions, payment records. You need to be able to show you were a user.
  4. Track every loss carefully. Bank fraud, time spent, money spent on credit monitoring, replacement of cards, lost work hours — all of it. Keep a running log.
  5. Send the company a written notice. Demand information on what was leaked, the security measures in place, and compensation. Companies that ignore this notice strengthen your negligence case.
  6. File a complaint at cybercrime.gov.in if criminal misuse of your data has begun (phishing, identity fraud, fake accounts in your name).
  7. Preserve all electronic evidence with Section 65B compliance. The Supreme Court in Anvar P.V. v. P.K. Basheer made the certificate mandatory.
  8. Look for other affected users — coordinated complaints carry more weight before an Adjudicating Officer than isolated individual ones.
  9. Consult a cyber lawyer for an opinion on whether your case is worth pursuing, what forum applies, and what realistic relief looks like.
  10. File the application before the Adjudicating Officer or, if loss exceeds Rs 5 crore, the competent civil court. Your lawyer will handle drafting and representation.

Section 72A and the Criminal Side of a Leak

Section 43A is civil. Section 72A is criminal. The provision punishes any person — including an intermediary — who, while providing services under a lawful contract, has secured access to material containing personal information about another person, and who then discloses that material without consent or in breach of contract, with intent to cause or knowing it likely to cause wrongful loss or gain. Punishment is imprisonment up to three years or fine up to five lakh rupees, or both.

So if a specific employee, vendor or call-centre operator wrongfully shared your data, a Section 72A FIR is possible. Section 72A is broader than Section 43A in one sense: it covers personal information generally, not only "sensitive" personal data. It is narrower in another: it requires conscious wrongdoing by the disclosing person, while Section 43A only needs negligence by the body corporate.

Section 85 of the IT Act is also worth knowing. It says that if an offence under the IT Act is committed by a company, every person who at the time was in charge of and responsible to the company for the conduct of its business is guilty of the offence and liable to be punished. So directors and senior managers cannot hide behind the corporate veil where there is evidence of their involvement.

The DPDP Act and Your Other Rights

India has separately enacted the Digital Personal Data Protection Act, which provides a fuller framework for "data fiduciaries" and "data principals", with consent obligations, breach reporting, rights to erasure and correction, and penalties imposable by the Data Protection Board of India. As the DPDP rules and Board roll out fully, victims will have a parallel administrative remedy alongside Section 43A. The two regimes can coexist; one does not extinguish the other.

You may also have rights under contract law — your privacy policy is a contract, and breach of it is actionable. Constitutional privacy jurisprudence following Justice K.S. Puttaswamy v. Union of India recognises informational privacy as a fundamental right, which colours the interpretation of all data laws and can support writ petitions where state actors are involved.

For consumer-facing companies, you may simultaneously pursue a complaint under the Consumer Protection Act for deficiency of service. A bank that lost your data, in particular, faces parallel obligations under RBI master directions on cyber security. The right strategy depends on facts; a lawyer experienced in banking consumer disputes may add useful angles to a pure cyber claim.

A Realistic Look at What You Can Expect

Honesty matters here, because too many people walk into Section 43A litigation with Hollywood-class-action expectations and walk out disappointed. The reality:

Cases worth pursuing: clear breach, identifiable victim, concrete losses (fraud, identity theft, account takeover), well-preserved evidence, organised legal effort. These either settle or succeed at the Adjudicating Officer stage. Awards in the lakhs of rupees are realistic. Coordinated multi-victim claims push higher.

Cases that struggle: tiny individual losses, no documentary trail of being a user, breach denied by the company with no public confirmation, victim acted slowly. These are still arguable, but the cost-benefit may not justify two years of litigation.

What helps a case the most: public confirmation of the breach (news, regulator findings, the company's own notification), multiple victims willing to coordinate, demonstrable monetary losses, well-preserved electronic evidence, a lawyer who has run a Section 43A claim before.

If you are unsure whether your situation is winnable, the cheapest thing you can do is take the documents you already have to a short consultation. Pinaka Legal in Delhi handles Section 43A and 72A matters as part of regular cyber practice. A frank thirty-minute conversation often saves people months of wasted effort, or — equally often — reveals a stronger case than the victim realised. The data was yours. The right to be paid for its mishandling exists. The only question is whether the path ahead is worth walking, and that is a question worth answering with a lawyer rather than alone.

Frequently Asked Questions

Can I really claim compensation when a company leaks my data?

Yes. Section 43A of the IT Act, 2000 specifically creates this right. If a body corporate that holds your sensitive personal data is negligent in maintaining reasonable security practices, and that negligence causes you wrongful loss or causes the company wrongful gain, the company is liable to pay you damages by way of compensation. Significantly, Section 43A places no cap on the compensation amount — the law provides for unlimited damages. You file before the Adjudicating Officer (up to Rs 5 crore) or the competent court (above Rs 5 crore).

What counts as "sensitive personal data" under Indian law?

The Information Technology Rules, 2011 define sensitive personal data or information very broadly. It includes passwords, financial information like bank account, credit card and debit card details, physical, physiological and mental health information, sexual orientation, medical records and history, and biometric information including iris scans and thumb impressions. Even the answer to your secret question is treated as sensitive personal data because it relates to your password. Information freely available in the public domain or furnished under the RTI Act is excluded.

What does "reasonable security practices" mean?

Section 43A defines reasonable security practices and procedures as security measures designed to protect information from unauthorised access, damage, use, modification, disclosure or impairment. The standard can be set by an agreement between the parties, or specified in any law, or in the absence of those, prescribed by the Central Government. Compliance with internationally recognised standards like ISO 27001 is generally treated as evidence of reasonableness. The court asks: did this company do what a competent organisation in its industry would have done to protect your data? If no, that is negligence.

Who exactly is a "body corporate" under Section 43A?

The IT Act defines body corporate very widely. It means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. So it covers banks, fintech apps, e-commerce platforms, ride-share services, dating apps, hospitals, edtech firms, and even small consulting partnerships. Intermediaries like ISPs, telecom operators, search engines and online payment sites are also covered. The only carve-out is non-profit trusts and associations not engaged in commercial activity. If you paid for a service or signed up to one, the holder is almost certainly a body corporate.

What is "wrongful loss" versus "wrongful gain" in this context?

Section 43A requires that the negligence caused either wrongful loss to you or wrongful gain to anyone. The IPC defines wrongful loss as loss by unlawful means of property to which the person losing it is legally entitled. Wrongful gain is gain by unlawful means of property to which the person gaining is not legally entitled. So an identity-fraud loss in your bank account is wrongful loss to you. A scammer profiting from your leaked data is wrongful gain. Even potential or pending losses can qualify, depending on facts and the lawyer's framing.

Where do I actually file a claim under Section 43A?

Section 46 of the IT Act creates the post of Adjudicating Officer. The Central Government has notified that the IT Secretary of each State serves as Adjudicating Officer for that State. By Section 46(1A), this officer has jurisdiction over claims up to Rs 5 crore. For claims exceeding Rs 5 crore, you go to the competent civil court. The Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 govern the process. Your lawyer files an application with the evidence, the company is heard, and an order is passed.

How long does the Adjudicating Officer process take?

The 2003 Rules say each application should be heard and decided within four months and the entire matter finished within six months. Honest answer: in practice, it takes longer. The Parliamentary Standing Committee itself flagged the procedure as cumbersome. Adjournments are frequent. But the process is real, orders are passed, and the order can be enforced as arrears of land revenue under Section 64 of the IT Act. Realistic expectation: 12 to 24 months for a contested matter, faster if the company chooses to settle.

What if the company says it was "hacked" and that the leak is not its fault?

Section 43A does not require the company to have leaked the data on purpose. The standard is negligence. If the company is hacked because it failed to implement and maintain reasonable security practices, that is exactly the negligence the section punishes. So a hacker getting in is not a defence — the question is whether the company had taken reasonable care to keep them out. Outdated software, weak passwords on admin accounts, no encryption of stored data, missing audit logs — any of these can establish negligence. The burden of showing reasonable practices is on the body corporate.

Can I also file a criminal complaint against the company employees who leaked the data?

Yes, in many cases. Section 72A of the IT Act punishes any person, including an intermediary, who while providing services under a lawful contract has secured access to material containing personal information about another person, and discloses it without consent or in breach of contract. Punishment is imprisonment up to three years or fine up to five lakh rupees. So if a specific employee or vendor wrongfully disclosed your data, Section 72A applies alongside the Section 43A civil claim. Also, Section 85 makes the company itself, and persons in charge of its business, liable for IT Act contraventions.

What about the new data protection law — does the DPDP Act change anything?

India has separately enacted the Digital Personal Data Protection Act, which provides a fuller framework for data fiduciaries, consent, breach notification and penalties imposed by the Data Protection Board. As the DPDP rules and the Board roll out, victims will have additional administrative remedies. Until then, and even alongside the DPDP Act, Section 43A of the IT Act remains a live, working remedy for compensation. You may also have parallel rights under contract law (the privacy policy you accepted is a contract) and under constitutional privacy jurisprudence following Justice K.S. Puttaswamy v. Union of India. A lawyer will identify the strongest combination.

What evidence do I need to prove the leak and my loss?

You need three things. First, evidence the leak occurred — news reports of the breach, the dump on a leak forum, the company's own breach notification, screenshots showing your data exposed. Second, evidence you were a customer or user — emails, app screenshots, bills, KYC submissions. Third, evidence of loss — bank statements showing fraudulent debits, fresh phishing emails received, identity-theft incidents, time and money spent fixing things. All electronic evidence must be preserved with Section 65B compliance under the Indian Evidence Act, as the Supreme Court mandated in Anvar P.V. v. P.K. Basheer.

Is it worth the trouble? Are these claims actually winnable?

It depends. Cases where there is clear evidence of a breach, identifiable victims, and concrete losses tend to settle or succeed. Mass breaches with thousands of victims sometimes get more traction through coordinated complaints or class-style litigation. Smaller individual claims are still possible, but the cost-benefit needs to be assessed. The honest answer: it is more winnable today than five years ago because the law has matured and breach reporting has become routine. A short consultation with a cyber lawyer about your specific facts will tell you if it is worth pursuing.

For more articles on Indian law, visit the Pinaka Legal Blog. Written by the Pinaka Legal Editorial Team. For queries, call +91 8595704798 or email info@pinakalegal.com.