The Breach Just Happened — What Now
It is one of three nights. Either a colleague has just shown you a screenshot — your private photo, posted by a stranger on a public group, with your face. Or your bank app sent an unfamiliar SMS, your KYC details have surfaced on a Telegram channel that sells leaked databases, and your phone is buzzing with strange OTPs. Or your former employer has sent your medical leave certificate to a WhatsApp group of HR managers, and you are reading the message with the kind of cold that has nothing to do with the air-conditioning.
Whatever your version, you are now at the same fork. People keep asking you the same question: Should I go to the police, or should I claim money? They mean it kindly, but they are framing it as a binary. It is not. Indian cyber law gives you two parallel tracks, both meant for situations like yours, and you can take both at once. The question is not which one — it is which one to start tonight, which one to file next week, and what each of them realistically does for you.
What the Law Actually Protects
India does not yet have a single, unified privacy statute that covers every kind of online breach. What it has is a layered structure where different statutes protect different aspects of privacy, and a constitutional umbrella that holds them together.
The umbrella is K.S. Puttaswamy v Union of India (2017). A nine-judge Bench of the Supreme Court unanimously held that the right to privacy is a fundamental right under Article 21 of the Constitution. The Court was specific that informational privacy — control over one's own data — is part of that right. Like other fundamental rights, it is not absolute, but any law that intrudes upon it must satisfy legality, necessity and proportionality. The judgment binds the State and shapes how courts read every other privacy provision below.
Underneath that umbrella, the IT Act gives you the operational tools:
- Section 43 of the IT Act — civil compensation for unauthorised access. Lists ten kinds of unauthorised acts on a computer or network — accessing, copying, damaging, disrupting — each a ground for damages by way of compensation.
- Section 43A of the IT Act — compensation for failure to protect data. Targets a body corporate that holds your sensitive personal data and is negligent in maintaining reasonable security practices. Compensation is uncapped.
- Section 66 of the IT Act — computer-related offences. Criminalises Section 43 acts done dishonestly or fraudulently.
- Section 66C of the IT Act — identity theft. Misuse of password, electronic signature or unique identification feature.
- Section 66D of the IT Act — cheating by personation. Pretending to be you online to deceive others.
- Section 66E of the IT Act — capturing or transmitting intimate images. Up to three years and Rs 2 lakh fine. Non-bailable.
- Section 72A of the IT Act — disclosure of personal information in breach of contract. Targets service providers, employees and intermediaries who leak your data in breach of a confidentiality obligation.
The Indian Penal Code adds Section 354C (voyeurism), Section 354D (stalking), Sections 463/464 (forgery) where the breach involves fabricated documents, and Section 419 (cheating by personation) where the breach was used to deceive others. The procedural law that runs all of this is the BNSS, particularly Section 173 (FIR) and Section 175 (police investigation power).
The Digital Personal Data Protection Act, 2023 sits on top — it adds rights to consent, access, correction and erasure, plus a Data Protection Board with penalty powers. Its rules are still rolling out at the time of writing, so the IT Act remedies above remain the practical front-line.
The Two Tracks Side by Side
Here is what really separates them.
| Question | Police case (criminal track) | Compensation claim (civil track) |
|---|---|---|
| What you start with | FIR under Section 173 BNSS, citing IT Act offences and IPC offences | Application under Section 46 IT Act before the Adjudicating Officer of your state |
| Who decides | Police investigate, charge sheet under Section 193 BNSS, Magistrate or Sessions Judge tries | Adjudicating Officer (the IT Secretary) decides, with the powers of a civil court under Section 46(5) IT Act |
| What you get | Punishment of the wrongdoer — jail and/or fine. Fine paid to the State, not to you | Damages by way of compensation paid directly to you, up to Rs 5 crore at the AO level |
| Burden of proof | Beyond reasonable doubt | Preponderance of probabilities — civil standard |
| Speed | Slow. Typical cyber trial: 3–6 years from FIR to judgment | Fast in design. Rule 4(k) of AO Rules, 2003: hearing within 4 months, full matter within 6 months |
| Cost | Low for you (State prosecutes), but lawyer fees if you assist as victim/witness | Moderate. Application filing fee plus advocate fees, typically far less than a civil suit |
| Where the bar of civil court applies | N/A | Section 61 IT Act bars regular civil courts from entertaining what AO can decide |
| Best when | You want the wrongdoer punished and deterred; intimate-image cases (Section 66E is non-bailable); criminal personation | You have suffered financial loss; the wrongdoer is a body corporate (Section 43A); you want fast monetary recovery |
The big point cyber-law commentary is candid about: the same act often opens both doors at once. Section 43 acts done dishonestly or fraudulently become Section 66 offences. So unauthorised access to your account is simultaneously a Section 43(a) civil wrong (compensation) and a Section 66 read with Section 43(a) criminal offence (FIR). The forums are different; the underlying conduct is the same.
Which Track Should I Pick — and When?
Run both, but start in the right order.
Start with the FIR if the breach is fresh, evidence is volatile, the wrongdoer may move money or data, or the offence involves intimate images, stalking, or impersonation. The FIR triggers police powers under BNSS Section 175 — including the power to seize devices, preserve server logs, and freeze bank accounts (in coordination with the cyber helpline 1930). Cyber forensic windows close fast. Many platforms keep server logs for only six to twelve months. The FIR creates the formal channel through which those records can still be obtained.
Move quickly to the compensation claim if the loss is monetary, the respondent is a body corporate (a bank, hospital, app, telecom, e-commerce company), or you want a faster, lower-burden, clearly-defined money outcome. The Adjudicating Officer track does not need to wait for the criminal trial to finish. Cyber-law commentary describes the AO procedure as summary in nature; the AO can grant compensation up to Rs 5 crore, with the powers of a civil court, and the order is recoverable as arrears of land revenue under Section 64 IT Act.
Stack both when both make sense. The FIR carries evidentiary weight in the AO proceeding — police investigation reports under Section 193 BNSS can be relied on. Conversely, an AO order finding a body corporate negligent under Section 43A can support sentencing arguments in the criminal trial. Each track strengthens the other.
Skip a track only if you have a clear strategic reason. For example, if the wrongdoer is a family member and a criminal record would damage you more than help you, the civil compensation track alone may be the right call. Or if the breach is by a body corporate where no individual wrongdoer is identifiable, the FIR may stall but the Section 43A claim is fully available. These are calls best made with a lawyer who has seen both forums work.
Filing the FIR Under BNSS Section 173
The Bharatiya Nagarik Suraksha Sanhita, 2023 — the new Code of Criminal Procedure — rewrote the FIR provision specifically with cyber and inter-state cases in mind. Section 173 of the BNSS — the law on registration of FIRs — has three changes that matter to you:
- Zero-FIR is statutory. The FIR can be lodged "irrespective of the area where the offence is committed". A Delhi station cannot turn you away because the leaker is in Bengaluru.
- e-FIR is recognised. Information by electronic communication is now permitted, with a 3-day window for the informant to sign a copy.
- Preliminary inquiry framework. Section 173(3) BNSS allows police to conduct a preliminary inquiry to ascertain whether a prima facie case exists for cognizable offences punishable with three to seven years. Most cyber privacy offences are below seven years, so this can apply — it is not always a delay tactic.
If the police refuse, BNSS Section 173(4) lets you send the substance of your complaint in writing to the Superintendent of Police, who must order an investigation if the information discloses a cognizable offence. If even the SP fails, BNSS Section 175(3) lets you approach a Magistrate to direct police registration and investigation. Cyber-law commentary records published Adjudicating Officer orders that publicly criticised police for refusing to register cyber FIRs — so refusals do happen, but they are correctable.
What to put in the FIR draft: a one-page narrative in chronological order, every section invoked with translation in brackets — "Section 66C IT Act (identity theft)", "Section 66E IT Act (intimate-image transmission)", "Section 354C IPC (voyeurism)" — the URL or platform identifiers, and a list of evidence enclosed. Insist on a copy of the FIR; you are entitled to it free under Section 173(2) BNSS.
If your incident overlaps with online harassment, threats, or stalking, your matter may also touch the cluster on online harm and harassment — these often require parallel platform-side complaints to the Grievance Officer in addition to the FIR.
Filing the Compensation Claim Under Section 46
The civil track begins with an application before the Adjudicating Officer of your state. Section 46 of the IT Act — power to adjudicate — establishes the office. Section 46(1A) gives the AO jurisdiction to award compensation up to Rs 5 crore. Above that, jurisdiction shifts to a competent civil court.
The AO has the powers of a civil court on issues like summoning witnesses, examining evidence, and producing documents (Section 46(5) IT Act). The AO is required to give the respondent a reasonable opportunity to be heard before passing orders. The procedure is summary — designed for speed, not for the elaborate calendar of a regular civil suit.
What goes into a Section 46 application:
- Identification of the respondent — the individual wrongdoer for Section 43 claims, the body corporate for Section 43A claims.
- The Section 43 sub-clause invoked: (a) for unauthorised access, (b) for copying, (d) for damage, (e) for disruption. Each is a separate ground.
- If the respondent is a body corporate handling sensitive personal data, Section 43A in the alternative.
- The wrongful loss in numbers — financial, opportunity, reputational where measurable.
- Evidence pack — the same screenshots and Section 65B-supported electronic records you would file in the FIR.
- The compensation prayer with a reasoned figure.
Cyber-law commentary points out that Adjudicating Officers in Maharashtra have repeatedly granted compensation in bank-fraud and account-takeover cases — including Dr Sagar Bharat Kelkar v State Bank of India, Dr Vijay Gopal Kulkarni v SBI Card & Payment Services and Sh TM Sathyanarayanan v Bank of Maharashtra — where the bank was found negligent and ordered to compensate. These published orders show the track is real, even if it is uneven across states.
Evidence and Takedown — Two Things to Do Today
Preserve, do not destroy. Whichever track you pick, the case turns on what you can show. The first instinct after a privacy breach — to delete the offending message, hide the post, scrub all traces — is the wrong instinct. Capture before you remove. Cyber-law commentary makes the practical point that electronic data is fragile: every reboot of a system can subtly alter resident data, and many platforms recycle logs within months.
Your minimum capture pack:
- Screenshots of every relevant page — full screen, with URL and timestamp visible.
- Original device file copies of the offending content.
- Account handles, post IDs, group invite links, channel names.
- Email headers — not just bodies — for any email evidence.
- Phone billing records, OTP receipts, bank SMS where money moved.
- A written timeline of who, what, when, on which device.
For court, this material is proved through Section 65B of the Indian Evidence Act, 1872 — admissibility of electronic records (now Section 63 of the Bharatiya Sakshya Adhiniyam, 2023). A Section 65B certificate is mandatory and must accompany any printout or copy. The certificate identifies the device, the period of use, and the integrity of the data.
Use the takedown channel in parallel. Under the IT Rules, 2021, every significant social media intermediary must designate a Grievance Officer with published timelines — typically 24 hours for child or sexual content, 72 hours for other privacy violations. Do not wait for the police to write to the platform. File the grievance complaint yourself with screenshots and the URL. Most platforms also require a copy of the FIR or its acknowledgement for permanent removal — so the FIR and the takedown request, paired, move faster than either alone.
If money has moved, call 1930, the National Cyber Crime Reporting helpline, immediately. The helpline can flag and provisionally freeze the receiving bank account during the so-called golden hour, before further layering. This frequently saves money that would otherwise be lost.
What Should I Actually Do Now?
- Capture evidence first. Screenshots of every page, URL, post, message — with timestamps visible — before you delete or report.
- Save originals on a separate device. Cloud copy plus a USB. Do not edit anything.
- Call 1930 within the hour if any money has moved or your bank credentials are exposed.
- File at cybercrime.gov.in with full evidence. Note your complaint reference number.
- Send a takedown grievance to the platform citing the IT Rules, 2021. Include the FIR number once you have it.
- Walk into a police station and file the FIR under Section 173 BNSS. Cite Sections 66, 66C, 66D, 66E, 72A IT Act and IPC sections (354C, 354D, 419) as applicable. Carry your evidence pack and a written one-pager.
- If the police refuse, escalate in writing to the Superintendent of Police citing Section 173(4) BNSS, then to the Magistrate citing Section 175(3) BNSS.
- Within thirty days, file a Section 46 IT Act application before the Adjudicating Officer of your state for compensation under Section 43 (against the individual wrongdoer) or Section 43A (against the body corporate).
- If a body corporate's negligence enabled the breach, send a written legal notice citing Section 43A IT Act and Rule 3 of the IT Rules 2011, putting them on notice of the AO claim.
- If the breach affected your bank or financial accounts, also lodge a written complaint with the Banking Ombudsman in addition to the AO, and pursue the banking-side compensation routes.
- Track every receipt — FIR copy, complaint reference, AO application number, Grievance Officer ticket. Keep one folder, online and offline.
- Do not pay any "settlement" or "fine" demanded by an unknown caller claiming to "remove" your data. That is a second scam. Real takedowns happen through grievance channels and court orders, not payments.
You Have Real Choices Here
The instinct after an online privacy breach is to feel cornered. Friends advise opposite things. The police seem distant. Lawyers seem expensive. The platform's grievance form is buried under three menus. You stare at the leaked photo or the SMS or the strange email and the most natural feeling is helplessness. That feeling is wrong.
Indian privacy law is imperfect. The IT Act was drafted before social media existed in its current form. Many cyber offences are bailable. Adjudicating Officers are sometimes overburdened bureaucrats rather than dedicated judges. The DPDP Act is still maturing. All of this is true.
Also true: K.S. Puttaswamy gave you a constitutional right; Section 43 gives you civil compensation up to Rs 5 crore through a faster forum than any civil court; Section 43A gives you uncapped compensation against a negligent company; Section 66E is one of the few non-bailable cyber offences and exists specifically for image-based abuse; BNSS Section 173 gives you zero-FIR and e-FIR; the cyber helpline 1930 has, in published cases, recovered crores in transit. The system is not friendly, but it is not absent.
The choice between police case and compensation claim, in most situations, is not actually a choice. It is a sequencing question. File the FIR for the criminal sting and the police powers. File the AO application for the money. Use the grievance channel for takedown. Keep your evidence folder current. Do not let the sense of being overwhelmed talk you out of the steps you can take this week. Whatever the platform, whatever the wrongdoer, the law has more for you than you think — and the people who built it are quietly cheering for the citizen who actually walks through the doors it left open.
Frequently Asked Questions
Should I file an FIR or a compensation claim for an online privacy breach?
You should file both, in parallel. The FIR under Section 173 BNSS triggers a criminal investigation that punishes the wrongdoer. The compensation claim under Section 46 IT Act gives you money damages directly. They are separate forums (police plus Magistrate versus Adjudicating Officer), separate burdens of proof, and one does not block the other. Section 43 acts that are also done dishonestly become Section 66 offences — so the same incident gives rise to both a criminal track and a civil track, and you can run them simultaneously. The forums often strengthen each other.
What is a privacy breach in Indian law?
There is no single statutory definition of online privacy breach in India, but the law approaches it from several angles. The Supreme Court in K.S. Puttaswamy v Union of India (2017) held that the right to privacy is a fundamental right under Article 21, and informational privacy is part of that right. Statutorily, Section 66E IT Act criminalises capture or transmission of intimate images, Section 72A criminalises disclosure of personal information in breach of contract, Section 43 grants compensation for unauthorised access to a computer resource, and Section 43A grants compensation against a body corporate for negligent handling of sensitive personal data.
Where do I go to claim money for a privacy breach?
The Adjudicating Officer of your state under Section 46 of the IT Act, for claims up to Rs 5 crore. The Adjudicating Officer is the IT Secretary of the relevant State Government. Filing is by application, supported by evidence and, where the act was unauthorised access, the relevant Section 43 sub-clause. Section 61 of the IT Act ousts the jurisdiction of regular civil courts for matters that the AO is empowered to determine — so this is your forum, not a civil judge. Beyond Rs 5 crore, jurisdiction shifts to a competent civil court.
Where do I file an FIR for a privacy breach?
Three doors. The cyber cell of your local police, by walking in with a written complaint citing Sections 66, 66C, 66E, 72A IT Act and IPC sections such as 354C (voyeurism), 354D (stalking), 419 (cheating by personation) as relevant. The National Cyber Crime Reporting Portal at cybercrime.gov.in or the helpline 1930 — particularly if money was lost. The local police station closest to your residence, since BNSS Section 173 introduced zero-FIR — refusal on jurisdiction is no longer permissible. If the police refuse, escalate under BNSS Section 173(4) and Section 175(3).
Can I sue a company that leaked my personal data?
Yes. Section 43A of the IT Act fixes liability on a body corporate that is negligent in maintaining reasonable security practices and procedures while handling sensitive personal data, and that negligence causes you wrongful loss. There is no cap on the compensation under Section 43A. Rule 3 of the IT Rules, 2011 lists what counts as sensitive personal data — passwords, financial information, health information, biometric data, sexual orientation. The claim is filed before the Adjudicating Officer if it is up to Rs 5 crore. Several state Adjudicating Officers have ordered banks to refund customers for security failures.
My intimate images were leaked online — what is the law?
This is one of the few non-bailable cyber offences. Section 66E IT Act criminalises intentional or knowing capture, publication or transmission of the image of a private area of any person, without consent, in circumstances violating privacy — punishment up to three years and Rs 2 lakh fine. IPC Section 354C (voyeurism) and Section 354D (stalking) attach in personal harassment cases. Section 67/67A IT Act attach where the content is obscene or sexually explicit. File an FIR immediately, and at the same time file takedown requests with the platform and a complaint to the Grievance Officer.
What evidence do I need to prove an online privacy breach?
Screenshots with timestamps, original device files, URLs and post IDs, account handles, and any communication. Critically, do not delete anything — even content that distresses you — until counsel has reviewed it. For court use, the electronic record will be proved through Section 65B of the Evidence Act (Section 63 of the BSA, 2023), with a certificate identifying the device and confirming integrity. Police obtain server logs from the platform on formal request. Cyber-law commentary stresses that electronic data is fragile — every reboot of a system can subtly change resident data — so capture early and store on a separate device.
Is the Puttaswamy judgment relevant to my case?
Yes, indirectly but powerfully. K.S. Puttaswamy v Union of India (2017) confirmed that the right to privacy is a fundamental right under Article 21 of the Constitution, and that informational privacy is a facet of that right. The judgment binds the State and shapes how courts interpret statutes that affect privacy — including the IT Act provisions you rely on. While Puttaswamy itself was about constitutional law and Aadhaar, its principles are routinely invoked in cyber privacy disputes to push courts toward stronger protective interpretations of Sections 43, 43A, 66E and 72A.
How long does the criminal track take vs the compensation track?
Cyber criminal trials in India often take three to six years from FIR to judgment, sometimes longer, depending on the court calendar and the accused's defences. The compensation track before the Adjudicating Officer is designed to be a summary procedure — Rule 4(k) of the AO Rules, 2003 says, as far as possible, every application shall be heard and decided in four months and the whole matter in six months. In practice the AO track is usually faster than civil court. Use both, but expect the compensation order to land first.
Are there cases where the police refused to register a privacy FIR?
Yes — and the published Adjudicating Officer record in Maharashtra is unflattering about it. In one published order the AO noted that police were refusing to lodge FIRs in cyber cases against Supreme Court instructions, and directed the Police Commissioner to personally monitor investigations and submit an Action Taken Report. The lesson: refusals happen, but they are correctable. BNSS Section 173(4) lets you escalate to the SP. Section 175(3) lets you approach the Magistrate to direct registration. Carry copies and keep a calm written narrative.
Can I sue under Section 43A even if I am an individual, not a business?
Yes. Section 43A acts the other way — it applies to a body corporate that handles your sensitive personal data. You, as the natural person whose data was compromised, are the claimant. The body corporate is the respondent. The compensation flows to you, capped at Rs 5 crore for the AO's jurisdiction and unlimited beyond that before a civil court. The provision was specifically designed to protect ordinary individuals from negligent handling of their data by companies, banks, hospitals, telecom and intermediaries.
What about the Digital Personal Data Protection Act, 2023?
India enacted the Digital Personal Data Protection Act, 2023 to overlay a data-protection regime on top of the IT Act. Once fully operational, it provides additional rights to data principals — to consent, to access, to correction, to erasure, and to grievance redressal — and creates a Data Protection Board with power to impose financial penalties on data fiduciaries for breaches. This is in addition to the IT Act remedies discussed in this article. Until the DPDP regime is fully operational at the rules level, the IT Act, Sections 43, 43A, 46, 66, 66C, 66E and 72A continue to be the practical battleground.
Can I get the offending content taken down quickly?
Yes, in parallel with the FIR. Most platforms have a Grievance Officer designated under the IT Rules, 2021, who is required to act on complaints relating to violation of personal information within fixed timelines (usually 24 to 72 hours for sensitive content). For child or sexual content, the platform must remove within 24 hours of notice. If the platform does not act, you can complain to the National Cyber Crime Reporting Portal and to the Ministry of Electronics and Information Technology. Court orders for takedown are available too, but the grievance route is usually faster.