Data Breach Liability For Corporates

1. Meaning of Data Breach and Corporate Liability

A data breach occurs when there is:

Unauthorised access

Disclosure

Loss

Alteration or destruction

of personal, sensitive, or confidential data held by a corporate entity.

Data breach liability refers to the civil, criminal, regulatory, and governance consequences arising from a corporation’s failure to protect such data.

2. Constitutional Basis of Data Breach Liability

Indian courts have recognised:

Right to privacy as part of Article 21

Informational privacy as a facet of personal liberty

Corporate data breaches may therefore constitute:

Violation of fundamental rights

Breach of trust and fiduciary duties

3. Statutory Framework Governing Data Breach Liability

A. Information Technology Act, 2000

Key provisions:

Section 43 – Civil liability for unauthorised access or damage

Section 43A – Compensation for failure to protect sensitive personal data

Section 66 – Criminal liability for computer-related offences

Section 72A – Punishment for disclosure of information in breach of contract

B. IT (Reasonable Security Practices and Procedures) Rules, 2011

Corporates must:

Implement reasonable security practices

Maintain documented data protection programs

Ensure consent and purpose limitation

Failure results in compensation claims.

C. Companies Act, 2013

Section 134 – Board responsibility for risk management

Section 447 – Data-related fraud

D. Sector-Specific Regulations

Banking and financial sector guidelines

Healthcare and telecom data protection norms

4. Types of Data Breach Liability

A. Civil Liability

Compensation to affected individuals

Damages for negligence

B. Criminal Liability

Prosecution of company and officers

Imprisonment and fines

C. Regulatory Liability

Penalties

Compliance directions

Licence suspension

D. Contractual Liability

Breach of confidentiality obligations

Indemnity claims

5. Standard of Care and Due Diligence

Corporates are expected to:

Adopt industry-standard security measures

Conduct regular audits

Monitor third-party vendors

Respond promptly to incidents

Negligence is sufficient to attract liability.

6. Liability of Directors and Officers

Directors may be held liable if:

They failed to exercise due diligence

Data breach resulted from governance failure

Cyber risks were ignored

Independent directors may still face scrutiny if oversight is lacking.

7. Vicarious Liability and Third-Party Breaches

Corporates remain liable for:

Breaches by employees

Outsourced vendors

IT service providers

Outsourcing does not absolve responsibility.

8. Judicial Pronouncements

1. Justice K.S. Puttaswamy (Retd.) v. Union of India

(Supreme Court)

Principle:
Right to privacy is a fundamental right under Article 21.

Relevance:
Forms constitutional foundation for data protection and breach liability.

2. Canara Bank v. Canara Sales Corporation

(Supreme Court)

Principle:
Banks have fiduciary duty to protect customer information.

Relevance:
Applies to corporates handling sensitive personal data.

3. ICICI Bank v. Shanti Devi Sharma

(NCDRC)

Principle:
Corporations are liable for unauthorised transactions caused by security failure.

Relevance:
Recognises corporate negligence in data protection.

4. Umashankar Sivasubramanian v. ICICI Bank Ltd.

(NCDRC)

Principle:
Failure to prevent unauthorised electronic access attracts compensation liability.

Relevance:
Clarifies standard of care in electronic data protection.

5. CBI v. Arif Azim (Sony Sambandh Case)

(Delhi High Court)

Principle:
Online data misuse and fraud are punishable cyber offences.

Relevance:
Demonstrates criminal liability arising from data breaches.

6. State of Tamil Nadu v. Suhas Katti

(Madras High Court)

Principle:
IT Act offences are enforceable with strict liability.

Relevance:
Supports prosecution for cyber and data breach offences.

7. Shreya Singhal v. Union of India

(Supreme Court)

Principle:
Limits on intermediary liability while recognising regulatory duties.

Relevance:
Impacts data handling responsibilities of digital corporations.

9. Data Breach Notification and Reporting Obligations

Corporates must:

Report breaches to CERT-In

Inform regulators where required

Notify affected individuals in appropriate cases

Failure to report may aggravate liability.

10. Impact of Data Breaches on Corporate Governance and ESG

Data breaches:

Trigger board-level scrutiny

Affect investor confidence

Influence ESG ratings

Lead to shareholder litigation

Cyber and data risks are now material governance risks.

11. Defences Available to Corporates

Limited defences include:

Absence of negligence

Adoption of reasonable security practices

Acts beyond control (narrowly construed)

Mere existence of policies is insufficient.

12. Best Practices to Mitigate Data Breach Liability

Board-approved data protection policies

Regular penetration testing

Employee training

Vendor due diligence

Incident response and recovery plans

Cyber and data insurance

13. Conclusion

Data breach liability for corporates in India is strict, multi-layered, and rapidly evolving.

Indian jurisprudence establishes that:

Privacy is a fundamental right

Corporates are custodians of personal data

Negligence in data protection attracts liability

In the digital economy, robust data protection compliance is essential for legal security and corporate sustainability.