Penalties for Cybersecurity Non-Compliance in India

Introduction

Cybersecurity non-compliance in India refers to failure by individuals, companies, or institutions to follow legally required security standards for protecting digital systems and data.

It is governed through a multi-layer legal framework, mainly:

  • Information Technology Act, 2000 (IT Act)
  • CERT-In Cybersecurity Directions (2022 and later updates)
  • Companies Act, 2013 (governance obligations)
  • SEBI cybersecurity framework (for listed companies and SEBI-regulated entities)
  • Sectoral regulations (RBI, telecom, insurance, etc.)

Unlike general cybercrime, cybersecurity non-compliance focuses on:

  • inadequate security safeguards
  • failure to report cyber incidents
  • weak data protection practices
  • failure to implement prescribed controls
  • negligence in protecting sensitive data

I. Legal Framework for Cybersecurity Non-Compliance

1. Section 43A – IT Act (Core Provision)

Applies to:

Body corporates that possess, deal with or handle sensitive personal data or information in a computer resource they own, control or operate.

Obligation:

Implement and maintain “reasonable security practices and procedures.” The SPDI Rules, 2011 treat IS/ISO/IEC 27001 (or an approved industry code of practice) as one way to meet this standard.

Non-compliance leads to:

  • liability to pay damages by way of compensation to the person affected, where negligence in maintaining those practices causes wrongful loss or wrongful gain
  • no statutory cap on the amount; claims up to ₹5 crore go to the Adjudicating Officer under Section 46, larger claims to the civil courts

2. CERT-In Directions (2022)

Issued on 28 April 2022 under Section 70B(6) of the IT Act; they bind service providers, intermediaries, data centres, body corporates and government organisations.

Mandates:

  • reporting cyber incidents to CERT-In within six hours of noticing them or being notified of them
  • retaining ICT system logs for a rolling period of 180 days, within Indian jurisdiction
  • synchronising system clocks to the NTP servers of NPL or NIC (or to servers traceable to them)
  • cooperation with authorities, including acting on CERT-In orders and supplying the information requested

Non-compliance consequences:

  • punishment under Section 70B(7): imprisonment up to one year, or fine up to ₹1 lakh, or both
  • investigation escalation and further CERT-In orders
  • parallel action by the sectoral regulator
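The log-retention and reporting-window requirements above can be checked mechanically. The following Python script is an added example written for this page, not CERT-In's or any vendor's tooling: it parses logrotate stanzas (the sample configuration is constructed) to estimate how many days of logs each source keeps, flags anything below the 180-day rolling window, and computes the six-hour reporting deadline from a timezone-aware "noticed" timestamp, refusing naive timestamps because the direction also requires NTP-synchronised clocks. The 7-day, 4-week and 200-day sample stanzas are assumptions chosen for illustration.

```python
"""Self-check for two CERT-In (2022) technical controls: the rolling
180-day log retention and the six-hour incident reporting window.
Added illustrative example; not CERT-In tooling. The logrotate text
below is constructed sample input, not a real server's configuration."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

REQUIRED_RETENTION_DAYS = 180          # CERT-In direction: rolling 180 days
REPORTING_WINDOW = timedelta(hours=6)  # CERT-In direction: report within 6 hours

# Approximate length of each logrotate rotation interval, in days.
INTERVAL_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

# Constructed sample /etc/logrotate.d content: two deficient stanzas, one compliant.
SAMPLE_LOGROTATE = """
/var/log/auth.log {
    daily
    rotate 7
    compress
}
/var/log/nginx/access.log {
    weekly
    rotate 4
    missingok
}
/var/log/app/audit.log {
    daily
    rotate 200
    compress
    maxage 365
}
"""

# One stanza: "<path(s)> { ... }" with the closing brace at the start of a line.
STANZA_RE = re.compile(r"^\s*(\S[^{]*?)\s*\{(.*?)^\s*\}", re.S | re.M)


def retention_days(body: str) -> float | None:
    """Return the retention window (in days) a logrotate stanza body implies.

    logrotate keeps `rotate N` old files, each covering one interval, so
    retention is roughly N intervals; if `maxage` is present, older files
    are deleted regardless, so the effective window is the smaller of the
    two. Returns None when the stanza does not say enough to decide.
    """
    interval = next(
        (days for word, days in INTERVAL_DAYS.items() if re.search(rf"^\s*{word}\b", body, re.M)),
        None,
    )
    rotate = re.search(r"^\s*rotate\s+(\d+)", body, re.M)
    if interval is None or rotate is None:
        return None
    days = int(rotate.group(1)) * interval
    maxage = re.search(r"^\s*maxage\s+(\d+)", body, re.M)
    if maxage:
        days = min(days, int(maxage.group(1)))
    return days


def audit_logrotate(text: str, required: int = REQUIRED_RETENTION_DAYS) -> dict[str, float | None]:
    """Map each log path to its retention shortfall in days.

    0.0 means the path meets the required window; None means the stanza
    could not be evaluated and needs manual review. Several paths may
    share one stanza, in which case each gets the same result.
    """
    findings: dict[str, float | None] = {}
    for match in STANZA_RE.finditer(text):
        paths, body = match.group(1).split(), match.group(2)
        days = retention_days(body)
        for path in paths:
            findings[path] = None if days is None else max(0.0, required - days)
    return findings


def reporting_deadline(noticed_at: datetime) -> datetime:
    """Latest time an incident noticed at `noticed_at` must reach CERT-In.

    A naive timestamp is rejected: the deadline only means something if the
    clock that produced it is synchronised and its zone is known.
    """
    if noticed_at.tzinfo is None:
        raise ValueError("use a timezone-aware timestamp from an NTP-synced clock")
    return noticed_at + REPORTING_WINDOW


if __name__ == "__main__":
    for path, shortfall in audit_logrotate(SAMPLE_LOGROTATE).items():
        if shortfall is None:
            status = "UNKNOWN (review manually)"
        elif shortfall == 0:
            status = "OK"
        else:
            status = f"SHORT by {shortfall:g} days"
        print(f"{path}: {status}")
    ist = timezone(timedelta(hours=5, minutes=30))
    noticed = datetime(2024, 3, 1, 22, 0, tzinfo=ist)
    print("incident noticed:", noticed.isoformat())
    print("report to CERT-In by:", reporting_deadline(noticed).isoformat())
```

Run it against a copy of the real /etc/logrotate.d files to get a first-pass list of sources that fall short of the 180-day window; journald, SIEM forwarders and cloud log sinks need their own equivalent check, since logrotate only covers files it manages.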

3. Section 72A – IT Act

Applies when:

A person, including an intermediary, who obtained personal information under a lawful contract discloses it to a third party without the consent of the person concerned, or in breach of that contract, with intent to cause or knowing it is likely to cause wrongful loss or wrongful gain.

Penalty:

  • imprisonment up to 3 years
  • fine up to ₹5 lakh
  • or both

4. Section 43 – IT Act

Covers (when done without the permission of the owner or person in charge of the computer system):

  • unauthorized access to, or download of data from, a computer system
  • damage to a computer, system, network or data
  • introduction of malware (any “computer contaminant” or virus)
  • denial of access to a person authorised to use the system

Consequence:

  • civil liability to pay compensation to the person affected
  • the same acts done dishonestly or fraudulently are punishable under Section 66 (imprisonment up to 3 years, or fine up to ₹5 lakh, or both)

5. Companies Act, 2013

Cybersecurity relevance:

  • directors’ responsibility statement under Section 134(5)(e) that internal financial controls are adequate and operating effectively; the IT systems that process financial data fall within that scope
  • directors’ duty of care, skill and diligence under Section 166
  • failure of governance oversight by the board and the audit committee

Penalties:

  • fines on the company and on officers in default
  • personal liability of directors who breach their statutory duties

6. SEBI Cybersecurity Framework

For listed companies and SEBI-regulated entities:

  • mandatory cybersecurity governance: the Cybersecurity and Cyber Resilience Framework (CSCRF, 2024) for regulated entities such as exchanges, depositories, brokers and asset managers, consolidating the earlier circular-based requirements
  • incident disclosure obligations: listed companies report cybersecurity incidents in the quarterly corporate governance report under Regulation 27(2) of the LODR Regulations

Penalties:

  • monetary penalties under the SEBI Act
  • trading restrictions and other directions
  • compliance orders and, for intermediaries, action against their registration

II. Types of Penalties for Cybersecurity Non-Compliance

1. Civil Liability (Compensation)

  • Section 43A IT Act
  • Data breach damages

2. Regulatory Penalties

  • CERT-In enforcement
  • SEBI sanctions
  • sectoral regulator penalties

3. Criminal Liability

  • Section 72A (unlawful disclosure of personal information)
  • Section 66 (acts listed in Section 43 done dishonestly or fraudulently)
  • Section 70B(7) (non-compliance with CERT-In directions)

4. Corporate Governance Penalties

  • director liability
  • compliance failure penalties

5. Operational Penalties

  • business restrictions
  • suspension of services

III. Important Case Laws on Cybersecurity Non-Compliance in India

CASE 1

Shreya Singhal v. Union of India (2015)

Facts

Constitutional challenge to IT Act provisions on online speech and intermediary obligations. The Supreme Court struck down Section 66A as unconstitutionally vague and read down Section 79(3)(b) so that an intermediary loses safe harbour only when it fails to act on a court order or a government notification, not on private complaints alone.

Legal Principle

Cyber regulations must be clear, reasonable, and not arbitrary; a penal provision that does not tell a person what is prohibited cannot stand.

Relevance

Establishes:

  • cybersecurity enforcement must follow constitutional safeguards
  • compliance obligations must not be vague

CASE 2

Avnish Bajaj v. State (NCT of Delhi) (Baazee.com Case)

Facts

A user listed an obscene video clip for sale on Baazee.com; the listing stayed live until the platform removed it, and the company’s managing director was arrested and prosecuted.

Compliance Failure

Listings were not screened before going live and the platform relied on after-the-fact removal, which the prosecution treated as a failure of due diligence.

Outcome

Criminal proceedings were pursued against the corporate executive personally, even though the content had been uploaded by a user. The Delhi High Court later quashed the IPC charges against him on the ground that the company itself had not been arraigned, while allowing the IT Act prosecution (Section 67 read with Section 85) to proceed.

Legal Principle

Failure of digital platform compliance and due diligence can expose both the platform and its officers to liability.

CASE 3

Sharat Babu Digumarti v. Government of NCT of Delhi (2017)

Facts

Arising from the same Baazee.com listing, the Supreme Court examined whether a manager of the platform could still be tried under Section 292 IPC for obscene electronic content after the charge under Section 67 of the IT Act had been dropped.

Legal Principle

For offences involving electronic records the IT Act is the special statute and, by virtue of Section 81, overrides the general IPC provisions; the IT Act is therefore the primary statute governing cyber compliance and liability.

Relevance

Confirms:

  • cybersecurity and electronic-content violations fall under the IT Act framework

CASE 4

Citibank MphasiS Fraud Case (Pune, 2005)

Facts

Employees of a BPO servicing Citibank used account details and PINs obtained from customers during support calls to transfer funds into accounts under their control. They were charged under Sections 43 and 66 of the IT Act together with IPC offences.

Compliance Failure

Poor authentication, no segregation of duties and weak internal monitoring allowed legitimately granted access to be misused.

Legal Principle

Access that exceeds the purpose for which it was granted is unauthorised access under Section 43; organizations with weak cybersecurity governance carry the resulting liability.

Relevance

Shows:

  • failure of system security = corporate liability

CASE 5

Pune Cyber Banking Fraud Case (System Security Failure Principle Case)

Facts

Unauthorized transactions were carried out on customer accounts because the bank’s security systems did not detect or prevent them.

Compliance Failure

Inadequate customer authentication and transaction monitoring.

Legal Principle

Negligence in cybersecurity systems leads to liability under IT Act.

Relevance

Establishes:

  • strict duty of care for digital financial systems

CASE 6

CERT-In Enforcement Post-2022 Direction Cases (Regulatory Actions)

Facts

Companies failed to:

  • report cyber incidents within the mandated six-hour window
  • maintain logs for the rolling 180-day period
  • follow the technical protocols in the directions (clock synchronisation, record keeping)

Legal Principle

CERT-In directions are legally binding compliance obligations.

Relevance

Shows:

  • regulatory penalties for cybersecurity non-compliance
  • increased enforcement of reporting obligations

CASE 7

Aadhaar / UIDAI Data Security Compliance Cases (Principle Cases)

Facts

Concerns over unauthorized access to Aadhaar data and over its handling by UIDAI and requesting entities, litigated in Justice K.S. Puttaswamy v. Union of India (the 2017 privacy judgment and the 2018 Aadhaar judgment).

Compliance Issue

Failure to implement safeguards strong enough to protect a national-scale store of sensitive data.

Legal Principle

Entities handling sensitive data must ensure strict cybersecurity controls.

Relevance

Strengthens:

  • data protection compliance obligations

CASE 8

Various Data Breach Class Action-Type Litigation (Indian Context)

Facts

Companies suffered data leaks due to weak cybersecurity systems.

Compliance Failure

Failure to implement reasonable security practices.

Legal Principle

Section 43A liability applies for negligence.

Relevance

Confirms:

  • compensation liability for cybersecurity failure

IV. Liability Structure in Cybersecurity Non-Compliance

1. Direct Corporate Liability

Company itself is responsible for security failures.

2. Vicarious Liability

Employees’ negligence can be attributed to the organization. Conversely, under Section 85 of the IT Act, where a company commits an offence, every person who was in charge of and responsible for its business at the time is deemed guilty unless they show the offence was committed without their knowledge or despite due diligence; directors and officers are also liable where the offence was committed with their consent, connivance or neglect.

3. Director Liability

Board oversight failures may trigger penalties.

4. Third-Party Vendor Liability

Cloud/service providers may share responsibility.

V. Key Legal Principles from Case Law

1. Duty of Care Principle

Companies must implement reasonable cybersecurity safeguards.

2. Due Diligence Principle

Failure to monitor systems leads to liability.

3. Strict Compliance Principle

CERT-In and regulatory directions are mandatory.

4. Data Protection Responsibility Principle

Section 43A imposes negligence-based civil liability: the affected person need only show that reasonable security practices were not maintained and that this caused wrongful loss or wrongful gain.

5. Concurrent Liability Principle

Civil, regulatory and criminal liability may coexist for the same incident.

VI. Challenges in Enforcement

1. Ambiguity in “Reasonable Security”

No uniform cybersecurity standard applies across industries; the SPDI Rules point to ISO/IEC 27001 or an approved code of practice, but each sectoral regulator sets its own controls.

2. Rapid Technological Change

Laws struggle to keep pace with cyber risks.

3. Cross-Border Data Systems

Cloud infrastructure complicates jurisdiction.

4. Limited Enforcement Capacity

Cyber enforcement agencies are overburdened.

5. Underreporting of Cyber Incidents

Companies may delay disclosure.

VII. Emerging Trends

1. Stronger CERT-In Enforcement

Mandatory cyber incident reporting is strictly enforced.

2. Digital Personal Data Protection Act, 2023 (DPDP Act)

Imposes monetary penalties of up to ₹250 crore per instance for failing to take reasonable security safeguards to prevent a personal data breach, and requires breach notification to the Data Protection Board and to the affected individuals.

3. Increased SEBI Cyber Governance

Listed companies face stricter compliance rules.

4. Rise of Cyber Insurance Claims

Companies shifting risk through insurance.

5. AI and Cloud Security Regulation

New compliance obligations emerging.

VIII. Conclusion

Penalties for cybersecurity non-compliance in India are governed through a multi-layer legal system combining IT Act provisions, regulatory frameworks, and corporate governance laws.

Key provisions include:

  • Section 43A → compensation for data breach negligence
  • Section 72A → criminal liability for unlawful disclosure
  • CERT-In Directions → mandatory cybersecurity compliance
  • SEBI regulations → corporate cyber governance obligations
  • Companies Act → director responsibility for oversight failures

Key cases such as:

  • Shreya Singhal v. Union of India
  • Avnish Bajaj (Bazee.com case)
  • Sharat Babu Digumarti case
  • Citibank Mphasis fraud case
  • Pune cyber banking fraud cases
  • CERT-In enforcement actions

establish that:

  1. Cybersecurity compliance is a legal obligation, not optional practice.
  2. Failure of cybersecurity systems leads to civil, regulatory, and criminal liability.
  3. Directors and companies can both be held accountable.
  4. Regulatory bodies like CERT-In play a central enforcement role.
  5. India combines negligence-based civil liability with regulatory enforcement and, for specified conduct, criminal sanctions in its cybersecurity governance model.

Overall, India’s cybersecurity penalty framework emphasizes accountability, proactive compliance, and strong institutional enforcement to protect digital infrastructure and personal data.
