27 May 2026  ·  DPDPA & IT Compliance

IT Act 2000 & Cybersecurity Obligations for Indian Businesses

As India's digital economy expands, the cybersecurity obligations imposed by the Information Technology Act, 2000 have become increasingly significant for businesses of all sizes. Understanding these obligations is essential to avoiding substantial civil and criminal liability.

The Information Technology Act, 2000 — An Overview

The Information Technology Act, 2000 (IT Act) is the primary legislation governing electronic commerce, digital transactions, and cybersecurity in India. Enacted to give legal recognition to electronic records and digital signatures, the Act has since evolved — through significant amendments in 2008 — into a comprehensive framework addressing cybercrimes, data protection, and the liability of intermediaries. For any organisation operating digitally in India, the IT Act remains the foundational compliance instrument alongside the newer DPDPA 2023.

Section 43A — Compensation for Failure to Protect Data

Section 43A of the IT Act, introduced by the 2008 amendment, imposes liability on corporate bodies that possess, deal with, or handle sensitive personal data and fail to implement reasonable security practices and procedures. Where such failure causes wrongful loss or gain to any person, the corporate body is liable to pay compensation. The Reasonable Security Practices Rules, 2011 (framed under Section 43A) specify that organisations must implement an Information Security Management System (ISMS) — such as ISO/IEC 27001 — and maintain a comprehensive information security policy.

Section 66 — Computer Related Offences

Section 66 of the IT Act criminalises dishonest or fraudulent acts involving computers, including unauthorised access, data theft, introduction of malware, and denial-of-service attacks. Offences under this section are punishable with imprisonment of up to three years and/or a fine of up to ₹5 lakh. Organisations must ensure that their employees and contractors are aware of these provisions, as corporate liability can arise where offences are committed with the knowledge or consent of the organisation's management.

Intermediary Liability and Due Diligence

Section 79 of the IT Act provides a safe harbour to intermediaries — including internet service providers, e-commerce platforms, and social media companies — from liability for third-party content, provided they observe due diligence and comply with the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These Rules require intermediaries to publish privacy policies and terms of service, appoint a Grievance Officer, and act upon complaints within prescribed timelines. Failure to comply with these obligations removes the safe harbour protection and exposes the intermediary to civil and criminal liability.

Cybersecurity Incident Reporting

The IT Act and rules framed thereunder require organisations to report cybersecurity incidents to the Indian Computer Emergency Response Team (CERT-In). The CERT-In Directions of 2022 mandate that covered entities — including service providers, intermediaries, data centres, and government organisations — report cybersecurity incidents within six hours of becoming aware of them. The Directions also require organisations to maintain logs of ICT systems for a rolling period of 180 days and to synchronise their system clocks with the Network Time Protocol server of the National Informatics Centre. Non-compliance attracts penalties under the IT Act.

Navigating the intersection of the IT Act and the DPDPA requires careful legal analysis. Our advocates can assist your organisation in conducting a compliance audit, drafting information security policies, and responding to regulatory enquiries from CERT-In or the Data Protection Board.

Advocacy A Law Firm  ·  DPDPA & IT Compliance

Copyright © 2026 Advocacy A Law Firm — All Rights Reserved.