This article is written by Shreya Pandey www.linkedin.com/in/shreya-pandey-914234261 , M.K.E.S College of Law, BA, LLB, 4th Year during her internship at LeDroit India
Scope of the Article
• Abstract: The New Trifecta of Corporate Liability
• I. The New Liability Paradigm: The Digital Personal Data Protection (DPDP) Act, 2023
• II. The Financial Consequences: Penalties Under the DPDP Act
• III. Establishing Negligence: Legacy Jurisprudence and Its Enduring Relevance
  • Landmark Judgment: Justice K. S. Puttaswamy (Retd.) v. Union of India (2017)
• IV. The Criminal Liability Vector: The Bharatiya Nyaya Sanhita (BNS), 2023
• V. Conclusion: A Strategic Framework for Corporate Compliance
Keywords: Corporate Liability, Data Breaches, Digital Personal Data Protection (DPDP) Act, 2023, Data Protection Board of India (DPBI), Financial Penalties, Breach Notification
Abstract: The New Trifecta of Corporate Liability
This report offers a clear analysis of the new multi-layered liability framework that Indian companies face during a data breach. The passage of the Digital Personal Data Protection (DPDP) Act, 2023 marks a significant shift, but it does not function alone. Corporate liability for data breaches has evolved from a singular risk to a complex “trifecta” of associated, high-stakes exposures that boards and executive leadership must handle.
These three main types of liability are:
1. Civil/Regulatory: The unprecedented financial penalties from the Digital Personal Data Protection (DPDP) Act, 2023. This law replaces the previous compensatory structure with a punitive one. It empowers the Data Protection Board of India (DPBI) to impose fines up to ₹250 Crore per violation.
2. Criminal: The new risk of criminal prosecution for directors and officers under the Bharatiya Nyaya Sanhita (BNS), 2023. This new penal code, which replaces the Indian Penal Code, 1860, identifies “cyber-crimes” as a form of “organized crime.” This creates a new avenue for corporate criminal liability in cases of gross negligence or insider involvement.
3. Sectoral: The ongoing and very specific compliance demands from sectoral regulators. The DPDP Act does not replace the strict data governance rules from the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), and the Insurance Regulatory and Development Authority of India (IRDAI), all of which often impose stricter obligations.
This report will break down each part of this trifecta, offering a structured analysis of the new legal obligations, the serious financial consequences, the challenging operational task of dual breach-reporting mandates, and the continued importance of legal precedents in establishing corporate negligence.
I. The New Liability Paradigm: The Digital Personal Data Protection (DPDP) Act, 2023
The Digital Personal Data Protection (DPDP) Act, 2023, which received Presidential approval on August 11, 2023, serves as the new foundation of India’s data protection system. It replaces the fragmented rules under the Information Technology (IT) Act, 2000, and sets a new standard for corporate liability.
Defining the Key Actors: Data Fiduciary vs. Data Processor
The Act’s liability framework is based on the specific roles assigned to entities that process data:
• Data Fiduciary: This is any person who determines the purpose and means of processing personal data. In corporate terms, this is the primary organization that collects and uses data, bearing the main legal responsibility.
• Data Processor: This refers to anyone who processes personal data on behalf of a Data Fiduciary. This includes cloud service providers, payroll processors, marketing companies, and other third-party vendors.
This distinction is crucial to the new liability model.
The Fiduciary’s Absolute and Inalterable Liability
A significant structural decision in the DPDP Act is to place all main obligations and, therefore, all direct liability on the Data Fiduciary. Data Fiduciaries remain responsible for overall compliance, regardless of any contracts with data processors. Data Processors themselves have no direct obligations or penalties under the Act.
This legal setup has a major economic impact. The Data Fiduciary (the corporation) is now fully responsible to the regulator (the DPBI). The common defense of “it was our vendor’s fault” has no legal standing in an adjudication process.
This regulatory risk, with a potential ₹250 Crore penalty, must be managed financially. This is already changing B2B contracts in India. Data Fiduciaries are forced to demand unlimited liability clauses and large indemnity provisions from their Data Processors to cover the Fiduciary’s potential regulatory fines. This shifts the regulatory liability through contractual agreements. This change is likely to create a two-tier market: large, established processors will be able to handle this liability, while smaller Indian startups and mid-sized vendors may be pushed out of the market because they cannot take on a risk that might bankrupt them.
Defining a “Personal Data Breach”: A Standard Without a Threshold
The trigger for liability is a “personal data breach.” The Act defines this broadly:
“Any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data.”
Importantly, the Act requires reporting for all personal data breaches, no matter their sensitivity or impact. Unlike the EU’s GDPR, the DPDP Act does not include a materiality threshold or “risk of harm” qualifier.
This broad definition creates a significant operational burden. By this definition, if an employee accidentally sends a customer list to the wrong colleague, it counts as a reportable breach of confidentiality. While the Data Protection Board of India may not require notification of affected Data Principals for a low-risk breach, this does not exempt the Fiduciary from its obligation to report the breach to the DPBI.
This may lead to “reporting fatigue,” as the DPBI receives many trivial breach reports. For companies, this makes their internal incident logging and assessment the most important compliance tool. Deciding not to report a minor incident, if later found out, could result in a ₹200 Crore penalty for failing to notify.
The Main Duty: “Reasonable Security Safeguards” Under the Act and Draft Rules
The core of corporate liability is found in Section 8(5) of the DPDP Act. This section requires that a Data Fiduciary must protect personal data by taking reasonable security measures to prevent a personal data breach. A violation of this obligation carries the Act’s highest penalty.
The Act does not define “reasonable.” This gap is addressed by the Draft Digital Personal Data Protection Rules, 2025, published in January 2025. Rule 6 of these Draft Rules provides detailed requirements, stating minimum safeguards that Fiduciaries must implement. These include:
• Encryption and data masking.
• Access control mechanisms.
• Maintenance of logs.
• Incident detection, investigation, and remediation.
• Implementing information security protocols that follow standards like IS/ISO/IEC 27001.
A key point in the Draft Rules is that these safeguards apply to all types of data fiduciaries, regardless of their business type or the amount and sensitivity of personal data they process.
This creates a “one-size-fits-all” issue. While the penalty section of the Act implies a risk-based approach—where fines depend on the nature and sensitivity of personal data involved—the Draft Rules contradict this by imposing uniform standards. This has been called potentially burdensome for smaller businesses. However, the legal consequence is clear: the standard for “reasonableness” is now defined by the Rules. Failing to implement these basic safeguards, such as encryption, could lead to a straightforward violation, making it easier for the DPBI to impose a penalty.
II. The Financial Consequences: Penalties Under the DPDP Act
The major “stick” of the DPDP Act is its unprecedented schedule of financial penalties designed to be a serious deterrent.
The Schedule: A New Era of Unprecedented Financial Deterrence
The Schedule to the DPDP Act, 2023, prescribes the penalty cap for certain non-compliances at ₹250 Crore maximum for each breach [1]. This is in contrast to the GDPR, which bases penalties on worldwide turnover. Accordingly, the DPDP Act prescribes absolute caps, albeit very high ones. The Act also allows the DPBI to impose composite penalties for multiple non-compliances.
The two biggest penalties are consciously crafted to be a strategic deterrent. The penalty for the root cause (failure of safeguards, at ₹250 Crore) and the penalty for the cover-up (failure to notify, at ₹200 Crore) are amongst the highest under the Act [1]. This legislative framing has made a cover-up financially illogical. A company that keeps a breach under wraps to avoid the ₹250 Crore penalty still risks that very same penalty, if not more, once the breach is discovered, plus ₹200 Crore as the penalty for the cover-up. The law is designed to make the cover-up more expensive than the original sin, forcing companies towards transparency.
The key penalties are summarized below.
Table 1: Schedule of Penalties under the DPDP Act, 2023
| Breach / Non-Compliance | Maximum Penalty (INR) | Relevant Act Provision(s) & Source(s) |
|---|---|---|
| Failure to take “reasonable security safeguards” to prevent a personal data breach | ₹250 Crore (approx. USD 30 million) | Section 8(5) |
| Failure to notify the Board and affected Data Principals of a personal data breach | ₹200 Crore | Section 8(6) |
| Breach of additional obligations in relation to children’s data | ₹200 Crore | Section 9 |
| Breach of additional obligations of Significant Data Fiduciary (SDF) | ₹150 Crore | Section 10 |
| Breach of Data Principal duties (e.g., filing false complaints) | ₹10,000 | Section 15 |
| Any other non-compliance (“Other Breaches”) | ₹50 Crore | Section 15 |
Adjudication: The Powers of the Data Protection Board of India (DPBI)
Application of these sanctions becomes the responsibility of the newly formed Data Protection Board of India (DPBI). The DPBI is an “independent board” that is “enshrined with powers of a civil court”. The mandate of the DPBI is to:
• Investigate complaints from Data Principals.
• Determine whether or not there is non-compliance with the Act.
• Impose monetary penalties.
In determining the amount of a penalty, the Board is not arbitrary. It must consider a range of mitigating and aggravating factors that include:
• “The nature, gravity and duration of the breach”.
• Type and nature of personal data involved.
• The “harm caused to individuals”.
• Time span of the violation.
For companies, there is a possible off-ramp provided by the Act. The Board can accept under Section a “Voluntary Undertaking” from the company. This is a promise to do or not to do certain things and, if accepted, may operate as a bar to further proceedings.
III. Establishing Negligence: Legacy Jurisprudence and Its Enduring Relevance
The DPBI will not be adjudicating these new, massive penalties in a legal vacuum. The standard for “reasonable security” will be heavily informed by the constitutional mandate and the small body of jurisprudence developed under the (now repealed) IT Act.
Landmark Judgment: Justice K. S. Puttaswamy (Retd.) v. Union of India (2017)
This 2017 nine-judge Supreme Court bench is the constitutional bedrock for all Indian data law. It unanimously pronounced the Right to Privacy as a fundamental right enshrined in Article 21 (Right to Life) of the Constitution. This judgment is not simply history; it is the legal mandate that necessitated the framing of the DPDP Act. It establishes that data protection is a fundamental right and any DPBI adjudication will be viewed through this high constitutional lens.
Landmark Adjudications under Section 43A (IT Act)
While Section 43A is no longer on the books, the adjudications under it are the only extant Indian jurisprudence on what constitutes a “failure to implement reasonable security practices” in a data breach context. These cases therefore afford a clear window into how Indian adjudicators approach corporate negligence.
• Case Study: Krishna Kumar Tiwari vs. State Bank of India (2023)
  • Facts: A consumer approached the Madhya Pradesh adjudicating officer after 13 fraudulent transactions took place, stating the bank was negligent in safeguarding his personal information.
  • Judgment: The adjudicating officer found the bank liable for “negligence, failure to protect the secure personal information.” The bank was ordered to pay compensation for the reported loss plus Rs. 50,000 for “legal fees and mental agony”.
• Case Study: Balendra Prasad Soni vs. State Bank of India (2023)
  • Facts: A customer complained of unauthorized withdrawal of Rs. 80,000 from his savings account.
  • Judgment: The adjudicating authority held that there was “grave contravention, deficiency of service and failure to implement reasonable security practices on the part of the bank.” The bank was directed to pay total compensation for the loss along with Rs. 50,000.
Why This Case Law Remains Critical for DPBI Adjudication
These legacy cases are important for one reason: the DPDP Act too (Section 8(5)) incorporates precisely the same legal principle as the old Section 43A—the duty to maintain “reasonable security” safeguards.
The Tiwari and Soni cases illustrate how the adjudicators have treated a breach of the above preventative measures as prima facie evidence of negligence. This, in effect, shifted the burden of proof onto the bank to prove it was not negligent (which it failed to do).
The DPBI will almost certainly follow this “strict liability” interpretation of negligence. If a breach occurred, the Data Fiduciary will be deemed negligent unless it can show overwhelming evidence of its robust, compliant “reasonable security safeguards” (e.g., ISO 27001 audits, access logs, and encryption key management records). These old cases, which resulted in payouts of roughly Rs. 1 Lakh, will now serve as the jurisprudential basis for imposing penalties of up to ₹250 Crore.
IV. The Criminal Liability Vector: The Bharatiya Nyaya Sanhita (BNS), 2023
The second leg of the liability triumvirate extends beyond monetary damages into the growing area of potential criminal liability. The IPC has been replaced by the BNS, 2023, which introduces new criminal provisions that are particularly severe in the context of cyber-crime.
BNS Section 111: “Cyber-Crime” as “Organised Crime”
This is amongst the major changes in the new penal code [4]. Section 111 of the BNS (Organised Crime) now expressly includes “cyber-crimes” and “economic offences” as predicate acts constituting “organised crime”.
This offense, applicable to acts committed by members of a “crime syndicate”, attracts severe penalties: imprisonment from five years to life, or even death.
This creates a new vector of corporate criminal liability. Usually, in a data breach, the corporation is the victim of the “cyber-crime.” Section 111(4) of the BNS penalises anyone who assists or harbours a member of an organised crime syndicate. Section 111(5) penalizes any person in possession of the proceeds of organised crime.
This could be used by prosecutors to pursue criminal charges against a corporation, or its directors. In a case of gross negligence where a company is shown to have willfully ignored security, it could be argued they “aided” the syndicate. More directly, if an insider is found to have sold data to a hacking syndicate – as was alleged in the 2024 Star Health Insurance case – the corporation itself could be implicated in facilitating “organised crime”. This shifts a data breach from a compliance issue to a criminal law issue for the board.
BNS 335: “Making a False Electronic Record” (Identity Theft)
BNS Section 335 (which replaces the IPC’s forgery sections) explicitly includes “making a false electronic record.” This provision is the statutory basis for prosecuting identity theft, which is the primary consequence of a personal data breach.
Illustrations from the BNS: Translating 19th-Century Forgery to 21st-Century Cyber-Crime
The BNS itself provides illustrations that, though archaic, have a direct and chilling 21st-century application.
• BNS Section 335, Illustration: “A draws a bill of exchange upon a fictitious person, and fraudulently accepts the bill in the name of such fictitious person with intent to negotiate it. A commits forgery.”
This 19th-century illustration translates directly to a modern data breach scenario:
1. A hacker (the new “A”) obtains personal information such as name, address, and PAN from a corporate data breach.
2. The hacker combines real data from different victims to create a “synthetic identity”, which is the “fictitious person”.
3. He uses this synthetic identity to apply for a digital loan or credit card (the “bill of exchange”), thereby “making a false electronic record.”
4. He “fraudulently accepts” the line of credit in the name of this “fictitious person” with the “intent to negotiate it”, i.e., to max it out and cash it out.
This example confirms that the BNS gives a well-drawn criminal framework in order to prosecute the perpetrators of identity theft. For corporations, this emphasises the severe criminal consequences associated with the same data they are failing to protect.
V. Conclusion: A Strategic Framework for Corporate Compliance
The Digital Personal Data Protection (DPDP) Act, 2023, marks a seismic and irreversible shift, rather than a culmination. What had been, until now, a single-track civil risk of data breaches for Indian companies has transformed into a multi-front war requiring a new, unified governance model.
Indeed, the landscape today is defined by a trifecta of liability:
1. The enormous financial penalties under the DPDP Act, up to ₹250 Crore, which are essentially punitive, paid to the state, and hence replace the earlier model of individual compensation.
2. The new latent threat of criminal prosecution under the Bharatiya Nyaya Sanhita for “cyber-crimes” as “organised crime.”
3. The “strictest-rule-wins” principle preserves the authority of parallel and often stricter sector-specific regulations from the RBI, SEBI, and IRDAI.
The immediate operational flashpoint for any organization will be the dual breach notification mandate: the 6-hour technical report to CERT-In and the 72-hour legal report to the Data Protection Board of India create a legal jeopardy trap wherein a hasty technical admission can lead directly to a nine-figure fine.
Ultimately, the DPDP Act, 2023, and its sister laws call for a new, integrated approach. The days are long gone when data breaches were treated as some sort of siloed IT issue. It is, without question at this point, one of the most significant, financially consequential, complex sources of corporate liability facing a company’s board and its executive leadership today.