📞 Helpline No: 9311159707, 7859999944

Akhil Bhartiya Cyber Suraksha Sangathan (Regd.)

Regd. with Registrar of Society of NCT Delhi-Regd. No-287

Protection from Cyber Criminals, Defence of Digital India

All India Cyber Security Organisation (Regd.)

India's first cyber crime investigation NGO

Stay alert online, stay safe from cyber crime
www.abcss.org
Email: info@abcss.org
AMIT MALHOTRA

(Cyber Crime Investigation Specialist)

Founder Akhil Bhartiya Cyber Suraksha Sangathan

18 yrs experience in crime prevention, detection and investigation. Certified Ethical Hacker from EC-Council. Certified Cyber Crime Investigator from Asian School of Cyber Laws. Presently working in the area of cyber crime investigation.

📜 INFORMATION TECHNOLOGY ACT, 2000 (WITH 2008 AMENDMENTS)
The Information Technology Act, 2000 (IT Act 2000) is India's primary legislation governing all activities related to electronic commerce, digital signatures, cyber crimes and electronic governance. Enacted on 9th June 2000 and notified on 17th October 2000, it was modelled on the UNCITRAL Model Law on Electronic Commerce, 1996. The Act was significantly amended in 2008 — through the Information Technology (Amendment) Act, 2008 — which came into force on 27th October 2009. The 2008 Amendment dramatically expanded the scope of cyber crime offences, enhanced penalties, introduced new sections for identity theft (66C), cheating by personation (66D), privacy violation (66E) and cyber terrorism (66F), and strengthened data protection provisions. The IT Act 2000 applies to the entire country of India and also to any offence committed outside India involving a computer, computer system or computer network located in India.
📋 IT ACT 2000 — KEY FACTS & OVERVIEW
Year of Enactment: 2000
Year of Amendment: 2008
Total Sections: 94
Total Chapters: 13
Maximum Punishment (Sec 66F): Life Imprisonment
Max Penalty (DPDP + Sec 43): ₹5 Cr

The IT Act 2000 covers: legal recognition of electronic records and digital signatures, e-governance, electronic contracts, cyber offences and penalties, data protection obligations, role of Certifying Authorities (CA), duties of intermediaries (ISPs, social media, cloud services), establishment of the Cyber Appellate Tribunal, and appointment of the Adjudicating Officer. The 2008 Amendment introduced sweeping changes including recognition of new forms of communication (mobile phones, tablets), enhanced intermediary liability, new cyber crime offences, increased penalties and stronger provisions for child safety online.

Sections 43 to 45 provide civil remedies — compensation payable to affected persons — for various forms of computer abuse. Unlike criminal sections, these do not require proof of criminal intent; negligence or unauthorised access is sufficient.
Sec 43: Penalty for Damage to Computer System Without Permission | Up to ₹1 Crore Compensation
Who is liable: Whoever without permission of the owner or any other person in charge of a computer, computer system or computer network:
(a) accesses or secures access to such computer or network;
(b) downloads, copies or extracts any data;
(c) introduces or causes to be introduced any computer contaminant or computer virus;
(d) damages or causes to be damaged any computer or data;
(e) disrupts or causes disruption of any computer;
(f) denies or causes the denial of access to any authorised person;
(g) provides any assistance to any person to facilitate access;
(h) charges the services availed of by a person to the account of another person.

Remedy: Such person shall be liable to pay damages by way of compensation to the person so affected. The Adjudicating Officer can award compensation up to ₹1 crore. This section covers all forms of hacking, data theft, DoS attacks and unauthorised access.

Key Point: Section 43 is a civil remedy — the victim can claim monetary compensation even without filing a criminal complaint.
Sec 43A: Compensation for Failure to Protect Sensitive Personal Data (Added 2008) | Compensation as Determined
Who is liable: Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Scope: Applies to all companies, hospitals, banks, e-commerce firms, IT companies and other organisations that collect and process personal data (medical records, financial information, passwords, biometric data).

Key Point: This section was the first Indian law holding organisations directly accountable for data breaches caused by inadequate security — a precursor to modern data protection laws. Now supplemented by the Digital Personal Data Protection Act 2023.
Sec 44: Penalty for Failure to Furnish Information, Returns or Reports | Up to ₹1.5 Lakh Fine
Who is liable: If any person who is required under the IT Act or any rules or regulations made thereunder to:
(a) furnish any document, return or report — shall be liable to a penalty not exceeding ₹1.5 lakh for every such failure;
(b) file any return or furnish any information — shall be liable to a penalty not exceeding ₹5,000 for every day during which such failure continues;
(c) maintain books of account or other records — shall be liable to a penalty not exceeding ₹10,000 for every day during which the failure continues.

Key Point: Primarily applies to Certifying Authorities, intermediaries and regulated entities that have reporting obligations under the IT Act.
Sec 45: Residuary Penalty | Up to ₹25,000
Provision: Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding ₹25,000 to the person affected by such contravention or a penalty not exceeding ₹25,000.

Key Point: This is a catch-all provision ensuring that any violation of IT Act rules or regulations that is not covered by a specific section still attracts a minimum financial penalty.
🔐 CYBER CRIME OFFENCES — SECTIONS 65 TO 74
These are the criminal sections of the IT Act — violations attract imprisonment and/or fines. The 2008 Amendment added Sections 66A through 66F, 67A, 67B, 69A, 69B and 70B.
Sec 65: Tampering with Computer Source Documents | 3 Yrs + ₹2 Lakh Fine
Offence: Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable.

Punishment: Imprisonment up to 3 years, or fine up to ₹2 lakh, or both.

Examples: Tampering with government software source code, altering EVM software, destroying mandatory audit trails, modifying billing system code to evade taxes.
Sec 66: Computer Related Offences (Hacking) | 3 Yrs + ₹5 Lakh Fine
Offence: If any person, dishonestly or fraudulently, does any act referred to in Section 43, he shall be punishable. This is the primary criminal hacking section — it criminalises the same acts as Section 43 when done with dishonest or fraudulent intent.

Punishment: Imprisonment up to 3 years, or fine up to ₹5 lakh, or both.

Examples: Hacking websites, stealing data from servers, installing malware on systems, conducting DoS attacks, gaining unauthorised access to banking systems — all done with dishonest intent.
Sec 66A: Punishment for Sending Offensive Messages [STRUCK DOWN] | Struck Down — SC 2015
Historical Note: Section 66A originally penalised sending "offensive" or "menacing" messages through communication services. It was struck down as unconstitutional by the Supreme Court of India on 24 March 2015 in the landmark case Shreya Singhal v. Union of India — on grounds that it violated Article 19(1)(a) (Freedom of Speech) as its terms were vague, overbroad and capable of misuse to suppress legitimate free speech.

Current Position: Section 66A is no longer in force and cannot be used to prosecute anyone. Harassment and threatening messages are now prosecuted under BNS Section 351 (criminal intimidation), BNS 356 (defamation) and other applicable provisions.
Sec 66B: Receiving Stolen Computer Resource or Communication Device | 3 Yrs + ₹1 Lakh Fine
Offence: Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished.

Punishment: Imprisonment up to 3 years, or fine up to ₹1 lakh, or both.

Examples: Buying or using hacked email accounts, purchasing stolen login credentials on dark web marketplaces, retaining data known to have been stolen from a company database, using a mobile phone known to be obtained through fraud.
Sec 66C: Identity Theft (Added by 2008 Amendment) | 3 Yrs + ₹1 Lakh Fine
Offence: Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished.

Punishment: Imprisonment up to 3 years, and fine up to ₹1 lakh.

Examples: Using someone else's password to access their accounts, SIM swapping to steal another person's mobile identity, creating fake profiles using another person's digital credentials, using stolen OTP to authorise transactions, impersonating someone in digital communications.
Sec 66D: Cheating by Personation Using Computer (Added 2008) | 3 Yrs + ₹1 Lakh Fine
Offence: Whoever, by means of any communication device or computer resource, cheats by personating, shall be punished.

Punishment: Imprisonment up to 3 years, and fine up to ₹1 lakh.

Examples: Phishing emails pretending to be from banks, vishing calls impersonating government officials, fake banking websites, Business Email Compromise attacks, digital arrest scams, WhatsApp calls pretending to be from family members, fake customer care numbers.
Sec 66E: Violation of Privacy (Added by 2008 Amendment) | 3 Yrs + ₹2 Lakh Fine
Offence: Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished.

Punishment: Imprisonment up to 3 years, or fine up to ₹2 lakh, or both.

Examples: Secretly filming a person in changing rooms or private spaces, circulating intimate images without consent (revenge porn), voyeurism using hidden cameras, morphing a person's face onto obscene images and distributing them, recording and sharing intimate video calls without the other person's knowledge.
Sec 66F: Cyber Terrorism (Added by 2008 Amendment) | Life Imprisonment
Offence: Whoever, with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by:
(i) denying or causing denial of access to any person authorised to access computer resource;
(ii) attempting to penetrate or access a computer resource without authorisation or exceeding authorised access;
(iii) introducing or causing to be introduced any computer contaminant — and thereby causing or likely to cause death or injuries to persons or damage or destruction of property or disruption of the supply of essential services or adversely affecting the critical information infrastructure.

Punishment: Imprisonment which may extend to LIFE.

Examples: Attacking power grid control systems, hacking banking settlement infrastructure, attacking hospital systems during emergencies, DDoS attacks on defence networks, disrupting railway or air traffic control systems, attacking communication infrastructure during national emergencies.
Sec 67: Publishing Obscene Material in Electronic Form | 3–5 Yrs + ₹5–10 Lakh Fine
Offence: Whoever publishes or transmits or causes to be published or transmitted in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished.

Punishment: First conviction — imprisonment up to 3 years and fine up to ₹5 lakh. Second or subsequent conviction — imprisonment up to 5 years and fine up to ₹10 lakh.

Examples: Sharing obscene content via WhatsApp or email, publishing pornographic content on websites accessible to all, sending obscene messages or images to harass victims.
Sec 67A: Publishing Sexually Explicit Material (Added 2008) | 5–7 Yrs + ₹10 Lakh Fine
Offence: Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished.

Punishment: First conviction — imprisonment up to 5 years and fine up to ₹10 lakh. Second or subsequent conviction — imprisonment up to 7 years and fine up to ₹10 lakh.

Examples: Non-consensual intimate image sharing (revenge porn), circulation of morphed explicit images, sharing sexually explicit content via digital platforms without age verification, explicit content sent via email to harass victims.
Sec 67B: Child Sexual Abuse Material (CSAM) Online (Added 2008) | 5–7 Yrs + ₹10 Lakh Fine
Offence: Whoever publishes, transmits, creates, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form which depicts children engaged in sexually explicit act or conduct; or cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act; or facilitates abusing children online, shall be punished.

Punishment: First conviction — imprisonment up to 5 years and fine up to ₹10 lakh. Second conviction — imprisonment up to 7 years and fine up to ₹10 lakh.

Note: Read together with POCSO Act 2012 for comprehensive child protection. Downloading, viewing, sharing or even searching for CSAM is an offence — there is no defence of accidental viewing.
Sec 69: Power to Issue Directions for Interception, Monitoring or Decryption | 7 Yrs (for non-compliance)
Provision: The Central Government or State Government or any of its officers specially authorised may, in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign states, public order or for preventing incitement to commission of any cognizable offence, by order, direct any agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource.

Punishment for Non-Compliance: Any intermediary or person who fails to extend all facilities and technical assistance shall be punished with imprisonment up to 7 years and shall also be liable to fine.

Key Point: This section is often cited in debates about government surveillance and privacy rights. It provides legal authority for lawful interception of internet communications with proper authorisation.
Sec 69A: Power to Block Public Access to Online Content (Added 2008) | 7 Yrs for Non-Compliance
Provision: The Central Government may, in the interest of sovereignty and integrity of India, defence, security, friendly relations with foreign states, public order or for preventing incitement to commission of any cognizable offence relating to above, by order, direct any agency or intermediary to block public access to any information generated, transmitted, received, stored or hosted in any computer resource.

Punishment for Non-Compliance: Imprisonment up to 7 years and fine.

Key Point: This section was used to block TikTok, PUBG Mobile and 59 Chinese apps in 2020, to block Pakistani social media accounts during security emergencies, and to direct platforms to remove harmful content. The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009 govern its implementation.
Sec 70: Protected System | 10 Yrs Imprisonment + Fine
Provision: The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system. Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished.

Punishment: Imprisonment up to 10 years, and fine.

Examples of Protected Systems: National Power Grid control systems, Defence networks, Banking settlement infrastructure (NPCI, RBI systems), Railway control systems (CRIS), Air traffic control, Nuclear facility systems, Government data centres and UIDAI's Aadhaar infrastructure.
Sec 71: Penalty for Misrepresentation | 2 Yrs + ₹1 Lakh Fine
Offence: Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any licence or Electronic Signature Certificate, as the case may be, shall be punished.

Punishment: Imprisonment up to 2 years, or fine up to ₹1 lakh, or both.

Key Point: Applies to fraudulent obtaining of Digital Signature Certificates by misrepresentation. Digital signatures are used in e-filing of taxes, company registration, government procurement and other official digital processes.
Sec 72: Breach of Confidentiality and Privacy | 2 Yrs + ₹1 Lakh Fine
Offence: Any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such material to any other person, shall be punished.

Punishment: Imprisonment up to 2 years, or fine up to ₹1 lakh, or both.

Examples: A government officer who obtains private emails under Section 69 and leaks them, an Adjudicating Officer who discloses confidential case information, an intermediary employee who shares user data without authorisation.
Sec 72A: Punishment for Disclosure of Information in Breach of Lawful Contract (Added 2008) | 3 Yrs + ₹5 Lakh Fine
Offence: Any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished.

Punishment: Imprisonment up to 3 years, or fine up to ₹5 lakh, or both.

Examples: An IT company employee selling customer personal data to a competitor, a bank outsourcing vendor sharing customer account details with third parties, a healthcare IT service provider disclosing patient data in breach of contract.
Sec 74: Publication for Fraudulent Purpose | 2 Yrs + ₹1 Lakh Fine
Offence: Whoever knowingly creates, publishes or otherwise makes available a Digital Signature Certificate for any fraudulent or unlawful purpose shall be punished.

Punishment: Imprisonment up to 2 years, or fine up to ₹1 lakh, or both.

Examples: Creating fake digital signature certificates to fraudulently sign government documents, using fake DSC to file fraudulent GST returns, forged digital signatures on electronic contracts.
🌐 INTERMEDIARY LIABILITY — SECTION 79
Section 79 and related rules define the obligations and safe harbour protections for intermediaries — including social media platforms, ISPs, e-commerce companies, cloud services and messaging apps operating in India.
Sec 79: Exemption from Liability of Intermediary in Certain Cases | Safe Harbour Protection
Safe Harbour: An intermediary shall not be liable for any third party information, data or communication link made available or hosted by him if:
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored;
(b) the intermediary does not initiate the transmission, select the receiver of transmission and select or modify the information contained in the transmission;
(c) the intermediary observes due diligence while discharging its duties under this Act.

Loss of Safe Harbour: The intermediary loses protection if it has actual knowledge of unlawful content, fails to take down content upon court order or government direction, or conspires or abets the unlawful act.

IT (Intermediary Guidelines) Rules 2021: Social media companies with over 5 million users must appoint a Chief Compliance Officer, Nodal Contact Person and Grievance Officer in India. They must respond to government orders within 36 hours and grievances within 15 days. Significant Social Media Intermediaries (SSMIs) must enable traceability of originator of messages.
Sec 79A: Electronic Evidence Examiner (Added 2008) | Regulatory Provision
Provision: The Central Government may, for the purposes of providing expert opinion on electronic form evidence before any court or other authority, by notification in the Official Gazette, designate any Department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.

Key Point: This section establishes the legal basis for electronic evidence examiners — government-authorised experts who provide forensic analysis and expert testimony on digital evidence in courts. Their reports are admissible as expert evidence in criminal and civil proceedings.
🔏 DIGITAL SIGNATURES & CERTIFYING AUTHORITY
Chapters V through VIII of the IT Act deal with the legal framework for digital signatures, Electronic Signature Certificates (ESC) and Certifying Authorities (CAs) — organisations authorised to issue digital signature certificates in India.
Sec 5: Legal Recognition of Electronic Signatures | Legal Recognition
Provision: Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person — the requirement shall be deemed to have been satisfied if such information or matter is authenticated by means of electronic signature affixed in such manner as may be prescribed by the Central Government.

Key Point: This is the foundational section that gives digital signatures the same legal standing as physical signatures in India — enabling e-filing of taxes, digital contracts, company registration and government submissions.
Sec 17–34: Certifying Authorities — Licensing and Regulation | Regulatory Framework
Framework: Sections 17–34 establish the framework for Certifying Authorities (CAs) — who can issue Digital Signature Certificates (DSC) in India. The Controller of Certifying Authorities (CCA) under the Ministry of Electronics and IT (MeitY) is the apex regulatory body.

Licensed CAs in India: eMudhra, National Informatics Centre (NIC), IDRBT, SafeScrypt, Capricorn, CDAC, TCS-CA and NSDL e-Governance are licensed by CCA to issue DSCs.

Key Point: DSCs are used for ITR e-filing, GST registration, company incorporation (MCA), e-tendering, EPFO, customs and many government services.
⚖️ ADJUDICATION & APPEALS
Sections 46–64 deal with the adjudication process for civil disputes under the IT Act, establishment of the Cyber Appellate Tribunal and appeals process.
Sec 46: Adjudicating Officer — Power to Adjudicate | Civil Adjudication
Provision: The Central Government shall appoint any officer not below the rank of a Director to the Central Government or an equivalent officer of a State Government to be an Adjudicating Officer for holding an inquiry in cases where a contravention of any of the provisions of this Act has been committed.

Powers: The Adjudicating Officer can summon persons, examine evidence, order production of documents and award compensation up to ₹5 crore. The Adjudicating Officer has the powers of a Civil Court for the purposes of taking evidence.

Key Point: The Adjudicating Officer provides an alternative to civil courts for resolving disputes and awarding compensation under the IT Act — faster and more technical than regular courts.
Sec 48–64: Cyber Appellate Tribunal (CAT) | Appellate Authority
Provision: Sections 48–64 establish the Cyber Appellate Tribunal (CAT) — a quasi-judicial body that hears appeals against orders of the Adjudicating Officer. The Chairperson of CAT must be a retired High Court judge or equivalent.

Appeal Process: Any person aggrieved by an order of the Adjudicating Officer may appeal to the CAT within 45 days of the order. The CAT can confirm, modify or reverse the order of the Adjudicating Officer.

Further Appeal: Appeals against CAT orders lie to the High Court on questions of law.
📊 IT ACT 2000 — QUICK REFERENCE CHART
Section | Offence / Subject | Punishment | Added in 2008?
Sec 43 | Unauthorised access / damage to computer | Compensation up to ₹1 Cr | No (Modified)
Sec 43A | Failure to protect sensitive personal data | Compensation as determined | Yes ✓
Sec 65 | Tampering with computer source code | 3 Yrs + ₹2 Lakh Fine | No
Sec 66 | Computer related offences (hacking) | 3 Yrs + ₹5 Lakh Fine | No (Modified)
Sec 66A | Offensive messages [STRUCK DOWN — SC 2015] | Not applicable | Yes ✓
Sec 66B | Receiving stolen computer resource | 3 Yrs + ₹1 Lakh Fine | Yes ✓
Sec 66C | Identity theft | 3 Yrs + ₹1 Lakh Fine | Yes ✓
Sec 66D | Cheating by personation via computer | 3 Yrs + ₹1 Lakh Fine | Yes ✓
Sec 66E | Privacy violation / voyeurism | 3 Yrs + ₹2 Lakh Fine | Yes ✓
Sec 66F | Cyber terrorism | Life Imprisonment | Yes ✓
Sec 67 | Publishing obscene material online | 3–5 Yrs + ₹5–10 Lakh Fine | No (Modified)
Sec 67A | Publishing sexually explicit material | 5–7 Yrs + ₹10 Lakh Fine | Yes ✓
Sec 67B | Child sexual abuse material online | 5–7 Yrs + ₹10 Lakh Fine | Yes ✓
Sec 69 | Interception/monitoring of computer traffic | 7 Yrs (non-compliance) | No (Modified)
Sec 69A | Blocking of online content | 7 Yrs (non-compliance) | Yes ✓
Sec 70 | Accessing protected systems | 10 Yrs Imprisonment + Fine | No (Modified)
Sec 72 | Breach of confidentiality and privacy | 2 Yrs + ₹1 Lakh Fine | No
Sec 72A | Disclosure of personal information in breach of contract | 3 Yrs + ₹5 Lakh Fine | Yes ✓
Sec 74 | Publication of DSC for fraudulent purpose | 2 Yrs + ₹1 Lakh Fine | No
Sec 79 | Intermediary safe harbour / liability | Regulatory | No (Modified)
🚨 Victim of Cyber Crime? Report Immediately!

National Cyber Helpline: 1930 (24×7)
Report online: cybercrime.gov.in