IT Act 2000

Section 43

Penalty and Compensation for Damage to Computer, Computer System, etc.

THE STATUTE

Original Text

If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network, — (a) accesses or secures access to such computer, computer system or computer network or computer resource; (b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium; (c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; (d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network; (e) disrupts or causes disruption of any computer, computer system or computer network; (f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means; (g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act; (h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network, he shall be liable to pay damages by way of compensation to the person so affected.

Simplified

Section 43 is the civil liability backbone of the IT Act. It creates a compensatory remedy — not criminal prosecution — for eight distinct types of computer-related wrongs. The affected party can approach the Adjudicating Officer (appointed under Section 46) rather than filing a criminal complaint, making this a faster civil enforcement route. The maximum compensation was originally ₹1 crore, though the 2008 Amendment removed this cap for the corresponding criminal provision under Section 66 by making it a proper criminal offence. Section 43A (inserted by 2008 Amendment) specifically addresses corporate negligence in data protection. The eight acts covered are: (a) unauthorised access — the classic hacking scenario; (b) data theft — copying or downloading data without permission; (c) virus/malware introduction; (d) system damage; (e) disruption; (f) denial of access (DoS attacks); (g) aiding and abetting unauthorised access; (h) session hijacking or account manipulation. The person must act 'without permission' — so authorised security testing, penetration testing by employees, and legitimate system administration do not attract liability.

Common Queries

Section 43 provides for compensation up to ₹1 crore for damage to a computer system or network. The Adjudicating Officer determines the quantum based on actual loss suffered.

Section 43 is a civil liability provision — it provides for compensation, not imprisonment. Criminal liability for the same acts is covered under Section 66.

Any person whose computer, computer system, or computer network has been damaged can approach the Adjudicating Officer appointed under Section 46 to claim compensation under Section 43.

Section 43 covers unauthorised access, data downloading, introduction of viruses or malware, damage to computer systems, disruption of services, denial of service attacks, and assistance to others in committing these acts.

Legal Evolution

Section 43 was the primary civil cyber-harm remedy for the first eight years of the IT Act. Before the 2008 Amendment's introduction of Section 66 as a proper criminal offence, hackers and cyber attackers could only be pursued through this civil compensation route. Many early IT Act cases were adjudicated before the Adjudicating Officers under Section 43 rather than criminal courts. Section 43A was added in 2008 following concerns about corporate data breaches and negligent handling of customer data — a precursor to comprehensive data protection legislation.

Key Amendments

2008 Amendment added Section 43A — corporate liability for negligent data protection practices.

The criminal equivalent, Section 66, was substantially strengthened in 2008 to complement Section 43's civil remedy.

Original cap of ₹1 crore compensation has been interpreted as the ceiling for Adjudicating Officer jurisdiction.

Landmark Precedents

National Association of Software and Service Companies v. Ajay Sood & Others (2005)

119 (2005) DLT 596

RELEVANCE

Delhi HC recognised phishing as an illegal activity under Indian law, applying IT Act principles to hold defendants liable for fraudulent access and data theft.

Mphasis BFL Ltd. v. Raju (2005)

Adjudicating Officer, Karnataka

RELEVANCE

First major Section 43 adjudication involving call centre employees who misused customer banking credentials — established precedent for insider data theft liability.

Cyber Protocol Info

Section Type: ORIGINAL

OffenceUnauthorised access, data theft, virus introduction, denial-of-service, damage to computer systems

CognizableN/A (Civil)

Trial AuthorityAdjudicating Officer

Cross-References

43A : Compensation for Failure to Protect Data 46 : Power to Adjudicate 66 : Computer Related Offences (Criminal)72 : Breach of Confidentiality and Privacy