*[43A. Compensation
for failure to protect data. - Where a body corporate,
possessing, dealing or handling any sensitive personal data
or information in a computer resource which it owns, controls
or operates, is negligent in implementing and maintaining
reasonable security practices and procedures and thereby causes
wrongful loss or wrongful gain to any person, such body corporate
shall be liable to pay damages by way of compensation, not
exceeding five crore rupees, to the person so affected. (Change
vide ITAA 2008)
Explanation: For the purposes of this section
(i) "body corporate" means any company and includes
a firm, sole proprietorship or other association of individuals
engaged in commercial or professional activities
(ii) "reasonable security practices and procedures"
means security practices and procedures designed to protect
such information from unauthorised access, damage, use, modification,
disclosure or impairment, as may be specified in an agreement
between the parties or as may be specified in any law for
the time being in force and in the absence of such agreement
or any law, such reasonable security practices and procedures,
as may be prescribed by the Central Government in consultation
with such professional bodies or associations as it may deem
fit.
(iii) "sensitive personal data or information"
means such personal information as may be prescribed by the
Central Government in consultation with such professional
bodies or associations as it may deem fit.
* Inserted vide Information Technology Amendment Act, 2008