Introduction
Tortious liability for data breaches and cybercrimes involves applying principles of tort law, especially negligence, to harm caused by unauthorized access to data or cyberspace activities, often supplemented by specific legislation like India’s Information Technology Act. The elements of a tort claim—duty, breach, causation, and damages—must be proven, though establishing them in the digital realm presents challenges. Compensation for such harm can come from statutory civil penalties, such as those under Section 43 of the IT Act, or through common law tort claims.
Meaning of Tort and Tortious liability
“A tort is a civil wrong for which the remedy is an action on unliquidated damages and which is not solely the violation of a contract, or the violation of a trust, or the violation of other mere equitable duty” - Salmond
The word ‘tort’ was brought into the vocabulary of English law by the French-speaking judges and lawyers of the courts of the Angevin and Norman Kings of England. As a term of English law, tort has gained a technical meaning as a species of civil wrong or injury. Until around the middle of the seventeenth century, when procedure was deemed to be more relevant than the right of a person, tort was a rare word. This priority of the procedural element in deciding the success of a case remained for about 500 years, until 1852, when the Common Law Procedure Act was enacted and the priority of substance over procedure slowly gained stronger ground. Nowadays the maxim in its present form is ‘ubi jus ibi remedium’, i.e. where there is a right, there is a remedy.
Tortious liability is the legal responsibility of the State for any damage or harm caused to persons or their property because of wrongful omissions or acts. The word tort is derived from the Latin word ‘Tortum’ which means ‘to twist’.
The Basic Concepts: Tort, Cybercrime, and Data Breach
Tort
- It is a civil wrong (excluding breach of contract) which is actionable at law, for which there is a remedy provided by the law (usually, damages). The key ingredients are: breach of duty, causation, damages, and duty of care.
- Tort law imposes liabilities not by agreement but by law, to protect rights of persons generally. Wrongful acts or omissions which violate a legal duty and cause legal injury may give rise to tortious liability.
Data Breach
A data breach is an incident that results in the unauthorized exposure of confidential, private, protected, or sensitive information. These breaches can occur accidentally or intentionally, involving either external attackers or insiders within an organization. The stolen information can be exploited for financial gain or used in further attacks, making data breaches a significant threat to both individuals and businesses.
Cyber-Crimes
Cybercrime refers to the use of the internet or computers for illegal activities. Some of these include hacking, phishing, ransomware, identity theft, and internet fraud.
Both data breaches and cybercrimes cause significant harm to people and organizations, who suffer financial losses, psychological burden, and reputational damage as a result.
Elements of Tortious Liability in Data Breach
In establishing tort liability, four basic elements are required to be proven:
(a) Duty of Care
Once a company collects individuals’ personal data, it is legally bound to protect it.
Banks, hospitals, internet stores, and government agencies alike all owe a duty of care to their clients.
Such duty includes that they ought to take reasonable precautions — like encryption, firewalls, and secure servers — to prevent theft of data.
In India, this responsibility is further upheld by Section 43A of the Information Technology Act, 2000, which makes a company liable for damages if it fails to implement “reasonable security practices.”
(b) Breach of Duty
Breach occurs where the organization does not exercise that duty of care.
Examples are:
- Not updating software or using outdated systems,
- Poor password protection,
- Not restricting employees’ access to information,
- Neglect of warning signals about system vulnerabilities.
If such lapses result in a violation, the company is liable for negligence.
(c) Causation
The plaintiff has to show that the loss was due to the negligence of the defendant — and not due to other, independent causes.
In cyber cases, this is typically tough because there can be several players involved (such as hackers, vendors, or employees).
Courts typically apply the foreseeability doctrine — if the defendant should reasonably have foreseen the risk and failed to avoid it, causation applies.
(d) Damage
Finally, the victim has to establish actual harm — namely:
- Financial loss,
- Identity theft,
- Loss of reputation,
- Emotional distress.
Modern courts increasingly recognize that even emotional or psychological harm caused by data breaches can warrant damages.
Legal Framework in India
India has a framework where tortious liability for data breach is recognized to some extent, but there are gaps and uncertainties.
1) Information Technology Act, 2000 (IT Act)
India’s primary law dealing with cyber-related issues is the Information Technology Act, 2000. It includes both civil and criminal penalties.
● Section 43:
Covers unauthorized access, damage to computer systems, and data theft. Victims can seek compensation.
● Section 43A:
Introduced to address civil liability. If a body corporate fails to implement reasonable security practices and this results in wrongful loss or gain, it is liable to pay damages by way of compensation.
2) Constitutional Right to Privacy
Privacy was deemed to be a constitutional right under Article 21 by the Supreme Court in K.S. Puttaswamy v. Union of India (2017).
This decision forms the foundation for tort-based protection of privacy in India.
3) Digital Personal Data Protection Act, 2023
The DPDP Act focuses on the duties of data fiduciaries, consent, and punishment.
But it predominantly provides administrative remedies, not personal compensation — so tort law remains on the table for victims seeking damages.
Recent Data Breaches in India
1. Zomato Data Leak (2017)
Over 17 million user records, including emails and hashed passwords, were stolen and sold on the dark web.
2. Aadhaar Data Exposure (2018)
An investigative report alleged that access to Aadhaar data was being sold illegally, raising significant privacy concerns.
3. Air India Breach (2021)
Details of around 4.5 million passengers were compromised, including names, passport details, and credit card info.
Conclusion
Tortious liability for data breaches and cybercrimes is a vital tool for accountability in the digital age. While criminal law deals with punishing wrongdoers, civil law (tort) allows victims to be compensated and entities to be incentivized to adopt high security standards. Indian law already has statutory provisions (e.g., Section 43A of the IT Act) that embody this liability, but practical challenges (proof, scope, damages, enforcement) limit its full realization.
Comparative jurisprudence shows that many jurisdictions grapple with similar issues—especially vicarious liability, scope of duties, and reasonable security standards. The future likely holds more developments: stronger data protection laws, clearer tortious principles for cyber injuries, greater awareness among organizations, and judicial precedents.

