Published On: December 12th 2025
Authored By: Megha Kumari
IFCAI University, Hyderabad
Abstract
This article investigates corporate responsibility and data protection in India’s fast-digitalizing business environment, emphasizing how business firms cope with legal, governance, and regulatory demands. It analyzes civil, criminal, and vicarious corporate liability, emphasizing directors’ roles and the importance of internal controls and active cyber security measures. It also traces how privacy evolved from a tacit conception to a constitutional right under Article 21, established in K.S. Puttaswamy v. Union of India (2017). The article then chronicles India’s data protection journey from the IT Act, 2000 to the holistic Digital Personal Data Protection Act, 2023, placing it within international frameworks such as the EU’s GDPR, the fragmented sectoral legislation of the U.S., and the UK’s regime. It emphasizes the increasing importance of strong corporate governance in the protection of data and personal privacy in an increasingly networked digital world. On the whole, the study highlights the critical need for reforms that strengthen corporate governance and data protection mechanisms so that data breaches are mitigated efficiently.
Understanding corporate liability
In today’s cyber-dependent business environment, companies are increasingly held accountable not only for their own actions but also for the conduct of their employees, agents, and digital partners. A corporation’s legal exposure spans across civil, criminal, and regulatory frameworks, particularly when handling data breaches. In the aftermath of a cyberattack, businesses must allocate substantial resources toward fixing compromised systems, alerting affected consumers, and cooperating with authorities to trace the breach.[1]
Corporate liability takes three primary forms: civil, criminal, and vicarious.
- Civil liability
Civil liability emerges primarily from contractual breaches, tortious conduct such as negligence, or non-compliance with legal obligations, often resulting in claims for damages.[2]
- Criminal liability
In the criminal realm, corporations can be prosecuted for offences including financial fraud, environmental violations, or corrupt practices.[3] The Indian legal system formally recognized corporate criminal liability in Standard Chartered Bank v. Directorate of Enforcement, allowing for penalties such as monetary fines and imprisonment of responsible officials.[4]
- Vicarious liability
A notable component is vicarious liability, under which companies can be held accountable for misconduct by their employees or representatives if the act occurred in the course of their employment.[5] Although traditional Indian criminal law was reluctant to impose vicarious liability because of the requirement of mens rea, courts have come to accept the concept of corporate intent through the attribution doctrine.[6] These developments highlight the importance for corporations of instituting strong compliance mechanisms and internal governance frameworks to reduce potential legal liabilities.[7]
However, the financial toll extends far beyond these measures. Loss of public trust, decline in investor confidence, market value depreciation, and harm to brand reputation can have enduring consequences for corporate stability and shareholder interests.[8]
Liability does not end with direct employee misconduct. Under the principle of ‘vicarious liability’, a company can be held legally responsible for wrongful acts committed by its workforce, so long as those actions occur within the boundaries of their official duties. Additionally, corporate executives and board members may face scrutiny for insufficient oversight, especially when cybersecurity lapses originate from third-party vendors. The well-known Target breach serves as a cautionary example, where attackers exploited vulnerabilities in a vendor’s system to infiltrate the retailer’s network.[9] As legal thinking evolves, scholars suggest that shareholders could bring derivative actions against directors who fail to ensure that external partners maintain adequate cybersecurity safeguards, thus exposing the organization to data security threats.[10] This underscores the growing necessity for robust internal policies, thorough third-party risk assessments, and active board-level governance to navigate the legal responsibilities imposed by today’s cyber risks.
Definition of privacy
The term “privacy”, derived from the Latin word privatus meaning “apart from the public”, has been interpreted in various ways depending on cultural, legal, and societal contexts. With rapid technological advancements and evolving social norms, many countries’ early legal systems did not adequately anticipate or address the complexities surrounding privacy. At its essence, ‘privacy involves an individual’s ability to exercise control over access to their personal information and life, determining what information is shared, with whom, and under what conditions’. In India this concept is rooted in Article 21. In the Puttaswamy verdict, through its historic ruling, the Apex Court reinforced the status of privacy as a constitutionally protected fundamental right.[11] Globally, this right is supported by foundational human rights instruments such as the UDHR and the ICCPR, which recognize the importance of protecting personal data, private communications, and individual autonomy.[12]
Privacy as an Inherent Constitutional Right
The concept of privacy in India has evolved greatly, from being merely an implicit right to becoming a constitutionally guaranteed one. Earlier judgments such as M.P. Sharma v. Satish Chandra and Kharak Singh v. State of Uttar Pradesh had refused to recognize privacy as a fundamental right. This stance was reviewed in the landmark case of K.S. Puttaswamy v. Union of India (2017), wherein Justice K.S. Puttaswamy (Retd.) challenged the Aadhaar programme on the grounds that compulsory biometric collection of fingerprints and iris scans infringed the right to privacy. The petition raised the broader constitutional question of whether privacy was protected under the Indian Constitution. A nine-judge bench of the Supreme Court, by a majority verdict, ruled that privacy is an integral part of Article 21, which protects life and personal liberty, and is organically linked with the rights to equality, freedom, and dignity. The Court went further to assert that privacy includes personal autonomy, control over one’s information, bodily integrity, and the ability to make personal choices. It also established that any restriction on privacy must satisfy three tests: it must be backed by a law, it must serve a legitimate public interest, and it must meet the test of proportionality and necessity in a democratic society. By reversing previous rulings that had placed privacy outside the purview of fundamental rights, this judgment was a turning point in Indian constitutional law, compelling state officials as well as private persons to protect privacy and supplying the basis for subsequent legislation on data protection and Indian cybersecurity.
Understanding Data breach
Although the phrase “data breach” is not defined independently in Black’s Law Dictionary, its meaning can be pieced together using related entries like breach, confidentiality, and data.[13] A data breach refers to any event where protected or sensitive information is exposed, accessed, or disclosed without proper authorization, intentionally or otherwise. Such incidents may occur due to external cyberattacks, internal misuse, or even human error. Common forms of data breaches include:
Types of data breaches
- Cyber intrusions or malware-based attacks targeting data systems;
- Inadvertent exposure of information due to operational negligence;
- Loss or theft of physical devices such as laptops or hard drives containing personal data; and
- Malicious insider activity, where authorized personnel misuse data for improper purposes.[14]
These breaches not only compromise the personal privacy of individuals but also subject organizations to serious legal, financial, and reputational risks, making robust data protection systems a necessity in today’s digital age.
Directors’ Fiduciary Duties
According to ‘Section 166 of the Companies Act, 2013,’ directors of a company are legally obligated to fulfill their responsibilities with a standard of reasonable care, skill, and diligence. They are prohibited from deriving any illegitimate benefits for themselves or their family members. If such an unjust gain is made, the director is bound to compensate the company by repaying the equivalent value and may also be penalized with a fine of up to ₹5,00,000.[15]
In terms of cybersecurity compliance, Thomas J. Smedinghoff, a prominent authority in the field, suggests that the emerging legal expectations are not based on fixed technological requirements but are flexible and context-sensitive. Instead of mandating the use of specific tools like firewalls or passwords, organizations are expected to engage in a risk-based decision-making process that considers what is most suitable for their unique operations and threat environment.[16]
This shift allows companies to design customized data protection mechanisms, provided they maintain an ongoing process to review and enhance their security systems. Smedinghoff proposes a structured, seven-element process that reflects a “reasonable” standard of care:
- Delegation of Responsibility: Organizations should officially appoint individuals to manage and supervise the data security plan.
- Asset Identification: Businesses must determine which data and digital systems (e.g., servers, laptops) require safeguarding.
- Risk Evaluation: Companies should assess potential internal and external threats and evaluate the effectiveness of existing controls.
- Implementation of Controls: Appropriate security strategies (technical, physical, and administrative) should be adopted to mitigate identified risks.
- Ongoing Monitoring: Security protocols should be regularly tested, updated, and improved to respond to evolving threats.
- Annual and Situational Review: The entire security framework should be reassessed at least once a year or whenever significant operational changes or data breaches occur.
- Oversight of Third Parties: Firms must ensure that external vendors with access to sensitive data possess adequate safeguards to prevent misuse or breaches.[17]
Moreover, corporate directors are bound by the duty of full disclosure, commonly recognized as the duty of candor in Delaware corporate jurisprudence. This principle mandates that directors provide complete and truthful information whenever the company issues a public statement, even if shareholder action is not being requested.
As noted by Professor Lawrence A. Hamermesh, Delaware courts have consistently affirmed that this duty applies to all material facts disclosed in corporate communications, including press announcements. Importantly, it is a strict liability obligation, meaning that directors may be held accountable even in the absence of intent or negligence.[18] This duty serves two main purposes:
(1) to give shareholders legal remedies when they are misled by corporate disclosures, and
(2) to facilitate a presumption of damages, allowing compensation without requiring proof of actual financial loss.[19]
Finally, the board of directors is expected to play a prominent role in supervising data governance and cyber vulnerability. However, there is often a noticeable gap between the increasing cyber threats and the limited efforts made by boards to effectively manage these risks. This disparity underscores the pressing need for enhanced board-level engagement in cybersecurity to safeguard corporate integrity and protect shareholder interests.[20]
Duty of Care, Diligence, and Good Faith
Board members and executives are entrusted with the obligation to act responsibly, which extends across all their roles, including the safeguarding of digital assets. In today’s data-driven environment, this fiduciary responsibility has evolved into a specific obligation to ensure the security of corporate data. While many legal standards across jurisdictions mandate the implementation of “reasonable” or “appropriate” cybersecurity measures, they often fail to define the exact parameters for compliance, leaving ambiguity in execution.[21] As outlined by Smedinghoff, the current legal approach to cybersecurity is highly contextual, emphasizing a process-based assessment over rigid technical prescriptions.[22] This process involves identifying sensitive information assets, evaluating risks, assigning responsibility, implementing responsive controls, and continuously monitoring and updating the security framework.[23] It also requires companies to reassess protocols annually or after any significant change or breach.[24] Furthermore, corporations must ensure that ‘third-party service providers with access to data maintain adequate security capabilities.’[25]
The duty to protect against foreseeable digital threats is not imposed by a single overarching law but arises from a complex matrix of federal, state, and international regulations, common law principles, contractual obligations, and implied commitments.[26] Directors are thus expected to maintain ‘physical, administrative, and technical safeguards that ensure the confidentiality, integrity, and availability of data.’[27] Failing to do so may not only expose the organization to legal consequences but also jeopardize shareholder trust and corporate reputation. Scholars emphasize that this duty is part of a broader obligation to prevent reasonably foreseeable risks in corporate governance.[28]
Evolution of India’s Data Protection Framework
Early Framework – IT Act, 2000 and IT Rules, 2011
Prior to the passage of a stand-alone data protection law, India’s privacy regime was largely regulated by the Information Technology Act, 2000 and the IT Rules, 2011.
- Section 43A held companies liable to pay compensation if they failed to implement reasonable security practices when handling sensitive personal data.[29]
- Section 72A penalized unauthorized disclosure of information gathered under a lawful contract.[30]
The IT Rules, 2011 also set out detailed requirements, mandating organizations to publish privacy policies, obtain informed consent, employ encryption, and appoint grievance officers.[31] These provisions laid a foundation but were limited in reach, as they concentrated on cyber security and contractual liability rather than on individual rights as a whole.
Comprehensive Regime – DPDP Act, 2023
The Digital Personal Data Protection Act, 2023 was a big change as it introduced India’s first full-fledged privacy law. In contrast to the IT Act, it formulates privacy on the basis of rights, aligning with the constitutional acknowledgment of privacy in K.S. Puttaswamy v. Union of India (2017).[32]
Features:
- Consent-based processing: Data may be gathered or used only with free, informed, and specific consent.
- Responsibilities of data fiduciaries: They must implement security measures, disclose breaches, and exercise data minimization by erasing data when its purpose ceases.
- Individual rights: Entails the right to access, rectify, erase, and designate representatives for data rights.
- Regulation: India’s Data Protection Board oversees compliance and can issue fines up to ₹250 crore.[33]
- International data transfer: Allowed only to countries notified by the Central Government.
This Act changes the emphasis from company liability (of the IT Act) to a citizen-focused regime of data rights, obliging both the state and private players to uphold individual privacy.
The Companies Act, 2013 contains no direct provision on data breaches, but several sections create an indirect responsibility to protect company data. Section 166[34] requires directors to exercise due care and act in good faith in the best interest of the company and its stakeholders, which includes protecting sensitive information. Section 149[35] makes it the duty of independent directors to oversee risk management systems, including cyber and data risks. Moreover, Section 447[36] prohibits fraud by companies, which can extend to the abuse, concealment, or wrongful disposition of company information. Collectively, these sections establish a regime of governance and fiduciary responsibility that requires companies to maintain proper data security controls.
Comparative Analysis
- European Union
The General Data Protection Regulation (GDPR) is the primary data protection legislation in the European Union. It took effect on 25 May 2018. It was developed to enhance the digital rights of citizens and to harmonize data protection legislation across all EU member states. Among its most significant provisions are the right to be informed when a data breach occurs and the right to have personal data deleted, the “right to be forgotten”, which allows people to have their personal data erased under specific circumstances.
Organizations under the GDPR should ‘collect and process data fairly, lawfully, and transparently.’ Some of the key principles are restricting the purposes of data use, minimizing data collection, and being responsible for data protection. Companies will have to apply ‘Privacy by Design and by Default, undertake Data Protection Impact Assessments (DPIAs) for high-risk data processing, and appoint Data Protection Officers (DPOs) in certain situations.’ Failure to comply with these principles will result in massive ‘fines of up to €20 million or 4% of the business’s worldwide annual turnover, whichever is greater.’
Notably, the regulation imposes specific obligations on corporate governance structures, mandating that directors and senior executives embed privacy compliance into their risk management and internal control systems. The GDPR has influenced data protection regimes globally, setting a high benchmark for digital rights legislation.
- United States
There is no single, general data protection law in the United States. Instead, it relies on sector-specific statutes, each addressing data privacy for a particular industry. For instance, the ‘Health Insurance Portability and Accountability Act (HIPAA)’ covers healthcare, the ‘Gramm-Leach-Bliley Act (GLBA)’ covers finance, and the ‘Children’s Online Privacy Protection Act (COPPA)’ governs the protection of children’s data online.
Regulatory oversight is decentralized:
- The ‘Federal Trade Commission (FTC)’ acts against deceptive or unfair data practices;
- The ‘Securities and Exchange Commission (SEC)’ oversees disclosure of cybersecurity risks that may impact investors; and
- Shareholders may initiate derivative suits against directors who fail to uphold their fiduciary obligations, especially the duties of care and loyalty.
Rather than preventive duties, the U.S. model typically emphasizes reactive enforcement after breaches or violations occur. Although directors can be held accountable through corporate governance standards, there is no statutory equivalent to GDPR’s structured compliance obligations at the federal level.
- United Kingdom
The United Kingdom has retained most elements of the GDPR in its own ‘UK General Data Protection Regulation and Data Protection Act 2018,’ which remain consistent with the EU’s regulations even after the UK’s departure from the EU (Brexit). The ‘Information Commissioner’s Office is the main office responsible for ensuring compliance with the regulations.’
Corporate accountability is reinforced through governance norms, including those articulated in the UK Corporate Governance Code, which underscores the need for board-level responsibility in managing cyber risks and safeguarding data.
While closely mirroring the EU framework, the UK government has signaled possible reforms to ease regulatory pressures and promote innovation, albeit with a view to maintaining data adequacy for cross-border transfers with the EU.
Challenges
India’s data protection ecosystem is challenged on legal, governance, and enforcement fronts. Legally, the IT Act, 2000, neither places explicit duty on company directors nor provides them with clear responsibilities to thwart violations, and sectoral instructions issued by RBI, SEBI, and IRDAI tend to overlap or contradict each other, thus fragmenting the compliance landscape.
From a corporate governance point of view, boards register only limited concern for data protection, viewing it as a largely technical matter, and sparse judicial interpretation leaves doubt about accountability in the event of infringements. On the enforcement side, systems remain predominantly reactive, with entities like CERT-In intervening after the fact,[37] and the operational and penalty powers of the DPDP Act’s Data Protection Board still uncertain. In addition, jurisdiction over cross-border data breaches remains unsettled, because Indian legislation offers minimal guidance on how to coordinate with overseas regulators or regulate multinational online platforms. All these loopholes act as obstacles to proactive corporate compliance and to the creation of a strong, accountable data protection regime in India.
Suggestions
- Amend the Companies Act, 2013 to include board-level accountability for cyber security and data privacy, including risk management controls.
- Specifically define the term “data breach” in the IT Act, 2000 and the DPDP Act, 2023, in line with international norms such as the GDPR.
- Impose personal liability on directors for gross negligence, and make cyber security training compulsory along with SEBI disclosures.
- Require companies to maintain a Data Breach Response Plan (DBRP) and mandate centralized reporting through CERT-In or the Data Protection Board.
Conclusion
In the present age of digital advancement, where data breaches can result in substantial and lasting damage to businesses, consumers, and public confidence, the role of the board of directors becomes essential in keeping cyber security in check. This research points out that under the Indian legal framework, corporate boards are responsible not only for ensuring compliance and strategic oversight but also for tackling cyber security risks and safeguarding data effectively.
As companies grow more dependent on digital systems, it becomes imperative for directors to actively engage with cybersecurity readiness, incident handling protocols, and overall data protection frameworks. Legal instruments such as the ‘Information Technology Act, 2000,’ along with the anticipated ‘Digital Personal Data Protection Act, 2023,’ mark a transition towards greater board-level accountability for cyber governance failures. Courts and regulatory bodies have begun to acknowledge that directors are duty-bound to exercise diligence in preventing and addressing data security lapses.
Consequently, this study advocates a forward-looking regulatory model, one that embeds digital competence within boardrooms, mandates transparent disclosures, and articulates fiduciary responsibilities specifically tied to data governance. Reinforcing such accountability will not only safeguard the interests of stakeholders but also cultivate a culture of digital integrity and resilience. Ultimately, corporate liability for cyber incidents must be viewed as a fundamental governance obligation, not just a technical or compliance-related concern.
References
[1] See Cost of a Data Breach Report 2022, IBM Security (2022), https://www.ibm.com/reports/data-breach.
[2] See Ratanlal & Dhirajlal, The Law of Torts 12–14 (28th ed. 2021).
[3] S.C. Srivastava, Corporate Criminal Liability: Evolution of Judicial Approach, 59 JILI 479, 482–83 (2017).
[4] Standard Chartered Bank v. Directorate of Enforcement, (2005) 4 S.C.C. 530 (India).
[5] Avtar Singh, Company Law 495–97 (18th ed. 2022).
[6] See Iridium India Telecom Ltd. v. Motorola Inc., (2011) 1 S.C.C. 74 (India).
[7] N.L. Mitra, Corporate Compliance and Governance in India, 45 J. Indian L. Inst. 537, 540–42 (2003).
[8] Melissa B. Hathaway, Data Breaches: The True Costs, 60 Comm. ACM 29, 31–32 (2017).
[9] Nicole Perlroth, Hackers Lurking in Vents and Soda Machines, N.Y. Times (Apr. 7, 2014), https://www.nytimes.com/2014/04/08/technology/the-spies-came-in-from-the-cold.html.
[10] See Kristin N. Johnson, Cyber Risks, Corporate Responsibility, and Director Oversight, 94 Wash. L. Rev. 1165, 1185–89 (2019).
[11] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1 (India).
[12] Universal Declaration of Human Rights, art. 12, G.A. Res. 217A (III), U.N. Doc. A/RES/3/217A (Dec. 10, 1948); International Covenant on Civil and Political Rights, art. 17, Dec. 16, 1966, 999 U.N.T.S. 171.
[13] Black’s Law Dictionary (11th ed. 2019) (referencing entries under “breach,” “data,” and “confidentiality”).
[14] Daniel J. Solove & Paul M. Schwartz, Information Privacy Law 84–86 (6th ed. 2021).
[15] The Companies Act, No. 18 of 2013, § 166, Acts of Parliament, 2013 (India).
[16] Thomas J. Smedinghoff, The Emerging Law of Information Security: An Overview, 6 I/S: J.L. & Pol’y for Info. Soc’y 5, 15–18 (2010).
[17] Id.
[18] Lawrence A. Hamermesh, Calling Off the Lynch Mob: The Corporate Director’s Fiduciary Disclosure Duty, 49 Vand. L. Rev. 1087, 1091–92 (1996).
[19] Id.
[20] J. W. Verret, Cybersecurity Oversight and the Board’s Fiduciary Duty, 4 Harv. Bus. L. Rev. 157, 160–62 (2014).
[21] Thomas J. Smedinghoff, The Developing U.S. Legal Standard for Cybersecurity and the Process-Oriented Approach to Compliance, 4 J.L. & Cyber Warfare 1, 2 (2015).
[22] Id.
[23] Id.
[24] Id.
[25] Id.
[26] Sean B. Gates, Corporate Governance and Cybersecurity: The Board’s New Role in Data Protection, 20 Bus. L. Today 22, 23–24 (2014).
[27] Id.
[28] Lisa R. Lifshitz, Cybersecurity and the Board of Directors: A Canadian and International Perspective, 31 Banking & Fin. L. Rev. 379, 381 (2016).
[29] The Information Technology Act, No. 21 of 2000, § 43A, INDIA CODE (2000).
[30] Id. § 72A.
[31] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Gazette of India, Apr. 11, 2011.
[32] Supra note 11.
[33] The Digital Personal Data Protection Act, No. 22 of 2023, § 33, INDIA CODE (2023).
[34] Companies Act, No. 18 of 2013, § 166 (India).
[35] Id. § 149.
[36] Id. § 447.
[37] CERT-In, Ministry of Electronics & IT, Government of India, About CERT-In, https://www.cert-in.org.in/ (last visited Sept. 21, 2025).