Information Technology Act 2000 (Amended)
India's principal cyber law enacted in 2000 and amended in 2008, establishing legal recognition for electronic transactions, digital signatures, and defining cyber offenses and penalties under MeitY oversight.
The Information Technology Act 2000 (IT Act) is India's primary legislation addressing cybercrimes, electronic commerce, and digital governance. Amended significantly in 2008 (IT Amendment Act 2008), it introduced Section 43A mandating reasonable security practices for sensitive personal data, Section 66A (later struck down), and Section 69A enabling content blocking. The Act recognizes digital signatures, empowers CERT-In under Section 70B, and prescribes penalties for data breaches, hacking, identity theft, and publishing offensive content. It also introduced intermediary liability provisions under Section 79 and established Adjudicating Officers and the Cyber Appellate Tribunal for dispute resolution.
- Provides legal validity to electronic records and digital signatures (Sections 4-5), enabling legitimate e-commerce and reducing paperwork across banking, insurance, and government services
- Establishes corporate liability for data breaches under Section 43A, compelling organizations like HDFC Bank, ICICI, and Paytm to implement reasonable security practices and compensate affected individuals
- Empowers law enforcement with Section 69 (interception), Section 69A (content blocking), and Section 69B (monitoring) to combat cybercrimes, terrorism, and threats to national security
- Creates a framework for CERT-In coordination (Section 70B), enabling national-level incident response, vulnerability management, and threat intelligence sharing across critical sectors
- Criminalizes hacking (Section 66), identity theft (Section 66C), phishing (Section 66D), and data theft with imprisonment and fines, providing deterrence against cyber fraud
- No explicit data localization or cross-border data transfer provisions, creating ambiguity until DPDPA 2023 implementation; companies like WhatsApp operated without clear data residency mandates
- Section 43A's 'reasonable security practices' remain vaguely defined, without prescriptive technical standards, leading to inconsistent implementation across the BFSI, healthcare, and e-commerce sectors
- Intermediary liability under Section 79 lacks clarity on proactive monitoring vs. safe harbor, causing platforms like Twitter and Facebook to face conflicting legal interpretations after the 2021 IT Rules
- Weak enforcement mechanisms with under-resourced Adjudicating Officers and delayed Cyber Appellate Tribunal proceedings; cases like Aadhaar data leaks saw limited prosecution outcomes
- No mandatory breach notification timeline specified under Section 43A unlike GDPR's 72 hours, allowing companies like Juspay (2020, 35 million records) and BigBasket (2020, 20 million users) to delay disclosures
- UIDAI Aadhaar data breach (2018): Journalists accessed 1 billion Aadhaar details via unsecured APIs for ₹500, exposing Section 43A enforcement gaps as no organization was penalized despite massive sensitive personal data exposure affecting every Indian resident.
- Paytm Mall data breach (2019): Cybercriminals accessed details of 10 million users including credit cards and masked passwords; company invoked Section 43A compliance by claiming ISO 27001 certification, highlighting how certifications are treated as 'reasonable security practices' defense.
- Tamil Nadu woman arrested under Section 66A (2016) for a social media post criticizing a politician, despite the Supreme Court having struck down the provision in the Shreya Singhal judgment (2015), revealing poor awareness and continued misuse by state police agencies.
- Adopt CERT-In's January 2022 directions mandating 6-hour breach reporting, synchronized incident logging, and KYC for VPN providers; integrate with DPDPA 2023 obligations for unified data protection compliance
- Implement technical standards beyond ISO 27001, including encryption at rest and in transit, multi-factor authentication, third-party security audits, and vulnerability disclosure programs, especially for fintech and healthtech organizations handling sensitive personal data
- Establish dedicated cyber forensics capabilities and legal teams trained on IT Act provisions, evidence preservation under Section 65B, and coordination protocols with state Cyber Crime cells and CERT-In for faster incident response
- Conduct regular cyber hygiene training covering phishing, social engineering, password management, and Section 43A corporate liability to create organizational accountability beyond IT/security teams, especially for senior management and board members
Updated 6/4/2026 · refreshed weekly