Legal Liabilities Of An Entity In The Case Of A Data Breach
In an age whose motto is "the one with the data rules", any business or individual handling customers' personal data must be at least as careful as a bank handling their money. The personal information held in a business's files is a goldmine for attackers: with it they can peek into and monitor every aspect of a person's life. A breach can compromise a person's entire online presence, with potentially catastrophic results.
In any legal proceeding seeking damages or a statutory remedy, it is essential to ascertain the legal liabilities of the entities concerned. This blog covers the legal liabilities of an entity in the case of a data breach from a global perspective.
Instances of a Data Breach
Although not exhaustive, the following are common instances of a data breach:
- Stolen Passwords or Weak Credentials: Passwords are stolen or guessed and then used for malicious activity. Largely preventable by using strong, unique passwords.
- Back Door Failures: Attackers exploit an existing, unpatched vulnerability in a system. Prevented by applying software updates promptly.
- Malware: Software hiding malicious code that steals sensitive information. Controlled with anti-malware programs.
- Phishing/Social Media Scams: Luring people into revealing sensitive information. Businesses should restrict user permissions so that a single compromised account exposes as little as possible.
- Internal Threats: Breaches caused by "crooks" (intentional insiders) or "careless" employees (negligent ones). Requires employee awareness training and monitoring.
Who are the Parties Involved?
With the advent of cloud-based environments, data is often entrusted to third-party vendors. Usually, three parties are involved:
- User/Customer: The person who avails the service.
- Owner of Data: The business offering the products/services.
- Holder of Data: The third-party vendor (e.g., AWS, Microsoft Azure) hosting the data.
In a cloud-based environment, the Owner of Data (the business) typically bears the ultimate liability towards customers, regardless of whether the breach occurred at their end or the vendor's end.
Types of Liability
A data owner usually faces two types of liability:
- Statutory Liability: Arising from contravention of enacted laws (e.g., GDPR, IT Act).
- Civil Liability: Arising from breach of contract (express or implied) or from tort claims where plaintiffs seek damages for harm caused by the breach.
Global Scenario
The UK & EU
UK: The Companies Act 2006 imposes fiduciary duties on directors, and failure to employ adequate cyber protection can amount to a breach of that duty. The UK is also governed by the UK GDPR and the Data Protection Act 2018, under which the Information Commissioner's Office (ICO) can impose substantial fines.
EU: The General Data Protection Regulation (GDPR) sets the gold standard. Non-compliance can lead to fines of up to €20 million or 4% of global annual turnover, whichever is higher. The NIS Directive also mandates security measures for operators of essential services.
USA, Canada & Others
USA: There is no single federal data protection law; instead, sector-specific laws such as HIPAA (health) and GLBA (finance) apply. All states have breach notification laws. Federal agencies such as the FTC and SEC also enforce data security obligations.
Canada: PIPEDA governs the collection of personal data in the private sector. Directors can be held liable under the Canada Business Corporations Act.
UAE: The Personal Data Protection Law (PDPL) imposes strict obligations. Directors can be held personally liable under the Commercial Companies Law.
Indian Context
India is a major target for cyberattacks. The primary legal framework is the Information Technology Act, 2000 (amended in 2008):
- Section 43A: Imposes liability on a body corporate to pay damages by way of compensation where negligence in maintaining "reasonable security practices" causes wrongful loss or wrongful gain.
- Section 72A: Prescribes imprisonment (up to 3 years) and a fine (up to ₹5 Lakhs) for disclosure of information in breach of a lawful contract.
- Section 45: A residuary penalty clause for contraventions not covered elsewhere, providing for compensation of up to ₹25,000.
- DPDP Act 2023: The Digital Personal Data Protection Act, 2023 has been enacted and is being brought into force in phases. It provides for penalties of up to ₹250 Crores for failure to prevent a data breach.
Conclusion
A data breach is an undesirable situation for any legal entity, since it compromises the confidentiality, integrity, and availability of data. Once a breach occurs, the organization must notify the relevant authority (e.g., CERT-In in India) without delay. Organizations must implement appropriate technical and organizational safeguards; otherwise, the legal and financial repercussions can be severe.
Office of M S Sulthan Legal Associates