Manzill Surolia

Analysis · 16 Jul 2026

Cyber Crime & the Law in India

The IT Act 2000 is the spine of India’s cyber law — but the viral “crimes & penalties” charts are out of date. Here are the real sections, the real penalties, and the parts that have quietly changed.

2000IT Act enacted
2008amendment added 66A–F, 67A/B, 43A
Lifemax term (Sec 66F, cyber-terrorism)
66Athe one section struck down (2015)
2023BNS + DPDP reshape the map

India prosecutes cyber crime mainly under the Information Technology Act, 2000, heavily expanded by the IT (Amendment) Act, 2008. Most “cyber crimes and penalties” graphics floating around social media copy each other — and copy the same errors: they still cite a section the Supreme Court killed in 2015, and they predate the 2023 laws that now carry data-protection and general-crime pieces the IT Act never did. This is the corrected map.

⚠ This is general information for security & GRC context, not legal advice. Charges depend on facts and current law — consult a qualified lawyer.

1 · The Offences, by Section & Penalty

The core offences and their real punishments under the IT Act (as amended). “And/or” reflects the statute’s wording; several sections allow imprisonment, a fine, or both.

OffenceSectionPunishment
Damage to a computer / data (unauthorised access, extraction, contaminant)43Civil Compensation to the affected person (adjudication)
Body corporate’s failure to protect sensitive personal data43ACivil Compensation for negligence
Tampering with computer source documents65Up to 3 yrs and/or ₹2 lakh
Computer-related offences / hacking (dishonest or fraudulent)66Up to 3 yrs and/or ₹5 lakh
Dishonestly receiving a stolen computer resource or device66BUp to 3 yrs and/or ₹1 lakh
Identity theft (fraudulent use of e-signature, password, unique ID)66CUp to 3 yrs + ₹1 lakh
Cheating by personation using a computer resource (phishing, scams)66DUp to 3 yrs + ₹1 lakh
Violation of privacy (capturing/publishing private images)66EUp to 3 yrs and/or ₹2 lakh
Cyber terrorism66FSevere Imprisonment for life
Publishing / transmitting obscene material67Up to 3 yrs + ₹5 lakh (first); 5 yrs + ₹10 lakh (repeat)
Publishing sexually explicit material67AUp to 5 yrs + ₹10 lakh (first); 7 yrs (repeat)
Child sexual abuse material (CSAM)67BSevere Up to 5 yrs + ₹10 lakh (first); 7 yrs (repeat)
Breach of confidentiality & privacy (by a person with official access)72Up to 2 yrs and/or ₹1 lakh
Disclosure of information in breach of a lawful contract72AUp to 3 yrs and/or ₹5 lakh

▸ Two tracks run in parallel: Sec 43 (civil compensation, no criminal intent needed) and Sec 66 (criminal, requires dishonesty/fraud). The same hack can trigger both.

2 · What the Popular Charts Get Wrong

The most-shared “cyber crime & penalties” infographics repeat four errors. If a chart shows any of these, it predates the law as it stands in 2026.

The claim you’ll seeReality
“Offensive / defamatory posts → Sec 66AVoid Section 66A was struck down in Shreya Singhal v. Union of India (2015) as unconstitutional under Article 19(1)(a). No one can be charged under it — yet police occasionally still do, which courts keep condemning.
“Online defamation is an IT Act offence”Defamation is not in the IT Act. Online defamation is prosecuted under general criminal law — now Bharatiya Nyaya Sanhita (BNS) 2023, s.356 (which replaced IPC 499/500 from 1 July 2024).
“Cyberstalking → a dedicated IT Act section”There is no standalone cyberstalking section in the IT Act. It’s charged under the BNS stalking provision (successor to IPC 354D), with Sec 67 / 66E added where the content is obscene or privacy-invading.
“Phishing / forgery each have their own section”Phishing is charged under Sec 66D (cheating by personation) plus BNS cheating/forgery provisions — not a single “phishing law.”

⚠ The headline correction: Section 66A is dead law. Any 2026 chart still citing it is wrong, and any FIR under it is liable to be quashed.

3 · How the Ground Is Shifting (2022–2024)

The IT Act is no longer the whole story. Three changes moved large pieces of “cyber law” outside it — and any current compliance or incident-response posture has to account for them.

ChangeYearWhat it does
DPDP Act 20232023India’s first standalone data-protection law. Shifts breach/privacy duties off Sec 43A onto a consent-and-fiduciary framework, with penalties up to ₹250 crore via the Data Protection Board. Rules still rolling out.
Bharatiya Nyaya Sanhita (BNS)2023Replaced the IPC (effective 1 Jul 2024). Cyber-enabled crimes — fraud, defamation, stalking, forgery — now reference the BNS, often alongside IT Act sections.
CERT-In Directions2022Mandatory 6-hour incident reporting and log-retention duties for organisations — a compliance obligation, distinct from the criminal sections above.

▸ For a security team, the practical takeaway: the criminal exposure lives in the IT Act + BNS, while the regulatory exposure (breach fines, reporting) now lives in DPDP + CERT-In.

Bottom line

  • 66A is void — struck down in 2015; stop citing it, and challenge any charge under it.
  • Penalties scale with harm — cyber-terrorism (66F) and CSAM (67B) carry the heaviest terms; most data offences cap at 3 years.
  • Civil and criminal run in parallel — Sec 43 compensation is independent of a Sec 66 prosecution.
  • The map now spans three statutes — IT Act (computer offences) + BNS (general crime) + DPDP (data protection).
  • Breach exposure jumped — DPDP’s ₹-crore penalties dwarf the old Sec 43A compensation route.

Sources & method. Section references and penalties are from the Information Technology Act, 2000 (as amended by the IT (Amendment) Act, 2008); the 66A holding is Shreya Singhal v. Union of India, (2015) 5 SCC 1. Current context is the Bharatiya Nyaya Sanhita, 2023 (in force 1 Jul 2024), the Digital Personal Data Protection Act, 2023, and the CERT-In Directions, 2022. General information only, not legal advice. Original analysis; no third-party graphics or text reproduced.