India prosecutes cyber crime mainly under the Information Technology Act, 2000, heavily expanded by the IT (Amendment) Act, 2008. Most “cyber crimes and penalties” graphics floating around social media copy each other — and copy the same errors: they still cite a section the Supreme Court killed in 2015, and they predate the 2023 laws that now carry data-protection and general-crime pieces the IT Act never did. This is the corrected map.
⚠ This is general information for security & GRC context, not legal advice. Charges depend on facts and current law — consult a qualified lawyer.
1 · The Offences, by Section & Penalty
The core offences and their real punishments under the IT Act (as amended). “And/or” reflects the statute’s wording; several sections allow imprisonment, a fine, or both.
| Offence | Section | Punishment |
|---|---|---|
| Damage to a computer / data (unauthorised access, extraction, contaminant) | 43 | Civil Compensation to the affected person (adjudication) |
| Body corporate’s failure to protect sensitive personal data | 43A | Civil Compensation for negligence |
| Tampering with computer source documents | 65 | Up to 3 yrs and/or ₹2 lakh |
| Computer-related offences / hacking (dishonest or fraudulent) | 66 | Up to 3 yrs and/or ₹5 lakh |
| Dishonestly receiving a stolen computer resource or device | 66B | Up to 3 yrs and/or ₹1 lakh |
| Identity theft (fraudulent use of e-signature, password, unique ID) | 66C | Up to 3 yrs + ₹1 lakh |
| Cheating by personation using a computer resource (phishing, scams) | 66D | Up to 3 yrs + ₹1 lakh |
| Violation of privacy (capturing/publishing private images) | 66E | Up to 3 yrs and/or ₹2 lakh |
| Cyber terrorism | 66F | Severe Imprisonment for life |
| Publishing / transmitting obscene material | 67 | Up to 3 yrs + ₹5 lakh (first); 5 yrs + ₹10 lakh (repeat) |
| Publishing sexually explicit material | 67A | Up to 5 yrs + ₹10 lakh (first); 7 yrs (repeat) |
| Child sexual abuse material (CSAM) | 67B | Severe Up to 5 yrs + ₹10 lakh (first); 7 yrs (repeat) |
| Breach of confidentiality & privacy (by a person with official access) | 72 | Up to 2 yrs and/or ₹1 lakh |
| Disclosure of information in breach of a lawful contract | 72A | Up to 3 yrs and/or ₹5 lakh |
▸ Two tracks run in parallel: Sec 43 (civil compensation, no criminal intent needed) and Sec 66 (criminal, requires dishonesty/fraud). The same hack can trigger both.
2 · What the Popular Charts Get Wrong
The most-shared “cyber crime & penalties” infographics repeat four errors. If a chart shows any of these, it predates the law as it stands in 2026.
| The claim you’ll see | Reality |
|---|---|
| “Offensive / defamatory posts → Sec 66A” | Void Section 66A was struck down in Shreya Singhal v. Union of India (2015) as unconstitutional under Article 19(1)(a). No one can be charged under it — yet police occasionally still do, which courts keep condemning. |
| “Online defamation is an IT Act offence” | Defamation is not in the IT Act. Online defamation is prosecuted under general criminal law — now Bharatiya Nyaya Sanhita (BNS) 2023, s.356 (which replaced IPC 499/500 from 1 July 2024). |
| “Cyberstalking → a dedicated IT Act section” | There is no standalone cyberstalking section in the IT Act. It’s charged under the BNS stalking provision (successor to IPC 354D), with Sec 67 / 66E added where the content is obscene or privacy-invading. |
| “Phishing / forgery each have their own section” | Phishing is charged under Sec 66D (cheating by personation) plus BNS cheating/forgery provisions — not a single “phishing law.” |
⚠ The headline correction: Section 66A is dead law. Any 2026 chart still citing it is wrong, and any FIR under it is liable to be quashed.
3 · How the Ground Is Shifting (2022–2024)
The IT Act is no longer the whole story. Three changes moved large pieces of “cyber law” outside it — and any current compliance or incident-response posture has to account for them.
| Change | Year | What it does |
|---|---|---|
| DPDP Act 2023 | 2023 | India’s first standalone data-protection law. Shifts breach/privacy duties off Sec 43A onto a consent-and-fiduciary framework, with penalties up to ₹250 crore via the Data Protection Board. Rules still rolling out. |
| Bharatiya Nyaya Sanhita (BNS) | 2023 | Replaced the IPC (effective 1 Jul 2024). Cyber-enabled crimes — fraud, defamation, stalking, forgery — now reference the BNS, often alongside IT Act sections. |
| CERT-In Directions | 2022 | Mandatory 6-hour incident reporting and log-retention duties for organisations — a compliance obligation, distinct from the criminal sections above. |
▸ For a security team, the practical takeaway: the criminal exposure lives in the IT Act + BNS, while the regulatory exposure (breach fines, reporting) now lives in DPDP + CERT-In.
Bottom line
- 66A is void — struck down in 2015; stop citing it, and challenge any charge under it.
- Penalties scale with harm — cyber-terrorism (66F) and CSAM (67B) carry the heaviest terms; most data offences cap at 3 years.
- Civil and criminal run in parallel — Sec 43 compensation is independent of a Sec 66 prosecution.
- The map now spans three statutes — IT Act (computer offences) + BNS (general crime) + DPDP (data protection).
- Breach exposure jumped — DPDP’s ₹-crore penalties dwarf the old Sec 43A compensation route.
Sources & method. Section references and penalties are from the Information Technology Act, 2000 (as amended by the IT (Amendment) Act, 2008); the 66A holding is Shreya Singhal v. Union of India, (2015) 5 SCC 1. Current context is the Bharatiya Nyaya Sanhita, 2023 (in force 1 Jul 2024), the Digital Personal Data Protection Act, 2023, and the CERT-In Directions, 2022. General information only, not legal advice. Original analysis; no third-party graphics or text reproduced.