IT Act 2008, Section 43 :
Where a body corporate, possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay
damages by way of compensation, to the person so affected.
EXPANDING SCOPE OF EXISTING DATA
PROTECTION REGULATION
The upcoming Data protection regime will widen the scope by offering a
comprehensive data protection framework which shall apply to processing of
personal data by any means, and to processing activities carried out by both the
Government as well as the private entities- not only Body Corporate.

REFERENCE LINK :
https://digitalindia.gov.in/writereaddata/files/6.Data%20Protection%20in%20India.pdf