Madras High Court rejects demand for data breach probe into Star Health Insurance

Justice M Dhandapani dismissed the plea noting that a civil suit filed by the company against Pathak was already pending in which a single judge had already issued an interim injunction. Thus, noting that the issues were connected and that there could not be parallel proceedings for the same issue, the court dismissed the plea. The court, however, gave liberty to Pathak to pursue his remedy before the appropriate authority.

On October 9 this year, the insurance company admitted that it was the victim of a malicious cyber attack that resulted in unauthorized and illegal access to data.

Pathak had approached the court to direct the Ministry of Electronics and Information, Ministry of Finance, Ministry of Home Affairs and Ministry of Corporate Affairs to take action based on his representation in which he had stated that the The company’s security system had vulnerabilities and anyone. could access your data. While the petition was pending, Star Health became a victim of the cyber attack.

When the matter came up on Wednesday, Pathak’s lawyer claimed that the hackers had claimed to have received the data from Star Health officials themselves. He claimed that when he approached the Meity, which was a body meant to deal with the matter, the Ministry informed him that they had asked Star to look into the matter. He added that a similar response has been received from the IRDAI, which was also looking into the matter. He argued that it was surprising to see a criminal being asked to investigate his own actions.

On behalf of the four Ministries, ASG ARL Sundaresan argued that the Ministry could not do anything in the matter as the competent authority was the IRDAI which was already taking necessary action under the Act. The ASG also informed the court that individual disputes were already pending before the petitioner and that the company and Star had already filed a civil suit which was pending. In this context, ASG argued that Pathak should have sought the appeal before the civil court or the IRDAI, which was the competent authority, and instead approached the High Court. Thus, he sought to dismiss the allegation.

On behalf of IRDAI, advocate MB Raghavan submitted that it had already issued guidelines and even after filing the petition, detailed guidance was also issued. It was also submitted that regular procedures were created to curb hackers and protect data. Further, Raghavan also informed that the authority could not act on the petitioner’s complaint as there was already a pending civil dispute.

Star Health, on the other hand, disputed Pathak’s site and argued that he himself was a hacker who entered the company’s data without authorization. The company claimed that although Pathak posed as a crusader, he entered the system uninvited, hacked it and told the company that its data is vulnerable. The company added that since Pathak’s actions could have criminal consequences, the company filed a civil suit seeking an injunction in which an injunction was also granted. The company, therefore, asked to dismiss the plea.

The court, after hearing all the parties, deemed it fit to dismiss the writ petition giving liberty to Pathak to dispose of his appeal before the appropriate authority.

Citation: 2024 LiveLaw (Mad) 397

Case Title: Himanshu Pathak Vs Ministry Of Electronics And Information And Others

Case No.: WP 12049 of 2023