The Delhi High Court has issued an injunction prohibiting any unauthorized use, disclosure, or publication of sensitive and confidential data belonging to Niva Bupa Health Insurance Company Limited by an unidentified data thief. The court's directives aim to safeguard the privacy rights of customers and prevent misuse of their personal data following a ransomware attack on the company.

Submissions on Ransomware Attack and Regulatory Compliance

Senior Advocate Mr. Pradeep K. Bakshi, along with the team from White & Brief Advocates & Solicitors, represented Niva Bupa. During the course of arguments, Mr. Bakshi informed the court that the company's robust security systems had been compromised in a targeted ransomware attack aimed at extortion. He further submitted that the data breached included personal details such as names, identity proofs, addresses, policy details, and mobile numbers—information collected as part of regulatory compliance.

The Plaintiff established a strong prima facie case for interim relief, arguing that the breach had the potential to cause significant damage to both the company and its customers.

Customer Privacy Takes Centre Stage

While passing the injunction Order, Justice Manmeet Pritam Singh Arora emphasised the potential risks arising from unauthorized access to sensitive data, such as identity theft, financial fraud, privacy violations, and unauthorized transactions. Recognizing the severity of the breach, the court underlined the critical need to protect personal information and issued an order for the immediate removal of any leaked data by intermediaries and platforms within 24 hours of notification by the Plaintiff.

Court-Directed Interventions

To mitigate the potential harm, the court issued a series of directives, including:

1. Restraining Order: The "John Doe" defendant is strictly prohibited from using, copying, publishing, or disclosing Niva Bupa's confidential information on any platform.

2. Action by ISPs and Platforms: Internet service providers and intermediaries have been directed to block and remove all unauthorized content, accounts, and domains associated with the misuse of the Plaintiff's trademarks and data.

3. Investigation Support: Defendants Nos. 1 to 6 have been instructed to provide all available information regarding Defendant No. 7, including digital footprints, to aid the ongoing investigation.

White & Brief Legal Team

The team from White & Brief Advocates & Solicitors comprised Partner Mr. Mohit Bakshi and Associate Mr. Akshaja Singh.

This judgment reaffirms the importance of customer data privacy in the digital age and serves as a crucial step in combating unauthorized data breaches and ransomware attacks.



The influence of technology and the internet on our daily lives is greater than it was earlier, and it is set to grow manifold with the advent of AI. During the course of our lives, we share personal information online through various social media and online platforms to connect personally and professionally. The price that we pay for availing of digital services is our personal information, which raises valid concerns surrounding data privacy and protection.

What is Privacy and Data Protection?

The right to privacy allows you to keep your personal information confidential. Data protection refers to the measures and practices that ensure your personal data is safeguarded against data theft and misuse.

Why is Privacy and Data Protection Important?

Your personal information includes details like your name, address, phone number, financial data, and health record. This data can be misused by cyber criminals for identity theft or other financial scams. With the introduction of AI, various new areas of crime have emerged using Deep Fake technology. Hence, protecting your data has become more important than it ever was. Privacy laws and data security regulations empower you with ownership over your personal information and restrict any unauthorized use.

There have been various instances wherein an individual’s personal data was subjected to various malicious uses by private entities. This data is sometimes taken without even the owner’s consent. The Cambridge Analytica Scandal in 2018 brought widespread attention to the issue of data privacy and misuse of data. It exposed that the personal information of Facebook users was collected without their consent for political advertising. In a similar incident in 2021, the Pegasus Spyware Case came to light, wherein it was alleged that Pegasus Spyware was used for illegal surveillance of journalists, activists, and politicians. This incident again highlighted the importance of data privacy.

Judicial intervention to safeguard personal data

The courts have, in various instances, come to the rescue of people who were victims at the hands of private entities. The personal data was either taken without their consent or through complicated interfaces wherein users did not even understand that they had given consent, or for what purpose. This left the data subjects in a vulnerable position without any recourse. In such situations, judicial intervention provided an appropriate remedy to the data subjects. It also ensured that the entities using personal data were not taking advantage of the data subject’s innocence or lack of technical knowledge.

In the case of Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors. AIR 2017 SC 4161, the Supreme Court confirmed that privacy is a fundamental right under the Indian Constitution, paving the way for stronger regulations to safeguard personal information.

In another notable case, WhatsApp LLC & Anr. v Competition Commission of India, LPA 163/2021, the Delhi High Court ruled that WhatsApp's updated privacy policy violated the IT Act and rules, and the judgement allowed users to opt out of providing forced consent. This case highlighted the importance of transparent and responsible data management practices.

Key Laws and Regulations in India

The Information Technology Act, 2000: The Information Technology Act of 2000 sets out rules for electronic governance and oversees how personal data is handled. It also includes penalties for cybercrimes such as hacking and data theft.

The Digital Personal Data Protection Act, 2023: The Digital Personal Data Protection Act of 2023 has established a strong data protection law in India. It outlines individual rights regarding personal data, creates a Data Protection Authority, and places responsibilities on data fiduciaries. The 2023 act permits personal data to be used for any legal purpose. Entities that collect, store, and process digital personal data (‘Data fiduciaries’) have specific responsibilities of:

(a) maintaining security measures;

(b) ensuring accuracy and completeness of personal data;

(c) reporting data breaches to the Data Protection Board of India (DPB) in a prescribed manner;

(d) deleting data upon consent withdrawal or when the specified purpose expires;

(e) appointing a data protection officer and establishing grievance redress systems; and

(f) obtaining parental/guardian consent for children/minors under eighteen years of age.

The Aadhaar Act, 2016: The Aadhaar Act, 2016 dictates how the Aadhaar unique identification system is used and lays down guidelines for gathering, storing, and using biometric data. The Supreme Court, in the Aadhaar Judgement, found that the Aadhaar Act was constitutional to the extent of using Aadhaar for verifying an individual's identity to receive government-funded benefits like subsidies. However, private entities cannot use Aadhaar data without an individual's consent for any other purpose.

Your Rights under Data Protection Laws

Consent: When it comes to your personal data, companies and organizations are required to ask for your clear permission before they gather and handle it.

Purpose Limitation: Your data can only be used for the specific reason it was collected for or permitted for, and not for anything else.

Data Minimization: Additionally, only the necessary amount of data should be collected, and once the purpose is met, it should be removed.

Access and Correction: You also have the right to see and correct any inaccuracies in your personal data that the organization holds.

Data Portability: Furthermore, you can move your personal data from one service provider to another in a standard format.

Right to Be Forgotten: You have the right to get your personal data removed or deleted from an organization's records under certain circumstances.

Protecting Your Privacy and Data

Be Cautious with Personal Information: When sharing personal information online, be cautious and think carefully about what you disclose, especially on social media platforms.

Use Strong Passwords: To protect your accounts, create strong, unique passwords for each account, especially those holding banking and investment-related information, and consider using two-factor authentication if possible.

Keep Software Updated: Keep your operating systems, applications, and antivirus software up to date to prevent data security breaches.

Be Vigilant Against Phishing Attempts: Do not reply or provide personal information to unsolicited emails, messages, or calls requesting personal information.

Conclusion

Privacy and data protection are fundamental rights in the digital age. In a country like India, where the majority of the population may not be technically informed, it becomes even more dangerous to leave personal information unprotected. Many people might not be aware enough to understand that their personal data is being used for unintended purposes. As the Internet has reached various parts of the country through internet access and mobile usage, the issue of personal data protection has become more crucial than before. By understanding your rights and the laws that protect them, you can take steps to safeguard your personal information and maintain control over your data.
