The Legal Affair

Let's talk Law

Unauthorized Access Cannot Become a Public Interest Claim: Madras High Court Refuses Probe into Alleged Data Breach Amid Pending Proceedings

Introduction:

The Madras High Court, in Himanshu Pathak v. Ministry of Electronics and Information Technology, addressed a complex intersection of cybersecurity concerns, personal liability, and the scope of writ jurisdiction. The case arose from an appeal filed by Himanshu Pathak, a cybersecurity specialist, challenging the dismissal of his writ petition by a single judge. In his original petition, Pathak had sought directions to multiple governmental authorities—including the Ministry of Electronics and Information Technology, Ministry of Finance, Ministry of Home Affairs, Ministry of Corporate Affairs, the Insurance Regulatory and Development Authority of India (IRDAI), and the Securities and Exchange Board of India (SEBI)—to initiate an inquiry into alleged data security vulnerabilities in Star Health Insurance Company.

Pathak claimed that while accessing his own policy details on the company’s website, he discovered systemic vulnerabilities that allowed unauthorized access to sensitive information of other policyholders. According to him, this posed a serious threat to data privacy and security, warranting immediate regulatory intervention.

However, the matter was complicated by the fact that Star Health had already initiated civil and criminal proceedings against Pathak, alleging that he had unlawfully accessed and extracted data from its systems. The writ court dismissed his plea, holding that parallel proceedings could not be entertained when the same issues were already sub judice before competent courts.

Aggrieved by this decision, Pathak filed the present appeal before the Division Bench comprising Chief Justice S.A. Dharmadhikari and Justice G. Arul Murugan. The High Court ultimately dismissed the appeal, affirming the reasoning of the single judge and emphasizing the limits of writ jurisdiction in such circumstances.

Arguments by the Appellant:

The appellant, Himanshu Pathak, presented his case as one rooted in public interest and cybersecurity vigilance. He contended that as a policyholder of Star Health Insurance, he had accessed the company’s website to view his own policy details, during which he discovered significant vulnerabilities in the system.

Pathak argued that these vulnerabilities allowed unauthorized access to the profiles and sensitive data of other policyholders, thereby exposing the company’s entire database to potential misuse. He maintained that such flaws in the system posed a grave threat to data privacy and could lead to large-scale breaches if not addressed promptly.

According to the appellant, he acted in good faith by bringing these issues to the notice of the company. He claimed that the company initially acknowledged his findings and thanked him for highlighting the vulnerabilities. However, instead of rectifying the issues, the company allegedly turned against him and initiated legal proceedings.

Pathak further submitted that despite making representations to various ministries and regulatory authorities, no action had been taken to investigate the alleged data security lapses. This inaction, he argued, compelled him to approach the High Court seeking judicial intervention.

He also pointed out that during the pendency of his writ petition, Star Health itself became a victim of a cyber-attack on October 9, 2024. This, according to him, validated his concerns regarding the company’s inadequate cybersecurity measures.

The appellant contended that the existence of civil and criminal proceedings against him should not bar the Court from examining the larger issue of data security, which affects not just him but potentially millions of policyholders. He argued that the writ court had erred in dismissing his petition solely on the ground of pendency of other proceedings, without considering the broader public interest involved.

Additionally, Pathak maintained that his actions were not malicious but were intended to expose vulnerabilities and prompt corrective measures. He denied any wrongdoing and suggested that the legal actions initiated by the company were retaliatory in nature.

Arguments by the Respondents:

The respondents, including the Union of India and Star Health Insurance Company, strongly opposed the appeal and defended the decision of the writ court.

Star Health, in particular, presented a diametrically opposite narrative. It alleged that Pathak, under the guise of a cybersecurity expert, had unlawfully accessed its systems and extracted sensitive data without authorization. The company contended that his actions amounted to hacking and data theft, for which it had initiated both civil and criminal proceedings.

The respondents further submitted that an FIR had been registered against Pathak under Sections 66 and 43(b) of the Information Technology Act, and that a chargesheet had already been filed. A petition filed by Pathak seeking quashing of the criminal case had also been dismissed, indicating that the allegations against him were serious and prima facie sustainable.

The company also pointed out that it had obtained an interim injunction against Pathak in civil proceedings, which was later made final. This, according to the respondents, demonstrated that the appellant’s actions were not only unauthorized but also legally impermissible.

With regard to the alleged data breach, Star Health asserted that it had taken all necessary steps to address the issue, including reporting the incident to relevant authorities and implementing robust cybersecurity measures. It maintained that its systems were secure and that there was no ongoing threat to policyholders’ data.

The respondents argued that the writ petition was an attempt by Pathak to deflect attention from his own misconduct and evade legal consequences. They contended that the High Court should not entertain such petitions, especially when the issues involved were already being adjudicated in other proceedings.

The Union of India supported the position that the writ petition was not maintainable, emphasizing that the appellant had not demonstrated any violation of his own rights. It was argued that writ jurisdiction under Article 226 is primarily intended to protect fundamental and legal rights, and cannot be invoked in the absence of a personal grievance.

Court’s Judgment:

The Division Bench of the Madras High Court carefully considered the submissions of both parties and upheld the decision of the writ court, dismissing the appeal.

At the outset, the Court noted that the single judge had rightly granted the appellant liberty to pursue his remedies in the pending civil and criminal proceedings. It observed that when issues are already sub judice before competent courts, parallel proceedings under writ jurisdiction are generally not warranted.

The Court emphasized that any claim or action by the appellant would ultimately depend on the outcome of the pending cases. Therefore, it found no error or infirmity in the writ court’s decision to decline interference.

A significant aspect of the Court’s reasoning was its assessment of the appellant’s conduct. The Court noted that Pathak had accessed the company’s portal and obtained data of other policyholders without authorization. It observed that he had neither sought nor obtained permission from the company to do so, nor had the company engaged his services as a cybersecurity expert.

The Court remarked that such actions amounted to unauthorized access or intrusion, and could not be justified under the guise of exposing vulnerabilities. While refraining from making conclusive findings on this issue due to the pendency of proceedings, the Court made it clear that the appellant’s conduct raised serious concerns.

The Court also examined whether the appellant had any personal right that had been violated. It found that Pathak had not alleged any breach of his own data or any harm suffered by him personally. His claim was limited to the possibility of vulnerabilities affecting other users.

In this context, the Court held that the writ petition was not maintainable, as it was not based on any infringement of the appellant’s personal rights. It observed that the appellant appeared to have approached the Court only after his attempts to engage the company’s services had failed and he was faced with legal proceedings.

The Court further noted that in the absence of any proven data breach or lapse attributable to the company, there was no basis for directing an inquiry by the authorities. It emphasized that speculative or hypothetical concerns cannot form the basis for judicial intervention under Article 226.

Importantly, the Court reiterated that writ jurisdiction is discretionary and must be exercised judiciously, particularly when alternative remedies are available and have already been invoked.

In conclusion, the Court held that the appeal lacked merit and dismissed it, affirming the order of the writ court.