Read Time: 06 minutes
The court while emphasizing that “Disclosure of the sensitive and confidential customer data can be highly damaging to both the Plaintiff and its customers”, held that the damage caused by the misuse of such data could not be compensated through monetary relief and therefore passed ad-interim relief in favor of the insurance company.
The Delhi High Court, on Thursday, passed an order against an unknown data thief (John Doe) restraining them from disclosing sensitive and confidential data of the customer collected and stored by Niva Bupa Health Insurance Company Limited. The court, while emphasizing the importance of safeguarding the privacy rights of customers, passed a series of directions to identify, restrain, and delete any data published by the data thief within 24 hours.
The bench of Justice Manmeet PS Arora emphasized, “publication, sale or misuse of the data can result in identity theft, financial fraud, privacy violations and unauthorized transactions”.
Senior Advocate Pradeep K. Bakshi, representing the insurance company, submitted that the data thief had breached the company’s robust security measures through a ransomware attack aimed at extortion. Senior Advocate Bakshi clarified that the company had collected and stored the personal data of the customers, including customers' names, identity proofs, addresses, policy details, premium details, mobile numbers, and other personal information, for regulatory purposes under the applicable laws.
Senior Advocate Bakshi informed the court that on November 28, 2024, the company was approached by an unknown person claiming that they had accessed a substantial portion of the company’s sensitive information. They further communicated that they would release such data if the company did not fulfill their specific demands.
Upon reviewing the provisions of the IT Rules, the court determined that the company had established a strong prima facie case for the grant of ad-interim relief. It was observed that the disclosure of sensitive and confidential customer data could cause significant harm to both the company and its customers.
The court accepted the company’s contention that the publication, sale, or misuse of such data could lead to identity theft, financial fraud, privacy violations, and unauthorized transactions. Furthermore, the court observed that such data could be exploited for impersonating the company, thereby infringing the company's registered trademark and resulting in passing off. The potential damages arising from these actions were deemed irreparable and could not be adequately compensated monetarily, especially given that Defendant No. 7 was an unidentified entity, the court emphasized.
The court passed a series of directions including a temporary injunction against John Doe, restraining them from using, copying, publishing, or disclosing the Plaintiff’s confidential information through any platform. Infringing upon Plaintiff’s registered trademarks, including ‘Bupa’ and ‘Niva Bupa’, through unauthorized reproduction or circulation.
Further, the court ordered internet service providers and intermediaries to block and remove all content, accounts, and domains associated with the misuse of Plaintiff’s trademarks and data. Additionally, Defendant Nos. 1 to 6 were instructed to disclose all available details about Defendant No. 7, including KYC information and associated digital footprints, to aid the investigation.
Case Title: Niva Bupa Health Insurance Company Limited v Telegram FZ-LLC (CS(COMM) 1089/2024)
Please Login or Register
