
Section 43 and 66 of the Information Technology Act, 2000

Unauthorized 'Security Testing' Cannot Mask Illegal Data Access: Madras High Court Dismisses Writ Appeals Against Insurer - 2026-04-08

Subject : Information Technology Law - Cyber Security and Data Privacy


Supreme Today News Desk


In a significant ruling regarding the boundaries of cyber security research and legal liability, the Madras High Court has dismissed a batch of writ appeals filed by a self-styled security expert. The court affirmed that unauthorized access to a private company’s web portal, even under the guise of identifying vulnerabilities, constitutes a prima facie illegal act that cannot be justified in writ jurisdiction.

The Breach of Boundaries

The case involves Himanshu Pathak, who claimed to have discovered security vulnerabilities in the web portal of a prominent insurance company (the 7th respondent). Pathak, the proprietor of a firm named "CyberX9," alleged that these vulnerabilities risked the data of millions of customers. However, the insurance company contended that Pathak had not only failed to seek prior authorization but had used the discovery to attempt to "sell" his security services to the insurer, culminating in a commercial demand of USD 65,000 to fix the identified "attack surface."

The insurer promptly obtained an interim injunction against Pathak and filed a criminal complaint, leading to an FIR under Sections 66 and 43(b) of the Information Technology Act, 2000. Pathak subsequently filed multiple writ petitions, seeking to force government agencies, including IRDAI and CERT-In, to take action against the insurer for the alleged security lapses.

Arguments from the Fold

Counsel for the appellant argued that the insurer had failed to protect sensitive data and that statutory authorities, empowered under Section 70B of the IT Act, had a duty to intervene. They asserted that the pendency of a civil suit should not shield an entity from regulatory action.

Conversely, the insurance company argued that Pathak’s actions were born of a failed commercial negotiation. They submitted that they had already complied with reporting requirements, and that Pathak’s petitions were a tactical retreat intended to disrupt their operations after being hit with civil and criminal litigation.

Judicial Reasoning: The Sub-Judice Principle

A Division Bench comprising Chief Justice Sushrut Arvind Dharmadhikari and Justice G. Arul Murugan found no merit in the appellant's claims. The Court emphasized that there was no evidence that Pathak had suffered any personal data breach. Instead, the Court noted that his actions appeared to be an attempt to leverage illegal access for commercial gain.

The Court held that since the issue of data integrity and the legality of the access was already being adjudicated in a civil court and a criminal trial (pending in C.C. No. 564 of 2026), the writ court was correct in refusing to intervene. The Bench held that the appellant could not bypass the ongoing judicial process by invoking writ jurisdiction in the name of "public interest."

Key Observations

The High Court’s ruling included several pointed observations on the nature of cyber security advocacy:

  • "The very test or access if had been made by the appellant in respect of the details of the other policy holders in the name of the test or random check can be construed only as an intrusion or unauthorised access."
  • "The respondents cannot act in violation of a statute for which he is liable to be punished and claim that he should be permitted to publish such illegal activity."
  • "The action pursued by the appellant on the face of it demonstrates that the intention lacks bonafides."
  • "In the absence of any lapse or data breach by any one, the appellant himself, having committed an illegal access and data breach... the writ petitions filed itself is not maintainable."

Final Decision

The Court dismissed the writ appeals in their entirety, confirming that the ongoing criminal and civil proceedings were the appropriate forums for resolving the dispute. By upholding the lower court's decision, the Madras High Court has established a firm precedent: "security testing" involving the extraction of data from private servers without explicit consent is not a shield against legal consequence, nor does it provide automatic standing to trigger state-led regulatory investigations.

This judgment serves as a cautionary tale for cybersecurity professionals against conducting unauthorized probes into corporate infrastructure, reinforcing that judicial remedies cannot be used to circumvent ongoing criminal and civil accountability.

unauthorized access - vulnerability testing - data breach - information technology act - civil sub-judice - writ jurisdiction
