Delhi High Court Asks Centre's Counsel To Seek Instructions On Plea For CERT-In Led Investigation Into Data Breaches At Domino's, Big Basket, Etc.

A plea has been filed before the Delhi High Court seeking directions on Computer Emergency Response Team India (CERT-IN) to initiate investigation into large scale breaches in data maintained by companies namely BigBasket, Domino's, MobiKwik and Air India.

Acting on the grievances raised before it, Justice Rekha Palli on Friday, granted time to Central Government Standing Counsel Ajay Digpaul, to obtain instructions in the matter.

The matter will now be heard on September 23.

The petitioner, Y Kiran Chandra, is the General Secretary of FSMI (Free Software Movement of India), which is a national coalition of various regional and sectoral free software movements, operating in different parts of India.

Filed through Advocates Prasanth Sugathan, Prasanna S and Yuvraj Singh Rathore, the plea alleges that the data collected by these companies from mobile or online web applications has resulted in data breaches that have compromised sensitive personal and financial information of millions of users of these services.

It is the case of the petitioner, that while relying on newspaper reports covering data the aforementioned breaches, he had written to CERT-In urging it to investigate the same and update the citizens on what had transpired, as mandated by the CERT-In Rules notified under Section 70B of the Information Technology Act, 2000.

"The said breaches constitute threats to physical and financial safety of users of these services. The address data, emails, contact numbers, financial details - credit and debit card details, KYC details leak pose a grave threat to security of users," the plea reads.

Citing section 70B, the petitioner submits that CERT-In is responsible for collecting and analyzing information on cyber incidents, to issue guidelines and also to call for information and give directions to the service providers, intermediaries, data centres, body corporate and any other persons in this regard.

It is further averred that as per the Citizen Charter of CERT-In, it is required to acknowledge the grievances received by it, and redress the same within one month from the data of receipt of grievance. 

"Since there is no law governing data protection in India as of now. Thereby, the aggrieved users do not have any legislative recourse against such breaches. Therefore, an investigation and review by CERT-In on frequent data breaches at mass level becomes important to safeguard the privacy of users", the petition adds.

Moreover, the petition states that a legal notice was sent to Ajay Lakra, Public Grievance Officer, CERT-In on June 11, 2021 requesting him to investigate the data breaches.

The Petitioner also submitted the response received by him on June 25, 2021 that stated, "we would like to inform you that CERT-In is aware of its responsibilities and does not require your client's directions to investigate data breaches as highlighted by you. Organizations named in your notices have been directed to comply with the relevant provisions of law."

In this background, the petitioner has stated that CERT-In is not taking any action qua the incidents of cyber security breaches and has sought for directions on the authority to comply with its citizen's charter and respond to the grievances raised by the Petitioner.

Title: YARLAGADDA KIRAN CHANDRA v. UNION OF INDIA & ANR.

Click Here To Read Order