Indian Kanoon - Search engine for Indian Law

1) By this Petition filed under Section 9 of the Arbitration and Conciliation Act, 1996 (Arbitration Act), the Petitioner seeks interim measures prior to commencement of arbitral proceedings. The Petitioner has sought permission to conduct audit and inspection at Respondent's premises, systems and infrastructure in relation to the data theft incident through a third party. In the alternative, the Petitioner has sought direction for appointment of local commissioner to visit Respondent's premises for the purpose of identifying inventory and for recording the databases, servers, systems, devices and repositories on which the relevant confidential data is stored or processed. The Petitioner has also sought direction against the Respondent to preserve and maintain complete status quo in respect of confidential data, records, logs, backups, servers, databases and electronic system relating to the Petitioner and to restrain the Respondent from deleting, altering, destroying, overwriting, transferring or tampering with such data. The Petitioner has also sought direction for handing over all confidential data belonging to the Petitioner. The Petitioner has also sought direction against the Respondent to share findings, committee report or root cause analysis of its internal review or investigation of data theft incident.

3) The Petitioner claims that in August 2025, it became aware of a large scale fraud perpetrated on credit card holders of its customer- SBI Cards and Payment Services Ltd. (SBI Cards) through various media reports published on 16 August 2025 and email by SBI Cards on 19 August 2025. According to the Petitioner, the fraud was perpetrated by some of the employees of the Respondent, who facilitated unauthorised access, misuse and exploitation of highly sensitive customer data. According to the Petitioner, it informed the Respondent on 17 August _____________________________________________________________________________________________ PAGE NO. 3 of 30 3 FEBRUARY 2026 Neeta Sawant CARBP(L)-475-2026.docx 2025 about acquisition of knowledge about data theft incident through media reports and suspended operations of services under the Services Agreement. In its reply dated 17 August 2025, the Respondent sought to downplay the data theft incident and assured to the Petitioner that it would share the precise and comprehensive information regarding the data theft incident. On 18 August 2025, the Petitioner requested the Respondent to share the findings of fact of internal review undertaken by the Respondent. The Respondent failed to provide so. On 19 August 2025, the Petitioner received email from SBI Cards informing it that SBI Cards would conduct an investigative audit of Petitioner's process, including Petitioner's outsourcing activities.

29) In the meantime, Petitioner received notice from IFSO, Special Cell, Cyber Crime Unit calling it upon to provide internal/third party audit reports on Respondent's data, security monitoring and compliance check for the period 2020-2025. Petitioner was also directed to furnish comprehensive written explanation as to how credit card data was repeatedly stolen and leaked over several years despite outsourcing safeguards. Instead of permitting Petitioner to conduct audit, Respondent went ahead and terminated the contract by notice dated 31 August 2025 on the ground of failure to make due payments within a period of 15 days. In my prima facie view, the termination was resorted to possibly for avoiding the conduct of audit by the Petitioner. Be that as it may. Petitioner issued response dated 27 October 2025 rejecting termination of the contract. This time, Petitioner also terminated the Services Agreement on the grounds inter alia of failure to report Data Theft Incident, refusal to return confidential data. Petitioner called upon Respondent to allow it to conduct infosec audit either on standalone basis or jointly with SBI Cards. Respondent responded on 4 November 2025 and qua the requisition for conduct of audit and it stated in para- 8.1 of its response as under :

40) In my view therefore, interim measures cannot be denied to the Petitioner by accepting Respondent's objection that no mandatory injunction can be granted at interlocutory stage.

41) Respondent's objection that the 'root cause' cannot be determined by audit is speculative and merely an attempt to somehow avoid conduct of audit. Petitioner is contractually entitled to conduct audit of premises, documents, records of the Respondent if it wants to know whether Respondent has acted diligently or whether it is responsible or involved in the incident of data theft. It is not for the Respondent to determine whether Petitioner would be successful in securing necessary information in the audit or not. Respondent's employees are arrested for data theft involving possible vicarious liability of the Respondent towards the Petitioner. This Court has also noticed deliberate attempts on the part of the Respondent to avoid conduct of audit which are aimed at obvious objective of hiding the records from the Petitioner.