In a contemporary, hyper-connected economy, data flows across borders raise complicated legal questions in the event of cybersecurity breaches through unauthorised access and data exfiltration.
Ajoy Roy
Partner
Shardul Amarchand Mangaldas & Co
Delhi
Tel: +91 98 1009 8332
Email: ajoy.roy@amsshardul.com
Complexity arises when data subjects, processors and controllers operate across multiple jurisdictions, with inconsistent legal obligations regarding personal data. Such multi-party and multi-jurisdictional dynamics are prone to challenges concerning applicable laws and the enforceability of judgments, awards and decrees between the concerned parties, along with their respective insurers and reinsurers.
The stakes in such disputes are high, as a single incident of illicit data breach may unleash a cascading transnational trade in personally identifiable data, often on the dark web, threatening data integrity and individual security on a global scale. Against a backdrop of soaring cybercrime typologies, including malware intrusions, ransomware events, identity theft, and digital extortion, aggrieved data subjects frequently aggregate their claims into putative class actions, seeking compensatory and punitive damages, as well as injunctive and equitable relief.
In India, a global hub for IT and back-end services, such disputes assume cross-border dimensions when engaging with jurisdictions hosting vast technology and finance enterprises, including the US, particularly in the context of Indian cyber liability and insurance policies.
Cyber liability disputes differ from classical tort litigation due to specific laws governing the subject. Data breach litigation generates mass claims, regulatory exposure, reputational risk, and associated costs for litigation, forensics, mandatory notifications and credit monitoring.
Class action litigation predominantly steers towards a settlement, considering the liability exposure, and the time and costs of a full-blown trial. Therefore, class-wide settlements are preferred. Empirical studies also confirm that most cyber incidents are resolved through negotiated settlements rather than full adjudication.
Coverage disputes in India frequently arise belatedly, post-conclusion of settlement, with the jurisdiction of courts or tribunals being invoked to interpret terms of the underlying insurance policy, for challenging coverage, reimbursement of settlement sums, and claims surrounding security breach exclusions and conditions that bar indemnity.
Aishani Das
Principal Associate
Shardul Amarchand Mangaldas & Co
Delhi
Tel: +91 79 8720 5128
Email: aishani.das@amsshardul.com
Contentious issues also include prior approvals, and settlement authority and caps, incurring defence costs and indemnity obligations, especially when carriers deny coverage, citing their non-participation in the primary proceedings and therefore not being bound by any judgment or decree passed.
The Supreme Court of India, in National Insurance Company v Nippon Paper Foodpac Pvt Ltd, while dealing with bifurcation of subject matter in the context of insurance claims, observed that “this invariably leads to confusion, multiple litigation, piecemeal decision, and chances of conflicting orders”.
Cross-border claims create challenges in harmonising domestic coverage with foreign proceedings, often leading to inconsistent outcomes and enabling insurers to deny claims. On conclusion of primary adjudication of liability proceedings in a foreign jurisdiction, the court or tribunal seated in India must preliminarily decide the binding (or non-binding) effect of the foreign judgment or settlement decree passed.
It must determine whether this has a preclusive or evidentiary effect in the coverage and insurance claim dispute, especially if the judgment or decree, although for a fixed debt, was in personam and not between the same parties, in the absence of the carrier in such primary litigation.
The burden of proof to demonstrate conclusiveness rests on the party seeking it. Based on principles of comity, res judicata and estoppel, courts and tribunals in India would have to consider whether there may be “preclusive effects” to issues or claims decided in foreign judgments or decrees.
This inquiry includes arbitrability, recognition, compatibility, evidentiary weightage, and reciprocity and consistency in relation to foreign judgments. In the Nippon Paper case, the Supreme Court questioned the Insurance Regulatory and Development Authority of India’s approach of treating quantum disputes as arbitrable while excluding repudiation and denial of claims from the scope, considering unintelligible bifurcation complicating arbitrability and uncertainty over the conclusiveness of foreign judgments.
The Indian regime on the treatment of foreign judgments and decrees (including settlement agreements) is codified under the Code of Civil Procedure, 1908 (CPC). Section 13 provides that a foreign judgment shall be conclusive “as to any matter directly adjudicated between the same parties”, save for certain exceptions, including when the judgment sustains a claim contrary to Indian law.
Section 44A provides for the execution of decrees from reciprocating territories. Section 19 of the Arbitration and Conciliation Act, 1996, permits tribunals’ procedural autonomy to determine admissibility and evidentiary value, without being bound by the CPC.
So, even a court-sanctioned settlement from a reciprocating territory may not be automatically conclusive in India. Its recognition depends on satisfying the requirements of section 13 of the CPC, and its binding force is limited to matters between the same parties, and where Indian law is not subverted.
This creates a structural difficulty in insurance disputes, where the final decree is typically between the defendants and the claimants only, without the insurers or reinsurers (from other jurisdictions) necessarily impleaded, thereby providing fertile ground for insurers to deny coverage or reimbursement liabilities.
The Canadian Supreme Court, while considering a stay of one of two parallel coverage proceedings in separate jurisdictions, examined multiple approaches to address the issue.
Balapragatha Moorthy
Associate
Shardul Amarchand Mangaldas & Co
Delhi
Tel: +91 94 8778 8256
Email: balapragatha.m@amsshardul.com
The International Law Association’s final report on res judicata and arbitration (2006) recommends that arbitral tribunals treat res judicata “autonomously” – governed not by the conflict rules of any domestic legal system, but by “transnational substantive and procedural rules” developed for arbitral practice.
Indian carriers often insist on strict compliance with contractual conditions in policy documents, especially those relating to notification requirements, prior authority and consents, and construction of exclusionary clauses, even when the condition may not apply (due to carve-outs or ambiguity) or the non-compliance may not be material or prejudicial. They may do this only to unfairly deny coverage or reimbursement liability, despite there being a judgment affixing liability on the insured.
Carriers also tend to unreasonably withhold authority or approvals, or cause delay in granting consents to incur defence costs/defend/settle suits/claims, risking ballooning of the pending litigation. Insurers also insist on unequivocal statements, admissions of guilt, or negligence, which insureds are unable to provide, especially when the primary lawsuit on liability affixation is pending adjudication.
It should be noted that the Indian Supreme Court has recently held that an insurer cannot reject a claim on the grounds of breach of a policy condition, the performance of which is impossible or frustrated.
In coverage arbitrations, private settlements with third parties generally do not bind the insurer. Findings, if any, on liability or causation in settlements or consent decrees may carry initial persuasive value. However, questions on claims and coverage overall, exclusions, and performance of policy conditions remain within the tribunal’s scope of independent determination.
The rise of cross-border class actions from data breaches has exposed critical misalignments in cyber insurance, often causing policies meant to protect insureds from catastrophic liabilities to fail. Foreign plaintiffs typically sue only the corporate defendant, excluding insurers or reinsurers from the proceedings.
As a result, any judgment or settlement that becomes res judicata in the forum state often lacks privity with the risk carriers. This forces insureds to initiate separate coverage actions in other jurisdictions to secure indemnification, creating inefficiency and uncertainty.
This problem is exacerbated by standard policy clauses – such as consent to settle, co-operation, and “no voluntary payments” – which rarely align with the accelerated timelines of class action settlements.
When settlements approach court approval, driven by certification deadlines and opt-out rights, insurers’ notice and consent requirements often lag behind, with little incentive for carriers to expedite and settle out of their own pockets. If insurers withhold or delay consent, insureds must choose between risking the settlement or proceeding without the insurer’s assent, potentially forfeiting coverage for breach of conditions precedent.
Strict enforcement of policy terms thus threatens the core risk-transfer function of cyber insurance. Courts and arbitral tribunals should interpret such clauses through the lens of commercial reasonableness, implying duties of good faith and co-operation.
Insurers should be barred from denying coverage on technical grounds if they had notice, an opportunity to participate and suffered no prejudice. Courts should require insurers and reinsurers to be impleaded from the outset, ensuring their interests are represented and reducing potential for subsequent disputes.
Recognition regimes should allow insurers to directly enforce indemnity obligations. Without such reforms, data-breach insurance will remain unreliable, leaving policyholders exposed to multi-jurisdictional disputes.
SHARDUL AMARCHAND MANGALDAS & CO
Amarchand Towers 216
Okhla Industrial Estate
Phase III New Delhi 110 020, India
Tel: +91 11 4159 0700
Email: connect@amsshardul.com
www.amsshardul.com