IT vendor appeals against US$6.5 million in damages awarded to gaming firm Razer over data leak

A judge questioned Razer's lawyers on whether they were contributorily negligent, given that Razer failed to respond to a security consultant's repeated warnings when the leak happened in 2020.

Razer Southeast Asia headquarters in Singapore. (Screengrab of Google Street View)

10 Jul 2023 04:00PM (Updated: 10 Jul 2023 04:19PM)

SINGAPORE: IT vendor Capgemini’s lawyers argued in court on Monday (Jul 10) that it should have to pay “nominal damages” to gaming hardware maker Razer over a data leak, instead of the sum of US$6.5 million (S$8.7 million) it was ordered to fork out last year.

Lawyers for Razer countered that the amount of damages should not be reduced, while trying to establish that Razer had not been contributorily negligent or failed to mitigate the data leak.

Both companies were putting forth arguments in the Appellate Division of the High Court after Capgemini, a French multinational firm, lodged an appeal against the High Court’s decision last December to award Razer US$6.5 million in damages following a civil trial.

Three judges in the Appellate Division reserved their judgment on Monday.

Capgemini has accepted liability for damages after its former employee admitted mid-trial that he caused a cybersecurity breach that led to the leak.

However, it is challenging the quantum of damages awarded to Razer, which comprised US$6.1 million in loss of profits from Razer’s e-commerce platform.

It also included about US$320,400 for engaging a law firm, US$60,000 for paying an information technology forensic expert to investigate the matter, as well as US$2,000 to security consultant Bob Diachenko for discovering the leak.

The data leak in 2020 involved personal information, as well as order and shipping details, of about 100,000 Razer customers.

It made headlines after Mr Diachenko discovered the breach and posted a LinkedIn article about it on Sep 10, 2020.

Razer, co-founded by Singaporean Tan Min-Liang, has headquarters in both Singapore and California.

THE APPEAL

Lead counsel for Capgemini, Mr Andy Leck from Baker McKenzie Wong & Leow, put forth three grounds of appeal during the three-hour hearing.

He argued that High Court judge Lee Seiu Kin was wrong in finding that Razer discharged its burden of proving damages for loss of profit; that Razer did not fail to mitigate its losses by its delay in responding to Mr Diachenko’s repeated warnings; and that Razer was not contributorily negligent for said delay.

The issue began in June 2020 when a Capgemini employee was tasked with helping Razer with a login problem on an internal IT system.

Mr Argel Cabalag had added a “#” command to a configuration file that controlled security and access to an application. The misconfiguration then disabled the security settings of the application, eventually leading to the data breach.

Mr Diachenko first contacted Razer’s support team on Aug 19, 2020, saying he had come across an unprotected, publicly available database that appeared to contain the personal data of Razer’s customers.

When Razer did not respond, Mr Diachenko reached out another four times on Aug 20, Aug 22, Aug 27 and Sep 9.

Razer’s management team found out about the breach on Sep 9. Mr Cabalag resolved the issue within a day.

Among his arguments in court, Mr Leck noted Razer’s own evidence – that it would have provided an “orderly resolution” if its cyber security and compliance process architect at the time, Ms Tiong Lee Lan, took reasonable steps to ensure the data leak was brought to her attention.

Razer also admitted that Ms Tiong had failed to respond to Mr Diachenko immediately and escalate his warnings in accordance with protocol, added Mr Leck.

Razer had given evidence that Mr Diachenko would have released information on the data leak regardless of what Razer had done in response to his warnings, while Capgemini did not provide any evidence to suggest that the reverse was true.

WARNING LETTER ISSUED

Razer had also issued a warning letter to Ms Tiong – a point that Mr Leck said was “very important” to their case.

The letter stated that “the extent of the issue would have been significantly mitigated” if Ms Tiong had carried out the appropriate incident response or evaluated the veracity of Mr Diachenko’s initial email.

In finding that Razer was not contributorily negligent for the data breach, Justice Lee wrote in his judgment he did not think the "wording of an internal company reprimand" would "shed any light on whether Razer caused the damage or would have suffered less damages if it acted promptly".

Mr Leck argued that Justice Lee had failed to put adequate weight on the warning letter.

In response, Razer’s lead counsel, Mr Wendell Wong from Drew & Napier, asked what extent of reaction time could be deemed a breach. He also questioned how much Capgemini wanted to reduce the damages.

Judge of the Appellate Division Woo Bih Li told him: “Speaking for myself, your opponent may have a point. If you all had gotten back to Mr Diachenko promptly and assured him things would be done, maybe (the news articles reporting on the data leak) would have been done differently.

“But you didn’t and frankly speaking, that’s my concern. Why should it be zero when it comes to contributory negligence?” Justice Woo asked.

When Mr Wong said they agreed there had been a delay on Razer’s part, the judge challenged him on whether he accepted Razer was contributorily negligent.

Mr Wong responded: “I can only say this. In terms of evidence led, I understand about the internal letter and we were late in responding to Diachenko.

"But our humble submission is that when you look at overall schematics, they were not negligent in failing to respond within the three weeks we talked about.”

Mr Wong also said that Capgemini did not provide evidence on how Mr Diachenko would have reacted if Razer promptly responded to him.

In response, Justice Woo noted that ironically, one could argue that Razer was more negligent because Capgemini’s error “seemed inadvertent”.

“(Razer was) told about (the data breach) a few times over a few weeks. It was not that Ms Tiong forgot to respond to it,” the judge added.

“She was told about it a few times and then various other people in Razer’s team were also informed. This went back and forth for three weeks. Then Razer said, ‘I will sue you for negligence and we say we’re not negligent.’

“I find that very hard to accept.”

Justice Woo and the other two judges hearing the appeal – Justices Kannan Ramesh and Andre Maniam – eventually directed both parties to discuss whether they can agree on how much the awarded damages should be reduced. This would apply if the court finds contributory negligence or a failure to mitigate on Razer’s end, or a similar type of defence.

The court asked the lawyers to revert by Jul 17, and reserved its decision in the meantime.

Source: CNA/lt(gr)
