THE APPEAL
Lead counsel for Capgemini, Mr Andy Leck from Baker McKenzie Wong & Leow, put forth three grounds of appeal during the three-hour hearing.
He argued that High Court judge Lee Seiu Kin was wrong in finding that Razer discharged its burden of proving damages for loss of profit; that Razer did not fail to mitigate its losses by its delay in responding to Mr Diachenko’s repeated warnings; and that Razer was not contributorily negligent for said delay.
The issue began in June 2020 when a Capgemini employee was tasked with helping Razer with a login problem on an internal IT system.
Mr Argel Cabalag had added a “#” command to a configuration file that controlled security and access to an application. The misconfiguration then disabled the security settings of the application, eventually leading to the data breach.
Mr Diachenko first contacted Razer’s support team on Aug 19, 2020, saying he had come across an unprotected, publicly available database that appeared to contain the personal data of Razer’s customers.
When Razer did not respond, Mr Diachenko reached out another four times on Aug 20, Aug 22, Aug 27 and Sep 9.
Razer’s management team found out about the breach on Sep 9. Mr Cabalag resolved the issue within a day.
Among his arguments in court, Mr Leck noted Razer’s own evidence – that it would have provided an “orderly resolution” if its cyber security and compliance process architect at the time, Ms Tiong Lee Lan, took reasonable steps to ensure the data leak was brought to her attention.
Razer also admitted that Ms Tiong had failed to respond to Mr Diachenko immediately and escalate his warnings in accordance with protocol, added Mr Leck.
Razer had given evidence that Mr Diachenko would have released information on the data leak regardless of what Razer had done in response to his warnings, while Capgemini did not provide any evidence to suggest that the reverse was true.
WARNING LETTER ISSUED
Razer had also issued a warning letter to Ms Tiong – a point that Mr Leck said was “very important” to their case.
The letter stated that “the extent of the issue would have been significantly mitigated” if Ms Tiong had carried out the appropriate incident response or evaluated the veracity of Mr Diachenko’s initial email.
In finding that Razer was not contributorily negligent for the data breach, Justice Lee wrote in his judgment he did not think the “wording of an internal company reprimand” would “shed any light on whether Razer caused the damage or would have suffered less damages if it acted promptly”.
Mr Leck argued that Justice Lee had failed to put adequate weight on the warning letter.
In response, Razer’s lead counsel, Mr Wendell Wong from Drew & Napier, asked what extent of reaction time could be deemed a breach. He also questioned how much Capgemini wanted to reduce the damages.
Judge of the Appellate Division Woo Bih Li told him: “Speaking for myself, your opponent may have a point. If you all had gotten back to Mr Diachenko promptly and assured him things would be done, maybe (the news articles reporting on the data leak) would have been done differently.
“But you didn’t and frankly speaking, that’s my concern. Why should it be zero when it comes to contributory negligence?” Justice Woo asked.
When Mr Wong said they agreed there had been a delay on Razer’s part, the judge challenged him on whether he accepted Razer was contributorily negligent.
Mr Wong responded: “I can only say this. In terms of evidence led, I understand about the internal letter and we were late in responding to Diachenko.
“But our humble submission is that when you look at overall schematics, they were not negligent in failing to respond within the three weeks we talked about.”
Mr Wong also said that Capgemini did not provide evidence on how Mr Diachenko would have reacted if Razer promptly responded to him.
In response, Justice Woo noted that ironically, one could argue that Razer was more negligent because Capgemini’s error “seemed inadvertent”.
“(Razer was) told about (the data breach) a few times over a few weeks. It was not that Ms Tiong forgot to respond to it,” the judge added.
“She was told about it a few times and then various other people in Razer’s team were also informed. This went back and forth for three weeks. Then Razer said, ‘I will sue you for negligence and we say we’re not negligent.’
“I find that very hard to accept.”
Justice Woo and the other two judges hearing the appeal – Justices Kannan Ramesh and Andre Maniam – eventually directed both parties to discuss whether they can agree on how much the awarded damages should be reduced. This is if the court finds contributory negligence or a failure to mitigate on Razer’s end, or a similar type of defence.
The court asked the lawyers to revert by Jul 17, and reserved its decision in the meantime.