Recourse following data breaches – what can companies do?

Singapore court finds third-party IT provider liable for employee's error


Businesses face significant financial impact from data breaches. The costs include remediation and IT forensic investigation costs, the cost of notifying affected individuals, legal fees arising from regulatory investigations and fines, reputational damage, and business interruption losses. Given these financial ramifications, there is a growing trend in Singapore for organisations to consider recovering such expenses from the third parties whose conduct may have caused the underlying breach.

One example of this is the recent judgment in Razer (Asia-Pacific) Pte Ltd v. Capgemini Singapore Pte Ltd., [2022] SGHC 310.

Razer (Asia-Pacific) Pte Ltd (Razer), a Singapore-based gaming hardware company, discovered a leak of its customers' information, including email addresses and order information, that occurred between June and September 2020. Razer argued that the leak caused it substantial expense, including forensic investigation expenses, legal costs, and reputational damage from negative press coverage of the breach. Razer also claimed loss of profits and loss of the chance to secure potential business opportunities.

Razer commenced a High Court action against its information technology consultant, Capgemini Singapore, claiming damages in contract and negligence.

Razer had engaged WhiteSky Labs (WSL), which was subsequently acquired by Capgemini, as its information technology consultant to assist with the upgrade of Razer's digital commerce platform. In June 2020, WSL's Senior Consultant, Argel Cabalag, was asked to help Razer troubleshoot and resolve a problem logging into and accessing a server and/or its application. In resolving that issue, Cabalag added a "#" to a configuration file, which had the unfortunate effect of disabling a security setting and allowing unauthenticated access to the application.
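The class of error at issue, a security directive silenced by a comment marker, is easy to miss in a visual diff but easy to catch mechanically. The following Python script is an added illustration, not code from the judgment or from either party. Its config format, the directive names (`auth_required`, `tls_enabled`, `allowed_origins`) and both sample files are hypothetical; the article does not identify the actual file, product or setting involved. The check compares the file as deployed against a reviewed baseline and reports any critical directive that has been commented out, changed or removed.

```python
"""Flag security directives that a config edit has silenced.

Added example, not code from the judgment or from either party to the
case. It assumes a hypothetical line-oriented config format
("key = value", with "#" starting a comment); the real file, product
and directive in the incident are not identified in the article.
"""
import re
from dataclasses import dataclass

# Directives whose loss must never pass silently (hypothetical names).
CRITICAL_KEYS = {"auth_required", "tls_enabled", "allowed_origins"}

# Constructed samples: the reviewed baseline, and the same file after a
# troubleshooting edit prefixed one line with "#".
BASELINE = """\
listen = 0.0.0.0:8443
auth_required = true
tls_enabled = true
allowed_origins = https://shop.example.test
"""

AFTER_EDIT = """\
listen = 0.0.0.0:8443
#auth_required = true
tls_enabled = true
allowed_origins = https://shop.example.test
"""

# A directive line, optionally preceded by a comment marker.
LINE_RE = re.compile(
    r"^\s*(?P<comment>#?)\s*(?P<key>[A-Za-z_][\w.]*)\s*=\s*(?P<value>.*?)\s*$"
)


def parse_config(text):
    """Return (active, commented): two dicts of key -> value.

    A directive preceded by "#" is parsed but recorded separately, so
    the audit can tell "deleted" apart from "disabled by a comment".
    """
    active, commented = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line, or a comment that is not a directive
        target = commented if m.group("comment") else active
        target[m.group("key")] = m.group("value")
    return active, commented


@dataclass(frozen=True)
class Finding:
    key: str
    reason: str
    baseline_value: str


def audit_config(baseline_text, current_text, critical_keys=CRITICAL_KEYS):
    """List critical directives from the baseline that are no longer in force."""
    base_active, _ = parse_config(baseline_text)
    cur_active, cur_commented = parse_config(current_text)
    findings = []
    for key in sorted(k for k in critical_keys if k in base_active):
        expected = base_active[key]
        if key in cur_active:
            if cur_active[key] != expected:
                findings.append(Finding(key, "value changed to %r" % cur_active[key], expected))
        elif key in cur_commented:
            findings.append(Finding(key, "commented out", expected))
        else:
            findings.append(Finding(key, "removed", expected))
    return findings


if __name__ == "__main__":
    for f in audit_config(BASELINE, AFTER_EDIT):
        print(f"{f.key}: {f.reason} (baseline: {f.baseline_value!r})")
```

Run as a change-management gate, a non-empty result should block the change until a second person has reviewed it. The check reports "commented out" separately from "removed" because an operator silencing a line with `#` while troubleshooting is exactly the edit that looks harmless in the moment and is the hardest to spot afterwards.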


Judgment 

The High Court found that Capgemini was in breach of its consulting services agreement for failing to take the appropriate technical and organisational measures to ensure the confidentiality, integrity, availability, and resilience of Razer’s systems. In addition to a breach of an express term of the contract, the High Court also found that there was a breach of an implied term of the contract to exercise reasonable care. 

Additionally, Razer succeeded in its negligence claim. The High Court found that it was foreseeable that any carelessness on Capgemini's part would cause damage to Razer, and that it was reasonable to expect Capgemini to address technical matters without compromising Razer's security and private data. Accordingly, Capgemini's misconfiguration was found to be a breach of the standard of care that caused Razer loss. 

The High Court allowed Razer's claims for loss of profits on sales of video game systems and gaming peripherals through its site, legal costs incurred in engaging lawyers to advise and act for it, the payment made under Razer's bug bounty programme, and fees and disbursements paid to conduct forensic investigations, awarding a judgment sum of USD 6,518,738.81. 


Key takeaways 

Razer v. Capgemini highlights the opportunity available for companies that suffer data breaches to recover the damages, costs and expenses incurred in responding to the data breaches from any responsible third parties. This is equally applicable to cyber insurers with respect to subrogation opportunities. 

To preserve their recovery opportunities after a data breach and increase their chances of successfully recovering damages from the breach, companies should take the following steps:

  • Document the breach: Companies should carefully document all aspects of the data breach, including the nature and extent of the data that was lost or stolen, the timeline of events, and any actions taken in response to the breach. 
  • Preserve evidence: Companies should take steps to preserve all relevant evidence related to the breach, such as server logs, emails, and other digital records. This evidence can be important for identifying the cause of the breach and determining who is responsible.
  • Work with experts: Companies should work with legal and cybersecurity experts to develop a comprehensive incident response plan and to identify potential recovery options. Experts can also help to identify areas where the company can improve its cybersecurity measures to prevent future breaches.
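To make the "preserve evidence" step concrete, here is an added Python example (not from the article or from either party to the case) of the integrity record a responder can keep alongside collected evidence: a manifest of SHA-256 digests with collection metadata, a digest of the manifest itself to lodge with counsel or in the incident ticket, and a verification routine that shows whether each item is unchanged since collection. The evidence labels and their contents are constructed samples.

```python
"""Integrity manifest for preserved breach evidence.

Added example, not from the article or from either party to the case.
It assumes evidence has been collected as discrete items (log files,
exported mailboxes) whose bytes are available, and records a SHA-256
digest and size per item plus collection metadata, so that anyone later
relying on the material can show it is unchanged since collection.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: dict, collected_by: str, collected_at=None) -> dict:
    """items maps an evidence label (for example a path) to its raw bytes."""
    if collected_at is None:
        collected_at = datetime.now(timezone.utc).isoformat()
    return {
        "collected_by": collected_by,
        "collected_at": collected_at,
        "algorithm": "sha256",
        "items": {
            label: {"sha256": sha256_hex(data), "size": len(data)}
            for label, data in sorted(items.items())
        },
    }


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical JSON form, to be recorded somewhere the
    collector cannot later alter (ticket, e-mail to counsel, notebook)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def verify_manifest(manifest: dict, items: dict) -> list:
    """Return (label, problem) pairs for items that are missing or whose
    content no longer matches the digest recorded at collection."""
    problems = []
    for label, rec in manifest["items"].items():
        if label not in items:
            problems.append((label, "missing"))
        elif sha256_hex(items[label]) != rec["sha256"]:
            problems.append((label, "modified"))
    return problems


# Constructed sample evidence, not material from the case.
EVIDENCE = {
    "web/access.log": b"2020-06-18T10:15:02Z GET /api/orders 200\n",
    "web/app.conf": b"#auth_required = true\n",
}

if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, collected_by="ir-analyst")
    print(json.dumps(manifest, indent=2))
    print("manifest digest:", manifest_digest(manifest))
    tampered = {**EVIDENCE, "web/access.log": b"redacted\n"}
    print(verify_manifest(manifest, tampered))
```

The manifest is only as trustworthy as the place its digest is recorded: write the digest into a system the collecting team cannot edit retrospectively, and hash the originals before any analysis tooling touches them.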

As a risk mitigation measure, companies should also review their existing and future contracts and policies with vendors, customers, and other parties to determine what liabilities and responsibilities are assigned in the event of a data breach. This can help to ensure that the company is fully aware of its recovery options and obligations.

Sumyutha Sivamani is a Legal Director in the Singapore office of Clyde & Co specialising in insurance-related dispute resolution and advisory work with a focus on cyber risk, incident response, and data privacy matters.