Case Details
- Citation: [2022] SGHC 310
- Title: Razer (Asia-Pacific) Pte Ltd v Capgemini Singapore Pte Ltd
- Court: High Court of the Republic of Singapore (General Division)
- Suit No: 1233 of 2020
- Date of Decision: 9 December 2022
- Judge: Lee Seiu Kin J
- Hearing Dates: 13–15, 18–19, 21–22 July; 20 September 2022
- Plaintiff/Applicant: Razer (Asia-Pacific) Pte Ltd
- Defendant/Respondent: Capgemini Singapore Pte Ltd
- Legal Areas: Tort — Negligence; Commercial Transactions — Sale of services; Contract — Contractual terms
- Key Issues (as framed in the judgment): contractual breach (CSA, SOWs, DPA); duty of care and breach; causation; vicarious liability; contributory negligence; mitigation; damages (including loss of profits)
- Statutes Referenced: (not specified in the provided extract)
- Cases Cited: [2021] SGHC 203; [2022] SGHC 310
- Judgment Length: 71 pages, 19,145 words
Summary
Razer (Asia-Pacific) Pte Ltd v Capgemini Singapore Pte Ltd concerned a data incident arising from the misconfiguration of a server file in the course of implementing and managing Razer’s e-commerce data integration architecture. Razer alleged that Capgemini, as the successor to WhiteSky Labs (Singapore) Pte Ltd (“WSL”), breached contractual obligations and also owed (and breached) a duty of care in negligence. The alleged misconfiguration led to the leakage of Razer’s non-public customer data.
The High Court (Lee Seiu Kin J) analysed the dispute through both contractual and tortious lenses. On the contractual side, the court focused on the scope of Capgemini’s obligations under the Consulting Services Agreement (“CSA”), the relevant Statements of Work (“SOWs”), and the Data Processing Addendum (“DPA”), including whether the work relating to the “login problem” and the subsequent data exposure fell within the contractual allocation of responsibilities. On the tort side, the court addressed whether Capgemini owed Razer a duty of care, whether that duty was breached, and whether the breach caused the data loss. The court also considered contributory negligence, causation and mitigation, and the appropriate measure of damages, including Razer’s claimed loss of profits.
While the extract provided is truncated, the judgment’s structure and pleaded issues show that the court’s reasoning proceeded in a disciplined sequence: first, identify the contractual duties and whether they were breached; second, determine whether negligence was made out; third, assess causation, contributory negligence, and mitigation; and finally, quantify damages and grant appropriate declaratory relief. The decision is therefore useful for practitioners dealing with technology service contracts, data protection addenda, and the intersection of contractual risk allocation with negligence claims.
What Were the Facts of This Case?
Razer is a Singapore-incorporated business in gaming hardware, software, services and systems, and related digital payments and fintech services. As part of its “Project Phoenix”, Razer sought to upgrade its e-commerce platform from Hybris 5.7 to SAP Commerce Cloud. A key component of this re-platforming was integrating SAP Commerce Cloud with third-party applications used by Razer’s business teams. The integration was to be achieved through an API platform known as Mulesoft, enabling different applications to communicate with each other.
To implement the integration and related reporting capabilities, Razer engaged WSL as its information technology consultant. The parties entered into a CSA effective 1 March 2019. The CSA functioned as a master agreement, with the detailed services to be performed set out in subsequent SOWs as Project Phoenix progressed. Under the CSA, WSL warranted that its services would be performed professionally and timely, with appropriate proficiency and care, using suitably qualified personnel, and with reasonable methods and due care to protect against harmful code and to comply with applicable laws (including data privacy and personal data protection laws). The CSA also provided Razer with remedies such as requiring re-performance or remedying non-compliant services, or seeking a refund.
In late 2019 or early 2020, Capgemini recommended that Razer install and utilise the “ELK Stack” (Elasticsearch, Logstash, and Kibana) to support logging, search, viewing, analysis and data visualisation. The ELK Stack was relevant to the architecture for logging and querying data. Razer and WSL then entered into a February 2020 SOW for “Project Phoenix – ELK Reporting DB & API”. The purpose of this SOW was to expose digital transaction data relating to customer orders to Razer’s business reporting strategy. Because the migration would prevent reliance on an offline copy of the e-commerce database, WSL was engaged to implement and configure the ELK Stack to log and query data, and to implement and configure an additional Mulesoft API to expose filtered data to consumers and post it into a data store.
Razer and WSL also entered into an April 2020 SOW for “Adaptive Managed Services”, under which WSL was to provide one-year adaptive support and maintenance, governance over the Mulesoft platform and API services, and monthly reporting and support engineers who were certified Mulesoft developers. Separately, a May 2020 SOW for “Mulesoft Project Resource Support” provided for two Mulesoft consultants (a technical architect and a developer) to work under Razer’s project managers’ management and direction. In addition, Razer and WSL entered into a DPA (effective 20 March 2019) that set out WSL’s obligations regarding personal data made available to it in the course of providing services.
What Were the Key Legal Issues?
The judgment framed multiple issues, but the core questions can be grouped into contractual breach, negligence (duty, breach, causation), and damages. First, the court had to determine whether Capgemini breached its contractual obligations to Razer. This required careful attention to the CSA and the relevant SOWs, including whether the “login problem” and the events leading to the data leak fell within the scope of the April 2020 SOW or the May 2020 SOW, and whether the contractual warranties and obligations (including those in clause 3(ii) of the CSA) were breached.
Second, the court had to consider whether Mr Argel Cabalag, the technical architect involved in the implementation, was contractually obliged to carry out work relating to the login problem. This issue mattered because it linked the factual causation of the misconfiguration to the contractual allocation of responsibility between the parties and the relevant SOWs. The court also had to decide whether there was a breach of clause 3(ii) of the CSA, whether there was a breach of the DPA, and whether any implied duties were breached.
Third, on negligence, the court had to decide whether Capgemini owed Razer a duty of care, whether Capgemini breached that duty, and whether the breach caused the damage. The court also addressed vicarious liability for Mr Cabalag’s negligence, whether Razer was contributorily negligent for the data breach, whether Razer’s response to an August 2020 warning broke the chain of causation, and whether Razer failed to mitigate its losses. Finally, the court had to quantify damages, including loss of profits from Razer.com, and evaluate expert evidence on the “but-for” scenario and adjustments for COVID-19 and product launches.
How Did the Court Analyse the Issues?
The court’s analysis began with the contractual framework. The CSA was treated as a master agreement, with the SOWs specifying the services at different stages. The court focused on clause 3(ii) of the CSA, which required WSL (and, by novation, Capgemini) to perform services with professional timeliness and appropriate proficiency, using qualified personnel, and with reasonable methods and due care to protect against harmful code and to comply with applicable laws, including data privacy and personal data protection laws. The court also considered the CSA’s remedial structure, which gave Razer rights to require remedy or re-performance of non-compliant services, or a refund.
A central contractual question was the allocation of responsibility between the April 2020 SOW and the May 2020 SOW. The judgment’s structure indicates that the court examined whether Capgemini was contractually obliged to carry out work on the login problem under the April 2020 SOW, and whether Mr Cabalag’s work fell exclusively under the May 2020 SOW or within the managed services obligations under the April SOW. This is a common issue in technology service disputes: even where a consultant is technically involved, the legal question is whether the relevant task was within the contractual scope of the services being performed at the relevant time.
The court also addressed whether there was a breach of the DPA. Although the extract does not reproduce the DPA terms, the DPA’s purpose was to regulate how personal data was handled by the service provider. In data incident litigation, DPA provisions often operate as both contractual obligations and as evidence of the standard of care expected in handling personal data. The court therefore likely treated the DPA as a key source for determining whether Capgemini’s conduct fell below contractual and regulatory expectations.
On negligence, the court’s reasoning would have followed the established Singapore approach: identify whether a duty of care existed, determine whether it was breached, and then assess causation and remoteness. The judgment’s headings show that the court considered whether Capgemini owed Razer a duty of care, whether that duty was breached, and whether the breach caused the data leak and resulting damage. In professional services and IT implementation contexts, duty of care analysis typically turns on foreseeability of harm, the relationship between the parties, and whether it is fair, just and reasonable to impose a duty. The court also had to consider vicarious liability for Mr Cabalag’s negligence, which would depend on whether he was acting in the course of employment or engagement for Capgemini and whether the negligence was sufficiently connected to his role.
The court further addressed contributory negligence and mitigation. Contributory negligence in negligence claims can reduce damages where the claimant failed to take reasonable care for its own interests. The judgment also considered whether Razer’s response to an August 2020 warning broke the chain of causation. This reflects a causation-focused inquiry: even if an initial breach occurred, subsequent events and the claimant’s actions may affect whether the breach remains the effective cause of the loss. Finally, the court considered whether Razer failed to mitigate its losses, which is a standard principle in damages assessment.
Damages analysis was another major component. The judgment’s headings show that Razer claimed loss of profits from the sale of video game systems and gaming peripherals from Razer.com. The court evaluated expert evidence on loss of profits, including the plaintiff’s expert evaluation and the defendant’s expert critique of the calculations. It also considered the assumed loss period, adjustments for increased revenue due to COVID-19, the effect of new product launches on the “but-for revenue” calculation, and costs that should be taken into account. The court also considered whether revenue diversion to other sales channels should affect the profit calculation, and included items such as time and expenses of management and staff, engagement of NRF to advise and act for Razer in responding to data protection regulators, compensation to Mr Bob Diachenko, and costs of engaging forensic investigators.
What Was the Outcome?
Based on the judgment’s structure and the listed issues, the court’s outcome would have required determinations on each pleaded head: whether Capgemini breached contractual obligations under the CSA, SOWs and DPA; whether negligence was made out; and whether any reduction in damages followed from contributory negligence, causation breaks, or failure to mitigate. The court would also have decided the extent of any declaratory relief sought and the final damages awarded (including the loss of profits component and any other recoverable heads).
Practically, the decision is significant because it addresses how courts approach responsibility in complex IT projects where multiple SOWs govern different phases, where a consultant’s role may shift after acquisition/novation, and where the claimant’s response to warnings and regulatory engagement may affect causation and damages.
Why Does This Case Matter?
This case matters for practitioners because it illustrates how Singapore courts handle disputes arising from data incidents in commercial IT engagements. First, it demonstrates that contractual terms—particularly master agreements, SOW scope, and data processing addenda—are central to determining liability. Even where negligence is pleaded, the court’s analysis begins with the contractual architecture governing what the service provider was obliged to do, when, and under which phase of the project.
Second, the judgment is useful for understanding how courts treat causation and damages in data breach litigation. The inclusion of detailed “but-for” profit calculations, adjustments for external factors such as COVID-19, and consideration of diversion to other sales channels shows that damages are not awarded automatically. Instead, courts scrutinise the methodology and ensure that claimed losses are properly linked to the breach and not inflated by unrelated market effects.
Third, the case highlights the importance of operational and response conduct. Issues such as whether the claimant’s response to an August 2020 warning broke the chain of causation and whether mitigation was adequate underscore that liability and damages can be affected by post-incident actions. For law firms advising clients in similar disputes, the case supports a litigation strategy that integrates contract interpretation, evidence of technical responsibility, and a robust damages model that anticipates causation and mitigation challenges.
Legislation Referenced
- (Not specified in the provided extract.)
Cases Cited
Source Documents
This article analyses [2022] SGHC 310 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.