Corporate Cybercrime Liability in the Philippines: Company Exposure for Hacking and Ransomware Cover-Ups
Introduction: why corporate cybercrime liability now matters
Ransomware incidents and illicit system access are no longer treated as purely “IT problems.” In the Philippines, these events can trigger criminal exposure not only for individual employees but also for the company as a juridical person, especially when (a) the attack leads to concealment or obstruction of investigation, or (b) company resources are used to intrude into a competitor’s systems.
This article explains how corporate liability works under the Cybercrime Prevention Act of 2012 (Republic Act No. 10175, approved September 12, 2012), how investigators compel disclosure of computer data, and how management decisions during an incident can aggravate legal risk.
Governing laws and issuances
Cybercrime Prevention Act of 2012 (Republic Act No. 10175, September 12, 2012). This is the primary statute defining cybercrime offenses, related offenses, enforcement powers, and special rules for cyber-enabled crimes. Two provisions are especially relevant to corporate exposure: (1) the “one degree higher” penalty rule for crimes committed through ICT, and (2) corporate liability when offenses are committed on behalf of or for the benefit of the company.
DOJ Department Circular No. 008 (2019). This issuance reflects how prosecutors track and monitor cybercrime and cyber-related cases, including offenses under RA 10175 and traditional crimes committed through ICT. It signals that cyber cases are handled with structured reporting and documentation requirements within the prosecution service.
DOJ Department Circular No. 013 (2026). This issuance emphasizes proactive prosecutorial involvement in cybercrime case build-up, underscoring that cyber incidents can escalate quickly into evidence-driven criminal investigations.
What “corporate liability” means under RA 10175
RA 10175 recognizes that cybercrime can be carried out through organizations and for organizational benefit. Under Section 9 (Corporate Liability), a company may be held liable for a fine when punishable acts are knowingly committed on behalf of or for the benefit of the juridical person by a natural person in a leading position (e.g., with authority to represent, decide for, or control the company), or when the offense is made possible by lack of supervision or control by such person. The corporate fine ranges up to PhP10,000,000 (depending on the statutory conditions), and it is without prejudice to the criminal liability of the natural persons involved. (Cybercrime Prevention Act of 2012, Section 9, September 12, 2012)
Separate from corporate fines, RA 10175 also penalizes aiding or abetting and attempt in cybercrime under Section 5, which may capture managers or teams who intentionally assist, facilitate, or partially execute prohibited acts even if the intended cybercrime is not fully completed. (Cybercrime Prevention Act of 2012, Section 5, September 12, 2012)
Cyber-enabled crimes: “one degree higher” penalty and why it affects incident decisions
RA 10175 extends coverage to all crimes under the Revised Penal Code and special laws if committed “by, through and with the use of” ICT. In such cases, the penalty is imposed one degree higher than what is normally prescribed. (Cybercrime Prevention Act of 2012, Section 6, September 12, 2012)
This matters because certain conduct during a ransomware incident—such as fabricated records, deceptive emails, or coordinated concealment through digital channels—may expose individuals to cyber-enabled versions of traditional offenses, with increased penalties, depending on the facts and the charge chosen by prosecutors.
Scenario A: failure to report a ransomware attack and “cover-up” conduct
RA 10175 does not contain a single, universal “failure to report ransomware” offense applicable to all private entities. However, corporate liability can still arise when the “cover-up” involves conduct that falls within RA 10175 offenses, related offenses, or cyber-enabled crimes.
How a ransomware “cover-up” becomes criminally relevant
Common fact patterns that may invite criminal scrutiny include:
- Deleting or altering logs and other computer data to conceal unauthorized access or extortion demands.
- Instructing staff to provide false narratives through emails/chats or to present manufactured incident reports.
- Using company systems to obstruct lawful investigation (e.g., refusing compliance with valid court processes directed to service providers or data custodians).
Because RA 10175 is enforcement-heavy, cover-up behavior is often assessed in parallel with investigators’ attempts to preserve, obtain, and examine computer data through lawful processes.
Investigations: compelled disclosure, “service providers,” and what companies may be ordered to produce
Companies often assume only telcos and social media platforms are “service providers.” The Supreme Court has explained that the Cybercrime Prevention Act defines “service provider” broadly and imposes duties to cooperate with law enforcement in collecting or recording categories of data (including subscriber information and other computer data), subject to lawful orders such as a court-issued warrant. (Eastwest Rural Bank v. Philippine National Police Anti-Cybercrime Group, et al., G.R. No. 273720, 2025)
In Eastwest Rural Bank v. PNP Anti-Cybercrime Group (2025), the Court also held that RA 10175 did not repeal the Bank Secrecy Law, but it recognized that subscriber-identifying information may be disclosed under a valid warrant to disclose computer data, with statutory safeguards. This illustrates a broader point for corporations: once a cybercrime investigation ripens and warrants are obtained, data disclosure obligations can become immediate and time-bound, and mishandling compliance can magnify risk. (Eastwest Rural Bank v. Philippine National Police Anti-Cybercrime Group, et al., G.R. No. 273720, 2025)
When the company itself can be charged or penalized for ransomware-related conduct
A company’s exposure is most direct when the acts were done for the company’s benefit and with management participation or tolerance, bringing the case within Section 9 (Corporate Liability) of RA 10175. (Cybercrime Prevention Act of 2012, Section 9, September 12, 2012)
Even when a fine is the corporate penalty, the investigation typically targets the people who approved, knowingly permitted, or failed to supervise the conduct. Philippine jurisprudence recognizes the general principle that corporations cannot be imprisoned; thus, where imprisonment is involved, accountability is operationalized through responsible officers, while corporations may still be prosecuted where fines are imposable. (Ching v. Secretary of Justice, et al., G.R. No. 164317, 2006)
Scenario B: illegally accessing a competitor’s system (corporate-sponsored hacking)
If a company directs or tolerates intrusion into a competitor’s systems—whether done by internal IT staff, a contractor, or a “red team” acting beyond authorized testing—this can trigger (1) individual criminal liability for the actors and approving officers, and (2) corporate fines if the act was knowingly done on behalf of or for the benefit of the company or was enabled by a lack of supervision by leadership. (Cybercrime Prevention Act of 2012, Section 9, September 12, 2012)
Typical “competitor access” fact patterns that increase corporate exposure
- Hiring a third party to obtain competitor credentials or scrape non-public data through unauthorized access methods.
- Using phishing or malware to exfiltrate competitor trade information, bid details, or customer lists.
- Directing an employee to bypass access controls on a competitor platform, including through reused credentials or leaked tokens.
Even if leadership does not personally type commands, RA 10175’s corporate liability framework focuses on “leading position” involvement and on whether the offense was made possible by lack of supervision or control. (Cybercrime Prevention Act of 2012, Section 9, September 12, 2012)
Corporate liability versus individual liability: a clearer comparison
| Issue | Individuals (officers/employees/agents) | Corporation (juridical person) |
|---|---|---|
| Who can be imprisoned | Natural persons may be prosecuted for offenses carrying imprisonment. | A corporation cannot be imprisoned; liability is typically via fines where the statute allows it. |
| Basis for liability | Direct participation, aiding/abetting, attempt, or other criminal modes. | Acts knowingly committed for the corporation’s benefit by persons in leading positions, or enabled by lack of supervision/control (RA 10175, Section 9). |
| Cyber-enabled crimes | May face increased penalties if the underlying offense is committed through ICT (RA 10175, Section 6). | May face statutory fines under the corporate liability clause, plus collateral exposure (contracts, permits, reputational harm). |
For the principle on charging responsible corporate officers and the reality that corporations cannot be jailed, see Ching v. Secretary of Justice (G.R. No. 164317, 2006). Although that case concerned a different special law, it is frequently cited for the logic of attributing criminal responsibility to responsible officers where imprisonment is involved.
Procedural realities: early prosecutor involvement and documentation expectations
Cybercrime investigations are documentation-intensive. DOJ issuances emphasize structured monitoring of cybercrime prosecutions and expanded reporting on cybercrime and cyber-related cases, including the specific provisions invoked and the status of the case. (DOJ Department Circular No. 008, 2019)
DOJ policy also supports earlier prosecutorial involvement in case build-up for cybercrime matters, which means companies should assume that preserved logs, communications, and chain-of-custody issues can be evaluated from the outset. (DOJ Department Circular No. 013, 2026)
Compliance and risk reduction for companies facing ransomware or suspected intrusions
The most defensible corporate posture is one that demonstrates good-faith supervision, preservation of evidence, and lawful cooperation with valid legal processes.
Recommended corporate measures (incident-ready and investigation-ready)
- Incident response governance: define who can authorize containment steps, system restoration, external communications, and engagement of forensic vendors. Ensure decisions are documented.
- Data preservation discipline: avoid “cleanup” actions that destroy logs or artifacts needed for forensic attribution. Adopt internal hold procedures once an incident is detected.
- Lawful handling of competitor intelligence: prohibit any attempt to access competitor systems without explicit authority; treat “found credentials” or leaked datasets as high-risk contraband requiring legal review.
- Officer oversight: implement supervision and approval controls for high-risk IT activities, including penetration testing, scanning, and credential management—because lack of supervision is expressly relevant under the corporate liability rule. (Cybercrime Prevention Act of 2012, Section 9, September 12, 2012)
- Warrant readiness: train teams on how to respond to court-issued cybercrime processes and preserve responsive data accurately and promptly, consistent with the Supreme Court’s recognition of compelled disclosure under lawful warrants in cybercrime investigations. (Eastwest Rural Bank v. Philippine National Police Anti-Cybercrime Group, et al., G.R. No. 273720, 2025)
Conclusion: corporate exposure turns on benefit, leadership involvement, and supervision
Under Philippine law, a company can face corporate fines for cybercrime when offenses are committed for its benefit by leaders or enabled by leadership’s failure to supervise and control, while individuals remain exposed to criminal prosecution and potentially heightened penalties when crimes are committed through ICT. (Cybercrime Prevention Act of 2012, Sections 6 and 9, September 12, 2012)
For ransomware incidents, the legal danger often escalates not only from the attack itself but from what decision-makers do next—especially actions that compromise evidence, frustrate lawful processes, or transform an incident response into concealment. For competitor intrusions, corporate liability risks rise sharply when unauthorized access is tolerated, outsourced, or rewarded.
About Nicolas and De Vega Law Offices
Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, or +632 84016392. Visit our website at https://ndvlaw.com.

