Criminal Prosecution for Source Code, Client Lists, and Proprietary Processes in the Philippines

Introduction: Why BPO “sabotage” becomes a criminal case

In the BPO and tech sector, “sabotage” commonly refers to scenarios where a rival company—or a rogue executive—poaches teams, copies client lists, extracts proprietary processes, or takes source code to replicate a service. These acts often begin as “employee movement” or “business competition,” but they can cross into criminal liability when they involve theft or unlawful disclosure of confidential information and trade secrets.

This article explains how Philippine law can be used to criminally prosecute corporate espionage and trade secret theft affecting BPO and tech firms, and what evidence and steps are typically necessary to support a complaint.

Governing legal framework: where criminal exposure may arise

Philippine law does not have a single “BPO sabotage” statute. Instead, criminal prosecution is usually built from several legal sources that protect confidentiality and trade secrets, and that penalize unlawful disclosure or theft of protected information.

Trade secrets and confidential business information: what the courts recognize

Philippine jurisprudence recognizes that trade secrets are privileged and may be protected from compelled disclosure. The Supreme Court has described trade secrets (such as chemical formulations and similar proprietary information) as privileged and not to be compelled absent a compelling reason for doing justice, reinforcing that confidential commercial information is legally protectable in Philippine law. (Air Philippines Corporation v. Pennswell, Inc., 2007)

What BPO/tech assets usually qualify as protectable confidential information

In BPO and tech disputes, the following are commonly asserted as confidential assets:

• Source code and internal repositories (including scripts, automation tools, and proprietary integrations)
• Client lists, pricing, bid sheets, proposals, and client contact persons
• Standard operating procedures, QA frameworks, training modules, playbooks, and proprietary workflows
• Technical configurations, architecture documents, credentials management methods, and internal documentation

Whether these rise to the level of “trade secret” depends on context and proof—especially whether the company treated the information as confidential (access controls, NDAs, policies, and monitoring).

Limits of “corporation law” as a criminal tool (and what that means for BPO complainants)

A common mistake is attempting to file a criminal case solely based on “breach of fiduciary duty” under corporation law provisions. The Supreme Court has ruled that the provisions on directors’ and officers’ liabilities in the old Corporation Code (now reflected in the Revised Corporation Code framework) impose civil liabilities and are not automatically criminalized by the general criminal-penalty clause for “violations not otherwise specifically penalized.” (Ient, et al. v. Tullett Prebon (Philippines), Inc., 2017)

Implication: If the target is a rogue director/officer, criminal prosecution generally must be anchored on an actual penal statute (e.g., theft, unlawful revelation of secrets, cybercrime-related offenses where applicable), not only on a generalized “corporate fiduciary breach.”

Criminal prosecution theory: building a workable case for source code, client lists, and processes

Because BPO “sabotage” comes in many forms, prosecutors typically look for a clear criminal act supported by evidence of taking, copying, unauthorized access, or unlawful disclosure.

Common prosecution angles (typical fact patterns)

Below are common patterns that may support criminal complaints, depending on proof and the applicable penal law:

• Source code exfiltration: repository cloning to personal devices, exporting private repos, copying scripts to external drives, emailing code to a personal account, or sharing it with a competitor.
• Client list theft and solicitation: downloading CRM exports, copying account lists and contact persons, then using them at a competitor to solicit business.
• Process replication: copying internal playbooks, QA scoring templates, training content, and proprietary workflows to recreate the same delivery model elsewhere.
• Insider coordination with a competitor: a senior manager orchestrates team movement while simultaneously transferring protected information and leveraging it to damage the employer.

Confidentiality and “trade secret handling” rules matter to criminal viability

A criminal complaint is stronger when the company can show that the information was not treated as “public” or “ordinary work product,” but as protected confidential information. Even outside criminal law, Philippine regulations and jurisprudence show the legal system expects confidentiality to be meaningfully observed and respected.

Corporate records inspection rules and confidentiality: a useful analogy for BPO disputes

Even in the context of shareholders’ rights to inspect corporate records, the Revised Corporation Code expressly states that the inspecting party remains bound by confidentiality rules under prevailing laws, including trade secret and data privacy protections. (Revised Corporation Code of the Philippines, 2019; SEC Memorandum Circular No. 25, Series of 2020)

This underscores an important theme: access to information (even when lawful in some settings) does not grant the right to publicly disclose, misuse, or weaponize protected confidential information.

Employment-related cases: “confidential information” policies must be clear and defensible

While labor cases are not criminal prosecutions, Supreme Court rulings on confidentiality are still instructive for BPO employers. The Court has cautioned that company rules that are vague or overly broad in defining confidential information may not justify severe consequences, especially if disclosure was for a legitimate purpose and done in good faith. (Yonzon v. Coca-Cola Bottlers Philippines, Inc., 2021)

Implication for criminal cases: Your NDAs, information security policies, and classifications (confidential vs. public) should be concrete. Prosecutors are more receptive when the company can show well-defined confidentiality categories, training, and enforcement.

What to prepare before filing: evidence that typically determines success

For BPO and tech firms, criminal complaints often fail not because the harm is unreal, but because evidence is incomplete or not preserved properly. Prioritize proof that answers: what was taken, how it was taken, who took it, and how it was used.

Evidence checklist (high-impact items)

• Access logs (VPN, SSO, repo logs, DLP alerts, endpoint logs)
• Repo activity (unusual cloning, mass downloads, exports, new SSH keys, token generation)
• Email and messaging artifacts (sending attachments to personal emails, competitor domains, or file-sharing links)
• Endpoint evidence (USB usage logs, external drive mounts, screenshots, downloads folder artifacts)
• Company classification documents (confidentiality labels, document control, access restrictions)
• Contracts and policies (NDAs, employment contracts, codes of conduct, IP assignment agreements)
• Proof of use or attempted use by the competitor (copied content, similar workflow, identical templates, client solicitation using the same lists)
• Sworn statements from IT/security staff and custodians of records

Table: Matching the stolen asset to common proof sources

Asset allegedly stolen	Typical evidence sources	Common defense to anticipate
Source code	Git logs, access tokens, clone/fetch history, endpoint artifacts, DLP alerts	“It’s generic code,” “I wrote it,” “No confidentiality marking,” “No proof of transfer”
Client lists	CRM export logs, email attachments, screenshots, competitor solicitation records	“Clients are public,” “I used memory,” “No proof list came from employer”
Proprietary processes	Document management logs, downloads, printing records, identical templates	“It’s industry standard,” “No trade secret,” “No access controls”

Filing the criminal case: a step-by-step outline for BPO and tech companies

Criminal complaints typically start with a complaint-affidavit supported by documentary and digital evidence. The goal is to present a coherent narrative that makes probable cause straightforward to find.

Suggested sequence

1. Immediate containment: disable access, rotate credentials, preserve logs, and isolate affected machines.
2. Preservation and forensics: create forensic images where appropriate and ensure chain-of-custody documentation.
3. Internal fact-build: identify the information taken, custodians, and the timeline of exfiltration and use.
4. Demand and notice (optional but helpful): issue a cease-and-desist and preservation letter to the ex-employee/competitor to prevent spoliation.
5. Prepare the complaint-affidavit: attach sworn statements, logs, policy documents, and proof of confidentiality controls.
6. File with the prosecutor’s office: pursue preliminary investigation; be ready for counter-affidavits alleging legitimate competition or lack of secrecy.

Handling the “sabotage” narrative: competition vs. criminal conduct

“Mass resignation” and aggressive hiring alone are often framed as legitimate competition. The criminal case becomes clearer when supported by evidence of protected information being taken or misused, or confidential materials being disclosed to unauthorized persons.

The Supreme Court’s discussion in disputes involving alleged orchestration of employee movement highlights how complainants often attempt to characterize business conflict as “sabotage,” but criminal liability must still rest on a legally punishable act, not only allegations of disloyalty or competitive harm. (Ient, et al. v. Tullett Prebon (Philippines), Inc., 2017)

Confidentiality obligations extend beyond “inspection rights” and internal access

Philippine corporate regulation recognizes that even those with legitimate access to information may still be bound by confidentiality duties and may face penalties for abuse. The Revised Corporation Code expressly notes confidentiality constraints and even provides consequences for abuse of inspection rights. (Revised Corporation Code of the Philippines, 2019; SEC Memorandum Circular No. 25, Series of 2020)

For BPOs, this supports a broader compliance theme: access must be role-based, justified, monitored, and accompanied by enforceable confidentiality and data handling rules.

Risk management: how to reduce future trade secret theft and strengthen prosecution readiness

Companies that can show robust confidentiality governance tend to be more credible in criminal proceedings. The objective is to make it easy to prove that the information was genuinely confidential and that the accused knowingly acted without authority.

Controls that strengthen enforceability

• Clear information classification (confidential, restricted, public) with written definitions and examples
• Least-privilege access and periodic access reviews for repos, CRMs, and document systems
• Exit protocols for executives and engineers (device return, access shutdown, exit certifications)
• Logging and retention policies that preserve records long enough for investigation and litigation
• Training and acknowledgment (annual refreshers, signed acknowledgments of confidentiality and IP ownership)

Conclusion: what BPO and tech firms should do when trade secrets are taken

Criminally prosecuting corporate espionage in the BPO sector is feasible when the complaint is anchored on a punishable act and backed by strong digital and documentary evidence. Supreme Court rulings confirm that trade secrets are legally protectable, and that not all “corporate wrongdoing” automatically translates into criminal liability, so correct legal anchoring is essential. (Air Philippines Corporation v. Pennswell, Inc., 2007; Ient, et al. v. Tullett Prebon (Philippines), Inc., 2017)

Recommended next steps are to (1) preserve evidence immediately, (2) document the confidentiality measures surrounding the asset, (3) establish proof of taking and proof of use, and (4) prepare a prosecutor-ready complaint supported by logs, sworn statements, and policy documents.

About Nicolas and De Vega Law Offices

 Nicolas and de Vega Law Offices is a full-service law firm in the Philippines.  You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines.  You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.