Disciplinary Sanctions for Cybersecurity Breaches: When Violating IT Policies Becomes a Terminable Offense

Introduction: why cybersecurity lapses now show up in termination cases

Many Philippine employers handle foreign client data through shared systems, call center tools, cloud storage, and remote work setups. A single employee lapse—sharing account details with an unauthenticated caller, bypassing access rules, deleting company records, or exposing client identifiers—can create regulatory exposure under the Data Privacy Act and, separately, raise an employment issue: can the mishandling of foreign client data be treated as serious misconduct or a breach of trust that justifies dismissal?

This guide explains how to draft handbook provisions that (1) clearly define “mishandling of foreign client data” as a serious offense, (2) align with Philippine due process rules for discipline, and (3) are consistent with Supreme Court standards that require willfulness or wrongful intent for dismissal based on serious misconduct or loss of trust and confidence.

Governing Philippine rules you must align with

1) Data Privacy Act (RA 10173) and its Implementing Rules: why “client data” mishandling is more than an internal policy issue

Even if the data belongs to a foreign client, Philippine operations that process personal data within the Philippines are typically expected to follow Philippine data protection rules. RA 10173 penalizes certain acts involving personal and sensitive personal information, including unauthorized access or intentional breach of systems where such information is stored (Data Privacy Act of 2012, 2012).

Under the Implementing Rules and Regulations (IRR), acts such as unauthorized disclosure of personal information or sensitive personal information to a third party without consent may carry criminal penalties (IRR of RA 10173, 2016). For handbook drafting, this matters because employees must be told that certain behaviors are not merely “policy violations,” but may be statutory offenses that can expose the company and its people to investigations and sanctions.

2) Labor standards on just causes and due process for termination

For termination based on just causes such as serious misconduct, willful disobedience, gross and habitual neglect, or fraud/willful breach of trust, Philippine rules require both (a) a valid substantive ground and (b) compliance with procedural due process.

DOLE Department Order No. 147-15 (2015), which amends the IRR of Book VI of the Labor Code, describes the elements of common just causes. For example, serious misconduct requires misconduct that is grave and aggravated, work-related, and shows the employee is unfit to continue working. Willful disobedience must be intentional and marked by a wrongful attitude, involving a reasonable and lawful order related to the employee’s duties. Gross negligence must be both gross and habitual (DOLE D.O. No. 147-15, 2015).

Supreme Court guidance: when IT and data mishandling becomes terminable

1) Serious misconduct and loss of trust require willfulness, not honest mistake

The Supreme Court has stressed that for dismissal based on serious misconduct or loss of trust and confidence, the employer must show the act was willful, intentional, and attended by wrongful intent, not merely simple negligence or an honest mistake (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz, 2024). This is particularly relevant to information security cases because many incidents are “careless” rather than “malicious,” and dismissal can be struck down when intent is not established.

In the same case, the Court recognized the confidentiality context and discussed disclosure of a customer’s account information (e.g., contact details, address, account number, and account status), which the employer treated as a policy violation (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz, 2024). For handbook drafting, the lesson is that employers should define prohibited conduct clearly and build an internal process that distinguishes intentional disclosure from negligent handling, then impose penalties proportionate to the proven culpability.

2) Destruction or deletion of company records can support discipline, but facts still matter

In Rodriguez v. Sintron Systems, Inc. (2019), the employer alleged that the employee deleted contents of the company email account and removed documents; the decision highlights how IT actions (like deletion of files) are often framed by employers as serious misconduct, willful disobedience, or dishonesty/breach of trust. The case also shows a recurring litigation theme: even when misconduct appears present, the employer must still establish the correct legal conclusion supported by the record and the correct remedy depending on whether dismissal actually occurred (Rodriguez v. Sintron Systems, Inc., 2019).

How to draft handbook provisions that treat mishandling of foreign client data as serious misconduct

1) Define “foreign client data” and “confidential information” broadly but clearly

Your handbook should define covered information in a way employees can understand and compliance teams can enforce. Consider language that includes: customer identifiers, account numbers, contact details, authentication data, recordings, transcripts, tickets, screenshots, and any data accessed via client tools—even if the client is abroad.

Where appropriate, use the Data Privacy Act categories (personal information and sensitive personal information) so employees see the legal gravity of mishandling, and so internal investigations can be mapped to statutory terms (RA 10173, 2012; IRR of RA 10173, 2016).

2) Enumerate prohibited acts as “Serious Misconduct / Trust Breach” when willful

To support a serious misconduct or loss-of-trust theory, classify the following as terminable when established as willful or attended by wrongful intent (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz, 2024):

  • Unauthorized disclosure of client data to any third party (including callers whose identity was not authenticated) or to personal email/chat/storage.
  • Bypassing identity verification steps (e.g., disclosing account data without completing mandatory authentication scripts).
  • Unauthorized access to systems or records (e.g., “snooping,” looking up accounts without a work-related ticket).
  • Intentional breach or tampering with security controls, logging tools, or monitoring systems.
  • Destruction, alteration, or deletion of company records or client-related files to conceal mistakes or impede review.

For “unauthorized access or intentional breach,” consider citing in your handbook that these acts may constitute offenses under RA 10173 (Data Privacy Act of 2012, 2012). For “unauthorized disclosure,” cite the IRR penalty provisions to reinforce seriousness (IRR of RA 10173, 2016).

3) Separate “negligent mishandling” from “willful misconduct” and match penalties

Because the Supreme Court demands willfulness/wrongful intent for serious misconduct and loss of trust dismissals, a well-designed handbook should include a tiered approach:

Category: Willful misconduct / intentional breach
  • Typical conduct: Deliberate disclosure; deliberate bypass of controls; intentional system break-in; deletion to conceal.
  • Suggested disciplinary track: Charge as serious misconduct or willful breach of trust; dismissal may be pursued if evidence supports intent (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz, 2024; DOLE D.O. No. 147-15, 2015).

Category: Gross negligence (gross and habitual)
  • Typical conduct: Repeated major lapses despite retraining and prior warnings; repeated mishandling causing material risk.
  • Suggested disciplinary track: Progressive discipline; dismissal only when “gross and habitual” is documented (DOLE D.O. No. 147-15, 2015).

Category: Simple negligence / isolated mistake
  • Typical conduct: One-off mistake with prompt reporting and cooperation.
  • Suggested disciplinary track: Coaching, retraining, written warning; focus on corrective measures, not immediate dismissal (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz, 2024).

4) Build investigation rules that generate proof of willfulness (or lack of it)

Handbook provisions should require HR, InfoSec, and operations to document facts that typically decide these cases:

  • System logs and access trails (what was accessed, when, and from where).
  • Call/chat recordings and scripts (whether identity verification was skipped).
  • Training records and acknowledgments (that the employee knew the rule).
  • Prior similar incidents (to evaluate “habitual” negligence).
  • Employee explanation (to assess intent, mistake, coercion, or confusion).
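The first two evidence items (access trails and whether verification was skipped) are the ones InfoSec can produce mechanically. The script below is an added illustration, not from the article or from any law firm or client system: it reconciles a constructed access log against ticket windows and call records, tags each event with the handbook indicators the page lists (access without a work-related ticket, disclosure without completed authentication, export of client data, access from outside the corporate network), and routes the result to one of the page's three disciplinary tiers for HR review. The record layouts, the 10.0.0.0/8 corporate range, the 10-minute call window, and the agent/account names are all assumptions. The routing is a triage aid only; willfulness is still established through the employee's explanation and the administrative hearing, not by a log parser.

```python
"""Reconcile access logs with ticket and call records into a per-employee
evidence packet. Added illustration; all record formats are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

CORPORATE_NET = ip_network("10.0.0.0/8")      # assumed office/VPN address range
CALL_MATCH_WINDOW = timedelta(minutes=10)      # assumed: a disclosure belongs to a call started <=10 min earlier


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (hypothetical agents, accounts and timestamps).
ACCESS_LOG = [  # (timestamp, agent, account, source_ip, action)
    ("2024-03-04T09:02:10", "agent17", "ACC-1001", "10.0.5.21", "view"),
    ("2024-03-04T09:05:44", "agent17", "ACC-1001", "10.0.5.21", "disclose"),
    ("2024-03-04T11:40:02", "agent17", "ACC-2200", "10.0.5.21", "view"),
    ("2024-03-04T13:12:30", "agent17", "ACC-1001", "10.0.5.21", "export"),
    ("2024-03-04T13:15:00", "agent23", "ACC-3300", "203.0.113.7", "view"),
]
TICKETS = [  # (agent, account, opened, closed): the work-related reason for the access
    ("agent17", "ACC-1001", "2024-03-04T09:00:00", "2024-03-04T09:30:00"),
    ("agent23", "ACC-3300", "2024-03-04T13:00:00", "2024-03-04T13:30:00"),
]
CALLS = [  # (agent, account, call_start, authentication_script_completed)
    ("agent17", "ACC-1001", "2024-03-04T09:01:30", False),
]

# Indicators that, if proven deliberate, support a serious-misconduct / breach-of-trust charge.
WILLFUL_INDICATORS = {
    "disclosure_without_authentication",
    "disclosure_outside_any_call",
    "export_of_client_data",
}


def has_ticket(agent: str, account: str, ts: datetime) -> bool:
    """True if the agent had an open ticket for that account at that moment."""
    return any(a == agent and acc == account and _t(o) <= ts <= _t(c)
               for a, acc, o, c in TICKETS)


def call_authenticated(agent: str, account: str, ts: datetime):
    """None if no call covers the event, else whether the auth script was completed."""
    for a, acc, start, ok in CALLS:
        if a == agent and acc == account and timedelta(0) <= ts - _t(start) <= CALL_MATCH_WINDOW:
            return ok
    return None


def classify_event(ts_s: str, agent: str, account: str, src_ip: str, action: str) -> list:
    """Return the handbook indicators raised by one access-log line."""
    ts = _t(ts_s)
    findings = []
    if not has_ticket(agent, account, ts):
        findings.append("access_without_ticket")
    if ip_address(src_ip) not in CORPORATE_NET:
        findings.append("off_network_source")
    if action == "disclose":
        auth = call_authenticated(agent, account, ts)
        if auth is None:
            findings.append("disclosure_outside_any_call")
        elif not auth:
            findings.append("disclosure_without_authentication")
    if action == "export":
        findings.append("export_of_client_data")
    return findings


def evidence_packet(log=ACCESS_LOG) -> dict:
    """Per agent: list of (timestamp, account, action, findings) for every flagged event."""
    packet = defaultdict(list)
    for ts, agent, account, ip, action in log:
        findings = classify_event(ts, agent, account, ip, action)
        if findings:
            packet[agent].append((ts, account, action, findings))
    return dict(packet)


def suggested_track(agent_events: list, prior_warnings: int) -> str:
    """Route to a handbook tier for HR review; intent is decided at the hearing, not here."""
    flags = {f for *_, fs in agent_events for f in fs}
    if flags & WILLFUL_INDICATORS:
        return "serious misconduct / breach of trust: establish willfulness at the hearing"
    lapses = sum("access_without_ticket" in fs for *_, fs in agent_events)
    if lapses and prior_warnings >= 2:
        return "gross and habitual negligence: progressive discipline exhausted"
    if lapses:
        return "simple negligence: coaching or written warning"
    if "off_network_source" in flags:
        return "check telecommuting authorisation for the source device/network"
    return "no handbook violation indicated"


if __name__ == "__main__":
    packet = evidence_packet()
    for agent, events in packet.items():
        print(agent, suggested_track(events, prior_warnings=0))
        for ev in events:
            print("   ", ev)
```

The packet keeps the raw event next to each finding so the notice to explain can quote the exact timestamp and account, and the same function can be re-run with the employee's own explanation (for example, a ticket number that was logged late) to see which indicators survive.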

Procedural due process: what your handbook should reflect

Even with a strong policy, dismissals fail when procedure is mishandled. Your handbook should incorporate, at minimum, the due process elements recognized in DOLE Department Order No. 147-15 (2015), including written notice to explain the charge and a reasonable opportunity to respond, followed by a written decision notice (DOLE D.O. No. 147-15, 2015).

Include a clear internal timeline, who conducts the administrative conference, what evidence may be reviewed, and how the employee can submit a written explanation and supporting documents. Align this with your data-handling duties to avoid secondary violations (e.g., improper sharing of investigation materials containing personal data).

Telecommuting and remote work: add security and confidentiality clauses that match current rules

If employees work from home or hybrid, the handbook (or telecommuting policy) should expressly require data protection, confidentiality, and security standards consistent with the Telecommuting Act IRR and the Data Privacy Act (Department Order No. 237-22, 2022; RA 10173, 2012). This helps justify discipline for remote-work behaviors that increase risk, such as using personal devices without authorization, saving client files locally, or allowing family members to view screens.

Common scenarios and how to classify them in the handbook

Scenario 1: Agent discloses account details to an unauthenticated caller

Handbook approach: treat this as a major violation; classify as terminable if proven willful (e.g., knowingly skipping authentication, or knowingly disclosing to an unknown person). Cite confidentiality duties and the willfulness standard required for dismissal (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz, 2024).

Scenario 2: Employee sends client spreadsheet to personal email “to work faster”

Handbook approach: classify as unauthorized disclosure and/or unauthorized transfer. Provide that intent matters: deliberate transfer to personal storage may be treated as serious misconduct or breach of trust depending on proof of willfulness and risk created. Reinforce that unauthorized disclosure may carry penalties under the Data Privacy Act’s IRR (IRR of RA 10173, 2016).

Scenario 3: Employee deletes emails and files after receiving a turnover demand

Handbook approach: treat deletion/destruction of records as serious misconduct and possible dishonesty/breach of trust. Ensure the investigation preserves forensics and due process documentation; deletion cases often turn on logs and credibility (Rodriguez v. Sintron Systems, Inc., 2019).

Drafting tips: language that strengthens enforceability without overreaching

  • Use plain definitions (what data is covered; what systems are covered; what “disclosure” includes).
  • State the required mental state for terminable offenses (e.g., “willful,” “intentional,” “knowing”), consistent with Supreme Court standards for serious misconduct/trust dismissals (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz, 2024).
  • Adopt progressive discipline for negligence, reserving dismissal for gross/habitual negligence or intentional acts (DOLE D.O. No. 147-15, 2015).
  • Link to training and acknowledgment: require annual information security and privacy training and signed policy acknowledgment.
  • Include reporting duties: require prompt incident reporting; explain that concealment or deliberate cover-up is an aggravating factor.

Conclusion: setting terminable offenses while meeting Supreme Court and DOLE standards

Company handbooks can validly classify mishandling of foreign client data as a dismissible offense, but enforceability depends on precision and proof. Under Supreme Court doctrine, dismissal for serious misconduct or loss of trust generally demands willfulness or wrongful intent, not mere mistake (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz, 2024). Align handbook categories with DOLE’s just-cause elements and incorporate due process steps in writing (DOLE D.O. No. 147-15, 2015). For remote work, expressly require data security standards consistent with telecommuting rules and the Data Privacy Act (Department Order No. 237-22, 2022; RA 10173, 2012).

Recommended next steps: (1) map your IT controls to specific handbook offenses, (2) implement tiered penalties that separate willful misconduct from negligence, (3) train supervisors on evidence preservation and due process, and (4) run a legal review of your handbook to ensure terms are consistent with current jurisprudence and privacy regulations.

About Nicolas and De Vega Law Offices

Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.