How to Prosecute a Resigning Employee for Data Theft (Philippines): An Employer Guide for BPOs, Client Lists, Trade Secrets, and Customer Data

Introduction: why resignations and “last-day downloads” create serious legal exposure

For many employers—especially BPOs and companies handling customer accounts—the most damaging data incidents happen around an employee’s resignation: mass downloads, emailing files to personal accounts, taking screenshots, or copying client lists before turnover. These acts can trigger overlapping liabilities under Philippine data privacy and labor rules, and can also support criminal complaints if the evidence shows unauthorized taking, copying, or disclosure.

This article explains how employers can lawfully build a case against a resigning or recently resigned employee who takes proprietary client lists, trade secrets, or customer data; how to avoid common pitfalls (including vague “confidentiality” rules); and why BPO-related data breaches are treated as severe offenses because of the volume, sensitivity, and cross-border impact of the information involved.

Governing Philippine laws and regulations commonly used in “data theft by resigning employee” cases

Data Privacy Act of 2012 (Republic Act No. 10173; 2012) is often central when what was taken includes personal information or sensitive personal information of customers, clients, or employees. It penalizes unauthorized disclosure to third parties, with higher penalties when sensitive personal information is involved.

For instance, unauthorized disclosure is penalized under the Data Privacy Act, including disclosure of personal information or sensitive personal information without the data subject’s consent, subject to specific elements and defenses (Republic Act No. 10173, Section 32; 2012).

Implementing Rules and Regulations of the Data Privacy Act (2016) further operationalize compliance and enforcement concepts relevant to incident response, investigation, and organizational accountability (IRR of Republic Act No. 10173; 2016).

From the employment angle, rules on termination due process are governed by the Labor Code framework and its implementing rules. DOLE Department Order No. 147-15 (2015) details the two-notice rule and what constitutes a reasonable period to explain, as well as when hearings become mandatory upon request or when substantial disputes exist (DOLE D.O. No. 147-15; 2015).

Important Supreme Court rulings: confidentiality rules must be fair, and dismissal requires clear factual basis

Employers should note that “confidentiality” is not a magic word. The Supreme Court has struck down or refused to enforce overly broad and vague company rules used to punish alleged disclosures, especially when the rule fails to provide a clear standard of what is confidential and why.

In Yonzon v. Coca-Cola Bottlers Philippines, Inc. (G.R. No. 226244; 2021), the Court held that dismissal for loss of trust and confidence requires (1) that the employee occupies a position of trust, and (2) that the employer establishes an act justifying the loss of trust. The Court also found the employer’s rule on confidential information unfair and unreasonable due to vagueness when it was broad enough to cover almost anything the company might later label confidential (Yonzon v. Coca-Cola Bottlers Philippines, Inc.; 2021).

In Vallota, et al. v. NLRC, et al. (G.R. No. 185335; 2012), the Court reiterated that loss of trust and confidence must be based on a willful breach and clearly established facts, not mere suspicion or carelessness. The case also recognized that employees handling digital systems may naturally have access to sensitive information, which affects how “positions of trust” are assessed (Vallota, et al. v. NLRC, et al.; 2012).

In Citigroup Business Process Solutions Pte. Ltd. v. Corpuz (G.R. Nos. 208738-39; 2024), the Court emphasized that for dismissal to be valid on serious misconduct or loss of trust and confidence, the employer must prove willfulness or wrongful intent—showing that the act was intentional and attended by wrongful intent, not a simple mistake (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz; 2024).

What “data theft” usually looks like in resignations (common fact patterns)

Employers frequently encounter these scenarios shortly before or after a resignation:

• Exporting customer lists (names, phone numbers, addresses, account numbers) from CRM tools into spreadsheets.
• Emailing files to personal email or uploading to personal cloud storage.
• Printing or photographing client records, process documents, scripts, or internal playbooks.
• Copying repositories, knowledge bases, or ticket histories to external drives.
• Using the copied data for a competing business, freelancing, or solicitation of customers.

Legally, the theory may be framed as (a) unauthorized processing/disclosure of personal information (Data Privacy Act), (b) breach of confidentiality obligations under contract/company policy, (c) a labor offense supporting dismissal if still employed, and/or (d) other civil/criminal causes depending on what was taken and how it was used.

Step-by-step: how employers can lawfully pursue a resigning or resigned employee

1) Contain the incident without compromising evidence

Immediate containment should be done in a way that preserves logs and avoids “self-help” tactics that can backfire. Common measures include suspending access, rotating credentials, and preserving device images or system logs under internal IT/security protocols.

Documentation matters. You will generally need to show what was accessed, when, from which account, and what was done with the data afterward. Where possible, preserve metadata (timestamps, file hashes, access logs) and chain-of-custody notes for devices and copies.

2) Identify the type of data taken: personal data vs. trade secret vs. mixed datasets

This classification affects what laws apply and what you must prove.

Type of data	Examples	Main legal exposure
Personal information / sensitive personal information	Customer contact details, account numbers, addresses, identification data	Potential criminal liability for unauthorized disclosure under the Data Privacy Act (Republic Act No. 10173; 2012)
Confidential business information / trade secrets	Pricing models, non-public client terms, internal processes, scripts, proprietary playbooks	Contract/policy enforcement; labor discipline; possible civil claims depending on proof of misuse
Mixed dataset	Client list containing both business data and personal data fields	Often triggers both confidentiality enforcement and data privacy risk management

3) If the employee is still employed (including during notice period), follow DOLE due process before termination

If you intend to dismiss the employee during the notice period (or before effectivity of resignation), comply with procedural due process. DOLE Department Order No. 147-15 (2015) requires: (a) a first written notice specifying grounds and detailed facts, and giving a reasonable period of at least five calendar days to explain; (b) ample opportunity to be heard; and (c) a second written notice of termination after considering all circumstances (DOLE D.O. No. 147-15; 2015).

Also be mindful of Supreme Court standards: you must show that the employee is in a position of trust (if using loss of trust and confidence) and that the breach is supported by clearly established facts (Yonzon v. Coca-Cola Bottlers Philippines, Inc.; 2021; Vallota, et al. v. NLRC, et al.; 2012). If the alleged disclosure or access is not willful or lacks wrongful intent, dismissal may be ruled too harsh (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz; 2024).

4) For prosecution: determine the most legally sustainable complaint theory under the Data Privacy Act

Where the copied dataset includes personal information (e.g., customer lists with identifiers), employers often explore complaints anchored on unauthorized disclosure. Under Republic Act No. 10173, Section 32 (2012), unauthorized disclosure to a third party of personal information (or sensitive personal information) not covered by lawful exceptions, without the data subject’s consent, is penalized (Republic Act No. 10173; 2012).

What you should be prepared to prove includes: (a) the accused is a person covered by the law; (b) personal information or sensitive personal information is involved; (c) there was disclosure to a third party; (d) the disclosure was unauthorized; and (e) it was not covered by lawful grounds or exceptions. If the act involves a combination or series of punishable acts, penalties can increase under the “combination or series of acts” provision (Republic Act No. 10173, Section 33; 2012).

5) Build the evidence package: what employers typically need

Successful prosecution depends on admissible proof. Employers commonly compile:

• System and security logs showing downloads, exports, and external transfers (dates, times, user accounts, IPs, devices).
• Device forensics (company laptop/desktop images, USB connection history, browser activity where lawfully obtained).
• Access rights and role documentation proving the employee’s authorized scope and that the action exceeded it.
• Policies and agreements signed by the employee (confidentiality, acceptable use, privacy commitments), drafted with clarity to avoid “vagueness” arguments raised in jurisprudence (Yonzon v. Coca-Cola Bottlers Philippines, Inc.; 2021).
• Proof of third-party disclosure or use such as emails to personal accounts, uploads to external drives/cloud, messages offering customer lists, or evidence of solicitation using the copied list.
• Affidavits from IT/security officers and custodians of records, explaining how the logs were generated and preserved.

6) Avoid common mistakes that weaken criminal and labor cases

Employers frequently lose or compromise cases due to avoidable issues:

• Overbroad “confidentiality” definitions that allow the company to label anything confidential after the fact. The Supreme Court has criticized vague rules as unfair and unreasonable (Yonzon v. Coca-Cola Bottlers Philippines, Inc.; 2021).
• Weak showing of wrongful intent. Where the employer cannot establish willfulness or wrongful intent, dismissal and related claims may fail (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz; 2024).
• Relying on suspicion instead of clearly established facts (Vallota, et al. v. NLRC, et al.; 2012).
• Improper evidence handling (missing chain of custody, altered logs, undocumented device access).

Why BPO data breaches are treated as severe cyber-related offenses

BPO environments typically handle high-volume customer datasets and account-level information. When a resigning employee copies such information, the harm can extend beyond the employer to customers, foreign clients, and regulated industries, and may involve large-scale unauthorized disclosure.

From a Data Privacy Act perspective, unauthorized disclosure is penalized even for personal information, and penalties increase when sensitive personal information is involved (Republic Act No. 10173, Section 32; 2012). Where the facts show multiple punishable acts (for example, unauthorized access plus a series of disclosures), the law contemplates heightened exposure for a combination or series of acts (Republic Act No. 10173, Section 33; 2012).

From a workplace enforcement perspective, BPOs often position employees in roles that are functionally fiduciary because they are entrusted with confidential customer data. The Supreme Court has acknowledged that employees who handle electronic data can be “unwilling recipients” of confidential information and may fall under positions of trust depending on the nature of their access and responsibilities (Vallota, et al. v. NLRC, et al.; 2012).

Illustrative examples (how facts affect legal outcomes)

Example 1: Export of customer list to personal email for future solicitation. If the list contains customer identifiers (names, numbers, addresses, account numbers) and was emailed to a personal account or sent to a third party, the employer may consider a Data Privacy Act complaint for unauthorized disclosure, supported by email logs and DLP alerts (Republic Act No. 10173; 2012).

Example 2: HR employee uses colleague salary data for a labor case. Employers should be careful about overreaching confidentiality rules. The Supreme Court has recognized that vague “confidential information” policies can be unfair and unreasonable as a ground for discipline (Yonzon v. Coca-Cola Bottlers Philippines, Inc.; 2021).

Example 3: Bank/BPO agent discloses account details but claims honest mistake. If the evidence does not show willfulness or wrongful intent, dismissal may be considered too harsh under Supreme Court standards (Citigroup Business Process Solutions Pte. Ltd. v. Corpuz; 2024).

Employer recommendations (compliance and enforcement measures that support prosecution)

Employers can reduce data theft risk and strengthen future cases by combining clear governance with defensible evidence practices:

• Draft precise confidentiality classifications (what is confidential, what is restricted, and objective criteria), avoiding vague catch-all language criticized by jurisprudence (Yonzon v. Coca-Cola Bottlers Philippines, Inc.; 2021).
• Implement and document access controls based on role, with periodic review and offboarding checklists that immediately revoke access.
• Use DLP and audit logs and ensure logs are retained according to policy.
• Train employees on privacy obligations and prohibited transfers, including explicit examples.
• Follow DOLE due process when termination is pursued while still employed (DOLE D.O. No. 147-15; 2015).
• Preserve evidence properly with chain-of-custody documentation and affidavits from custodians.

Conclusion: pursue data theft cases with clear rules, clear facts, and clean evidence

Prosecuting a resigning employee for data theft requires more than asserting “confidentiality.” Employers should (1) identify whether personal data was involved to determine Data Privacy Act exposure, (2) build proof of unauthorized disclosure and willful intent where required, (3) comply with DOLE due process if termination occurs while still employed, and (4) avoid vague policies that the Supreme Court has found unfair or unreasonable.

For BPOs, the seriousness of the conduct is often amplified by the scale and sensitivity of customer datasets handled daily, making robust controls, disciplined offboarding, and evidence preservation essential to enforcement.

About Nicolas and De Vega Law Offices

 Nicolas and de Vega Law Offices is a full-service law firm in the Philippines.  You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines.  You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.