Illegal Access and Hacking: Prosecuting Former Employees Under the Cybercrime Prevention Act

Illegal Access and Hacking: Prosecuting Former Employees Under the Cybercrime Prevention Act

Introduction: when an ex-IT director logs in using old passwords

A recurring corporate risk arises after termination of high-level IT personnel: a former IT director still knows (or still possesses) administrator credentials and later uses them to enter a company’s private servers. In Philippine law, this situation can expose the former employee to criminal liability for unauthorized access and related cyber offenses, and it also raises evidence-preservation and coordination issues that can affect whether prosecutors can build a charge that survives dismissal.

Primary governing laws and leading Supreme Court rulings

R.A. No. 10175 (Cybercrime Prevention Act of 2012) is the main statute used to prosecute unauthorized system entry when done “without right,” including entry by someone who previously had legitimate access but no longer does. Section 4(a)(1) penalizes Illegal Access (access to all or any part of a computer system without right), while Section 4(a)(3) punishes Data Interference (alteration, damaging, deletion, or deterioration of computer data without right), and related provisions cover other modes of cyber intrusion such as system interference and misuse of devices (R.A. No. 10175, Sec. 4(a)(1) and Sec. 4(a)(3)).

The Supreme Court sustained the constitutionality of the Illegal Access and Data Interference provisions in Disini, Jr., et al. v. The Secretary of Justice, et al., G.R. No. 203335, February 18, 2014, recognizing the State’s legitimate power to prevent and punish hacking-type conduct and treating unauthorized access as a universally condemnable act (Disini, Jr., et al. v. The Secretary of Justice, et al., G.R. No. 203335, February 18, 2014).

Separately, R.A. No. 8792 (Electronic Commerce Act) includes penal provisions for hacking or cracking as unauthorized access into or interference in a computer system, including virus introduction, resulting in corruption, destruction, alteration, theft, or loss of electronic data messages or documents (R.A. No. 8792, Sec. 33).

On older charging theories, the Supreme Court in Laurel v. Abrogar, et al., G.R. No. 155076, June 29, 2006, held that theft under Article 308 of the Revised Penal Code contemplates only tangible personal property; intangible items like telecommunication services cannot be the subject of theft unless a statute expressly expands criminal liability. This matters because “theft of data” theories should be evaluated carefully and, in many cases, cybercrime statutes provide the clearer charging basis (Laurel v. Abrogar, et al., G.R. No. 155076, June 29, 2006).

What prosecutors generally need to show for “Illegal Access” by a former employee

Under R.A. No. 10175, the central element is that the former employee accessed a computer system “without right.”In the employment context, the usual prosecution theory is that whatever access authority existed during employment was terminated or revoked upon dismissal or separation, so any later login—even using a still-working password—becomes unauthorized (R.A. No. 10175, Sec. 4(a)(1)).

In assessing constitutionality and enforceability, the Supreme Court in Disini treated illegal access as condemnable conduct that does not ordinarily implicate protected speech; the focus is the wrongfulness of entering another’s system without authority (Disini, Jr., et al. v. The Secretary of Justice, et al., G.R. No. 203335, February 18, 2014).

Common companion charges if the ex-employee goes beyond logging in

Where facts support it, illegal access is often charged together with one or more of the following:

  • Data Interference if the former employee altered, deleted, damaged, or introduced malware/viruses into data or electronic documents (R.A. No. 10175, Sec. 4(a)(3); Disini, Jr., et al. v. The Secretary of Justice, et al., G.R. No. 203335, February 18, 2014).
  • System Interference if the conduct hindered or interfered with the functioning of the server/network (for example, taking systems offline, changing configurations to disrupt operations) (R.A. No. 10175, Sec. 4(a)(4)).
  • Misuse of Devices if the actor possessed or used access codes/passwords with intent to commit cyber offenses, depending on how the credential possession and intent are proven (R.A. No. 10175, Sec. 4(a)(5)).

Attempt and aiding/abetting: liability even if the intrusion fails

If the former IT director tries to log in but is blocked by updated security measures, attempt liability may still apply. In Disini, the Supreme Court upheld the punishability of attempts for specific cybercrime offenses and explained that a would-be hacker should not escape liability just because the lawful owner’s security prevented completion (Disini, Jr., et al. v. The Secretary of Justice, et al., G.R. No. 203335, February 18, 2014).

R.A. No. 10175 versus R.A. No. 8792: where “hacking or cracking” fits

R.A. No. 8792 penalizes “hacking or cracking” in terms that include unauthorized access or interference that results in corruption, destruction, alteration, theft, or loss of electronic data messages/documents (R.A. No. 8792, Sec. 33). In contrast, R.A. No. 10175 more directly defines cybercrime offenses, including Illegal Access even without proving the broader result elements described in R.A. No. 8792, and it is the principal modern statute relied on for cyber intrusion cases (R.A. No. 10175, Sec. 4(a)(1)).

Typical fact patterns and how they map to cybercrime offenses

Typical scenario involving a former IT directorPossible criminal exposureMain legal basis
Logs into private server after termination using old credentials that still workIllegal Access (access without right)R.A. No. 10175, Sec. 4(a)(1); Disini, Jr., et al. v. The Secretary of Justice, et al., G.R. No. 203335, February 18, 2014
Downloads, deletes, or alters sensitive files; changes logs; inserts scriptsData Interference; possibly other computer-related offenses depending on actsR.A. No. 10175, Sec. 4(a)(3); Disini, Jr., et al. v. The Secretary of Justice, et al., G.R. No. 203335, February 18, 2014
Disables services, causes outages, encrypts drives to halt operationsSystem Interference(hindering/interfering with functioning)R.A. No. 10175, Sec. 4(a)(4)
Attempts to log in but is blocked by MFA, new passwords, or IP restrictionsAttempt to commit applicable cybercrime offensesDisini, Jr., et al. v. The Secretary of Justice, et al., G.R. No. 203335, February 18, 2014

Evidence and documentation that often determines case viability

Cybercrime prosecutions commonly succeed or fail based on whether the complainant can show (a) access occurred, (b) the accused was the actor, and (c) the access was without right at the time it happened. In former-employee cases, the following are frequently important:

  • Offboarding records showing termination date/time, written revocation of access, and return of company devices.
  • Access logs and authentication logs showing account used, timestamps, source IP, device fingerprinting, and admin actions.
  • Internal policies on authorized access, credential ownership, and post-employment restrictions (helpful to show “without right”).
  • Forensic imaging and chain-of-custody documentation for affected servers/endpoints to preserve integrity of evidence.

Where the theory involves “stolen data,” prosecutors should be careful about characterizing the property interest. Laurel emphasizes that criminal theft under the Revised Penal Code is traditionally tied to tangible personal property, so counsel should align charging decisions with statutes that expressly cover cyber intrusions and interference with data/systems (Laurel v. Abrogar, et al., G.R. No. 155076, June 29, 2006; R.A. No. 10175, Sec. 4(a)(1) and Sec. 4(a)(3)).

Compliance and risk controls for employers (to prevent and to support prosecution)

To reduce incidents and strengthen eventual complaints, organizations commonly adopt controls that make “without right” and attribution easier to prove:

  • Immediate credential revocation upon termination (disable accounts, rotate passwords/keys, revoke tokens, invalidate VPN certificates).
  • Mandatory MFA and privileged access management for admin accounts.
  • Centralized logging and retention with tamper-evident storage.
  • Separation of duties so no single IT officer controls all access and logs.
  • Clear written policies on authorized access and monitoring, acknowledged by employees.

Final observations and recommendations

When a terminated IT director uses old passwords to enter private servers, Philippine law provides direct criminal remedies under R.A. No. 10175, particularly Illegal Access, and potentially Data Interference or System Interference if additional harmful acts occurred (R.A. No. 10175, Sec. 4(a)(1), Sec. 4(a)(3), and Sec. 4(a)(4); Disini, Jr., et al. v. The Secretary of Justice, et al., G.R. No. 203335, February 18, 2014). R.A. No. 8792 also penalizes hacking/cracking, but R.A. No. 10175 is typically the primary statute for cyber intrusion complaints (R.A. No. 8792, Sec. 33).

As a next step, companies should (1) preserve logs and images promptly, (2) document the exact point when access was revoked, and (3) prepare a clear incident narrative mapping facts to statutory elements. These measures improve the likelihood that a complaint will be filed with coherent charges and supported by admissible technical proof.

About Nicolas and De Vega Law Offices

 Nicolas and de Vega Law Offices is a full-service law firm in the Philippines.  You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines.  You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.

SEARCH