Malicious Disclosure of Data: Prosecuting Staff Who Leak Confidential Client Lists in the Philippines

Malicious Disclosure of Data: Prosecuting Staff Who Leak Confidential Client Lists in the Philippines

Introduction: Why leaked client lists often become a criminal case

In many industries—BPOs, lending platforms, insurance, real estate, and direct sales—client lists and consumer databases are among the most sensitive business assets. When call center agents or sales staff leak these databases (for example, by exporting a CRM list and selling it to a competing lead buyer), the incident may trigger criminal liability under Philippine data privacy laws, aside from termination, civil claims, and possible trade secret or unfair competition remedies.

This guide focuses on the criminal charges that commonly apply when employees or agents sell or disclose proprietary consumer databases to unauthorized parties, particularly under the Data Privacy Act of 2012 and, in limited situations, the Philippine Identification System (PhilSys) law.

Governing laws for prosecuting database leaks

R.A. No. 10173 (Data Privacy Act of 2012) is the primary criminal statute used when personal information is unlawfully disclosed or misused. It applies to personal information controllers and personal information processors, including their officials, employees, and agents.

If the leaked dataset includes PhilSys-related information (e.g., PhilSys Number or PhilID details), penalties may also arise under R.A. No. 11055 (Philippine Identification System Act) and the Revised IRR of R.A. No. 11055, which contain separate penal provisions for unlawful access, processing, and disclosure of PhilSys data.

When a leaked “client list” is covered by the Data Privacy Act

Many “client lists” qualify as personal information when they identify individuals directly or indirectly—such as names, phone numbers, email addresses, home addresses, purchase/loan history, and contact lists used for collection or marketing. If the list contains sensitive personal information (e.g., health details, government-issued identifiers, financial information in certain contexts), exposure becomes more serious and may affect charging and penalties.

Even if the database is “company property,” the law protects the data subjects (the consumers) whose personal data is being processed. A company may pursue a criminal complaint not only to protect business interests but also to address harm to data subjects.

Primary criminal charges against employees who leak client lists

1) Malicious Disclosure (Data Privacy Act)

Under R.A. No. 10173, Section 31, Malicious Disclosure penalizes a personal information controller/processor (or their officials, employees, or agents) who, with malice or in bad faith, discloses unwarranted or false information relating to personal information or sensitive personal information obtained by reason of their role.

Penalty: imprisonment of 1 year and 6 months to 5 years and a fine of PHP 500,000 to PHP 1,000,000 (R.A. No. 10173, Section 31).

What “malice or bad faith” may look like in database leaks:

  • Leaking a list to embarrass, harass, retaliate, or pressure consumers (e.g., debt shaming campaigns).
  • Sharing a database to injure a competitor or to profit while knowing disclosure is prohibited.

In Trimillos v. FCash Global Lending, Inc., G.R. No. 271360, 2025, the incident involved messages to a borrower’s contacts and the National Privacy Commission’s findings referenced Malicious Disclosure (Section 31) in the context of conduct showing intent to shame and harm reputation. While that case context differs from “selling databases,” it illustrates how malice can be inferred from the nature and purpose of disclosure.

2) Unauthorized Disclosure (Data Privacy Act)

Many “sold database” scenarios fit more naturally under R.A. No. 10173, Section 32, Unauthorized Disclosure, which penalizes disclosure to a third party of personal information (or sensitive personal information) without the data subject’s consent, when not covered by the preceding malicious disclosure provision.

Penalty (personal information): imprisonment of 1 to 3 years and a fine of PHP 500,000 to PHP 1,000,000 (R.A. No. 10173, Section 32[a]).

Penalty (sensitive personal information): imprisonment of 3 to 5 years and a fine of PHP 500,000 to PHP 2,000,000 (R.A. No. 10173, Section 32[b]).

For charging decisions, prosecutors typically examine (a) whether the dataset is personal or sensitive personal information, (b) whether there was consent or a lawful basis for the transfer, and (c) whether the employee’s disclosure was within the scope of authorized processing.

3) Other Data Privacy Act charges that may accompany a “sold database” case

Depending on how the leak happened, additional Data Privacy Act offenses may be considered (for example, if an employee accessed systems beyond their authority or used data for a purpose different from what was declared). In Trimillos v. FCash Global Lending, Inc., G.R. No. 271360, 2025, the records referenced recommended prosecution for Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes under Section 28, along with Section 31.

In employee-leak cases, these “processing for unauthorized purposes” theories may be used where the employee repurposed data collected for legitimate business operations into lead selling, scam marketing, or competitor targeting.

When PhilSys penalties may apply

If the leaked list includes PhilSys-related information, R.A. No. 11055 and the Revised IRR of R.A. No. 11055 impose distinct penalties for unlawful access, processing, or disclosure of PhilSys data, including harsher penalties where the act is committed by officials/employees with custody or responsibility over PhilSys, or where disclosure is malicious.

For example, the law penalizes malicious disclosure by personnel responsible for maintaining PhilSys with imprisonment of 10 to 15 years and a fine of PHP 5,000,000 to PHP 10,000,000 (R.A. No. 11055, Section 19[3]; Revised IRR of R.A. No. 11055, Rule VI, Section 23.6). It also penalizes unauthorized access/processing of PhilSys data (R.A. No. 11055, Section 19[3]; Revised IRR of R.A. No. 11055, Rule VI, Section 23.4[c]).

Not every call center database leak will involve PhilSys data. But if the database contains PhilSys identifiers, counsel should evaluate these provisions early because of the higher penalties.

Common fact patterns: How “client list selling” cases are built

Typical scenarios

  • CRM export and resale: An agent exports customer records from a CRM (names, numbers, product interest) and sells them to a third-party lead buyer.
  • Screen-scraping / screenshots: Staff members capture screenshots of customer profiles and send them via messaging apps to outsiders.
  • Collection account leakage: An employee shares delinquent borrower lists to unauthorized collectors who then harass contacts.
  • Insider referral scheme: A salesperson “feeds” consumer leads to competitors in exchange for commissions.

Evidence commonly used

Although the exact evidence is case-specific, companies and complainants commonly rely on:

  • Access logs (who accessed what, when, and from where);
  • Export/download records and CRM audit trails;
  • Messaging/email proof of transmission to third parties;
  • Witness statements from IT/security and affected consumers;
  • Data matching (showing leaked records correspond to internal databases).

Note that evidentiary objections should be timely raised. In Trimillos v. FCash Global Lending, Inc., G.R. No. 271360, 2025, the discussion highlights that failure to object at the earliest opportunity may be treated as waiver in certain proceedings, including those involving electronic evidence.

Consent, authority, and “company ownership” are not the same

A frequent misunderstanding in workplace investigations is treating consent to collect data as consent to sell it. Under the Data Privacy Act, disclosure to third parties generally requires a lawful basis and compliance with declared purposes. An employee’s argument that “the company owns the database” does not automatically authorize the employee to transfer personal data to outsiders.

Exceptions and defenses that may arise

Some defenses revolve around the absence of disclosure, lack of identity linkage (arguing data was anonymized), or asserting a lawful purpose. In general, the Data Privacy Act recognizes that some processing of sensitive personal information may be allowed for limited purposes such as court proceedings or legal claims. For instance, the rules on sensitive personal information (as discussed in Integrated Bar of the Philippines v. Purisima, et al., G.R. No. 211772, 2023) underscore that privacy protections remain strong, and disclosures require clear legal footing, especially where confidentiality and privacy rights are involved.

However, “selling consumer databases” to unrelated third parties is typically hard to justify as a lawful exception, especially when done for personal gain or outside the employer’s authorized channels.

Employer actions: parallel tracks with criminal complaints

Criminal prosecution often moves alongside internal discipline and labor proceedings. In Yonzon v. Coca-Cola Bottlers Philippines, Inc., G.R. No. 226244, 2021, the Supreme Court emphasized that dismissal for loss of trust and confidence requires that the employee occupies a position of trust and that the act justifying the loss is clearly established; it also cautioned against vague or overly broad definitions of confidential information when used as a basis for dismissal. This is relevant where employers discipline staff for “confidential information” breaches: documentation and clarity matter.

Summary table: common charges for leaked client lists

ChargeWhat it targetsTypical leak scenarioPenalty (high level)
Unauthorized Disclosure (DPA)Disclosure of personal/sensitive personal info to a third party without consentSelling customer contact lists to lead buyers1–3 years (personal info) or 3–5 years (sensitive), plus fines (R.A. No. 10173, Section 32)
Malicious Disclosure (DPA)Disclosure with malice or bad faith of unwarranted or false infoLeaking lists to shame/harass or to injure reputation1 year 6 months–5 years, plus fines (R.A. No. 10173, Section 31)
PhilSys penal provisionsUnlawful access/processing/disclosure of PhilSys dataLeak includes PSN/PhilID detailsUp to 10–15 years and multimillion fines for malicious disclosure by responsible personnel (R.A. No. 11055; Revised IRR of R.A. No. 11055)

Action points for companies and complainants

  • Preserve evidence early: secure access logs, device images (when lawful), CRM audit trails, and communications showing disclosure.
  • Document authority limits: written role-based access policies and clear confidentiality clauses help establish “unauthorized” conduct.
  • Assess the dataset: determine whether it contains sensitive personal information or PhilSys identifiers to evaluate penalty exposure.
  • Coordinate HR and legal: ensure due process in discipline while preparing the criminal complaint, consistent with standards for loss of trust and confidence.
  • Notify affected persons when required: data breach response should be handled with counsel to reduce secondary liability.

Conclusion: treating leaked client lists as a privacy crime, not only a company dispute

In the Philippines, leaking and selling confidential client lists is not merely an internal policy violation. When the dataset contains personal information, disclosure to outsiders can support criminal charges under the Data Privacy Act, especially Unauthorized Disclosure and, in aggravated circumstances, Malicious Disclosure. If PhilSys identifiers are involved, exposure may increase under R.A. No. 11055 and its Revised IRR.

For both complainants and respondents, early issue-spotting—what data was disclosed, to whom, with what authority, and with what intent—usually determines whether the case becomes a straightforward unauthorized disclosure prosecution or a more serious malicious disclosure theory supported by surrounding circumstances.

About Nicolas and De Vega Law Offices

 Nicolas and de Vega Law Offices is a full-service law firm in the Philippines.  You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines.  You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.

SEARCH