Data breach


Dear Atty. Peachy,
I hope you can help me with a troubling situation. I am a marketing professional residing in Quezon City. Recently, I discovered that a competitor had accessed my company’s client database without authorization. They have been targeting our clients with offers that mirror our services, which is not only unethical but has upset many of our loyal customers. I found out that a former employee of ours, whom we let go for reasons related to poor performance, may have been the source of this data breach.
I feel like my company’s reputation and livelihood are at stake, and I am unsure of the legal steps I can take under Philippine law. Is there any legal recourse for us to hold the competitor accountable, and what actions can we take against the former employee who may have facilitated this breach?
I appreciate any guidance you can provide.
Maria
***
Dear Maria,
Thank you for reaching out and sharing your concerns. The situation you described is indeed troubling and highlights the critical importance of safeguarding sensitive client information in our increasingly digital market.
Under Philippine law, particularly the Data Privacy Act of 2012 (Republic Act 10173), the unauthorized access and processing of personal data by anyone, including former employees and competitors, is a serious violation. The Act protects personal data against manipulation and misuse, emphasizing the rights of data subjects (like your clients) regarding their information.
If your competitor accessed your client database unlawfully, they could potentially be held liable for violations of the Data Privacy Act. You can file a complaint with the National Privacy Commission (NPC) which has the authority to investigate such violations. They can impose administrative fines, issue cease and desist orders, and potentially take further action based on the severity of the violation. Additionally, if the competitor’s acts can be categorized as unfair competition or trademark infringement, you may explore civil remedies as well by filing a lawsuit for damages.
Your former employee, who may have leaked your database, could also face legal repercussions. Under the Data Privacy Act, individuals who unlawfully disclose or process personal data may be held criminally liable. You should document all evidence related to the breach, including emails, conversations, or any access logs that indicate the employee’s involvement. This documentation is essential for substantiating your claims to the NPC or in court.
As a proactive step, consider conducting an internal audit of your data security practices. Implement stricter access controls and training for current employees on the importance of data protection and the legal implications of breaches. This not only helps prevent future incidents but also demonstrates your commitment to safeguarding your clients’ information.
While the legal landscape can seem overwhelming, you are not without options. I hope this information helps you navigate this complex situation effectively.
Atty. Peachy Selda-Gregorio