Can an Employer Suspend You for Resetting a Work Security Token? Employee Rights Explained

An employer in the Philippines may suspend an employee who resets a work security token, but the reset alone does not automatically make the suspension lawful. The answer depends on what was reset, whether the employee had authority, the security risk created, the company rule allegedly violated, and whether the employer followed proper procedure. A routine troubleshooting step done in good faith is very different from resetting another person’s authentication token to bypass access controls.

What Does “Resetting a Work Security Token” Mean?

A work security token is any tool used to verify a person’s identity before granting access to company systems. It may include:

  • A hardware security key
  • A mobile authenticator application
  • A one-time password or OTP device
  • A multifactor authentication registration
  • A privileged-access token used by system administrators
  • An application programming interface or API token
  • An access credential issued for a customer or company account

A “reset” may involve removing an old device, enrolling a new authenticator, regenerating a credential, clearing multifactor authentication, or temporarily disabling a security requirement.

The legal consequences depend heavily on the surrounding facts. Important questions include:

  • Was the token assigned to you or to another person?
  • Did your job normally allow you to perform resets?
  • Was there an approved service ticket?
  • Did a supervisor, customer, or IT administrator instruct you to reset it?
  • Was the reset necessary to restore access during an emergency?
  • Did you follow the company’s verification procedure?
  • Did the reset expose company data, customer information, money, or systems?
  • Did you immediately document and report what happened?
  • Was there evidence of dishonesty, concealment, or personal gain?

An Employer’s Right to Discipline Is Not Unlimited

Philippine employers have management prerogative—the authority to operate their business, protect company property, establish security rules, and discipline employees. Cybersecurity policies, access-control procedures, identity-verification requirements, and prohibitions against sharing credentials are generally legitimate workplace rules.

Management prerogative, however, must be exercised fairly, in good faith, and consistently with the Labor Code.

Article 294 of the Labor Code protects an employee’s security of tenure. A regular employee may not be dismissed except for a just or authorized cause. Article 297 lists just causes such as serious misconduct, willful disobedience, gross and habitual neglect, fraud, and willful breach of trust. (Supreme Court E-Library)

Resetting a security token may lead to discipline, but the employer must still establish:

  1. A lawful and reasonable company rule or order;
  2. Proof that the employee committed the alleged act;
  3. Knowledge or proper communication of the rule;
  4. The employee’s level of authority and responsibility;
  5. The seriousness and actual or potential consequences of the reset;
  6. A penalty proportionate to the offense; and
  7. Compliance with procedural due process.

Preventive Suspension Versus Disciplinary Suspension

Employees should first determine what kind of suspension was imposed. The two forms have different purposes and legal requirements.

Type of suspension Purpose When it may be imposed Pay and duration
Preventive suspension Temporarily removes the employee while an investigation is pending Only when continued employment poses a serious and imminent threat to the life or property of the employer or co-workers Generally limited to 30 days; an extension requires actual or payroll reinstatement
Disciplinary suspension Punishes an employee after the employer finds a violation When supported by company rules, a collective bargaining agreement, or a valid disciplinary policy Duration depends on the applicable policy and proportionality of the penalty

Preventive suspension is not supposed to be punishment

Preventive suspension is a protective measure while the employer investigates. It should not be imposed merely because an accusation involves “security,” “IT,” or “data.”

Under Sections 8 and 9 of the implementing rules of the Labor Code, an employee may be placed under preventive suspension only if continued employment poses a serious and imminent threat to life or property. No preventive suspension may last longer than 30 days. After that period, the employer must reinstate the employee to the former or a substantially equivalent position, or extend the suspension while paying wages and benefits. (Lawphil)

Digital systems, credentials, confidential information, customer accounts, and financial platforms may form part of an employer’s property. A preventive suspension can therefore be justified where an employee still has the ability to:

  • Reset privileged credentials;
  • Alter or delete system logs;
  • Access customer or financial information;
  • Interfere with an internal investigation;
  • Approve unauthorized transactions;
  • Influence witnesses or subordinates; or
  • Repeat a potentially damaging security violation.

The employer should be able to identify a real risk. A vague statement that the employee “might compromise security” may be insufficient when access has already been disabled and the employee has no ability to affect the investigation.

What happens after 30 days?

The employer should complete the investigation within the 30-day preventive-suspension period. If no final result is available, the employee must generally be:

  • Returned to work;
  • Assigned to a substantially equivalent position; or
  • Placed on payroll while remaining away from the workplace.

A suspension beyond 30 days without reinstatement or pay may result in claims for unpaid salaries and, depending on the circumstances, constructive dismissal. The Supreme Court has emphasized that an employer must either conclude the investigation within the period or reinstate the employee actually or in the payroll. (Supreme Court E-Library)

The initial 30-day preventive suspension may be without pay when properly justified. If there was no sufficient basis for removing the employee, however, the employee may be entitled to recover the salary withheld during that period. (Lawphil)

Can the Token Reset Be Treated as Serious Misconduct?

Serious misconduct is not simply any mistake or policy violation. The misconduct must be grave, connected with the employee’s work, and accompanied by wrongful intent rather than mere error, confusion, or poor judgment.

A stronger case for serious misconduct may exist when an employee:

  • Intentionally resets someone else’s token without authority;
  • Bypasses identity-verification requirements;
  • Gives access to an unauthorized person;
  • Uses a reset to view information outside the employee’s duties;
  • Conceals the reset or provides false information about it;
  • Disables security controls to avoid monitoring;
  • Alters records after learning of an investigation; or
  • Repeats the same violation after prior warnings.

By contrast, dismissal may be excessive where the employee:

  • Reset their own token through an approved portal;
  • Acted on a supervisor’s instruction;
  • Followed a help-desk ticket that later turned out to be incomplete;
  • Made a single procedural mistake without dishonest intent;
  • Immediately reported the incident;
  • Caused no actual or likely security damage; or
  • Had never been informed of the rule allegedly violated.

The Supreme Court has repeatedly stressed that dismissal is reserved for grave infractions. A careless or thoughtless act does not automatically amount to the willful misconduct or deliberate breach of trust needed to justify termination. (Lawphil)

Can the Employer Claim Willful Disobedience?

Willful disobedience requires more than failure to follow an instruction. The employer must generally establish that:

  1. The order or rule was lawful and reasonable;
  2. It related to the employee’s work;
  3. The rule was made known to the employee; and
  4. The refusal or violation was willful and showed a wrongful or perverse attitude.

For example, a written policy requiring two-person approval before resetting an executive’s authentication token is likely reasonable. Intentionally ignoring that requirement after being trained and warned may support discipline.

The position is weaker where the procedure was unclear, changed without notice, conflicted with actual workplace practice, or required an approval that was unavailable during an urgent outage.

An employer should not rely solely on a statement that “all employees are expected to know the security policy.” It should be able to show how the policy was communicated—such as through onboarding documents, signed acknowledgments, training records, internal announcements, or accessible standard operating procedures.

Loss of Trust and Confidence Requires Clearly Established Facts

Employers sometimes characterize a token-reset incident as a “loss of trust and confidence.” This ground is commonly invoked against managers, supervisors, administrators, finance personnel, and employees handling sensitive systems.

The Supreme Court recognizes two broad categories of positions of trust:

  • Managerial employees entrusted with confidential or delicate responsibilities; and
  • Rank-and-file employees who routinely handle significant money, property, records, credentials, or other valuable assets.

Job title alone is not decisive. The employee’s actual functions matter.

The employer must also prove an act that genuinely justifies the loss of trust. The breach must be willful—intentionally, knowingly, and purposely committed without a valid excuse. A mere accusation, suspicion, or after-the-fact conclusion is not enough, particularly for rank-and-file employees. (Supreme Court E-Library)

An IT administrator with unrestricted access to privileged authentication systems will normally be held to a higher standard than an ordinary employee using a self-service password-reset page.

When Suspension Is More Likely to Be Lawful

Situation Likely legal assessment
Employee resets their own expired token using an authorized self-service tool Suspension is difficult to justify without additional misconduct
Employee follows a documented service ticket but misses one verification step Corrective discipline may be possible; dismissal may be disproportionate for a first offense
Employee resets a co-worker’s token after verbal approval that cannot be verified Depends on policy, evidence, urgency, and the employee’s good faith
Administrator resets an executive or customer token without required identity checks Preventive suspension may be justified because of continuing access and security risk
Employee gives the new token or code to an unauthorized person Serious misconduct or breach of trust may be established
Reset is used to access payroll, financial, customer, or confidential records Stronger grounds for suspension and investigation
Employee attempts to delete audit logs or conceal the reset Strong evidence of wrongful intent
Company has no clear reset procedure and similar conduct was previously tolerated Severe discipline may be arbitrary or inconsistent
Employee immediately reports an accidental reset and assists in containment Good faith and mitigation should be considered
Employer has already revoked all access but gives no other reason for suspension The required serious and imminent threat may be questionable

What Due Process Must the Employer Follow?

The exact procedure may depend on the penalty and the company’s rules, but an employee facing serious discipline or dismissal should receive meaningful notice and an opportunity to respond.

1. A specific written notice

The notice to explain should identify:

  • The date and approximate time of the token reset;
  • The account, system, or device involved;
  • The employee’s alleged action;
  • The applicable security rule or code-of-conduct provision;
  • The evidence relied upon, such as logs or tickets;
  • The possible disciplinary consequences; and
  • The Labor Code ground being considered, if dismissal is possible.

A notice simply stating “unauthorized security violation” may be too vague to allow an intelligent defense.

2. At least five calendar days to explain

Department Order No. 147-15 and the King of Kings Transport, Inc. v. Mamac doctrine treat a reasonable period as at least five calendar days from receipt of the notice. This allows the employee to study the accusation, consult a union officer or representative, and collect evidence. (Supreme Court E-Library)

The employee may submit earlier, but should not be pressured to sign an immediate confession or explanation without reviewing the records.

3. A meaningful opportunity to be heard

A trial-type hearing is not required in every administrative investigation. The employee must nevertheless have a genuine opportunity to explain, submit documents, challenge inaccurate allegations, and respond to important evidence.

A formal conference becomes particularly important when:

  • The employee disputes the system logs;
  • Witness accounts conflict;
  • The employee requested a hearing in writing;
  • The company’s own policy requires a hearing;
  • The employee is covered by a collective bargaining agreement; or
  • The case involves factual or technical issues that cannot be resolved from written statements alone.

4. A written decision

If the employer imposes a penalty, the decision should explain the established facts, the rule violated, and the reason for the chosen penalty. In dismissal cases, a second written notice must communicate the final decision after the employee’s explanation has been considered.

What an Employee Should Do Immediately

  1. Ask whether the suspension is preventive or disciplinary. Request a written memorandum stating the legal and policy basis, effective date, duration, and whether it is with or without pay.

  2. Do not alter any system, device, message, or log. Deleting data—even to “clean up” an accidental reset—may be interpreted as concealment.

  3. Preserve lawful copies of relevant records. Save service-ticket numbers, emails, chat messages, approval records, training materials, timelines, and notices. Do not improperly download customer data, confidential files, or trade secrets.

  4. Write a detailed chronology. Record who requested the reset, what verification was performed, which system was used, what happened afterward, and when the incident was reported.

  5. Request the specific policy allegedly violated. Ask for the version effective on the incident date, not a policy issued or revised afterward.

  6. Answer the notice point by point. State which allegations are admitted, denied, or require clarification. Explain your authority, instructions received, intent, mitigation steps, and relevant system limitations.

  7. Identify technical evidence that supports your account. Examples include audit trails, ticket histories, device-enrollment records, call recordings, approval workflows, VPN logs, and identity-verification records.

  8. Attend the administrative conference. Bring a union representative, colleague, or lawyer if allowed or necessary. Take careful notes and request a copy of the minutes.

  9. Monitor the 30-day period. Count from the effective date of preventive suspension. Before the period expires, request written instructions on reinstatement, payroll status, or the final decision.

  10. Use the grievance procedure. Review the employee handbook, disciplinary code, collective bargaining agreement, whistleblower process, and internal appeal rules.

Documents That Usually Matter Most

Document or evidence Why it matters
Notice to explain and suspension memorandum Shows the exact accusation and stated basis for suspension
Security policy effective on the incident date Establishes whether the procedure existed and applied
Signed policy acknowledgments and training records Shows whether the employee knew the rule
Help-desk or change-management ticket May prove authorization, urgency, or assigned responsibility
System and authentication logs Shows who performed the reset, when, and from which device
Emails, chats, and call records May prove instructions or escalation attempts
Job description and access matrix Shows the employee’s normal authority
Previous disciplinary record May affect proportionality, especially for repeat violations
Records of similar incidents May reveal inconsistent or discriminatory penalties
Payroll records Establishes salary lost during suspension
Collective bargaining agreement May provide stricter procedures or appeal rights

Notarization is generally unnecessary for an internal explanation unless the employer’s rules specifically require a sworn statement. Affidavits submitted in an NLRC case are normally signed under oath or notarized in accordance with the applicable procedural requirements.

Common Employer Mistakes

An otherwise legitimate investigation can become legally questionable when the employer:

  • Uses preventive suspension as an automatic punishment;
  • Gives no explanation of the serious and imminent threat;
  • Suspends the employee indefinitely;
  • Continues an unpaid suspension beyond 30 days;
  • Issues a vague notice without dates, acts, or policy provisions;
  • Gives less than a reasonable period to respond;
  • Refuses to disclose enough information for the employee to answer;
  • Treats an accidental reset as intentional misconduct without evidence;
  • Invokes loss of trust against an employee who held no position of trust;
  • Ignores approvals, tickets, or supervisor instructions;
  • Applies a harsher penalty than those given for similar incidents;
  • Forces the employee to resign during the investigation; or
  • Blocks the employee’s access and later accuses the employee of absence or abandonment.

When Cybercrime or Data-Privacy Laws May Become Relevant

Most token-reset disputes remain employment matters. Criminal or regulatory issues arise only when the facts go beyond a workplace mistake.

The Cybercrime Prevention Act of 2012, Republic Act No. 10175, penalizes illegal access to a computer system when access is made without right. A token reset may become relevant if it was intentionally used to obtain unauthorized system access. It does not follow that every breach of an internal IT procedure is a cybercrime. (Lawphil)

The Data Privacy Act of 2012, Republic Act No. 10173, may also be relevant when the reset exposes or permits unauthorized processing of personal information. Employers themselves have duties to implement reasonable security measures and should investigate incidents without unnecessarily disclosing employee or customer data. (National Privacy Commission)

An employer’s use of words such as “fraud,” “hacking,” or “data breach” in an internal notice does not by itself prove a criminal offense.

Where to Raise an Illegal Suspension Complaint

An employee who believes the suspension is unjustified may first use the company’s grievance or appeal procedure. The employee may also file a Request for Assistance under the Department of Labor and Employment’s Single Entry Approach, or SEnA.

SEnA provides a 30-day conciliation-mediation process intended to resolve labor disputes quickly and inexpensively. A settlement reached through SEnA is binding and immediately executory. The process was institutionalized through Republic Act No. 10396. (Department of Labor and Employment)

Possible settlement terms may include:

  • Lifting the suspension;
  • Actual or payroll reinstatement;
  • Payment of withheld salaries;
  • Correction of employment records;
  • Reduction or withdrawal of the penalty;
  • Transfer to a role with controlled access;
  • Issuance of a neutral certificate of employment; or
  • Voluntary separation with agreed financial terms.

If no settlement is reached and the dispute falls within its jurisdiction, the employee may file a verified complaint before the appropriate NLRC Regional Arbitration Branch. Workers may personally file complaints without first hiring a lawyer. (National Labor Relations Commission)

Claims for unpaid wages and other monetary benefits are generally subject to a three-year prescriptive period. Illegal-dismissal actions are generally filed within four years, although waiting is risky because evidence, logs, and witnesses may become difficult to obtain. (National Labor Relations Commission)

Special Considerations for Foreign Employees

Foreign nationals employed by a Philippine-based employer generally remain protected by Philippine labor laws governing their local employment relationship.

A suspension may also affect practical immigration matters. Foreign employees should separately review:

  • The validity of their Alien Employment Permit;
  • Their pre-arranged employment or 9(g) visa;
  • Employer reporting obligations;
  • Passport and ACR I-Card custody; and
  • Any proposed visa cancellation or downgrading.

Under current DOLE rules, foreign nationals intending to work for a Philippine-based employer generally need an Alien Employment Permit. A temporary suspension does not necessarily cancel the permit or visa, but termination of employment may trigger separate DOLE and Bureau of Immigration procedures. (Department of Labor and Employment)

The employer should not retain a foreign employee’s original passport as leverage in a disciplinary dispute.

Frequently Asked Questions

Can my employer suspend me immediately without hearing my side?

An employer may impose preventive suspension before completing the investigation if your continued employment creates a serious and imminent threat. The employer must still give you notice of the accusation and a meaningful opportunity to respond before imposing a final disciplinary penalty.

Can preventive suspension be without pay?

The initial lawful preventive-suspension period of up to 30 days may generally be unpaid. If the employer extends the suspension beyond 30 days, it must reinstate you actually or in the payroll. Salary may also be recoverable if the preventive suspension had no sufficient basis.

Is resetting my own token a dismissible offense?

Not ordinarily, when the reset was authorized and done through an approved process. Dismissal becomes more plausible when the reset involved deception, bypassing controls, unauthorized access, concealment, serious damage, or repeated violations.

What if my supervisor told me to perform the reset verbally?

Include the supervisor’s name, date, time, communication method, and surrounding circumstances in your explanation. Identify witnesses, call records, chats, or ticket activity supporting the instruction. Verbal authority can be relevant even when the company later argues that written approval was required.

What if the company refuses to show me the security logs?

Request enough details to understand and answer the accusation. Employers may protect confidential technical information, but they should not rely on undisclosed evidence while preventing a meaningful defense. Ask for relevant extracts, timestamps, transaction IDs, or a supervised review.

Can my employer suspend me for more than 30 days?

A preventive suspension may be extended only if you are reinstated in the payroll and continue receiving wages and benefits. An unpaid preventive suspension exceeding 30 days is generally improper.

Can a first-time mistake justify termination?

It depends on the gravity of the act. A single offense may justify dismissal when it is extremely serious, deliberate, or destructive of trust. A minor procedural mistake committed in good faith usually calls for a proportionate penalty rather than immediate dismissal.

Should I resign while the investigation is pending?

Resignation may waive practical opportunities for reinstatement and can complicate later claims about whether you were dismissed. Do not sign a resignation, quitclaim, or admission without understanding its contents and consequences.

Can I be charged with hacking for resetting a token?

Only facts establishing the elements of an offense can support criminal liability. An internal-policy violation is not automatically illegal access under Republic Act No. 10175. Authority, intent, system access, and the manner in which the token was used are crucial.

Can I file a case even if I have not been dismissed?

Yes. Employees may raise claims involving illegal suspension, withheld wages, constructive dismissal, or other labor-standard and employment disputes even when no formal termination notice has been issued.

Key Takeaways

  • Resetting a work security token does not automatically justify suspension or dismissal.
  • Preventive suspension requires a serious and imminent threat to life or property.
  • An unpaid preventive suspension should not exceed 30 days.
  • A final disciplinary penalty must be supported by evidence, a communicated rule, due process, and proportionality.
  • Honest error, emergency action, authorization, immediate reporting, and lack of damage are important defenses.
  • Unauthorized resets involving another person’s account, privileged access, concealment, or data exposure may support serious discipline.
  • Preserve tickets, messages, policies, logs, notices, payroll records, and a detailed chronology.
  • Unresolved disputes may be raised through the company grievance process, DOLE SEnA, or the NLRC.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.