Cybersecurity Breach by a Former Contractor in the Philippines

Introduction

A cybersecurity breach by a former contractor is a serious legal, operational, and reputational problem. In the Philippines, many businesses rely on contractors, freelancers, consultants, IT vendors, developers, virtual assistants, digital marketers, accountants, cloud administrators, website managers, and outsourced service providers. These people may receive access to company systems, email accounts, source code, customer databases, payment platforms, cloud storage, social media accounts, internal documents, or confidential business information.

The legal risk becomes severe when a former contractor, after termination or completion of engagement, accesses company systems without authority, downloads files, deletes records, changes passwords, copies client data, locks the company out of accounts, leaks confidential information, plants malware, diverts customers, impersonates company representatives, or refuses to return digital assets.

In the Philippine context, the company may have remedies under contract law, the Civil Code, the Cybercrime Prevention Act, the Data Privacy Act, the Revised Penal Code, intellectual property law, labor and commercial law principles, and court rules on injunction and damages. The correct response depends on the facts: what the contractor accessed, whether access was authorized, whether personal data was involved, whether the company suffered loss, whether the act was intentional, and what contracts or confidentiality obligations existed.

This article explains what a cybersecurity breach by a former contractor means, what immediate steps to take, what laws may apply, what evidence to preserve, where to complain, how to pursue civil and criminal remedies, and how Philippine businesses can prevent similar incidents.

This is general legal information, not legal advice for any specific case.

I. What Is a Cybersecurity Breach by a Former Contractor?

A cybersecurity breach occurs when there is unauthorized access, use, disclosure, alteration, destruction, copying, interference, or compromise of digital systems, accounts, networks, devices, or data.

When the actor is a former contractor, the issue often involves access that was once legitimate but later became unauthorized.

Examples include:

  1. a former web developer logging into the website after contract termination;
  2. a former IT consultant using old admin credentials to access cloud storage;
  3. a former virtual assistant opening company email after resignation or contract expiry;
  4. a former social media manager refusing to surrender page access;
  5. a former accountant downloading financial records after disengagement;
  6. a former software developer copying source code or customer data;
  7. a former digital marketer exporting leads from a CRM;
  8. a former contractor deleting files, records, or backups;
  9. a former vendor changing passwords to lock out the company;
  10. a former contractor using client lists to solicit customers;
  11. a former system administrator installing backdoors before leaving;
  12. a former freelancer disclosing confidential business data to competitors;
  13. a former contractor accessing personal information of customers or employees;
  14. a former service provider using company credentials to impersonate the business;
  15. a former contractor threatening to leak data unless paid.

The key legal question is whether the contractor had authority at the time of access or use. Access that was permitted during the engagement may become unlawful once authority is revoked, the contract ends, the contractor exceeds the agreed purpose, or the contractor uses access for a prohibited purpose.

II. Why Former Contractors Are a High Cybersecurity Risk

Former contractors are uniquely risky because they often know the company’s systems, workflows, passwords, vulnerabilities, key personnel, customers, and internal weaknesses.

Common reasons breaches happen include:

  1. accounts were not disabled after termination;
  2. passwords were shared informally;
  3. there was no written offboarding procedure;
  4. the contractor retained administrator rights;
  5. the contractor owned or controlled important accounts;
  6. systems lacked multi-factor authentication;
  7. cloud folders were shared through personal email accounts;
  8. source code repositories remained accessible;
  9. no logs were monitored;
  10. company assets were created under the contractor’s personal accounts;
  11. there was no non-disclosure agreement;
  12. the company had no data processing agreement;
  13. there was no inventory of credentials;
  14. contractors used personal devices;
  15. backups were not protected;
  16. the contractor was disgruntled over payment, termination, or dispute.

A former contractor may also believe, wrongly, that unpaid fees give them the right to hold digital assets hostage. In general, a payment dispute does not automatically authorize hacking, deletion, data leakage, extortion, or unauthorized access.

III. Common Types of Breaches

1. Unauthorized System Access

This occurs when the former contractor logs into company systems after access has been revoked or after the engagement ended.

Systems may include:

  • email accounts;
  • admin dashboards;
  • cloud drives;
  • databases;
  • accounting software;
  • website CMS;
  • e-commerce platforms;
  • CRM systems;
  • payroll systems;
  • source code repositories;
  • messaging platforms;
  • social media pages;
  • ad accounts;
  • payment gateways.

Even if the contractor still knows the password, continued use after authorization has ended may be unlawful.

2. Data Theft or Unauthorized Copying

The former contractor may download, export, screenshot, copy, or transfer data.

Data may include:

  • customer lists;
  • employee records;
  • payroll files;
  • contracts;
  • invoices;
  • financial statements;
  • source code;
  • trade secrets;
  • marketing plans;
  • lead databases;
  • supplier information;
  • pricing models;
  • personal information;
  • confidential communications.

Copying data without authority may create civil, criminal, contractual, privacy, and intellectual property liability.

3. Deletion or Sabotage

A former contractor may delete website content, erase files, disable backups, remove users, terminate hosting, alter code, or destroy records.

This can cause business interruption, loss of revenue, reputational damage, and operational paralysis.

4. Password Lockout

A common scenario is the former contractor changing passwords or recovery emails, preventing the company from accessing its own assets.

This may involve:

  • domain registrar accounts;
  • web hosting;
  • Facebook pages;
  • Google Business Profile;
  • email admin accounts;
  • ad accounts;
  • e-commerce stores;
  • payment systems;
  • cloud drives;
  • GitHub or GitLab repositories.

5. Data Leakage

The contractor may disclose confidential data to competitors, customers, the public, or social media.

If personal data is involved, the company may also have duties as a personal information controller or processor.

6. Ransom or Extortion

The former contractor may demand payment in exchange for restoring access, returning files, deleting copied data, or not leaking information.

This can shift the case from a contract dispute into a serious criminal and cybercrime matter.

7. Impersonation

The former contractor may send messages using company accounts, contact clients, redirect payments, or represent themselves as still connected with the company.

This can create fraud, estafa, cybercrime, unfair competition, and civil liability issues.

8. Malware, Backdoors, and Spyware

A technically skilled contractor may leave hidden access methods before leaving.

Examples include:

  • hidden admin accounts;
  • SSH keys;
  • API tokens;
  • scheduled scripts;
  • malicious plugins;
  • modified source code;
  • unauthorized remote access tools;
  • keyloggers;
  • compromised backup accounts.

A technical forensic review may be needed.

IV. Immediate Response: First 24 to 72 Hours

The first response is critical. The company must stop the breach, preserve evidence, protect affected persons, and avoid actions that destroy proof.

Step 1: Activate an Incident Response Team

Identify who will handle:

  1. legal strategy;
  2. technical containment;
  3. evidence preservation;
  4. communications;
  5. customer or employee notice;
  6. regulatory reporting;
  7. business continuity;
  8. insurance notification, if any.

For small businesses, the team may simply be the owner, IT consultant, lawyer, data protection officer, and operations head.

Step 2: Revoke Access Immediately

Disable or rotate:

  1. email accounts;
  2. admin accounts;
  3. shared passwords;
  4. API keys;
  5. SSH keys;
  6. database credentials;
  7. VPN access;
  8. cloud storage permissions;
  9. social media roles;
  10. payment gateway access;
  11. source code repository access;
  12. third-party app integrations;
  13. domain registrar credentials;
  14. hosting panel access;
  15. device management profiles.

Do not merely change one password. Former contractors may have multiple access points.

Step 3: Preserve Logs

Before making major changes, preserve logs where possible.

Important logs include:

  1. login history;
  2. IP addresses;
  3. device identifiers;
  4. file access logs;
  5. file download logs;
  6. deletion logs;
  7. admin activity logs;
  8. email forwarding rules;
  9. cloud sharing history;
  10. database query logs;
  11. Git commit history;
  12. server logs;
  13. firewall logs;
  14. VPN logs;
  15. audit logs.

Logs are often overwritten. Export them quickly.

Step 4: Take Screenshots and Backups

Document:

  1. unauthorized login notices;
  2. changed passwords;
  3. deleted files;
  4. threatening messages;
  5. access history;
  6. user permissions;
  7. email forwarding rules;
  8. account recovery details;
  9. suspicious code;
  10. altered website pages;
  11. social media posts;
  12. client complaints.

Back up affected systems before further changes when feasible. A forensic copy may be needed for serious cases.

Step 5: Stop the Damage

Depending on the breach, the company may need to:

  1. restore from backup;
  2. take the website offline temporarily;
  3. suspend compromised accounts;
  4. notify payment processors;
  5. freeze suspicious transactions;
  6. warn customers not to follow fraudulent payment instructions;
  7. disable compromised email accounts;
  8. revoke public links;
  9. remove unauthorized posts;
  10. coordinate with cloud providers.

Step 6: Determine Whether Personal Data Was Involved

If customer, employee, supplier, user, patient, student, or applicant personal information was accessed, copied, leaked, or altered, the Data Privacy Act may apply.

The company must determine:

  1. what personal data was involved;
  2. whose data was affected;
  3. whether sensitive personal information was involved;
  4. whether the data was encrypted;
  5. whether the breach is likely to harm affected individuals;
  6. whether notification to the National Privacy Commission or data subjects is required;
  7. what remedial steps are needed.

Step 7: Avoid Retaliatory or Illegal Acts

Do not hack back, access the contractor’s personal accounts, publish accusations online, threaten the contractor, or seize personal devices without lawful authority.

The company should act firmly but legally.

V. Key Legal Issues

A. Was There Authorization?

The contractor may argue that they had access because the company gave them credentials. The company must show that the authority was limited, expired, revoked, or exceeded.

Important evidence includes:

  1. contract termination notice;
  2. end date of engagement;
  3. resignation or disengagement messages;
  4. written revocation of access;
  5. access policy;
  6. NDA;
  7. data processing agreement;
  8. email instructing return of assets;
  9. logs showing post-termination access;
  10. messages admitting access.

Access can be unauthorized even if the password still works.

B. Was the Contractor an Independent Contractor or Employee?

The classification matters for contracts, obligations, vicarious liability, labor issues, and internal discipline.

A contractor is usually governed by a service agreement. An employee is governed by labor law as well as company policies. Some “contractors” may legally be employees depending on control and circumstances.

Regardless of classification, unauthorized access, theft, deletion, extortion, and disclosure can create liability.

C. Was Personal Data Involved?

If personal information was involved, the company may face its own regulatory duties even though the former contractor caused the breach.

The company may be considered a personal information controller if it determines the purpose and means of processing. The contractor may be a personal information processor if they processed data on the company’s behalf.

The company should not assume that blaming the contractor eliminates its duty to investigate, secure systems, and notify when required.

D. Was Confidential Business Information Involved?

Even if no personal data was involved, disclosure of trade secrets, source code, customer lists, pricing, strategies, or financial records may support civil and contractual claims.

E. Was There Financial Loss?

Financial loss affects damages and urgency.

Loss may include:

  1. lost sales;
  2. downtime;
  3. forensic costs;
  4. restoration costs;
  5. refunds;
  6. lost clients;
  7. reputational harm;
  8. regulatory penalties;
  9. legal fees;
  10. ransom payments;
  11. cost of customer notification;
  12. cost of credit monitoring or remediation;
  13. replacement of systems.

F. Was There Criminal Intent?

For criminal complaints, it is important to show intent, knowledge, deceit, intimidation, unauthorized access, or malicious acts depending on the offense.

VI. Philippine Laws That May Apply

1. Cybercrime Prevention Act

The Cybercrime Prevention Act is one of the most relevant laws for unauthorized access, system interference, data interference, computer-related fraud, computer-related forgery, misuse of devices, identity-related offenses, cyberlibel, and other computer-related acts.

A former contractor may face cybercrime liability if they:

  1. access company systems without right;
  2. exceed authorized access;
  3. delete, alter, damage, or suppress computer data;
  4. interfere with system operations;
  5. use credentials without authority;
  6. use company systems to commit fraud;
  7. create fake electronic records;
  8. publish defamatory statements online;
  9. misuse digital identity;
  10. use malware or unauthorized access tools;
  11. obtain data through unauthorized means.

The exact charge depends on the specific act.

Unauthorized Access

This may apply when a former contractor logs into a system after the contract ended or after access was revoked.

Data Interference

This may apply when files, databases, records, or code are deleted, altered, damaged, or suppressed.

System Interference

This may apply when the contractor disrupts the normal operation of a system, website, server, or platform.

Computer-Related Fraud

This may apply when a contractor uses computer systems to cause damage or obtain benefit through deceit.

Computer-Related Forgery

This may apply when electronic documents, instructions, approvals, invoices, or communications are manipulated or fabricated.

Misuse of Devices

This may apply where access tools, passwords, credentials, scripts, or programs are used or retained for unlawful access.

Cyberlibel

This may apply if the contractor publicly posts defamatory statements online against the company, owners, officers, or employees.

2. Data Privacy Act

The Data Privacy Act applies when personal information is collected, processed, stored, accessed, disclosed, or compromised.

A breach by a former contractor may trigger duties if the compromised data includes:

  1. names;
  2. addresses;
  3. phone numbers;
  4. email addresses;
  5. IDs;
  6. financial information;
  7. payroll records;
  8. HR records;
  9. customer accounts;
  10. health information;
  11. educational records;
  12. biometrics;
  13. government-issued identifiers;
  14. sensitive personal information.

Possible Privacy Violations by the Contractor

The former contractor may be liable for:

  1. unauthorized processing;
  2. accessing personal information due to negligence or intentional conduct;
  3. improper disposal;
  4. processing for unauthorized purposes;
  5. unauthorized disclosure;
  6. malicious disclosure;
  7. concealment of security breach;
  8. other unlawful processing acts.

Duties of the Company

If the company is the personal information controller, it may need to:

  1. assess the breach;
  2. contain the incident;
  3. document the facts;
  4. notify the National Privacy Commission where required;
  5. notify affected data subjects where required;
  6. implement remedial measures;
  7. cooperate with investigation;
  8. maintain breach records;
  9. review contractor access controls;
  10. improve security.

A company can be both victim and regulated entity. That means it may pursue the former contractor while also complying with its own duties.

3. Revised Penal Code

Depending on the facts, the Revised Penal Code may apply.

Possible offenses include:

Estafa

If the contractor used deceit or abuse of confidence to obtain money, property, access, or benefit.

Qualified Theft

If property or assets were taken with grave abuse of confidence. Digital assets and confidential information may raise complex issues, but related tangible or financial assets may support charges.

Malicious Mischief

If the contractor deliberately damaged property, including systems or business assets, depending on how the damage is characterized.

Grave Threats or Light Threats

If the contractor threatened to leak data, destroy systems, harm reputation, or cause unlawful injury unless paid.

Coercion

If the contractor used intimidation to force the company to do something, such as pay money or surrender control.

Libel or Slander

If the contractor made defamatory statements, subject to whether the publication was online or offline.

Falsification

If documents, electronic records, invoices, receipts, or authorizations were falsified.

Unjust Vexation

In lesser cases, repeated harassment or malicious disturbance may be considered, depending on the facts.

4. Civil Code

The Civil Code provides the basis for civil actions for damages.

A company may sue for:

  1. breach of contract;
  2. abuse of rights;
  3. acts contrary to law;
  4. acts contrary to morals, good customs, public order, or public policy;
  5. quasi-delict;
  6. damages caused by fraud, negligence, or bad faith;
  7. interference with business relations;
  8. recovery of property or value;
  9. injunction;
  10. attorney’s fees.

Possible damages include:

  1. actual damages;
  2. moral damages, where legally available;
  3. exemplary damages;
  4. nominal damages;
  5. temperate damages;
  6. attorney’s fees;
  7. litigation expenses.

For companies, moral damages are generally more limited than for natural persons, but reputational and business harm may still support appropriate claims depending on facts.

5. Contract Law

Most contractor breach cases start with the contract.

Relevant clauses include:

  1. confidentiality;
  2. non-disclosure;
  3. data protection;
  4. intellectual property ownership;
  5. return of materials;
  6. access revocation;
  7. non-solicitation;
  8. non-compete, if enforceable and reasonable;
  9. service levels;
  10. security obligations;
  11. audit rights;
  12. indemnity;
  13. liquidated damages;
  14. dispute resolution;
  15. governing law;
  16. venue;
  17. termination;
  18. survival clauses.

Even without a detailed contract, obligations may arise from law, equity, and the nature of the engagement.

6. Intellectual Property Law

If the former contractor copied or misused source code, designs, creative materials, databases, website content, software, trademarks, logos, photos, documents, or proprietary materials, intellectual property issues may arise.

Important questions include:

  1. Who owns the work product?
  2. Was there a written assignment of copyright?
  3. Was the contractor hired to create software, content, or designs?
  4. Was the work paid for?
  5. Was there a license or transfer?
  6. Did the contractor reuse company-owned materials?
  7. Did the contractor copy code into another project?
  8. Were trade secrets or confidential materials disclosed?

A company should not assume it owns every contractor-created work unless the agreement clearly provides for assignment or ownership.

7. E-Commerce, Consumer, and Sectoral Rules

Additional rules may apply if the breached company is in a regulated industry, such as:

  1. banking or fintech;
  2. insurance;
  3. health care;
  4. education;
  5. telecommunications;
  6. e-commerce;
  7. payment processing;
  8. BPO;
  9. government contracting;
  10. critical infrastructure.

Some industries have separate reporting duties, cybersecurity requirements, contractual obligations, or regulator expectations.

VII. Civil Remedies Against the Former Contractor

A civil case may be appropriate when the company wants compensation, injunction, return of assets, or enforcement of contractual obligations.

A. Breach of Contract

The company may sue for breach if the contractor violated:

  1. confidentiality obligations;
  2. return-of-property provisions;
  3. data security obligations;
  4. access restrictions;
  5. intellectual property clauses;
  6. non-solicitation provisions;
  7. non-disparagement clauses;
  8. post-termination obligations.

The company must prove the contract, the obligation, the breach, and resulting damages.

B. Damages

The company may claim actual damages for:

  1. forensic investigation;
  2. system restoration;
  3. downtime;
  4. lost revenue;
  5. customer refunds;
  6. emergency IT services;
  7. legal costs;
  8. replacement systems;
  9. public relations costs;
  10. cost of notifying affected persons;
  11. business interruption;
  12. loss of clients;
  13. reputational harm, if provable.

The court generally requires proof, not speculation.

C. Injunction

If the contractor is still accessing systems, using data, threatening disclosure, or soliciting customers using stolen information, the company may seek injunctive relief.

The company may ask the court to order the contractor to:

  1. stop accessing systems;
  2. stop using confidential information;
  3. stop contacting clients using stolen data;
  4. return or delete company data;
  5. surrender credentials;
  6. stop publishing false statements;
  7. preserve evidence;
  8. refrain from disclosing personal data.

Temporary restraining orders and preliminary injunctions are technical remedies requiring urgent proof and legal assistance.

D. Replevin or Recovery of Property

If the contractor retains company devices, laptops, drives, tokens, hardware security keys, or physical records, the company may pursue recovery remedies depending on the facts.

E. Accounting and Restitution

If the contractor diverted payments, clients, subscriptions, ad revenue, or e-commerce sales, the company may seek accounting and restitution.

VIII. Criminal Remedies

Criminal action may be appropriate when the former contractor’s conduct involves unauthorized access, deletion, extortion, threats, fraud, or malicious disclosure.

A. Where to Report

Depending on the facts, the company may report to:

  1. Philippine National Police Anti-Cybercrime Group;
  2. National Bureau of Investigation Cybercrime Division;
  3. City or Provincial Prosecutor’s Office;
  4. local police, for immediate threats or related physical incidents;
  5. sectoral regulator, if applicable.

B. Complaint-Affidavit

A criminal complaint usually requires a complaint-affidavit with supporting evidence.

It should state:

  1. identity of complainant;
  2. authority of the company representative;
  3. identity of respondent;
  4. nature of engagement;
  5. date access was granted;
  6. date access ended or was revoked;
  7. acts committed after termination;
  8. systems accessed;
  9. data copied, altered, or deleted;
  10. threats or demands made;
  11. damage caused;
  12. evidence attached;
  13. witnesses.

C. Important Criminal Evidence

Attach:

  1. service contract;
  2. NDA;
  3. termination notice;
  4. access revocation notice;
  5. logs showing unauthorized access;
  6. IP logs;
  7. screenshots;
  8. messages from contractor;
  9. forensic report;
  10. employee affidavits;
  11. customer complaints;
  12. proof of deleted files;
  13. backup restoration records;
  14. evidence of ransom demands;
  15. evidence of financial loss.

The stronger the technical evidence, the stronger the criminal complaint.

IX. Data Privacy Response

If the breach involves personal data, the company should treat it as both a cybersecurity incident and a privacy incident.

A. Determine Whether It Is a Personal Data Breach

A personal data breach may involve:

  1. accidental or unlawful destruction;
  2. loss;
  3. alteration;
  4. unauthorized disclosure;
  5. unauthorized access;
  6. compromise of availability, integrity, or confidentiality of personal data.

B. Classify the Data

Determine whether the data includes:

  1. ordinary personal information;
  2. sensitive personal information;
  3. privileged information;
  4. financial data;
  5. government IDs;
  6. health records;
  7. children’s data;
  8. employee disciplinary records;
  9. passwords or authentication data.

The sensitivity affects urgency and notification analysis.

C. Assess Risk of Harm

Consider whether affected persons may suffer:

  1. identity theft;
  2. fraud;
  3. financial loss;
  4. discrimination;
  5. reputational harm;
  6. physical risk;
  7. embarrassment;
  8. phishing;
  9. blackmail;
  10. employment harm.

D. Notify When Required

If notification is required, the company may need to notify the National Privacy Commission and affected data subjects. The timing and content of notification should be handled carefully.

A notification may include:

  1. nature of the breach;
  2. data involved;
  3. measures taken;
  4. risks to data subjects;
  5. recommended protective steps;
  6. company contact person or data protection officer;
  7. remedial actions.

E. Do Not Conceal a Serious Breach

Concealing a reportable breach can create additional legal exposure. Even when the former contractor caused the incident, the company may still be expected to respond responsibly.

X. Evidence Preservation

Evidence is the foundation of the case. Poor evidence handling can weaken both civil and criminal claims.

A. Preserve Technical Evidence

Preserve:

  1. server logs;
  2. access logs;
  3. audit trails;
  4. user activity logs;
  5. cloud storage logs;
  6. admin console logs;
  7. database logs;
  8. email logs;
  9. firewall logs;
  10. endpoint security alerts;
  11. SIEM records;
  12. source code repository logs;
  13. file metadata;
  14. screenshots;
  15. backup copies;
  16. malicious files or scripts;
  17. suspicious accounts;
  18. API tokens;
  19. IP addresses.

B. Preserve Communications

Save:

  1. emails;
  2. text messages;
  3. messaging app chats;
  4. voice notes;
  5. demand messages;
  6. threats;
  7. admission statements;
  8. negotiation messages;
  9. termination notices;
  10. access revocation instructions.

C. Preserve Contractual Records

Keep:

  1. contractor agreement;
  2. statement of work;
  3. purchase orders;
  4. invoices;
  5. receipts;
  6. payment records;
  7. NDA;
  8. data processing agreement;
  9. security policy acknowledgments;
  10. handover checklist;
  11. exit clearance;
  12. IP assignment documents.

D. Maintain Chain of Custody

For serious cases, document:

  1. who collected the evidence;
  2. when it was collected;
  3. where it was stored;
  4. how it was copied;
  5. whether it was altered;
  6. who had access to it;
  7. hash values of files, if available;
  8. forensic imaging details.

A forensic expert may be needed if litigation is likely.

XI. Internal Investigation

A company should conduct a structured investigation.

A. Define the Scope

Ask:

  1. What systems were accessed?
  2. When did access occur?
  3. What credentials were used?
  4. What data was viewed, copied, altered, or deleted?
  5. Was personal data affected?
  6. Was confidential information affected?
  7. Was money diverted?
  8. Was there malware or a backdoor?
  9. Are there other compromised accounts?
  10. Is the contractor acting alone?

B. Interview Key Personnel

Interview:

  1. IT staff;
  2. project managers;
  3. employees who worked with the contractor;
  4. clients who received suspicious messages;
  5. finance staff;
  6. HR or admin staff;
  7. data protection officer;
  8. account owners.

Document each interview.

C. Review Access History

Check whether the contractor had access to:

  1. production systems;
  2. backups;
  3. admin consoles;
  4. databases;
  5. cloud storage;
  6. customer records;
  7. payment systems;
  8. code repositories;
  9. credentials vaults;
  10. internal chat systems.

D. Determine Root Cause

Possible causes:

  1. failure to revoke access;
  2. weak passwords;
  3. shared credentials;
  4. no MFA;
  5. contractor-owned accounts;
  6. excessive permissions;
  7. lack of logging;
  8. no offboarding;
  9. unsecured API keys;
  10. poor vendor management.

The company must fix the root cause, not just the incident.

XII. Demand Letter to the Former Contractor

A demand letter may be useful before or alongside legal action, unless immediate criminal reporting or injunctive relief is needed.

A demand letter may require the contractor to:

  1. stop accessing systems;
  2. return all company data;
  3. delete all unauthorized copies;
  4. surrender credentials;
  5. identify all accounts accessed;
  6. preserve evidence;
  7. stop using confidential information;
  8. stop contacting clients;
  9. stop publishing false statements;
  10. compensate the company for losses;
  11. certify compliance under oath;
  12. confirm whether data was shared with anyone.

The letter should avoid defamatory statements and should be drafted carefully.

Sample Demand Letter

Subject: Demand to Cease Unauthorized Access, Return Company Data, and Preserve Evidence

Dear [Name]:

We write regarding your former engagement with [Company Name] and your unauthorized access to company systems and data after the termination/completion of your engagement.

Our records show that on or about [date/s], access was made to [system/account/platform] using credentials associated with you or previously assigned to you. The activity included [describe: download, deletion, password change, data export, unauthorized messages, etc.].

You are hereby formally demanded to:

  1. immediately cease and desist from accessing any company system, account, platform, database, file, or communication channel;
  2. return all company property, credentials, files, records, source code, documents, customer data, and confidential information in your possession;
  3. permanently delete all unauthorized copies only after preserving them as required by law and after coordinating with the company’s authorized representative;
  4. disclose all systems, accounts, devices, storage locations, and third parties to whom company data was copied, transferred, disclosed, or made available;
  5. surrender or transfer all administrative access, recovery emails, passwords, tokens, and keys relating to company assets;
  6. preserve all communications, devices, files, logs, and records relevant to this incident;
  7. stop contacting company clients, employees, suppliers, or partners using company data or credentials;
  8. stop using or disclosing confidential, proprietary, or personal information obtained from the company.

This demand is without prejudice to all civil, criminal, administrative, contractual, data privacy, and other remedies available to the company under Philippine law.

Sincerely, [Authorized Representative] [Company Name] [Date]

XIII. Notice to Customers, Employees, or Affected Persons

If the breach affects customers, employees, suppliers, or users, the company may need to communicate with them. The message should be factual, calm, and not speculative.

It should usually include:

  1. what happened;
  2. what data may have been affected;
  3. what the company has done;
  4. what affected persons should do;
  5. how to contact the company;
  6. warning against phishing or fraudulent messages;
  7. assurance that investigation is ongoing.

Avoid accusing the contractor publicly unless advised by counsel and supported by evidence.

XIV. Public Communications and Defamation Risk

A company may want to post online that the former contractor hacked them. This can create defamation risk if not carefully worded.

Safer public wording may say:

“We recently detected unauthorized access to certain company systems. We have secured the affected accounts, are investigating the incident, and are coordinating with appropriate advisers and authorities.”

Avoid naming the former contractor publicly unless necessary, legally justified, and reviewed by counsel.

XV. If the Former Contractor Claims Unpaid Fees

Many breaches arise from payment disputes. A contractor may say:

“I will not return the files until you pay.” “I will keep the admin access until my invoice is settled.” “I own the website because I built it.” “I will delete the project unless you pay.” “I will contact your clients if you do not pay.”

Unpaid fees do not normally justify unauthorized access, deletion, data leakage, threats, or retention of personal data.

However, the company should also evaluate whether it actually owes valid amounts. A payment dispute may be resolved separately through negotiation, settlement, arbitration, small claims, or civil action. The company should avoid mixing legitimate payment issues with unlawful cybersecurity conduct.

A practical approach:

  1. secure systems first;
  2. preserve evidence;
  3. separate undisputed payments from disputed claims;
  4. demand return of company assets;
  5. negotiate only in writing;
  6. do not pay ransom without legal and risk assessment;
  7. document all communications;
  8. consider escrow or settlement if commercially sensible;
  9. reserve rights in any payment.

XVI. If the Contractor Controls Company Accounts

This is common when a contractor created accounts using their own email address or phone number.

Affected accounts may include:

  1. domain names;
  2. hosting accounts;
  3. cloud servers;
  4. Google Workspace or Microsoft 365;
  5. Facebook pages;
  6. Instagram accounts;
  7. TikTok accounts;
  8. YouTube channels;
  9. Google Business Profile;
  10. payment gateways;
  11. ad accounts;
  12. analytics accounts;
  13. source code repositories;
  14. app store developer accounts.

The company should:

  1. check contracts for ownership provisions;
  2. gather proof that the account was created for the company;
  3. collect invoices and payment records;
  4. request transfer in writing;
  5. contact platform support;
  6. submit business documents to prove ownership;
  7. preserve proof of refusal;
  8. consider legal action for transfer and damages.

Future contracts should require all accounts to be created under company-controlled emails from the beginning.

XVII. If Source Code or Software Is Involved

Software contractor disputes can be complex because possession, access, copyright, licensing, and payment may overlap.

Key questions:

  1. Was the code custom-developed for the company?
  2. Was there a written IP assignment?
  3. Was the contractor paid?
  4. Did the contractor use pre-existing libraries or templates?
  5. Did the company receive repository access?
  6. Did the contractor delete or withhold the repository?
  7. Did the contractor copy the code into a competing product?
  8. Was customer data stored in the application?
  9. Were there hidden backdoors?
  10. Are credentials or secrets embedded in the code?

The company may need both legal and technical review.

XVIII. If Trade Secrets or Client Lists Were Taken

Client lists, pricing, strategies, internal processes, and supplier information may be valuable confidential information.

To protect them, the company should prove:

  1. the information was confidential;
  2. the contractor had access only for a limited purpose;
  3. the company took reasonable steps to keep it confidential;
  4. the contractor copied, used, or disclosed it;
  5. the company suffered or may suffer harm.

Evidence may include NDAs, access restrictions, confidentiality labels, internal policies, and logs.

XIX. If the Contractor Contacted Clients

If the former contractor used company data to contact clients, redirect business, collect payments, or damage the company’s reputation, the company should act quickly.

Steps:

  1. identify affected clients;
  2. preserve emails or messages;
  3. warn clients about unauthorized communications;
  4. confirm official payment channels;
  5. review whether payments were diverted;
  6. issue formal notice to contractor;
  7. file complaints if fraud or impersonation occurred;
  8. consider civil action for damages and injunction.

Client affidavits may be important.

XX. If Money Was Diverted

A contractor may change bank details, redirect invoices, alter payment instructions, access payment gateways, or impersonate the company.

Immediate steps:

  1. notify banks and payment processors;
  2. freeze or trace transactions where possible;
  3. preserve altered invoice copies;
  4. notify affected customers;
  5. file incident reports;
  6. report to law enforcement;
  7. review email compromise;
  8. check whether more invoices were altered;
  9. change payment instructions publicly and privately;
  10. pursue recovery.

This may involve fraud, estafa, cybercrime, and civil claims.

XXI. Working With Law Enforcement

When reporting to cybercrime authorities, bring organized evidence.

Prepare:

  1. company authorization or board secretary’s certificate;
  2. IDs of representative;
  3. complaint-affidavit draft;
  4. contract with contractor;
  5. termination notice;
  6. access logs;
  7. screenshots;
  8. forensic report, if available;
  9. list of compromised systems;
  10. estimated damage;
  11. messages or threats;
  12. details of respondent;
  13. device or server information;
  14. contact person for technical questions.

Law enforcement may request access to devices, logs, or accounts. Coordinate with counsel and IT to avoid disrupting business or compromising privacy obligations.

XXII. Working With the National Privacy Commission

If personal data was compromised, prepare:

  1. breach report or incident summary;
  2. timeline of events;
  3. nature of personal data affected;
  4. number or categories of affected data subjects;
  5. cause of breach;
  6. containment measures;
  7. risk assessment;
  8. notification decision;
  9. remedial actions;
  10. data protection officer contact details;
  11. contracts with the contractor;
  12. security policies;
  13. logs and evidence;
  14. communications with affected persons.

A company that promptly investigates, documents, and mitigates the breach is in a better position than one that ignores it.

XXIII. Court Action and Injunction Strategy

When the harm is ongoing, civil court action may be necessary.

A complaint may include causes of action for:

  1. breach of contract;
  2. injunction;
  3. damages;
  4. unfair competition or interference;
  5. violation of confidentiality;
  6. recovery of property;
  7. accounting;
  8. intellectual property infringement;
  9. privacy-related claims;
  10. other appropriate relief.

The company may seek:

  1. temporary restraining order;
  2. preliminary injunction;
  3. permanent injunction;
  4. damages;
  5. return or deletion of data;
  6. surrender of credentials;
  7. transfer of accounts;
  8. prohibition on client contact;
  9. preservation of evidence.

Court filings must be carefully drafted because technical facts should be translated into legal claims.

XXIV. Arbitration or Contractual Dispute Resolution

The contractor agreement may require mediation, arbitration, or a specific venue before court action. Review the dispute resolution clause.

However, urgent cybersecurity issues may still require immediate relief depending on the contract and law. A lawyer should evaluate whether the company can seek emergency injunctive relief despite an arbitration clause.

XXV. Insurance Considerations

Some companies have cyber insurance, professional liability insurance, crime insurance, or business interruption coverage.

Check whether the policy covers:

  1. data breach response;
  2. forensic investigation;
  3. notification costs;
  4. legal fees;
  5. business interruption;
  6. cyber extortion;
  7. funds transfer fraud;
  8. third-party liability;
  9. regulatory proceedings;
  10. public relations costs.

Notify the insurer promptly if required. Late notice may affect coverage.

XXVI. Preventive Measures: Contract Drafting

A strong contractor agreement should include:

  1. clear scope of work;
  2. confidentiality clause;
  3. data protection obligations;
  4. cybersecurity standards;
  5. prohibition on unauthorized access;
  6. obligation to use company-approved accounts;
  7. prohibition on copying data outside approved systems;
  8. return and deletion of data upon termination;
  9. IP ownership and assignment;
  10. non-solicitation of clients and employees;
  11. audit rights;
  12. breach notification obligations;
  13. indemnity;
  14. liquidated damages, where appropriate;
  15. survival of confidentiality and data obligations;
  16. account ownership provisions;
  17. credential transfer obligations;
  18. cooperation after termination;
  19. dispute resolution;
  20. venue and governing law.

The contract should state that all access ends upon termination or completion unless expressly extended in writing.

XXVII. Preventive Measures: Access Management

Legal documents are not enough. Technical controls are essential.

Best practices include:

  1. unique user accounts for each contractor;
  2. no shared admin passwords;
  3. multi-factor authentication;
  4. least privilege access;
  5. time-limited access;
  6. role-based access controls;
  7. regular access review;
  8. password manager or secrets vault;
  9. logging and monitoring;
  10. immediate offboarding checklist;
  11. removal of API keys and tokens;
  12. device management;
  13. separate development and production access;
  14. approval for data exports;
  15. monitoring for unusual downloads;
  16. backup protection;
  17. incident response plan;
  18. contractor security training;
  19. periodic penetration testing;
  20. vendor risk assessment.

The best legal case is still weaker if the company had no access controls and no logs.

XXVIII. Contractor Offboarding Checklist

When a contractor leaves, the company should:

  • confirm end date of engagement;
  • send written notice terminating access;
  • disable all accounts;
  • rotate shared passwords;
  • revoke MFA devices;
  • remove cloud storage permissions;
  • remove email delegation;
  • revoke VPN access;
  • revoke repository access;
  • revoke database access;
  • rotate API keys;
  • rotate SSH keys;
  • change recovery emails and phone numbers;
  • transfer ownership of accounts;
  • collect company devices;
  • collect hardware keys or tokens;
  • obtain return/deletion certification;
  • preserve project files;
  • confirm IP assignment;
  • notify internal teams;
  • monitor logs after exit;
  • remind contractor of confidentiality obligations.

Offboarding should be done before disputes escalate.

XXIX. Red Flags Before a Breach

Watch for warning signs:

  1. contractor refuses to use company accounts;
  2. contractor insists on personal email for admin access;
  3. contractor avoids documentation;
  4. contractor refuses to share credentials with authorized company personnel;
  5. contractor creates systems only they can access;
  6. contractor resists MFA or logging;
  7. contractor downloads large data sets without reason;
  8. contractor asks for excessive permissions;
  9. contractor threatens to withhold work;
  10. contractor copies clients in payment disputes;
  11. contractor becomes hostile after termination;
  12. contractor asks employees for passwords;
  13. contractor disables notifications or logs;
  14. contractor creates unknown admin accounts;
  15. contractor stores company data in personal cloud accounts.

Early action can prevent litigation.

XXX. Common Defenses by Former Contractors

A former contractor may argue:

  1. access was authorized;
  2. contract had not ended;
  3. company failed to pay;
  4. files belonged to the contractor;
  5. no data was copied;
  6. another person used the credentials;
  7. logs are inconclusive;
  8. company shared passwords with many people;
  9. no damage occurred;
  10. company consented to the use;
  11. data was publicly available;
  12. the contractor was merely preserving files;
  13. the company breached first;
  14. the contractor had a lien or right to retain work.

The company must be prepared with documents, logs, and clear proof of revocation, ownership, and damage.

XXXI. Mistakes Companies Should Avoid

Do not:

  1. delete logs during cleanup;
  2. fail to preserve screenshots;
  3. publicly accuse without evidence;
  4. pay ransom without documentation and advice;
  5. ignore data privacy duties;
  6. delay containment;
  7. keep using compromised systems without review;
  8. let the same contractor “fix” the breach;
  9. threaten unlawful action;
  10. access the contractor’s personal accounts;
  11. overlook hidden backdoors;
  12. forget to rotate API keys;
  13. assume changing email password solves everything;
  14. fail to notify affected persons when required;
  15. sue without identifying the correct defendant;
  16. rely only on verbal agreements;
  17. ignore platform recovery procedures;
  18. omit customer communications when fraud risk exists.

XXXII. Sample Incident Timeline

Date Event Evidence
March 1 Contractor engagement ended Termination email
March 2 Access revocation notice sent Email and acknowledgment
March 5 Unauthorized login detected Admin log
March 5 Files exported from CRM Export log
March 6 Clients received suspicious messages Client screenshots
March 6 Contractor demanded payment to return access Chat screenshot
March 7 Company disabled accounts and rotated credentials IT report
March 8 Forensic review began Engagement letter
March 9 Complaint prepared Complaint-affidavit

A clear timeline helps lawyers, investigators, regulators, and courts understand the incident.

XXXIII. Sample Board or Management Resolution

For corporate complaints, the representative should be authorized.

A simple resolution may state:

“RESOLVED, that [Name], [Position], is authorized to represent [Company Name] in connection with the cybersecurity incident involving unauthorized access, data compromise, and related acts by [Former Contractor], including authority to execute affidavits, file complaints, coordinate with law enforcement, engage counsel, submit documents, and perform all acts necessary to protect the company’s rights and interests.”

Corporate authority matters when filing complaints.

XXXIV. Practical Legal Strategy

A strong strategy usually has four tracks:

1. Technical Containment

Secure systems, rotate credentials, restore operations, and prevent further access.

2. Evidence Preservation

Export logs, preserve communications, document damage, and obtain forensic support.

3. Regulatory and Criminal Action

File with cybercrime authorities, prosecutors, or privacy regulators when warranted.

4. Civil Recovery

Seek damages, injunction, account transfer, return of data, and contractual enforcement.

The company should not focus only on punishment. It must also restore business operations and protect affected persons.

XXXV. Final Checklist for Companies

When a former contractor causes or is suspected of causing a cybersecurity breach:

  • disable all known access;
  • rotate credentials and keys;
  • preserve logs before they expire;
  • identify affected systems;
  • determine if personal data was involved;
  • consult legal counsel;
  • engage forensic support if needed;
  • document the timeline;
  • preserve contracts and termination notices;
  • notify affected persons if required;
  • prepare regulatory or criminal complaints;
  • send demand letter if appropriate;
  • recover account ownership;
  • restore from clean backups;
  • check for backdoors;
  • review insurance;
  • strengthen contractor onboarding and offboarding.

Conclusion

A cybersecurity breach by a former contractor in the Philippines is not merely an IT problem. It can involve cybercrime, data privacy liability, breach of contract, civil damages, intellectual property disputes, business interruption, reputational harm, and regulatory exposure.

The company’s first priority should be containment: disable access, rotate credentials, preserve logs, and stop the damage. The second priority is legal and evidentiary: document what happened, identify the former contractor’s authority and post-termination acts, preserve communications, and determine whether personal data or confidential business information was compromised.

Philippine remedies may include criminal complaints under cybercrime and penal laws, civil actions for damages and injunction, complaints before privacy regulators, contractual claims, intellectual property remedies, and platform recovery procedures. The strongest cases are built on clear contracts, access revocation records, technical logs, forensic evidence, documented losses, and careful compliance with data privacy obligations.

For businesses, prevention is just as important as litigation. Contractor access should be limited, monitored, documented, and revoked immediately upon termination. Company accounts should remain under company control. Confidentiality, cybersecurity, data protection, intellectual property, and return-of-assets clauses should be standard in every contractor agreement. A former contractor may once have been trusted, but once authority ends, continued access to company systems can become a serious legal violation.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login