Estafa, Cybercrime, and Unauthorized Access Complaint Against a Former Worker

A Philippine Legal Article

I. Introduction

A dispute with a former worker can become more than a labor or employment issue when money, company accounts, customer data, devices, passwords, online platforms, confidential files, or digital systems are involved. In the Philippines, an employer, business owner, client, or principal may consider legal action when a former employee, contractor, virtual assistant, agent, staff member, or service provider allegedly misappropriates funds, diverts payments, keeps company property, accesses accounts after termination, deletes files, changes passwords, impersonates the business, or uses confidential information for personal gain.

Depending on the facts, the conduct may give rise to complaints for estafa, qualified theft, cybercrime offenses, unauthorized access, computer-related fraud, data interference, identity-related offenses, unjust vexation, grave coercion, malicious mischief, breach of confidentiality, civil damages, labor claims, and administrative or regulatory complaints.

The legal analysis must be careful. Not every unpaid account, failed business arrangement, bad resignation, refusal to turn over files, or post-employment dispute is automatically criminal. Criminal liability requires specific elements, proof of intent, and competent evidence. At the same time, the use of digital systems can aggravate or transform ordinary misconduct into cybercrime.


II. Typical Situations Involving Former Workers

Complaints against former workers commonly arise from acts such as:

  1. collecting payments from customers and failing to remit them;
  2. diverting client payments to personal bank or e-wallet accounts;
  3. using company logins after resignation or termination;
  4. changing passwords to company email, Facebook page, website, Shopify store, Lazada/Shopee account, Google Workspace, Meta Business Suite, bank portal, CRM, or cloud storage;
  5. deleting business files, messages, invoices, customer lists, or transaction records;
  6. downloading confidential files before leaving;
  7. taking company laptop, phone, SIM card, inventory, cash, tools, documents, or access devices;
  8. impersonating the business or owner online;
  9. contacting clients and pretending to still represent the company;
  10. using the company’s customer database for a competing business;
  11. refusing to surrender administrative access;
  12. using saved passwords or former credentials to enter systems;
  13. transferring digital assets to a personal account;
  14. creating fake transactions, invoices, receipts, or screenshots;
  15. manipulating payroll, commissions, inventory, or delivery records;
  16. using company funds for personal purchases;
  17. making unauthorized withdrawals or transfers;
  18. locking the business owner out of accounts;
  19. threatening to delete files unless paid;
  20. selling or leaking confidential data.

The correct legal remedy depends on the exact act, the worker’s authority, the property involved, the timing of access, the existence of entrustment, and the evidence available.


III. Distinguishing Employment Dispute From Criminal Complaint

A former worker may owe money, fail to perform duties, or violate company policy. But criminal liability is not presumed merely because the worker breached a contract or caused loss.

A case becomes potentially criminal when there is evidence of:

  1. deceit;
  2. abuse of confidence;
  3. misappropriation or conversion;
  4. intent to gain;
  5. unauthorized taking;
  6. unauthorized access;
  7. fraudulent manipulation of computer systems;
  8. damage, deletion, or alteration of data;
  9. impersonation or identity misuse;
  10. concealment or falsification;
  11. refusal to return property after demand, where legally relevant;
  12. use of access beyond authority.

The complainant must identify the criminal theory that best fits the facts. Filing every possible charge without factual basis may weaken the complaint.


IV. Estafa in the Context of a Former Worker

Estafa is a felony under the Revised Penal Code. It generally involves defrauding another by abuse of confidence, deceit, or fraudulent means, causing damage.

In former worker cases, estafa commonly arises when the worker received money, property, documents, merchandise, or funds in trust or under an obligation to deliver, return, or account for them, and then misappropriated or converted them.

Common examples

  1. A cashier receives sales proceeds but keeps them.
  2. A sales agent collects customer payments but deposits them into a personal account.
  3. A delivery staff member receives cash-on-delivery payments but fails to remit.
  4. A virtual assistant receives funds for advertising spend but uses them personally.
  5. A project staff member receives client deposits on behalf of the company and does not turn them over.
  6. A worker is entrusted with inventory for sale and refuses to account for the proceeds.
  7. A bookkeeper diverts company funds while pretending they were paid to suppliers.

V. Estafa by Abuse of Confidence

A common form of estafa against workers is estafa with abuse of confidence. The usual theory is that the worker received property, money, or goods under an obligation to deliver, return, or account for them, but later misappropriated or converted them to personal use.

The important concepts are:

  1. receipt of property or money by the worker;
  2. fiduciary or trust relationship, such as agency, administration, employment, or commission;
  3. obligation to return, deliver, or account;
  4. misappropriation or conversion;
  5. prejudice or damage to the owner;
  6. demand, which is often useful to show misappropriation.

Demand is not always an element in the strict sense, but it is often important evidence. A written demand can show that the worker was required to account for the property and failed or refused to do so.


VI. Estafa by Deceit

Estafa may also arise when the former worker used false pretenses to obtain money or property.

Examples include:

  1. pretending to be authorized to collect payments after termination;
  2. sending fake invoices to clients;
  3. using the company name to solicit payments;
  4. claiming that the employer approved a transaction when no authority existed;
  5. falsifying screenshots or proof of payment;
  6. creating fake supplier accounts;
  7. inducing the business to release money based on false statements.

In deceit-based estafa, the false representation must generally be made before or at the time the offended party parted with money or property. If the deception occurred only after the money was already received, the better theory may be abuse of confidence or another offense.


VII. Estafa Versus Qualified Theft

A key distinction in former worker cases is whether the property was entrusted to the worker or taken without the owner’s consent.

Estafa

Estafa is more likely when the worker lawfully received possession of money or property but later misappropriated it.

Example: A collection agent is authorized to receive customer payments but keeps the collections.

Qualified theft

Qualified theft is more likely when the worker unlawfully takes property belonging to the employer, especially where grave abuse of confidence is involved.

Example: A warehouse employee secretly removes inventory from the stockroom and sells it.

The distinction matters because the facts must match the charge. The correct charge may differ depending on whether the worker had juridical possession, material possession, or merely physical access.


VIII. Estafa Versus Simple Debt

A complaint should not be framed as estafa if the issue is merely failure to pay a personal debt, salary advance, loan, or civil obligation without proof of fraud or misappropriation.

A worker’s inability to pay is not automatically estafa. There must be criminal fraud, abuse of confidence, or conversion.

Examples of civil matters that may not automatically be estafa:

  1. unpaid personal loan to the worker;
  2. disagreement over commissions;
  3. dispute over final pay deductions;
  4. failure to reimburse expenses due to accounting disagreement;
  5. poor performance of contractual services;
  6. unfinished project;
  7. ordinary breach of employment contract.

Criminal complaints should be based on evidence of criminal conduct, not merely frustration with a former worker.


IX. Cybercrime in the Employment Context

The Cybercrime Prevention Act of 2012 penalizes various offenses committed through or against computer systems. In former worker disputes, cybercrime may be involved if the worker used computers, phones, emails, social media accounts, online platforms, cloud systems, payment apps, or digital credentials in committing the act.

Cybercrime may be relevant in two ways:

  1. the act itself is a cybercrime, such as illegal access or data interference; or
  2. a traditional crime, such as estafa, is committed through information and communications technology, making it cybercrime-related.

This is important because penalties may be higher, digital evidence becomes central, and specialized law enforcement units may investigate.


X. Unauthorized Access or Illegal Access

Unauthorized access, often called illegal access, generally refers to accessing a computer system or part of it without right.

In the employment context, this may occur when a former worker:

  1. logs into company email after termination;
  2. uses saved passwords after authority has ended;
  3. accesses cloud storage without permission;
  4. enters company social media accounts after removal from employment;
  5. logs into an admin dashboard without authorization;
  6. uses another employee’s credentials;
  7. accesses payroll, HR, accounting, or customer databases after separation;
  8. bypasses revoked access through alternate accounts;
  9. uses a backdoor account created while employed;
  10. accesses a system beyond the scope of assigned authority.

The central issue is whether the worker had a right to access at the time and for the purpose of access. A person who once had authority may become unauthorized after resignation, termination, reassignment, or revocation of access.


XI. Authorized Access That Becomes Unauthorized

A former worker may argue: “I had the password,” or “I was the admin before.” That is not always a defense.

Access can become unauthorized when:

  1. employment ended;
  2. contract was terminated;
  3. access was expressly revoked;
  4. the worker was instructed to turn over accounts;
  5. the worker used access for a purpose outside work authority;
  6. the worker entered systems to damage, steal, copy, or conceal data;
  7. access was retained through deception or failure to disclose admin accounts;
  8. the worker used credentials belonging to another person.

Having the password is different from having legal authority to use it.


XII. Exceeding Authorized Access

Some cases involve a worker who was still employed or had some access but used it for an unauthorized purpose.

Examples:

  1. an HR staff member downloads all employee records for personal use;
  2. a sales employee exports customer data to join a competitor;
  3. a bookkeeper accesses payroll files to alter entries;
  4. a social media manager deletes posts after being informed of termination;
  5. an IT worker creates hidden admin access;
  6. a VA accesses client files unrelated to assigned tasks.

The legal theory may be illegal access, data interference, computer-related fraud, breach of confidentiality, or civil liability, depending on the act.


XIII. Data Interference

Data interference may arise when a former worker intentionally or recklessly alters, damages, deletes, deteriorates, or suppresses computer data without right.

Examples include:

  1. deleting customer records;
  2. erasing invoices;
  3. deleting email archives;
  4. wiping Google Drive folders;
  5. removing website files;
  6. deleting social media posts or ad accounts;
  7. changing product listings;
  8. altering inventory records;
  9. deleting chat history needed for business;
  10. encrypting files and refusing to provide the key.

This offense focuses on damage or interference with data, not merely access.


XIV. System Interference

System interference may apply when the act seriously hinders the functioning of a computer system.

Examples include:

  1. locking the owner out of an account;
  2. changing admin credentials;
  3. disabling a website;
  4. interfering with order processing systems;
  5. shutting down business email;
  6. disabling payment channels;
  7. changing DNS settings;
  8. blocking access to cloud systems;
  9. flooding or disrupting business systems;
  10. intentionally causing platform suspension.

The complainant should document how the system was impaired and what business loss resulted.


XV. Computer-Related Fraud

Computer-related fraud may apply when a person uses computer data or systems to cause economic loss through fraudulent input, alteration, deletion, suppression, or interference.

In former worker cases, examples may include:

  1. altering payment details in invoices;
  2. redirecting customer payments to personal accounts;
  3. changing checkout bank details on a website;
  4. manipulating accounting entries;
  5. creating fake orders or refunds;
  6. using company accounts to generate unauthorized payouts;
  7. changing payroll details;
  8. submitting falsified digital reimbursement claims;
  9. manipulating platform balances;
  10. using admin access to transfer credits or digital assets.

This offense overlaps with estafa but focuses on the fraudulent use or manipulation of computer systems or data.


XVI. Computer-Related Identity Theft

Identity-related cybercrime may arise when a former worker uses another person’s identifying information or digital identity without authority.

Examples:

  1. using the owner’s name to email clients;
  2. using the owner’s account credentials;
  3. pretending to be the company representative after separation;
  4. using the company’s logo, page, email, or brand identity to collect money;
  5. creating fake accounts using the employer’s identity;
  6. sending messages under another worker’s name;
  7. using saved IDs, signatures, or digital certificates;
  8. taking over a business profile.

The issue is not merely impersonation in ordinary conversation; it is the use of identity information through ICT without right, usually causing damage, confusion, or gain.


XVII. Cyber-Related Estafa

If estafa is committed using a computer system, online account, email, messaging app, e-wallet, website, or digital platform, it may be treated as a cybercrime-related offense.

Examples:

  1. former worker sends clients a bank account or GCash number and claims it belongs to the company;
  2. former VA uses company email to collect money;
  3. former social media admin receives orders through the business page and keeps the payments;
  4. former staff uses online invoices to divert funds;
  5. former worker uses messaging apps to deceive customers into paying him or her;
  6. former employee manipulates online records to conceal misappropriation.

The underlying estafa must still be proven. The use of ICT may affect jurisdiction, evidence, and penalty.


XVIII. Unauthorized Access to Social Media and Business Pages

Many businesses operate through Facebook pages, Instagram accounts, TikTok shops, YouTube channels, Meta Business Suite, online marketplaces, and messaging apps. A former worker who refuses to surrender or wrongfully uses admin access may create serious legal issues.

Possible legal concerns include:

  1. illegal access;
  2. data interference;
  3. system interference;
  4. computer-related fraud;
  5. identity misuse;
  6. unfair competition;
  7. civil damages;
  8. intellectual property issues;
  9. breach of confidentiality;
  10. conversion of business assets.

The complainant should preserve proof of ownership, page creation, business registration, admin history, messages demanding turnover, and platform logs.


XIX. Unauthorized Access to Email Accounts

Email accounts are often central to business operations. Former workers may still have access to Gmail, Outlook, domain email, or helpdesk systems.

Unauthorized post-employment access may involve:

  1. reading confidential emails;
  2. forwarding emails to personal accounts;
  3. deleting messages;
  4. changing recovery details;
  5. resetting passwords of connected accounts;
  6. impersonating the owner;
  7. intercepting client communications;
  8. diverting invoices;
  9. obtaining trade secrets;
  10. hiding evidence.

Email logs, recovery settings, IP logs, device history, and forwarding rules may become important evidence.


XX. Unauthorized Access to Banking, Payment, and E-Wallet Systems

If a former worker accessed bank portals, payment processors, GCash, Maya, PayPal, Stripe, Shopify Payments, marketplace wallets, or other financial systems, the case may involve both cybercrime and financial fraud.

Potential offenses may include:

  1. estafa;
  2. qualified theft;
  3. computer-related fraud;
  4. illegal access;
  5. identity theft;
  6. falsification;
  7. unauthorized transactions;
  8. money laundering concerns in serious cases.

The complainant should urgently secure accounts, notify financial institutions, request transaction records, freeze suspicious activity where possible, and preserve digital logs.


XXI. Unauthorized Access to Company Devices

A former worker may have used a company laptop, phone, tablet, SIM card, hard drive, or storage device. If the device is not returned, the issue may include theft, estafa, or civil recovery depending on how the device was entrusted.

If the worker accessed or copied data from the device without authority, cybercrime and data privacy issues may arise.

Important evidence includes:

  1. asset issuance forms;
  2. acknowledgment receipts;
  3. device serial numbers;
  4. employment contract;
  5. return demand;
  6. messages admitting possession;
  7. device logs;
  8. mobile number ownership records;
  9. remote management logs;
  10. inventory records.

XXII. Unauthorized Use of SIM Cards and Mobile Numbers

Business SIM cards are often tied to bank OTPs, e-wallets, customer calls, delivery apps, and social media recovery codes.

A former worker who retains a business SIM may be able to:

  1. receive OTPs;
  2. reset passwords;
  3. access e-wallets;
  4. impersonate the business;
  5. intercept customer calls;
  6. receive payment confirmations;
  7. continue business transactions;
  8. lock out the real owner.

The business should immediately request SIM replacement or account recovery, notify platforms, revoke access, and document all unauthorized use.


XXIII. Data Privacy Issues

If the former worker accessed, copied, used, sold, leaked, or disclosed personal information of customers, employees, suppliers, or clients, the matter may also involve the Data Privacy Act.

Personal information may include:

  1. names;
  2. addresses;
  3. phone numbers;
  4. email addresses;
  5. government ID details;
  6. payment information;
  7. health information;
  8. employee records;
  9. customer purchase history;
  10. account credentials;
  11. photos, videos, and private messages.

The employer or business may need to assess whether a personal data breach occurred and whether reporting or notification obligations arise.


XXIV. Confidentiality and Trade Secrets

Former workers may also misuse confidential business information, such as:

  1. customer lists;
  2. pricing;
  3. supplier contacts;
  4. marketing strategies;
  5. recipes;
  6. source code;
  7. designs;
  8. financial records;
  9. business plans;
  10. internal processes;
  11. ad campaign data;
  12. scripts and templates.

This may lead to civil claims for breach of contract, injunction, damages, unfair competition, or intellectual property-related remedies. Criminal charges may depend on the specific act and evidence.


XXV. Non-Compete, Non-Solicitation, and Confidentiality Clauses

Employment and contractor agreements often contain clauses restricting the worker’s use of company information or solicitation of clients.

A non-compete clause is not automatically enforceable in every situation. Courts may examine reasonableness as to time, place, scope, and public policy.

Confidentiality and non-solicitation clauses are generally easier to enforce if they are clear, reasonable, and supported by evidence of actual misuse.

Even if a non-compete clause is weak, unauthorized access, theft of data, and fraud may still be actionable.


XXVI. Former Employee Versus Independent Contractor

The legal analysis may differ depending on whether the person was an employee, independent contractor, agent, consultant, virtual assistant, sales representative, cashier, driver, bookkeeper, or freelance worker.

However, criminal liability does not depend solely on employment status. A contractor can commit estafa, cybercrime, or unauthorized access just as an employee can.

What matters is:

  1. what authority was given;
  2. what property or access was entrusted;
  3. what obligation existed;
  4. whether authority ended;
  5. what act was done;
  6. what damage resulted.

XXVII. Labor Law Considerations

If the worker was an employee, the employer should be careful not to confuse criminal prosecution with labor discipline.

During employment, suspected misconduct may justify administrative investigation, preventive suspension in proper cases, notice to explain, hearing or opportunity to be heard, and notice of decision.

After separation, the employer may still file criminal and civil complaints if evidence supports them.

However, employers should avoid illegal dismissal, withholding wages without legal basis, public shaming, coercion, or threats. A valid criminal complaint should stand on evidence, not retaliation.


XXVIII. Final Pay and Property Return

A common problem occurs when the employer wants to withhold final pay until the former worker returns property or accounts for money.

Employers must be cautious. Final pay, unpaid wages, and benefits are governed by labor law. Deductions may require legal or contractual basis, written authorization where required, or a lawful determination of liability.

If the former worker owes property or money, the employer may pursue recovery, demand return, or file appropriate complaints. But improper withholding of wages may expose the employer to labor claims.


XXIX. Demand Letter

A demand letter is often useful before filing a complaint, especially in estafa by misappropriation.

A demand letter may require the former worker to:

  1. return money or property;
  2. account for collections;
  3. surrender devices;
  4. turn over passwords and admin access;
  5. stop accessing company accounts;
  6. cease contacting clients;
  7. preserve data;
  8. explain disputed transactions;
  9. pay liquidated obligations;
  10. respond within a definite period.

The letter should be factual and avoid defamatory language. It should be sent through a verifiable method, such as personal service with acknowledgment, courier, registered mail, or email with proof of receipt.


XXX. Importance of Demand in Estafa Cases

Demand can help prove misappropriation or conversion. If a worker was entrusted with property and later refuses to return or account for it after demand, that refusal may support the inference of conversion.

However, demand alone does not create estafa if the elements are absent. The complaint must still prove entrustment, obligation to return or account, misappropriation, and damage.

A demand letter should not exaggerate facts or threaten unlawful action.


XXXI. Evidence Needed for Estafa

A strong estafa complaint may include:

  1. employment contract, service agreement, agency agreement, or job description;
  2. proof that the worker was authorized to receive money or property;
  3. receipts, invoices, collection reports, delivery records, or customer acknowledgments;
  4. bank statements, e-wallet records, and remittance records;
  5. screenshots of payment instructions;
  6. customer affidavits;
  7. accounting summaries;
  8. inventory records;
  9. admission by the worker;
  10. demand letter and proof of receipt;
  11. failure or refusal to account;
  12. computation of loss;
  13. affidavits of the owner, accountant, customers, or other witnesses.

The evidence should show the money trail and the worker’s obligation to remit or return.


XXXII. Evidence Needed for Unauthorized Access

For illegal access or unauthorized access complaints, useful evidence includes:

  1. account ownership records;
  2. access logs;
  3. login timestamps;
  4. IP addresses, device names, browser history, or location logs;
  5. platform security alerts;
  6. screenshots of unauthorized activity;
  7. emails showing password changes;
  8. admin role history;
  9. messages from the former worker admitting access;
  10. termination notice or revocation of access;
  11. demand to stop accessing accounts;
  12. proof that the worker had no authority at the time;
  13. forensic reports, if available;
  14. affidavits from IT personnel or platform administrators;
  15. business records showing damage or loss.

Screenshots should be preserved carefully. Where possible, export logs directly from the platform.
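
The comparison at the heart of items 2 to 4 and 10 above, shown as an added example that is not part of the original article: it takes an exported login log and the revocation time from the termination notice and lists what happened after access ended. The CSV columns, account names, addresses, and dates are constructed for illustration; platform exports are assumed to be in UTC while the notice is dated in Philippine time.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

PHT = timezone(timedelta(hours=8))  # Philippine Standard Time, UTC+8

# Constructed sample export. Column names are assumptions for this example,
# not any platform's real schema; addresses are documentation ranges.
SAMPLE_LOG = """timestamp_utc,account,source_ip,event
2024-03-01T01:12:00Z,worker@example.com,203.0.113.10,login_success
2024-03-14T09:30:00Z,worker@example.com,203.0.113.10,login_success
2024-03-15T08:59:00Z,worker@example.com,203.0.113.10,login_success
2024-03-15T09:05:00Z,worker@example.com,203.0.113.10,login_success
2024-03-16T02:00:00Z,worker@example.com,198.51.100.7,login_failure
2024-03-17T03:20:00Z,shared-admin@example.com,203.0.113.10,login_success
2024-03-17T04:00:00Z,owner@example.com,192.0.2.50,login_success
"""


def load_events(text):
    """Parse the export and attach timezone-aware UTC datetimes."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["timestamp_utc"], "%Y-%m-%dT%H:%M:%SZ")
        row["when"] = when.replace(tzinfo=timezone.utc)
        events.append(row)
    return sorted(events, key=lambda e: e["when"])


def post_revocation_findings(events, worker_account, revoked_at):
    """Return events at or after revoked_at that involve the worker's account,
    or another account used from an IP the worker logged in from earlier."""
    if revoked_at.tzinfo is None:
        # A naive time would silently compare local time against UTC logs.
        raise ValueError("revoked_at must carry a timezone")

    # IPs tied to the worker by successful logins while access was still valid.
    known_ips = {
        e["source_ip"] for e in events
        if e["account"] == worker_account
        and e["event"] == "login_success"
        and e["when"] < revoked_at
    }

    findings = []
    for e in events:
        if e["when"] < revoked_at:
            continue
        if e["account"] == worker_account:
            reason = "worker_account_after_revocation"
        elif e["source_ip"] in known_ips:
            # A lead only: a shared office or home IP can explain this.
            reason = "known_worker_ip_other_account"
        else:
            continue
        findings.append({
            "when_utc": e["when"].isoformat(),
            "when_pht": e["when"].astimezone(PHT).isoformat(),
            "account": e["account"],
            "source_ip": e["source_ip"],
            "event": e["event"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    # Notice effective 15 March 2024, 5:00 PM Philippine time (constructed).
    revoked = datetime(2024, 3, 15, 17, 0, tzinfo=PHT)
    for f in post_revocation_findings(load_events(SAMPLE_LOG),
                                      "worker@example.com", revoked):
        print(f["when_pht"], f["account"], f["source_ip"], f["event"], f["reason"])
```

The 08:59 UTC login falls one minute before the 5:00 PM revocation and is not flagged, while the 09:05 UTC login is; comparing the raw log time against the local time on the notice would get both wrong.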


XXXIII. Evidence Needed for Data Deletion or Tampering

For data interference, the complainant should preserve:

  1. before-and-after records;
  2. file deletion logs;
  3. audit trail;
  4. cloud storage activity logs;
  5. website logs;
  6. database logs;
  7. backup records;
  8. recovery attempts;
  9. witness affidavits;
  10. platform notifications;
  11. screenshots of missing or altered data;
  12. proof of the worker’s account activity;
  13. proof of lack of authority;
  14. cost of restoration;
  15. business interruption evidence.

The more technical the case, the more useful an IT forensic report becomes.


XXXIV. Evidence Needed for Computer-Related Fraud

Computer-related fraud evidence may include:

  1. original payment instructions;
  2. altered payment instructions;
  3. customer messages;
  4. bank or e-wallet destination records;
  5. platform logs showing who changed data;
  6. invoices and receipts;
  7. screenshots of fraudulent entries;
  8. audit logs from accounting systems;
  9. user access roles;
  10. proof of economic loss;
  11. affidavits from affected customers;
  12. admissions or explanations by the worker;
  13. device or IP connection to the worker;
  14. records showing the worker benefited from the fraud.

The complaint should clearly connect the computer manipulation to the financial damage.


XXXV. Preserving Digital Evidence

Digital evidence is fragile. The complainant should act quickly to preserve it.

Recommended steps include:

  1. take screenshots showing dates, URLs, usernames, and full context;
  2. export account logs;
  3. download transaction histories;
  4. preserve email headers where relevant;
  5. save original files, not just edited copies;
  6. avoid altering metadata;
  7. keep devices secured;
  8. document who handled the evidence;
  9. request platform logs before they expire;
  10. back up relevant records;
  11. have key screenshots notarized or supported by affidavits when appropriate;
  12. engage a digital forensic specialist for serious cases.

Poorly preserved screenshots may be challenged as incomplete, altered, or unauthenticated.


XXXVI. Chain of Custody

While chain of custody is often discussed in drug cases, the concept is also useful for digital evidence. The complainant should be able to explain where the evidence came from, who obtained it, how it was stored, and whether it was altered.

For devices, the complainant should avoid unnecessary use after discovering the incident. Continued use can overwrite logs or change metadata.

For accounts, the complainant should export logs and preserve security alerts before making changes, when safe to do so.
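
One way to put the preservation steps of Section XXXV and the custody questions above into practice, as an added example that is not part of the original article: a SHA-256 manifest of the collected files plus a hash-chained custody log, so later alteration of either is detectable. File names, actor labels, and the log format are assumptions made for this illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks; opened read-only so content is never modified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _relative_files(evidence_dir):
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            yield os.path.relpath(os.path.join(root, name), evidence_dir)


def build_manifest(evidence_dir, collected_by, source):
    """Record who collected what, from where, and each file's size and hash."""
    files = [{"file": rel,
              "size": os.path.getsize(os.path.join(evidence_dir, rel)),
              "sha256": sha256_file(os.path.join(evidence_dir, rel))}
             for rel in sorted(_relative_files(evidence_dir))]
    return {"collected_by": collected_by, "source": source,
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "files": files}


def verify_manifest(evidence_dir, manifest):
    """Return (file, problem) pairs; an empty list means nothing changed."""
    problems, listed = [], set()
    for entry in manifest["files"]:
        listed.add(entry["file"])
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.isfile(path):
            problems.append((entry["file"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["file"], "altered"))
    for rel in _relative_files(evidence_dir):
        if rel not in listed:
            problems.append((rel, "not in manifest"))
    return sorted(problems)


def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def append_custody(log, actor, action, manifest):
    """Add a custody entry that commits to the manifest and the previous entry."""
    entry = {"at_utc": datetime.now(timezone.utc).isoformat(),
             "actor": actor, "action": action,
             "manifest_sha256": _digest(manifest),
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def custody_log_intact(log):
    """Recompute every link; any edited or reordered entry breaks the chain."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def demo():
    """Constructed walk-through: collect, hand over, then simulate tampering."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "login_export.csv"), "w") as f:
            f.write("constructed,sample\n")
        with open(os.path.join(d, "alert_email.eml"), "w") as f:
            f.write("constructed sample message\n")
        manifest = build_manifest(d, "IT officer (placeholder)",
                                  "platform export (placeholder)")
        log = []
        append_custody(log, "IT officer (placeholder)", "collected", manifest)
        append_custody(log, "Counsel (placeholder)", "received copy", manifest)
        clean = verify_manifest(d, manifest)
        with open(os.path.join(d, "login_export.csv"), "a") as f:
            f.write("edited later\n")          # simulated alteration
        after_edit = verify_manifest(d, manifest)
        chain_ok = custody_log_intact(log)
        log[0]["actor"] = "someone else"        # simulated log edit
        chain_after_tamper = custody_log_intact(log)
    return clean, after_edit, chain_ok, chain_after_tamper


if __name__ == "__main__":
    print(demo())
```

Keep the manifest and custody log outside the evidence folder, and record the latest `entry_hash` somewhere independent, such as the affidavit itself; the chain only proves integrity relative to a hash that was fixed at a known time.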


XXXVII. Immediate Protective Measures

Before or while pursuing legal remedies, the business should secure itself.

Immediate steps include:

  1. revoke all access of the former worker;
  2. change passwords;
  3. enable two-factor authentication;
  4. remove recovery emails and phone numbers;
  5. check admin roles;
  6. review forwarding rules;
  7. secure domain and hosting accounts;
  8. rotate API keys;
  9. invalidate active sessions;
  10. recover business pages and platform accounts;
  11. notify banks and payment processors;
  12. preserve logs before they disappear;
  13. inform customers of correct payment channels, when necessary;
  14. suspend compromised accounts;
  15. conduct an internal audit.

The priority is to stop continuing damage.


XXXVIII. Avoiding Self-Help That Creates Liability

The complainant should avoid unlawful retaliation.

Risky acts include:

  1. hacking into the former worker’s personal accounts;
  2. publicly accusing the worker without proof;
  3. threatening violence or humiliation;
  4. posting personal information online;
  5. refusing lawful wages without basis;
  6. seizing personal property;
  7. coercing a confession;
  8. using spyware;
  9. accessing the worker’s private messages without authority;
  10. fabricating evidence.

A complainant should secure business accounts lawfully and document the incident properly.


XXXIX. Where to File the Complaint

Depending on the case, a complaint may be filed with:

  1. the prosecutor’s office for preliminary investigation;
  2. law enforcement cybercrime units;
  3. police authorities for blotter and investigation;
  4. National Bureau of Investigation cybercrime division;
  5. Philippine National Police anti-cybercrime units;
  6. barangay, only for matters covered by barangay conciliation and where applicable;
  7. civil courts for damages, injunction, replevin, or specific relief;
  8. labor authorities, if employment claims are involved;
  9. regulatory agencies, if data privacy or financial regulations are implicated.

For cybercrime, specialized cybercrime units are often better equipped to preserve logs, trace accounts, and assist in digital evidence handling.


XL. Barangay Conciliation

Some disputes between individuals residing in the same city or municipality may require barangay conciliation before court action. However, criminal offenses above certain penalty thresholds, offenses involving juridical entities in some situations, urgent cases, and cybercrime matters may not be suitable for barangay settlement.

The need for barangay proceedings depends on the parties, location, offense, penalty, and nature of relief sought.

A complainant should not assume that barangay conciliation is always required or always unnecessary.


XLI. Preliminary Investigation

For offenses requiring preliminary investigation, the complainant files a complaint-affidavit and supporting evidence. The respondent may be required to submit a counter-affidavit. The prosecutor determines whether probable cause exists.

A good complaint-affidavit should:

  1. narrate facts chronologically;
  2. identify the respondent;
  3. describe the employment or service relationship;
  4. specify authority given and when it ended;
  5. explain the act complained of;
  6. identify the law allegedly violated;
  7. attach documentary and digital evidence;
  8. attach witness affidavits;
  9. quantify damage;
  10. explain how evidence links the respondent to the act.

A disorganized complaint may fail even if the underlying grievance is real.


XLII. Complaint-Affidavit Structure

A complaint-affidavit may be organized as follows:

  1. identity of complainant;
  2. identity of respondent;
  3. relationship between parties;
  4. nature of business;
  5. respondent’s role and access;
  6. property, money, or accounts entrusted;
  7. date and manner of termination or separation;
  8. unauthorized acts discovered;
  9. evidence of misappropriation, access, deletion, or fraud;
  10. demands made;
  11. respondent’s response or refusal;
  12. losses suffered;
  13. legal offenses charged;
  14. prayer for investigation and prosecution;
  15. verification and certification, if required.

The complaint should avoid speculation. It should state facts supported by exhibits.


XLIII. Respondent’s Common Defenses

A former worker may raise defenses such as:

  1. authority to access the account;
  2. no formal termination or revocation;
  3. ownership or co-ownership of the account;
  4. business partnership rather than employment;
  5. consent of the owner;
  6. lack of intent to gain;
  7. accounting dispute only;
  8. no demand was made;
  9. money was used for business expenses;
  10. commissions or salary were unpaid;
  11. passwords were shared openly;
  12. another person accessed the account;
  13. screenshots are fabricated or incomplete;
  14. civil dispute only;
  15. no damage or loss;
  16. lack of proof linking respondent to the IP, device, or transaction.

The complainant should anticipate and address these defenses with evidence.


XLIV. Importance of Access Policies

Businesses are in a stronger legal position when they have clear written policies on account access.

Useful documents include:

  1. employment contract;
  2. confidentiality agreement;
  3. acceptable use policy;
  4. password policy;
  5. device issuance form;
  6. account access authorization;
  7. offboarding checklist;
  8. data privacy policy;
  9. non-disclosure agreement;
  10. return of property acknowledgment;
  11. admin access logs;
  12. separation notice.

Without clear access rules, the respondent may argue that continued access was tolerated or unclear.


XLV. Offboarding Failures

Many disputes happen because the business failed to properly offboard the worker.

Common failures include:

  1. allowing the worker to create accounts under personal email;
  2. sharing one password among all staff;
  3. not using company-owned emails;
  4. not removing admin access after termination;
  5. not changing recovery numbers;
  6. not tracking devices;
  7. not documenting account ownership;
  8. not securing customer lists;
  9. not requiring turnover;
  10. not maintaining backups.

These failures do not excuse criminal conduct, but they can make proof more difficult.


XLVI. Account Ownership Issues

Digital accounts can be legally complicated. The former worker may claim he or she created the page, email, store, website, or ad account.

Relevant factors include:

  1. who paid for the account or domain;
  2. whose business name appears;
  3. whose products or services were sold;
  4. who controlled the content;
  5. who received revenues;
  6. whether the account used company branding;
  7. whether creation was part of work duties;
  8. whether the worker was reimbursed;
  9. whether the account was registered under personal or company email;
  10. whether contracts define ownership.

A complaint is stronger if the business can prove that the account is a company asset.


XLVII. Civil Remedies

Even when criminal prosecution is pursued, civil remedies may be necessary.

Possible civil actions include:

  1. collection of sum of money;
  2. damages;
  3. replevin for recovery of personal property;
  4. injunction to stop use of data or accounts;
  5. specific performance to compel turnover;
  6. accounting;
  7. rescission or termination of contract;
  8. recovery of possession;
  9. unfair competition-related claims;
  10. breach of confidentiality action.

Criminal cases punish offenses, but they do not always quickly restore access or recover property. Civil remedies may be needed for immediate business protection.


XLVIII. Injunction and Temporary Relief

If the former worker continues to use accounts, contact clients, or threaten deletion of data, the business may consider injunctive relief.

A court may be asked to order the person to stop certain acts, preserve data, surrender access, or refrain from using confidential information, depending on the case.

Injunction requires proof of a clear right, violation or threatened violation, urgency, and inadequacy of ordinary remedies.


XLIX. Replevin for Company Devices

If a former worker refuses to return a company laptop, phone, equipment, or documents, a civil action for recovery of personal property may be considered.

Replevin may allow provisional recovery of personal property before final judgment, subject to legal requirements.

This may be useful where the device contains business data or is needed for operations.


L. Civil Liability Arising From Crime

A criminal offense may also give rise to civil liability. If the respondent is convicted, the court may order restitution, reparation, or damages.

However, the complainant should not rely solely on the criminal case if urgent recovery or account control is needed. Criminal proceedings can take time.


LI. Data Privacy Complaints

If personal data was accessed, disclosed, or used without authority, a complaint may also be considered before the privacy regulator.

A data privacy complaint may involve:

  1. unauthorized processing;
  2. unauthorized disclosure;
  3. malicious disclosure;
  4. failure to protect personal data;
  5. personal data breach;
  6. misuse of customer or employee records.

The business itself may also have obligations as a personal information controller. If a former worker caused a breach, the business should still assess whether it must notify affected data subjects or regulators.


LII. Employer’s Data Protection Duties

Businesses should implement reasonable and appropriate safeguards for personal data.

When a former worker accesses or copies personal data, regulators may ask whether the business had:

  1. access controls;
  2. least-privilege permissions;
  3. confidentiality agreements;
  4. data processing policies;
  5. audit logs;
  6. breach response procedures;
  7. employee training;
  8. secure offboarding;
  9. password management;
  10. contractual safeguards with contractors.

A complaint against a former worker does not automatically protect the business from scrutiny if its own controls were weak.


LIII. Money Trail and Asset Recovery

In financial fraud cases, tracing the money is crucial.

The complainant should gather:

  1. customer payment proof;
  2. bank account details used;
  3. e-wallet numbers;
  4. transaction reference numbers;
  5. dates and amounts;
  6. screenshots of payment instructions;
  7. account names;
  8. withdrawal records, if available;
  9. admissions;
  10. customer affidavits.

Law enforcement or prosecutors may request records from banks or platforms through proper legal processes.


LIV. Affidavits of Customers and Witnesses

Customer affidavits can be decisive. A customer can state:

  1. who contacted them;
  2. what representations were made;
  3. what account they were told to pay;
  4. how much they paid;
  5. whether they believed they were paying the company;
  6. screenshots or receipts;
  7. what happened after payment.

Employee or co-worker affidavits may also prove access, duties, entrustment, termination, and turnover obligations.


LV. Internal Audit Report

A company should prepare an internal audit report summarizing:

  1. amount lost;
  2. affected transactions;
  3. dates;
  4. customers;
  5. accounts involved;
  6. documents reviewed;
  7. responsible user accounts;
  8. missing inventory;
  9. unauthorized changes;
  10. supporting exhibits.

The report should be factual, not speculative. It can help the prosecutor understand complex transactions.


LVI. Use of Screenshots

Screenshots are useful but should be handled carefully.

Good screenshots should show:

  1. full screen where possible;
  2. date and time;
  3. URL or platform;
  4. account name;
  5. message sender and recipient;
  6. transaction reference;
  7. surrounding conversation;
  8. file path or folder name;
  9. unedited content;
  10. device used.

The complainant should save originals and avoid cropping unless full versions are also preserved.


LVII. Notarization of Digital Evidence

In some cases, a party may execute an affidavit identifying screenshots, messages, logs, and files. A notary does not prove that digital evidence is true, but a sworn affidavit helps establish how the evidence was obtained and preserved.

For important cases, digital forensic examination is stronger than mere notarized screenshots.


LVIII. Cyber Libel Risk in Public Accusations

Business owners sometimes post online warnings about former workers. This can create cyber libel risk if accusations are made publicly without sufficient legal basis or are phrased maliciously.

Even if the business has a valid complaint, public shaming can backfire.

Safer alternatives include:

  1. private notices to affected clients;
  2. factual fraud alerts without naming unnecessarily;
  3. direct account recovery notices;
  4. legal demand letters;
  5. formal complaints with authorities.


LIX. Extortion, Threats, and Coercion

If a former worker threatens to delete files, expose data, damage accounts, or withhold access unless paid, additional offenses may be considered depending on the facts.

Possible issues include:

  1. grave coercion;
  2. unjust vexation;
  3. threats;
  4. robbery or extortion theories in extreme cases;
  5. cybercrime offenses;
  6. data privacy violations;
  7. civil injunction.

All threats should be preserved exactly as sent.


LX. Falsification

Falsification may arise if the former worker fabricated or altered documents.

Examples include:

  1. fake receipts;
  2. fake invoices;
  3. altered bank slips;
  4. fake acknowledgment forms;
  5. forged signatures;
  6. fake delivery confirmations;
  7. edited screenshots;
  8. falsified payroll records;
  9. fake liquidation reports;
  10. altered digital documents.

If falsification was used to obtain money, it may accompany estafa.


LXI. Malicious Mischief

If the former worker damaged physical property, devices, office equipment, or possibly digital assets in a way treated as damage to property, malicious mischief or related offenses may be considered.

For purely digital deletion or interference, cybercrime provisions may be more directly applicable.


LXII. Unjust Vexation

Unjust vexation may be alleged when the former worker’s acts annoy, irritate, torment, or distress the complainant without necessarily fitting a more specific offense.

However, it should not be used as a catch-all when the facts support more specific offenses. Prosecutors may prefer the charge that directly matches the conduct.


LXIII. Grave Coercion

Grave coercion may arise when a former worker uses violence, threats, or intimidation to compel the employer or business to do something against its will, or prevent something not prohibited by law.

Example: threatening to permanently delete accounts unless the employer pays an unlawful amount.

The exact charge depends on the nature and gravity of the threat.


LXIV. Qualified Theft of Data?

Philippine law traditionally treats theft as involving personal property. Whether data itself can be the object of theft is more complex. If the worker stole a physical device, storage medium, SIM card, money, or inventory, theft analysis is clearer.

For copying, downloading, deleting, or misusing data, cybercrime, data privacy, breach of confidentiality, or civil remedies may be more appropriate.


LXV. Intellectual Property Issues

If the former worker took creative works, source code, designs, product photos, videos, marketing materials, or brand assets, intellectual property law may also be relevant.

Issues may include:

  1. copyright ownership;
  2. work-for-hire or commissioned work;
  3. trademark misuse;
  4. unfair competition;
  5. passing off;
  6. unauthorized use of business name;
  7. domain name disputes;
  8. takedown requests on platforms.

Ownership should be proven through contracts, payment records, project briefs, and account histories.


LXVI. Jurisdiction and Venue in Cybercrime Cases

Cybercrime cases can raise venue issues because acts may occur across cities, provinces, or countries. Relevant places may include:

  1. where the complainant resides or does business;
  2. where the respondent acted;
  3. where the computer system is located;
  4. where damage was suffered;
  5. where accessed accounts are maintained;
  6. where payments were received;
  7. where the offended party discovered the offense.

Venue should be evaluated carefully to avoid dismissal or procedural delay.


LXVII. If the Former Worker Is Abroad

Many virtual assistants, freelancers, and overseas workers may be located outside the complainant’s city or country.

Practical issues include:

  1. service of subpoenas;
  2. identifying real name and address;
  3. preserving platform evidence;
  4. tracing payments;
  5. cross-border cooperation;
  6. enforcing civil judgments;
  7. obtaining platform records;
  8. immigration or extradition limitations for serious cases.

Even if the person is abroad, a Philippine complaint may still be possible if the offended party, system, business, or damage is connected to the Philippines, subject to jurisdictional rules.


LXVIII. If the Employer Is a Corporation or Business Entity

If the complainant is a corporation, partnership, or registered business, the complaint should be filed by an authorized representative.

Documents may include:

  1. secretary’s certificate;
  2. board resolution;
  3. special power of attorney;
  4. business registration;
  5. articles of incorporation or partnership;
  6. authorization to file complaint;
  7. proof of ownership of accounts and assets.

Lack of authority of the signatory can cause procedural issues.


LXIX. If the Business Is a Sole Proprietorship

A sole proprietor may file personally, but should attach business registration documents if the accounts, payments, or customers were under the business name.

The proprietor should show that the diverted funds or accessed accounts belonged to the business.


LXX. If the Worker Claims Partnership

A former worker may defend by claiming that the arrangement was a partnership, not employment. This can affect ownership, authority, and whether funds were misappropriated.

The complainant should prepare evidence showing the true relationship:

  1. employment records;
  2. salary payments;
  3. contractor invoices;
  4. job description;
  5. tax treatment;
  6. communications assigning tasks;
  7. business registration ownership;
  8. who bore profit and loss;
  9. who owned customer accounts;
  10. whether the worker had capital contribution.

A genuine partnership dispute may be more civil than criminal unless fraud or unauthorized access is shown.


LXXI. If the Worker Claims Unpaid Salary or Commission

A worker may argue that he or she kept money because the employer owed salary, commissions, reimbursement, or final pay.

This is generally not a safe justification for taking company funds unless there was lawful authority or agreement. A worker cannot usually unilaterally collect by diverting company money.

However, unpaid compensation claims may complicate the case and may lead to labor proceedings. The employer should keep payroll and commission records clear.


LXXII. Settlement and Compromise

Some cases are settled through payment, return of property, turnover of access, and quitclaim. Settlement may be practical, especially when business recovery is urgent.

However:

  1. some criminal offenses are public offenses;
  2. settlement may not automatically extinguish criminal liability;
  3. affidavits of desistance do not always bind prosecutors or courts;
  4. settlement terms should be written;
  5. access turnover should be verified before dismissal or withdrawal;
  6. data deletion and confidentiality obligations should be included;
  7. payment schedules should be secured.

The complainant should avoid signing a broad waiver before receiving full restitution and account control.


LXXIII. Affidavit of Desistance

An affidavit of desistance may state that the complainant no longer wishes to pursue the case. Prosecutors and courts may consider it, but they are not always bound by it, especially if the offense affects public interest or evidence independently supports prosecution.

A complainant should not execute desistance unless settlement is complete and consequences are understood.


LXXIV. Preventive Measures for Employers and Businesses

Businesses can reduce risk by implementing:

  1. written contracts;
  2. confidentiality and data protection clauses;
  3. clear account ownership provisions;
  4. company-controlled emails;
  5. password managers;
  6. role-based access;
  7. two-factor authentication controlled by the owner;
  8. regular access audits;
  9. device issuance records;
  10. inventory accountability forms;
  11. collection and remittance policies;
  12. approval workflows for payments;
  13. offboarding checklist;
  14. backup systems;
  15. platform admin redundancy;
  16. customer payment verification notices;
  17. prohibition on personal account collections;
  18. clear disciplinary rules;
  19. incident response plan;
  20. cyber hygiene training.

Prevention is often easier than prosecution.


LXXV. Offboarding Checklist

When a worker leaves, the business should immediately:

  1. disable email access;
  2. remove admin roles;
  3. change shared passwords;
  4. revoke cloud access;
  5. recover devices;
  6. recover SIM cards;
  7. rotate API keys and tokens;
  8. remove payment permissions;
  9. change bank portal credentials;
  10. check auto-forwarding rules;
  11. transfer ownership of files;
  12. revoke ad account access;
  13. remove marketplace access;
  14. recover keys, IDs, and documents;
  15. secure backups;
  16. document turnover;
  17. remind the worker of confidentiality obligations;
  18. notify clients if the worker handled payments or accounts.

A written offboarding record can become crucial evidence.
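
The checklist above can be verified against an account inventory rather than taken on trust. The following Python example is added here for illustration and is not part of the original article; the inventory format, field names, addresses, and phone number are constructed assumptions, and the recovery-method check comes from the offboarding failures listed earlier rather than from this checklist.

```python
import json
import re
from datetime import date

# Constructed inventory of accounts the departed worker could reach.
# Field names, addresses and the phone number are hypothetical.
INVENTORY_JSON = """[
 {"account": "shop-admin", "admins": ["owner@example.com", "Worker@example.com"],
  "recovery_email": "worker.personal@example.net",
  "recovery_phone": "+63-900-000-0001",
  "forwarding_rules": [], "shared_password_rotated": "2024-01-10",
  "api_tokens": [{"name": "orders-sync", "created": "2023-11-02"}]},
 {"account": "support-mailbox", "admins": ["owner@example.com"],
  "recovery_email": "owner@example.com", "recovery_phone": null,
  "forwarding_rules": ["worker.personal@example.net"],
  "shared_password_rotated": "2024-03-02", "api_tokens": []},
 {"account": "ads-account", "admins": ["owner@example.com"],
  "recovery_email": "owner@example.com", "recovery_phone": null,
  "forwarding_rules": ["archive@example.com"],
  "shared_password_rotated": "2024-03-05",
  "api_tokens": [{"name": "reporting", "created": "2024-03-03"}]}
]"""


def _email(value):
    """Normalize an e-mail address for comparison (None becomes '')."""
    return (value or "").strip().lower()


def _phone(value):
    """Keep digits only so '+63 900...' and '+63-900...' compare equal."""
    return re.sub(r"\D", "", value or "")


def audit_offboarding(inventory, worker_emails, worker_phones,
                      separated_on, company_domain):
    """Return (account, checklist item, detail) for every residual access path."""
    emails = {_email(e) for e in worker_emails}
    phones = {_phone(p) for p in worker_phones}
    suffix = "@" + company_domain.lower()
    findings = []

    for acct in inventory:
        name = acct["account"]

        # Admin roles still held by the departed worker.
        for admin in acct.get("admins", []):
            if _email(admin) in emails:
                findings.append((name, "remove admin roles", admin))

        # Recovery methods that let the worker reset the password.
        recovery = _email(acct.get("recovery_email"))
        if recovery and (recovery in emails or not recovery.endswith(suffix)):
            findings.append((name, "change recovery email", recovery))
        recovery_phone = _phone(acct.get("recovery_phone"))
        if recovery_phone and recovery_phone in phones:
            findings.append((name, "change recovery phone", recovery_phone))

        # Mail forwarding to the worker or to any address outside the company.
        for target in acct.get("forwarding_rules", []):
            target = _email(target)
            if target in emails or not target.endswith(suffix):
                findings.append((name, "check auto-forwarding rules", target))

        # Shared passwords and tokens count as exposed unless they were
        # replaced strictly after the separation date (day granularity).
        rotated = acct.get("shared_password_rotated")
        if rotated is None or date.fromisoformat(rotated) <= separated_on:
            findings.append((name, "change shared passwords",
                             rotated or "never rotated"))
        for token in acct.get("api_tokens", []):
            if date.fromisoformat(token["created"]) <= separated_on:
                findings.append((name, "rotate API keys and tokens", token["name"]))

    return findings


if __name__ == "__main__":
    results = audit_offboarding(
        json.loads(INVENTORY_JSON),
        worker_emails=["worker@example.com", "worker.personal@example.net"],
        worker_phones=["+63 900 000 0001"],
        separated_on=date(2024, 3, 1),
        company_domain="example.com",
    )
    for account, item, detail in results:
        print(f"{account:16} {item:28} {detail}")
```

Saving the dated output with the turnover documents gives the offboarding record a concrete list of what was still open and when it was closed.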


LXXVI. Drafting Employment and Contractor Agreements

Contracts should clearly state:

  1. all accounts created for work belong to the company;
  2. all passwords and recovery methods must be turned over;
  3. use of personal accounts for company transactions is prohibited unless approved;
  4. company data must not be copied or retained;
  5. confidentiality continues after separation;
  6. devices and files must be returned;
  7. customer payments must go only to official channels;
  8. unauthorized access after termination is prohibited;
  9. access may be monitored;
  10. violations may lead to civil, criminal, and administrative action.

Clear contracts do not guarantee conviction, but they make authority and ownership easier to prove.


LXXVII. Customer Payment Controls

To avoid estafa or diversion by workers, businesses should:

  1. prohibit payment to personal accounts;
  2. publish official payment channels;
  3. use automated invoices;
  4. require dual approval for refunds;
  5. reconcile collections daily;
  6. send receipts from official systems;
  7. verify unusual payment instructions;
  8. segregate collection and accounting roles;
  9. require liquidation reports;
  10. audit customer accounts regularly.

A customer should never have to rely solely on a worker’s private message for payment instructions.


LXXVIII. Practical Complaint Checklist

Before filing, the complainant should prepare:

  1. narrative timeline;
  2. respondent’s full name and address;
  3. proof of employment or engagement;
  4. proof of authority and access;
  5. proof that authority ended;
  6. proof of money, property, or data involved;
  7. proof of unauthorized act;
  8. proof of damage;
  9. demand letter;
  10. proof of receipt of demand;
  11. screenshots and logs;
  12. customer or witness affidavits;
  13. bank or e-wallet records;
  14. internal audit report;
  15. contracts and policies;
  16. company authorization to file;
  17. digital evidence storage plan.

The complaint should be coherent and supported by exhibits.


LXXIX. Legal Strategy: Choosing the Correct Charges

A complaint may include multiple charges if supported by the facts, but each charge should have a clear factual basis.

Possible combinations include:

  1. estafa and cybercrime-related fraud;
  2. illegal access and data interference;
  3. computer-related identity theft and estafa;
  4. qualified theft and unauthorized access;
  5. falsification and estafa;
  6. data privacy complaint and civil damages;
  7. replevin and criminal complaint for stolen device;
  8. injunction and cybercrime complaint.

The stronger strategy is not necessarily to file the most charges, but to file the right charges with strong evidence.


LXXX. Avoiding Overcharging

Overcharging can weaken credibility. For example, if a worker merely failed to return a laptop after a payment dispute, alleging hacking, identity theft, estafa, theft, grave threats, and cyberterrorism without basis may distract from the provable claim.

A well-prepared complaint explains:

  1. what happened;
  2. why it is unlawful;
  3. what evidence proves it;
  4. what damage resulted;
  5. which law applies.

Precision is more persuasive than volume.


LXXXI. Role of Intent

Many relevant offenses require criminal intent, fraudulent intent, intent to gain, or intentional unauthorized access.

Intent can be proven through circumstances, such as:

  1. concealment;
  2. deletion of records;
  3. use of personal accounts;
  4. false explanations;
  5. refusal to return after demand;
  6. changing passwords;
  7. transferring funds;
  8. impersonation;
  9. creating backdoor access;
  10. continued access after warning.

Direct confession is not required, but circumstantial evidence must be strong enough.


LXXXII. Damage or Prejudice

Estafa and fraud-related complaints require proof of damage or prejudice. Cybercrime offenses may also involve damage depending on the provision.

Damage may include:

  1. money lost;
  2. property not returned;
  3. cost of restoring accounts;
  4. lost sales;
  5. lost customers;
  6. reputational harm;
  7. cost of forensic services;
  8. platform suspension losses;
  9. penalties paid to customers;
  10. unauthorized refunds;
  11. lost data;
  12. business interruption.

The complaint should quantify damage as much as possible.


LXXXIII. Return of Money Does Not Always Erase Liability

A respondent may offer to return money after being caught. Restitution may affect settlement, damages, or prosecutorial discretion, but it does not always erase criminal liability if the offense was already committed.

However, restitution can be relevant to resolving the dispute. The complainant should document any payment and avoid vague verbal settlement.


LXXXIV. Good Faith Defense

A former worker may claim good faith. For example:

  1. they believed they were still authorized;
  2. they thought the money represented unpaid commission;
  3. they accessed the account only to help transition;
  4. they downloaded files for backup;
  5. they changed the password to protect the account;
  6. they did not know termination was effective.

Good faith may negate criminal intent. The complainant should show facts inconsistent with good faith, such as prior warnings, concealment, personal benefit, false statements, or refusal after demand.


LXXXV. Importance of Written Revocation

To defeat a good faith defense, the business should issue clear written revocation of access.

The notice should state:

  1. employment or engagement has ended;
  2. authority to access all company accounts is revoked;
  3. the worker must not log in or use any credentials;
  4. all devices and data must be returned;
  5. all admin access must be transferred;
  6. all company information remains confidential;
  7. unauthorized access may result in legal action.

This creates a clean line between authorized and unauthorized access.
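
Once the time the revocation notice was served is fixed, that line can be drawn directly on an audit log. The following Python example is added here for illustration and is not part of the original article; it assumes a CSV export with UTC timestamps, and the column names, action names, accounts, and IP addresses are constructed. It converts log times to Philippine time before comparing, because a log kept in UTC read as local time would place activity on the wrong side of the revocation.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

PHT = timezone(timedelta(hours=8))  # Philippine Standard Time, UTC+8, no DST

# Actions the article lists as circumstances showing intent (password changes,
# deletion, exports, forwarding). The action names are hypothetical.
HIGH_IMPACT = {"password_change", "forwarding_rule_created",
               "data_export", "file_delete"}

# Constructed sample of an admin audit log export; header is line 1.
SAMPLE_LOG = """\
timestamp_utc,actor,action,target,source_ip
2024-03-01T09:10:00Z,worker@example.com,login_success,workspace,203.0.113.10
2024-03-01T09:45:00Z,worker@example.com,login_success,workspace,203.0.113.10
2024-03-01T09:47:12Z,worker@example.com,password_change,shop-admin,203.0.113.10
2024-03-01T10:02:00Z,owner@example.com,login_success,workspace,198.51.100.7
2024-03-01T16:20:00Z,worker@example.com,data_export,customer-list,203.0.113.10
not-a-date,worker@example.com,login_success,workspace,203.0.113.10
2024-03-02T01:05:00Z,worker@example.com,login_failed,workspace,203.0.113.10
"""


def parse_utc(value):
    """Parse an ISO 8601 timestamp such as 2024-03-01T09:45:00Z into UTC."""
    parsed = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("timestamp has no timezone: " + value)
    return parsed.astimezone(timezone.utc)


def post_revocation_events(log_text, actor, revoked_at):
    """Return (events, unparsed_lines) for one actor after revoked_at.

    revoked_at must be timezone-aware, for example the PHT time at which the
    written revocation was received. Rows for the actor whose timestamp cannot
    be parsed are reported by line number instead of being dropped silently.
    """
    if revoked_at.tzinfo is None:
        raise ValueError("revoked_at must carry a timezone")

    events, unparsed = [], []
    reader = csv.DictReader(io.StringIO(log_text))
    for row in reader:
        if row.get("actor") != actor:
            continue
        try:
            when = parse_utc(row.get("timestamp_utc") or "")
        except ValueError:
            unparsed.append(reader.line_num)
            continue
        if when <= revoked_at:
            continue  # activity while authority still existed
        events.append({
            "utc": when,
            "local": when.astimezone(PHT).strftime("%Y-%m-%d %H:%M:%S PHT"),
            "minutes_after": int((when - revoked_at).total_seconds() // 60),
            "action": row["action"],
            "target": row["target"],
            "source_ip": row["source_ip"],
            "high_impact": row["action"] in HIGH_IMPACT,
            "log_line": reader.line_num,
        })
    events.sort(key=lambda e: e["utc"])
    return events, unparsed


if __name__ == "__main__":
    # Assumed fact for the sample: notice received 1 March 2024, 5:30 PM PHT.
    revoked = datetime(2024, 3, 1, 17, 30, tzinfo=PHT)
    found, bad_lines = post_revocation_events(SAMPLE_LOG, "worker@example.com", revoked)
    for e in found:
        flag = "!" if e["high_impact"] else " "
        print(f'{flag} {e["local"]}  +{e["minutes_after"]:>4} min  '
              f'{e["action"]:16} {e["target"]:14} {e["source_ip"]} (line {e["log_line"]})')
    print("unparsed log lines:", bad_lines)
```

The `log_line` field ties each row of the resulting timeline back to the original export, which should be preserved unmodified alongside it.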


LXXXVI. If the Former Worker Still Has Files

A former worker may have copies of documents, customer lists, designs, credentials, or chats.

The business may demand:

  1. return of all company files;
  2. deletion of unauthorized copies;
  3. written certification of deletion;
  4. turnover of storage accounts;
  5. non-use of confidential information;
  6. non-contact with customers for fraudulent purposes;
  7. preservation of evidence.

Forensic verification may be difficult, so contractual and injunctive remedies may be useful.


LXXXVII. Account Recovery Before Litigation

Platform account recovery should usually be pursued immediately. Legal complaints may take time, while business damage may continue.

The business should contact:

  1. email provider;
  2. hosting provider;
  3. domain registrar;
  4. social media platform;
  5. marketplace platform;
  6. payment processor;
  7. bank;
  8. e-wallet provider;
  9. CRM or SaaS provider;
  10. ad platform.

Proof of business ownership, registration, IDs, invoices, and prior admin history may be required.


LXXXVIII. Cooperation With Platforms

Platforms may not disclose user data without legal process. However, they may help recover accounts, preserve data, or suspend unauthorized activity under their internal policies.

The complainant should submit clear reports with:

  1. business registration;
  2. proof of identity;
  3. account URL or ID;
  4. proof of ownership;
  5. screenshots of unauthorized changes;
  6. police report or complaint, if available;
  7. explanation of urgency.


LXXXIX. Police Blotter

A police blotter is not the same as a criminal case. It is a record of an incident.

It may be useful to document:

  1. date of discovery;
  2. property missing;
  3. unauthorized access;
  4. threats;
  5. refusal to return property;
  6. account takeover.

But a blotter alone does not prosecute the former worker. A formal complaint and supporting evidence are still needed.


XC. NBI or PNP Cybercrime Assistance

For cyber incidents, specialized cybercrime units may assist with:

  1. cyber incident reporting;
  2. preservation of digital evidence;
  3. tracing accounts;
  4. preparing for complaints;
  5. requesting platform cooperation through proper channels;
  6. forensic examination;
  7. identifying suspects.

The complainant should bring organized evidence and a concise timeline.


XCI. Prescription of Offenses

Criminal offenses have prescriptive periods. The period depends on the offense and penalty. Cybercrime-related offenses and Revised Penal Code offenses may have different considerations.

The complainant should act promptly. Delay can cause loss of logs, weaker witness memory, platform data expiration, and prescription issues.


XCII. If the Worker Was a Minor

If the former worker is a minor, special rules on children in conflict with the law apply. The matter may involve diversion, social welfare intervention, and special procedures.

The complainant may still seek recovery of property or damages, but criminal handling differs.


XCIII. If the Worker Used Another Person’s Account

Sometimes the former worker uses a relative’s bank account, e-wallet, or online identity. This complicates proof.

The complaint should distinguish between:

  1. the person who accessed the system;
  2. the person who received money;
  3. the account owner;
  4. possible conspirators or accomplices;
  5. innocent account holders used without knowledge.

Evidence must connect each person to the unlawful act.


XCIV. Conspiracy and Cooperation

If multiple former workers cooperated, conspiracy may be alleged if there is proof of common design and coordinated acts.

Examples:

  1. one worker changes passwords while another diverts payments;
  2. one creates fake invoices and another receives funds;
  3. one deletes records while another contacts clients;
  4. one provides credentials to an outsider.

Conspiracy should not be alleged lightly. It must be supported by facts.


XCV. Role of Admissions and Apologies

Messages such as “I will return the money,” “I used it first,” “I changed the password because you did not pay me,” or “I will give back access after you pay” can be powerful evidence.

The complainant should preserve full conversations, not isolated snippets. Full context prevents claims of selective editing.


XCVI. Restoring Business Operations

Legal action should be paired with business recovery.

Important operational steps include:

  1. notify affected clients of official channels;
  2. review all recent transactions;
  3. reverse unauthorized changes;
  4. restore backups;
  5. reset permissions;
  6. audit customer data exposure;
  7. document business losses;
  8. preserve evidence before cleanup;
  9. implement new controls;
  10. communicate carefully to avoid defamation.

The business must stop the bleeding while building the case.


XCVII. Ethical and Practical Considerations

A complainant should pursue legal remedies responsibly. Criminal law is serious. It should not be used merely to pressure a worker in a salary dispute or to avoid labor obligations.

At the same time, workers who exploit trust, steal funds, hijack accounts, or misuse access should not be shielded by the fact that they were once authorized users.

The fairest approach is evidence-based: identify the act, preserve proof, assess the correct legal theory, secure the business, and file the appropriate complaint.


XCVIII. Common Red Flags Before Hiring or During Employment

Businesses should watch for:

  1. refusal to use company email;
  2. insistence on using personal payment channels;
  3. reluctance to document transactions;
  4. refusal to share admin access with owner;
  5. unexplained refunds or discounts;
  6. mismatched receipts;
  7. customer complaints about payment instructions;
  8. sudden deletion of messages;
  9. frequent password changes without approval;
  10. unusual data exports;
  11. forwarding rules to personal email;
  12. unauthorized installation of remote access tools;
  13. unexplained inventory discrepancies.

Early detection can prevent larger losses.


XCIX. Model Legal Theory by Scenario

Scenario 1: Former cashier kept collections

Possible charge: estafa by abuse of confidence or qualified theft, depending on possession and facts.

Key evidence: receipts, collection records, job description, accounting report, demand letter.

Scenario 2: Former VA changed passwords to business accounts

Possible charge: illegal access, system interference, coercion if used as leverage.

Key evidence: admin logs, password change notices, termination notice, demand to surrender access.

Scenario 3: Former social media manager collected customer payments

Possible charge: estafa, computer-related fraud, identity-related cybercrime.

Key evidence: customer chats, payment receipts, account ownership proof, bank or e-wallet details.

Scenario 4: Former employee downloaded customer list and joined competitor

Possible claims: breach of confidentiality, data privacy violation, civil damages, possible cybercrime depending on access and use.

Key evidence: access logs, file export records, confidentiality agreement, customer solicitation proof.

Scenario 5: Former IT worker deleted files

Possible charge: data interference, system interference, malicious mischief-related theories, civil damages.

Key evidence: deletion logs, backups, user account activity, forensic report.

Scenario 6: Former worker kept company laptop

Possible charge: estafa, theft, or civil recovery depending on entrustment and facts.

Key evidence: device issuance form, demand letter, acknowledgment of possession, refusal to return.


C. Conclusion

A complaint against a former worker for estafa, cybercrime, or unauthorized access in the Philippines requires a careful match between facts, law, and evidence. The strongest cases are not built on accusations alone, but on a clear timeline, proof of authority and its revocation, proof of entrusted property or digital access, evidence of misuse, proof of damage, and proper preservation of digital records.

Estafa may apply when the former worker misappropriated money or property received in trust, or obtained money through deceit. Cybercrime may apply when the worker accessed systems without authority, altered or deleted data, interfered with accounts, manipulated computer records, used digital identity without right, or committed fraud through ICT. Civil, labor, data privacy, and regulatory remedies may also be necessary depending on the situation.

For businesses, the practical response should be immediate and organized: secure accounts, preserve evidence, send a proper demand, audit losses, recover access, prepare affidavits, and file the appropriate complaint. For prevention, businesses should use written contracts, company-owned accounts, access controls, offboarding procedures, and clear payment policies.

The central principle is simple: a worker’s past authority does not give permanent permission to access, use, control, or profit from company property, funds, accounts, or data. Once authority ends, continued access or misuse may become unlawful. Conversely, criminal prosecution must be based on solid proof, not mere suspicion, employment resentment, or an ordinary accounting dispute.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.