Forgery of Electronic Signature by an Employee (Philippines): Criminal and Administrative Remedies

This article is for general information only and is not a substitute for legal advice.

1) What counts as an “electronic signature” and when is it valid?

E-Commerce Act (Republic Act No. 8792) and the Rules on Electronic Evidence (A.M. No. 01-7-01-SC) recognize “electronic signatures” (e.g., a typed name, a click-to-sign mark, a cryptographic/digital signature, a stylus “wet” e-signature on a touchscreen) as functionally equivalent to handwritten signatures when they identify the signer and indicate consent to the content.

A secure electronic signature (typically backed by cryptographic tech, certificates, audit trails, and integrity controls) enjoys a stronger presumption of authenticity and integrity.
Admissibility is governed by the Rules on Electronic Evidence: electronic documents are admissible if relevant; authenticity may be shown by evidence of how the record was generated, stored, and maintained, including system logs, hashes, timestamps, and testimony of a qualified custodian.

Key takeaway: If the company’s system reliably links the signature to a specific employee and shows the process the signer had to complete (e.g., unique credentials + two-factor + audit trail), that signature will often be treated like a handwritten signature.

2) When does forging an e-signature become a crime?

Several criminal theories may apply, depending on the facts:

a) Falsification of Documents (Revised Penal Code)

Public documents: Falsification by a public officer or by a private individual in a public document (Articles 171–172).
Private documents: Falsification by a private individual (Article 172) and use of falsified document as a separate offense.
Courts have treated electronic documents as “documents” for purposes of falsification, consistent with functional equivalence under RA 8792 and the Rules on Electronic Evidence.
Core elements include: (i) the document purports to be what it is not, (ii) imitation or counterfeiting of another’s signature, or (iii) making untruthful statements in a narration of facts causing damage or with intent to cause damage.
Use of a forged e-signature (e.g., submitting a falsified e-approved expense, altered e-contract, or doctored payroll authorization) is commonly charged in addition to falsification.

b) Computer-Related Offenses (Cybercrime Prevention Act, RA 10175)

If the forgery involved unauthorized access to a company system or account, data interference, or computer-related forgery/fraud, charges under RA 10175 may accompany RPC falsification.
Venue and jurisdiction rules under cybercrime law are broader (e.g., where any element occurred or where any computer system is located), which can be helpful when acts spanned multiple locations or were remote.

c) E-Commerce Act (RA 8792) offenses

RA 8792 penalizes acts like unauthorized access (hacking) and related interference with electronic data or systems that may occur during the forging of e-signatures (e.g., credential theft, bypassing security features).

d) Estafa (Swindling)

If the forged e-signature was used to obtain money, property, or an advantage (e.g., payroll diversion, fake reimbursements, vendor payments), estafa may be charged together with falsification.

e) Data Privacy Act (RA 10173)

If personal data was misused to impersonate a co-employee/executive (e.g., using their credentials or certificates), unauthorized processing or access to personal information may be implicated, with separate criminal liability.

3) Civil liability

Even if criminal liability is pursued, the employer (or affected counterparty) may claim actual, moral, and exemplary damages under the Civil Code for fraud, abuse of rights (Arts. 19–21), and tort.

Contracts “signed” via forged e-signature are void as to the person impersonated; the employer may seek annulment, rescission, or restitution (e.g., recovery of funds paid on a falsified authority).

4) Administrative remedies against the employee (private sector)

a) Grounds for dismissal (Labor Code, Art. 297 [formerly 282])

Serious misconduct
Fraud or willful breach of trust (loss of trust and confidence)
Commission of a crime or offense against the employer or his family/representatives
Gross and habitual neglect (if relevant to control failures)

Any of the above can justify termination for just cause if supported by substantial evidence.

b) Due process requirements (the “twin-notice” rule)

First Notice (charge sheet): state the facts, the specific rules/laws violated (e.g., falsification, breach of trust), and the evidence; give reasonable time to explain.
Opportunity to be heard: written explanation and/or conference/clarificatory hearing.
Second Notice: communicate the decision, factual and legal bases, and the penalty.

Preventive suspension (up to 30 days) may be used if the employee’s continued presence poses a serious and imminent threat to company property or investigation integrity (e.g., risk of data tampering).

c) Ancillary internal measures

Access freezes and credential revocation
Preservation of evidence (see Section 7 below)
Recovery of losses (set-off if lawful, restitution agreements)
Reporting to insurers (crime fidelity policies, cyber insurance)
Notifying affected counterparties if forged documents were used externally

5) Administrative remedies (public sector employees)

Under the Civil Service regime (2017 Revised Rules on Administrative Cases in the Civil Service and related issuances), forging an e-signature in official records constitutes Dishonesty, Falsification of Official Document, and/or Grave Misconduct—typically grave offenses penalized by dismissal, forfeiture of benefits, and perpetual disqualification, separate from criminal liability.

6) Where and how to file criminal cases

Evidence building (see Section 7).
File a complaint-affidavit with the Office of the City/Provincial Prosecutor where any essential element occurred, or (for cyber-related acts) with units such as NBI Cybercrime Division or PNP Anti-Cybercrime Group; they may conduct forensic examinations and assist in identifying the perpetrator.
Prosecutors may conduct inquest (if arrest was made) or regular preliminary investigation, then file the Information with the appropriate court.

Note on venue: Cybercrime allows more flexible venue—e.g., the place where the computer system is located or where any element of the offense occurred, which can simplify multi-site misconduct.

7) Proving the forgery: evidence and forensics checklist

A. Document-level proof

The electronic document allegedly signed (native file, not just a screenshot/PDF)
Audit trail entries: signer identity, IP/device, timestamps, authentication events (2FA/SMS/OTP/email confirmations), geolocation (if any)
Hash values and system metadata proving integrity (no post-sign alteration)
Platform signature certificates, public keys, and validation reports (for digital signatures)
System architecture and controls: who can create, approve, or alter records; change logs; segregation of duties

B. Identity and access evidence

Login history, SSO logs, VPN logs, endpoint logs, MDM/EDR alerts
Password-reset records; MFA registration logs; possession factors (hardware tokens)
Any credential compromise indicators (phishing emails, keyloggers, shoulder surfing)

C. Attribution & alternative-perpetrator defenses

Comparative behavior analysis: typical login times/locations vs. the suspicious event
Device fingerprints; MAC/serial numbers; workstation proximity (CCTV, badge logs)
Statements from the impersonated employee and witnesses

D. Chain of custody

Use forensic images and preserve originals; document every hand-off
Keep immutable storage copies (WORM) of key logs and documents
Prepare a custodian of records affidavit describing systems and record-keeping processes

E. Expert testimony

IT/security custodian (to explain the system and logs)
Digital forensics expert (to validate attribution and integrity)
If handwriting/stylus signature is involved, a forensic document examiner may still be useful (e.g., stylus dynamics)

8) Company controls that reduce risk and strengthen cases

“Secure” e-signature platforms with strong identity proofing and MFA
Role-based access, maker–checker workflow, and approval thresholds
Certificate-based digital signatures for high-risk transactions
Automated alerts for anomalous sign-events (new device/location, after-hours)
Immutable audit trails with time-stamping and hash chaining
Least-privilege credentials; periodic credential rotation
Vendor diligence: contract clauses on audit logs, data retention, subpoena cooperation
Employee training on phishing and credential hygiene
Incident response playbook for signature disputes (freeze, preserve, investigate, notify)

9) Data Privacy: breach assessment and notifications

If forging the e-signature involved unauthorized access to personal data (e.g., IDs, biometrics, credential vaults), evaluate whether the event is a personal data breach under the Data Privacy Act (RA 10173).

Consider breach notification to the National Privacy Commission (NPC) and to affected individuals where risks of harm exist.
Maintain evidence of timely assessment, containment, and remediation.

10) Common fact patterns and how they’re treated

Impersonation of a manager to approve payouts
- Criminal: falsification (private document) + computer-related offenses; possible estafa.
- Administrative: dismissal for fraud/breach of trust.
- Civil: recovery of disbursed funds; damages.
Forged e-acknowledgment of receipt of company property
- Criminal: falsification; use of falsified document if presented to HR/Finance.
- Administrative: serious misconduct; loss of trust.
Altered e-contract with counterparty signature block swapped
- Criminal: falsification (private or public, depending on nature); potential cybercrime if hacking used.
- Civil: contract nullity or rescission; reputational and reliance damages.

11) Practical playbook for employers

Immediately

Isolate risk: disable access; issue holds and legal preservation notices.
Preserve evidence: export native documents, complete audit logs, server/application logs, email and messaging records.
Forensic snapshot: image implicated devices/accounts; compute hashes; record time sources.
Interview & notices: twin-notice due process if employee is in scope; preventive suspension if warranted.
Counterparty management: retract suspect documents; issue no-reliance notices.

Within days 6) Loss quantification: money flows, approvals, bank proofs. 7) Charging theory memo: map facts to RPC falsification, RA 10175, RA 8792, estafa, RA 10173 as applicable. 8) File the criminal complaint with the Prosecutor/NBI/PNP-ACG; consider civil action for damages/restoration. 9) HR resolution: finalize administrative decision with detailed findings and policy citations. 10) Controls remediation: credential resets, platform hardening, additional MFA, policy updates.

Documentation pack (typical annexes)

Custodian affidavit on systems and logs
Platform vendor certification/validation report
Audit trail printouts and native exports with hashes
Copies of company policies, user agreements, and consent/notice banners
HR notices, minutes, and employee explanations

12) Defenses and how they’re addressed

“It wasn’t me; my account was hacked.” → Prove exclusive control or negligence (e.g., shared passwords). Logs, 2FA events, device telemetry, and physical presence contradicting the claim are decisive.
“The doc isn’t reliable.” → Show secure platform, unbroken audit trail, hashes, and vendor attestations.
“No damage.” → For falsification, intent to cause damage or actual damage may matter depending on the modality; show actual/likely prejudice (e.g., risk to company funds or third-party reliance).
Procedural due process lapses → Cure with proper notices and documented hearings; penalty must fit the gravity.

13) Penalties (high-level)

Falsification (RPC): imprisonment and fines that vary by whether the document is public or private and by the offender’s status (public officer vs. private individual). Use of a falsified document is separately punishable.
Cybercrime (RA 10175): penalties calibrated to the underlying offense when committed by/through a computer system (often higher than the base offense).
E-Commerce Act (RA 8792): fines and imprisonment for unauthorized access and interference.
Data Privacy Act (RA 10173): fines and imprisonment for unauthorized processing/access, plus NPC enforcement.
Administrative (labor/civil service): termination or dismissal; forfeiture of benefits and disqualification (public service).

(Specific penalty ranges change over time; check the latest text and jurisprudence before filing.)

14) Contract and policy drafting tips

Define “electronic signature” and approve platforms that meet “secure e-signature” standards.
Require MFA and prohibit credential sharing; set personal accountability for credentials.
Retention schedules for logs and certificates long enough to cover limitation periods.
Representations/warranties from vendors on auditability and legal cooperation.
Clear sanctions in the Code of Conduct for falsification and misuse of credentials.
Incident response clause with immediate access freezes and evidence preservation steps.

15) Quick Q&A

Is a typed name enough? Sometimes. If your system ties the typed name to a verified identity through credentials, device, IP, and a secure workflow, it can be valid—but it is easier to repudiate than a cryptographic signature.

Do we need a handwriting expert? Not usually for platform-based e-signatures; what matters is the system proof (audit trails, certificates). For stylus “ink,” dynamics can be analyzed, but logs still carry the day.

Can we discipline first and file criminal charges later? Yes. Administrative action is independent of criminal proceedings, but document your basis and comply with due process.

Final word

Forgery of an electronic signature blends classic falsification doctrines with modern cyber rules. Strong system design, disciplined evidence preservation, and proper charging strategy (RPC + RA 10175 + RA 8792, with DPA where applicable) give employers—and public agencies—the tools to hold employees accountable while protecting due process and data rights.