MANILA - The Court of Appeals has upheld a business process outsourcing company’s decision to fire an employee caught using the computer, username and password of his co-employees.

BPO Stream Global Services, a firm later acquired by Convergys, dismissed Christer Jansen Gallaza after he was caught using the computer of his team manager and the username and password of his former team manager in August 2013.

Gallaza worked as a senior customer support professional who was tasked to assist team managers.

He explained that he was authorized by his team manager, who supposedly had a stomach problem at the time, to access her profile so he could help his teammates get updates and statistics they needed.

His team manager, however, denied granting him any authorization.

Gallaza filed an illegal dismissal case before the Labor Arbiter, who ordered his reinstatement and awarded him backpay amounting to more than P700,000.

But the National Labor Relations Commission reversed this decision and ruled in favor of Stream Global Services.

In a 15-page decision dated October 15, 2018, CA Associate Justice Edwin Sorongon affirmed the NLRC’s ruling, finding that Gallaza committed serious misconduct when he “transgressed company rules and regulations pertinently on Information Security.”

Under the Labor Code, serious misconduct is one of the grounds for lawful termination of employment.

The company’s rules provide that the use of somebody else’s computer and/or network account, IDs and password without authorization is classified as a level 3 offense which warrants immediate dismissal on the first offense.

The CA justified Gallaza’s dismissal as a “managerial prerogative” and the company’s rules “reasonable and necessary” given the “sensitivity and intricacies” of the industry.

“Stream Global is in the BPO industry which is one of the economic drivers of this country. Given the nature of its business and the personal and sensitive data it processes daily, it is but necessary for the BPO industry to step up on data privacy and cyber security
measures in order to sustain its global prominence,” the CA decision said.

One of these security measures, according to the CA, is the “role-based security” where the degree of access to certain sensitive data is limited to the specific roles employees perform, thus, the importance of ensuring the confidentiality of login credentials such as username and password.

“Authorities have reported that the BPO industry is among the high-risk sectors in terms of data breaches and cyber security threats. As trust is becoming a big factor in today’s business environment, authorities believe that privacy is equated to trust in this industry," read the ruling.

"Thus, it is not just about the English-speaking proficiency and the empathy of Filipinos in the BPO industry but also the data privacy culture and data privacy measures employed and taken into consideration by the BPO companies that matter,” it noted.

In upholding the dismissal, the CA brushed aside Gallaza’s claim of his “5-year exemplary performance” in the company.

“[T]he longer an employee stays in the service of the company, the greater is his responsibility for knowledge and compliance with the norms of conduct and the code of discipline in the company,” the decision read.

Aside from ruling on the merits of the case, the CA also faulted Gallaza for failing to inform the Court, despite repeated reminders, about other pending related cases or proceedings involving the same parties, subject matter and issues in other courts and tribunals, in compliance with the rule against forum-shopping.