Misuse of customer data – termination of the IT employee without notice justified

The labor court in Siegburg confirmed the immediate dismissal of an IT employee due to misuse of customer data from his own company.

The termination without notice of an IT employee can be justified if he exploits security gaps and misuses customer data – so the Siegburg Labor Court ruled with its judgment of January 15, 2020 (Az .: 3 Ca 1793/19).

An IT employee had sued his employer. The court dismissed the lawsuit.

Violation of the duty to consider the interests of the employer

In the present case, the IT employee violated the employer’s obligation to be considerate and put the customer relationship at risk.

The labor court determined that it was not permissible to misuse sensitive customer data even to uncover security gaps. Even if the aim of the employee was to inform the customer about the security gap, his approach significantly disrupted the customer’s trust in the employer. The customer expects the defendant employer to protect his sensitive data. The employer should also expect his employees not to exploit these security gaps, but to inform the employer about them. IT employees in particular are obliged to protect sensitive data. In the present case, the IT employee’s termination without notice was therefore justified.

IT employees saw themselves as “whistleblowers”

The plaintiff had already been working as a SAP consultant for the defendant employer since 2011. Instead of informing his employer about the security gaps he found, he had misused the customer’s data to place orders, pay by direct debit and send them to the customer’s board of directors. He wanted to make the customer aware of the vulnerability. The employee wanted to be understood as a “whistleblower” in court.

Specifically, the employee had downloaded data from the customer’s encrypted computer onto a stick. The data included names, addresses and bank details of customers of the customer. He used the computer in a casino to order headache pills for members of the customer’s board of directors and sent them to them with the message that they could see from this example how quickly data was being misused and that the tablets sent with them were intended to alleviate the resulting headaches.

The judgment shows that the misuse of data is not permitted even for a supposedly good cause and that IT employees in particular are obliged to protect sensitive data. If you violate this obligation, you must expect extraordinary termination and the assertion of claims for damages.

Would you like to sensitize your employees to data protection and IT security? We offer eLearnings on these topics! Just ask us about it. Call us on 08505 919 27-0 or fill out our contact form.