Misuse of sensitive customer data? Notice!

An IT employee is obligated to protect sensitive customer data and may not misuse it for other purposes. A breach of these duties usually justifies termination without notice by the employer.

Key Facts

IT employees must protect sensitive customer data and must not misuse it.
The Siegburg Labor Court ruled on a case of data misuse.
The plaintiff used privately stored customer data for personal purposes.
Termination without notice was justified due to a blatant breach of duties.
The plaintiff massively jeopardized the customer's trust in the defendant.
The decision is not yet legally binding; an appeal may be lodged.
Misuse of data is not permitted, even to uncover security vulnerabilities.

This was decided by the Siegburg Labor Court a few days ago.

The plaintiff had been working for the defendant as an SAP consultant since 2011. The plaintiff ordered headache pills for two board members of a customer of the defendant from the computer of a casino, using names, addresses and bank account details of customers of the customer previously downloaded from an encrypted computer of the customer to a private memory stick for the purpose of payment by direct debit. As part of the order, the plaintiff made the comment to this customer’s board that because of the order, they could see how easy it was to misuse data, which should give them a headache, and the headache pills they ordered could definitely help. He had not previously informed the defendant about existing security vulnerabilities at the customer. The plaintiff received a termination without notice on Aug. 26, 2019. He filed an action for unfair dismissal against this.

In its judgment of January 15, 2020, the Siegburg Labor Court dismissed the action and ruled that the termination without notice was justified. The 3rd Chamber was convinced that the plaintiff had blatantly violated his duty to show consideration for the interests of the employer by his actions. Sensitive customer data must be protected. The plaintiff misused his data access and exploited a security vulnerability at the customer’s site. Customers may expect the defendant and its employees to protect and in no way abuse any security vulnerabilities. Customer data must also not be misused for the purpose of uncovering supposed security gaps. The plaintiff has thus massively disturbed the customer’s trust in the defendant and its employees and thus massively endangered the customer relationship. This justifies termination without notice.

The decision is not yet final. The judgment may be appealed to the Cologne Regional Labor Court.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: Bank Kündigung Labor Court Lawsuit Sicherheit