A consultant employed at an IT company (M) had discovered a security vulnerability in a customer’s IT system. Thereafter, M used personal data to warn the customer about this flaw. To this end, on the basis of this vulnerability, M obtained personal data related to the customer’s executives and, subsequently, used their account details to order headache pills in their names. In the context of this order for pills, M advised the customer’s executives of the serious security vulnerability. Thereupon, the reaction of the employer of the IT consultant M was termination of his employment without notice.
The Siegburg court rejected the action for unfair dismissal in its ruling from 15.1.2020 (case reference: 3 Ca 1793/19, see under www.justiz.nrw.de). While pointing out a security vulnerability is indeed legitimate, nevertheless, the means chosen to do so was disproportionate. Through his actions the IT consultant M had undermined the customer’s trust in his employer and had thus jeopardised the customer relationship.