º¬Ðß²ÝÉçÇø

In a complex business environment, companies frequently encounter various forms of unlawful infringement. While defending one¡¯s rights is legitimate, improper methods may turn the victim into a criminal suspect. This article draws on a case handled by the authors ¨C in which an employee erased company content in retaliation and the company responded with a false police report ¨C to serve as a warning to enterprises and provide guidance on lawful rights protection.

Case review

Company A is a technology enterprise. Before resigning, employee Qian, dissatisfied with the company, used unrecovered back-end access that had not been revoked to delete all articles from the company¡¯s official website, including a large number of research achievements and project cases. The data could not be restored.

Although company A promptly conducted an internal investigation, the large number of employees with deletion privileges made it difficult to quickly identify the responsible party. To resolve the issue swiftly, the actual controller, Sun, decided to report the incident to the police as a ¡°crime of sabotaging a computer information system¡±. As the case did not meet the threshold for criminal filing, under Sun¡¯s instructions, company A entered into a fictitious website repair contract with company B, an information technology service provider, and fabricated an invoice, falsely claiming a repair cost of RMB50,000 (USD7,030) as proof of loss. This enabled the case to be filed, and following an investigation, Qian was subjected to criminal detention.

During the investigation, Sun was told by associates that the fabricated evidence chain was incomplete. To reinforce the evidence, Sun arranged for a transfer of RMB50,000 to company B. However, during the review for approval of the arrest, the procuratorate discovered inconsistencies in the timing of the remittance, which exposed the fabrication. As a result, not only was the arrest of Qian not approved, but the clues regarding company A¡¯s falsification of evidence were referred to the public security authorities. Sun, the actual controller of company A, and Wang, the employee who, under Sun¡¯s instructions, signed the website repair contract and handled the police report, were both placed under criminal investigation by the public security authorities for suspected false accusation and framing. The relevant cases are currently under investigation.

Missteps

In this case, company A made three major operational mistakes.

Mistaking personal connections for shortcuts. Sun relied on the suggestion from an acquaintance that ¡°the higher the amount, the heavier the sentence¡±, hoping to use personal relationships with investigators as a shortcut instead of pursuing rights protection through lawful procedures. This approach ignored the fundamental requirement of ¡°evidence legality¡± in criminal proceedings. Ultimately, the fabrication of evidence was uncovered, resulting not only in the failure to protect the company¡¯s rights but also in exposing its own criminal conduct.

Substituting fabricated losses for lawful proof. Regarding the company¡¯s actual losses, company A did not lawfully substantiate its losses through audit calculations of labour costs or data recovery expenses. Instead, in pursuit of a ¡°heavier sentence¡±, it fabricated repair costs using false contracts to meet the threshold for case filing. Although this approach appeared effective in the short term, it created significant risks for subsequent criminal liability.

Lack of legal counsel led to misguided decision-making. During the reporting process, the company neither involved in-house counsel nor engaged external legal counsel. From the selection of charges and evidence collection to responding to the investigation, all decisions were made by Sun based on personal judgement. Had professional legal counsel or lawyers been involved from the outset, they could have accurately analysed the nature of the case, advised on the appropriate path, whether it be civil claims or criminal reporting, and lawfully collected evidence, helping the company avoid criminal risks.

Guidelines

Enterprises must clearly delineate management permissions for critical data and information. Sun¡¯s decision to pursue criminal reporting to identify the responsible party stemmed from the company¡¯s overly lax management of website backend permissions, which made it impossible to directly pinpoint the operator through internal systems. Enterprises should establish a comprehensive information management compliance system, clarify employee permissions, and ensure that key operations are traceable, reducing the risk of malicious employee actions that could render data irrecoverable. Specific measures include regularly reviewing employee permissions, promptly revoking access on resignation, backing up important data, and implementing multiple recovery mechanisms. At the same time, compliance training should be strengthened to enhance legal awareness and foster a culture of compliance.

Enterprises must protect their rights through lawful procedures. In this case, Sun and others failed to scientifically calculate and lawfully present the company¡¯s actual losses, instead fabricating evidence in an attempt to ¡°punish¡± Qian, which ultimately resulted in criminal liability and severe consequences. Private enterprises often lack sound compliance systems and risk warning mechanisms. Amid social transformation, it is even more essential to adhere to the law and protect rights through legal means, rather than blindly relying on so-called ¡°associates¡± or engaging in unlawful guidance and command, which can lead to significant criminal risks.

Legal decisions should be made with professional consultation. Private firms often prize business over legal affairs. But when it comes to defending their rights, they should put lawyers, whether in-house or external, in charge. From classifying the conduct and mapping the legal path to judging the risks, professionals ought to be involved from the start. Among the cases that the authors have handled, a company argued that it suffered losses after an employee deleted data from its IT system. In this case, an audit report can help put a figure on staff time and recovery costs, and, combined with legal analysis, show whether the losses meet the threshold for a criminal case, paving the way to the most effective and lawful remedy.

Enterprises must always prioritise legality and legitimacy in defending their rights and must not allow blind trust in so-called associates or impulses of retaliation to trigger fundamental errors in approach and cross legal boundaries. In this case, company A, initially the victim of employee sabotage, ended up exposed to criminal risk because of unlawful measures taken in the course of protecting its rights. The lesson for operators of private firms is clear: Only by strictly observing the law and pursuing remedies through proper legal channels can the true purpose of rights protection be fulfilled and the steady development of the enterprise assured.

Xu Rui is a partner and Li Rujia is an associate at Starrise Law Firm