Legal Alert: Bank Held Liable for Ex-Employee’s Data Leak

Recently the Federal Court ordered Public Bank Bhd to pay RM90 million in equitable, exemplary and aggravated damages to the National Feedlot Corporation (NFCorp) and four others, reinforcing the bank’s duty of confidentiality and civil liability for breach of the said duty.  

The decision serves as a strong caution to financial institutions that the absence of actual financial loss does not shield a bank from being ordered to pay exemplary or aggravated damages where the breach has caused reputational harm or distress to the customer. Nor will a bank be absolved merely because the disclosure was made without authority, because disciplinary action was taken against the responsible employee, or because no regulatory enforcement action was pursued by Bank Negara Malaysia.  

Background: The Leak and the Lawsuit 

NFCorp had sued Public Bank for leaking details of its accounts and of a proposed purchase of properties at KL Eco City. The leaked information was later used by a political figure (Rafizi) to make public allegations against NFCorp in a press release, which was distributed to the media on 07.03.2012 together with an ‘expose’ captioned ‘Bukti Bagaimana Dana Awam Untuk Projek Fidlot (sic) Digunakan Sebagai ‘Jaminan’ Pinjaman Peribadi Untuk Membeli 8 Unit Hartanah Mewah Di KL Eco City, Bangsar’.  

The leaked data included the customers’ profiles, account balance summaries, and details of the properties intended to be used as security, all of which were stored electronically in the bank’s IBM mainframe system. The leak was eventually traced to a former senior clerical staff member of Public Bank, who was no longer with the bank by the time the suit was brought against it. 

The clerical staff member was found to have, without authority, accessed restricted areas of the bank’s credit information systems relating to NFCorp and three others and printed the customers’ profiles and account balance summaries. He did so using the user ID of his supervisor, who had asked him to assist with credit-related work because of a heavy workload. In other words, the access was performed under shared credentials belonging to someone else, a practice that defeats individual accountability for who accessed what. The bank’s domestic inquiry panel later found the former employee guilty of the charges of misconduct. 

NFCorp sued Public Bank for losses and damages arising from the bank’s wrongful disclosure of their confidential banking information. During trial, Public Bank in its defence argued that: 

  1. The disclosure was made by a former employee, without the bank’s knowledge or consent, 
  1. The employee’s actions were unauthorised and contrary to the bank’s policies, 
  1. The impugned documents were not the bank’s documents, and the bank did not know who gave the impugned documents to Rafizi, 
  1. Disciplinary action had been taken when the breach was discovered, and 
  1. Bank Negara Malaysia had investigated the matter and decided not to take enforcement action. 

In short, the bank denied liability on the footing that the documents were disclosed by a former employee acting without authority, that it had taken disciplinary action against the officer involved, and that it had complied with its regulatory obligations.  

High Court dismissed NFCorp’s claim 

The High Court initially dismissed NFCorp’s claim, finding that the former employee had acted without authority and that the bank had exercised due diligence by putting in place policies and procedures to safeguard the confidentiality of its customers’ information and transactions.  

Court of Appeal’s findings  

The High Court’s decision was subsequently overturned by the Court of Appeal, which held Public Bank liable for breach of its implied duty of confidentiality.  

In reversing the High Court’s decision, the Court of Appeal reaffirmed both the bank’s implied contractual duty to keep customers’ banking information confidential, as established in English law in Tournier v. National Provincial and Union Bank of England [1924] 1 KB 461, and the statutory duty of confidentiality imposed by the Banking and Financial Institutions Act 1989 (since repealed and replaced by the Financial Services Act 2013).  

The Court of Appeal found that the High Court had erred in rejecting the domestic inquiry notes as irrelevant to the issue of liability, and in disregarding their evidential value after having ruled them admissible. The court also noted inconsistencies in the testimony of the bank’s investigation officer: at the domestic inquiry the officer had found the former employee responsible for the leak, but at trial he denied that the leaked documents were the bank’s documents.  

On the evidence, the Court of Appeal found that it would take very little to tilt the probabilities in favour of the conclusion that it was the former employee who had handed the impugned documents to third parties, from whom they eventually found their way into Rafizi’s hands. Ultimately, it was the former employee’s conduct that facilitated the disclosure of the impugned documents to Rafizi. 

The Court of Appeal awarded only nominal damages of RM10,000, on the basis that NFCorp had failed to prove its loss, and denied NFCorp’s claim for exemplary and aggravated damages. The Court of Appeal observed that the bank clearly did not ‘gain’ from the wrongful disclosure and, if anything, had itself sustained reputational damage. 

Federal Court’s Ruling  

On further appeal, the Federal Court dismissed Public Bank’s motion for leave to appeal, thereby affirming the finding of liability. More significantly, it allowed NFCorp’s cross-appeal and, on 18 June 2025, ordered Public Bank to pay RM90 million in total damages, comprising RM30 million in equitable damages, RM30 million in exemplary damages and RM30 million in aggravated damages, together with interest at 2% on the total sum from the date of the order until the damages are paid. 

The Federal Court was satisfied that NFCorp had adduced sufficient evidence to prove its claim for damages by producing its audited accounts and financial reports through its expert witness, evidence which Public Bank failed to rebut effectively, and held that the Court of Appeal had erred in awarding only nominal damages.  

Public Bank was also ordered to pay RM300,000 in costs. 

Conclusion 

The Federal Court’s decision affirms several important principles relevant to financial institutions: 

  1. The bank’s duty of confidentiality is non-delegable 

The duty of confidentiality is owed to the customer, and the customer’s rights remain enforceable against the bank regardless of the bank’s internal enforcement actions. Liability may attach even where the leak was committed by an employee acting without authority who had left the bank by the time the suit was brought.  

Reliance on internal policies and procedures put in place to safeguard the confidentiality of customers’ information is, on its own, insufficient. Courts will scrutinise how such safeguards are implemented in practice and whether they are genuinely effective. Internal disciplinary action and the absence of regulatory penalties do not absolve the bank from liability. 

  1. Exemplary and aggravated damages are now a real risk in breach of confidence claims even where the customer does not suffer quantifiable financial loss 

The Federal Court’s award of punitive damages suggests that courts may now take a modified approach to damages in breach of confidence claims, recognising that a plaintiff will often be unable to prove a quantifiable loss flowing from the wrongful disclosure of confidential information. 

  1. Internal investigation records, such as domestic inquiry findings, may be subject to disclosure and carry evidentiary weight 

Inconsistencies in handling or testifying on such matters may weaken the bank’s defence.  

The case underscores that a bank’s duty of confidentiality extends beyond regulatory compliance into civil liability. The decision should prompt all financial institutions to re-evaluate their internal protocols on customer data confidentiality, especially on: 

  1. Staff onboarding and offboarding, and the delegation of access to restricted systems (including the sharing of user IDs between staff, which was how the access in this case occurred), 
  1. Internal disciplinary documentation and consistency of testimony,
  1. Escalation and investigation procedures, and 
  1. Employee training on data handling and secrecy obligations,  

to safeguard against breaches. 

In an era where data protection and privacy are paramount, banks must ensure that robust confidentiality controls are not only in place but are actively and effectively enforced. Training, monitoring, and immediate escalation procedures for data breaches are more important than ever.  

Banks should ensure that the customer’s express consent is obtained before confidential information is divulged or disclosed to third parties, unless the bank is compelled to disclose by court order or by law, the circumstances give rise to a public duty of disclosure, or the protection of the bank’s own interests requires it. 
