Facts
Decision
Comment
In Decision 14564/2017, the Supreme Court found that if an employee breaches internal policies regulating access to and use of a company's IT systems, he or she can be prosecuted for illegally accessing an IT system under Article 615ter of the Criminal Code.
The case concerned an employee who sent three emails to which he had attached a database regarding company know-how and files containing data on the company's revenue. The employee sent the emails to external email addresses using his business email account, even though company policy prohibited sharing reserved information via email.
According to the Employment Tribunal, the employee could not be prosecuted for illegally accessing an IT system because the company had authorised his access to the databases in order to carry out his work duties. Further, the tribunal found that the employee could not be prosecuted for illegally connecting to the company's IT system considering the short amount of time needed to send an email message. According to relevant case law, access to an IT system must take place for a sufficient amount of time in order for it to be considered a crime.
The tribunal found that the employee had behaved according to his work duties without any drastic breach of the company's employment policies.
The employer challenged the Employment Tribunal's decision before the Supreme Court, arguing that sending an email implies preliminary operations which take enough time to complete to trigger Article 615ter of the Criminal Code. The employee's defence argued that the violation of Article 615ter did not imply a drastic breach of internal policy, as affirmed by the tribunal.
The Supreme Court considered the employer's claim to be well grounded and revoked the tribunal's decision.
In an earlier decision (4694/2012), the Supreme Court affirmed that a breach of an IT system owner's policy is sufficient to find that unlawful access to that system has occurred. If an employee performs activities which are different to those authorised by his or her employer, the employee can be prosecuted under Article 615ter of the Criminal Code. The aims of an employee who unlawfully accesses an IT system are irrelevant.
According to the Supreme Court, company policy can prohibit employees from sharing reserved information via email or transferring information digitally. The breach of such internal rules, which can be different from one company to another, constitutes illegal access to or unlawful entry into an IT system under criminal law. Further, the Supreme Court clarified that sending an email is an activity that has a notable temporal dimension under Article 615ter of the Criminal Code.
For further information on this topic please contact Andrea Stanchi at Stanchi Studio Legale by telephone (+39 02 546 9522) or email ([email protected]).