On 8 January 2019 the Criminal Court of Cassation confirmed a Milan Court of Appeal judgment which had found that an employee who had emailed confidential data (in this case an Excel file) to a colleague who was not authorised to access said information had committed the crime of unauthorised access to a computer system under Article 615ter of the Criminal Code.
An employee of a major international banking group asked a colleague for some data relating to the current accounts of certain bank customers (ie, account holder names and balances). The employee did not have access to this data, but it was available to his colleague, who was employed by the same credit institution. The colleague sent the employee an Excel file containing said information from an email account that the bank had assigned to him.
The bank reported the employee's conduct to the competent authorities. The first-instance proceedings found the employee guilty of the offence referred to in Article 615ter of the Criminal Code and liable to the bank under civil law.
The employee appealed. The Milan Court of Appeal set aside the first-instance judgment and discharged the employee from the criminal charge under Article 615ter of the Criminal Code because prosecution of the offence was time-barred, while confirming his civil liability to the bank.
According to the Milan Court of Appeal, the employee's liability (which, the offence being time-barred, was civil liability only) arose from his participation in the crime under Article 615ter of the Criminal Code committed by his colleague, who had actually sent the confidential data through the bank's protected computer system.
The employee's participation consisted essentially in having asked his colleague to commit the crime.
The Criminal Court of Cassation upheld the Milan Court of Appeal's decision on the basis of the following Joined Chambers decisions on unauthorised access to computer systems.
- Judgment 4694 of 27 October 2011 stated that:
anyone who accesses a protected computer or telecommunications system or operates it in violation of the conditions and limits resulting from the set of instructions issued by the owner of the system to objectively delimit access to it, even if he/she personally is granted powers, commits the crime referred to by article 615-ter of the Criminal Code, whilst, for the purposes of detecting the existence of the crime, the matters and purposes that gave subjective reasons for allowing access into the system remain irrelevant.
- Judgment 41210 of 18 May 2017, which concerned a public official or a person in charge of a public service (the aggravated form under Article 615ter(2)(1)), but which the court held applies equally to the private sector by virtue of the duties of trustworthiness and loyalty that undoubtedly characterise private employment relationships. Judgment 41210 stated that the crime referred to in Article 615ter of the Criminal Code is also committed where a person:
even though he/she is authorized and does not violate the formal prescriptions issued by the owner of a protected computer or telematic system to delimit access to it, enters or remains in the system for reasons ontologically unrelated to those for which the right of access is granted to him/her.
In light of the above principles, the court concluded that:
any behaviour of an employee that is in contrast with the aforesaid duties is illegal and abusive, thus manifesting the "ontological incompatibility" of the access to the computer system, inherent to a use of the same extraneous to the ratio of the conferral of the relative power.(1)
In the case at hand, the court found that the bank had practices and policies under which confidential data concerning the customers of a given department was accessible only to the employees of that department and not to members of other departments. It therefore concluded that the transmission of such data from the bank's computer system by an employee authorised to access it to an employee without authorisation constituted an offence under Article 615ter of the Criminal Code: the operation was not permitted by the employer (the owner of the computer system) and therefore amounted to an unauthorised use of that system.
The decision, grounded in the Joined Chambers case law, appears unchallengeable. The crime of unauthorised access to a computer system punishes:
- those who illegally enter a protected system (to access the data contained therein); and
- persons who remain in a protected system after a lawful or accidental entry, against the will of the party entitled to exclude them.
Unauthorised access to a computer system therefore does not require a party to break into a program, archive or database from outside. As the Court of Cassation stated, even parties entitled to access data can commit the offence if they use the system in an improper manner (ie, contrary to the instructions given by the system's owner). Moreover, authorisation to access a computer system for certain purposes does not extend to access for purposes that are not expressly permitted.
In addition to the criminal consequences for the individuals involved, such conduct exposes data controllers to potentially serious violations of the EU General Data Protection Regulation (GDPR) (2016/679). For example, in the case under review, the employee had the file in question sent to his private email address.
Under the GDPR (Article 32), employers, as data controllers, must implement appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of information systems and data, including measures that prevent the misuse of authorised access by their own staff. The case also shows why such measures should be documented: the court inferred the lack of authorisation from the bank's own internal policies delimiting which departments could access which customer data.
For further information on this topic please contact Luca Daffra at Ichino Brugnatelli e Associati by telephone (+39 (0)2 48193249) or email (firstname.lastname@example.org). The Ichino Brugnatelli e Associati website can be accessed at www.ichinobrugnatelli.it.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.