On June 20th, the Supreme Court filed judgment no. 23158, affirming that administrative access used for unauthorized activities involving employees’ e-mail accounts constitutes the offences of unauthorized access to an IT system and violation of correspondence.
Background of the case
The defendant, an administrator and operator of an IT system used by the company he worked for, had been convicted of two offences: unauthorized access to an IT system, for unlawfully entering the system in order to gain knowledge of an employee's confidential correspondence in a massive, prolonged, and indiscriminate manner; and violation of correspondence, for unlawfully obtaining knowledge of its contents.
The petition before the Court of Cassation
The defendant filed an appeal, arguing that he was authorized to access the system by virtue of his role as system administrator, and that the e-mails had been filtered according to a specific and proportionate temporal criterion, aimed at carrying out a legitimate control activity.
With regard to the aggravating circumstance of the alteration of the IT system, the defendant argued that the deactivation of the specific component had no impact on the IT system, did not compromise its functionality, and did not render it temporarily unfit for operation. In fact, it did not concern an essential component of the IT system, but merely an ancillary service used by system administrators, the deactivation of which would not have altered the functioning of the IT system in any way.
With regard to the offence of violation of correspondence, the defendant argued that the reasoning was merely apparent, as it failed to provide an explanation of the conduct as it actually occurred.
The Court of Cassation’s assessment
The Court of Cassation observed that employers are allowed to carry out monitoring activities, including technological controls, aimed at protecting assets unrelated to the employment relationship or at preventing unlawful conduct. However, certain requirements must be met: a well-founded suspicion of the commission of an unlawful act; a proper balance between the protection of corporate interests and assets and the employee’s right to dignity and privacy; and, finally, the monitoring must concern data acquired only after the suspicion has arisen.
The Supreme Court therefore found that, in the present case, the defendant had not complied with these requirements, as the access to corporate e-mail accounts concerned not only the victim but also another individual, with 1,542 messages downloaded and 97 viewed. Accordingly, the Court deemed the access lacking in both reasonableness and proportionality, and concluded that the purposes pursued were of a strictly personal nature, unrelated to any corporate interest.
The rule of law regarding the crime of unlawful access to an IT system
The Supreme Court highlighted that the offence of unauthorized access to an IT system is committed by a person who, although formally authorized and not in breach of the technical or procedural rules set by the system owner to restrict access, accesses or remains within the system for purposes that are fundamentally unrelated to those for which the access was granted.
The aggravating circumstance of damage to the IT system
The Court of Cassation further clarified that the aggravating circumstance of damage to the IT system is applicable in cases where the access password to an e-mail account and its recovery credentials are altered, as such actions result in the modification of an essential component of the IT system, rendering it temporarily unfit for operation.
The violation of correspondence
The Supreme Court further clarified that, in the case of unauthorized access to an e-mail account protected by a password, the offence of unauthorized access to an IT system is applicable and may concur with the offence of violation of correspondence, with regard to the acquisition of the contents of the e-mails stored in the account.
The ruling on the appeal
The Court dismissed the appeal and ordered the appellant to pay the legal costs.
The law firm Dal Pozzo in Milan provides legal assistance to private individuals, public entities, and businesses, including matters related to cybercrimes.