“Violates the employer’s directives (even if implicit, but clear) the employee who, although in a hierarchically superior position to the holder of the access credentials to a company’s IT system, has them revealed in order to gain access without specific authorization: the protection of data through access credentials alone is sufficient to make such directives clear”. This has been established by the Supreme Court of Italy, Criminal Section V, no. 40295/2024.
The case
An employee of a hotel in Chianciano Terme (Italy) had requested from another employee, directly subordinate to him, the access keys to the company’s IT system for the storage and promotional purposes of the customer database, which included about 90,000 individual records, accessing it for purposes unrelated to the mandate received. In the first two levels of judgment, was established the commission of the crime of «Unauthorized access to an IT or telematic system», under Article 615-ter, paragraph 1, of the Italian Penal Code.
The employee appealed to the Italian Supreme Court, claiming that it was not an abuse access, both because he had the power «in his capacity as director and superior manager of the employee» from whom he had requested for the credentials, «also for the purpose of supervising her work» and because until shortly before, he had a personal and direct access to those data.
The position of the Supreme Court
The Supreme Court of Italy ruled that the offence of unauthorized access to IT systems (under Article 615-ter, paragraph 1, of the Italian Penal Code) also occurs in the case of a hierarchical superior using the access credentials provided by the employee.
The judges of the Italian Supreme Court did not find convincing the appellant’s argument that relied on his power to access any company location in order to carry out checks on those hierarchically subordinate to him. In the case of an IT system protected by credentials, the Court pointed out that «each authorized person has his/her own ‘key’ (i.e., the access credentials)». «This is because it is data which, quite simply, the owner considers should be protected, both by limiting access to those who are provided with such credentials and, at the same time, by ensuring that a digital trace is left of the individual access and of who carries them out ».
It is therefore incorrect to hold that the defendant «solely by virtue of his duties, automatically had the power to access data that, on the other hand, according to the employer’s discretionary assessment, were to remain available only to certain employees (even if subordinate to the appellant) »
Moreover, by doing so, the appellant made it «falsely appear that the access had been made by the employee who, imprudently, had revealed her credentials to him».
Other related insights:
