INFORMATION TECHNOLOGY
Supreme Court of Cassation: the crime of unauthorised access to the computer system also includes access by the manager using the employee's credentials.
The manager of a hotel acquired from a female collaborator access credentials to the company's protected computer system for the storage and management for promotional purposes of the customer base comprising approximately 90 thousand individual cards, accessing it for purposes unrelated to the mandate received.
The Supreme Court intervened on the matter. The appellant argued that in his capacity as director and superior of the employee he was entitled to ask for her credentials, also for the purpose of controlling her work, and further pointed out that shortly before, he had first-hand access to that data. For the Court, that fact is irrelevant.
The Court states that in the case of a computer system protected by credentials, each authorised person has his own personal ‘key’. That is because it is data which, quite simply, the owner considers must be protected, both by limiting access to those who are provided with those credentials and, at the same time, by ensuring that a digital trace is left of the individual accesses and of who carries them out.
It is wrong to take the view that, in the present case, the director alone, by reason of his duties, automatically had the power to access data which, on the other hand, according to the employer's discretionary assessment, were to remain available only to certain employees, however subordinate to the applicant. The latter gained access to a database for which he did not have the credentials and, moreover, falsely claimed that the access was carried out by the employee who had unwittingly revealed his credentials to him.
In conclusion, the Supreme Court states that ‘an employee who, although in a hierarchically superordinate position with respect to the holder of access credentials to a company computer system, reveals his credentials in order to gain access to it without having specific authorisation, infringes the employer's directives (even if implicit, but clear), since the very protection of data by means of access credentials is sufficient to make such directives manifest’.
The Supreme Court intervened on the matter. The appellant argued that in his capacity as director and superior of the employee he was entitled to ask for her credentials, also for the purpose of controlling her work, and further pointed out that shortly before, he had first-hand access to that data. For the Court, that fact is irrelevant.
The Court states that in the case of a computer system protected by credentials, each authorised person has his own personal ‘key’. That is because it is data which, quite simply, the owner considers must be protected, both by limiting access to those who are provided with those credentials and, at the same time, by ensuring that a digital trace is left of the individual accesses and of who carries them out.
It is wrong to take the view that, in the present case, the director alone, by reason of his duties, automatically had the power to access data which, on the other hand, according to the employer's discretionary assessment, were to remain available only to certain employees, however subordinate to the applicant. The latter gained access to a database for which he did not have the credentials and, moreover, falsely claimed that the access was carried out by the employee who had unwittingly revealed his credentials to him.
In conclusion, the Supreme Court states that ‘an employee who, although in a hierarchically superordinate position with respect to the holder of access credentials to a company computer system, reveals his credentials in order to gain access to it without having specific authorisation, infringes the employer's directives (even if implicit, but clear), since the very protection of data by means of access credentials is sufficient to make such directives manifest’.
