


Unauthorized Access and Monitoring of Corporate Email: When Accessing a Company System Becomes a Crime

published on 25 June 2025 | reading time approx. 5 minutes


A former administrator gained unauthorized access to colleagues' electronic correspondence, consulting confidential communications and interfering with company monitoring systems. The Court of Cassation, a reference point on a crucial issue for the business world, clarified: having credentials does not mean having carte blanche.

The Court of Cassation, Fifth Criminal Section, with judgment no. 542 of June 20, 2025, addressed a very interesting case revolving around the improper use of IT tools by a former company administrator. The case arose from the conduct of the latter, who, despite having technical permissions to access company IT systems, used these authorizations to enter the email accounts of colleagues and collaborators, reading confidential emails, some containing sensitive information. The judges confirmed that, even if one has credentials to access a system, the purpose of the access is crucial: if access is for personal reasons and not for work, it may constitute a crime.

This principle was already established by the Court itself in 2017, in the well-known "Savarese" judgment (Cass., SSUU, judgment of May 18, 2017), where it was ruled that accessing a company IT system is a crime even when the person has formal authorization, if done for purposes unrelated to their work activity (Article 615-ter of the Criminal Code).

In the case examined, the former administrator had downloaded over 1,500 email messages and directly read almost a hundred, many of which contained discussions between other employees of the company and their lawyers. According to the judges, there was no concrete reason to suspect illicit behavior by the senders or recipients of those emails that could justify, even potentially, the systematic access and reading of the messages in question. For this reason, the defendant's activity was considered a violation of privacy and not a legitimate control carried out in the interest of the company.

Generally speaking, privacy regulations may, under certain circumstances, consider so-called defensive systems admissible. These are controls, including through technological tools, carried out by the employer to protect company assets or information or to prevent unlawful conduct, where there is a well-founded suspicion of an offense. A proper balance must be ensured between the need to protect company interests and assets, which is tied to the freedom of economic initiative, and the essential protection of the worker’s dignity and privacy, and the control must concern data acquired after the suspicion arises.

In Italy, the law allows the employer to monitor company tools, but only under certain conditions. These controls must be justified, proportionate, and never overly invasive. Furthermore, they must be communicated to employees, at least in a general form. In particular, according to the territorial Court, the controls were unlawful as they violated the principles of proportionality and reasonableness in the processing of employees’ personal data, as expressed by the Data Protection Authority as early as 2007 and in connection with the introduction of Legislative Decree 151/2015. The established regulations and case law do not allow for massive, prolonged, and indiscriminate monitoring of employee activity.

In this specific case, the Court of Cassation held that the actions of the former administrator violated not only these rules but also the right to the secrecy of correspondence, as provided by Article 616 of the Criminal Code. It was clarified that reading others’ emails, even if one has technical access, can constitute a crime when there is no real work-related reason.

Another aspect discussed concerns a modification made by the defendant to a company program that tracked IT activities, with the aim—according to the judges—of leaving no trace of his actions. Although this modification was technically reversible, it effectively prevented the system from functioning normally for several months, making it inaccessible to others. The Court of Cassation established that a temporary but significant alteration of the system can aggravate the crime, as provided by the second paragraph of Article 615-ter.

The defendant was also ordered to reimburse the company for the costs incurred for the technical investigation that led to the discovery of his activities. His lawyer argued that those costs were related to a defensive investigation, not to actual damage. However, the Court reiterated that when the company is forced to hire experts to determine whether unlawful conduct occurred, and these investigations confirm the crime, the costs are considered direct damage, compensable under Article 185 of the Criminal Code.

Finally, the former administrator requested not to be punished, claiming that the act was of minor significance. Indeed, there is a rule—Article 131-bis of the Criminal Code—that allows for avoiding conviction when the crime is particularly minor. But the Court also rejected this request: it emphasized the seriousness of the privacy violation, the number of messages read, the duration of the deactivation of the monitoring system, and the absence of signs of remorse or cooperation after the events.

For these reasons, the Court of Cassation confirmed the conviction, rejecting all grounds for appeal and ordering the defendant to pay court costs.

The judgment teaches us, therefore, that:
  • Having credentials to access a company IT system does not mean being able to use it for personal purposes. Doing so constitutes a crime (Art. 615-ter Criminal Code);
  • Monitoring colleagues’ email is only lawful in exceptional cases, in compliance with the principles of proportionality and reasonableness in the processing of personal data, with valid reasons and respect for privacy and confidentiality. If these conditions are not met, the crime of violation of correspondence may also arise (Art. 616 Criminal Code);
  • Judges do not apply non-punishability for “minor acts” if the violation is extensive, repeated, or particularly harmful to employees’ privacy (Art. 131-bis Criminal Code).

author

Silvio Mario Cucciarrè, LL.M.

Attorney at law (Italy)

Associate

Martina Ortillo

Attorney at law (Italy)

Associate Partner
