Emailing Confidential Data To Colleagues May Be Criminal Offence

the following case is a salient lesson for all employees of all jersey firms but especially those in financial institutions (or those in large organisations)

Under the GDPR, employers, as data controllers, must take appropriate security measures to ensure the availability and integrity of information systems and data, including preventing misuse that may give rise to liability.

The story

1. An employee of a major international banking group asked a colleague for some confidential data relating to the current accounts of certain bank customers (ie, account holder names and balances).
2. The employee did not have access to these confidential data, which were instead available to a colleague employed by the same credit institution.
3. The colleague, using the email account that the bank had assigned to him, sent the said information, laid down in an Excel file, to the employee.
4. The bank reported the employee’s conduct to the competent authorities.

The case and guilty judgement

1. At the end of the first-instance legal proceedings the employee was found guilty of the offence referred to in Article 615-ter of the Criminal Code, and liable to the bank under civil law.

The appeal

1. The employee appealed against this judgment.
2. Milan Court of Appeals revoked the first-instance judgment and exonerated the employee from the crime referred to in Article 615-ter  of the Criminal Code (because it was statutory barred), whilst the civil liability to the bank was confirmed.
3. According to Milan Court of Appeals, the employee’s liability had arisen from his involvement with his colleague, who had actually sent the confidential data through the bank’s protected computer system.
4. On 8th January 2019, the Criminal Court of Cassation confirmed the judgment of the Court of Appeals of Milan.

The courts view

1. As the Court of Cassation stated, even subjects entitled to access certain data can commit a criminal offence if they use these data in an improper manner (i.e. contrary to the instructions given by the system’s owner).
2. Moreover, an authorization to access a computer system for certain purposes does not permit the access for other reasons than those expressly indicated thereby.

SUMMARY

1. In the case at hand, having ascertained that there were practices and policies at the bank in question whereby confidential data concerning customers belonging to a certain department were accessible only to the employees of that department and not to members of other departments, the Court concluded that the transmission of data from an employee authorized to access such data to an employee without authorization through the bank’s computer system constituted an offence under Article 615-ter  of the Criminal Code, since these operations were not permitted by the employer (the owner of the computer system) and were therefore carried out by means of an unauthorized use of its computer system.
2. In addition to the criminal consequences of such conduct, it exposes data controllers to potentially serious violations of the EU General Data Protection Regulation (GDPR) (2016/679). For example,
   1. in the case under review, the employee had the file in question sent to his private email address.
3. Under the GDPR, employers, as data controllers, must take appropriate security measures to ensure the availability and integrity of information systems and data, including preventing misuse that may give rise to liability.

Please click here to read original article