Recognition of the importance of the secrecy related to usernames and passwords and compliance with IT security measures is one of the issues arising out of a recent decision of the Italian Supreme Court (Corte di Cassazione, sez. Lavoro, n. 19554/2005). According to this decision the, violation of the general obligations imposed on employees to keep strictly confidential the password to access a company’s IT system, even by disclosing such password to other employees, is considered a just cause for dismissal.
An Italian company ascertained during some controls on access to its LAN that the user credentials of one of its employees had been used for several remote accesses to the LAN through a telecommunication connection originating in a place very far away from the place where the company had its premises, and at the same time as the user credentials were in use at the company. This remote access also continued after the date on which the employee, whose user credentials were improperly used (employee A), changed his password.
It was ascertained that the remote access was made through the telecommunication connection held by the wife of a former employee of the company who used to work in close contact with employee A and who had been recently dismissed (employee B). It was also proved that, after the change of employee A’s password, the remote access to the LAN continued (by using the recently changed password) as soon as employee A and employee B had had a chance to have a phone conversation.
The company consequently dismissed employee A for the violation of his obligations of confidentiality, diligence and loyalty to the employer.
The dismissal was challenged before the competent Italian Court which rejected each of the justifications given by employee A. The decision of the Court was very practical and consistent with the IT security solutions currently in use: it was considered impossible that the system administrator could have accessed the system to obtain the password of employee A for its disclosure to employee B. In fact the system automatically assigns a password to each new employee who must change it at his/her first access. Should the system administrator disable the user’s password, the user would be alerted at his/her first subsequent access since the system could not log him/her into the LAN. This did not happen.
It was also extremely unlikely, according to the Court, that another employee of the company could detect employee A’s password, since the physical position of employee A in the office ensured that nobody could see employee A’s keyboard. Needless to say that it was extremely that the password could be known by employee B simply by guessing it: in fact the security system required that each password was of no less than six characters and no more than thirty-two and contained alphanumeric characters.
In light of the above the Supreme Court confirmed the lawfulness and proportionality of the sanction (i.e. dismissal) since the disclosure of the credentials is to be considered as disclosure of data, enabling third parties to access confidential information of the company.
Importance of strong security measures
Independently from employment issues, we would like to emphasise the real importance for companies to implement strong security measures, including physical and organisational measures (e.g. a proper layout of the seats in each office), but mainly IT measures.
It is clear that, unless the company had a strong implemented security policy and equipment for the control of access to its information system, important information belonging to the company (know-how, manufacturing processes, industrial plans and other reserved data) could have been improperly disclosed causing significant damages to the company from a confidential information and trade secrets, as well as under the data protection perspective.