Judgment no. 2905 of 23 October 2024 offers important clarifications on the subject of abusive access to computer or telematic systems, addressing the issue of the security measures necessary for their protection. This topic is particularly relevant, given the exponential increase in cybercrime and the growing need to protect sensitive data.
In the judgment in question, the Court examined a case in which the defendant, D. G., was accused of abusive access to a computer system, specifically the Galileo system, reserved for members of the Agency for Internal Information and Security (AISI). The Court reiterated that, for the crime to be configured, the protection of the system need not consist solely of technical security measures; it can also consist of organizational measures.
Abusive access to a computer or telematic system - Security measures protecting the system - Organizational measures - Configurability of the crime - Existence - Case. For the purpose of configuring the crime of abusive access to a computer or telematic system, the protection of the system can also be adopted through organizational measures that regulate access methods, allowing it exclusively to authorized subjects for specific purposes or for the achievement of company goals. (In application of the principle, the Court correctly qualified the Galileo system as a computer or telematic system protected by security measures, even though it could also be used to search open sources, as it was reserved for members of the AISI for the performance of the Agency's specific purposes).
The Court therefore confirmed that the protection of a computer system can also be guaranteed through organizational measures. This is a crucial aspect, especially for companies and organizations that handle sensitive data. Organizational measures must be clear and well-defined, establishing who can access what information and under what circumstances.
Judgment no. 2905 of 2024 represents an important step forward in understanding the measures necessary for the protection of computer systems. The Court of Cassation has clarified that implementing technical solutions is not enough: it is also essential to adopt organizational procedures capable of ensuring controlled and secure access. Staff awareness and training are therefore key elements in preventing the crime of abusive access, making organizations more resilient to cyber threats.