Supreme Court of Lithuania (cassation) – 15 February 2023 – No 2K-27-976/2023

In 2020, a former employee of a company accessed several times, from home, the company’s document management system SharePoint and his (former) email account, which was not deactivated, without the consent of the company. He thereby unlawfully accessed and monitored non-public electronic data uploaded to the system, which contained information on the operational and strategic indicators of the company’s management, budget and sales plans.

On 15 February 2023, the Supreme Court convicted the defendant under Article 198(1) CC and Article 198/1(1) CC of having unlawfully accessed an information system and unlawfully monitored non public electronic data. The defendant appealed against the ruling, arguing that the court should have found that the offences were of minor relevance. First of all, the defendant had been providing services to the company for several years, and was therefore generally aware of the content of the electronic documents uploaded to the system.

Secondly, following the termination of the employment of the defendant, the company did not delete his Microsoft account, and he did not conceal the fact that he had access to it. Finally, the company had not made any claims regarding the removal or alteration of electronic data, and no damage had been caused to it. Based on Article 37 CC, a perpetrator of an offence may be exempted from criminal liability if the extent of the damage, the subject matter of the offence or any other specific features of the offence render the offence to be of minor relevance.

Also, in accordance with case-law, in cases where an act does not substantially cause damage to social relations or other legal goods protected by criminal law, or does not give rise to a real risk of such damage, it shall be regarded as insignificant to the values protected by that law (i.e. it shall be recognised as being of minor relevance). The court has clarified, through its case-law, that unlawful access to an information system cannot, as a general rule, be regarded as insignificant, especially if such access has enabled the commission of other illegal acts in the system.

The fact that no civil action has been brought does not in itself diminish the gravity of the offence. The court therefore concluded that the acts could not be considered as being of minor relevance, as the defendant had unlawfully accessed the system more than 60 times and subsequently viewed (downloaded) non-public electronic data, some of which were also altered.