The Bottom Line
- Insider Threats Go Beyond Employees: This case highlights that anyone with legitimate but limited access to company devices—including partners, contractors, or even family members using a work laptop—can become an insider threat if they exceed their authority.
- Device-Level Security Isn’t Enough: Relying on a single laptop password to protect sensitive applications like corporate email is a critical vulnerability. This opinion underscores the need for layered security, such as multi-factor authentication for key services.
- Prosecution Hinges on Technical Precision: For businesses seeking to prosecute data breaches, this case is a reminder that legal charges must be technically precise. Proving how a system was accessed is as important as proving that it was accessed.
The Details
A recent advisory opinion from the Advocate General (AG) at the Dutch Supreme Court provides a critical lesson on the nuances of computer trespass, particularly in situations where the lines of authorized access are blurred. The case involved a woman who, while on holiday, used her ex-husband’s laptop—provided for their daughter to watch videos—to access his email account. She proceeded to read, forward, and delete emails and files. The lower court convicted her of computer trespass, ruling that her unauthorized use of the email address amounted to breaking in with a false key under the Dutch Criminal Code.
The concept of a false key in Dutch cybercrime law is interpreted broadly and is highly relevant for corporate security policies. It extends beyond stolen passwords or hacking tools. As established in previous landmark cases, even an employee using their own valid login credentials to access systems for a purpose outside their job function can be deemed to be using a false key. The “falseness” comes not from the key itself, but from the unauthorized intent and purpose of its use. This principle effectively criminalizes the misuse of otherwise legitimate access, a cornerstone of combating internal data theft and corporate espionage.
In this instance, however, the AG identified a crucial technical distinction. The evidence showed that the laptop’s password was the sole security barrier; once the device was unlocked, the email program was open and accessible without a separate login. Therefore, the “key” to the system was the laptop password, not the email address. The prosecution had incorrectly identified the email address as the false key used for intrusion. While the AG concluded that the woman’s conviction for unauthorized access should stand—as she clearly acted without permission—the opinion serves as a powerful reminder for legal and executive teams. In the world of cybercrime, the devil is in the details. A successful prosecution requires not just proving a breach occurred, but precisely demonstrating the method of intrusion.
SOURCE: Advocate General at the Supreme Court of the Netherlands
