Thanks to Alice Gogni for collaborating on this article.
A phishing incident is far more than an IT problem: it triggers a notifiable data breach, a potential disciplinary offence, and employer liability on multiple fronts — data protection, NIS 2 cybersecurity, and entity liability under Legislative Decree 231/2001. The recent Orders of the Italian Supreme Court No. 326/2026 and No. 23186/2025 (Ferrieri v. Unicredit) confirm that a breach of IT/security procedures, whether through the negligent execution of a fraudulent wire transfer or through unauthorised access to corporate systems, may constitute just cause for dismissal. This article examines the legal framework, the case law, and the practical steps that employers must take.
1. The triggering event: how an attack works and why it matters legally
The cyber threats facing businesses take different forms but share a common denominator: employee conduct is almost invariably the weakest link. Two scenarios warrant analysis:
- Classic phishing and spear phishing: The attack relies on e-mails impersonating trusted senders (a supplier, the CFO, a financial institution) to induce the recipient to click a link, enter credentials on a cloned page, or wire funds to a fraudulent account. In the BEC (Business E-mail Compromise) variant, the attackers compromise a genuine e-mail account and use it to issue payment instructions. The success of the attack hinges on the employee’s failure to follow the company’s verification protocols;
- Unauthorised access to IT systems: The employee uses his or her own credentials to access corporate data for no business-related reason. This is the scenario at the heart of Ferrieri v. Unicredit (Cass. No. 23186/2025): the access is “unauthorised” not because the credentials have been stolen but because their use falls outside the authorised scope.
Why both scenarios carry immediate legal consequences. In either case the following arise: (i) unauthorised processing of personal data, potentially qualifying as a personal data breach under Article 4(12) GDPR; (ii) non-compliance with the security measures required by Article 32 GDPR and by the NIS 2 Directive as transposed by Legislative Decree 138/2024; and (iii) a disciplinary offence. Overlooking even one of these planes exposes the company to separate and cumulative liabilities.
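As an added example that is not part of the original article, the following Python routine runs the checks a mail-security or accounts team would apply when triaging a suspected payment-request e-mail of the kind described above: an executive's display name on an external sender address, a look-alike sender domain, a Reply-To pointing to a different domain, and urgent payment language. The corporate domain, the executive roster and both sample messages are constructed. The second message models the BEC variant: it comes from a genuine, compromised mailbox, so every header check passes, which is exactly why the routine treats any payment instruction as requiring confirmation over a second channel whatever the indicators say.

```python
"""Triage checks for a suspected phishing or BEC payment request.

Added example: not code from the original article. The corporate domain,
the executive roster and the two sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.it"          # assumed corporate mail domain
EXECUTIVES = {"mario rossi": "chairman"}      # constructed roster of likely impersonation targets

PAYMENT_WORDS = ("wire", "transfer", "iban", "bonifico", "payment", "invoice")
URGENCY_WORDS = ("urgent", "immediately", "today", "confidential", "asap")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> dict:
    """Return the indicators found and whether out-of-band verification is required."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()

    indicators = []
    if display_name.strip().lower() in EXECUTIVES and from_dom != CORPORATE_DOMAIN:
        indicators.append("display-name spoofing: executive name, external sender domain")
    if from_dom != CORPORATE_DOMAIN and 0 < edit_distance(from_dom, CORPORATE_DOMAIN) <= 2:
        indicators.append(f"look-alike sender domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"Reply-To domain differs from From: {reply_dom}")
    payment_request = any(w in text for w in PAYMENT_WORDS)
    if payment_request and any(w in text for w in URGENCY_WORDS):
        indicators.append("urgent payment language")

    # In the BEC variant the mail comes from a genuine, compromised mailbox and
    # none of the header checks fire, so a payment instruction always requires
    # confirmation over a second channel (callback to a number already on file).
    return {
        "indicators": indicators,
        "payment_request": payment_request,
        "verify_out_of_band": payment_request or bool(indicators),
    }


# Constructed sample 1: classic spoof with a look-alike domain and a foreign Reply-To.
SPOOFED = """\
From: Mario Rossi <m.rossi@example-c0rp.it>
Reply-To: chairman.office@mail-example.com
Subject: URGENT wire transfer

Please execute the attached transfer today and keep it confidential.
"""

# Constructed sample 2: BEC from the chairman's genuine mailbox; no header anomaly.
COMPROMISED = """\
From: Mario Rossi <m.rossi@example-corp.it>
Subject: Supplier invoice

Please settle the attached supplier invoice by wire transfer. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED)):
        print(label, triage(raw))
```

The point of the second sample is the one the article makes about BEC: header heuristics catch the clumsy spoof, but a payment instruction from a real, hijacked account looks clean, so the control that actually matters is the verification procedure, not the filter.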
2. Dismissal for just cause: requirements, burden of proof, and proportionality
2.1 The regulatory framework
The legal basis for disciplinary dismissal rests on four provisions: Article 2104 of the Italian Civil Code (duty of diligence commensurate with the nature of the work); Article 2119 (termination for just cause where circumstances preclude the continuation of the employment relationship); Article 2106 (proportionality of disciplinary sanctions); and Article 7 of Law 300/1970 (procedural safeguards, including the employee’s right to be heard).
2.2 Gross negligence suffices: intent is not required
The Supreme Court’s case law is settled: a serious breach of IT/security procedures — even absent intent — may constitute just cause for dismissal. The gravity of the conduct must be assessed in light of Article 2119 of the Italian Civil Code, having regard to the impact on the fiduciary relationship and the purposes underlying the disciplinary rules (Cass. No. 326/2026; Cass. No. 23186/2025).
2.3 The phishing wire-transfer case (Cass. No. 326/2026) — detailed analysis
In Order No. 326 of 13 February 2026, the Court of Cassation upheld the dismissal for just cause of a long-serving administrative assistant in the accounts department who had processed a payment in response to a phishing e-mail purportedly sent by the company’s chairman without carrying out the verification checks required by ordinary professional diligence. The employee had the entire day to detect the deception: the real chairman had sent a warning e-mail as early as 01:22, and the bank could still have been instructed to block the payment, which would have prevented a loss exceeding €15,000. Following the disciplinary procedure, the company dismissed her on 8 September 2022. The employee challenged the dismissal before the Court of Tivoli; both the Court of First Instance and the Court of Appeal of Rome dismissed her claims.
The Supreme Court rejected all four grounds of appeal, holding that: (i) the absence of a formalised written procedure for foreign wire transfers was not decisive, since the employee had failed to fulfil her ordinary duties of prudence; (ii) the absence of specific phishing training was irrelevant, it being reasonable to expect that a long-serving specialist would exercise the caution required by ordinary diligence; (iii) the lower court’s decision not to obtain the criminal complaint did not constitute a failure to rule on the merits; and (iv) the proportionality of the sanction had been correctly assessed, the argument regarding the absence of intent being irrelevant given the gross negligence demonstrated. The ruling establishes a principle of considerable practical significance: the absence of specific training does not exempt a qualified employee from the minimum standard of professional diligence.
2.4 The unauthorised-access case (Cass. No. 23186/2025, Ferrieri v. Unicredit) — detailed analysis
In Order No. 23186 of 9 September 2025, the Court of Cassation upheld the dismissal for just cause of a bank employee who had repeatedly accessed (several hundred times over a period of months) the accounts and personal data of customers and colleagues without any business-related justification. The accesses were detected through the bank’s internal audit and logging systems. The employee argued that they had been motivated by mere curiosity and that no data had been disclosed to third parties. Both lower courts rejected these defences, holding that the unauthorised nature of the access depended on the objective absence of a legitimate business reason, and that the volume and duration of the conduct demonstrated a systematic disregard for the employer’s IT/security policies and confidentiality obligations.
The Supreme Court clarified three points: first, access to a corporate IT system is “authorised” only insofar as it is carried out within the limits defined by the employer’s security policies — any use beyond that scope breaches Article 2104 of the Italian Civil Code, irrespective of whether the employee holds valid credentials; second, the absence of data exfiltration or disclosure does not diminish the gravity of the breach, since the violation of trust is consummated by the mere act of unauthorised access; and third, in sectors subject to heightened regulatory obligations, the standard of diligence is correspondingly higher, and a systematic pattern of unauthorised access is inherently incompatible with the continuation of the employment relationship.
2.5 Proportionality of the sanction
The assessment of gravity is a finding of fact entrusted to the lower court (Cass. No. 16628/2004). The factors to be weighed include: the employee’s role and specialisation — sensitive functions call for a higher standard of diligence; the repetitive or systematic character of the conduct; the extent of actual or potential harm; the employee’s disciplinary record; and the degree of IT/security training received. Documented training strengthens the employer’s case; its absence may be invoked as a mitigating factor but does not, of itself, preclude a finding of just cause.
3. Training as the key element: prevention, compliance, and defence
3.1 Training as a regulatory obligation
Employee training in IT security is an obligation rooted in converging sources: Article 23 of Legislative Decree 138/2024 (NIS 2 transposition) expressly imposes it on essential and important entities; under Article 32 GDPR it is one of the organisational measures a controller is expected to adopt, and Article 39(1)(b) GDPR assigns awareness-raising and training of staff to the Data Protection Officer's tasks; and Legislative Decree 231/2001 treats it as a component of the 231 Model. The absence of a structured training programme exposes the entity to liability on each of these fronts.
3.2 Training as a defensive tool in disciplinary proceedings
Where the employee has received specific, documented, and periodic training on IT/security procedures (recognition of phishing, verification of payment instructions, prohibition of access to unrelated systems), the employer can demonstrate that the employee knew the rules breached, foreclose any defence based on ignorance, and lend greater weight to the gravity of the conduct for the purposes of proportionality.
Conversely, the absence of documented training weakens the employer’s position in the proportionality assessment, exposes it to proceedings before the Garante Privacy and the National Cybersecurity Agency (ACN), and strips the 231 Model of an essential element of effective implementation.
3.3 Minimum content of the training programme and phishing simulations
An adequate training programme must cover at least:
- recognition of phishing and social-engineering techniques;
- mandatory multichannel verification procedures for payment instructions (for example, confirming a new beneficiary or a changed IBAN by telephone to a number already on file, never to one quoted in the e-mail itself);
- rules governing access to IT systems: access permitted only for business-related reasons, with a prohibition on sharing credentials;
- internal incident reporting procedures;
- a minimum annual frequency, with additional sessions following incidents or regulatory updates; and
- documentation by means of a nominative register recording date, content, and attendance.
Phishing attack simulations are a complementary tool enabling the organisation to measure its exposure and calibrate training accordingly. Such simulations are compatible with the GDPR provided they are properly designed, with an adequate privacy notice and data minimisation, and, where integrated into the 231 Model, they bolster the evidence of effective implementation.
4. Conclusions
The two Orders converge on a single principle: gross negligence in the handling of IT/security obligations suffices to shatter the bond of trust and justify dismissal for just cause. The practical takeaway is threefold: first, invest in documented, periodic training — it is at once a regulatory obligation, a preventive measure, and the strongest card in any disciplinary proceeding; second, ensure that IT/security policies, access controls, and incident response procedures are formalised and integrated into the 231 Model; and third, act promptly when a breach occurs, since delayed or procedurally defective action risks undermining an otherwise well-founded case. As cyber threats grow in sophistication and regulatory expectations tighten, the annual review of the entire compliance architecture is no longer best practice: it is a necessity.