Company policy fixes this.
If there is a policy saying 'you are expressly not authorised to use your knowledge of the company or its IT systems, including any passwords or other methods allowing you to access corporate systems to do X, Y,Z'.
Then this not only makes the case for civil lawsuits simpler, but makes it clear that any access doing those things is unauthorised, and brings in the referred to law on unauthorised access, making it a criminal act, simply because the defence "my company authorised me" goes away.
Biting the hand that feeds IT
