How do we know he did not have legitimate access?
I mean, what if he was an administrator?
I accept that the data should have been encrypted and the keys held only by those authorised; however, trying to get a non-techie to adhere to this kind of security policy is difficult, often futile.
So as a failsafe, to make sure somebody could still access it all when the suits / generals had forgotten the keys, they let the IT dept have a key also.
Let's be honest, anyone that runs an email server can access all of the inboxes in there.
I bet there are thousands of people here who have been able to look at sensitive company documents because they are the IT people.
Who watches the watchers?