The Computer Misuse Act 1990

Legal Briefing by Roger Sahota

 

The Computer Misuse Act 1990 captures a wide variety of cybercrime offences, including most cyber-dependent crimes as well as many cyber-enabled crimes.

The Computer Misuse Act is far reaching and prosecutions with an international element can be brought under the legislation if there is “at least one significant link with the domestic jurisdiction” in England and Wales. In practice this could mean an Accused may be prosecuted if the offending conduct passed through a server based in this jurisdiction or even if the offending began abroad but the target was based here.

Section 1 Computer Misuse Act – the “Unauthorised Access” Offence

The most commonly charged Computer Misuse Act provision is the section 1 offence which criminalises “unauthorised access” to a computer system defined as:

where a person causes a computer to perform any function with intent to secure unauthorised access to any program or data held on that computer.

The wording of the offence is deliberately broad to catch a wide spectrum of conduct, so the offence can be triggered whenever “unauthorised access” to a computer system is alleged. It can therefore cover most hacking offences and also cases where, for example, an employee accesses their company database to view confidential information, or where disruption or damage is caused to the functioning of a computer or network by malware, viruses, trojans, worms, spyware or denial of service (DOS) or distributed denial of service (DDOS) attacks.

The section 1 offence is also relatively easy to prove in comparison to the other Computer Misuse Act offences.

To be guilty of this offence it must be shown that an offender intended “to secure access to any program or data held in any computer” knowing at the time that the access intended to be secured was unauthorised.

As for when the accessing of a computer can be said to be “unauthorised”, the guidance from case law is mixed. The issue often arises when this Computer Misuse Act offence is prosecuted against employees. A defence often raised by defendants, normally employees, is that their conduct was not “unauthorised” because they had permission to access specific data on a computer or network. To determine the limits of an employee’s authority, the courts will refer to any relevant documentation or evidence, for example the accused’s contract of employment, together with any other information available such as the company’s IT policies.

The section 1 charge is designated as an either way offence and carries a maximum sentence of two years imprisonment – a lower maximum sentence than other Computer Misuse Act charges.

Section 2 Computer Misuse Act offence – “Unauthorised Access for Gain”

This is an enhanced version of Section 1 of the Computer Misuse Act 1990 which makes it an offence to commit the section 1 “Unauthorised access” offence with an extra ingredient i.e. with the intent to commit or facilitate the commission of a more serious further offence.

This could apply, for example, where an accused gains unauthorised access to a victim’s email account and persuades the victim to divert funds to another account – the unauthorised access would then be said to be committed with intent to commit fraud.

The Section 2 offence carries a higher maximum sentence of five years imprisonment in comparison to the two year maximum for the section 1 offence.

Section 3 Computer Misuse Act Offence – Unauthorised Access Impairing the Operation of A Computer

Section 3 of the Computer Misuse Act creates a further offence with the same ingredients as the section 1 offence with the addition of a new element, i.e. where someone obtains unauthorised access to a computer “intending or being reckless as to whether the conduct causes” any of the following consequences:

• to impair the operation of a computer

• to prevent or hinder access to any program or data held in any computer

• to impair the operation of any such program or the reliability of any such data

The Crown Prosecution Service guidance for the prosecution of Computer Misuse Act offences states that the section 3 offence should be considered in cases involving Distributed Denial of Service Attacks (“DDOS”).

The CPS guidance goes on to define a DDOS as follows:-

“where the attack source is more than one, and often thousands of, unique IP addresses. A common method is to flood an internet server with so many requests that they are unable to respond quickly enough. This can overload servers causing them to freeze or crash, making websites and web-based services unavailable to users.”

The maximum penalty for the section 3 offence is 10 years imprisonment.

Section 3ZA Computer Misuse Act 1990

A new Computer Misuse Act offence was introduced in 2015 (by way of section 41(2) of the Serious Crime Act 2015). The s3ZA Computer Misuse Act offence is another enhanced version of the section 1 offence that is triggered where it can be shown that the “unauthorised access” causes direct damage to critical national infrastructure.

The section 3ZA offence carries a maximum of 14 years imprisonment and caters for cases when the ten-year maximum for the section 3 offence might be considered too low.

Section 3A Computer Misuse Act Offence – Articles for Use in Hacking

The Section 3A Computer Misuse Act offence has a maximum sentence of two years imprisonment and is aimed at offenders who can be proved to

“make, adapt, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA.”

It is aimed at offenders who offer or supply instruments used in the commission of a section 1, 3 or 3ZA offence such as hacking activity – for example programs that can be used to break in or compromise computer systems.

Data Protection Act 2018 Offences

There is some overlap between the Computer Misuse Act offences and other offences often charged as cyber-enabled crimes.

Where a Computer Misuse Act offence is charged it will often be accompanied by charges under section 173 of the Data Protection Act 2018, which criminalises the knowing or reckless obtaining or disclosing of personal data without the consent of the person concerned.

See BSQ’s guidance on offences under the Data Protection Act here.

Sentencing

The Sentencing Guidelines Council has not provided any definitive guidelines for Computer Misuse Act offences. A selection of the main sentencing cases follows below and they provide a useful summary of sentencing practice in the area. A regularly updated guide to the most recent Computer Misuse Act prosecutions is also available at https://www.computerevidence.co.uk/Cases/CMA.htm

R v Mangham [2012] EWCA Crim 973, [2013] 1 Cr App R (S) 11 (62) provides general guidance on the factors to be taken into account when sentencing in Computer Misuse Act cases. A sentence of eight months imprisonment imposed by Southwark Crown Court was substituted with four months imprisonment by the Court of Appeal, who also issued guidelines on the aggravating features that should be considered in these types of cases. Mangham had pleaded guilty to downloading confidential data from Facebook which did not include personal data but which cost the company $200,000 to remedy. He pleaded guilty to offences contrary to section 1 and section 3 of the Computer Misuse Act. The Court of Appeal identified the following aggravating features in computer misuse cases:

(i) whether the offence was planned or persistent,

(ii) the nature of the damage caused to the system and to the wider public interest,

(iii) motive (including revenge) and extent of gain by the offender, and

(iv) whether the information had been passed on to others.

(v) The value of the intellectual property involved may also be relevant to sentencing.

Among the mitigating factors the psychological profile of the offender would be important.

DDOS Attacks

R v Mudd [2017] EWCA Crim 1395, [2018] 1 Cr App R (S) 7 (33). Having pleaded guilty to offences contrary to section 1 and section 3 of the Computer Misuse Act, a 17-year-old offender was sentenced for creating a distributed denial of service program which he then sold on and which was widely used – over 500,000 domain names and IP addresses were targeted and 1.7 million DDOS attacks carried out. The Court of Appeal reduced the sentence imposed from two years in a young offenders institution to 21 months, noting that the defendant had been diagnosed with autism.

In R v Martin [2013] EWCA Crim 1420, [2014] 1 Cr App R (S) 63 (414) a sentence of two years imprisonment was upheld by the Court of Appeal in relation to an offender who was accused of orchestrating DOS attacks against websites owned by Kent police and the Oxford and Cambridge universities. Martin pleaded guilty to Computer Misuse Act offences under sections 1, 2, 3 and 3A. The court noted that for offences on this scale, sentences would be measured in “years, not months.”

Cyber fraud

R v Brown (Charles) [2014] EWCA 695 concerned an offender who had obtained access to online bank accounts and customer bankcards with PIN numbers. Around 83 accounts were accessed. While there was no loss to any of the account holders the potential loss was assessed at 200,000. The Court of Appeal substituted a sentence of two years imprisonment for that imposed in the Crown Court of three years.

Cyber bullying

In R v Crosskey [2012] EWCA Crim 1645, [2013] 1 Cr App R (S) 76 (420), having gained unauthorised access to the Facebook account of an actress and her stepfather, the offender tried to sell this information on to other publications. He pleaded guilty to offences contrary to sections 1 and 3 of the Computer Misuse Act and was sentenced to 12 months custody at Southwark Crown Court. The Court of Appeal substituted a sentence of eight months imprisonment.
