I recently advised in a case where a lady, who faced marital difficulties, accessed her husband’s private e-mail account in order to view his emails in order to see if he was having an affair. It came as a surprise to her that what could be seen as mere snooping, can in fact amount to a serious criminal offence.

The case highlighted to me how crucial it is to understand the legal boundaries of cyber activity. The Computer Misuse Act 1990 was brought in by government to tackle cyber-crime and is a powerful tool in the prosecutor's arsenal. It does however raise important questions about intent, security, and digital rights. In this rough and ready guide to the Act, I will outline the key offences, looking at the law in practical terms. I should highlight that there are textbooks written on this subject and the below should not be taken to be a comprehensive guide to what is a very practical very extensive error of law. If you have queries in respect of this then it is advisable to seek specialist legal counsel at the earliest opportunity.

Overview of the Computer Misuse Act 1990

The Computer Misuse Act 1990 was introduced to criminalise unauthorised access to computer systems and data. The Act primarily covers hacking, fraud, and cyberattacks and establishes penalties based on the severity of the offence.

Key Offences under the Computer Misuse Act

Unauthorised Access to Computer Material (Section 1 Computer Misuse Act 1990)

This offence is committed when a person:

•              Intentionally accesses a computer system.

•              Lacks authorisation to access the system.

•              Knows that their access is unauthorised.

I gave an example of this in the introduction- Hacking into an individual’s email account without permission. The penalties for this offence upon conviction are upon summary conviction in the Magistrates Court: Up to 12 months imprisonment or a fine. Upon conviction on indictment in the Crown Court: Up to 2 years imprisonment or a fine.

Unauthorised Access with Intent to Commit or Facilitate Further Offences (Section 2 Computer Misuse Act 1990)

This offence applies where unauthorised access is used to commit a secondary crime (e.g., fraud, identity theft). An example of this could be accessing a company’s database to steal credit card details. Penalties upon conviction can be upon summary conviction: Up to 12 months imprisonment or a fine and upon conviction on indictment: Up to 5 years imprisonment or a fine.

Unauthorised Acts with Intent to Impair, or Recklessness as to Impairing, the Operation of a Computer (Section 3 Computer Misuse Act 1990)

This offence criminalises deliberate or reckless interference with a computer system, even if unauthorised access is not obtained. An example of this offence is launching a Distributed Denial of Service (DDoS) attack to disrupt a website. Penalties upon conviction can be upon summary conviction: Up to 12 months imprisonment or a fine and upon conviction on indictment: Up to 10 years imprisonment or a fine.

Unauthorised Acts Causing, or Creating Risk of, Serious Damage (Section 3ZA Computer Misuse Act 1990)

This is a very serious offence under the Act and the section applies to cases where a cyberattack causes serious harm to:

•              Human welfare.

•              The economy.

•              National security.

•              The environment.

An example of this offence would be hacking into a power grid and shutting down energy supplies. This offence is Sufficiently serious that it can only be heard in the Crown Court. Penalties are severe and upon conviction on indictment can be up to 14 years imprisonment or, in cases affecting national security, life imprisonment.

Making, Supplying, or Obtaining Tools for Cybercrime (Section 3A Computer Misuse Act 1990)

This offence covers the creation, distribution, or possession of hacking tools intended for committing cyber offences. An example of the offence would be selling software designed to steal passwords or bypass security. Penalties upon conviction can be upon summary conviction: Up to 12 months imprisonment or a fine and upon conviction on indictment: Up to 2 years imprisonment or a fine.

Defences to Computer Misuse Act offences

It is always difficult to outline potential defences too criminal offences, as much will depend upon the factual basis of the alleged offence. Obviously, the prosecution must prove each element of the offence beyond reasonable doubt, and often success can be gained in forcing the prosecution to prove their case and seeking to undermine the elements of the offence. While the Computer Misuse Act 1990  is broad in scope, It is possible to outlined some broad defence principles which include:

Authorised access: If permission was granted, the act is not criminal. This can be a matter of fact as to whether an individual is granted either formal or informal permission to access the system. A classic example of permission would be a System Administrator or a penetration tester, who would have explicit permission to access security vulnerabilities in a computer system and would therefore have authorised access within the remit granted to them. It is worth noting however, that just because an individual is granted access to a system this does not mean that they have unfettered right to access all the information. There are a number of high profile examples of police officers, who have the rights to access the police national computer facing prosecution due to them accessing the computer to gain information that was not necessary in the course of their employment.

Intent is a specific element of each of the offences under the Computer Misuse Act 1990, if the prosecution cannot prove The requisite intent beyond reasonable doubt then the defendant would be entitled to be acquitted of the offence.

Accidental access: If a system is accessed unintentionally, liability may be reduced. For example if an individual inadvertently enters the wrong credentials due to an auto complete error, this may not constitute a crime.

It is worth noting that our courts have generally taken a strict stance on cybercrime, particularly in cases involving financial harm or threats to national security (see the case of Mangham [2012] EWCA Crim 973).

Enforcement and Recent Developments

Due to a rise in cybercrime, UK enforcement agencies have intensified efforts to combat digital offences. The National Crime Agency (NCA) and National Cyber Security Centre (NCSC) play a key role in investigating and preventing cyber threats. Additionally, legislative amendments continue to modernise the Computer Misuse Act 1990 to keep pace with evolving technology.

Final Thoughts

In my experience the Police and Crown Prosecution Service were relatively slow in adopting prosecutions under the Computer Misuse Act 1990. They often sought a specific underlying fraudulent motive before they would consider a prosecution. I have however seen a marked increase in the number of standalone prosecutions taken under the Act in recent years, it appears that the message from above is getting through, that prosecutions can, and should be brought when offences of this sort are committed.

For those facing allegations under the Computer Misuse Act 1990, seeking expert legal representation is advisable.

Quentin Hunt is a specialist criminal defence barrister who is an expert in defending prosecutions under the Computer Misuse Act 1990. He accepts instructions both through solicitors and from members of the public directly. He is particularly adept at taking on cases at the pre charge stage in order to attempt to ensure that the matter does not reach court. If you find yourself accused of a crime under the act or require advice, you may contact Quentin for a free, no obligation discussion about how he may assist in your case.