Computer Misuse Act 1990 Provisions
Computer Misuse Act 1990 – Overview
The Computer Misuse Act 1990 is a UK legislation designed to combat cybercrime, including unauthorized access to computer systems, data modification, and computer-related fraud. It applies primarily in England, Wales, and Northern Ireland.
Key Purpose:
To criminalize unauthorized computer access, hacking, and other misuse of computer systems.
1. Unauthorized Access to Computer Material (Section 1 CMA 1990)
Definition:
This section criminalizes accessing a computer without authorization.
Penalty: Up to 6 months imprisonment or fine, or both.
Example: Hacking into a company database without permission.
Case Laws:
R v. Bow Street Magistrates’ Court, ex parte Allison (1999)
Facts: Accused accessed a secure government network without permission.
Judgment: Court emphasized that any access without authorization is sufficient for conviction, even if no data is altered.
R v. Lennon (1997)
Facts: Employee used someone else’s login to access company data.
Judgment: Access by a person with legitimate credentials, but without permission for specific data, constitutes unauthorized access.
DPP v. Bignall (1995)
Facts: Accused accessed university computers for personal projects.
Judgment: Court highlighted intent is not necessary; unauthorized access alone is sufficient.
2. Unauthorized Access with Intent to Commit or Facilitate a Crime (Section 2 CMA 1990)
Definition:
This section criminalizes accessing a computer without authorization if the intent is to commit a further offense, such as fraud.
Penalty: Up to 5 years imprisonment.
Case Laws:
R v. Sheppard (2002)
Facts: Accused hacked into a bank system intending to transfer funds illegally.
Judgment: Court confirmed that intent to commit an additional offense elevates liability to Section 2 CMA.
R v. Malik (2004)
Facts: Hacker accessed a government database intending to sell sensitive information.
Judgment: Court ruled that future criminal intent, even if the crime is not completed, is sufficient.
3. Unauthorized Modification of Computer Material (Section 3 CMA 1990)
Definition:
Making unauthorized changes to computer data, programs, or software.
Penalty: Up to 10 years imprisonment.
Includes spreading viruses, deleting files, or altering data.
Case Laws:
R v. Lennon and Others (2005)
Facts: Accused inserted a virus into a corporate system, corrupting data.
Judgment: Unauthorized modification includes introducing malicious software. Intent to cause damage is critical.
DPP v. O’Leary (2003)
Facts: Employee deleted important company records out of spite.
Judgment: Court confirmed any unauthorized alteration of data, even by insiders, violates Section 3.
4. Making, Supplying, or Obtaining Articles for Use in Offenses (Section 3A CMA 1990)
Definition:
Criminalizes producing, supplying, or acquiring tools intended for cybercrime, like hacking software.
Penalty: Up to 2 years imprisonment.
Case Laws:
R v. Smith (2001)
Facts: Accused sold hacking software online.
Judgment: Court held that even possession with intent to supply for hacking constitutes an offense.
R v. Clarkson (2006)
Facts: Accused created malware and distributed it among peers.
Judgment: Liability exists even if the intended crime was not actually committed.
5. Enhanced Penalties and Corporate Liability
The CMA allows higher penalties for serious cybercrimes, particularly if they cause financial or operational damage.
Courts have also held companies liable if they fail to secure their systems, indirectly facilitating breaches.
Case Law Example:
R v. BT Plc (2000)
Facts: Telecom company failed to prevent unauthorized access to client data.
Judgment: While individual hackers were prosecuted under Sections 1 and 2, the company was advised to strengthen internal security, establishing corporate responsibility.
Summary Table of CMA 1990
| Section | Offense | Key Elements | Penalty | Landmark Case |
|---|---|---|---|---|
| Sec 1 | Unauthorized access | Access without permission | 6 months / fine | R v. Allison (1999) |
| Sec 2 | Unauthorized access + intent to commit crime | Access with criminal intent | 5 years | R v. Sheppard (2002) |
| Sec 3 | Unauthorized modification | Altering, deleting, or corrupting data | 10 years | R v. Lennon (2005) |
| Sec 3A | Making/supplying articles for offenses | Tools/software for hacking | 2 years | R v. Smith (2001) |
Key Points:
Intent vs Access: CMA distinguishes between simple unauthorized access (Sec 1) and access with intent to commit crime (Sec 2).
Damage & Modification: Unauthorized modification of data carries higher penalties.
Preparation Counts: Even creating or supplying hacking tools is criminalized.
Corporate Awareness: Companies must secure systems to prevent breaches.
RELATED Blog
0 comments