Computer Misuse Act 1990

The Computer Misuse Act 1990 has been amended by the Police and Justice Act 2006.

Where amendments have been made, these are specifically highlighted in the text below. 

The Computer Misuse Act is designed to meet the general threat of unauthorised access, often called hacking. There are three offences in the Act:

• Unauthorised access to computer material

• Unauthorised access with intent to commit or facilitate committing another offence

• Unauthorised modification to computer material – an additional offence (3A) has been added to penalise the making, supplying or obtaining of articles for use in offences contrary to sections 1 or 3 of the CMA.

Unauthorised access to computer material

A person is guilty of an offence if:

                  They cause a computer to perform any function with intent to secure access to any programme or data held in any computer

AND

                  Access or intended access is unauthorised

AND

                  They know this is the case when the action is carried out

Unauthorised access to computer material is the lowest level of offence. It includes such practices as:

                  Finding or guessing someone's password

                  Using another's password to access a computer system

The offence occurs even if no changes to data are made, and no damage done. It is the act of accessing materials without authorisation that is illegal. As amended by the Police and Justice Act 2006 this now carries a penalty of up to two years’ imprisonment and/or a fine.

Unauthorised access with intent to commit or facilitate committing further offences

This expands on the first offence. It is the term 'intent to commit...further offences' that increases both the severity of the offence and the severity of the possible penalty, which is up to five years' imprisonment and/or a fine.

Unauthorised modification to computer material

This offence includes such practices as:

                  Deleting files

                  Changing the desktop build

                  Introducing viruses

The key element of this offence is 'intent', in that it is aimed at deliberate acts. It extends to the access of one computer through which damage is perpetrated on another, remote computer.

The Police and Justice Act 2006 now specifically states that  Distributed Denial of Service attacks (DDoS) should be considered within this Section (DDoS is when an attacker floods a particular website with messages, endlessly repeated.  This ties up the system and denies access to legitimate users).

This offence now carries a penalty of up to ten  years' imprisonment and/or a fine.

The new Section 3A deals with those who produce, for example, malicious scripts or software designed to enable modification of television set top boxes.  Again ‘intent’ is key here – it is aimed at deliberate acts.

This offence carries a possible penalty of up to two years’ imprisonment and/or a fine.