The Computer Misuse Act 1990

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 25 February 2025.

The Computer Misuse Act 1990 is the main legislation in the United Kingdom dealing with computer hacking and related activities such as ransomware.

Here's what you need to know about what the law is, what it requires, how to comply, and what penalties you can face if you don't comply.


Principle of the Computer Misuse Act 1990

The main principle of the Computer Misuse Act is to ban unauthorized access to computers. This includes direct physical access and remote access such as over the internet.

Despite the term being in its name, the Computer Misuse Act does not strictly define "computer." Instead, it leaves it to courts to define the term as necessary based on the stated aims of the law.

Courts have updated their interpretation as technology evolves. In one high-profile case the judge used the definition "a device for storing, processing and retrieving information."

Where Does the Computer Misuse Act 1990 Apply?

Somebody can only be held liable for an offense under the Act if they have a significant link to the UK. This covers a wide range of links including:

  • The offender being in the UK when they committed the offense.
  • The target of the offense (the computer or its owner) being in the UK.
  • The offense involving data passing through a server in the UK.

The jurisdiction is wider for the most serious form of the offense (gaining unauthorized access and acting in a way that risks national security or harms welfare), in which case the UK's security being at risk is enough to count as a significant link. This is particularly relevant when it comes to extraditing an alleged offender to the UK.

Somebody can have a significant link to the UK, and thus be liable for an offense, whether or not they are a British citizen.

Criminal Offenses Under the Computer Misuse Act 1990

In its latest form, the Computer Misuse Act covers five specific offenses, sometimes referred to by the section of the act which details them. Section 1 is the primary offense; most of the other offenses involve committing a section 1 offense and then doing something else.

Section 1

This offence is gaining unauthorized access to a computer. This requires three things to be true:

  • The offender "causes a computer to perform any function with intent to secure access to any program or data held in any computer or to enable any such access to be secured." (The last part of this includes encrypting data such as in a ransomware attack).
  • The offender accessed the computer without authorization.
  • The offender knew they did not have authorization.

Unlike under data privacy laws, it does not matter which program or data the offender accessed.

The definition we've quoted in the first requirement may look confusing as it mentions "computer" twice. The first mention of "computer" in this definition can refer to either:

  • A computer somebody physically accessed without authorization
  • A computer the offender uses to gain the access (e.g. through remote hacking)

The important point is that the offender has to use a computer in some way as part of the offense. This means that simply looking over somebody's shoulder without permission and seeing data on their computer doesn't count.

Somebody with limited authorization to a computer can still commit an offense if they go beyond this authorization. For example, an employee might be allowed to use a computer but not to access specific files.

Legitimate searches by law enforcement officials, such as searching somebody's computer for evidence, are exempt even if the computer owner has not authorized the search.

Section 2

This is gaining unauthorized access to a computer (i.e. a section 1 offense) with the intent to commit further criminal offenses, for example identity theft or fraud.

Section 3

This is gaining unauthorized access to a computer (i.e. a section 1 offense) with the intent to impair the operation of, or hinder access to, a computer, program or data.

Section 3A

This is making, supplying or obtaining materials (including physical devices and software) with the intent they be used to commit a Section 1, Section 3 or Section 3ZA offence. This includes creating, distributing or obtaining malware or hacking tools.

Note that somebody creating or distributing these materials doesn't have to commit a Section 1 offence themselves to be guilty of a Section 3A offence. In other words, it's a crime to make the hacking tools even if you don't hack a computer yourself.

Section 3ZA

This is gaining unauthorized access to a computer (i.e. a section 1 offense) and either causing or risking serious damage. This includes damaging human welfare, a country's economy, or a country's national security.

The Crown Prosecution Service gives some guidance on this topic:

Crown Prosecution Service: Computer Misuse Act Section 3ZA Guidance

The National Crime Agency gives some examples of ways people could technically commit each of these offences. As we'll note later, these breaches would not necessarily result in a prosecution:

National Crime Agency: Computer Misuse Act information

Prosecution and Criminal Penalties Under the Computer Misuse Act 1990

The maximum prison penalties for breaching the act are as follows:

  • Section 1 (Gaining unauthorized access to a computer): Two years.
  • Section 2 (Gaining unauthorized access to a computer with the intention to commit other offenses): 5 years, though this increases to 10 years if the other offenses involve stealing data or accessing data to use for fraud.
  • Section 3 (Gaining unauthorized access to a computer to impair the operation of, or hinder access to, a computer, program or data): 10 years.
  • Section 3A (Creating, supplying or obtaining materials to use for unauthorized access to a computer): Two years.
  • Section 3ZA (Gaining unauthorized access and acting in a way that causes or risks serious damage): 14 years, increasing to life in prison if national security or human wellbeing was threatened.

In each situation, a judge can also impose an unlimited fine as well as, or instead of, a jail sentence.

These maximum penalties all apply to cases brought in the Crown Court (the UK criminal courts which hear more serious cases). For all but the last of these offenses, prosecutors have the option to instead bring the case in a magistrates' court in England, Wales or Northern Ireland, or a Justice of the Peace or Sheriff Court in Scotland.

In these situations, the penalties would be limited to the maximum which such courts have the power to impose (for any crime), which is currently 12 months in prison and/or a fine of £5,000.

In each case, the court can impose a fine, a prison term, or both.

Somebody who has technically breached the law will not always be prosecuted under the Computer Misuse Act. Here's the Crown Prosecution Service's guidance on what might affect the decision to prosecute:

Crown Prosecution Service: Computer Misuse Act Public Interest Guidance

The Computer Misuse Act 1990 remains in force in the United Kingdom today, having been updated several times. This included changes made by the Police and Justice Act 2006 and the Serious Crime Act 2015.

The main changes included increases to the original maximum penalties and extending jurisdiction in the most serious form of the offense (risking national security or harming welfare) to simply require that the risk is to the UK or somebody in it. The main effect of this is on extradition procedures.

The UK government began a review into updating, revising or replacing the Computer Misuse Act in 2021 but this has not resulted in any formal proposals or changes at the time of writing.

Summary

The Computer Misuse Act 1990 is the UK's main law on computer hacking. It's based on the core offense of gaining unauthorized access to a program or data on a computer, whether that involves physically accessing the computer or hacking it remotely. The offender must know the access was not authorized.

The maximum penalty starts at two years in prison and/or an unlimited fine, though the maximum allowable prison sentences increase if the offender planned to carry out other offenses using the unauthorized access; if they planned to steal data or use it for fraud; if they modified content; or if they caused or risked serious harm through the unauthorized hacking. It's also an offense to create, share or get tools used for unauthorized access.

The offender must have a significant link to the UK to come under the law. This can include the offender, the computer in question, or any servers being in the UK. For the serious harm offense, the significant link can simply be that UK national security was threatened.