The government has toughened its stance on cyber-crime with changes to the Computer Misuse Act 1990 (the CMA) due to come into force on 3 May 2015. The changes, which involve the creation of a new offence and extension of existing provisions, are aimed at strengthening the law to allow it to keep up with the ever changing, sophisticated and globalised nature of cyber-crime.
In the context of combatting cyber-crime, there are three main changes to note:
1. A new offence: cyber-crime which causes material damage
In the CMA there is already an offence under section 3 relating to unauthorised acts with intent to impair the operation of a computer. The maximum penalty for this offence is 10 years' imprisonment.
Under the new offence, a person is guilty if they commit an unauthorised act in relation to a computer which causes, or creates a significant risk of damage to:
- human welfare in any place;
- the environment in any place;
- the economy in any country; or
- the national security of any country.
The person is guilty if, at the time of the act, they are aware that it is unauthorised and intend to cause serious damage or are reckless as to whether such damage is caused.
The new offence aims to catch situations where the impact of the act causes serious harm. Consequently, the maximum penalty is life imprisonment if the act causes serious damage to human welfare (which results in a loss of life, illness or injury) or serious damage to national security. For all other types of damage, the maximum penalty is 14 years' imprisonment.
The new offence is, in effect, an aggravated version of the existing section 3 offence. Damage is defined extremely widely and is not limited to damage caused in the UK. The section will apply to a wide range of cyber-crime where the outcome causes serious damage - so notably to cyber-criminals intent on causing disruption and harm to public services and national infrastructure.
2. Closing a loop hole
Section 3A(3) of the CMA has been amended so that it is an offence for a person to obtain an article intending to use it to commit, or assist in the commission of, a relevant offence under the CMA. For example, a person who obtains virus creating software with the intention of committing an offence may be caught by the section. Prior to the amendment, a person could only be guilty of an offence under the section if he obtained an article with a view to it being supplied for use to commit, or assist in the commission of, an offence.
As a result of the change, the prosecution need not prove an intention to supply, as an intention to personally use the article to commit, or assist in the commission of, an offence, is sufficient.
3. Extending the territorial scope of the CMA
The CMA already has extra-territorial jurisdiction thereby making it possible to prosecute a person in the UK for an act they commit abroad if there is a 'significant link' to the relevant UK jurisdiction.
The territorial scope provisions in the CMA and the meaning of 'significant link' have been extended further. The main change is that in relation to the offences under the CMA, where the accused is in a country outside the UK at the time of the act, that person can be prosecuted in the UK for the relevant offence if:
- the accused was a UK national at that time, and
- the act constituted an offence under the law of the country in which it occurred.
This means that, for example, an English court will have jurisdiction in a case where a UK national has hacked a US government database while living in France, provided that such an act is an offence in France. The effect of the amendment is to give English courts jurisdiction over offences which have little connection with the UK, thereby underlining the international reach of the CMA and the fact that cyber criminals are rarely constrained by territorial borders.
The principal objective of the legislation is to ensure that law enforcement agencies have effective legal powers to deal with the threat from serious and organised crime. The amendments appear to be widely drafted so as to allow a wide range of situations to be caught and should lead to more prosecutions.
Patrick leads the IT & Outsourcing Dispute Resolution team which advises regularly on data and cyber security issues.