Computer Misuse Act 1990

Computer Misuse Act 1990

The Computer Misuse Act 1990 was developed in response to a high profile security breach which gained access to the mailbox of The Duke of Edinburgh. The hackers Stephen Gold and Robert Schifreen could not be prosecuted after accessing the login details of 50,000 Prestel customers because relevant legislation did not exist.

The perpetrators were taken to court for forgery but they were acquitted. To close this loophole the Computer Misuse Act 1990 was introduced which made it against the law to gain access to a computer without permission.

The Act states that any attempt does not necessarily require an intention to target a specific computer and the conditions of the Act make it unlawful to use software or hardware to scan, detect and target vulnerable systems.
Computer Misuse Act 1990

When the Act was introduced it defined three main criminal offences:

  • Access to material on computers which is unauthorised
  • Access to material with the primary intention to commit or facilitate additional offences such as identity theft

The modification of computer material which has not been authorised

  1. Unauthorised access to computer material.

Individuals are guilty of this offence if;

  • They take action that will result in a computer carrying out any function with the primary purpose of accessing programs or stored information, the access to the system has not been authorised and the individual recognises this when they start the unlawful act.
  • Intention in relation to the Act can be directed toward a particular system or set of data, programs or a data storage facility.

Anyone found guilty under unauthorised access to computer material is liable for a period of imprisonment which will not exceed six months in duration or a level 5 fine. In certain situations both a custodial sentence and a fine can be handed down by the court.

  1. Unauthorised access with an intention of committing or allowing another person to commit additional offences

To commit an offence in this category, the offender must be found guilty under the first category above but with full intention of committing an offence or to facilitate an offence to be committed by themselves or a third party. Penalties for offences committed by those 21 and over and who have not previously been convicted will be sentenced to a prison term of five years.

  1. Unauthorised modification of computer material.

Guilt under this category is defined when an individual undertakes anything which results in unauthorised changes to a computer or its contents and at the time the individual acts with intent and knowledge of the implications. Intent for the purposes of this section will include; damage to the routine operation of the computer, to hinder or prevent access or to impair the operation of the software or computer or the reliability of its data.


Towards the end of 2006, amendments were made to the Computer Misuse Act by the Police and Criminal Justice Act. The updated Act combined both the first and second offences outlined above to create a new section one to incorporate Section 3A a completely new addition. Section 3A incorporated the creation, supply or acquisition of articles to be used in offences under the computer misuse legislation.

There are many offences covered under the Act including unauthorised access to computer systems, hacking or distributing malware to cause damage through viruses or other issues.

In terms of unauthorised access this means changing passwords or settings to prevent others from accessing systems, causing problems for the general operation of the system or altering data or software.

The regulations state that it is still an offence to attempt or gain access to a computer without permission. If a hacker were to attempt to gain access to a system but they fail they can be prosecuted. The Act also covers software used by hackers such as packet sniffers which can be used to explore system weaknesses.

However the intention to cause damage to a computer system is one that cannot be proved easily. Offences are also committed of the hacker assumes another identity, or uses another person’s email address for the purpose of carrying out an offence under the Computer Misuse Act 1990.

The impact of the Computer Misuse Act 1990

Offences under the Computer Misuse Act do have implications with penalties being particularly severe. The penalties associated with this Act have been divided up into two categories. The first is a summary penalty which is a case that goes to court but the trial does not have a jury. The second is an indictment penalty which is a trial that is heard by a jury.

Current penalties for offences under the Act include:

Section 1 Computer Hacking

Summary penalties can result in a twelve month prison sentence and a fine of anything up to the statutory maximum

Indictment Penalties incur up to two years in prison and a fine

Section 3 unauthorised Acts in relation to a computer

Summary penalty – The courts can hand down a term of up to 12 months in prison and a fine at the discretion of the court up to the statutory maximum

Indictment Penalty – Offenders can receive up to 10 years custodial sentence in addition to a fine

Section 3A Creating, Distributing or Acquiring Articles)

Summary Penalty can result in a period of up to twelve months in prison and a fine up to the statutory maximum

An indictment penalty can hand down a prison term of up to two years and/or a fine which is to be determined by the court

The Computer Misuse Act 1990 is just one of the many pieces of legislation which have been introduced to help protect individuals and businesses from data loss or information breaches and gives the courts the power to hand down penalties to those found guilty of misusing computers.

About the author:

This article was written by a member of the Expert Answers legal advice team. Expert Answers provides online legal advice on all aspects of UK Law to users in the United Kingdom.