CMA 1990
Computer Misuse Act 1990
Principal cybercrime statute — criminalises unauthorised access, unauthorised access with intent, unauthorised modification, and supplying tools for use in offences.
Self-test
Sections
Section 1 — Unauthorised access to computer material
Causing a computer to perform any function with intent to secure unauthorised access to any program or data, knowing the access is unauthorised.
- Either-way — max 2 years on indictment.
- Includes guessing/sharing passwords, snooping on a colleague's account, basic hacking.
Section 2 — Unauthorised access with intent to commit further offence
Section 1 offence committed with intent to commit (or facilitate) a further indictable offence (e.g., fraud, blackmail).
- Either-way — max 5 years on indictment.
Section 3 — Unauthorised acts impairing operation of computer
Doing any unauthorised act in relation to a computer with intent or recklessness as to impairing operation, preventing/hindering access to data, or impairing reliability/operation of programs/data.
- Either-way — max 10 years on indictment.
- Covers DDoS attacks, deploying malware, ransomware, wiping data.
Section 3ZA — Unauthorised acts causing or creating risk of serious damage
Unauthorised act in relation to a computer causing, or creating a significant risk of, serious damage to human welfare, the environment, the economy, or national security.
- Indictable only — up to LIFE imprisonment where damage to human welfare/national security.
- Targets attacks on CNI — power grids, water, NHS systems, transport networks.