What is the Computer Misuse Act?

Today we’re going to be talking about the UK’s Computer Misuse Act of 1990. If you don’t know what this Act is, or don’t know what it’s all about, this article is the one for you. If you work in IT or information security, this is an important Act to know about.

The Computer Misuse Act was introduced way back in 1990 and was designed to protect personal data held by organisations from unauthorised access and modification. The Act was originally introduced after the failure to charge the hackers of Prestel – BT’s nascent email system at the time – and was designed to deal with hacking, unauthorised access to computer systems and intentionally spreading malicious software (malware), such as viruses. 

The Act primarily covers the following offences:

  • Unauthorised access to computer material or systems. Basically, if you don’t have permission, you are breaking the law.
  • Unauthorised access to computer material with intent to commit a further crime. This refers to entering a computer system to steal data or destroy a device or network. This could include hacking and/or implanting computer viruses and worms, such as ransomware.
  • Unauthorised modification of data. This refers to modifying or deleting data and covers the introduction of malware or spyware onto a computer.
  • Making, supplying, or obtaining anything which can be used in computer misuse offences.

These clauses cover a wide range of offences including hacking, computer fraud, blackmail and viruses. Doing any of the above means failing to comply with the Computer Misuse Act, which can lead to fines and potentially imprisonment.

Over the years, the Act has had minor updates to try to stay current with the times, such as in 2006, when section 37 of the Police and Justice Act of 2006 was inserted into the Computer Misuse Act. This became known as section 3A, which stipulates that making, supplying, or obtaining any articles for use in a malicious act using a computer is classified as criminal activity.

In 2015 several amendments were made to the Act, and it was aligned with another one, the Serious Crime Act of 2015. This was due to computer misuse being added to the list of serious crimes, with the maximum penalty for being found guilty increasing to a prison sentence of 14 years and the possibility of a fine.

Now that the Act is 31 years old, it is way overdue for a complete refresh. On the 11th of May, the Government, or more specifically the Home Office, issued a call for information about what should go into it. This call has been launched to gather information and consult with key stakeholders within the country later this year.

So, we’ll have to wait and see what the outcome is. Either way, I can see a lot more information being added in about social media and online usage, and I wouldn’t be surprised if a lot of clauses around encryption are somehow added into the Act.

Computer Misuse Act 1990 – https://www.legislation.gov.uk/ukpga/1990/18/section/1

Police and Justice Act 2006 – https://www.legislation.gov.uk/ukpga/2006/48/contents

Serious Crime Act 2015 – http://www.legislation.gov.uk/ukpga/2015/9/contents/enacted

Call for information – https://www.gov.uk/government/consultations/computer-misuse-act-1990-call-for-information