The Serious Crime Act 2015

08 April 2015

Author: Olivia O'Kane
Practice Area: Litigation and Dispute Resolution, Media and Defamation, and Public and Administrative Law

As we become increasingly reliant on technology, cyber-attacks present an ever-increasing risk to individuals and businesses as well as the economy, national security, the environment and even human welfare.  With this in mind, the Government proposed amendments to the Computer Misuse Act 1990 (the “1990 Act”) in the form of the Serious Crime Bill which was given Royal Assent on 3 March 2015.  This article looks at the current offences under the 1990 Act and the recent amendments proposed due to enter into force by virtue of the Serious Crime Act 2015.

Offences Under The Computer Misuse Act 1990

The Computer Misuse Act 1990 deals with the offences associated with interfering with a computer and the associated tools that enable computer systems to be breached. The 1990 Act makes unauthorised access to, or modification of, computer material unlawful, creating four offences.

In the UK, a hacker might be guilty of one or more of the following offences under the Computer Misuse Act 1990:

  • Unauthorised Access: Obtaining unauthorised access to computer material for example, by using another person’s ID and password to log onto a computer and access data.
  • Unauthorised Access with Intent: Obtaining such access in order to commit or facilitate the commission of another offence, such as theft of funds or data.
  • Unauthorised Acts with Intent to Impair: Obtaining such access in order to intentionally or recklessly impair the operation of any computer, a program or the reliability of data held on a computer; prevent or hinder access to any program or such data.
  • Making, supplying or obtaining articles for use in any of the above offences

The Serious Crime Bill

In June 2014, the Queen announced the Serious Crime Bill.  The aim of this Bill was to amend the Computer Misuse Act so that that law enforcement agencies would have effective legal powers to deal with the threat from serious and organised crime.

There were two main changes proposed by the Bill:

(1)  The creation of a new offence

This new offence would be committed where unauthorised acts are carried out on a computer resulting in serious damage to the economy, the environment, to national security or human welfare, or which create a significant risk of such damage even whilst physically outside the UK.

Commission of this offence would be punishable by up to 14 years’ imprisonment and/or a fine. Where the act causes loss of human life, serious illness or injury, or serious damage to national security, the offence would carry a maximum sentence of life imprisonment. 

(2)  Implementation of the EU Directive on Attacks Against Information Systems (2013/40/EU)

This Directive is designed to ensure that the EU has minimum rules on cyber offences and sanctions, and to ensure co-operation between EU member states in relation to cyber-attacks. The UK is already compliant with the Directive, except with regard to the following two aspects:

  • Tools for the commission of an offence

The existing Section 3A offence under the 1990 Act of making, supplying or obtaining articles for use in another offence under the Act requires the prosecution to prove that the defendant obtained the tool with a view to it being supplied for use to commit or assist in the commission of the other offence. The Bill amends this offence so that it covers circumstances where an individual obtained a tool with the intention to use it themselves to commit or assist in the commission of a separate offence.

  • Extension of the extra-territorial jurisdiction of the Act

The Directive requires EU member states to establish their jurisdiction over cyber offences which are committed by their nationals. The 1990 Act currently requires the prosecution to demonstrate a “significant link” to the UK for the section 1 and 3 offences. The Bill extends the UK’s extra-territorial jurisdiction to prosecute individuals for certain offences under the 1990 Act to include the defendant’s nationality. This would mean that a UK national could be prosecuted for an offence where the only link to the UK is their nationality, provided that the offence is also an offence in the jurisdiction where it took place.

Serious Crime Act 2015

The Serious Crime Bill received Royal Assent on 3 March 2015. Now the Serious Crime Act 2015, it includes the amendments to the 1990 Act, to ensure that sentences for attacks on computer systems fully reflect the damage they cause. 

The Act can be viewed at: http://www.legislation.gov.uk/ukpga/2015/9/contents/enacted

For more information please contact Olivia O'Kane.

Back