Amendments to the Computer Misuse Act 1990 (“CMA”) introduced by Part 2 of the Serious Crime Act 2015 (“2015 Act”) came into effect on the 3rd May 2015. The 2015 Act makes 4 changes to the CMA, in particular these:
- Create a new offence to ensure that the most serious cyber attacks attract penalties commensurate with the harm caused;
- Extend the section 3A offence to cover articles (or tools) for personal use;
- Extend the extra-territorial reach of the CMA offences; and
- Clarify the savings provision for law enforcement agencies.
Section 41 of the 2015 Act inserts new section 3ZA into the CMA creating a new offence of unauthorised acts in relation to a computer causing, or creating a significant risk of serious damage of a material kind. Damage is of a “material kind” for the purposes of this section if it is—
(a) damage to human welfare in any place;
(b) damage to the environment of any place;
(c) damage to the economy of any country; or
(d) damage to the national security of any country.
Where the unauthorised act results in serious damage to human welfare or to national security, the maximum sentence is life imprisonment. Where the unauthorised act results in serious damage to the economy or the environment the maximum sentence is 14 years’.
Section 42 of the 2015 Act amends the offence of making, supplying or obtaining articles (that is “hacker tools” or malware) for use in an offence under section 1 (unauthorised access to computer material or data), 3 (unauthorised acts with intent to impair the operation of a computer) or 3ZA (Unauthorised acts causing, or creating risk of, serious damage) of the CMA. Section 42 extends the section 3A offence so that it also covers obtaining a tool for use to commit a section 1 or 3 or the new section 3ZA offence, regardless of an intention to supply that tool and therefore extends the existing offence to capture the personal use of tools to commit computer misuse offences.
Section 43 of the 2015 Act extends the territorial scope of computer misuse offences by adding “nationality” to the categories of “significant link to the domestic jurisdiction” in section 5 of the CMA. This provides a legal basis to prosecute a UK national who commits any section 1 to 3A offence whilst outside the UK, where the offence has no link to the UK other than the offender’s nationality, provided that the offence was also an offence in the country where it took place.
Section 44 of the 2015 Act clarifies savings provision in the CMA whereby criminal investigations by law enforcement agencies did not fall foul of the offences in the Act. Privacy International, a privacy body suing GCHQ and the Foreign Office for illegal surveillance, accused the UK government of rewriting hacking laws in order to make law enforcement agencies exempt from being prosecuted, just before its court case began. However the government assert that the changes do not extend law enforcement agencies’ powers but merely clarify the use of existing powers (derived from other enactments, wherever exercised) in the context of the offences in the CMA.