Computer Misuse Act 1990

Computer Misuse Act 1990

The Computer Misuse Act 1990 [CMA] provides the legislative framework, together with the University's own Regulations, for the control of the use of IT equipment. It links with the GDPR over the requirement to control access to, and safeguard, personal data stored on IT systems. The key points are:

  • Section 1(1) makes unauthorised access, such as hacking, an offence;
  • Unauthorised access can be external to the University;
  • Unauthorised access can be internal to the University as the user may be an authorised user, but accessing for an unauthorised purpose;
  • Levels of authorisation need to be clearly outlined to legitimate users - a requirement of the Data Protection Act 1998;
  • Unauthorised access can be quasi-internal by, for example, former students or staff;
  • Unauthorised modification includes virus authoring & dissemination.
  • Section 1(2) states that there need be no intention to cause harm.
  • Section 2 applies to unauthorised access with intention to commit, or aid the commission of, an offence.
  • The intent to commit a further offence is not dependent on whether the event takes place nor on whether it is even possible.
  • Section 3 concerns the unauthorised modification of the contents of any computer.
  • There is a consequential liability on the University for the failure to protect systems in the event of an attempt at a Distributed-Denial-of-Service attack.
  • Sections 4 & 5 state that if either the person committing the offence, or the computer against which it is committed, are in the UK, then the UK courts will have jurisdiction.

Following an All-Party Parliamentary Group recommendation, a Statutory Instrument was passed in 2007 that established that an explicit distributed denial of service (DDoS) attack was illegal. A DDoS attack occurs when a server or network is deliberately overloaded with near-simultaneous messages which may cause it to collapse. In addition, it is also an offence to distribute tools which are 'likely' to be used for facilitating illegal and unauthorised access to computer systems.