Cyber criminals can now face life imprisonment under a new offence in the Computer Misuse Act 1990 which came into force on 3 May 2015. The new offence under section 3ZA of the 1990 Act covers unauthorised acts in relation to a computer so as to “cause serious damage of a material kind”.
Prior to the new offence, the maximum penalty for unauthorised acts with the intent to impair the operation of a computer was 10 years’ imprisonment. However, with the constantly developing landscape and sophistication of cybercrime, the U.K. Government considers the 10-year penalty inadequate in cases where the cybercrime causes serious damage to human welfare (i.e. loss of life) or amounts to a critical attack on national infrastructure. In both of these instances, the maximum penalty is now life imprisonment. For other types of serious damage under the new offence, the maximum penalty is 14 years’ imprisonment.
The new offence under s.3ZA is similar to the existing section 3 offence. A person will be guilty of an offence if he does an unauthorised act in relation to a computer and at the time of the offence he knows it is unauthorised. The act must “cause, or create a significant risk of, serious damage of a material kind” (s.3ZA(1)(c)), or the person must be “reckless as to whether such damage is caused” (s.3ZA(1)(d)).
Serious damage is of a “material kind” if it causes:
(a) damage to human welfare in any place;
(b) damage to the environment of any place;
(c) damage to the economy of any country; or
(d) damage to the national security of any country.
What’s notable is that the above categories are broadly defined to allow the courts to prosecute serious cyber attacks in wide-ranging circumstances; the key ingredient under the new offence is that the offence must cause serious damage. While the new s.3ZA provides a definition for “material kind”, it is silent on what would constitute “serious damage”, and therefore it will ultimately be for the courts to provide an interpretation on a case-by-case basis.
The new offence is far-reaching: a person can be prosecuted in the U.K. even if the offence is committed in another country and against “any country”, so long as the person was a U.K. national at the time of the offence and the offence is punishable under the law of the country in which it occurred. So, for example, a U.K. court will be able to prosecute a U.K. national located in China carrying out cyber attacks on U.S. government systems. Cyber criminals can no longer avoid the severe penalties under this new offence by hiding behind the borders of other jurisdictions and their less severe laws.