Skip to Content

Computer Law


Computer Law and Cybercrime

Computer law covers the legal rules governing computers, digital information, software, networks, online services and electronic communications. It affects individuals, businesses, public bodies, technology providers and anyone who creates, stores, processes, accesses or transmits information electronically.

Modern computer systems can contain significant amounts of confidential and commercially valuable information, including:

  • names, addresses and identity documents;
  • banking and payment information;
  • credit and debit card details;
  • medical and health records;
  • customer and employee information;
  • emails, messages and communications;
  • internet access and usage records;
  • commercial contracts and financial records;
  • software code and technical information;
  • trade secrets, research and product designs;
  • government and public-sector information; and
  • mailing lists and marketing databases.

Unauthorised access, alteration, disclosure or destruction of this information can lead to criminal prosecution, regulatory action, civil claims and serious financial and reputational damage.

The Computer Misuse Act 1990

The Computer Misuse Act 1990 is the principal UK legislation dealing with unauthorised access to computers and computer systems. The Act can apply to laptops, mobile phones, servers, cloud platforms, online accounts, databases, networks and other systems that store or process data.

An offence can be committed even where no information is stolen, and no damage is caused. The central issue is often whether the person knowingly caused a computer to perform a function with the intention of gaining access to data or a program when that access was unauthorised.

Unauthorised Access to Computer Material

It is a criminal offence knowingly to gain unauthorised access to computer material. This is sometimes described as hacking, although the offence is not limited to sophisticated technical attacks.

Examples may include:

  • guessing or stealing another person’s password;
  • entering somebody else’s email or social media account;
  • accessing an employer’s database without permission;
  • using valid login details after authority has been withdrawn;
  • accessing files outside the limits of an employee’s role;
  • entering a computer network through a security weakness; or
  • accessing an online account using credentials obtained through phishing.

A person can exceed their authorised access even if they are permitted to use part of the system. For example, an employee who is entitled to access customer records for their work may act without authority if they search those records for personal, dishonest or unrelated reasons.

Unauthorised Access with Intent to Commit Another Offence

A more serious offence may arise where unauthorised access is obtained with the intention of committing or assisting another offence.

This might include accessing a system to:

  • steal money or confidential information;
  • commit fraud;
  • make unauthorised bank transfers;
  • obtain payment card details;
  • blackmail an individual or organisation;
  • facilitate identity theft;
  • alter financial or business records; or
  • assist another person in committing an offence.

The further offence need not be completed before criminal liability can arise.

Unauthorised Acts Intended to Impair a Computer

It is also an offence to carry out an unauthorised act while intending to impair the operation of a computer, prevent or hinder access to programs or information, impair the reliability of data or enable any of those consequences.

This may cover conduct such as:

  • installing malware or ransomware;
  • introducing a computer virus;
  • deleting or corrupting files;
  • encrypting data without authority;
  • changing passwords to lock out authorised users;
  • disrupting a website or online service;
  • launching a denial-of-service attack;
  • damaging backup systems; or
  • interfering with computer-controlled equipment.

Recklessly causing one of these consequences may also amount to an offence in some circumstances, even where causing the particular damage was not the person's primary intention.

Serious Damage Caused by Computer Misuse

More serious offences can arise where an unauthorised act causes or creates a significant risk of serious damage. This can include serious damage to human welfare, the environment, a country's economy, or national security.

These provisions may be relevant to attacks affecting hospitals, transport networks, energy supplies, communications systems, financial infrastructure, public services or other critical systems.

Making or Supplying Hacking Tools

The Computer Misuse Act can also apply to making, adapting, supplying or offering to supply an article intended for use in a computer misuse offence. An article may include software, scripts, passwords, access codes or other tools.

Many cybersecurity tools have legitimate uses. Whether an offence has been committed will depend on matters including the person's intention, knowledge, authorisation and the circumstances in which the tool was created, supplied or obtained.

Authorisation and Permission

Whether access was authorised is often central to a computer misuse case. An employment contract, computer-use policy, client instruction, licence, system permissions or the specific terms of a cybersecurity engagement may limit permission.

Technical ability to access a system does not necessarily confer legal authority. The fact that a password still works, that a file has not been protected, or that a security vulnerability is easily exploited does not, by itself, permit a person to access the information.

Organisations commissioning penetration testing, vulnerability assessments or security research should provide clear written authority. The agreement should identify:

  • the systems and accounts that may be tested;
  • the permitted testing techniques;
  • the start and end dates;
  • systems and information that are excluded;
  • how personal or confidential information must be handled;
  • when testing must stop;
  • how vulnerabilities should be reported; and
  • who is authorised to approve changes to the scope.

A vague instruction to "test the system" may not provide sufficient protection where the tester accesses third-party systems, exceeds the agreed scope or disrupts live services.

Data Protection and Computer Security

Where computer systems contain information about identifiable individuals, the UK General Data Protection Regulation and the Data Protection Act 2018 may apply.

Personal data can include names, contact details, identification numbers, online identifiers, location information, account information and other data capable of identifying a person directly or indirectly.

Some personal information requires additional protection because of its sensitive nature. This can include information about health, racial or ethnic origin, religious beliefs, political opinions, trade union membership, genetic data, biometric identification and a person's sex life or sexual orientation.

The Duty to Keep Personal Information Secure

Organisations must use appropriate technical and organisational measures to protect personal information. The measures required will depend on the nature of the information, the risks involved, available technology and the cost of implementation.

Appropriate measures may include:

  • access controls and user permissions;
  • multi-factor authentication;
  • secure password arrangements;
  • encryption;
  • software updates and security patching;
  • firewalls and malware protection;
  • secure backups;
  • staff training;
  • monitoring and audit logs;
  • incident-response procedures;
  • supplier and processor checks; and
  • secure destruction of information and equipment.

Cybersecurity is not solely an IT issue. Directors and senior management may need to ensure that risks are understood, responsibilities are allocated, appropriate resources are available, and incident plans are regularly reviewed and tested.

Personal Data Breaches

A personal data breach is not limited to information being stolen by a hacker. It can include accidental or unlawful destruction, loss, alteration, disclosure of or access to personal information.

Examples include:

  • sending an email or attachment to the wrong recipient;
  • losing an unencrypted laptop or storage device;
  • publishing personal information online accidentally;
  • allowing an unauthorised employee to view records;
  • a ransomware attack that makes information unavailable;
  • deleting data without an adequate backup;
  • an employee taking a customer database; or
  • a cyberattack in which information is copied or disclosed.

Organisations should record personal data breaches and assess the likely risk to the affected individuals. Where a breach is likely to result in a risk to people's rights and freedoms, it must generally be reported to the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it.

Where the breach is likely to create a high risk for affected individuals, the organisation may also have to inform those individuals without undue delay. Legal advice may be needed to determine whether notification is required and how it should be worded.

Claims Following a Data Breach

A person affected by a failure to comply with data protection law may complain to the organisation and, where appropriate, to the Information Commissioner's Office.

Depending on the circumstances, an individual may also seek compensation through the courts for material damage, such as financial loss, or non-material damage, such as distress. Compensation is not automatic merely because a breach occurred. The claimant must establish the legal basis of the claim and the loss or damage suffered.

Computer-Related Fraud

Computers and online accounts are frequently used to commit fraud. Conduct involving deception, false representations, dishonest concealment or abuse of a position may fall within the Fraud Act 2006 in England, Wales and Northern Ireland. Different criminal legislation applies in Scotland.

Computer-related fraud may include:

  • online banking fraud;
  • payment diversion and invoice fraud;
  • business email compromise;
  • identity fraud;
  • phishing and fraudulent websites;
  • online shopping and auction fraud;
  • investment and cryptocurrency scams;
  • using stolen payment-card information;
  • altering electronic records to obtain money;
  • creating false customer or supplier accounts; and
  • employees abusing access to divert payments or assets.

The same conduct may involve several offences. For example, accessing an email account without permission and using information found there to redirect a payment could engage computer misuse, fraud, theft, money laundering and data protection law.

Identity Theft and Identity Fraud

The phrase "identity theft" is commonly used when someone obtains or uses another person's personal information without permission. The precise criminal offences will depend on what was done with the information.

Using another person's details to make false representations, obtain credit, access an account, redirect money or acquire goods or services may amount to fraud. Possessing false identity documents or articles intended for use in fraud may also constitute separate offences.

Victims should preserve evidence, contact their bank or payment provider, change affected passwords and report the matter through the appropriate official reporting channels. Credit-reference agencies and organisations holding compromised accounts may also need to be contacted.

Malware, Ransomware and Cyber Extortion

Malware is software designed to interfere with systems, obtain access, collect information, or cause damage. Ransomware commonly encrypts data or prevents access to systems before making a payment demand.

A ransomware incident can create several legal issues, including:

  • computer misuse offences;
  • blackmail or extortion;
  • personal data breach reporting;
  • contractual notification obligations;
  • insurance conditions;
  • regulatory reporting;
  • sanctions and payment risks;
  • preservation of evidence; and
  • claims from customers, employees or business partners.

Businesses should obtain specialist technical, legal and insurance advice before making decisions about communications, negotiations or payments. Paying a ransom does not guarantee that information will be recovered or that copied data will be deleted.

Interception and Monitoring of Communications

Accessing a computer account is not the only activity regulated by law. Intercepting emails, telephone calls, messages, internet traffic, or other communications may engage separate surveillance and investigatory powers, as well as privacy and data protection legislation.

Businesses may have legitimate reasons to monitor systems, including preventing fraud, maintaining security, investigating misconduct and checking compliance with workplace policies. However, monitoring should be necessary, proportionate and transparent.

Before monitoring employees or users, an organisation should consider:

  • the purpose of the monitoring;
  • whether a less intrusive method is available;
  • the lawful basis for processing personal information;
  • whether workers have been adequately informed;
  • who can access the monitoring information;
  • how long the information will be retained;
  • whether a data protection impact assessment is required; and
  • whether private or legally privileged communications may be captured.

Secret monitoring will only be justified in limited circumstances and should not be undertaken routinely.

Employees and Misuse of Computer Systems

Computer misuse frequently occurs within an organisation rather than through an external attack. Employees and contractors may have legitimate access to systems but use that access for an unauthorised purpose.

Examples include:

  • searching customer records out of curiosity;
  • viewing records relating to friends, relatives or public figures;
  • taking client information to a new employer;
  • copying confidential documents before resigning;
  • using customer details for personal business;
  • altering or deleting records to conceal misconduct;
  • sharing passwords with colleagues;
  • installing unapproved software; or
  • retaining access after employment has ended.

The conduct may lead to disciplinary proceedings, dismissal, an injunction, a civil claim or criminal investigation. Employers should lawfully preserve evidence, avoid interfering with relevant logs, and seek advice before searching personal devices or accounts.

Employment contracts and policies should clearly explain permitted computer use, monitoring, confidentiality, data protection, intellectual property ownership and what happens to access rights when employment ends.

Confidential Information and Trade Secrets

Computer systems often contain confidential business information that may be protected through contracts, the law of confidence and trade-secret protections.

Protected information may include:

  • customer and supplier lists;
  • pricing arrangements;
  • business plans;
  • software source code;
  • technical specifications;
  • formulas and manufacturing processes;
  • research and development information;
  • security credentials; and
  • commercial negotiations.

A business seeking to enforce confidentiality will usually need to show that the information had the necessary quality of confidence, was disclosed in circumstances importing an obligation of confidence and was used or disclosed without authority.

Businesses should restrict access according to genuine need, label sensitive information, use confidentiality agreements and maintain records showing how valuable information is protected.

Software, Websites and Intellectual Property

Computer programs, source code, databases, website content, graphics and technical documentation may be protected by intellectual property law. Copyright commonly protects original software code and associated materials, while patents may protect certain qualifying technical inventions.

Disputes can arise over:

  • ownership of software created by employees or contractors;
  • unauthorised copying of source code;
  • breach of software licence terms;
  • use of open-source components;
  • ownership of websites, domain names and databases;
  • development delays or defective software;
  • access to source code when a supplier fails; and
  • use of data to train or operate artificial intelligence systems.

A person or business commissioning software does not necessarily own every intellectual property right merely because they paid for the work. Development contracts should expressly address ownership, licensing, source code access, third-party components, confidentiality, support, and termination.

Computer and Technology Contracts

Technology agreements should clearly define what each party must provide, the required performance standards and what happens if the system fails.

Common agreements include:

  • software development agreements;
  • software licences;
  • cloud-computing contracts;
  • software-as-a-service agreements;
  • website development and hosting agreements;
  • IT support and maintenance agreements;
  • data-processing agreements;
  • cybersecurity and penetration-testing agreements;
  • hardware supply contracts; and
  • technology outsourcing agreements.

Important provisions may include service levels, acceptance testing, security standards, data location, backup arrangements, business continuity, intellectual property ownership, subcontracting, liability, termination and assistance when changing providers.

Cloud Services and Third-Party Providers

Using an external cloud or software provider does not remove an organisation's legal responsibility for its information. Businesses should assess providers before entrusting them with confidential or personal data.

Checks may include:

  • where information will be stored and processed;
  • what security controls are used;
  • whether subcontractors are involved;
  • how quickly incidents must be reported;
  • what backups and recovery arrangements exist;
  • how access is controlled;
  • how information can be returned or deleted;
  • whether international data-transfer rules apply; and
  • what liability the provider accepts.

Where a supplier processes personal information on behalf of a customer, data protection law typically requires a written contract that includes specified provisions.

What to Do Following a Cyber Incident

A cyber incident may require immediate technical, legal, regulatory and commercial action. Organisations should activate their incident-response plan and ensure that decisions are recorded.

Initial steps may include:

  • containing the incident without unnecessarily destroying evidence;
  • securing affected accounts and systems;
  • preserving logs, messages, devices and other evidence;
  • identifying what information and services are affected;
  • contacting cybersecurity specialists;
  • notifying insurers in accordance with the policy;
  • assessing data protection reporting obligations;
  • considering contractual and regulatory notifications;
  • informing banks or payment providers where money is at risk;
  • preparing accurate internal and external communications; and
  • reporting criminal conduct through the appropriate channels.

Organisations should avoid making unsupported public statements before the nature and scale of the incident are understood. Communications should be accurate, coordinated and regularly reviewed as new information becomes available.

Preserving Digital Evidence

Digital evidence can be altered or destroyed easily. An organisation should avoid deleting accounts, wiping devices, reinstalling systems or changing extensive records before obtaining technical advice, unless immediate action is necessary to contain continuing harm.

Evidence may be required for a criminal investigation, an insurance claim, a regulatory enquiry, an employment process or civil proceedings. A clear record should be kept of who collected the evidence, when it was obtained and how it has been stored.

Civil Claims Relating to Computer Misuse

In addition to criminal prosecution and regulatory enforcement, computer misuse may lead to civil proceedings. Depending on the facts, possible claims may involve:

  • breach of confidence;
  • breach of contract;
  • misuse of private information;
  • copyright or database-right infringement;
  • data protection breaches;
  • fraud or deceit;
  • interference with goods or property;
  • breach of employment duties; or
  • claims against directors, employees or contractors.

The court may be asked to grant an injunction, order the return or deletion of information, award damages, require an account of profits or make orders preserving evidence and identifying wrongdoers.

Urgent legal advice may be necessary where information is about to be published, transferred overseas, disclosed to a competitor or permanently destroyed.

Defending an Allegation of Computer Misuse

An allegation of unauthorised access or cybercrime should be taken seriously. The legal issues may include:

  • whether the accused person accessed the system;
  • whether the access was authorised;
  • the extent and terms of any permission;
  • whether access continued after permission was withdrawn;
  • what the person knew or intended;
  • whether data was copied, changed or deleted;
  • whether another person used the device or account;
  • the reliability of system logs and forensic evidence; and
  • whether the investigation and seizure of equipment were lawful.

A person under investigation should avoid deleting information, contacting witnesses inappropriately or attempting to alter devices or accounts. A criminal defence solicitor with experience in computer misuse and digital evidence can advise before a police interview and throughout the investigation.

How a Computer Law Solicitor Can Help

A solicitor specialising in computer, technology or cyber law may advise on:

  • computer misuse and hacking allegations;
  • data breaches and ICO reporting;
  • cybersecurity incidents and ransomware;
  • online and computer-related fraud;
  • employee misuse of systems and information;
  • privacy and workplace monitoring;
  • software development and licensing;
  • cloud and technology contracts;
  • confidential information and trade secrets;
  • intellectual property in software and databases;
  • urgent injunctions and evidence preservation;
  • regulatory investigations;
  • compensation claims; and
  • criminal defence proceedings.

Finding a Computer Law Solicitor

Computer law is a broad and technical area. A cyber incident or allegation may involve several areas of criminal, civil, and regulatory law simultaneously. Early advice can help protect evidence, reduce further loss, meet reporting deadlines and avoid statements or actions that may damage a later claim or defence.

Use the search facility at the top of this page to find a solicitor with experience in computer law, cybercrime, data protection or technology disputes.

This guide provides general information about computer law in the UK. It does not constitute legal advice and should not be relied upon as a substitute for advice about a particular incident or dispute.

Computer Law
Image Description
related news
recent articles
Double Jeopardy Law

What is Double Jeopardy? and is it still Law in the UK?..

link

Wilful Neglect.

Social workers could face up to five years in jail should they prove guilty of wilful neglect towards children, if consultation decides to extend the law to inc..

law on legal highs to be reviewed

The law banning legal highs in the UK is to undergo an urgent review...

Stalking and Harassment.

Recent report uncovers failings by the police and prosecution service...

What is a Section 60 notice?

Over 2000 section 60 notices have been issued in London last year..

link

Appointing a Solicitor

Guide to some of the factors people use when appointing a Solicitor...

New Guidelines for online hate crimes.

New guidelines have been issued to crack down on online hate...

Plea services launched online.

Plea services launched on-line for motoring offences -
The Government has launched a new service that allows motorists charged with summary offences to enter a..

Stop and Search Laws to be changed?

Police Chiefs are calling for a change in the 'stop and search' l..

link

Setting Up A Business

Setting up in Business - When you are starting up in business you will need to choose a business type, most of us have heard of limited companies and partnershi..

Social Media hampering police investigations.

Its time social media worked better with the police...

Employment Law Solicitors for Employers.

Employment Law Solicitors for Employers. If you're the employer of people, you want excellent solicitor's representation that giving expert advice...

Image Description
Is there anything wrong with this page? - any amendments will receive accreditation - email us

Solicitors.com are not a firm of solicitors, and any content on the site should not be used in substitute for obtaining Legal advice from a solicitor regulated in the UK, Solicitors.com recommends that you contact a firm of solicitors to discuss your individual legal requirement. Whilst we strive to bring you accurate up to date content, all content on this site is not legal advice and is not guaranteed to be correct. Use of this site does not create a client relationship.

Information by area of law
Back to top