• Top 1% of Defence Law Firms

  • Defended over 50,000 Cases

  • 5 star google reviews

  • 40 Years of Criminal Law Expertise

Criminal Defence Articles

A Guide to Computer Misuse Act Offences

Have you been charged with an offence under the Computer Misuse Act 1990? If so, you are probably in need of some expert advice. The offences under the Computer Misuse Act (CMA), and their application, especially in the current world of complex technologies (which are far more advanced than when the legislation was written) can be confusing and difficult to decipher. Perhaps you are looking at the words on the charge sheet and struggling to fit them to the facts of your case. This article aims to unpack the offences under the Computer Misuse Act. It looks at the types of evidence that are currently used in Computer Misuse Act cases, and the maximum sentence(s) you could face if you are convicted. It also considers possible defences, which could mean you get a lighter punishment or no punishment at all.

An overview of offences under the Computer Misuse Act  

The CMA sets out various offences that mainly relate to unauthorised access to, and interference with computers, including hacking. Here is a summary of the main offences:

  1. Unauthorised access to computer material (Section 1 CMA): In this offence, the defendant is alleged to have secured access, or intended to secure access, to computer information that the defendant was aware that they were not authorised to access. For example, one case under this offence related to a defendant who secured access to client bank accounts, which she knew she was not permitted to access, in order to forge credit cards.
  1. Unauthorised access with intent to commit or facilitate commission of further offences (Section 2 CMA): this offence relates to where computer information has been unlawfully accessed in order to commit a further offence. Examples of further offences that might follow on from such an act are fraud, theft, or offences under the Data Protection Act 2018.
  1. Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer (Section 3 CMA): This offence relates to an action that prevents or hinders access to computer material by a legitimate user. For example, cyber-attacks that seek to make a machine or service unavailable to their users.
  1. Unauthorised acts causing or creating risk of serious damage (Section 3ZA CMA): This offence targets computer misuse affecting critical national infrastructure, where damage to human welfare, environment, economy, or national security is at stake. It was added to the CMA legislation in 2015 to bring it into line with European Directive (2013/40/EU).

Offences under the CMA can be prosecuted even where the offence took place outside of England and Wales. However, according to Section 4 CMA, the court is only permitted to hear the case where there is a ‘significant link’ to England and Wales.

According to the Crown Prosecution Service, this could include if the target of the computer misuse is in the home country or if the misuse would create a significant risk of serious damage in the home country. It could also include if the technological activity that enabled the offending may have passed through a server based in the home country. This significantly widens the application of the legislation to include acts committed against any individual or network of a company or organisation with servers in England and Wales.

The CMA leaves the definition of ‘computer’ open. In 1997, courts interpreted this to mean ‘a device for storing, processing, and retrieving information.’ This was some time ago, and of course technology has progressed exponentially since then. If the matter is heard again by the courts, it may be possible that they develop a more refined definition to acknowledge the progress in technology. The offences under the CMA have been criticised by civil society organisations such as the Criminal Law Reform Now Network for being outdated and ambiguous.

What kind of evidence is used in Computer Misuse Act cases?

The police are likely to seize and interrogate any electronic devices that they allege were used in the commission of the offence. As well as searching the contents of the devices, they may also seek to access information held in the cloud.

Where the defendant is accused of hacking into a computer network system or computer, the prosecution is likely to rely upon electronic records that show when the system or computer was accessed, by whom, and how. In cases of unauthorised access, say for example in a bank, the prosecution would use the organisation’s audit records to show at what time the accounts were unlawfully accessed and by whom. They may also seek to link this unauthorised access to harm caused to the victim or connect it to further offences committed by the defendant – such as theft or fraud.

What is the maximum sentence for Computer Misuse Act cases?

The maximum sentences are set out in the CMA and depend upon the offence that has been committed. The table below sets out the various offences and the maximum sentence available for each:


Offence Maximum Sentence
Unauthorised access to computer material (Section 1 CMA): 2 years’ imprisonment
Unauthorised access with intent to commit or facilitate commission of further offences (Section 2 CMA) 5 years’ imprisonment
Unauthorised Acts with intent to impair, or with recklessness as to impairing the operation of a computer (Section 3 CMA) 10 years’ imprisonment
Unauthorised acts causing, or creating risk of, serious damage (Section 3ZA CMA) 14 years’ imprisonment, unless the offence caused or created a significant risk of serious damage to human welfare or national security, in which case a person guilty of the offence is liable to imprisonment for life

What are the applicable Computer Misuse Act defences?

Defences are a complex area of law. Whether you have a valid defence depends on the facts of your case, and you should always consult a solicitor for specialist advice. That said, there are several possible defences to offences under the CMA:

  1. Straightforwardly, you did not perform the act that you have been accused of doing.
  2. You did perform the act, but you did not have the required ‘guilty mind’ for the offence to be made out. For example, say you have been accused of unauthorised access to computer material. You accessed a person’s record, which you were not authorised to access. However, you did so, simply following a colleague’s instructions, without realising that your colleague did not have permission to make the request. This scenario came up in a real case, concerning a police officer making a request to the Police National Computer (PNC). The operator at the PNC was found not guilty because they were following what they believed to be legitimate instructions.

General defences

A ‘general defence’ to relates to the person accused rather than the crime itself. The following general defences may apply to offences under the CMA:

Mistake: This defence could apply if you were mistaken as to certain factual circumstances and would not have committed the offence if you had known otherwise. For example, perhaps you accessed a person’s records, believing mistakenly that you were entitled to retrieve the information.

Insanity: To succeed in this defence, you need to do more than simply show that you were suffering from mental health issues. You need to show that due to mental illness, you lacked the ability to reason such that you did not know that the act that you were doing was against the law.

Duress: This is where you were forced by a person or a set of circumstances to commit an offence. The court will consider whether you reasonably feared death or serious injury if you did not commit the act, and whether a reasonable person in your situation would have shared those fears and responded in the same way. This could apply to you if someone forced or pressurised you to hack or otherwise interfere with a computer.

Automatism: If you were not aware of your actions when committing the offence, in some rare circumstances, you may be able to rely upon the defence of automatism. Generally, if you were under the voluntary influence of alcohol or illicit drugs you will not be able to rely on this defence.

What will a successful defence achieve?

A successful defence may lead to you being acquitted or convicted of a lesser charge. Defences are highly fact dependent, so it is always best to seek advice on your case from a criminal defence solicitor with experience in handling CMA cases.

Where can I get help with Computer Misuse Act offences?

 If you have been accused of an offence under the Computer Misuse Act, make sure that you instruct criminal defence solicitors who are ready to take on the technical challenge of such a case. Not all solicitors are qualified to handle these cases given the technicalities of the provisions. With a team of highly experienced specialist and experienced criminal defence experts, Stuart Miller Solicitors is here to help. Contact us for a no obligation consultation today.


  • Responsive

    A legal expert will consult you within 24 hours of making an enquiry.

  • Empathetic

    We will always treat you with trust, understanding and respect.

  • Specialised

    Your case will be handled by an expert who specialises in your type of offence.

  • Proactive

    We will take early action to end proceedings as soon as it is practically and legally possible to do so.

  • Engaged

    You will be kept updated on your case at all times. We will provide a named contact available to answer your questions.

  • Caring

    We understand this is a difficult and stressful time for you and your family. Our team will support you every step of the way.

  • Tenacious

    We will never give up on your case. We fight tirelessly to get you the best possible outcome.

Google Rating
Based on 346 reviews

Further Reading


Call 24 hours a day, 7 days a week.