Cyber Crime Attracts New Life Sentence in the UK

For serious computer-related crime, life imprisonment is now a possibility. A new criminal offence has been created, which includes a number of interesting features:

The relevant acts must be “unauthorised”. The meaning of this term was considered by the House of Lords in one of several cases involving attempts by the US authorities to extradite individuals to face charges in the US relating to computer hacking. The House of Lords decided that, so far as employees were concerned, an employee could commit an offence of securing “unauthorised access” to a computer only if she intentionally caused a computer to give her access to data which she knew she was not authorised to access. Their Lordships made it clear that an employee would only be guilty of an offence if the employer clearly defined the limits of the employee’s authority to access a program or data.

The person undertaking the acts must know they will cause or create a significant risk of serious damage of a “material kind”. “Damage of a material kind” is defined to mean:

  • damage to human welfare in any place;
  • damage to the environment of any place;
  • damage to the economy of any country; or
  • damage to the national security of any country.

“Damage to human welfare” is defined to mean:

  • loss to human life;
  • human illness or injury;
  • disruption of a supply of money, food, water, energy or fuel;
  • disruption of a system of communication;
  • disruption of facilities for transport; or
  • disruption of services relating to health.

It’s not hard to conjure up a range of horror story scenarios, each more lurid than the last, by reference to every one of the headings listed above. The only limiting factor is probably our own imaginations.

In fact, it’s difficult to think of any activity in the developed world that does not rely on computers in some way: everything from nuclear power plants to mass transport systems and from biochemical factories to flood barriers. (Remember that while there is no statutory definition of a computer, under English law it has been defined to mean any “device for storing, processing and retrieving information”; see DPP v McKeown, DPP v Jones [1997] 2 Cr App R 155, HL.)

It’s interesting also to note which of these scenarios the UK Government takes most seriously. Only these attract a life sentence:

  • damage to human welfare in any place
  • damage to the environment of any place
  • damage to the national security of any country

Other offences under this new provision “only” attract a 14-year term. Perhaps understandably, the UK equates threats to national security with threats to human life, but what does this really mean? For example, could a threat to the integrity of the UK’s financial system (if sufficiently grave) be regarded as a threat to national security?

Finally, it should be noted that the serious damage and other consequences of a cyber-attack don’t have to materialise in order for the offence to be triggered. It is enough if there is “significant risk” posed as a result of the attack. Of course the authorities still have the considerable challenge of finding those responsible (or at least some of them).

All of this serves to underline the seriousness with which companies in every sector need to take their responsibilities in this key area. It goes without saying that this advice applies equally to the directors and officers of these companies.