Anna may be liable under s.1 Computer Misuse Act (CMA) 1990 if: ‘she causes a computer to perform any function with intent to secure access to any program or data held in any computer, the access she intends to secure is unauthorised, and if she knows at the time when she causes the computer to perform the function that is the case’.[1] The prosecution would thus need to prove that Anna had unauthorised access to the database.
S.17(2) CMA defines “access” as altering or erasing data, copying or moving data, using data or causing output to data. Whilst s.17(5) defines “unauthorised” as not being entitled to control access of any kind in question of the data or program and not having consent from an entitled person. Case law also helps to distinguish access and unauthorised access, R v Bow Street Mags and Allison (1999) overruled the decision in DPP v Bignell and held that a person within an organisation who was authorised to access some data on a computer system, can exceed their authority by accessing data at a level outside that authority.[2] The case of DPP v Ellis (2001) also reinforces this common law rule. Applying s.1 CMA and case law to this scenario, it seems that Anna is liable for a s.1 offence as security engineers at Friendbook do not have any authorisation to access the user database and there is no information present stating that she was given permission to access the database by someone with valid authorisation.
The penalty for a s.1 offence tried in the Magistrates Court can be a fine of up to £5000 and/or 12 months’ imprisonment.[3] Friendbook could also dismiss Anna for gross misconduct as she was aware that security engineers were not meant to access the user database but still accessed it anyway.[4]

[1] S.1 Computer Misuse Act 1990
[2] R v Bow Street Magistrate and Allison, ex parte US Govt 1999 HL
[3] ibid n.1
[4] Denco Ltd v Joinson (EAT 1991)