As discussed in the previous blog, “The Court’s Nonsensical Approach to Unauthorised Access in DPP v Bignell” the early decision of the Court in relation to unauthorised access suggested that the actions of a person authorised to access parts of a computer system, but who then accessed other parts without permission, would not be covered by the Computer Misuse Act 1990 (‘the Act’).
In this case the US Government had sought extradition of an individual accused of fraud of American Express. With the assistance of an American Express employee, he had forged credit cards using information obtained by the employee. He had not accessed the computer himself, instead, he had relied upon someone who was authorised to access the system generally to obtain the information but who was not authorised to access that specific data.
Using the Bignell defence it was argued that an offence had not been committed since the employee was authorised to access the relevant computer system, i.e. it did not matter that the information obtained was not information the employee was authorised to access.
The case eventually reached the House of Lords where the interpretation in Bignell was rejected. The House of Lords stated that, as the employee had accessed data in accounts for which she was not authorised, the access she obtained was obviously “unauthorised access”.
The Courts had now adopted a common sense approach to the interpretation of “unauthorised access”, in a nutshell, if the employee obtained information she was not authorised to obtain then an offence had been committed. Whilst the interpretation of the Act was in its early stages and essentially still being moulded, this stance was upheld in subsequent cases.