Ethics and Law - Lesson 2 of 6

Legislation

Four key UK laws govern what you can and cannot do with computers, data, creative works and public information. This lesson covers all four, the specific offences and rights within each, and how to apply them to exam scenarios instantly.

Duration: 45-60 min. Laws covered: CMA 1990, DPA 2018, CDPA 1988, FoIA 2000.

In October 2015, a 15-year-old in Northern Ireland used a basic SQL injection attack to access TalkTalk's customer database. Within hours, the personal and financial details of 157,000 customers had been exposed. TalkTalk's share price fell by a third. The company was fined £400,000 by the Information Commissioner's Office.

Think about it: The attacker was a teenager with no specialist equipment. Which laws did he break? How many separate criminal offences did his actions involve? And why was TalkTalk also penalised when they were the victim?
The answer involves at least three of the four laws in this lesson. Understanding the legislation does not just help you pass exams - it clarifies where responsibility sits when digital harm occurs.
Why this matters in the exam

Legislation questions often give you a scenario and ask you to name the relevant law, identify the specific offence or section, and explain why it applies. You need to be precise: "computer misuse" is not an answer - "Section 1 of the Computer Misuse Act 1990: unauthorised access" is.

Computer Misuse Act 1990

Passed in 1990 in response to high-profile hacking cases, the Computer Misuse Act created three main criminal offences for accessing or modifying computer systems without authorisation.

Section 1 - Unauthorised access to computer material
Accessing any computer system or data without permission from the owner. The simplest offence: just logging in without authorisation.
Example: Using a friend's password to access their social media account without permission. Guessing a colleague's login to read their emails.
Maximum penalty: up to 2 years imprisonment.

Section 2 - Unauthorised access with intent to commit further offences
Accessing a system without authorisation AND intending to use that access to commit another crime, such as fraud or theft.
Example: Hacking a bank's system with the intention of transferring funds. Accessing an HR database to steal employees' personal information for identity fraud.
Maximum penalty: up to 5 years imprisonment.

Section 3 - Unauthorised modification of computer material
Making unauthorised changes to any computer system or data. Includes installing malware, deleting files, encrypting data (ransomware), or defacing websites.
Example: Deploying ransomware that encrypts a hospital's files. Installing a keylogger on a colleague's computer. Defacing a company website.
Maximum penalty: up to 10 years imprisonment.

A fourth offence was added in 2006: Section 3A makes it illegal to make, supply or obtain tools for use in committing any of the above offences (for example, distributing hacking software or selling stolen login credentials).

Real case: The TalkTalk Hack (2015) - SQL injection and the CMA

In October 2015, TalkTalk - a major UK broadband provider - was attacked using a basic SQL injection technique that exploited unpatched vulnerabilities on their website. The attack exposed the personal data of approximately 157,000 customers, including names, addresses, dates of birth, and in some cases bank account details.

Six people were arrested and prosecuted. The youngest, a 15-year-old from Northern Ireland, pleaded guilty to offences under the Computer Misuse Act and received a 12-month youth rehabilitation order. A 20-year-old received a 12-month suspended sentence. These sentences were widely criticised as lenient given the scale of the breach.

Crucially, TalkTalk itself was also found to have breached the Data Protection Act. The Information Commissioner's Office fined TalkTalk £400,000 - at the time the maximum possible fine - for failing to implement adequate security measures, meaning they failed to protect customer data against foreseeable attacks.

Real case: British Library ransomware attack (2023)

In October 2023, the British Library - one of the world's largest libraries, holding over 170 million items - suffered a major ransomware attack by the Rhysida criminal group. The attackers encrypted the library's systems and demanded a ransom, then leaked approximately 600 gigabytes of stolen data online when the British Library refused to pay. The leaked data included personal details of staff and library users.

The attack knocked out the British Library's website, online catalogue, public Wi-Fi and internal systems for months. Researchers, academics and members of the public lost access to one of the world's most important research resources. The library estimated recovery costs of up to £7 million - roughly 40% of its reserves. Full restoration of services took well into 2024.

The Rhysida attackers had committed multiple offences under the Computer Misuse Act 1990: Section 1 (unauthorised access), Section 2 (access with intent to commit further offences), and Section 3A (supplying a tool for unauthorised access - the ransomware itself). The British Library also faced scrutiny over whether it had taken adequate technical security measures to protect the personal data it held, raising potential issues under the Data Protection Act 2018.

Scenario: PixelCraft Studios - copyright and software piracy

PixelCraft is a fictional independent game developer that spends two years creating and publishing a game. Within a week of release, a cracked version appears on file-sharing websites, allowing users to play the game without purchasing it. PixelCraft estimates that 200,000 copies have been downloaded illegally.

Additionally, a content creator uses footage from PixelCraft's game in a YouTube video, including the original soundtrack, without permission. The video gets 3 million views and generates advertising revenue for the creator.

Three more key laws

Data Protection Act 2018
Main purpose: Controls how organisations collect, store and use personal data. Implements GDPR in UK law.
Key provisions: 6 GDPR principles (see Lesson 1), 8 individual rights (access, erasure, portability, object), requirement to register as a data controller. Maximum fine: 4% of global turnover or £17.5 million.

Copyright, Designs and Patents Act 1988
Main purpose: Protects original creative works from being copied or used without permission.
Key provisions: Protects software, music, images, text, film, and databases. Copyright is automatic - no registration needed. Lasts for 70 years after the creator's death. Fair dealing exceptions exist for education, research and news reporting.

Freedom of Information Act 2000
Main purpose: Gives the public the right to access information held by public authorities.
Key provisions: Any person can request information from public bodies (government, NHS, schools, police). Must respond within 20 working days. Exemptions exist for national security, personal data, commercial sensitivity and ongoing investigations.

Intellectual property
A legal concept protecting creations of the mind. Copyright, patents and trademarks are all forms of intellectual property protection.
Software licence
A legal agreement defining how software may be used, copied, modified and distributed. Violating a licence is a copyright infringement.
Fair dealing
A legal exception to copyright allowing limited use of copyrighted material without permission for purposes such as education, criticism, or news reporting.
Data controller
The organisation or person that determines why and how personal data is processed. They are responsible for compliance with the DPA 2018.

Software licensing types

The Copyright Designs and Patents Act makes it illegal to copy or distribute software without appropriate authorisation. Software is distributed under licences that define what users may and may not do.

Proprietary (e.g. Windows, MS Office)
Cost: paid. Source code: closed. Modify: no. Redistribute: no.

Open source (e.g. Linux, Firefox, LibreOffice)
Cost: free. Source code: open. Modify: yes. Redistribute: yes, under licence conditions.

Freeware (e.g. Skype, VLC)
Cost: free. Source code: closed. Modify: no. Redistribute: often limited.

Shareware (e.g. WinRAR trial)
Cost: free trial, then paid. Source code: closed. Modify: no. Redistribute: distribution of the trial version is often permitted.

Think deeper

The Computer Misuse Act 1990 was written before widespread internet use, smartphones, or cloud computing existed. A student argues that "just looking at files" on a system they are not authorised to use should not be a criminal offence - only actions that cause damage should be criminalised. Do you agree?

Arguments for the current law: unauthorised access violates the system owner's privacy even without damage, normalising it would make more serious attacks easier to conceal, and intelligence-gathering (even passive reading) can enable future crimes. Arguments for reform: the law criminalises accidental access (e.g. following a shared link), the "intent" requirement in Section 2 already recognises severity gradations, and disproportionate penalties for minor access may deter security researchers. In practice, prosecutions for "just looking" are extremely rare - the Crown Prosecution Service typically only prosecutes where there is evidence of intent, actual harm, or both.

Lesson 2 Quick Quiz

5 questions.

Question 1: A hacker uses a stolen password to log into a company's server with the intention of transferring money to their own account. Which section of the Computer Misuse Act 1990 most accurately describes this?
Question 2: A school uses a photo from a photographer's website on their prospectus without permission. Which law has been broken?
Question 3: A journalist requests a list of all public contracts awarded by a local council in the last year. Under which law can they make this request?
Question 4: Which type of software licence allows users to view and modify the source code?
Question 5: An organisation suffers a data breach because they stored customer passwords in plain text. Under which law could they be fined?

Lesson 2 Worksheets

Three differentiated worksheets covering legislation recall, application and exam technique.

Recall: Four Laws - Key Facts
Match laws to descriptions, fill in offence sections, and complete a comparison table of software licensing types.

Application: Scenario - Which Law?
Eight short scenarios. For each, identify the relevant law, the specific section or principle, and the likely penalty. Answers included.

Exam technique: TalkTalk Hack - Structured Questions
Questions building from 1 to 8 marks using the TalkTalk scenario. Includes a 6-mark evaluate question with model answer and mark scheme.

Flashcard deck: Key legislation and software licensing terms

Lesson 2 - Ethics and Law: Legislation
Starter activity
Show students a news headline about a high-profile hack (TalkTalk, or a current one). Ask: who is responsible? The attacker? The company? Both? Why? Take a vote, then reveal that both may face legal consequences under different laws.
Lesson objectives
1. Name the three main offences in the Computer Misuse Act 1990 and their maximum penalties.
2. Explain the purpose of the DPA 2018, CDPA 1988 and FoIA 2000.
3. Distinguish between proprietary, open source, freeware and shareware licences.
4. Apply the correct legislation to a range of exam scenarios.
Key vocabulary
Unauthorised access
Accessing a computer system without permission from the owner. CMA Section 1.
Unauthorised modification
Making changes to a system without authorisation: deleting files, installing malware, defacing websites. CMA Section 3.
Intellectual property
Legal protection for creations of the mind: code, music, images, text. CDPA 1988.
Open source licence
Permits viewing, modifying and redistributing source code, usually under conditions (e.g. GPL requires derivatives to stay open source).
Discussion questions
Should companies be criminally liable (not just fined) when poor security practices lead to customer data breaches?
Is software piracy a "victimless crime"? Consider independent developers vs large corporations.
The Freedom of Information Act does not apply to private companies. Should it? What would be the benefits and risks?
Exit tickets
Name all three sections of the CMA 1990 and give one example of each. [3 marks]
State the difference between freeware and open source software. [2 marks]
A company experiences a ransomware attack. Identify the laws broken by (a) the attacker and (b) the company (if they had poor security). [4 marks]
Homework suggestion
Find the terms and conditions of one piece of software students use regularly (Discord, Spotify, a game). What does the licence say about what they can and cannot do? Report back with one surprising restriction they found.