This post was written by Cynthia O’Donoghue.
The UK Court of Appeal, R v Martin  EWCA Crim 1420, dismissed an appeal against a two-year prison sentence for various cybercrimes by the appellant, Lewys Martin. Martin previously pleaded guilty to various breaches of the Computer Misuse Act 1990. Martin was then convicted and sentenced to concurrent terms for unauthorised modification of computer material, securing unauthorised access to computer material, including with intent, and for making, supplying or obtaining computer materials. In addition, there was a violation for the interception of communications under the Regulation of Investigatory Powers Act 2000.
The underlying convictions related to denial of service (DOS) attacks against various public bodies including Oxford and Cambridge Universities and the Kent Police, as well as to the hacking of several individuals’ bank accounts, all taking place during 2011 and 2012. Martin was found to be linked to the cyberattack group “Anonymous.” The Universities wasted 19 working days in dealing with the attacks and Kent Policy wasted 35 man hours, with 30% of their security team engaged in dealing with the attacks. The individuals whose banking details were hacked and stolen were also impacted with each of them having to cancel and obtain new bank cards and close accounts, which took weeks to resolve.
The court recognised that individuals who had their privacy invaded in this way “very seldom” got over it, and the sentence had to reflect that the attacks against the individuals bordered on identity theft, even though Martin’s acts were not financially motivated. The appellate court held that the offences fell “into the highest level of culpability: they were carefully planned offences which did and were intended to cause harm both to the individuals and organisations targeted” (para. 36).
The court also held that the seriousness of the criminality could not be measured by the length of a cyberattack nor by the financial consequences, rather that the wider implications for society could not be ignored because of the potential to cause great damage and increasing prevalence of such incidents. The court looked at aggravating factors, such as whether an offence was planned or persistent, the nature of the damage, the public interest, and effect on individual privacy and on public confidence, holding that “for offending of this scale, sentences would be measured in years rather than months” (para. 43). In particular, the court acknowledged the prevalence of computer crime, the potential to cause enormous damage, to IT systems, important public institutions and to individuals, given the way in which society now operates, and that organisations are compelled to spend substantial sums combating this type of crime. The court concluded, therefore, that a deterrent sentence was warranted and the sentences were “amply justified” (para. 46).