BILL ANALYSIS
AB 32
Page 1

Date of Hearing: March 24, 2015
Counsel: Gabriel Caswell

ASSEMBLY COMMITTEE ON PUBLIC SAFETY
Bill Quirk, Chair

AB 32 (Waldron) - As Introduced December 1, 2014
As Proposed to be Amended in Committee

SUMMARY: Increases specified fines related to computer crimes from a maximum of five thousand dollars ($5,000), to a maximum of ten thousand dollars ($10,000), and tolls the statute of limitations for illegally acquiring digital images of a person that displays an intimate body part of a person. Specifically, this bill:

1) Increases fines from a fine of up to five thousand dollars ($5,000) to a fine of up to ten thousand dollars ($10,000) for the following offenses:

   a) Knowingly accessing and without permission altering, damaging, deleting, destroying, or otherwise using any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

   b) Knowingly accessing and without permission taking, copying, or making use of any data from a computer, computer system, or computer network, or taking or copying any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

   c) Knowingly and without permission using or causing to be used computer services.

   d) Knowingly accessing and without permission adding, altering, damaging, deleting, or destroying any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.

   e) Knowingly and without permission disrupting or causing the disruption of computer services or denying or causing the denial of computer services to an authorized user of a computer, computer system, or computer network.

   f) Second or subsequent violations of knowingly and without permission providing or assisting in providing a means of accessing a computer, computer system, or computer network in violation of this section.

   g) Second or subsequent violations of knowingly and without permission accessing or causing to be accessed any computer, computer system, or computer network.

   h) Knowingly introducing any computer contaminant into any computer, computer system, or computer network.

   i) Second or subsequent violations of knowingly and without permission using the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damaging or causing damage to a computer, computer data, computer system, or computer network.

   j) Knowingly and without permission disrupting or causing the disruption of government computer services or denying or causing the denial of government computer services to an authorized user of a government computer, computer system, or computer network.

   aa) Knowingly accessing and without permission adding, altering, damaging, deleting, or destroying any data, computer software, or computer programs which reside or exist internal or external to a public safety infrastructure computer system computer, computer system, or computer network.

   bb) Knowingly and without permission disrupting or causing the disruption of public safety infrastructure computer system computer services or denying or causing the denial of computer services to an authorized user of a public safety infrastructure computer system computer, computer system, or computer network.

   cc) Second or subsequent violations of knowingly and without permission providing or assisting in providing a means of accessing a computer, computer system, or public safety infrastructure computer system computer, computer system, or computer network in violation of this section.

   dd) Knowingly introducing any computer contaminant into any public safety infrastructure computer system computer, computer system, or computer network.

2) Provides that the statute of limitations does not commence to run until the discovery of specified computer hacking offenses in which it is alleged that the defendant acquired, copied, or distributed one or more digital images of a person that displays an intimate body part of the person. Includes the following definitions:

   a) Defines "intimate body part" as any portion of the genitals, the anus, and in the case of a female also includes any portion of the breasts below the top of the areola, that is either uncovered or clearly visible through clothing; and

   b) Defines "digital images of a person" as not including representational images, artwork, or cartoon drawings.

EXISTING LAW:

1) Punishes the following offenses by a fine not exceeding $10,000, by a sentenced felony jail term of 16 months, two years or three years, or both, or as a misdemeanor by a fine not exceeding $5,000, by imprisonment in a county jail not exceeding one year, or both: (Pen. Code, § 502(d)(1).)

   a) Any person who knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either devise or execute any scheme or artifice to defraud, deceive, or extort, or wrongfully control or obtain money, property, or data. (Pen. Code, § 502(c)(1).)

   b) Any person who knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network. (Pen. Code, § 502(c)(2).)

   c) Any person who knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network. (Pen. Code, § 502(c)(4).)

   d) Any person who knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network. (Pen. Code, § 502(c)(5).)

   e) Any person who knowingly and without permission disrupts or causes the disruption of government computer services or denies or causes the denial of government computer services to an authorized user of a government computer, computer system, or computer network. (Pen. Code, § 502(c)(10).)

   f) Any person who knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a public safety infrastructure computer system computer, computer system, or computer network. (Pen. Code, § 502(c)(11).)

   g) Any person who knowingly and without permission disrupts or causes the disruption of public safety infrastructure computer system computer services or denies or causes the denial of computer services to an authorized user of a public safety infrastructure computer system computer, computer system, or computer network. (Pen. Code, § 502(c)(12).)

2) Punishes any person who knowingly and without permission uses or causes to be used computer services as follows: (Pen. Code, § 502(c)(3).)

   a) For the first violation that does not result in injury, and where the value of the computer services used does not exceed nine hundred fifty dollars ($950), by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment. (Pen. Code, § 502(d)(2).)

   b) For any violation that results in a victim expenditure in an amount greater than five thousand dollars ($5,000) or in an injury, or if the value of the computer services used exceeds nine hundred fifty dollars ($950), or for any second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment. (Pen. Code, § 502(d)(2).)

3) Punishes any person who knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network as follows: (Pen. Code, § 502(c)(6).)

   a) For a first violation that does not result in injury, an infraction punishable by a fine not exceeding one thousand dollars ($1,000).

   b) For any violation that results in a victim expenditure in an amount not greater than five thousand dollars ($5,000), or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

   c) For any violation that results in a victim expenditure in an amount greater than five thousand dollars ($5,000), by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment. (Pen. Code, § 502(d)(3).)

4) Punishes any person who knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network as follows: (Pen. Code, § 502(c)(7).)

   a) For a first violation that does not result in injury, an infraction punishable by a fine not exceeding one thousand dollars ($1,000).

   b) For any violation that results in a victim expenditure in an amount not greater than five thousand dollars ($5,000), or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

   c) For any violation that results in a victim expenditure in an amount greater than five thousand dollars ($5,000), by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment. (Pen. Code, § 502(d)(3).)

5) Punishes any person who knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or public safety infrastructure computer system computer, computer system, or computer network as follows: (Pen. Code, § 502(c)(11).)

   a) For a first violation that does not result in injury, an infraction punishable by a fine not exceeding one thousand dollars ($1,000).

   b) For any violation that results in a victim expenditure in an amount not greater than five thousand dollars ($5,000), or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

   c) For any violation that results in a victim expenditure in an amount greater than five thousand dollars ($5,000), by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment. (Pen. Code, § 502(d)(3).)

6) Punishes any person who knowingly introduces any computer contaminant into any computer, computer system, or computer network as follows: (Pen. Code, § 502(c)(8).)

   a) For a first violation that does not result in injury, a misdemeanor punishable by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

   b) For any violation that results in injury, or for a second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in a county jail not exceeding one year, or by imprisonment, or by both that fine and imprisonment. (Pen. Code, § 502(d)(4).)

7) Punishes any person who knowingly introduces any computer contaminant into any public safety infrastructure computer system computer, computer system, or computer network as follows: (Pen. Code, § 502(c)(14).)

   a) For a first violation that does not result in injury, a misdemeanor punishable by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

   b) For any violation that results in injury, or for a second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in a county jail not exceeding one year, or by imprisonment, or by both that fine and imprisonment. (Pen. Code, § 502(d)(4).)

8) Punishes any person who knowingly and without permission uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damages or causes damage to a computer, computer data, computer system, or computer network. (Pen. Code, § 502(c)(9).)

   a) For a first violation that does not result in injury, an infraction punishable by a fine not exceeding one thousand dollars ($1,000).

   b) For any violation that results in injury, or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment. (Pen. Code, § 502(d)(5).)

9) Defines the following terms as follows:

   a) "Access" means to gain entry to, instruct, cause input to, cause output from, cause data processing with, or communicate with, the logical, arithmetical, or memory function resources of a computer, computer system, or computer network. (Pen. Code, § 502(b)(1).)

   b) "Computer network" means any system that provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals, remote systems, mobile devices, and printers connected by telecommunication facilities. (Pen. Code, § 502(b)(2).)

   c) "Computer program or software" means a set of instructions or statements, and related data, that when executed in actual or modified form, cause a computer, computer system, or computer network to perform specified functions. (Pen. Code, § 502(b)(3).)

   d) "Computer services" includes, but is not limited to, computer time, data processing, or storage functions, Internet services, electronic mail services, electronic message services, or other uses of a computer, computer system, or computer network. (Pen. Code, § 502(b)(4).)

   e) "Computer system" means a device or collection of devices, including support devices and excluding calculators that are not programmable and capable of being used in conjunction with external files, one or more of which contain computer programs, electronic instructions, input data, and output data, that performs functions including, but not limited to, logic, arithmetic, data storage and retrieval, communication, and control. (Pen. Code, § 502(b)(5).)

   f) "Government computer system" means any computer system, or part thereof, that is owned, operated, or used by any federal, state, or local governmental entity. (Pen. Code, § 502(b)(6).)

   g) "Public safety infrastructure computer system" means any computer system, or part thereof, that is necessary for the health and safety of the public including computer systems owned, operated, or used by drinking water and wastewater treatment facilities, hospitals, emergency service providers, telecommunication companies, and gas and electric utility companies. (Pen. Code, § 502(b)(7).)

   h) "Data" means a representation of information, knowledge, facts, concepts, computer software, computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device. (Pen. Code, § 502(b)(8).)

   i) "Supporting documentation" includes, but is not limited to, all information, in any form, pertaining to the design, construction, classification, implementation, use, or modification of a computer, computer system, computer network, computer program, or computer software, which information is not generally available to the public and is necessary for the operation of a computer, computer system, computer network, computer program, or computer software. (Pen. Code, § 502(b)(9).)

   j) "Injury" means any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access, or the denial of access to legitimate users of a computer system, network, or program. (Pen. Code, § 502(b)(10).)

   aa) "Victim expenditure" means any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, deleted, damaged, or destroyed by the access. (Pen. Code, § 502(b)(11).)

   bb) "Computer contaminant" means any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, that are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network. (Pen. Code, § 502(b)(12).)

   cc) "Internet domain name" means a globally unique, hierarchical reference to an Internet host or service, assigned through centralized Internet naming authorities, comprising a series of character strings separated by periods, with the rightmost character string specifying the top of the hierarchy. (Pen. Code, § 502(b)(13).)

   dd) "Electronic mail" means an electronic message or computer file that is transmitted between two or more telecommunications devices; computers; computer networks, regardless of whether the network is a local, regional, or global network; or electronic devices capable of receiving electronic messages, regardless of whether the message is converted to hard copy format after receipt, viewed upon transmission, or stored for later retrieval. (Pen. Code, § 502(b)(14).)

   ee) "Profile" means either of the following:

      i) A configuration of user data required by a computer so that the user may access programs or services and have the desired functionality on that computer; or

      ii) An Internet website user's personal page or section of a page that is made up of data, in text or graphical form, that displays significant, unique, or identifying information, including, but not limited to, listing acquaintances, interests, associations, activities, or personal statements. (Pen. Code, § 502(b)(15).)

FISCAL EFFECT: Unknown

COMMENTS:

1) Author's Statement: According to the author, "Cyber criminals compromise personal information for individual gain or to merely cause a disruption. This year, The California Department of Motor Vehicles computer system was hacked causing a data security breach in its credit card processing services. Existing fines are just a small sum compared to the dollar who have been violated. Ordinary computer hacking penalties do not sufficiently capture the emotional trauma and hardship that such data breach can cause. AB 32 will make crimes involving computer hacking punishable by up to $10,000 for misdemeanor offenses. It is important to keep up with the new emerging computer crimes to make sure that the violators do not go unpunished and to prevent future crimes in such circumstances."

2) Growing Concerns Regarding Privacy of Personal Images and the Internet: In recent years the attention of the media and policymakers has turned to privacy concerns raised by the sheer volume of data shared over internet connections. With the advent of wireless internet, more data is being transmitted than ever before through cyberspace. Over the last couple of years several serious incidents of the invasion of privacy have come to the forefront of national attention. (Opinion: the Biggest Privacy Outrages in 2014, Los Angeles Times, by Jon Healey).

   In August and September of 2014, dozens of women (including Jennifer Lawrence) had revealing photos misappropriated from Apple's iCloud storage site and they were posted on the "4chan" bulletin board for the public to view. Apple represents that the site was not hacked, but others believe that the photos were obtained by guessing the passwords of the victims. The incident alerted the public to the fact that many people's phones may be copying material automatically to the internet.

   In October of 2014 an unknown hacker assembled a gallery of more than 100,000 images and videos that people had sent via Snapchat. Snapchat markets itself as a web-based mobile application that allows users to send photos and videos to one another in a format that can only be viewed by the recipient, not copied or saved by the recipient. As it turns out, other web developers have created systems that enable users to make permanent copies of the temporary Snapchat files and store them in "the cloud" wherein they can be obtained by knowledgeable hackers.

3) Penalty Assessments: The amounts spelled out in statute as a fine for violating a criminal offense are base figures, as these amounts are subject to statutorily-imposed penalty assessments, such as fees and surcharges.

   Assuming a defendant is fined the maximum fine of $10,000 under Penal Code Section 502, the following penalty assessments would be imposed pursuant to the Government and Penal codes:

-------------------------------------------------------------------------------------------
|Base Fine:                                                                  |  $10,000.00|
|----------------------------------------------------------------------------+------------|
|Penal Code § 1464 assessment ($10 for every $10):                           |  $10,000.00|
|----------------------------------------------------------------------------+------------|
|Penal Code § 1465.7 assessment (20% surcharge):                             |   $2,000.00|
|----------------------------------------------------------------------------+------------|
|Penal Code § 1465.8 assessment ($40 per criminal offense):                  |      $40.00|
|----------------------------------------------------------------------------+------------|
|Government Code § 70372 assessment ($5 for every $10):                      |   $5,000.00|
|----------------------------------------------------------------------------+------------|
|Government Code § 70373 assessment ($30 for felony or misdemeanor offense): |      $30.00|
|----------------------------------------------------------------------------+------------|
|Government Code § 76000 assessment ($7 for every $10):                      |   $7,000.00|
|----------------------------------------------------------------------------+------------|
|Government Code § 76000.5 assessment ($2 for every $10):                    |   $2,000.00|
|----------------------------------------------------------------------------+------------|
|Government Code § 76104.6 assessment ($1 for every $10):                    |   $1,000.00|
|----------------------------------------------------------------------------+------------|
|Government Code § 76104.7 assessment ($4 for every $10):                    |   $4,000.00|
|----------------------------------------------------------------------------+------------|
|Fine with Assessments:                                                      | $41,070.00*|
-------------------------------------------------------------------------------------------

   *In addition to the assessments detailed in the chart, the
defendant could be subject to pay "actual administrative costs" related to his or her arrest and booking (Gov. Code, § 29550 et seq.) and victim restitution for damages imposed by the court.

4) "Cyber Revenge" or "Revenge Porn": Recently, there have been numerous publicized incidents of cyber revenge or revenge porn which involves the posting of nude or sexually explicit photos without the consent of the person depicted. While not every incident of revenge porn would involve illegally obtaining the photos by hacking into a computer system, revenge porn incidents can overlap with the privacy interests addressed in this bill.

5) Proposed Amendments: The proposed amendments modify the bill significantly from the introduced version. As introduced this bill added a second fine of up to $10,000 per image for a violation of specified sections of Penal Code § 502 when the image in question is of an intimate body part, as defined by the bill. In lieu of the additional fine, this bill raises the maximum fine for the offenses in Penal Code § 502 that were a maximum of $5,000 to fines with a maximum of $10,000. Additionally, the amendments maintain an extension of the statute of limitations for Penal Code § 502 offenses involving photographs of intimate body parts until the discovery of the photographs, as specified.

   All letters that were written in support and in opposition of the bill reflect the introduced version of the bill and not the proposed amended version of the bill.

6) Argument in Support: According to the Association for Los Angeles Deputy Sheriffs, "AB 32 will take critical steps to establish stronger penalties for violating personal privacy ... [the bill] would extend the timeframe for enforcing the penalty to one year from the discovery of the offense.

   "Current law does not provide a sufficient level of penalty to discourage individuals from committing these harmful crimes ... Strengthening the punishment will decrease the likelihood that computer hackers will choose to commit these types of intrusive violations. Further, the measure will ensure that justice will be served by establishing that a criminal complaint may be filed up to a year from discovery.

   "The public deserves to feel safe and secure in this age of emerging technology. Computers, cellular phones and cloud technology will continue to evolve into more integral components of our lives. Any effort that can be undertaken to safeguard the private personal information that is stored on these mediums should be applauded."

7) Argument in Opposition: According to the California Attorneys for Criminal Justice, "Penal Code section 502 is already extremely broad. Anyone who '[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer system, or computer network, or takes or copies any supporting documentation whether existing or residing internal or external to a computer, computer system, or computer network' can be fined $10,000 and may be sentenced to prison for up to 2 years (Penal Code 502 subd. (c)(2) & (d)(1)."

8) Prior Legislation:

   a) AB 1649 (Waldron), Chapter 379, Statutes of 2014, specified the penalties for any person who disrupts or causes the disruption of, adds, alters, damages, destroys, provides or assists in providing a means of accessing, or introduces any computer contaminant into a "government computer system" or a "public safety infrastructure computer system," as specified, and changed and added the definition of specified terms.

   b) SB 255 (Cannella), Chapter 466, Statutes of 2014, created a new misdemeanor for the distribution of a consensually taken image of an identifiable person in a state of full or partial undress when the image is distributed with the intent to cause serious emotional distress, and the person suffers such distress.

REGISTERED SUPPORT / OPPOSITION:

Support

Association of Deputy District Attorneys
Association for Los Angeles Deputy Sheriffs
California College and University Police Chiefs
California Communities United Institute
Los Angeles Police Protective League
Riverside Sheriffs Association

Opposition

California Attorneys for Criminal Justice
California Public Defenders Association

Analysis Prepared by: Gabriel Caswell / PUB. S. / (916) 319-3744