Amended in Assembly April 6, 2015

California Legislature—2015–16 Regular Session

Assembly BillNo. 195


Introduced by Assembly Member Chau

January 28, 2015


An act to amendbegin delete Sections 502 andend deletebegin insert Sectionend insert 653f of the Penal Code, relating to computer crimes.

LEGISLATIVE COUNSEL’S DIGEST

AB 195, as amended, Chau. Unauthorized access to computer systems.

begin delete

(1) Existing

end delete

begin insertExistingend insert law establishes various crimes related to computer services and systems. Existing law makes it a crime to knowingly, and without permission, access, cause to be accessed, or provide or assist in providing a means of accessing, a computer, computer system, computer network, or computer data in violation of prescribed provisions, and defines related terms.

begin delete

This bill would specify that “computer network” for these purposes includes smartphones, as defined, and would make a conforming change.

end delete
begin delete

(2) Existing

end delete

begin insertExistingend insert law makes it a crime for a person, with the intent that the crime be committed, to solicit another to commit or join in the commission of prescribed crimes.

This bill would expand these provisions to make it a crime for a person, with the intent that the crime be committed, to solicit another to commit or join in the commission of the access crimes related to computer services and systems. The bill would make it a crime to offer to obtain or procure assistance for another to obtain unauthorized access, or to assist others in locating hacking services, as defined. The bill would make a violation of this provision punishable by imprisonment in a county jail for a term not to exceed 6 months, or imprisonment for a term not to exceed one year for subsequent violations.

begin delete

(3) By

end delete

begin insertByend insert expanding the definitions of existing crimes, this bill would impose a state-mandated local program.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.

The people of the State of California do enact as follows:

begin delete
P2    1

SECTION 1.  

Section 502 of the Penal Code is amended to
2read:

3

502.  

(a) It is the intent of the Legislature in enacting this
4section to expand the degree of protection afforded to individuals,
5businesses, and governmental agencies from tampering,
6interference, damage, and unauthorized access to lawfully created
7computer data and computer systems. The Legislature finds and
8declares that the proliferation of computer technology has resulted
9in a concomitant proliferation of computer crime and other forms
10of unauthorized access to computers, computer systems, and
11computer data.

12The Legislature further finds and declares that protection of the
13integrity of all types and forms of lawfully created computers,
14computer systems, and computer data is vital to the protection of
15the privacy of individuals as well as to the well-being of financial
16institutions, business concerns, governmental agencies, and others
17within this state that lawfully utilize those computers, computer
18systems, and data.

19(b) For the purposes of this section, the following terms have
20the following meanings:

21(1) “Access” means to gain entry to, instruct, cause input to,
22cause output from, cause data processing with, or communicate
P3    1with, the logical, arithmetical, or memory function resources of a
2computer, computer system, or computer network.

3(2) “Computer network” means any system that provides
4communications between one or more computer systems and
5input/output devices including, but not limited to, display terminals,
6remote systems, mobile devices, smartphones, and printers
7connected by telecommunication facilities.

8(3) “Computer program or software” means a set of instructions
9or statements, and related data, that when executed in actual or
10modified form, cause a computer, computer system, or computer
11network to perform specified functions.

12(4) “Computer services” includes, but is not limited to, computer
13time, data processing, or storage functions, Internet services,
14electronic mail services, electronic message services, or other uses
15of a computer, computer system, or computer network.

16(5) “Computer system” means a device or collection of devices,
17including support devices and excluding calculators that are not
18programmable and capable of being used in conjunction with
19external files, one or more of which contain computer programs,
20electronic instructions, input data, and output data, that performs
21functions including, but not limited to, logic, arithmetic, data
22storage and retrieval, communication, and control.

23(6) “Government computer system” means any computer system,
24or part thereof, that is owned, operated, or used by any federal,
25state, or local governmental entity.

26(7) “Public safety infrastructure computer system” means any
27computer system, or part thereof, that is necessary for the health
28and safety of the public including computer systems owned,
29operated, or used by drinking water and wastewater treatment
30facilities, hospitals, emergency service providers,
31telecommunication companies, and gas and electric utility
32companies.

33(8) “Data” means a representation of information, knowledge,
34facts, concepts, computer software, computer programs or
35instructions, or smartphone applications. Data may be in any form,
36in storage media, or as stored in the memory of the computer or
37in transit or presented on a display device.

38(9) “Supporting documentation” includes, but is not limited to,
39all information, in any form, pertaining to the design, construction,
40classification, implementation, use, or modification of a computer,
P4    1computer system, computer network, computer program, or
2computer software, which information is not generally available
3to the public and is necessary for the operation of a computer,
4computer system, computer network, computer program, or
5computer software.

6(10) “Injury” means any alteration, deletion, damage, or
7destruction of a computer system, computer network, computer
8program, or data caused by the access, or the denial of access to
9legitimate users of a computer system, network, or program.

10(11) “Victim expenditure” means any expenditure reasonably
11and necessarily incurred by the owner or lessee to verify that a
12computer system, computer network, computer program, or data
13was or was not altered, deleted, damaged, or destroyed by the
14access.

15(12) “Computer contaminant” means any set of computer
16instructions that are designed to modify, damage, destroy, record,
17or transmit information within a computer, computer system, or
18computer network without the intent or permission of the owner
19of the information. They include, but are not limited to, a group
20of computer instructions commonly called viruses or worms, that
21are self-replicating or self-propagating and are designed to
22contaminate other computer programs or computer data, consume
23computer resources, modify, destroy, record, or transmit data, or
24in some other fashion usurp the normal operation of the computer,
25computer system, or computer network.

26(13) “Internet domain name” means a globally unique,
27hierarchical reference to an Internet host or service, assigned
28through centralized Internet naming authorities, comprising a series
29of character strings separated by periods, with the rightmost
30character string specifying the top of the hierarchy.

31(14) “Electronic mail” means an electronic message or computer
32file that is transmitted between two or more telecommunications
33devices; computers; computer networks, regardless of whether the
34network is a local, regional, or global network; or electronic devices
35capable or receiving electronic messages, regardless of whether
36the message is converted to hard copy format after receipt, viewed
37upon transmission, or stored for later retrieval.

38(15) “Profile” means either of the following:

P5    1(A) A configuration of user data required by a computer so that
2the user may access programs or services and have the desired
3functionality on that computer.

4(B) An Internet Web site user’s personal page or section of a
5page that is made up of data, in text of graphical form, that displays
6significant, unique, or identifying information, including, but not
7limited to, listing acquaintances, interests, associations, activities,
8or personal statements.

9(16) “Smartphone” means a cellular radio telephone or other
10mobile communications device that performs many of the functions
11of a computer, typically having a touchscreen interface, Internet
12access, and an operating system capable of running downloaded
13applications.

14(c) Except as provided in subdivision (h), any person who
15commits any of the following acts is guilty of a public offense:

16(1) Knowingly accesses and without permission alters, damages,
17deletes, destroys, or otherwise uses any data, computer, computer
18system, or computer network in order to either (A) devise or
19execute any scheme or artifice to defraud, deceive, or extort, or
20(B) wrongfully control or obtain money, property, or data.

21(2) Knowingly accesses and without permission takes, copies,
22or makes use of any data from a computer, computer system, or
23computer network, or takes or copies any supporting
24documentation, whether existing or residing internal or external
25to a computer, computer system, or computer network.

26(3) Knowingly and without permission uses or causes to be used
27computer services.

28(4) Knowingly accesses and without permission adds, alters,
29damages, deletes, or destroys any data, computer software, or
30computer programs which reside or exist internal or external to a
31computer, computer system, or computer network.

32(5) Knowingly and without permission disrupts or causes the
33disruption of computer services or denies or causes the denial of
34computer services to an authorized user of a computer, computer
35system, or computer network.

36(6) Knowingly and without permission provides or assists in
37providing a means of accessing a computer, computer system, or
38computer network in violation of this section.

39(7) Knowingly and without permission accesses or causes to be
40accessed any computer, computer system, or computer network.

P6    1(8) Knowingly introduces any computer contaminant into any
2computer, computer system, or computer network.

3(9) Knowingly and without permission uses the Internet domain
4name or profile of another individual, corporation, or entity in
5connection with the sending of one or more electronic mail
6messages or posts and thereby damages or causes damage to a
7computer, computer data, computer system, or computer network.

8(10) Knowingly and without permission disrupts or causes the
9disruption of government computer services or denies or causes
10the denial of government computer services to an authorized user
11of a government computer, computer system, or computer network.

12(11) Knowingly accesses and without permission adds, alters,
13damages, deletes, or destroys any data, computer software, or
14computer programs which reside or exist internal or external to a
15public safety infrastructure computer system computer, computer
16system, or computer network.

17(12) Knowingly and without permission disrupts or causes the
18disruption of public safety infrastructure computer system computer
19services or denies or causes the denial of computer services to an
20authorized user of a public safety infrastructure computer system
21computer, computer system, or computer network.

22(13) Knowingly and without permission provides or assists in
23providing a means of accessing a computer, computer system, or
24public safety infrastructure computer system computer, computer
25system, or computer network in violation of this section.

26(14) Knowingly introduces any computer contaminant into any
27public safety infrastructure computer system computer, computer
28system, or computer network.

29(d) (1) Any person who violates any of the provisions of
30paragraph (1), (2), (4), (5), (10), (11), or (12) of subdivision (c) is
31punishable by a fine not exceeding ten thousand dollars ($10,000),
32or by imprisonment pursuant to subdivision (h) of Section 1170
33for 16 months, or two or three years, or by both that fine and
34imprisonment, or by a fine not exceeding five thousand dollars
35($5,000), or by imprisonment in a county jail not exceeding one
36year, or by both that fine and imprisonment.

37(2) Any person who violates paragraph (3) of subdivision (c)
38is punishable as follows:

39(A) For the first violation that does not result in injury, and
40where the value of the computer services used does not exceed
P7    1nine hundred fifty dollars ($950), by a fine not exceeding five
2thousand dollars ($5,000), or by imprisonment in a county jail not
3exceeding one year, or by both that fine and imprisonment.

4(B) For any violation that results in a victim expenditure in an
5amount greater than five thousand dollars ($5,000) or in an injury,
6or if the value of the computer services used exceeds nine hundred
7fifty dollars ($950), or for any second or subsequent violation, by
8a fine not exceeding ten thousand dollars ($10,000), or by
9imprisonment pursuant to subdivision (h) of Section 1170 for 16
10months, or two or three years, or by both that fine and
11imprisonment, or by a fine not exceeding five thousand dollars
12($5,000), or by imprisonment in a county jail not exceeding one
13year, or by both that fine and imprisonment.

14(3) Any person who violates paragraph (6), (7), or (13) of
15subdivision (c) is punishable as follows:

16(A) For a first violation that does not result in injury, an
17infraction punishable by a fine not exceeding one thousand dollars
18($1,000).

19(B) For any violation that results in a victim expenditure in an
20amount not greater than five thousand dollars ($5,000), or for a
21second or subsequent violation, by a fine not exceeding five
22thousand dollars ($5,000), or by imprisonment in a county jail not
23exceeding one year, or by both that fine and imprisonment.

24(C) For any violation that results in a victim expenditure in an
25amount greater than five thousand dollars ($5,000), by a fine not
26exceeding ten thousand dollars ($10,000), or by imprisonment
27pursuant to subdivision (h) of Section 1170 for 16 months, or two
28or three years, or by both that fine and imprisonment, or by a fine
29not exceeding five thousand dollars ($5,000), or by imprisonment
30in a county jail not exceeding one year, or by both that fine and
31imprisonment.

32(4) Any person who violates paragraph (8) or (14) of subdivision
33(c) is punishable as follows:

34(A) For a first violation that does not result in injury, a
35misdemeanor punishable by a fine not exceeding five thousand
36dollars ($5,000), or by imprisonment in a county jail not exceeding
37one year, or by both that fine and imprisonment.

38(B) For any violation that results in injury, or for a second or
39subsequent violation, by a fine not exceeding ten thousand dollars
40($10,000), or by imprisonment in a county jail not exceeding one
P8    1year, or by imprisonment pursuant to subdivision (h) of Section
21170, or by both that fine and imprisonment.

3(5) Any person who violates paragraph (9) of subdivision (c)
4is punishable as follows:

5(A) For a first violation that does not result in injury, an
6infraction punishable by a fine not exceeding one thousand dollars
7($1,000).

8(B) For any violation that results in injury, or for a second or
9subsequent violation, by a fine not exceeding five thousand dollars
10($5,000), or by imprisonment in a county jail not exceeding one
11year, or by both that fine and imprisonment.

12(e) (1) In addition to any other civil remedy available, the owner
13or lessee of the computer, computer system, computer network,
14computer program, or data who suffers damage or loss by reason
15of a violation of any of the provisions of subdivision (c) may bring
16a civil action against the violator for compensatory damages and
17injunctive relief or other equitable relief. Compensatory damages
18shall include any expenditure reasonably and necessarily incurred
19by the owner or lessee to verify that a computer system, computer
20network, computer program, or data was or was not altered,
21damaged, or deleted by the access. For the purposes of actions
22authorized by this subdivision, the conduct of an unemancipated
23minor shall be imputed to the parent or legal guardian having
24control or custody of the minor, pursuant to the provisions of
25Section 1714.1 of the Civil Code.

26(2) In any action brought pursuant to this subdivision the court
27may award reasonable attorney’s fees.

28(3) A community college, state university, or academic
29institution accredited in this state is required to include
30computer-related crimes as a specific violation of college or
31university student conduct policies and regulations that may subject
32a student to disciplinary sanctions up to and including dismissal
33from the academic institution. This paragraph shall not apply to
34the University of California unless the Board of Regents adopts a
35resolution to that effect.

36(4) In any action brought pursuant to this subdivision for a
37willful violation of the provisions of subdivision (c), where it is
38proved by clear and convincing evidence that a defendant has been
39guilty of oppression, fraud, or malice as defined in subdivision (c)
P9    1of Section 3294 of the Civil Code, the court may additionally award
2punitive or exemplary damages.

3(5) No action may be brought pursuant to this subdivision unless
4it is initiated within three years of the date of the act complained
5of, or the date of the discovery of the damage, whichever is later.

6(f) This section shall not be construed to preclude the
7applicability of any other provision of the criminal law of this state
8which applies or may apply to any transaction, nor shall it make
9illegal any employee labor relations activities that are within the
10scope and protection of state or federal labor laws.

11(g) Any computer, computer system, computer network, or any
12software or data, owned by the defendant, that is used during the
13commission of any public offense described in subdivision (c) or
14any computer, owned by the defendant, which is used as a
15repository for the storage of software or data illegally obtained in
16violation of subdivision (c) shall be subject to forfeiture, as
17specified in Section 502.01.

18(h) (1) Subdivision (c) does not apply to punish any acts which
19are committed by a person within the scope of his or her lawful
20 employment. For purposes of this section, a person acts within the
21scope of his or her employment when he or she performs acts
22which are reasonably necessary to the performance of his or her
23work assignment.

24(2) Paragraph (3) of subdivision (c) does not apply to penalize
25any acts committed by a person acting outside of his or her lawful
26employment, provided that the employee’s activities do not cause
27an injury, to the employer or another, or provided that the value
28of supplies or computer services which are used does not exceed
29an accumulated total of two hundred fifty dollars ($250).

30(i) No activity exempted from prosecution under paragraph (2)
31of subdivision (h) which incidentally violates paragraph (2), (4),
32or (7) of subdivision (c) shall be prosecuted under those paragraphs.

33(j) For purposes of bringing a civil or a criminal action under
34this section, a person who causes, by any means, the access of a
35computer, computer system, or computer network in one
36jurisdiction from another jurisdiction is deemed to have personally
37accessed the computer, computer system, or computer network in
38each jurisdiction.

P10   1(k) In determining the terms and conditions applicable to a
2person convicted of a violation of this section the court shall
3consider the following:

4(1) The court shall consider prohibitions on access to and use
5of computers.

6(2) Except as otherwise required by law, the court shall consider
7alternate sentencing, including community service, if the defendant
8shows remorse and recognition of the wrongdoing, and an
9inclination not to repeat the offense.

end delete
10

begin deleteSEC. 2.end delete
11begin insertSECTION 1.end insert  

Section 653f of the Penal Code is amended to
12read:

13

653f.  

(a) Every person who, with the intent that the crime be
14committed, solicits another to offer, accept, or join in the offer or
15acceptance of a bribe, or to commit or join in the commission of
16carjacking, robbery, burglary, grand theft, receiving stolen property,
17extortion, perjury, subornation of perjury, forgery, kidnapping,
18arson or assault with a deadly weapon or instrument or by means
19of force likely to produce great bodily injury, or, by the use of
20force or a threat of force, to prevent or dissuade any person who
21is or may become a witness from attending upon, or testifying at,
22any trial, proceeding, or inquiry authorized by law, shall be
23punished by imprisonment in a county jail for not more than one
24year or pursuant to subdivision (h) of Section 1170, or by a fine
25of not more than ten thousand dollars ($10,000), or the amount
26which could have been assessed for commission of the offense
27itself, whichever is greater, or by both the fine and imprisonment.

28(b) Every person who, with the intent that the crime be
29committed, solicits another to commit or join in the commission
30of murder shall be punished by imprisonment in the state prison
31for three, six, or nine years.

32(c) Every person who, with the intent that the crime be
33committed, solicits another to commit rape by force or violence,
34sodomy by force or violence, oral copulation by force or violence,
35or any violation of Section 264.1, 288, or 289, shall be punished
36by imprisonment in the state prison for two, three, or four years.

37(d) (1) Every person who, with the intent that the crime be
38committed, solicits another to commit an offense specified in
39Section 11352, 11379, 11379.5, 11379.6, or 11391 of the Health
40and Safety Code shall be punished by imprisonment in a county
P11   1jail not exceeding six months. Everybegin delete person,end deletebegin insert personend insert who, having
2been convicted of soliciting another to commit an offense specified
3in this subdivision, is subsequently convicted of the proscribed
4solicitation, shall be punished by imprisonment in a county jail
5not exceeding one year, or pursuant to subdivision (h) of Section
61170.

7(2) This subdivision does not apply where the term of
8imprisonment imposed under other provisions of law would result
9in a longer term of imprisonment.

10(e) Every person who, with the intent that the crime be
11committed, solicits another to commit an offense specified in
12Section 14014 of the Welfare and Institutions Code shall be
13punished by imprisonment in a county jail for not exceeding six
14months. Every person who, having been convicted of soliciting
15another to commit an offense specified in this subdivision, is
16subsequently convicted of the proscribed solicitation, shall be
17punished by imprisonment in a county jail not exceeding one year,
18or pursuant to subdivision (h) of Section 1170.

19(f) (1) Every person who, with the intent that the crime be
20committed, solicits another to commit an offense set forth in
21Section 502 shall be punished as set forth in paragraph (3).

22(2) Every person who, with the intent that the crime be
23committed, offers to solicit assistance for another to conduct
24activities in violation of Section 502 shall be punished as set forth
25in paragraph (3). This includes persons operating Internet Web
26sites that offer to assist others in locating hacking services. For the
27purposes of this section “hacking services” means assistance in
28the unauthorized access to computers, computer systems, or
29begin deletecomputerend delete data in violation of Section 502.

30(3) Every person who violates this subdivision shall be punished
31by imprisonment in a county jail for a period not to exceed six
32months. Every subsequent violation of this subdivision by that
33same person shall be punished by imprisonment in a county jail
34not exceeding onebegin delete year, or pursuant to subdivision (h) of Section
351170.end delete
begin insert year.end insert

36(g) An offense charged in violation of subdivision (a), (b), or
37(c) shall be proven by the testimony of two witnesses, or of one
38witness and corroborating circumstances. An offense charged in
39violation of subdivision (d), (e), or (f) shall be proven by the
40testimony of one witness and corroborating circumstances.

P12   1

begin deleteSEC. 3.end delete
2begin insertSEC. 2.end insert  

No reimbursement is required by this act pursuant to
3Section 6 of Article XIII B of the California Constitution because
4the only costs that may be incurred by a local agency or school
5district will be incurred because this act creates a new crime or
6infraction, eliminates a crime or infraction, or changes the penalty
7for a crime or infraction, within the meaning of Section 17556 of
8the Government Code, or changes the definition of a crime within
9the meaning of Section 6 of Article XIII B of the California
10Constitution.



O

    98