Amended in Senate March 28, 2016

Senate Bill No. 1137


Introduced by Senator Hertzberg

begin insert

(Principal coauthor: Senator Beall)

end insert
begin insert

(Coauthors: Senators Anderson, Bates, Hill, Liu, and Wieckowski)

end insert
begin insert

(Coauthors: Assembly Members Brough, Chávez, Dodd, Lackey, Low, and Obernolte)

end insert

February 18, 2016


An act to amend Section 502 of the Penal Code, relating to computer crimes.

LEGISLATIVE COUNSEL’S DIGEST

SB 1137, as amended, Hertzberg. Computer crimes: ransomware.

Existing law establishes various crimes relating to computer services and systems, including, but not limited to, knowingly introducing a computer contaminant, as defined. Existing law makes a violation of those crimes punishable by specified fines or terms of imprisonment, or by both those fines and imprisonment.

Existing law defines extortion as obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear. Existing law makes extortion a crime, punishable by imprisonment in a county jail for 2, 3, or 4 years.

This bill would define ransomware as a computer contaminant that restricts access to the infected computer and demands that the user pay a ransom to remove the restriction. The bill would make it a crime for a person to knowingly introduce ransomware into any computer, computer system, or computer network. The bill would make a violation of this provision punishable by imprisonment in a county jail for 2, 3, or 4 years and a fine not exceeding $10,000.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.

The people of the State of California do enact as follows:

SECTION 1. Section 502 of the Penal Code is amended to read:

502. (a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data.

The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.

(b) For the purposes of this section, the following terms have the following meanings:

(1) “Access” means to gain entry to, instruct, cause input to, cause output from, cause data processing with, or communicate with, the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.

(2) “Computer network” means any system that provides communications between one or more computer systems and input/output devices, including, but not limited to, display terminals, remote systems, mobile devices, and printers connected by telecommunication facilities.

(3) “Computer program or software” means a set of instructions or statements, and related data, that when executed in actual or modified form, cause a computer, computer system, or computer network to perform specified functions.

(4) “Computer services” includes, but is not limited to, computer time, data processing, or storage functions, Internet services, electronic mail services, electronic message services, or other uses of a computer, computer system, or computer network.

(5) “Computer system” means a device or collection of devices, including support devices and excluding calculators that are not programmable and capable of being used in conjunction with external files, one or more of which contain computer programs, electronic instructions, input data, and output data, that performs functions, including, but not limited to, logic, arithmetic, data storage and retrieval, communication, and control.

(6) “Government computer system” means any computer system, or part thereof, that is owned, operated, or used by any federal, state, or local governmental entity.

(7) “Public safety infrastructure computer system” means any computer system, or part thereof, that is necessary for the health and safety of the public including computer systems owned, operated, or used by drinking water and wastewater treatment facilities, hospitals, emergency service providers, telecommunication companies, and gas and electric utility companies.

(8) “Data” means a representation of information, knowledge, facts, concepts, computer software, or computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device.

(9) “Supporting documentation” includes, but is not limited to, all information, in any form, pertaining to the design, construction, classification, implementation, use, or modification of a computer, computer system, computer network, computer program, or computer software, which information is not generally available to the public and is necessary for the operation of a computer, computer system, computer network, computer program, or computer software.

(10) “Injury” means any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access, or the denial of access to legitimate users of a computer system, network, or program.

(11) “Victim expenditure” means any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, deleted, damaged, or destroyed by the access.

(12) “Computer contaminant” means any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, that are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network.

(13) “Internet domain name” means a globally unique, hierarchical reference to an Internet host or service, assigned through centralized Internet naming authorities, comprising a series of character strings separated by periods, with the rightmost character string specifying the top of the hierarchy.

(14) “Electronic mail” means an electronic message or computer file that is transmitted between two or more telecommunications devices; computers; computer networks, regardless of whether the network is a local, regional, or global network; or electronic devices capable of receiving electronic messages, regardless of whether the message is converted to hard copy format after receipt, viewed upon transmission, or stored for later retrieval.

(15) “Profile” means either of the following:

(A) A configuration of user data required by a computer so that the user may access programs or services and have the desired functionality on that computer.

(B) An Internet Web site user’s personal page or section of a page that is made up of data, in text or graphical form, that displays significant, unique, or identifying information, including, but not limited to, listing acquaintances, interests, associations, activities, or personal statements.

(16) “Ransomware” means a computer contaminant that restricts access to the infected computer system in some way and demands that the user pay a ransom to the person responsible for the computer contaminant to remove the restriction. Ransomware may systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption begin delete key, end delete begin insert key or other unlocking device, end insert or may simply lock the system and display messages intended to coax the user into paying.

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

(3) Knowingly and without permission uses or causes to be used computer services.

(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.

(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.

(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

(8) Knowingly introduces any computer contaminant into any computer, computer system, or computer network.

(9) Knowingly and without permission uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damages or causes damage to a computer, computer data, computer system, or computer network.

(10) Knowingly and without permission disrupts or causes the disruption of government computer services or denies or causes the denial of government computer services to an authorized user of a government computer, computer system, or computer network.

(11) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a public safety infrastructure computer system computer, computer system, or computer network.

(12) Knowingly and without permission disrupts or causes the disruption of public safety infrastructure computer system computer services or denies or causes the denial of computer services to an authorized user of a public safety infrastructure computer system computer, computer system, or computer network.

(13) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or public safety infrastructure computer system computer, computer system, or computer network in violation of this section.

(14) Knowingly introduces any computer contaminant into any public safety infrastructure computer system computer, computer system, or computer network.

(15) Knowingly introduces ransomware into any computer, computer system, or computer network.

(d) (1) Any person who violates any of the provisions of paragraph (1), (2), (4), (5), (10), (11), or (12) of subdivision (c) is guilty of a felony, punishable by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years and a fine not exceeding ten thousand dollars ($10,000), or a misdemeanor, punishable by imprisonment in a county jail not exceeding one year, by a fine not exceeding five thousand dollars ($5,000), or by both that fine and imprisonment.

(2) Any person who violates paragraph (3) of subdivision (c) is punishable as follows:

(A) For the first violation that does not result in injury, and where the value of the computer services used does not exceed nine hundred fifty dollars ($950), by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(B) For any violation that results in a victim expenditure in an amount greater than five thousand dollars ($5,000) or in an injury, or if the value of the computer services used exceeds nine hundred fifty dollars ($950), or for any second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(3) Any person who violates paragraph (6), (7), or (13) of subdivision (c) is punishable as follows:

(A) For a first violation that does not result in injury, an infraction punishable by a fine not exceeding one thousand dollars ($1,000).

(B) For any violation that results in a victim expenditure in an amount not greater than five thousand dollars ($5,000), or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(C) For any violation that results in a victim expenditure in an amount greater than five thousand dollars ($5,000), by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(4) Any person who violates paragraph (8) or (14) of subdivision (c) is punishable as follows:

(A) For a first violation that does not result in injury, a misdemeanor punishable by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(B) For any violation that results in injury, or for a second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in a county jail not exceeding one year, or by imprisonment pursuant to subdivision (h) of Section 1170, or by both that fine and imprisonment.

(5) Any person who violates paragraph (9) of subdivision (c) is punishable as follows:

(A) For a first violation that does not result in injury, an infraction punishable by a fine not exceeding one thousand dollars ($1,000).

(B) For any violation that results in injury, or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(6) Any person who violates paragraph (15) of subdivision (c) is guilty of a felony, punishable by imprisonment pursuant to subdivision (h) of Section 1170 for two, three, or four years and a fine not exceeding ten thousand dollars ($10,000).

(e) (1) In addition to any other civil remedy available, the owner or lessee of the computer, computer system, computer network, computer program, or data who suffers damage or loss by reason of a violation of any of the provisions of subdivision (c) may bring a civil action against the violator for compensatory damages and injunctive relief or other equitable relief. Compensatory damages shall include any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access. For the purposes of actions authorized by this subdivision, the conduct of an unemancipated minor shall be imputed to the parent or legal guardian having control or custody of the minor, pursuant to the provisions of Section 1714.1 of the Civil Code.

(2) In any action brought pursuant to this subdivision the court may award reasonable attorney’s fees.

(3) A community college, state university, or academic institution accredited in this state is required to include computer-related crimes as a specific violation of college or university student conduct policies and regulations that may subject a student to disciplinary sanctions up to and including dismissal from the academic institution. This paragraph shall not apply to the University of California unless the Board of Regents adopts a resolution to that effect.

(4) In any action brought pursuant to this subdivision for a willful violation of the provisions of subdivision (c), where it is proved by clear and convincing evidence that a defendant has been guilty of oppression, fraud, or malice as defined in subdivision (c) of Section 3294 of the Civil Code, the court may additionally award punitive or exemplary damages.

(5) No action may be brought pursuant to this subdivision unless it is initiated within three years of the date of the act complained of, or the date of the discovery of the damage, whichever is later.

(f) This section shall not be construed to preclude the applicability of any other provision of the criminal law of this state which applies or may apply to any transaction, nor shall it make illegal any employee labor relations activities that are within the scope and protection of state or federal labor laws.

(g) Any computer, computer system, computer network, or any software or data, owned by the defendant, that is used during the commission of any public offense described in subdivision (c) or any computer, owned by the defendant, which is used as a repository for the storage of software or data illegally obtained in violation of subdivision (c) shall be subject to forfeiture, as specified in Section 502.01.

(h) (1) Subdivision (c) does not apply to punish any acts which are committed by a person within the scope of his or her lawful employment. For purposes of this section, a person acts within the scope of his or her employment when he or she performs acts which are reasonably necessary to the performance of his or her work assignment.

(2) Paragraph (3) of subdivision (c) does not apply to penalize any acts committed by a person acting outside of his or her lawful employment, provided that the employee’s activities do not cause an injury, to the employer or another, or provided that the value of supplies or computer services which are used does not exceed an accumulated total of two hundred fifty dollars ($250).

(i) No activity exempted from prosecution under paragraph (2) of subdivision (h) which incidentally violates paragraph (2), (4), or (7) of subdivision (c) shall be prosecuted under those paragraphs.

(j) For purposes of bringing a civil or a criminal action under this section, a person who causes, by any means, the access of a computer, computer system, or computer network in one jurisdiction from another jurisdiction is deemed to have personally accessed the computer, computer system, or computer network in each jurisdiction.

(k) In determining the terms and conditions applicable to a person convicted of a violation of this section the court shall consider the following:

(1) The court shall consider prohibitions on access to and use of computers.

(2) Except as otherwise required by law, the court shall consider alternate sentencing, including community service, if the defendant shows remorse and recognition of the wrongdoing, and an inclination not to repeat the offense.

SEC. 2. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.


