Amended in Senate March 31, 2016

Amended in Senate March 28, 2016

Senate Bill No. 1137


Introduced by Senator Hertzberg

(Principal coauthor: Senator Beall)

(Coauthors: Senators Anderson, Bates, Hill, begin insert Huff, end insert Liu, and Wieckowski)

(Coauthors: Assembly Members Brough, Chávez, Dodd, Lackey, Low, and Obernolte)

February 18, 2016


An act to amend Section 502 of the Penal Code, relating to computer crimes.

LEGISLATIVE COUNSEL’S DIGEST

SB 1137, as amended, Hertzberg. Computer crimes: ransomware.

Existing law establishes various crimes relating to computer services and systems, including, but not limited to, knowingly introducing a computer contaminant, as defined. Existing law makes a violation of those crimes punishable by specified fines or terms of imprisonment, or by both those fines and imprisonment.

Existing law defines extortion as obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear. Existing law makes extortion a crime, punishable by imprisonment in a county jail for 2, 3, or 4 years.

This bill would define ransomware as a computer begin insert or data end insert contaminant begin insert or lock placed in or introduced into a computer system, computer or data in a computer system, or computer end insert that restricts access to the begin delete infected computer and demands that the user pay a ransom to remove the restriction. end delete begin insert system, computer, or data in some way, and under circumstances in which the person responsible for the ransomware demands payment of money or other consideration to remove the contaminant, unlock the computer system or computer, or repair the injury done to the computer system, computer, or data by the contaminant or lock. The bill would provide that a person is responsible for placing or introducing a contaminant or lock into a computer system, computer or data on a computer system, or computer if the person directly places or introduces the contaminant or lock, directs another to do so, or induces another person do so, with the intent of demanding payment or other consideration to remove the contaminant, unlock the computer system or computer, or repair the computer system, computer or data on the computer system, or computer. end insert The bill would make it a crime for a person to knowingly introduce ransomware into any computer, computer system, or computer network. The bill would make a violation of this provision punishable by imprisonment in a county jail for 2, 3, or 4 years and a fine not exceeding $10,000. begin insert The bill would specify that prosecution under that provision does not prohibit or limit prosecution under any other law. end insert

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.

The people of the State of California do enact as follows:

SECTION 1. Section 502 of the Penal Code is amended to read:

502. (a) It is the intent of the Legislature in enacting this
section to expand the degree of protection afforded to individuals,
businesses, and governmental agencies from tampering,
interference, damage, and unauthorized access to lawfully created
computer data and computer systems. The Legislature finds and
declares that the proliferation of computer technology has resulted
in a concomitant proliferation of computer crime and other forms
of unauthorized access to computers, computer systems, and
computer data.

The Legislature further finds and declares that protection of the
integrity of all types and forms of lawfully created computers,
computer systems, and computer data is vital to the protection of
the privacy of individuals as well as to the well-being of financial
institutions, business concerns, governmental agencies, and others
within this state that lawfully utilize those computers, computer
systems, and data.

(b) For the purposes of this section, the following terms have
the following meanings:

(1) “Access” means to gain entry to, instruct, cause input to,
cause output from, cause data processing with, or communicate
with, the logical, arithmetical, or memory function resources of a
computer, computer system, or computer network.

(2) “Computer network” means any system that provides
communications between one or more computer systems and
input/output devices, including, but not limited to, display
terminals, remote systems, mobile devices, and printers connected
by telecommunication facilities.

(3) “Computer program or software” means a set of instructions
or statements, and related data, that when executed in actual or
modified form, cause a computer, computer system, or computer
network to perform specified functions.

(4) “Computer services” includes, but is not limited to, computer
time, data processing, or storage functions, Internet services,
electronic mail services, electronic message services, or other uses
of a computer, computer system, or computer network.

(5) “Computer system” means a device or collection of devices,
including support devices and excluding calculators that are not
programmable and capable of being used in conjunction with
external files, one or more of which contain computer programs,
electronic instructions, input data, and output data, that performs
functions, including, but not limited to, logic, arithmetic, data
storage and retrieval, communication, and control.

(6) “Government computer system” means any computer system,
or part thereof, that is owned, operated, or used by any federal,
state, or local governmental entity.

(7) “Public safety infrastructure computer system” means any
computer system, or part thereof, that is necessary for the health
and safety of the public including computer systems owned,
operated, or used by drinking water and wastewater treatment
facilities, hospitals, emergency service providers,
telecommunication companies, and gas and electric utility
companies.

(8) “Data” means a representation of information, knowledge,
facts, concepts, computer software, or computer programs or
instructions. Data may be in any form, in storage media, or as
stored in the memory of the computer or in transit or presented on
a display device.

(9) “Supporting documentation” includes, but is not limited to,
all information, in any form, pertaining to the design, construction,
classification, implementation, use, or modification of a computer,
computer system, computer network, computer program, or
computer software, which information is not generally available
to the public and is necessary for the operation of a computer,
computer system, computer network, computer program, or
computer software.

(10) “Injury” means any alteration, deletion, damage, or
destruction of a computer system, computer network, computer
program, or data caused by the access, or the denial of access to
legitimate users of a computer system, network, or program.

(11) “Victim expenditure” means any expenditure reasonably
and necessarily incurred by the owner or lessee to verify that a
computer system, computer network, computer program, or data
was or was not altered, deleted, damaged, or destroyed by the
access.

(12) “Computer contaminant” means any set of computer
instructions that are designed to modify, damage, destroy, record,
or transmit information within a computer, computer system, or
computer network without the intent or permission of the owner
of the information. They include, but are not limited to, a group
of computer instructions commonly called viruses or worms, that
are self-replicating or self-propagating and are designed to
contaminate other computer programs or computer data, consume
computer resources, modify, destroy, record, or transmit data, or
in some other fashion usurp the normal operation of the computer,
computer system, or computer network.

(13) “Internet domain name” means a globally unique,
hierarchical reference to an Internet host or service, assigned
through centralized Internet naming authorities, comprising a series
of character strings separated by periods, with the rightmost
character string specifying the top of the hierarchy.

(14) “Electronic mail” means an electronic message or computer
file that is transmitted between two or more telecommunications
devices; computers; computer networks, regardless of whether the
network is a local, regional, or global network; or electronic devices
capable of receiving electronic messages, regardless of whether
the message is converted to hard copy format after receipt, viewed
upon transmission, or stored for later retrieval.

(15) “Profile” means either of the following:

(A) A configuration of user data required by a computer so that
the user may access programs or services and have the desired
functionality on that computer.

(B) An Internet Web site user’s personal page or section of a
page that is made up of data, in text or graphical form, that displays
significant, unique, or identifying information, including, but not
limited to, listing acquaintances, interests, associations, activities,
or personal statements.

(16) begin insert (A) end insert “Ransomware” means a computer begin insert or data end insert contaminant begin insert or lock placed in or introduced into a computer system, computer or data in a computer system, or computer end insert that restricts access to the begin delete infected computer system end delete begin insert system, computer, or data end insert in some begin delete way end delete begin insert way, end insert and begin insert under circumstances in which the person responsible for the ransomware end insert demands begin delete that the user pay a ransom to the person responsible for the computer contaminant end delete begin insert payment of money or other consideration end insert to remove the begin delete restriction. Ransomware may systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key or other unlocking device, or may simply lock the system and display messages intended to coax the user into paying. end delete begin insert contaminant, unlock the computer system or computer, or repair the injury done to the computer system, computer, or data by the contaminant or lock. end insert

begin insert

(B) A person is responsible for placing or introducing a
contaminant or lock into a computer system, computer or data on
a computer system, or computer if the person directly places or
introduces the contaminant or lock, directs another to do so, or
induces another person do so, with the intent of demanding
payment or other consideration to remove the contaminant, unlock
the computer system or computer, or repair the computer system,
computer or data on the computer system, or computer.

end insert

(c) Except as provided in subdivision (h), any person who
commits any of the following acts is guilty of a public offense:

(1) Knowingly accesses and without permission alters, damages,
deletes, destroys, or otherwise uses any data, computer, computer
system, or computer network in order to either (A) devise or
execute any scheme or artifice to defraud, deceive, or extort, or
(B) wrongfully control or obtain money, property, or data.

(2) Knowingly accesses and without permission takes, copies,
or makes use of any data from a computer, computer system, or
computer network, or takes or copies any supporting
documentation, whether existing or residing internal or external
to a computer, computer system, or computer network.

(3) Knowingly and without permission uses or causes to be used
computer services.

(4) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software, or
computer programs which reside or exist internal or external to a
computer, computer system, or computer network.

(5) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the denial of
computer services to an authorized user of a computer, computer
system, or computer network.

(6) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system, or
computer network in violation of this section.

(7) Knowingly and without permission accesses or causes to be
accessed any computer, computer system, or computer network.

(8) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network.

(9) Knowingly and without permission uses the Internet domain
name or profile of another individual, corporation, or entity in
connection with the sending of one or more electronic mail
messages or posts and thereby damages or causes damage to a
computer, computer data, computer system, or computer network.

(10) Knowingly and without permission disrupts or causes the
disruption of government computer services or denies or causes
the denial of government computer services to an authorized user
of a government computer, computer system, or computer network.

(11) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software, or
computer programs which reside or exist internal or external to a
public safety infrastructure computer system computer, computer
system, or computer network.

(12) Knowingly and without permission disrupts or causes the
disruption of public safety infrastructure computer system computer
services or denies or causes the denial of computer services to an
authorized user of a public safety infrastructure computer system
computer, computer system, or computer network.

(13) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system, or
public safety infrastructure computer system computer, computer
system, or computer network in violation of this section.

(14) Knowingly introduces any computer contaminant into any
public safety infrastructure computer system computer, computer
system, or computer network.

(15) Knowingly introduces ransomware into any computer,
computer system, or computer network.

(d) (1) Any person who violates any of the provisions of
paragraph (1), (2), (4), (5), (10), (11), or (12) of subdivision (c) is
guilty of a felony, punishable by imprisonment pursuant to
subdivision (h) of Section 1170 for 16 months, or two or three
years and a fine not exceeding ten thousand dollars ($10,000), or
a misdemeanor, punishable by imprisonment in a county jail not
exceeding one year, by a fine not exceeding five thousand dollars
($5,000), or by both that fine and imprisonment.

(2) Any person who violates paragraph (3) of subdivision (c)
is punishable as follows:

(A) For the first violation that does not result in injury, and
where the value of the computer services used does not exceed
nine hundred fifty dollars ($950), by a fine not exceeding five
thousand dollars ($5,000), or by imprisonment in a county jail not
exceeding one year, or by both that fine and imprisonment.

(B) For any violation that results in a victim expenditure in an
amount greater than five thousand dollars ($5,000) or in an injury,
or if the value of the computer services used exceeds nine hundred
fifty dollars ($950), or for any second or subsequent violation, by
a fine not exceeding ten thousand dollars ($10,000), or by
imprisonment pursuant to subdivision (h) of Section 1170 for 16
months, or two or three years, or by both that fine and
imprisonment, or by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one
year, or by both that fine and imprisonment.

(3) Any person who violates paragraph (6), (7), or (13) of
subdivision (c) is punishable as follows:

(A) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding one thousand dollars
($1,000).

(B) For any violation that results in a victim expenditure in an
amount not greater than five thousand dollars ($5,000), or for a
second or subsequent violation, by a fine not exceeding five
thousand dollars ($5,000), or by imprisonment in a county jail not
exceeding one year, or by both that fine and imprisonment.

(C) For any violation that results in a victim expenditure in an
amount greater than five thousand dollars ($5,000), by a fine not
exceeding ten thousand dollars ($10,000), or by imprisonment
pursuant to subdivision (h) of Section 1170 for 16 months, or two
or three years, or by both that fine and imprisonment, or by a fine
not exceeding five thousand dollars ($5,000), or by imprisonment
in a county jail not exceeding one year, or by both that fine and
imprisonment.

(4) Any person who violates paragraph (8) or (14) of subdivision
(c) is punishable as follows:

(A) For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.

(B) For any violation that results in injury, or for a second or
subsequent violation, by a fine not exceeding ten thousand dollars
($10,000), or by imprisonment in a county jail not exceeding one
year, or by imprisonment pursuant to subdivision (h) of Section
1170, or by both that fine and imprisonment.

(5) Any person who violates paragraph (9) of subdivision (c)
is punishable as follows:

(A) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding one thousand dollars
($1,000).

(B) For any violation that results in injury, or for a second or
subsequent violation, by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one
year, or by both that fine and imprisonment.

(6) Any person who violates paragraph (15) of subdivision (c)
is guilty of a felony, punishable by imprisonment pursuant to
subdivision (h) of Section 1170 for two, three, or four years and
a fine not exceeding ten thousand dollars ($10,000). begin insert Prosecution
under this paragraph does not prohibit or limit prosecution under
any other law. end insert

(e) (1) In addition to any other civil remedy available, the owner
or lessee of the computer, computer system, computer network,
computer program, or data who suffers damage or loss by reason
of a violation of any of the provisions of subdivision (c) may bring
a civil action against the violator for compensatory damages and
injunctive relief or other equitable relief. Compensatory damages
shall include any expenditure reasonably and necessarily incurred
by the owner or lessee to verify that a computer system, computer
network, computer program, or data was or was not altered,
damaged, or deleted by the access. For the purposes of actions
authorized by this subdivision, the conduct of an unemancipated
minor shall be imputed to the parent or legal guardian having
control or custody of the minor, pursuant to the provisions of
Section 1714.1 of the Civil Code.

(2) In any action brought pursuant to this subdivision the court
may award reasonable attorney’s fees.

(3) A community college, state university, or academic
institution accredited in this state is required to include
computer-related crimes as a specific violation of college or
university student conduct policies and regulations that may subject
a student to disciplinary sanctions up to and including dismissal
from the academic institution. This paragraph shall not apply to
the University of California unless the Board of Regents adopts a
resolution to that effect.

(4) In any action brought pursuant to this subdivision for a
willful violation of the provisions of subdivision (c), where it is
proved by clear and convincing evidence that a defendant has been
guilty of oppression, fraud, or malice as defined in subdivision (c)
of Section 3294 of the Civil Code, the court may additionally award
punitive or exemplary damages.

(5) No action may be brought pursuant to this subdivision unless
it is initiated within three years of the date of the act complained
of, or the date of the discovery of the damage, whichever is later.

(f) This section shall not be construed to preclude the
applicability of any other provision of the criminal law of this state
which applies or may apply to any transaction, nor shall it make
illegal any employee labor relations activities that are within the
scope and protection of state or federal labor laws.

(g) Any computer, computer system, computer network, or any
software or data, owned by the defendant, that is used during the
commission of any public offense described in subdivision (c) or
any computer, owned by the defendant, which is used as a
repository for the storage of software or data illegally obtained in
violation of subdivision (c) shall be subject to forfeiture, as
specified in Section 502.01.

(h) (1) Subdivision (c) does not apply to punish any acts which
are committed by a person within the scope of his or her lawful
employment. For purposes of this section, a person acts within the
scope of his or her employment when he or she performs acts
which are reasonably necessary to the performance of his or her
work assignment.

(2) Paragraph (3) of subdivision (c) does not apply to penalize
any acts committed by a person acting outside of his or her lawful
employment, provided that the employee’s activities do not cause
an injury, to the employer or another, or provided that the value
of supplies or computer services which are used does not exceed
an accumulated total of two hundred fifty dollars ($250).

(i) No activity exempted from prosecution under paragraph (2)
of subdivision (h) which incidentally violates paragraph (2), (4),
or (7) of subdivision (c) shall be prosecuted under those paragraphs.

(j) For purposes of bringing a civil or a criminal action under
this section, a person who causes, by any means, the access of a
computer, computer system, or computer network in one
jurisdiction from another jurisdiction is deemed to have personally
accessed the computer, computer system, or computer network in
each jurisdiction.

(k) In determining the terms and conditions applicable to a
person convicted of a violation of this section the court shall
consider the following:

(1) The court shall consider prohibitions on access to and use
of computers.

(2) Except as otherwise required by law, the court shall consider
alternate sentencing, including community service, if the defendant
shows remorse and recognition of the wrongdoing, and an
inclination not to repeat the offense.

SEC. 2. No reimbursement is required by this act pursuant to
Section 6 of Article XIII B of the California Constitution because
the only costs that may be incurred by a local agency or school
district will be incurred because this act creates a new crime or
infraction, eliminates a crime or infraction, or changes the penalty
for a crime or infraction, within the meaning of Section 17556 of
the Government Code, or changes the definition of a crime within
the meaning of Section 6 of Article XIII B of the California
Constitution.


