Amended in Assembly August 1, 2016

Amended in Senate March 31, 2016

Amended in Senate March 28, 2016

Senate Bill No. 1137


Introduced by Senator Hertzberg

(Principal coauthor: Senator Beall)

(Coauthors: Senators Anderson, Bates, [begin insert]Cannella,[end insert] Hill, Huff, Liu, [begin delete]and[end delete] [begin insert]Stone, and[end insert] Wieckowski)

(Coauthors: Assembly Members Brough, [begin insert]Chang, Chau,[end insert] Chávez, Dodd, [begin insert]Cristina Garcia,[end insert] Lackey, [begin insert]Lopez,[end insert] Low, [begin insert]Maienschein,[end insert] and Obernolte)

February 18, 2016


An act to amend Section 502 of the Penal Code, relating to computer crimes.

LEGISLATIVE COUNSEL’S DIGEST

SB 1137, as amended, Hertzberg. Computer crimes: ransomware.

Existing law establishes various crimes relating to computer services and systems, including, but not limited to, knowingly introducing a computer contaminant, as defined. Existing law makes a violation of those crimes punishable by specified fines or terms of imprisonment, or by both those fines and imprisonment.

Existing law defines extortion as obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear. Existing law makes extortion a crime, punishable by imprisonment in a county jail for 2, 3, or 4 years.

This bill would define ransomware as a computer [begin delete]or data contaminant or lock placed in or introduced into a computer system, computer or data in a computer system, or computer that restricts access to the system, computer, or data in some way, and under circumstances in which the person responsible for the ransomware demands payment of money or other consideration to remove the contaminant, unlock the computer system or computer, or repair the injury done to the computer system, computer, or data by the contaminant or lock. The bill would provide that a person is responsible for placing or introducing a contaminant or lock into a computer system, computer or data on a computer system, or computer if the person directly places or introduces the contaminant or lock, directs another to do so, or induces another person do so, with the intent of demanding payment or other consideration to remove the contaminant, unlock the computer system or computer, or repair the computer system, computer or data on the computer system, or computer.[end delete] [begin insert]contaminant or lock placed or introduced without authorization into a computer, computer system, or computer network that restricts access by an authorized person to the computer, computer system, computer network, or any data therein under circumstances in which the person responsible for the placement or introduction of the ransomware demands payment of money or other consideration to remove the computer contaminant, restore access to the computer, computer system, computer network, or data, or otherwise remediate the impact of the computer contaminant or lock. The bill would provide that a person is responsible for placing or introducing ransomware into a computer, computer system, or computer network if the person directly places or introduces the ransomware or directs or induces another person do so, with the intent of demanding payment or other consideration to remove the ransomware, restore access, or otherwise remediate the impact of the ransomware.[end insert] The bill would make it a crime for a person to knowingly introduce ransomware into any computer, computer system, or computer network. The bill would make a violation of this provision punishable by imprisonment in a county jail for 2, 3, or 4 years and a fine not exceeding $10,000. The bill would specify that prosecution under that provision does not prohibit or limit prosecution under any other law.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.

The people of the State of California do enact as follows:

SECTION 1. Section 502 of the Penal Code is amended to read:

502. (a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created [begin delete]computer data and computer systems.[end delete] [begin insert]computers, computer systems, computer networks, and data.[end insert] The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data.

The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, [begin insert]computer networks,[end insert] and [begin delete]computer[end delete] data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, [begin insert]computer networks,[end insert] and data.

(b) For the purposes of this section, the following terms have the following meanings:

(1) “Access” means to gain entry to, instruct, cause input to, cause output from, cause data processing with, or communicate with, the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.

(2) “Computer network” means any system that provides communications between one or more computer systems and input/output devices, including, but not limited to, display terminals, remote systems, mobile devices, and printers connected by telecommunication facilities.

(3) “Computer program or software” means a set of instructions or statements, and related data, that when executed in actual or modified form, cause a computer, computer system, or computer network to perform specified functions.

(4) “Computer services” includes, but is not limited to, computer time, data processing, or storage functions, Internet services, electronic mail services, electronic message services, or other uses of a computer, computer system, or computer network.

(5) “Computer system” means a device or collection of devices, including support devices and excluding calculators that are not programmable and capable of being used in conjunction with external files, one or more of which contain computer [begin delete]programs,[end delete] [begin insert]programs or software,[end insert] electronic instructions, input data, and output data, that performs functions, including, but not limited to, logic, arithmetic, data storage and retrieval, communication, and control.

(6) “Government computer system” means any computer system, or part thereof, that is owned, operated, or used by any federal, state, or local governmental entity.

(7) “Public safety infrastructure computer system” means any computer system, or part thereof, that is necessary for the health and safety of the public including computer systems owned, operated, or used by drinking water and wastewater treatment facilities, hospitals, emergency service providers, telecommunication companies, and gas and electric utility companies.

(8) “Data” means a representation of information, knowledge, facts, concepts, computer software, or computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device.

(9) “Supporting documentation” includes, but is not limited to, all information, in any form, pertaining to the design, construction, classification, implementation, use, or modification of a computer, computer system, computer network, computer program, or computer software, which information is not generally available to the public and is necessary for the operation of a computer, computer system, computer network, computer program, or computer software.

(10) “Injury” means any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access, or the denial of access to legitimate users of a computer system, network, or program.

(11) “Victim expenditure” means any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, deleted, damaged, or destroyed by the access.

(12) “Computer contaminant” means any set of computer instructions [begin insert]or data[end insert] that are designed to modify, damage, destroy, [begin insert]render inaccessible,[end insert] record, or transmit [begin delete]information[end delete] [begin insert]data[end insert] within a computer, computer system, or computer network without the intent or permission of the owner of the [begin delete]information.[end delete] [begin insert]data.[end insert] They include, but are not limited to, a group of computer instructions commonly called viruses or worms, [begin delete]that[end delete] [begin insert]which[end insert] are self-replicating or self-propagating and are designed to contaminate [begin insert]data or[end insert] other computer programs [begin delete]or computer data,[end delete] [begin insert]or software,[end insert] consume computer resources, [begin delete]modify, destroy, record, or transmit data, or in some other fashion[end delete] [begin insert]or otherwise[end insert] usurp the normal operation of the computer, computer system, or computer network.

(13) “Internet domain name” means a globally unique, hierarchical reference to an Internet host or service, assigned through centralized Internet naming authorities, comprising a series of character strings separated by periods, with the rightmost character string specifying the top of the hierarchy.

(14) “Electronic mail” means an electronic message or computer file that is transmitted between two or more telecommunications devices; computers; computer networks, regardless of whether the network is a local, regional, or global network; or electronic devices capable of receiving electronic messages, regardless of whether the message is converted to hard copy format after receipt, viewed upon transmission, or stored for later retrieval.

(15) “Profile” means either of the following:

(A) A configuration of user data required by a computer so that the user may access programs or services and have the desired functionality on that computer.

(B) An Internet Web site user’s personal page or section of a page that is made up of data, in text or graphical form, that displays significant, unique, or identifying information, including, but not limited to, listing acquaintances, interests, associations, activities, or personal statements.

(16) (A) “Ransomware” means a computer [begin delete]or data[end delete] contaminant or lock placed [begin delete]in[end delete] or introduced [begin insert]without authorization[end insert] into a [begin delete]computer system, computer or data in a computer system, or computer[end delete] [begin insert]computer, computer system, or computer network[end insert] that restricts access [begin delete]to the system, computer, or data in some way, and[end delete] [begin insert]by an authorized person to the computer, computer system, computer network, or any data therein[end insert] under circumstances in which the person responsible for the [begin insert]placement or introduction of the[end insert] ransomware demands payment of money or other consideration to remove the [begin insert]computer[end insert] contaminant, [begin delete]unlock the computer system or computer, or repair the injury done to the computer system, computer, or data by the[end delete] [begin insert]restore access to the computer, computer system, computer network, or data, or otherwise remediate the impact of the computer[end insert] contaminant or lock.

(B) A person is responsible for placing or introducing [begin delete]a contaminant or lock into a computer system, computer or data on a computer system, or computer[end delete] [begin insert]ransomware into a computer, computer system, or computer network[end insert] if the person directly places or introduces the [begin delete]contaminant or lock, directs another to do so, or[end delete] [begin insert]ransomware or directs or[end insert] induces another person do so, with the intent of demanding payment or other consideration to remove the [begin delete]contaminant, unlock the computer system or computer, or repair the computer system, computer or data on the computer system, or computer.[end delete] [begin insert]ransomware, restore access, or otherwise remediate the impact of the ransomware.[end insert]

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

(3) Knowingly and without permission uses or causes to be used computer services.

(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.

(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.

(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

(8) Knowingly introduces any computer contaminant into any computer, computer system, or computer network.

(9) Knowingly and without permission uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damages or causes damage to a computer, computer data, computer system, or computer network.

(10) Knowingly and without permission disrupts or causes the disruption of government computer services or denies or causes the denial of government computer services to an authorized user of a government computer, computer system, or computer network.

(11) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a public safety infrastructure computer system computer, computer system, or computer network.

(12) Knowingly and without permission disrupts or causes the disruption of public safety infrastructure computer system computer services or denies or causes the denial of computer services to an authorized user of a public safety infrastructure computer system computer, computer system, or computer network.

(13) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or public safety infrastructure computer system computer, computer system, or computer network in violation of this section.

(14) Knowingly introduces any computer contaminant into any public safety infrastructure computer system computer, computer system, or computer network.

(15) Knowingly introduces ransomware into any computer, computer system, or computer network.

(d) (1) Any person who violates any of the provisions of paragraph (1), (2), (4), (5), (10), (11), or (12) of subdivision (c) is guilty of a felony, punishable by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years and a fine not exceeding ten thousand dollars ($10,000), or a misdemeanor, punishable by imprisonment in a county jail not exceeding one year, by a fine not exceeding five thousand dollars ($5,000), or by both that fine and imprisonment.

(2) Any person who violates paragraph (3) of subdivision (c) is punishable as follows:

(A) For the first violation that does not result in injury, and where the value of the computer services used does not exceed nine hundred fifty dollars ($950), by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(B) For any violation that results in a victim expenditure in an amount greater than five thousand dollars ($5,000) or in an injury, or if the value of the computer services used exceeds nine hundred fifty dollars ($950), or for any second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(3) Any person who violates paragraph (6), (7), or (13) of subdivision (c) is punishable as follows:

(A) For a first violation that does not result in injury, an infraction punishable by a fine not exceeding one thousand dollars ($1,000).

(B) For any violation that results in a victim expenditure in an amount not greater than five thousand dollars ($5,000), or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(C) For any violation that results in a victim expenditure in an amount greater than five thousand dollars ($5,000), by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(4) Any person who violates paragraph (8) or (14) of subdivision (c) is punishable as follows:

(A) For a first violation that does not result in injury, a misdemeanor punishable by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(B) For any violation that results in injury, or for a second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in a county jail not exceeding one year, or by imprisonment pursuant to subdivision (h) of Section 1170, or by both that fine and imprisonment.

(5) Any person who violates paragraph (9) of subdivision (c) is punishable as follows:

(A) For a first violation that does not result in injury, an infraction punishable by a fine not exceeding one thousand dollars ($1,000).

(B) For any violation that results in injury, or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(6) Any person who violates paragraph (15) of subdivision (c) is guilty of a felony, punishable by imprisonment pursuant to subdivision (h) of Section 1170 for two, three, or four years and a fine not exceeding ten thousand dollars ($10,000). Prosecution under this paragraph does not prohibit or limit prosecution under any other law.

(e) (1) In addition to any other civil remedy available, the owner or lessee of the computer, computer system, computer network, computer program, or data who suffers damage or loss by reason of a violation of any of the provisions of subdivision (c) may bring a civil action against the violator for compensatory damages and injunctive relief or other equitable relief. Compensatory damages shall include any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access. For the purposes of actions authorized by this subdivision, the conduct of an unemancipated minor shall be imputed to the parent or legal guardian having control or custody of the minor, pursuant to the provisions of Section 1714.1 of the Civil Code.

(2) In any action brought pursuant to this subdivision the court may award reasonable attorney’s fees.

(3) A community college, state university, or academic institution accredited in this state is required to include computer-related crimes as a specific violation of college or university student conduct policies and regulations that may subject a student to disciplinary sanctions up to and including dismissal from the academic institution. This paragraph shall not apply to the University of California unless the Board of Regents adopts a resolution to that effect.

(4) In any action brought pursuant to this subdivision for a willful violation of the provisions of subdivision (c), where it is proved by clear and convincing evidence that a defendant has been guilty of oppression, fraud, or malice as defined in subdivision (c) of Section 3294 of the Civil Code, the court may additionally award punitive or exemplary damages.

(5) No action may be brought pursuant to this subdivision unless it is initiated within three years of the date of the act complained of, or the date of the discovery of the damage, whichever is later.

(f) This section shall not be construed to preclude the applicability of any other provision of the criminal law of this state which applies or may apply to any transaction, nor shall it make illegal any employee labor relations activities that are within the scope and protection of state or federal labor laws.

(g) Any computer, computer system, computer network, or any software or data, owned by the defendant, that is used during the commission of any public offense described in subdivision (c) or any computer, owned by the defendant, which is used as a repository for the storage of software or data illegally obtained in violation of subdivision (c) shall be subject to forfeiture, as specified in Section 502.01.

(h) (1) Subdivision (c) does not apply to punish any acts which are committed by a person within the scope of his or her lawful employment. For purposes of this section, a person acts within the scope of his or her employment when he or she performs acts which are reasonably necessary to the performance of his or her work assignment.

(2) Paragraph (3) of subdivision (c) does not apply to penalize any acts committed by a person acting outside of his or her lawful employment, provided that the employee’s activities do not cause an injury, to the employer or another, or provided that the value of supplies or computer services which are used does not exceed an accumulated total of two hundred fifty dollars ($250).

(i) No activity exempted from prosecution under paragraph (2) of subdivision (h) which incidentally violates paragraph (2), (4), or (7) of subdivision (c) shall be prosecuted under those paragraphs.

(j) For purposes of bringing a civil or a criminal action under this section, a person who causes, by any means, the access of a computer, computer system, or computer network in one jurisdiction from another jurisdiction is deemed to have personally accessed the computer, computer system, or computer network in each jurisdiction.

(k) In determining the terms and conditions applicable to a person convicted of a violation of this section the court shall consider the following:

(1) The court shall consider prohibitions on access to and use of computers.

(2) Except as otherwise required by law, the court shall consider alternate sentencing, including community service, if the defendant shows remorse and recognition of the wrongdoing, and an inclination not to repeat the offense.

SEC. 2. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.


