Amended in Assembly August 19, 2016

Amended in Assembly August 1, 2016

Amended in Senate March 31, 2016

Amended in Senate March 28, 2016

Senate Bill No. 1137


Introduced by Senator Hertzberg

(Principal coauthor: Senator Beall)

(Coauthors: Senators Anderson, Bates, Cannella, Hill, Huff, Liu, Stone, and Wieckowski)

(Coauthors: Assembly Members Brough, Chang, Chau, Chávez, Dodd, Cristina Garcia, Lackey, Lopez, Low, Maienschein, and Obernolte)

February 18, 2016


An act to amend Section begin delete 502 end delete begin insert 523 end insert of the Penal Code, relating to computer crimes.

LEGISLATIVE COUNSEL’S DIGEST

SB 1137, as amended, Hertzberg. Computer crimes: ransomware.

Existing law establishes various crimes relating to computer services and systems, including, but not limited to, knowingly introducing a computer contaminant, as defined. Existing law makes a violation of those crimes punishable by specified fines or terms of imprisonment, or by both those fines and imprisonment.

Existing law defines extortion as obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear. Existing law makes extortion a crime, punishable by imprisonment in a county jail for 2, 3, or 4 years.

This bill would define ransomware as a computer contaminant or lock placed or introduced without authorization into a computer, computer system, or computer network that restricts access by an authorized person to the computer, computer system, computer network, or any data therein under circumstances in which the person responsible for the placement or introduction of the ransomware demands payment of money or other consideration to remove the computer contaminant, restore access to the computer, computer system, computer network, or data, or otherwise remediate the impact of the computer contaminant or lock. The bill would provide that a person is responsible for placing or introducing ransomware into a computer, computer system, or computer network if the person directly places or introduces the ransomware or directs or induces another person to do so, with the intent of demanding payment or other consideration to remove the ransomware, restore access, or otherwise remediate the impact of the ransomware. The bill would begin delete make it a crime for a person to knowingly introduce ransomware into any computer, computer system, or computer network. The bill would make a violation of this provision punishable by imprisonment in a county jail for 2, 3, or 4 years and a fine not exceeding $10,000. The bill would specify that prosecution under that provision does not prohibit or limit prosecution under any other law. end delete begin insert provide that a person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable as if that money or other consideration were actually obtained by means of the ransomware. By expanding the scope of a crime, this bill would create a state-mandated local program. end insert

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.

The people of the State of California do enact as follows:

begin insert SECTION 1. end insert

begin insert Section 523 of the Penal Code is amended to read: end insert

523. begin insert (a) end insert Every person who, with intent to extort any money or other property from another, sends or delivers to any person any letter or other writing, whether subscribed or not, expressing or implying, or adapted to imply, any threat such as is specified in Section begin delete 519, end delete begin insert 519 end insert is punishable in the same manner as if such money or property were actually obtained by means of such threat.

begin insert

(b) (1) Every person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable pursuant to Section 520 in the same manner as if such money or other consideration were actually obtained by means of the ransomware.

end insert
begin insert

(2) Prosecution pursuant to this subdivision does not prohibit or limit prosecution under any other law.

end insert
begin insert

(c) (1) “Ransomware” means a computer contaminant, as defined in Section 502, or lock placed or introduced without authorization into a computer, computer system, or computer network that restricts access by an authorized person to the computer, computer system, computer network, or any data therein under circumstances in which the person responsible for the placement or introduction of the ransomware demands payment of money or other consideration to remove the computer contaminant, restore access to the computer, computer system, computer network, or data, or otherwise remediate the impact of the computer contaminant or lock.

end insert
begin insert

(2) A person is responsible for placing or introducing ransomware into a computer, computer system, or computer network if the person directly places or introduces the ransomware or directs or induces another person to do so, with the intent of demanding payment or other consideration to remove the ransomware, restore access, or otherwise remediate the impact of the ransomware.

end insert
begin insert SEC. 2. end insert

begin insert

No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.

end insert
begin delete

SECTION 1. Section 502 of the Penal Code is amended to read:

502. (a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computers, computer systems, computer networks, and data. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data.

The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, computer networks, and data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, computer networks, and data.

(b) For the purposes of this section, the following terms have the following meanings:

(1) “Access” means to gain entry to, instruct, cause input to, cause output from, cause data processing with, or communicate with, the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.

(2) “Computer network” means any system that provides communications between one or more computer systems and input/output devices, including, but not limited to, display terminals, remote systems, mobile devices, and printers connected by telecommunication facilities.

(3) “Computer program or software” means a set of instructions or statements, and related data, that when executed in actual or modified form, cause a computer, computer system, or computer network to perform specified functions.

(4) “Computer services” includes, but is not limited to, computer time, data processing, or storage functions, Internet services, electronic mail services, electronic message services, or other uses of a computer, computer system, or computer network.

(5) “Computer system” means a device or collection of devices, including support devices and excluding calculators that are not programmable and capable of being used in conjunction with external files, one or more of which contain computer programs or software, electronic instructions, input data, and output data, that performs functions, including, but not limited to, logic, arithmetic, data storage and retrieval, communication, and control.

(6) “Government computer system” means any computer system, or part thereof, that is owned, operated, or used by any federal, state, or local governmental entity.

(7) “Public safety infrastructure computer system” means any computer system, or part thereof, that is necessary for the health and safety of the public including computer systems owned, operated, or used by drinking water and wastewater treatment facilities, hospitals, emergency service providers, telecommunication companies, and gas and electric utility companies.

(8) “Data” means a representation of information, knowledge, facts, concepts, computer software, or computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device.

(9) “Supporting documentation” includes, but is not limited to, all information, in any form, pertaining to the design, construction, classification, implementation, use, or modification of a computer, computer system, computer network, computer program, or computer software, which information is not generally available to the public and is necessary for the operation of a computer, computer system, computer network, computer program, or computer software.

(10) “Injury” means any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access, or the denial of access to legitimate users of a computer system, network, or program.

(11) “Victim expenditure” means any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, deleted, damaged, or destroyed by the access.

(12) “Computer contaminant” means any set of computer instructions or data that are designed to modify, damage, destroy, render inaccessible, record, or transmit data within a computer, computer system, or computer network without the intent or permission of the owner of the data. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, which are self-replicating or self-propagating and are designed to contaminate data or other computer programs or software, consume computer resources, or otherwise usurp the normal operation of the computer, computer system, or computer network.

(13) “Internet domain name” means a globally unique, hierarchical reference to an Internet host or service, assigned through centralized Internet naming authorities, comprising a series of character strings separated by periods, with the rightmost character string specifying the top of the hierarchy.

(14) “Electronic mail” means an electronic message or computer file that is transmitted between two or more telecommunications devices; computers; computer networks, regardless of whether the network is a local, regional, or global network; or electronic devices capable of receiving electronic messages, regardless of whether the message is converted to hard copy format after receipt, viewed upon transmission, or stored for later retrieval.

(15) “Profile” means either of the following:

(A) A configuration of user data required by a computer so that the user may access programs or services and have the desired functionality on that computer.

(B) An Internet Web site user’s personal page or section of a page that is made up of data, in text or graphical form, that displays significant, unique, or identifying information, including, but not limited to, listing acquaintances, interests, associations, activities, or personal statements.

(16) (A) “Ransomware” means a computer contaminant or lock placed or introduced without authorization into a computer, computer system, or computer network that restricts access by an authorized person to the computer, computer system, computer network, or any data therein under circumstances in which the person responsible for the placement or introduction of the ransomware demands payment of money or other consideration to remove the computer contaminant, restore access to the computer, computer system, computer network, or data, or otherwise remediate the impact of the computer contaminant or lock.

(B) A person is responsible for placing or introducing ransomware into a computer, computer system, or computer network if the person directly places or introduces the ransomware or directs or induces another person do so, with the intent of demanding payment or other consideration to remove the ransomware, restore access, or otherwise remediate the impact of the ransomware.

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

(3) Knowingly and without permission uses or causes to be used computer services.

(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.

(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.

(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

(8) Knowingly introduces any computer contaminant into any computer, computer system, or computer network.

(9) Knowingly and without permission uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damages or causes damage to a computer, computer data, computer system, or computer network.

(10) Knowingly and without permission disrupts or causes the disruption of government computer services or denies or causes the denial of government computer services to an authorized user of a government computer, computer system, or computer network.

(11) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a public safety infrastructure computer system computer, computer system, or computer network.

(12) Knowingly and without permission disrupts or causes the disruption of public safety infrastructure computer system computer services or denies or causes the denial of computer services to an authorized user of a public safety infrastructure computer system computer, computer system, or computer network.

(13) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or public safety infrastructure computer system computer, computer system, or computer network in violation of this section.

(14) Knowingly introduces any computer contaminant into any public safety infrastructure computer system computer, computer system, or computer network.

(15) Knowingly introduces ransomware into any computer, computer system, or computer network.

(d) (1) Any person who violates any of the provisions of paragraph (1), (2), (4), (5), (10), (11), or (12) of subdivision (c) is guilty of a felony, punishable by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years and a fine not exceeding ten thousand dollars ($10,000), or a misdemeanor, punishable by imprisonment in a county jail not exceeding one year, by a fine not exceeding five thousand dollars ($5,000), or by both that fine and imprisonment.

(2) Any person who violates paragraph (3) of subdivision (c) is punishable as follows:

(A) For the first violation that does not result in injury, and where the value of the computer services used does not exceed nine hundred fifty dollars ($950), by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(B) For any violation that results in a victim expenditure in an amount greater than five thousand dollars ($5,000) or in an injury, or if the value of the computer services used exceeds nine hundred fifty dollars ($950), or for any second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(3) Any person who violates paragraph (6), (7), or (13) of subdivision (c) is punishable as follows:

(A) For a first violation that does not result in injury, an infraction punishable by a fine not exceeding one thousand dollars ($1,000).

(B) For any violation that results in a victim expenditure in an amount not greater than five thousand dollars ($5,000), or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(C) For any violation that results in a victim expenditure in an amount greater than five thousand dollars ($5,000), by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment pursuant to subdivision (h) of Section 1170 for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(4) Any person who violates paragraph (8) or (14) of subdivision (c) is punishable as follows:

(A) For a first violation that does not result in injury, a misdemeanor punishable by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(B) For any violation that results in injury, or for a second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in a county jail not exceeding one year, or by imprisonment pursuant to subdivision (h) of Section 1170, or by both that fine and imprisonment.

(5) Any person who violates paragraph (9) of subdivision (c) is punishable as follows:

(A) For a first violation that does not result in injury, an infraction punishable by a fine not exceeding one thousand dollars ($1,000).

(B) For any violation that results in injury, or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.

(6) Any person who violates paragraph (15) of subdivision (c) is guilty of a felony, punishable by imprisonment pursuant to subdivision (h) of Section 1170 for two, three, or four years and a fine not exceeding ten thousand dollars ($10,000). Prosecution under this paragraph does not prohibit or limit prosecution under any other law.

(e) (1) In addition to any other civil remedy available, the owner or lessee of the computer, computer system, computer network, computer program, or data who suffers damage or loss by reason of a violation of any of the provisions of subdivision (c) may bring a civil action against the violator for compensatory damages and injunctive relief or other equitable relief. Compensatory damages shall include any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access. For the purposes of actions authorized by this subdivision, the conduct of an unemancipated minor shall be imputed to the parent or legal guardian having control or custody of the minor, pursuant to the provisions of Section 1714.1 of the Civil Code.

(2) In any action brought pursuant to this subdivision the court may award reasonable attorney’s fees.

(3) A community college, state university, or academic institution accredited in this state is required to include computer-related crimes as a specific violation of college or university student conduct policies and regulations that may subject a student to disciplinary sanctions up to and including dismissal from the academic institution. This paragraph shall not apply to the University of California unless the Board of Regents adopts a resolution to that effect.

(4) In any action brought pursuant to this subdivision for a willful violation of the provisions of subdivision (c), where it is proved by clear and convincing evidence that a defendant has been guilty of oppression, fraud, or malice as defined in subdivision (c) of Section 3294 of the Civil Code, the court may additionally award punitive or exemplary damages.

(5) No action may be brought pursuant to this subdivision unless it is initiated within three years of the date of the act complained of, or the date of the discovery of the damage, whichever is later.

(f) This section shall not be construed to preclude the applicability of any other provision of the criminal law of this state which applies or may apply to any transaction, nor shall it make illegal any employee labor relations activities that are within the scope and protection of state or federal labor laws.

(g) Any computer, computer system, computer network, or any software or data, owned by the defendant, that is used during the commission of any public offense described in subdivision (c) or any computer, owned by the defendant, which is used as a repository for the storage of software or data illegally obtained in violation of subdivision (c) shall be subject to forfeiture, as specified in Section 502.01.

(h) (1) Subdivision (c) does not apply to punish any acts which are committed by a person within the scope of his or her lawful employment. For purposes of this section, a person acts within the scope of his or her employment when he or she performs acts which are reasonably necessary to the performance of his or her work assignment.

(2) Paragraph (3) of subdivision (c) does not apply to penalize any acts committed by a person acting outside of his or her lawful employment, provided that the employee’s activities do not cause an injury, to the employer or another, or provided that the value of supplies or computer services which are used does not exceed an accumulated total of two hundred fifty dollars ($250).

(i) No activity exempted from prosecution under paragraph (2) of subdivision (h) which incidentally violates paragraph (2), (4), or (7) of subdivision (c) shall be prosecuted under those paragraphs.

(j) For purposes of bringing a civil or a criminal action under this section, a person who causes, by any means, the access of a computer, computer system, or computer network in one jurisdiction from another jurisdiction is deemed to have personally accessed the computer, computer system, or computer network in each jurisdiction.

(k) In determining the terms and conditions applicable to a person convicted of a violation of this section the court shall consider the following:

(1) The court shall consider prohibitions on access to and use of computers.

(2) Except as otherwise required by law, the court shall consider alternate sentencing, including community service, if the defendant shows remorse and recognition of the wrongdoing, and an inclination not to repeat the offense.

SEC. 2. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.

end delete

