BILL ANALYSIS

SENATE COMMITTEE ON PUBLIC SAFETY
Senator Loni Hancock, Chair
2015 - 2016 Regular

Bill No:       SB 1137
Hearing Date:  April 12, 2016
Author:        Hertzberg
Version:       March 31, 2016
Urgency:       No
Fiscal:        Yes
Consultant:    JM

Subject: Computer Crimes: Ransomware

HISTORY

Source: TechNet; Los Angeles County District Attorney

Prior Legislation: AB 32 (Waldron) Ch. 614, Stats. 2015
                   AB 1649 (Waldron) Ch. 379, Statutes of 2014

Support: Association of Orange County Deputy Sheriffs; California Association of Licensed Investigators; California Police Chiefs Association; California State Sheriffs' Association; California Statewide Law Enforcement Association; Fraternal Order of Police, California State Lodge; Long Beach Police Officers Association; Sacramento County Deputy Sheriffs' Association

Opposition: Legal Services for Prisoners with Children

PURPOSE

The purpose of this bill is to: 1) separately define as a felony the crime of placing a contaminant or lock on a computer or computer system for the purpose of locking or controlling the computer, computer system or data files, coupled with a demand for payment of money or other consideration before the lock will be removed or control returned to the owner or authorized user; and, 2) specifically define such a contaminant or lock as "ransomware."
Existing law defines numerous computer or electronic data offenses and imposes a wide range of penalties based on the seriousness of the offense or the extent of harm caused by the defendant, including felony imprisonment pursuant to Penal Code Section 1170, subdivision (h) for a term of 16 months, two years or three years and a fine of up to $10,000, or as a misdemeanor by a fine not exceeding $5,000, or a fine of up to $1,000 or by imprisonment in a county jail not exceeding one year, or as an infraction. (Pen. Code § 502.) These penalties apply where any person knowingly:

- Accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to devise or execute any scheme or artifice to defraud, deceive, or extort, or wrongfully control or obtain money, property or data.
- Accesses and without permission takes, copies or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.
- Accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.
- Without permission, disrupts or causes the disruption of computer services, or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.
- Disrupts or improperly accesses a government or public safety computer system.
- Without permission provides or assists in providing a means of accessing, accesses, or causes to be accessed a computer, computer system, or computer network.
- Introduces any computer contaminant into any computer, computer system, or computer network.
- Without permission uses the Internet domain name of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages, and thereby damages or causes damage to a computer, computer system, or computer network.

(Pen. Code § 502, subds. (c)(9) and (d)(5).)

Existing law defines extortion as the obtaining of property from another person, without the person's consent, or obtaining an official act of a public officer, induced by the wrongful use of force or fear, or under color of official right. (Pen. Code § 518.)

Existing law defines force or fear sufficient to commit extortion as a threat to do any of the following:

- Injure the person or property of the person threatened or a third person.
- Accuse the threatened person or a relative of a crime.
- Expose or impute to the person threatened or a relative any deformity, disgrace or crime.
- Expose any secret of the person or relative.
- Report the immigration status of the person or a relative.

(Pen. Code § 519.)

Existing law provides that extortion is a felony, punishable pursuant to Penal Code Section 1170, subdivision (h), by an executed felony sentence of two, three or four years. (Pen. Code § 520.)

Existing law provides that attempted extortion is an alternate felony-misdemeanor, punishable by a jail term of up to one year, a fine of up to $1,000, or both, or by a prison term of 16 months, two years or three years and a fine of up to $10,000.

Existing law includes "white collar" financial crime prison sentence enhancements of 1-5 years and special fines, depending on the amount of money or property taken by the defendant or the loss suffered by the victim.
The enhancements apply where the defendant is convicted of two or more related felonies and the loss to the victim or gain to the defendant is at least $100,000. To prevent a defendant from secreting or dissipating his or her assets, the court may order pretrial seizure of assets to preserve them for restitution and fines. (Pen. Code § 186.11.)

Existing federal law includes the Computer Fraud and Abuse Act ("CFAA"), which prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data. (18 U.S.C. § 1030(a)(1)-(7).)

Existing federal law makes it an offense for a person, with intent to extort from any person any money or other thing of value, to transmit in interstate or foreign commerce any communication containing any of the following:

- A threat to damage a protected computer;
- A threat to obtain information from a protected computer without authorization or in excess of authorization, or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
- A demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion.

A first violation is punishable by imprisonment for up to five years and a fine determined pursuant to the sentencing guidelines.<1> A violation that follows conviction for this offense or a related offense is punishable by imprisonment for up to 10 years and a fine determined through the sentencing guidelines. (18 U.S.C. § 1030(a)(7).)

-------------------------
<1> It appears that the fine would be no more than $250,000 or twice the gain or loss in the crime. (18 U.S.C. § 3571.)

This bill provides that the person responsible for placing "ransomware" on a computer, computer system, or data in a computer system is guilty of a felony, punishable pursuant to Penal Code Section 1170, subdivision (h), by an executed felony sentence of two years, three years or four years and a fine of up to $10,000.

This bill defines "ransomware" as the placement or introduction of a computer contaminant or lock on a computer, computer system, or data in a computer system, coupled with a demand that money or other consideration be paid to the person responsible for the contaminant or lock before it is removed or repaired.

This bill provides that a person is responsible for ransomware if the person directly places or introduces the contaminant or lock, or directs or induces another person to do so, with the intent to demand payment or other consideration to remove the contaminant, unlock the computer system or data, or repair the computer, computer system or data.

RECEIVERSHIP/OVERCROWDING CRISIS AGGRAVATION

For the past several years this Committee has scrutinized legislation referred to its jurisdiction for any potential impact on prison overcrowding. Mindful of the United States Supreme Court ruling and federal court orders relating to the state's ability to provide a constitutional level of health care to its inmate population and the related issue of prison overcrowding, this Committee has applied its "ROCA" policy as a content-neutral, provisional measure necessary to ensure that the Legislature does not erode progress in reducing prison overcrowding.

On February 10, 2014, the federal court ordered California to reduce its in-state adult institution population to 137.5% of design capacity by February 28, 2016, as follows: 143% of design bed capacity by June 30, 2014; 141.5% of design bed capacity by February 28, 2015; and, 137.5% of design bed capacity by February 28, 2016.

In December of 2015 the administration reported that as "of December 9, 2015, 112,510 inmates were housed in the State's 34 adult institutions, which amounts to 136.0% of design bed capacity, and 5,264 inmates were housed in out-of-state facilities. The current population is 1,212 inmates below the final court-ordered population benchmark of 137.5% of design bed capacity, and has been under that benchmark since February 2015." (Defendants' December 2015 Status Report in Response to February 10, 2014 Order, 2:90-cv-00520 KJM DAD PC, 3-Judge Court, Coleman v. Brown, Plata v. Brown (fn. omitted).) One year ago, 115,826 inmates were housed in the State's 34 adult institutions, which amounted to 140.0% of design bed capacity, and 8,864 inmates were housed in out-of-state facilities. (Defendants' December 2014 Status Report in Response to February 10, 2014 Order, 2:90-cv-00520 KJM DAD PC, 3-Judge Court, Coleman v. Brown, Plata v. Brown (fn. omitted).)

While significant gains have been made in reducing the prison population, the state must stabilize these advances and demonstrate to the federal court that California has in place the "durable solution" to prison overcrowding "consistently demanded" by the court. (Opinion Re: Order Granting in Part and Denying in Part Defendants' Request For Extension of December 31, 2013 Deadline, NO. 2:90-cv-0520 LKK DAD (PC), 3-Judge Court, Coleman v. Brown, Plata v. Brown (2-10-14).)
The Committee's consideration of bills that may impact the prison population therefore will be informed by the following questions:

- Whether a proposal erodes a measure which has contributed to reducing the prison population;
- Whether a proposal addresses a major area of public safety or criminal activity for which there is no other reasonable, appropriate remedy;
- Whether a proposal addresses a crime which is directly dangerous to the physical safety of others for which there is no other reasonably appropriate sanction;
- Whether a proposal corrects a constitutional problem or legislative drafting error; and
- Whether a proposal proposes penalties which are proportionate, and cannot be achieved through any other reasonably appropriate remedy.

COMMENTS

1. Need for This Bill

According to the author:

    Kidnapping and ransom demands have been around as long as criminal activity itself. But what is new in the digital age is the immediacy with which a computer hacker can access and hold your computer hostage. Computer users are told that the only way to get their machines back is to pay a steep fine. This is known as "ransomware," a computer virus that renders files unobtainable until a ransom is paid.

    Essentially online extortion, ransomware involves infecting a user's computer with a virus that locks it. The attackers demand money before the computer will be unlocked, but once the money is paid attackers may not unlock the system. One of the scarier things about ransomware is that criminals can use victims' machines however they like. While the computer is locked, the criminals can steal passwords and even get into the victim's online bank accounts. Ransomware affects victims financially and imposes additional costs of replacing breached hardware, bringing legal action, and updating system security. This doesn't just impact home computers.
    Businesses, financial institutions, government agencies, academic institutions, and other organizations can and have become infected as well, resulting in loss of sensitive or proprietary information, disruption of regular operations, financial losses incurred to restore systems and files, and/or potential harm to an organization's reputation. In 2014, according to a recent report, 43 percent of companies experienced some sort of data breach, including highly visible and damaging attacks on Sony, Home Depot, Target and JP Morgan Chase.

    This bill defines "ransomware" in state law and makes it a crime to introduce ransomware into any computer, system, or network. The range of punishment (up to four years imprisonment) is equivalent to the punishment under current law for extortion.

2. Using Ransomware is Criminal under Existing California and Federal Laws, including Extortion and Introducing a Contaminant into a Computer or Computer System

The use of ransomware to demand a payment from a computer or computer system owner or operator appears to constitute extortion under existing California law. California law (Pen. Code § 502, the section amended by this bill) also makes it a crime to access, damage or alter a computer system or data without permission. Section 502 specifically lists prohibited acts and provides various penalties, based on the severity of the harm caused or the value of services taken. This bill would add the use of ransomware as a computer crime in Section 502. The penalty for this form of computer crime is the same as the penalty for extortion, a felony term of two, three, or four years. (Pen. Code §§ 518-527.) A prosecutor could charge the use of ransomware as both the very specific crime defined by this bill and the more general crime of extortion.
A prosecutor could perhaps conclude that jurors have a set understanding of extortion as meaning a demand for protection money from a store owner or blackmail to hide an embarrassing secret, and that they might be confused by, or reluctant to apply, the extortion statute to a highly technical and sophisticated computer scheme. A defendant convicted of both offenses, however, would be subject to a single punishment. California sentencing law generally permits a prosecutor to obtain a conviction on every crime covered by the defendant's conduct. However, the defendant can only be punished a single time for one act that violates a number of criminal statutes or for multiple offenses committed in one indivisible transaction. (Pen. Code § 654.)

3. Explosion in Computer and Data Fraud and Extortion Incidents and Awareness

It appears that the use of ransom to extort money or another form of exchange, such as bitcoin, has become nearly ubiquitous. Even relatively large-scale attacks on, or seizure of control over, computers, computer systems and computer networks can be done quickly and remotely. Victims can reasonably conclude that they have little option but to comply. The perpetrators might well be in another country or even another continent. An attempt to obtain assistance from law enforcement may be futile, and the perpetrators could punish such attempts by destroying data that includes an entity's entire operation. A business or organization could conclude that it could no longer function if the threat is carried out. Even where the threat is not executed, the very admission of the event could be extremely harmful to a business or other organization's reputation. For example, a hospital would be loath to admit that confidential medical records were seized or locked. The customers and clients of banks and brokerage houses must believe that their financial holdings and information are safe.
Attorneys cannot afford to reveal the confidences of clients stored in digital files. Computer criminals have become increasingly sophisticated as technology has become more sophisticated and essential to the life of virtually every person and entity. The attacks have included locking or encrypting files on the home computers of individual victims, often through authentic-looking law enforcement notifications that the victim has done some wrong that he or she would never want exposed.<2> The attacks have also included attacks on large entities, such as three hospitals in recent, well-publicized incidents in Southern California<3> and government entities. It appears that no media report of ransomware incidents is complete without noting that even police departments have paid ransoms to computer criminals. A February 20, 2015 story in the Chicago Tribune reported that the suburban Chicago town of Midlothian paid a hacker $500<4> in bitcoin for release of infected files. Even the department's backup files were encrypted.

---------------------------
<2> https://www.fbi.gov/news/stories/2012/august/new-internet-scam
<3> http://www.latimes.com/local/lanow/la-me-ln-two-more-so-cal-hospitals-ransomware-20160322-story.html

A number of computer, software and computer data security businesses have developed products to detect and remove ransomware. Numerous on-line guides about ransomware have been published. These typically include descriptions of ransomware, how to detect ransomware, how to remove it, and how to protect against it.
For example, the Mountain View, California firm Symantec has published particularly detailed guides<5> for addressing ransomware questions, concerns, protection, removal and repair.<6> TechNet, a Microsoft division that is a co-sponsor of this bill, also publishes detailed ransomware guides and assistance, including information about newly discovered ransomware.<7>

---------------------------
<4> http://www.chicagotribune.com/news/local/breaking/ct-midlothian-hacker-ransom-met-20150220-story.html
<5> http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf
<6> http://www.symantec.com/tv/products/details.jsp?vid=1954285164001
<7> https://blogs.technet.microsoft.com/mmpc/2015/08/09/emerging-ransomware-troldesh/

Comparison with Identity Theft

In recent decades, identity theft has become a growing and daunting crime problem. Traditional investigative techniques did not work well to combat identity theft, a crime that was often committed by unseen, electronic means, creating law enforcement problems similar to recent ransomware incidents. In 1997, California was one of the first states to create a crime specifically described as identity theft in Penal Code section 530.5.<8> Prior to that time, law enforcement agencies generally considered the business entity that was defrauded to be the victim of identity theft, not the person whose identity was stolen so that the fraud could be committed, although applicable statutes described a person whose identity was misused as a crime victim. However, advocates believed that the person who was the actual victim often found himself or herself given no respect or standing in repairing the damage done by the crime. It would appear that the greatest value in the current identity theft statutes is to allow a victim to clear his or her name.
Penal Code section 530.6 allows an identity theft victim to require the police to investigate an identity theft report and further allows the victim to use the report to obtain a court order declaring that he or she did not commit certain crimes or accumulate certain debts. Pursuant to this judicial procedure, a person may be listed in a database of identity theft victims maintained by the Department of Justice.

One of the most daunting and frustrating problems encountered by identity theft victims is the damage to one's credit. Good credit is essential to financial stability. An identity theft victim may well face months of work and substantial expense repairing his or her credit. Companies market credit repair services. Credit card companies compete for business, in part, by including credit monitoring and repair in a credit account. Similar daunting problems face victims of ransomware and cryptoware. Business and government entities that were hacked must repair systems, recreate files and rebuild the trust of customers and citizens.

-- END --

---------------------------
<8> AB 156 (Murray) Ch. 768, Stats. 1997