BILL ANALYSIS
SENATE COMMITTEE ON PUBLIC SAFETY
Senator Loni Hancock, Chair
2015 - 2016 Regular
Bill No: SB 1137 Hearing Date: April 12, 2016
Author:      Hertzberg
Version:     March 31, 2016
Urgency:     No          Fiscal:  Yes
Consultant:  JM
Subject: Computer Crimes: Ransomware
HISTORY
Source: TechNet; Los Angeles County District Attorney
Prior Legislation: AB 32 (Waldron) Ch. 614, Stats. 2015
                   AB 1649 (Waldron) Ch. 379, Stats. 2014
Support: Association of Orange County Deputy Sheriffs;
California Association of Licensed Investigators;
California Police Chiefs Association; California State
Sheriffs' Association; California Statewide Law
Enforcement Association; Fraternal Order of Police,
California State Lodge; Long Beach Police Officers
Association; Sacramento County Deputy Sheriffs'
Association
Opposition: Legal Services for Prisoners with Children
PURPOSE
The purpose of this bill is to: 1) separately define as a felony
the crime of placing a contaminant or lock on a computer or
computer system for the purpose of locking or controlling the
computer, computer system or data files, coupled with a demand
for payment of money or other consideration before the lock will
be removed or control returned to the owner or authorized user;
and, 2) specifically define such a contaminant or lock as
"ransomware."
Existing law defines numerous computer or electronic data
offenses and imposes a wide range of penalties based on the
seriousness of the offense or extent of harm caused by the
defendant, including felony imprisonment pursuant to Penal
Code Section 1170, subdivision (h) for a term of 16 months, two
years or three years and a fine of up to $10,000, or as a
misdemeanor by a fine not exceeding $5,000, or by a fine of up
to $1,000 or imprisonment in a county jail not exceeding one
year, or as an infraction. (Pen. Code § 502.) These penalties
apply where any person knowingly:
- Accesses and without permission alters, damages, deletes,
  destroys, or otherwise uses any data, computer, computer
  system, or computer network in order to devise or execute any
  scheme or artifice to defraud, deceive, or extort, or
  wrongfully control or obtain money, property or data.
- Accesses and without permission takes, copies or makes use of
  any data from a computer, computer system, or computer
  network, or takes or copies any supporting documentation,
  whether existing or residing internal or external to a
  computer, computer system, or computer network.
- Accesses and without permission adds, alters, damages,
  deletes, or destroys any data, computer software, or computer
  programs which reside or exist internal or external to a
  computer, computer system, or computer network.
- Without permission, disrupts or causes the disruption of
  computer services, or denies or causes the denial of computer
  services to an authorized user of a computer, computer system,
  or computer network.
- Disrupts or improperly accesses a government or public safety
  computer system.
- Without permission provides or assists in providing a means of
  accessing, accesses, or causes to be accessed a computer,
  computer system, or computer network.
- Introduces any computer contaminant into any computer,
  computer system, or computer network.
- Without permission uses the Internet domain name of another
  individual, corporation, or entity in connection with the
  sending of one or more electronic mail messages, and thereby
  damages or causes damage to a computer, computer system, or
  computer network. (Pen. Code § 502, subds. (c)(9) and (d)(5).)
Existing law defines extortion as the obtaining of property from
another person, without the person's consent, or obtaining an
official act of a public officer, induced by the wrongful use of
force or fear, or under color of official right. (Pen. Code §
518.)
Existing law defines force or fear sufficient to commit
extortion as a threat to do any of the following:
- Injure the person or property of the person threatened or a
  third person.
- Accuse the threatened person or a relative of a crime.
- Expose or impute to the person threatened or a relative any
  deformity, disgrace or crime.
- Expose any secret of the person or relative.
- Report the immigration status of the person or a relative.
  (Pen. Code § 519.)
Existing law provides that extortion is a felony, punishable
pursuant to Penal Code Section 1170, subdivision (h), by an
executed felony sentence of two, three or four years. (Pen.
Code § 520.)
Existing law provides that attempted extortion is an alternate
felony-misdemeanor, punishable by a jail term of up to one year,
a fine of up to $1,000, or both, or by a prison term of 16
months, two years or three years and a fine of up to $10,000.
Existing law includes "white collar" financial crime prison
sentence enhancements of 1-5 years and special fines, depending
on the amount of money or property taken by the defendant or the
loss suffered by the victim. The enhancements apply where the
defendant is convicted of two or more related felonies and the
loss to the victim or gain to the defendant is at least
$100,000. To prevent a defendant from secreting or
dissipating his or her assets, the court may order pretrial
seizure of assets to preserve them for restitution and fines.
(Pen. Code § 186.11.)
Existing federal law includes the Computer Fraud and Abuse Act
("CFAA"), which prohibits a number of different computer crimes,
the majority of which involve accessing computers without
authorization or in excess of authorization, and then taking
specified forbidden actions, ranging from obtaining information
to damaging a computer or computer data. (18 U.S.C. §
1030(a)(1)-(7)).
Existing federal law provides that a person who intends to
extort from any person any money or other thing of value and
transmits in interstate or foreign commerce any communication
containing any of the following commits an offense:
- A threat to damage a protected computer;
- A threat to obtain information from a protected computer
  without authorization or in excess of authorization or to
  impair the confidentiality of information obtained from a
  protected computer without authorization or by exceeding
  authorized access; or
- A demand or request for money or other thing of value in
  relation to damage to a protected computer, where such damage
  was caused to facilitate the extortion.
A first violation is punishable by imprisonment for up to five
years and a fine determined pursuant to the sentencing
guidelines.<1> A violation that follows conviction for this
offense or a related offense is punishable by imprisonment for
up to 10 years and a fine determined through the sentencing
guidelines. (18 U.S.C. § 1030 (a)(7).)
-------------------------
<1> It appears that the fine would be no more than $250,000 or
twice the gain or loss in the crime. (18 U.S.C. § 3571.)

This bill provides that the person responsible for placing
"ransomware" on a computer, computer system, or data in a
computer system is guilty of a felony, punishable pursuant to
Penal Code Section 1170, subdivision (h), by an executed felony
sentence of two years, three years or four years and a fine of
up to $10,000.
This bill defines "ransomware" as the placement or introduction
of a computer contaminant or lock on a computer, computer
system, or data in a computer system, coupled with a demand that
money or other consideration be paid to the person responsible
for the contaminant or lock before it is removed or repaired.
This bill provides that one is responsible for ransomware
if the person directly places or introduces the contaminant
or lock, or directs or induces another person to do so,
with the intent to demand payment or other consideration to
remove the contaminant, unlock the computer system or data,
or repair the computer, computer system or data.
RECEIVERSHIP/OVERCROWDING CRISIS AGGRAVATION
For the past several years this Committee has scrutinized
legislation referred to its jurisdiction for any potential
impact on prison overcrowding. Mindful of the United States
Supreme Court ruling and federal court orders relating to the
state's ability to provide a constitutional level of health care
to its inmate population and the related issue of prison
overcrowding, this Committee has applied its "ROCA" policy as a
content-neutral, provisional measure necessary to ensure that
the Legislature does not erode progress in reducing prison
overcrowding.
On February 10, 2014, the federal court ordered California to
reduce its in-state adult institution population to 137.5% of
design capacity by February 28, 2016, as follows:
- 143% of design bed capacity by June 30, 2014;
- 141.5% of design bed capacity by February 28, 2015; and,
- 137.5% of design bed capacity by February 28, 2016.
In December of 2015 the administration reported that as "of
December 9, 2015, 112,510 inmates were housed in the State's 34
adult institutions, which amounts to 136.0% of design bed
capacity, and 5,264 inmates were housed in out-of-state
facilities. The current population is 1,212 inmates below the
final court-ordered population benchmark of 137.5% of design bed
capacity, and has been under that benchmark since February
2015." (Defendants' December 2015 Status Report in Response to
February 10, 2014 Order, 2:90-cv-00520 KJM DAD PC, 3-Judge
Court, Coleman v. Brown, Plata v. Brown (fn. omitted).) One
year ago, 115,826 inmates were housed in the State's 34 adult
institutions, which amounted to 140.0% of design bed capacity,
and 8,864 inmates were housed in out-of-state facilities.
(Defendants' December 2014 Status Report in Response to February
10, 2014 Order, 2:90-cv-00520 KJM DAD PC, 3-Judge Court, Coleman
v. Brown, Plata v. Brown (fn. omitted).)
While significant gains have been made in reducing the prison
population, the state must stabilize these advances and
demonstrate to the federal court that California has in place
the "durable solution" to prison overcrowding "consistently
demanded" by the court. (Opinion Re: Order Granting in Part and
Denying in Part Defendants' Request For Extension of December
31, 2013 Deadline, NO. 2:90-cv-0520 LKK DAD (PC), 3-Judge Court,
Coleman v. Brown, Plata v. Brown (2-10-14).) The Committee's
consideration of bills that may impact the prison population
therefore will be informed by the following questions:
- Whether a proposal erodes a measure which has contributed to
  reducing the prison population;
- Whether a proposal addresses a major area of public safety or
  criminal activity for which there is no other reasonable,
  appropriate remedy;
- Whether a proposal addresses a crime which is directly
  dangerous to the physical safety of others for which there is
  no other reasonably appropriate sanction;
- Whether a proposal corrects a constitutional problem or
  legislative drafting error; and
- Whether a proposal proposes penalties which are
  proportionate, and cannot be achieved through any other
  reasonably appropriate remedy.
COMMENTS
1. Need for This Bill
According to the author:
Kidnapping and ransom demands have been around as long
as criminal activity itself. But what is new in the
digital age is the immediacy with which a computer
hacker can access and hold your computer hostage.
Computer users are told that the only way to get their
machines back is to pay a steep fine. This is known as
"ransomware," a computer virus that renders files
unobtainable until a ransom is paid.
Essentially online extortion, ransomware involves
infecting a user's computer with a virus that locks
it. The attackers demand money before the computer
will be unlocked, but once the money is paid attackers
may not unlock the system. One of the scarier things
about ransomware is that criminals can use victims'
machines however they like. While the computer is
locked, the criminals can steal passwords and even get
into the victim's online bank accounts. Ransomware
affects victims financially and imposes additional
costs of replacing breached hardware, bringing legal
action, and updating system security.
This doesn't just impact home computers. Businesses,
financial institutions, government agencies, academic
institutions, and other organizations can and have
become infected as well, resulting in loss of
sensitive or proprietary information, disruption of
regular operations, financial losses incurred to
restore systems and files, and/or potential harm to an
organization's reputation. In 2014, according to a
recent report, 43 percent of companies experienced
some sort of data breach, including highly visible and
damaging attacks on Sony, Home Depot, Target and JP
Morgan Chase.
This bill defines "ransomware" in state law and makes
it a crime to introduce ransomware into any computer,
system, or network. The range of punishment (up to
four years imprisonment) is equivalent to the
punishment under current law for extortion.
2. Using Ransomware is Criminal under Existing California and
Federal Laws, including Extortion and Introducing a
Contaminant into a Computer or Computer System
The use of ransomware to demand a payment from a computer or
computer system owner or operator appears to constitute
extortion under existing California law. California law (Pen.
Code § 502, the section amended by this bill) also makes it a
crime to access, damage or alter a computer system or data
without permission. Section 502 specifically lists prohibited
acts and provides various penalties, based on the severity of
the harm caused or the value of services taken.
This bill would add the use of ransomware as a computer crime in
Section 502. The penalty for this form of computer crime is the
same as the penalty for extortion, a felony term of two, three,
or four years. (Pen. Code §§ 518-527.) A prosecutor could charge
ransomware as both the very specific crime defined by this bill
and the more general crime of extortion. A prosecutor could
perhaps conclude that jurors have such a set understanding of
extortion, as meaning a demand for protection money from a store
owner or blackmail to hide an embarrassing secret, that they
might be confused or reluctant to apply extortion to a highly
technical and sophisticated computer scheme. A defendant
convicted of both offenses, however, would be subject to a
single punishment. California sentencing law generally permits
a prosecutor to obtain a conviction on every crime covered by
the defendant's conduct. However, the defendant can only be
punished once for one act that violates a number of criminal
statutes or for multiple offenses committed in one indivisible
transaction. (Pen. Code § 654.)
3. Explosion in Computer and Data Fraud and Extortion Incidents
and Awareness
It appears that the use of ransom to extort money or other form
of exchange, such as bitcoin, has become nearly ubiquitous.
Even relatively large-scale attacks on, or seizure of control
over, computers and computer systems can be done quickly and
remotely.
Victims can reasonably conclude that they have little option but
to comply. The perpetrators might well be in another country or
even another continent. An attempt to obtain assistance from law
enforcement may be futile and the perpetrators could punish such
attempts by destroying data that includes an entity's entire
operation. A business or organization could conclude that it
could no longer function if the threat is carried out. Even
where the threat is not executed, the very admission of the
event could be extremely harmful to a business or other
organization's reputation. For example, a hospital would be
loath to admit that confidential medical records were seized or
locked. The customers and clients of banks and brokerage
houses must believe that their financial holdings and
information are safe. Attorneys cannot afford to reveal the
confidences of clients stored in digital files.
Computer criminals have become increasingly sophisticated as
technology has become more sophisticated and essential to the
life of virtually every person and entity. The attacks have
included locking or encrypting files on the home computers of
individual victims - often through authentic-looking law
enforcement notifications that the victim has done some wrong
that he or she would never want exposed.<2> The attacks have
also targeted large entities, such as three hospitals in recent,
well-publicized incidents in Southern California<3> and
government entities. It appears that no media report of
ransomware incidents is complete without noting that even police
departments have paid ransoms to computer criminals. A February
20, 2015 story in the Chicago Tribune reported that the suburban
Chicago town of Midlothian paid a hacker $500<4> in bitcoin for
release of infected files. Even the department's backup files
were encrypted.
---------------------------
<2> https://www.fbi.gov/news/stories/2012/august/new-internet-scam
<3> http://www.latimes.com/local/lanow/la-me-ln-two-more-so-cal-hospitals-ransomware-20160322-story.html
A number of computer, software and data security businesses
have developed products to detect and remove ransomware.
Numerous on-line guides about ransomware have been published.
These typically include descriptions of ransomware, how to
detect ransomware, how to remove it and how to protect against
it. For example, the Mountain View, California firm Symantec
has published particularly detailed guides<5> for addressing
ransomware questions, concerns, protection, removal and
repair.<6> TechNet, a Microsoft division that is a co-sponsor
of this bill, also publishes detailed ransomware guides and
assistance, including information about newly discovered
ransomware.<7>
Comparison with Identity Theft
In recent decades, identity theft has become a growing and
daunting crime problem. Traditional investigative techniques
did not work well to combat identity theft, a crime that was
often committed by unseen, electronic means, creating law
enforcement problems similar to recent ransomware incidents.
---------------------------
<4> http://www.chicagotribune.com/news/local/breaking/ct-midlothian-hacker-ransom-met-20150220-story.html
<5> http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf
<6> http://www.symantec.com/tv/products/details.jsp?vid=1954285164001
<7> https://blogs.technet.microsoft.com/mmpc/2015/08/09/emerging-ransomware-troldesh/
In 1997, California was one of the first states to create a
crime specifically described as identity theft in Penal Code
section 530.5.<8> Prior to that time, law enforcement agencies
generally considered the business entity that was defrauded to
be the victim of identity theft, not the person whose identity
was stolen so that the fraud could be committed, although
applicable statutes described a person whose identity was
misused as a crime victim. However, advocates believed that the
person who was the actual victim often found himself or herself
given no respect or standing in repairing the damage done by
the crime.
It would appear that the greatest value in the current identity
theft statutes is to allow a victim to clear his or her name.
Penal Code section 530.6 allows an identity theft victim to
require the police to investigate an identity theft report and
further allows the victim to use the report to obtain a court
order declaring that he or she did not commit certain crimes or
accumulate certain debts. Pursuant to this judicial procedure,
a person may be listed in a database of identity theft victims
maintained by the Department of Justice.
One of the most daunting and frustrating problems encountered by
identity theft victims is the damage to one's credit. Good
credit is essential to financial stability. An identity theft
victim may well face months of work and substantial expense
repairing his or her credit. Companies market credit repair
services. Credit card companies compete for business, in part,
by including credit monitoring and repair in a credit account.
Similar daunting problems face victims of ransomware and
cryptoware. Businesses and government entities that were hacked
must repair systems, recreate files and rebuild the trust of
customers and citizens.
---------------------------
<8> AB 156 (Murray) Ch. 768, Stats. 1997
-- END --