BILL ANALYSIS

SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session

SB 1137 (Hertzberg) - Computer crimes: ransomware

Version: March 31, 2016
Policy Vote: PUB. S. 6 - 0
Urgency: No
Mandate: Yes
Hearing Date: April 25, 2016
Consultant: Jolie Onodera

This bill meets the criteria for referral to the Suspense File.

Bill Summary: SB 1137 would provide that a person who knowingly introduces "ransomware," as defined, into any computer, computer system, or computer network is guilty of a felony, punishable by imprisonment in a county jail, or state prison under specified circumstances, for two, three, or four years, and a fine not exceeding $10,000.

Fiscal Impact:
State prisons: Potential minor increase in state costs (General Fund) for new commitments to state prison of persons who would not otherwise have been convicted under the extortion statutes, or potentially longer sentences for convictions that otherwise would have been charged as other computer crimes. CDCR data indicates 29 commitments to state prison in 2015 under the extortion statutes. To the extent the provisions of this measure result in even two additional commitments to state prison in any one year, state costs would be $58,000, assuming the contract bed rate of $29,000 per inmate.
County jails: Potential increase in local incarceration costs (Local Funds) to the extent persons would not have otherwise been convicted of the felony offense of extortion or other computer offenses under existing law.

Background: Existing law establishes various offenses relating to computer data and electronic systems and imposes a wide range of penalties based on the seriousness of the offense or extent of harm caused by the defendant, including as an infraction, a misdemeanor, or as a felony, punishable pursuant to Penal Code (PC) § 1170(h) for a term of 16 months, two years, or three years and a fine of up to $10,000. (PC § 502.) These penalties apply where any person knowingly does any of the following:

- Accesses and without permission adds, alters, copies, damages, deletes, destroys, or otherwise uses any data, computer, computer system, computer programs, computer software, or computer network in order to devise or execute any scheme or artifice to defraud, deceive, or extort, or wrongfully control or obtain money, property or data.
- Without permission, disrupts or causes the disruption of computer services, or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.
- Disrupts or improperly accesses a government or public safety computer system.
- Without permission provides or assists in providing a means of accessing, accesses, or causes to be accessed a computer, computer system, or computer network.
- Introduces any computer contaminant into any computer, computer system, or computer network.
- Without permission uses the Internet domain name of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages, and thereby damages or causes damage to a computer, computer system, or computer network.

Existing law defines extortion as the obtaining of property from another person, without the person's consent, or obtaining an official act of a public officer, induced by the wrongful use of force or fear, or under color of official right. (PC § 518.) Under existing law, a person who extorts any money or other property from another, under circumstances not amounting to robbery or carjacking, by means of force, or any threat, as specified, is guilty of extortion, a felony punishable by imprisonment pursuant to PC § 1170(h) for two, three or four years. (PC § 520.)

Proposed Law: This bill provides that a person who knowingly introduces "ransomware" on a computer, computer system, or computer network is guilty of a felony, punishable pursuant to PC § 1170(h) by an executed felony sentence of two years, three years, or four years and a fine of up to $10,000. Additionally, this bill:

- Defines "ransomware" as a computer or data contaminant or lock placed in or introduced into a computer system, computer or data in a computer system, or computer that restricts access to the system, computer, or data in some way, and under circumstances in which the person responsible for the ransomware demands payment of money or other consideration to remove the contaminant, unlock the computer system or computer, or repair the injury done to the computer system, computer, or data by the contaminant or lock.
- Provides that one is responsible for placing or introducing ransomware if the person directly places or introduces the contaminant or lock, or directs or induces another person to do so, with the intent to demand payment or other consideration to remove the contaminant, unlock the computer system or computer, or repair the computer, computer system, or data.
- Provides that prosecution under the felony offense of placing ransomware on a computer does not prohibit or limit prosecution under any other law.

Prior Legislation: AB 32 (Waldron) Chapter 614/2015 increases the fines for felony convictions of specified computer crimes from a maximum of $5,000, to a maximum of $10,000. AB 1649 (Waldron) Chapter 379/2014 specifically and separately provides that the crimes and penalties for unauthorized access of or damage to a computer, computer system or data apply to government and public safety infrastructure computers, computer systems and data, as specified.

Staff Comments: By separately establishing the offense of ransomware, this bill could potentially result in new commitments and longer sentences being imposed, both to state prison and county jail. Pursuant to the provisions of PC § 1170(h)(3), sentences imposed on defendants with the following criminal history must be served in state prison: 1) a defendant has a prior or current felony conviction for a serious or violent felony; 2) a defendant is required to register as a sex offender; or 3) a defendant is convicted of a crime and as part of the sentence an enhancement pursuant to PC § 186.11 is imposed.

The fiscal impact of this bill cannot be known with certainty, as the actual impact will be dependent on numerous factors including but not limited to judicial and prosecutorial discretion, the criminal history of the defendant, and the factors unique to each case. However, to the extent defendants convicted of knowingly introducing ransomware into a computer are already largely reflected in the historical commitments to state prison and county jail under the existing extortion statutes, the impact of this bill would be somewhat mitigated.

While a defendant cannot be punished for an offense under more than one provision of law (PC § 654), a defendant could be charged with both offenses, which could potentially have an impact on the outcome of the proceedings that may not have otherwise occurred under existing provisions of law.

-- END --