BILL ANALYSIS
SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session
SB 1137 (Hertzberg) - Computer crimes: ransomware
|--------------------------------+--------------------------------|
|Version: March 31, 2016         |Policy Vote: PUB. S. 6 - 0      |
|--------------------------------+--------------------------------|
|Urgency: No                     |Mandate: Yes                    |
|--------------------------------+--------------------------------|
|Hearing Date: April 25, 2016    |Consultant: Jolie Onodera       |
|--------------------------------+--------------------------------|
This bill meets the criteria for referral to the Suspense File.
Bill Summary: SB 1137 would provide that a person who knowingly
introduces "ransomware," as defined, into any computer, computer
system, or computer network is guilty of a felony, punishable by
imprisonment in a county jail, or state prison under specified
circumstances, for two, three, or four years, and a fine not
exceeding $10,000.
Fiscal Impact:
- State prisons: Potential minor increase in state costs
  (General Fund) for new commitments to state prison of persons
  who would not otherwise have been convicted under the extortion
  statutes, or potentially longer sentences for convictions that
  otherwise would have been charged as other computer crimes.
  CDCR data indicates 29 commitments to state prison in 2015
  under the extortion statutes. If the provisions of this measure
  resulted in even two additional commitments to state prison in
  any one year, state costs would be $58,000, assuming the
  contract bed rate of $29,000 per inmate.
- County jails: Potential increase in local incarceration costs
  (Local Funds) to the extent persons would not have otherwise
  been convicted of the felony offense of extortion or other
  computer offenses under existing law.
Background: Existing law establishes various offenses relating to computer
data and electronic systems and imposes a wide range of
penalties based on the seriousness of the offense or extent of
harm caused by the defendant, including as an infraction, a
misdemeanor, or as a felony, punishable pursuant to Penal Code
(PC) § 1170(h) for a term of 16 months, two years, or
three years and a fine of up to $10,000. (PC § 502.) These
penalties apply where any person knowingly does any of the
following:
- Accesses and without permission adds, alters, copies,
  damages, deletes, destroys, or otherwise uses any data,
  computer, computer system, computer programs, computer
  software, or computer network in order to devise or execute
  any scheme or artifice to defraud, deceive, or extort, or
  wrongfully control or obtain money, property or data.
- Without permission, disrupts or causes the disruption of
  computer services, or denies or causes the denial of
  computer services to an authorized user of a computer,
  computer system, or computer network.
- Disrupts or improperly accesses a government or public
  safety computer system.
- Without permission provides or assists in providing a
  means of accessing, accesses, or causes to be accessed a
  computer, computer system, or computer network.
- Introduces any computer contaminant into any computer,
  or computer system, or computer network.
- Without permission uses the Internet domain name of
  another individual, corporation, or entity in connection
  with the sending of one or more electronic mail messages,
  and thereby damages or causes damage to a computer,
  computer system, or computer network.
Existing law defines extortion as the obtaining of property from
another person, without the person's consent, or obtaining an
official act of a public officer, induced by the wrongful use of
force or fear, or under color of official right. (PC § 518.)
Under existing law, a person who extorts any money or other
property from another, under circumstances not amounting to
robbery or carjacking, by means of force, or any threat, as
specified, is guilty of extortion, a felony punishable by
imprisonment pursuant to PC § 1170(h) for two, three or four
years. (PC § 520.)
Proposed Law:
This bill provides that a person who knowingly introduces
"ransomware" on a computer, computer system, or computer network
is guilty of a felony, punishable pursuant to PC § 1170(h) by
an executed felony sentence of two years, three years, or four
years and a fine of up to $10,000. Additionally, this bill:
- Defines "ransomware" as a computer or data contaminant or lock
  placed in or introduced into a computer system, computer or
  data in a computer system, or computer that restricts access
  to the system, computer, or data in some way, and under
  circumstances in which the person responsible for the
  ransomware demands payment of money or other consideration to
  remove the contaminant, unlock the computer system or
  computer, or repair the injury done to the computer system,
  computer, or data by the contaminant or lock.
- Provides that one is responsible for placing or introducing
  ransomware if the person directly places or introduces the
  contaminant or lock, or directs or induces another person to
  do so, with the intent to demand payment or other
  consideration to remove the contaminant, unlock the computer
  system or computer, or repair the computer, computer system,
  or data.
- Provides that prosecution under the felony offense of placing
  ransomware on a computer does not prohibit or limit
  prosecution under any other law.
Prior Legislation: AB 32 (Waldron) Chapter 614/2015 increases the
fines for felony convictions of specified computer crimes from a
maximum of $5,000, to a maximum of $10,000.
AB 1649 (Waldron) Chapter 379/2014 specifically and separately
provides that the crimes and penalties for unauthorized access
of or damage to a computer, computer system or data apply to
government and public safety infrastructure computers, computer
systems and data, as specified.
Staff Comments: By separately establishing the offense of ransomware,
this bill could potentially result in new commitments and longer
sentences being imposed, both to state prison and county jail.
Pursuant to the provisions of PC § 1170(h)(3), sentences imposed
on defendants with the following criminal history must be served
in state prison: 1) a defendant has a prior or current felony
conviction for a serious or violent felony; 2) a defendant is
required to register as a sex offender; or 3) a defendant is
convicted of a crime and as part of the sentence an enhancement
pursuant to PC § 186.11 is imposed.
The fiscal impact of this bill cannot be known with certainty,
as the actual impact will be dependent on numerous factors
including but not limited to judicial and prosecutorial
discretion, the criminal history of the defendant, and the
factors unique to each case. However, to the extent defendants
convicted of knowingly introducing ransomware into a computer
are already largely reflected in the historical commitments to
state prison and county jail under the existing extortion
statutes, the impact of this bill would be somewhat mitigated.
While a defendant cannot be punished for an offense under more
than one provision of law (PC § 654), a defendant could be
charged with both offenses, which could potentially have an
impact on the outcome of the proceedings that may not have
otherwise occurred under existing provisions of law.
-- END --