BILL ANALYSIS                                                                                                                                                                                                    



          SENATE COMMITTEE ON APPROPRIATIONS
                             Senator Ricardo Lara, Chair
                            2015 - 2016  Regular  Session

          SB 1137 (Hertzberg) - Computer crimes:  ransomware
          
           ----------------------------------------------------------------- 
          |Version: March 31, 2016         |Policy Vote: PUB. S. 6 - 0      |
          |--------------------------------+--------------------------------|
          |Urgency: No                     |Mandate: Yes                    |
          |--------------------------------+--------------------------------|
          |Hearing Date: April 25, 2016    |Consultant: Jolie Onodera       |
           ----------------------------------------------------------------- 


          This bill meets the criteria for referral to the Suspense File.




          Bill Summary:  SB 1137 would provide that a person who knowingly  
          introduces "ransomware," as defined, into any computer, computer  
          system, or computer network is guilty of a felony, punishable by  
          imprisonment in a county jail, or state prison under specified  
          circumstances, for two, three, or four years, and a fine not  
          exceeding $10,000. 


          Fiscal Impact:  
            State prisons  :  Potential minor increase in state costs  
            (General Fund) for new commitments to state prison that would  
            not have otherwise been convicted under the extortion  
            statutes, or potentially longer sentences for convictions that  
            otherwise would have been charged as other computer crimes.  
            CDCR data indicates 29 commitments to state prison in 2015  
            under the extortion statutes. To the extent the provisions of  
            this measure result in even two additional commitments to  
            state prison in any one year, state costs would be $58,000,  
            assuming the contract bed rate of $29,000 per inmate.
            County jails  :  Potential increase in local incarceration costs  
            (Local Funds) to the extent persons would not have otherwise  
            been convicted of the felony offense of extortion or other  
            computer offenses under existing law. 


          Background:  Existing law establishes various offenses relating to computer  
          data and electronic systems and imposes a wide range of  
          penalties based on the seriousness of the offense or the extent of  
          harm caused by the defendant, including punishment as an  
          infraction, a misdemeanor, or a felony punishable pursuant to  
          Penal Code (PC) § 1170(h) by a term of 16 months, two years, or  
          three years and a fine of up to $10,000. (PC § 502.) These  
          penalties apply where any person knowingly does any of the  
          following: 
                 Accesses and without permission adds, alters, copies,  
               damages, deletes, destroys, or otherwise uses any data,  
               computer, computer system, computer programs, computer  
               software, or computer network in order to devise or execute  
               any scheme or artifice to defraud, deceive, or extort, or  
               wrongfully control or obtain money, property or data. 


                 Without permission, disrupts or causes the disruption of  
               computer services, or denies or causes the denial of  
               computer services to an authorized user of a computer,  
               computer system, or computer network. 


                 Disrupts or improperly accesses a government or public  
               safety computer system.


                 Without permission provides or assists in providing a  
               means of accessing, accesses, or causes to be accessed a  
               computer, computer system, or computer network.


                 Introduces any computer contaminant into any computer,  
               computer system, or computer network. 


                 Without permission uses the Internet domain name of  
               another individual, corporation, or entity in connection  
               with the sending of one or more electronic mail messages,  
               and thereby damages or causes damage to a computer,  
               computer system, or computer network. 


          Existing law defines extortion as the obtaining of property from  
          another person, without the person's consent, or obtaining an  
          official act of a public officer, induced by the wrongful use of  
          force or fear, or under color of official right. (PC § 518.)  
          Under existing law, a person who extorts any money or other  
          property from another, under circumstances not amounting to  
          robbery or carjacking, by means of force, or any threat, as  
          specified, is guilty of extortion, a felony punishable by  
          imprisonment pursuant to PC § 1170(h) for two, three or four  
          years. (PC § 520.)


          Proposed Law:  
           This bill provides that a person who knowingly introduces  
          "ransomware" on a computer, computer system, or computer network  
          is guilty of a felony, punishable pursuant to PC § 1170(h) by  
          an executed felony sentence of two years, three years, or four  
          years and a fine of up to $10,000. Additionally, this bill:
           Defines "ransomware" as a computer or data contaminant or lock  
            placed in or introduced into a computer system, computer or  
            data in a computer system, or computer that restricts access  
            to the system, computer, or data in some way, and under  
            circumstances in which the person responsible for the  
            ransomware demands payment of money or other consideration to  
            remove the contaminant, unlock the computer system or  
            computer, or repair the injury done to the computer system,  
            computer, or data by the contaminant or lock. 


           Provides that one is responsible for placing or introducing  
            ransomware if the person directly places or introduces the  
            contaminant or lock, or directs or induces another person to  
            do so, with the intent to demand payment or other  
            consideration to remove the contaminant, unlock the computer  
            system or computer, or repair the computer, computer system,  
            or data.


           Provides that prosecution under the felony offense of placing  
            ransomware on a computer does not prohibit or limit  
            prosecution under any other law.




          Prior Legislation:  AB 32 (Waldron) Chapter 614/2015 increases the  
          fines for felony convictions of specified computer crimes from a  
          maximum of $5,000, to a maximum of $10,000.
          AB 1649 (Waldron) Chapter 379/2014 specifically and separately  
          provides that the crimes and penalties for unauthorized access  
          of or damage to a computer, computer system or data apply to  
          government and public safety infrastructure computers, computer  
          systems and data, as specified.




          Staff Comments:  By separately establishing the offense of ransomware,  
          this bill could potentially result in new commitments and longer  
          sentences being imposed, both to state prison and county jail.  
          Pursuant to the provisions of PC § 1170(h)(3), sentences imposed  
          on defendants with the following criminal history must be served  
          in state prison: 1) a defendant has a prior or current felony  
          conviction for a serious or violent felony; 2) a defendant is  
          required to register as a sex offender; or 3) a defendant is  
          convicted of a crime and as part of the sentence an enhancement  
          pursuant to PC § 186.11 is imposed.
          The fiscal impact of this bill cannot be known with certainty,  
          as the actual impact will be dependent on numerous factors  
          including but not limited to judicial and prosecutorial  
          discretion, the criminal history of the defendant, and the  
          factors unique to each case. However, to the extent defendants  
          convicted of knowingly introducing ransomware into a computer  
          are already largely reflected in the historical commitments to  
          state prison and county jail under the existing extortion  
          statutes, the impact of this bill would be somewhat mitigated.

          While a defendant cannot be punished for an offense under more  
          than one provision of law (PC § 654), a defendant could be  
          charged with both offenses, which could potentially have an  
          impact on the outcome of the proceedings that may not have  
          otherwise occurred under existing provisions of law. 


                                      -- END --