BILL ANALYSIS                                                                                                                                                                                                    






           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                       SB 1137|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 


                                   THIRD READING 


          Bill No:  SB 1137
          Author:   Hertzberg (D), et al.
          Amended:  3/31/16  
          Vote:     21 

           SENATE PUBLIC SAFETY COMMITTEE:  6-0, 4/12/16
           AYES:  Hancock, Glazer, Leno, Liu, Monning, Stone
           NO VOTE RECORDED:  Anderson

           SENATE APPROPRIATIONS COMMITTEE:  7-0, 5/27/16
           AYES:  Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen

           SUBJECT:   Computer crimes:  ransomware


          SOURCE:    Los Angeles County District Attorney 
                     TechNet

          DIGEST:   This bill separately defines as a felony the crime of
          placing a contaminant or lock on a computer or computer system
          for the purpose of locking or controlling the computer, computer
          system or data files, coupled with a demand for payment of money
          or other consideration before the lock will be removed or
          control returned to the owner or authorized user; and specifically
          defines such a contaminant or lock as "ransomware."


          ANALYSIS:  


          Existing law:










          1)Defines numerous computer or electronic data offenses and
            imposes a wide range of penalties based on the seriousness of
            the offense or extent of harm caused by the defendant,
            including by felony imprisonment pursuant to Penal Code
            Section 1170, subdivision (h) for a term of 16 months,
            two years or three years and a fine of up to $10,000, or as a
            misdemeanor by a fine not exceeding $5,000, or a fine of up to
            $1,000 by imprisonment in a county jail not exceeding one
            year, or as an infraction.  (Pen. Code § 502.)  These penalties
            apply where any person knowingly:


             a)   Accesses and without permission alters, damages,  
               deletes, destroys, or otherwise uses any data, computer,  
               computer system, or computer network in order to devise or  
               execute any scheme or artifice to defraud, deceive, or  
               extort, or wrongfully control or obtain money, property or  
               data.

             b)   Accesses and without permission takes, copies or makes  
               use of any data from a computer, computer system, or  
               computer network, or takes or copies any supporting  
               documentation, whether existing or residing internal or  
               external to a computer, computer system, or computer  
               network.

             c)   Accesses and without permission adds, alters, damages,
               deletes, or destroys any data, computer software, or
               computer programs which reside or exist internal or
               external to a computer, computer system, or computer
               network.

             d)   Without permission, disrupts or causes the disruption of
               computer services, or denies or causes the denial of
               computer services to an authorized user of a computer,
               computer system, or computer network.

             e)   Disrupts or improperly accesses a government or public  
               safety computer system.

             f)   Without permission provides or assists in providing a  
               means of accessing, accesses, or causes to be accessed a  
               computer, computer system, or computer network.








             g)   Introduces any computer contaminant into any computer,  
               or computer system, or computer network as specified.

             h)   Without permission uses the Internet domain name of  
               another individual, corporation, or entity in connection  
               with the sending of one or more electronic mail messages,  
               and thereby damages or causes damage to a computer,  
               computer system, or computer network as specified.  (Pen.
               Code § 502, subds. (c)(9) and (d)(5).)


          2)Defines extortion as the obtaining of property from another
            person, without the person's consent, or obtaining an official
            act of a public officer, induced by the wrongful use of force
            or fear, or under color of official right.  (Pen. Code § 518.)

          3)Defines force or fear sufficient to commit extortion as a  
            threat to do any of the following:

             a)   Injure the person or property of the person threatened
               or a third person.

             b)   Accuse the threatened person or a relative of a crime.

             c)   Expose or impute to the person threatened or a relative  
               any deformity, disgrace or crime.

             d)   Expose any secret of the person or relative.

             e)   Report the immigration status of the person or a
               relative.  (Pen. Code § 519.)

           4) Provides that extortion is a felony, punishable pursuant to
             Penal Code Section 1170, subdivision (h), by an executed
             felony sentence of two, three or four years.  (Pen. Code
             § 520.)

           5) Provides that attempted extortion is an alternate  
             felony-misdemeanor, punishable by a jail term of up to one  
             year, a fine of up to $1,000, or both, or by a prison term of  
             16 months, two years or three years and a fine of up to  
             $10,000.








           6) Includes "white collar" financial crime prison sentence  
             enhancements of one to five years and special fines,  
             depending on the amount of money or property taken by the  
             defendant or the loss suffered by the victim. The  
             enhancements apply where the defendant is convicted of two or  
             more related felonies and the loss to the victim or gain to  
             the defendant is at least $100,000. To prevent a defendant  
             from secreting or dissipating his or her assets, the court  
             may order pretrial seizure of assets to preserve them for  
             restitution and fines.  (Pen. Code § 186.11.)

           7) Includes the federal Computer Fraud and Abuse Act, which  
             prohibits a number of different computer crimes, the majority  
             of which involve accessing computers without authorization or  
             in excess of authorization, and then taking specified  
             forbidden actions, ranging from obtaining information to  
             damaging a computer or computer data.  (18 U.S.C.
             § 1030(a)(1)-(7).)

          8)Includes federal statutory provisions applicable to a
            person who intends to extort from any person any money or
            other thing of value and transmits in interstate or foreign
            commerce any communication containing any of the following:

             a)   A threat to damage a protected computer;

             b)   A threat to obtain information from a protected computer  
               without authorization or in excess of authorization or to  
               impair the confidentiality of information obtained from a  
               protected computer without authorization or by exceeding  
               authorized access; or

             c)   A demand or request for money or other thing of value in  
               relation to damage to a protected computer, where such  
               damage was caused to facilitate the extortion. A first  
               violation is punishable by imprisonment for up to five  
               years and a fine determined pursuant to the sentencing  
               guidelines.  A violation that follows conviction for this  
               offense or a related offense is punishable by imprisonment  
               for up to 10 years and a fine determined through the  
               sentencing guidelines.  (18 U.S.C. § 1030(a)(7).)









          This bill:


          1)Provides that a person responsible for placing "ransomware"
            on a computer, computer system, or data in a computer system
            is guilty of a felony, punishable pursuant to Penal Code
            Section 1170, subdivision (h), by an executed felony sentence
            of two years, three years or four years and a fine of up to
            $10,000.


          2)Defines "ransomware" as the placement or introduction of a  
            computer contaminant or lock on a computer, computer system,  
            or data in a computer system, coupled with a demand that money  
            or other consideration be paid to the person responsible for  
            the contaminant or lock before it is removed or repaired.


          3)Provides that one is responsible for ransomware if the person  
            directly places or introduces the contaminant or lock, or  
            directs or induces another person to do so, with the intent to  
            demand payment or other consideration to remove the  
            contaminant, unlock the computer system or data, or repair the  
            computer, computer system or data.


          Background


          The use of ransomware to demand a payment from a computer or  
          computer system owner or operator may constitute extortion under  
          existing California law.  California law (Pen. Code § 502 - the
          section amended by this bill) also makes it a crime to access,  
          damage or alter a computer system or data without permission.  
          Section 502 specifically lists prohibited acts and provides  
          various penalties, based on the severity of the harm caused or  
          value of services taken. 


          This bill adds the use of ransomware as a computer crime in
          Section 502.  The penalty for this form of computer crime is
          the same as the penalty for extortion, a felony term of two,
          three, or four years.  (Pen. Code §§ 518-527.)  A prosecutor
          could charge ransomware with the very specific crime defined by
          this bill and the more general crime of extortion.  A prosecutor
          could perhaps conclude that jurors would have such a set
          understanding of extortion as meaning a demand for protection
          money from a store owner or blackmail to hide an embarrassing
          secret that they might be confused or reluctant to apply
          extortion to a highly technical and sophisticated computer
          scheme.  A defendant, however, convicted of both offenses would
          be subject to a single punishment.  California sentencing law
          generally permits a prosecutor to obtain a conviction on every
          crime covered by the defendant's conduct.  However, the
          defendant can only be punished a single time for one act that
          violates a number of criminal statutes or for multiple offenses
          committed in one indivisible transaction.  (Pen. Code § 654.)



          It appears that the use of ransom to extort money or other form  
          of exchange, such as bitcoin, has become nearly ubiquitous.   
          Even relatively large-scale attacks on or seizure of control  
          over computers, computer systems and computer can be done  
          quickly and remotely.  Victims can reasonably conclude that they  
          have little option but to comply.  The perpetrators might well  
          be in another country or even another continent. An attempt to  
          obtain assistance from law enforcement may be futile and the  
          perpetrators could punish such attempts by destroying data that  
          includes an entity's entire operation.  A business or  
          organization could conclude that it could no longer function if  
          the threat is carried out.  Even where the threat is not  
          executed, the very admission of the event could be extremely  
          harmful to a business or other organization's reputation.  For  
          example, a hospital would be loath to admit that confidential  
          medical records were seized or locked.   The customers and  
          clients of banks and brokerage houses must believe that their  
          financial holdings and information are safe.  Attorneys cannot  
          afford to reveal the confidences of clients stored in digital  
          files. 


          Computer criminals have become increasingly sophisticated as
          technology has become more sophisticated and essential to the life
          of virtually every person and entity.  The attacks have included
          locking or encrypting files on the home computers of individual
          victims - often through authentic-looking law enforcement
          notifications that the victim has done some wrong that he or she
          would never want exposed.







          (https://www.fbi.gov/news/stories/2012/august/new-internet-scam.) 



          The attacks have also targeted large entities, such as three
          hospitals in recent, well-publicized incidents in Southern
          California and government entities.
          (https://www.fbi.gov/news/stories/2012/august/new-internet-scam.)
          It appears that no media report of ransomware incidents is
          complete without noting that even police departments have paid
          ransoms to computer criminals.  A February 20, 2015 story in the
          Chicago Tribune reported the suburban Chicago town of Midlothian
          paid a hacker $500 in bitcoin for release of infected files.
          Even the department's backup files were encrypted.
          (http://www.chicagotribune.com/news/local/breaking/ct-midlothian-hacker-ransom-met-20150220-story.html)




          FISCAL EFFECT:   Appropriation:  No   Fiscal Com.:  Yes   Local:  Yes


          According to the Senate Appropriations Committee:


           State prisons:  Potential minor increase in state costs  
            (General Fund) for new commitments to state prison that would  
            not have otherwise been convicted under the extortion  
            statutes, or potentially longer sentences for convictions that  
            otherwise would have been charged as other computer crimes.  
            The California Department of Corrections and Rehabilitation  
            data indicates 29 commitments to state prison in 2015 under  
            the extortion statutes. To the extent the provisions of this
            bill result in even two additional commitments to state prison
            in any one year, state costs would be $58,000,
            assuming the contract bed rate of $29,000 per inmate.


           County jails:  Potential increase in local incarceration costs  
            (Local Funds) to the extent persons would not have otherwise  
            been convicted of the felony offense of extortion or other  
            computer offenses under existing law.









          SUPPORT:   (Verified 5/27/16)


          Los Angeles County District Attorney (co-source)
          TechNet (co-source)
          Association of Orange County Deputy Sheriffs
          California Association of Licensed Investigators
          California Police Chiefs Association
          California State Sheriffs' Association
          California Statewide Law Enforcement Association
          Fraternal Order of Police, California State Lodge
          Long Beach Police Officers Association
          Los Angeles County Professional Peace Officers Association
          Sacramento County Deputy Sheriffs' Association


          OPPOSITION:   (Verified 5/27/16)


          Legal Services for Prisoners with Children



          Prepared by: Jerome McGuire / PUB. S. /
          5/28/16 16:57:31


                                   ****  END  ****