BILL ANALYSIS
-----------------------------------------------------------------
|SENATE RULES COMMITTEE | SB 1137|
|Office of Senate Floor Analyses | |
|(916) 651-1520 Fax: (916) 327-4478 | |
-----------------------------------------------------------------
THIRD READING
Bill No: SB 1137
Author: Hertzberg (D), et al.
Amended: 3/31/16
Vote: 21
SENATE PUBLIC SAFETY COMMITTEE: 6-0, 4/12/16
AYES: Hancock, Glazer, Leno, Liu, Monning, Stone
NO VOTE RECORDED: Anderson
SENATE APPROPRIATIONS COMMITTEE: 7-0, 5/27/16
AYES: Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen
SUBJECT: Computer crimes: ransomware
SOURCE: Los Angeles County District Attorney
TechNet
DIGEST: This bill separately defines as a felony the crime of
placing a contaminant or lock on a computer or computer system
for the purpose of locking or controlling the computer, computer
system or data files, coupled with a demand for payment of money
or other consideration before the lock will be removed or
control returned to the owner or authorized user; and specifically
defines such a contaminant or lock as "ransomware."
ANALYSIS:
Existing law:
1)Defines numerous computer or electronic data offenses and
imposes a wide range of penalties based on the seriousness of
the offense or extent of harm caused by the defendant,
including by felony imprisonment pursuant to Penal Code
Section 1170, subdivision (h) for a term of 16 months,
two years or three years and a fine of up to $10,000, or as a
misdemeanor by a fine not exceeding $5,000, or a fine of up to
$1,000 by imprisonment in a county jail not exceeding one
year, or as an infraction. (Pen. Code § 502.) These penalties
apply where any person knowingly:
a) Accesses and without permission alters, damages,
deletes, destroys, or otherwise uses any data, computer,
computer system, or computer network in order to devise or
execute any scheme or artifice to defraud, deceive, or
extort, or wrongfully control or obtain money, property or
data.
b) Accesses and without permission takes, copies or makes
use of any data from a computer, computer system, or
computer network, or takes or copies any supporting
documentation, whether existing or residing internal or
external to a computer, computer system, or computer
network.
c) Accesses and without permission adds, alters, damages,
deletes, or destroys any data, computer software, or
computer programs which reside or exist internal or
external to a computer, computer system, or computer
network.
d) Without permission, disrupts or causes the disruption of
computer services or denies or causes the denial of
computer services to an authorized user of a computer,
computer system, or computer network.
e) Disrupts or improperly accesses a government or public
safety computer system.
f) Without permission provides or assists in providing a
means of accessing, accesses, or causes to be accessed a
computer, computer system, or computer network.
g) Introduces any computer contaminant into any computer,
or computer system, or computer network as specified.
h) Without permission uses the Internet domain name of
another individual, corporation, or entity in connection
with the sending of one or more electronic mail messages,
and thereby damages or causes damage to a computer,
computer system, or computer network as specified. (Pen.
Code § 502, subds. (c)(9) and (d)(5).)
2)Defines extortion as the obtaining of property from another
person, without the person's consent, or obtaining an official
act of a public officer, induced by the wrongful use of force
or fear, or under color of official right. (Pen. Code § 518.)
3)Defines force or fear sufficient to commit extortion as a
threat to do any of the following:
a) Injure the person or property of the person threatened
or a third person.
b) Accuse the threatened person or a relative of a crime.
c) Expose or impute to the person threatened or a relative
any deformity, disgrace or crime.
d) Expose any secret of the person or relative.
e) Report the immigration status of the person or a
relative. (Pen. Code § 519.)
4) Provides that extortion is a felony, punishable pursuant to
Penal Code Section 1170, subdivision (h), to an executed
felony sentence of two, three or four years. (Pen. Code §
520.)
5) Provides that attempted extortion is an alternate
felony-misdemeanor, punishable by a jail term of up to one
year, a fine of up to $1,000, or both, or by a prison term of
16 months, two years or three years and a fine of up to
$10,000.
6) Includes "white collar" financial crime prison sentence
enhancements of one to five years and special fines,
depending on the amount of money or property taken by the
defendant or the loss suffered by the victim. The
enhancements apply where the defendant is convicted of two or
more related felonies and the loss to the victim or gain to
the defendant is at least $100,000. To prevent a defendant
from secreting or dissipating his or her assets, the court
may order pretrial seizure of assets to preserve them for
restitution and fines. (Pen. Code § 186.11.)
7) Includes the federal Computer Fraud and Abuse Act, which
prohibits a number of different computer crimes, the majority
of which involve accessing computers without authorization or
in excess of authorization, and then taking specified
forbidden actions, ranging from obtaining information to
damaging a computer or computer data. (18 U.S.C. §
1030(a)(1)-(7)).
8)Includes federal statutory crimes applicable to a
person who intends to extort from any person any money or
other thing of value and transmits in interstate or foreign
commerce any communication containing either of the following:
a) A threat to damage a protected computer;
b) A threat to obtain information from a protected computer
without authorization or in excess of authorization or to
impair the confidentiality of information obtained from a
protected computer without authorization or by exceeding
authorized access; or
c) A demand or request for money or other thing of value in
relation to damage to a protected computer, where such
damage was caused to facilitate the extortion. A first
violation is punishable by imprisonment for up to five
years and a fine determined pursuant to the sentencing
guidelines. A violation that follows conviction for this
offense or a related offense is punishable by imprisonment
for up to 10 years and a fine determined through the
sentencing guidelines. (18 U.S.C. § 1030 (a)(7).)
This bill:
1)Provides that a person responsible for placing "ransomware"
on a computer, computer system, or data in a computer system
is guilty of a felony, punishable pursuant to Penal Code Section 1170,
subdivision (h), by an executed felony sentence of two years,
three years or four years and a fine of up to $10,000.
2)Defines "ransomware" as the placement or introduction of a
computer contaminant or lock on a computer, computer system,
or data in a computer system, coupled with a demand that money
or other consideration be paid to the person responsible for
the contaminant or lock before it is removed or repaired.
3)Provides that one is responsible for ransomware if the person
directly places or introduces the contaminant or lock, or
directs or induces another person to do so, with the intent to
demand payment or other consideration to remove the
contaminant, unlock the computer system or data, or repair the
computer, computer system or data.
Background
The use of ransomware to demand a payment from a computer or
computer system owner or operator may constitute extortion under
existing California law. California law (Pen. Code § 502 - the
section amended by this bill) also makes it a crime to access,
damage or alter a computer system or data without permission.
Section 502 specifically lists prohibited acts and provides
various penalties, based on the severity of the harm caused or
value of services taken.
This bill adds the use of ransomware as a computer crime in
Section 502. The penalty for this form of computer crime is
the same as the penalty for extortion, a felony term of two,
three, or four years. (Pen. Code §§ 518-527.) A prosecutor
could charge ransomware with the very specific crime defined by
this bill and the more general crime of extortion. A prosecutor
could perhaps conclude that jurors would have such a set
understanding of extortion as meaning a demand for protection
money from a store owner or blackmail to hide an embarrassing
secret that they might be confused or reluctant to apply
extortion to a highly technical and sophisticated computer
scheme. A defendant, however, convicted of both offenses would
be subject to a single punishment. California sentencing law
generally permits a prosecutor to obtain a conviction on every
crime covered by the defendant's conduct. However, the
defendant can only be punished a single time for one act that
violates a number of criminal statutes or for multiple offenses
committed in one indivisible transaction. (Pen. Code § 654.)
It appears that the use of ransomware to extort money or other forms
of exchange, such as bitcoin, has become nearly ubiquitous.
Even relatively large-scale attacks on or seizure of control
over computers, computer systems and computer can be done
quickly and remotely. Victims can reasonably conclude that they
have little option but to comply. The perpetrators might well
be in another country or even another continent. An attempt to
obtain assistance from law enforcement may be futile and the
perpetrators could punish such attempts by destroying data that
includes an entity's entire operation. A business or
organization could conclude that it could no longer function if
the threat is carried out. Even where the threat is not
executed, the very admission of the event could be extremely
harmful to a business or other organization's reputation. For
example, a hospital would be loath to admit that confidential
medical records were seized or locked. The customers and
clients of banks and brokerage houses must believe that their
financial holdings and information are safe. Attorneys cannot
afford to reveal the confidences of clients stored in digital
files.
Computer criminals have become increasingly sophisticated as
technology has become more sophisticated and essential to the life
of virtually every person and entity. The attacks have included
locking or encrypting files on the home computers of individual
victims - often through authentic-looking law enforcement
notifications that the victim has done some wrong that he or she
would never want exposed.
(https://www.fbi.gov/news/stories/2012/august/new-internet-scam.)
The attacks have also targeted large entities, such as three
hospitals in recent, well-publicized incidents in Southern
California and government entities.
(https://www.fbi.gov/news/stories/2012/august/new-internet-scam.)
It appears that no media report of ransomware incidents is
complete without noting that even police departments have paid
ransoms to computer criminals. A February 20, 2015 story in the
Chicago Tribune reported the suburban Chicago town of Midlothian
paid a hacker $500 in bitcoin for release of infected files.
Even the department's backup files were encrypted.
(http://www.chicagotribune.com/news/local/breaking/ct-midlothian-hacker-ransom-met-20150220-story.html)
FISCAL EFFECT: Appropriation: No   Fiscal Com.: Yes   Local: Yes
According to the Senate Appropriations Committee:
State prisons: Potential minor increase in state costs
(General Fund) for new commitments to state prison that would
not have otherwise been convicted under the extortion
statutes, or potentially longer sentences for convictions that
otherwise would have been charged as other computer crimes.
The California Department of Corrections and Rehabilitation
data indicates 29 commitments to state prison in 2015 under
the extortion statutes. To the extent the provisions of this
bill result in even two additional commitments to state prison
in any one year, this would result in state costs of $58,000,
assuming the contract bed rate of $29,000 per inmate.
County jails: Potential increase in local incarceration costs
(Local Funds) to the extent persons would not have otherwise
been convicted of the felony offense of extortion or other
computer offenses under existing law.
SUPPORT: (Verified 5/27/16)
Los Angeles County District Attorney (co-source)
TechNet (co-source)
Association of Orange County Deputy Sheriffs
California Association of Licensed Investigators
California Police Chiefs Association
California State Sheriffs' Association
California Statewide Law Enforcement Association
Fraternal Order of Police, California State Lodge
Long Beach Police Officers Association
Los Angeles County Professional Peace Officers Association
Sacramento County Deputy Sheriffs' Association
OPPOSITION: (Verified 5/27/16)
Legal Services for Prisoners with Children
Prepared by: Jerome McGuire / PUB. S. /
5/28/16 16:57:31
**** END ****