BILL ANALYSIS

                                                                    SB 1137
                                                                    Page  1

          Date of Hearing:  June 21, 2016

          Counsel:               David Billingsley

                         ASSEMBLY COMMITTEE ON PUBLIC SAFETY

                       Reginald Byron Jones-Sawyer, Sr., Chair

          SB 1137 (Hertzberg) - As Amended March 31, 2016





          SUMMARY:  Makes it a crime to knowingly introduce "ransomware"  
          into a computer or computer network for the purpose of extorting  
          payment.  Specifically, this bill:  



          1)Makes it a crime for a person to knowingly introduce
            ransomware into any computer, computer system, or computer
            network. This bill would make a violation of this provision
            punishable by imprisonment in a county jail for two, three, or
            four years and a fine not exceeding $10,000.

          2)Defines "ransomware" to mean a "computer or data contaminant
            or lock placed in or introduced into a computer system,
            computer or data in a computer system, or computer that
            restricts access to system, computer, or data in some way, and
            under circumstances in which the person responsible for the
            ransomware demands payment of money or other consideration to
            remove the contaminant, unlock the computer system or
            computer, or repair the injury done to the computer system,
            computer, or data by the contaminant or lock."

          3)Specifies that a person is responsible for placing or
            introducing a contaminant or lock into a computer system,
            computer or data on a computer system, or computer if the
            person directly places or introduces the contaminant or lock,
            directs another to do so, or induces another person to do so,
            with the intent of demanding payment or other consideration to
            remove the contaminant, unlock the computer system or
            computer, or repair the computer system, computer or data on
            the computer system, or computer.

          4)Specifies that prosecution under that provision does not
            prohibit or limit prosecution under any other law.

          EXISTING LAW:

          1)Defines "extortion" as the obtaining of property from another,
            with his consent, or the obtaining of an official act of a
            public officer, induced by a wrongful use of force or fear, or
            under color of official right.  (Pen. Code, § 518.)

          2)Specifies that fear, sufficient to constitute extortion, may  
            be induced by a threat of any of the following: 

             a)   To do an unlawful injury to the person or property of  
               the individual threatened or of a third person; 

             b)   To accuse the individual threatened, or any relative of  
               his, or member of his family, of any crime; 

             c)   To expose, or to impute to him or them any deformity,  
               disgrace or crime; or, 

             d)   To expose, any secret affecting him or them. (Pen. Code,
                § 519.)

          3)States that every person who extorts any money or other  
            property from another, under circumstances not amounting to  
            robbery or carjacking, by means of force, or any threat, such  
            as is mentioned in existing provisions of law relating to  
            threats sufficient to constitute extortion, shall be punished  
            by custody time of two, three or four years.  (Pen. Code  
            Section 520.)

          4)Provides that every person who commits any extortion under  
            color of official right, in cases for which a different  
            punishment is not prescribed in the Penal Code, is guilty of a  
            misdemeanor.  (Pen. Code Section 521.)

          5)States that every person who attempts, by means of any threat,
            such as is specified in existing provisions of law relating to
            threats sufficient to constitute extortion, to extort money or
            other property from another is punishable by imprisonment in
            the county jail not longer than one year or in the state
            prison or by fine not exceeding ten thousand dollars
            ($10,000), or by both such fine and imprisonment.  (Pen. Code
            Section 524.)

          6)Specifies that any person who commits any of the following
            acts is guilty of a crime:

             a)   Knowingly accesses and without permission alters,
               damages, deletes, destroys, or otherwise uses any data,
               computer, computer system, or computer network in order to
               either (A) devise or execute any scheme or artifice to
               defraud, deceive, or extort, or (B) wrongfully control or
               obtain money, property, or data. (Pen. Code, § 502, subd.
               (c)(1).)

             b)   Knowingly accesses and without permission takes, copies,
               or makes use of any data from a computer, computer system,
               or computer network, or takes or copies any supporting
               documentation, whether existing or residing internal or
               external to a computer, computer system, or computer
               network. (Pen. Code, § 502, subd. (c)(2).)

             c)   Knowingly accesses and without permission adds, alters,
               damages, deletes, or destroys any data, computer software,
               or computer programs which reside or exist internal or
               external to a computer, computer system, or computer
               network. (Pen. Code, § 502, subd. (c)(4).)

             d)   Knowingly and without permission disrupts or causes the
               disruption of computer services or denies or causes the
               denial of computer services to an authorized user of a
               computer, computer system, or computer network. (Pen. Code,
               § 502, subd. (c)(5).)

             e)   Knowingly and without permission disrupts or causes the
               disruption of government computer services or denies or
               causes the denial of government computer services to an
               authorized user of a government computer, computer system,
               or computer network. (Pen. Code, § 502, subd. (c)(10).)

             f)   Knowingly accesses and without permission adds, alters,
               damages, deletes, or destroys any data, computer software,
               or computer programs which reside or exist internal or
               external to a public safety infrastructure computer system
               computer, computer system, or computer network. (Pen. Code,
               § 502, subd. (c)(11).)

             g)   Knowingly and without permission disrupts or causes the
               disruption of public safety infrastructure computer system
               computer services or denies or causes the denial of
               computer services to an authorized user of a public safety
               infrastructure computer system computer, computer system,
               or computer network. (Pen. Code, § 502, subd. (c)(12).)

          7)States that any person who violates any of the provisions of
            6(a)-(g) is guilty of a felony, punishable by imprisonment
            pursuant to subdivision (h) of Section 1170 for 16 months, or
            two or three years and a fine not exceeding ten thousand
            dollars ($10,000), or a misdemeanor, punishable by
            imprisonment in a county jail not exceeding one year, by a
            fine not exceeding five thousand dollars ($5,000), or by both
            that fine and imprisonment.

          8)Specifies that any person who commits any of the following
            acts is guilty of a crime:

             a)   Knowingly and without permission provides or assists in
               providing a means of accessing a computer, computer system,
               or computer network in violation of this section; (Pen.
               Code, § 502, subd. (c)(6).)

             b)   Knowingly and without permission accesses or causes to
               be accessed any computer, computer system, or computer
               network; and (Pen. Code, § 502, subd. (c)(7).)

             c)   Knowingly and without permission provides or assists in
               providing a means of accessing a computer, computer system,
               or public safety infrastructure computer system computer,
               computer system, or computer network in violation of this
               section. (Pen. Code, § 502, subd. (c)(13).)

          9)States that any person who violates 8(a)-(c) is punishable as
            follows:

             a)   For a first violation that does not result in injury, an
               infraction punishable by a fine not exceeding one thousand
               dollars ($1,000);

             b)   For any violation that results in a victim expenditure
               in an amount not greater than five thousand dollars
               ($5,000), or for a second or subsequent violation, by a
               fine not exceeding five thousand dollars ($5,000), or by
               imprisonment in a county jail not exceeding one year, or by
               both fine and imprisonment; and

             c)   For any violation that results in a victim expenditure
               in an amount greater than five thousand dollars ($5,000),
               by a fine not exceeding ten thousand dollars ($10,000), or
               by imprisonment pursuant to subdivision (h) of Section 1170  
               for 16 months, or two or three years, or by both that fine  
               and imprisonment, or by a fine not exceeding five thousand  
               dollars ($5,000), or by imprisonment in a county jail not  
               exceeding one year, or by both fine and imprisonment.



          10)Specifies that any person who commits any of the following
            acts is guilty of a crime:

             a)   Knowingly introduces any computer contaminant into any
               computer, computer system, or computer network; and (Pen.
               Code, § 502, subd. (c)(8).)

             b)   Knowingly introduces any computer contaminant into any
               public safety infrastructure computer system computer,
               computer system, or computer network. (Pen. Code, § 502,
               subd. (c)(14).)

          11)States that any person who violates 10(a)-(b) is punishable
            as follows:

             a)   For a first violation that does not result in injury, a
               misdemeanor punishable by a fine not exceeding five
               thousand dollars ($5,000), or by imprisonment in a county
               jail not exceeding one year, or by both fine and
               imprisonment; and

             b)   For any violation that results in injury, or for a
               second or subsequent violation, by a fine not exceeding ten
               thousand dollars ($10,000), or by imprisonment in a county
               jail not exceeding one year, or by imprisonment pursuant to
               subdivision (h) of Section 1170, or by both fine and
               imprisonment.

          12)States that in addition to any other civil remedy available,
            the owner or lessee of the computer, computer system, computer
            network, computer program, or data who suffers damage or loss
            by reason of a violation of specified computer crimes may bring
            a civil action against the violator for compensatory damages
            and injunctive relief or other equitable relief. (Pen. Code,
            § 502, subd. (e)(1).)

          FISCAL EFFECT:  Unknown.

          COMMENTS:

          1)Author's Statement:  According to the author, "Kidnapping and
            ransom demands have been around as long as criminal activity
            itself. But what is new in today's digital age is the
            immediacy in which a computer hacker can access your computer
            and hold it hostage. Computer users are told that the only way
            to get their machines back is to pay a steep fine. This is
            known as "ransomware."

            "SB 1137 addresses this new form of ransom in Penal Code.
            Currently, statutes on extortion can be used to prosecute
            ransomware crimes. However, extortion is based on the threat
            of future harm. When ransomware is used there is no threat to
            commit a future harm unless a ransom is paid, the harm has
            already occurred.  The attacker is demanding payment to undo
            the harm they have already committed.  The difference is
            slight, but extremely important in a criminal prosecution.

            "Earlier this year, computers at Hollywood Presbyterian  
            Medical Center became infected with malware that shut down  
            their communications capabilities. After the 434-bed hospital  
            had been reduced to keeping records with pen and paper, the  
            facility  paid a ransom of 40 bitcoins -- about $17,000  -- and  
            regained access to its system.

            "SB 1137 defines ransomware and outlines the punishment for  
            those convicted of the crime. With advanced technology comes  
            advanced forms of crime, and we must be properly equipped to  
            address them."

          2)Ransomware:  Ransomware is a type of malware that restricts
            access to the infected computer system in some way, and
            demands that the user pay a ransom to the malware operators to
            remove the restriction. Some forms of ransomware
            systematically encrypt files on the system's hard drive, which
            become difficult or impossible to decrypt without paying the
            ransom for the encryption key.

            Payment is virtually always the goal, and the victim is
            coerced into paying for the ransomware to be removed, which may
            or may not actually occur, either by supplying a program that
            can decrypt the files or by sending an unlock code that
            undoes the payload's changes. A key element in making
            ransomware work for the attacker is a convenient untraceable
            payment system. A range of such payment methods has been
            used, including wire transfer, premium-rate text messages,
            online payment voucher services such as Ukash or Paysafecard,
            and the digital currency Bitcoin.

          3)Ransomware is a Crime under Existing California Law:  The use
            of ransomware to demand a payment from a computer or computer
            system owner or operator appears to constitute extortion under
            existing California law.  California law makes it a felony to
            commit extortion.  "Extortion" is defined as obtaining
            property from another, with his consent, by a use of force or
            fear. (Pen. Code, § 518.)  Existing law states that fear,
            sufficient to establish extortion, may be established by a
            threat to do an unlawful injury to the person or property of
            the individual.

            A demand for money based on the introduction of "ransomware" to
            an individual computer or to a computer network seems to fit
            within the crime of extortion.  If the computer owner fails to
            pay the "ransom", they face financial losses if they are
            unable to access data, programs, or computer functionality
            that they need.  In addition to any financial losses, the
            computer user is denied the use of, and access to, their
            property.  If the fear of such consequences results in payment
            to remove the ransomware, the crime of extortion has been
            committed.

            California law (Pen. Code, § 502, the section amended by this
            bill) also makes it a crime to access, damage or alter a
            computer system or data without permission. Section 502
            specifically lists prohibited acts and provides various
            penalties, based on the severity of the harm caused or value
            of services taken.

            This bill would add the use of ransomware as a computer crime
            in Section 502.  The penalty for this form of computer crime
            is the same as the penalty for extortion, a felony term of
            two, three, or four years.  (Pen. Code, §§ 518-527.)

          4)Governor's 2016 Veto Message Regarding "Multiplication" and
            "Particularization" of Crimes:  In 2015, the Governor vetoed a
            number of criminal justice bills because they created new
            crimes for conduct that was already prohibited.  The bills the
            Governor vetoed on this basis included:  AB 144, AB 849, SB
            168, SB 170, SB 271, SB 333, SB 347, SB 716, SB 722.

            The Governor vetoed those bills and issued this statement
            applying to all the bills:

               "Each of these bills creates a new crime - usually by
               finding a novel way to characterize and criminalize conduct
               that is already proscribed. This multiplication and
               particularization of criminal behavior creates increasing
               complexity without commensurate benefit.

               "Over the last several decades, California's criminal code
               has grown to more than 5,000 separate provisions, covering
               almost every conceivable form of human misbehavior. During
               the same period, our jail and prison populations have
               exploded.

               "Before we keep going down this road, I think we should
               pause and reflect on how our system of criminal justice
               could be made more human, more just and more
               cost-effective."

            As pointed out above, "ransomware" is already criminal
            behavior prohibited by existing law.

          5)Argument in Support:  According to the Los Angeles County
            District Attorney, "Attackers using ransomware don't just
            target private individuals.  Businesses, financial
            institutions, government agencies, academic institutions, and
            other organizations are often targets.  According to the L.A.
            Times, since 2010 at least 158 institutions, including medical
            providers, insurers and hospitals, have reported being hacked
            or having information technology issues that compromised
            patient records.

            "During February 2016, the Los Angeles County Department of
            Health Services computers were targets of a "ransomware" cyber
            attack.  The agency identified remnants of a ransomware thread
            on five work computers, but operations were not affected and
            the county did not pay a ransom.  On the other hand, Hollywood
            Presbyterian Medical Center paid a $17,000 ransom in bitcoin
            to hackers who seized control of the hospital's computer
            system on February 5.  The attack forced the hospital to
            return to pen and paper for its record-keeping.  In the best
            interest of restoring normal operations, the hospital paid the
            ransom to obtain the decryption key.

            "SB 1137 provides a clear code section to prosecute this
            specific type of computer crime.  Existing law does not
            adequately provide prosecutors with the tools to prosecute
            this type of crime.  SB 1137 eliminates the argument that
            triggering a system function that implements a restriction is
            not a contaminant for purposes of Penal Code Section 502.  SB
            1137 also eliminates this type of argument for
            password-lockout situations, in which the attacker resets the
            victim's password and holds it hostage.  SB 1137 also provides
            prosecutors a much needed tool to prosecute attackers who use
            ransomware because California's existing extortion statute
            (Penal Code 518) may not properly cover the type of harm
            caused by ransomware.

            "Penal Code Section 518 makes it a crime to obtain property from
            an individual with the individual's consent by a wrongful use
            of fear.  A wrongful use of fear for the purpose of extortion
            requires a threat to do an unlawful injury to the property of
            another because the harm has already been caused by the
            introduction of the malware.

            "For example in a traditional extortion prosecution, a defendant
            is charged with extortion for threatening to cause physical
            harm to an individual or their property (pay me $1 million or
            I will break your legs or I will burn your business to the
            ground).  In these prosecutions it is the threat to commit the
            harm unless a ransom is paid that is prosecuted.

            "When ransomware is used there is no threat to commit a future
            harm unless a ransom is paid, the harm has already occurred.
            The attacker is demanding to undo the harm they have already
            committed.  The difference is slight but extremely important
            in a criminal prosecution.

          6)Argument in Opposition:  According to Legal Services for
            Prisoners with Children, "This bill would create a specific
            prohibition against infecting a person's computer with
            'ransomware,' causing their computer to fail to operate, and
            extorting money from them.  However, this activity is already
            covered by existing law.  Penal Code section 502(c) makes it a
            crime to access a person's computer, to delete data in order
            to extort money from them, to damage or delete a person's data
            without their permission, to disrupt the services of another's
            computer, and to introduce a computer contaminant (virus) to a
            computer system.  Some of these are already felonies.

            "Because these actions are already prohibited, a new crime and
            additional punishment is neither necessary nor prudent.  This
            will simply create longer sentences for individuals convicted
            of violating these provisions, which does not increase public
            safety."

          7)Related Legislation:

             a)   AB 32 (Waldron), Chapter 614, Statutes of 2015,
               increased fines for felony convictions of specified
               computer crimes from a maximum of $5,000, to a maximum of
               $10,000.

          8)Prior Legislation:

             a)   AB 1649 (Waldron), Chapter 379, Statutes of 2014,
               provided that the crimes and penalties for unauthorized
               access of or damage to a computer, computer system or data
               shall apply to government and public safety infrastructure
               computers, computer systems and data.

          REGISTERED SUPPORT / OPPOSITION:

          Support

          Los Angeles County District Attorney's Office (Co-Sponsor)
          TechNet (Co-Sponsor)
          AFSCME Local 685
          Association of Deputy District Attorneys
          Association of Orange County Deputy Sheriffs
          California Association of Licensed Investigators
          California District Attorneys Association
          California Hospital Association
          California Police Chiefs Association
          California State Sheriffs' Association
          California Statewide Law Enforcement Association
          Fraternal Order of Police
          Los Angeles Deputy Sheriffs
          Los Angeles Police Protective League
          Los Angeles Probation Officer's Union
          Long Beach Police Officers Association
          Riverside Sheriffs Association
          Sacramento County Deputy Sheriffs' Association



          Opposition

          Legal Services for Prisoners with Children

          Analysis Prepared by:  David Billingsley / PUB. S. / (916) 319-3744