BILL ANALYSIS
SB 1137
Page 1
Date of Hearing: June 21, 2016
Counsel: David Billingsley
ASSEMBLY COMMITTEE ON PUBLIC SAFETY
Reginald Byron Jones-Sawyer, Sr., Chair
SB 1137 (Hertzberg) - As Amended March 31, 2016
SUMMARY: Makes it a crime to knowingly introduce "ransomware"
into a computer or computer network for the purpose of extorting
payment. Specifically, this bill:
1)Makes it a crime for a person to knowingly introduce
ransomware into any computer, computer system, or computer
network. This bill would make a violation of this provision
punishable by imprisonment in a county jail for two, three, or
four years and a fine not exceeding $10,000.
2)Defines "ransomware" to mean a "computer or data contaminant
or lock placed in or introduced into a computer system,
computer or data in a computer system, or computer that
restricts access to system, computer, or data in some way, and
under circumstances in which the person responsible for the
ransomware demands payment of money or other consideration to
remove the contaminant, unlock the computer system or
computer, or repair the injury done to the computer system,
computer, or data by the contaminant or lock."
3)Specifies that a person is responsible for placing or
introducing a contaminant or lock into a computer system,
computer or data on a computer system, or computer if the
person directly places or introduces the contaminant or lock,
directs another to do so, or induces another person to do so,
with the intent of demanding payment or other consideration to
remove the contaminant, unlock the computer system or
computer, or repair the computer system, computer or data on
the computer system, or computer.
4)Specifies that prosecution under that provision does not
prohibit or limit prosecution under any other law.
EXISTING LAW:
1)Defines "extortion" as the obtaining of property from another,
with his consent, or the obtaining of an official act of a
public officer, induced by a wrongful use of force or fear, or
under color of official right. (Pen. Code, § 518.)
2)Specifies that fear, sufficient to constitute extortion, may
be induced by a threat of any of the following:
a) To do an unlawful injury to the person or property of
the individual threatened or of a third person;
b) To accuse the individual threatened, or any relative of
his, or member of his family, of any crime;
c) To expose, or to impute to him or them any deformity,
disgrace or crime; or,
d) To expose any secret affecting him or them. (Pen. Code,
§ 519.)
3)States that every person who extorts any money or other
property from another, under circumstances not amounting to
robbery or carjacking, by means of force, or any threat, such
as is mentioned in existing provisions of law relating to
threats sufficient to constitute extortion, shall be punished
by custody time of two, three or four years. (Pen. Code,
§ 520.)
4)Provides that every person who commits any extortion under
color of official right, in cases for which a different
punishment is not prescribed in the Penal Code, is guilty of a
misdemeanor. (Pen. Code, § 521.)
5)States that every person who attempts, by means of any threat,
such as is specified in existing provisions of law relating to
threats sufficient to constitute extortion, to extort money or
other property from another is punishable by imprisonment in
the county jail not longer than one year or in the state
prison or by fine not exceeding ten thousand dollars
($10,000), or by both such fine and imprisonment. (Pen. Code,
§ 524.)
6)Specifies that any person who commits any of the following
acts is guilty of a crime:
a) Knowingly accesses and without permission alters,
damages, deletes, destroys, or otherwise uses any data,
computer, computer system, or computer network in order to
either (A) devise or execute any scheme or artifice to
defraud, deceive, or extort, or (B) wrongfully control or
obtain money, property, or data. (Pen. Code, § 502, subd.
(c)(1).)
b) Knowingly accesses and without permission takes, copies,
or makes use of any data from a computer, computer system,
or computer network, or takes or copies any supporting
documentation, whether existing or residing internal or
external to a computer, computer system, or computer
network. (Pen. Code, § 502, subd. (c)(2).)
c) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software,
or computer programs which reside or exist internal or
external to a computer, computer system, or computer
network. (Pen. Code, § 502, subd. (c)(4).)
d) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the
denial of computer services to an authorized user of a
computer, computer system, or computer network. (Pen. Code,
§ 502, subd. (c)(5).)
e) Knowingly and without permission disrupts or causes the
disruption of government computer services or denies or
causes the denial of government computer services to an
authorized user of a government computer, computer system,
or computer network. (Pen. Code, § 502, subd. (c)(10).)
f) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software,
or computer programs which reside or exist internal or
external to a public safety infrastructure computer system
computer, computer system, or computer network. (Pen. Code,
§ 502, subd. (c)(11).)
g) Knowingly and without permission disrupts or causes the
disruption of public safety infrastructure computer system
computer services or denies or causes the denial of
computer services to an authorized user of a public safety
infrastructure computer system computer, computer system,
or computer network. (Pen. Code, § 502, subd. (c)(12).)
7)States that any person who violates any of the provisions of
6(a)-(g) is guilty of a felony, punishable by imprisonment
pursuant to subdivision (h) of Section 1170 for 16 months, or
two or three years and a fine not exceeding ten thousand
dollars ($10,000), or a misdemeanor, punishable by
imprisonment in a county jail not exceeding one year, by a
fine not exceeding five thousand dollars ($5,000), or by both
that fine and imprisonment.
8)Specifies that any person who commits any of the following
acts is guilty of a crime:
a) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system,
or computer network in violation of this section; (Pen.
Code, § 502, subd. (c)(6).)
b) Knowingly and without permission accesses or causes to
be accessed any computer, computer system, or computer
network; and (Pen. Code, § 502, subd. (c)(7).)
c) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system,
or public safety infrastructure computer system computer,
computer system, or computer network in violation of this
section. (Pen. Code, § 502, subd. (c)(13).)
9)States that any person who violates 8(a)-(c) is punishable as
follows:
a) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding one thousand
dollars ($1,000);
b) For any violation that results in a victim expenditure
in an amount not greater than five thousand dollars
($5,000), or for a second or subsequent violation, by a
fine not exceeding five thousand dollars ($5,000), or by
imprisonment in a county jail not exceeding one year, or by
both fine and imprisonment; and
c) For any violation that results in a victim expenditure
in an amount greater than five thousand dollars ($5,000),
by a fine not exceeding ten thousand dollars ($10,000), or
by imprisonment pursuant to subdivision (h) of Section 1170
for 16 months, or two or three years, or by both that fine
and imprisonment, or by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not
exceeding one year, or by both fine and imprisonment.
10)Specifies that any person who commits any of the following
acts is guilty of a crime:
a) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network; and (Pen.
Code, § 502, subd. (c)(8).)
b) Knowingly introduces any computer contaminant into any
public safety infrastructure computer system computer,
computer system, or computer network. (Pen. Code, § 502,
subd. (c)(14).)
11) States that any person who violates 10(a)-(b) is punishable
as follows:
a) For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding five
thousand dollars ($5,000), or by imprisonment in a county
jail not exceeding one year, or by both fine and
imprisonment; and
b) For any violation that results in injury, or for a
second or subsequent violation, by a fine not exceeding ten
thousand dollars ($10,000), or by imprisonment in a county
jail not exceeding one year, or by imprisonment pursuant to
subdivision (h) of Section 1170, or by both fine and
imprisonment.
12)States that in addition to any other civil remedy available,
the owner or lessee of the computer, computer system, computer
network, computer program, or data who suffers damage or loss
by reason of a violation of specified computer crimes may bring
civil action against the violator for compensatory damages and
injunctive relief or other equitable relief. (Pen. Code, §
502, subd. (e)(1).)
FISCAL EFFECT: Unknown.
COMMENTS:
1)Author's Statement: According to the author, "Kidnapping and
ransom demands have been around as long as criminal activity
itself. But what is new in today's digital age is the
immediacy in which a computer hacker can access your computer
and hold it hostage. Computer users are told that the only way
to get their machines back is to pay a steep fine. This is
known as 'ransomware.'
"SB 1137 addresses this new form of ransom in Penal Code.
Currently, statutes on extortion can be used to prosecute
ransomware crimes. However, extortion is based on the threat
of future harm. When ransomware is used there is no threat to
commit a future harm unless a ransom is paid, the harm has
already occurred. The attacker is demanding payment to undo
the harm they have already committed. The difference is
slight, but extremely important in a criminal prosecution.
"Earlier this year, computers at Hollywood Presbyterian
Medical Center became infected with malware that shut down
their communications capabilities. After the 434-bed hospital
had been reduced to keeping records with pen and paper, the
facility paid a ransom of 40 bitcoins -- about $17,000 -- and
regained access to its system.
"SB 1137 defines ransomware and outlines the punishment for
those convicted of the crime. With advanced technology comes
advanced forms of crime, and we must be properly equipped to
address them."
2)Ransomware: Ransomware is a type of malware that restricts
access to the infected computer system in some way, and
demands that the user pay a ransom to the malware operators to
remove the restriction. Some forms of ransomware
systematically encrypt files on the system's hard drive; those
files become difficult or impossible to decrypt without the key
that the attacker withholds until the ransom is paid.
Payment is virtually always the goal, and the victim is
coerced into paying for the ransomware to be removed, which may
or may not actually occur, either by supplying a program that
can decrypt the files or by sending an unlock code that
undoes the payload's changes. A key element in making
ransomware work for the attacker is a convenient, untraceable
payment system. A range of such payment methods has been
used, including wire transfer, premium-rate text messages,
online payment voucher services such as Ukash or Paysafecard,
and the digital currency Bitcoin.
3)Ransomware is a Crime under Existing California Law: The use
of ransomware to demand a payment from a computer or computer
system owner or operator appears to constitute extortion under
existing California law. California law makes it a felony to
commit extortion. "Extortion" is defined as obtaining
property from another, with his consent, induced by a wrongful
use of force or fear. (Pen. Code, § 518.) Existing law states
that fear, sufficient to establish extortion, may be induced by a
threat to do an unlawful injury to the person or property of the
individual.
A demand for money based on the introduction of "ransomware" to
an individual computer or to a computer network seems to fit
within the crime of extortion. If the computer owner fails to
pay the "ransom", they face financial losses if they are
unable to access data, programs, or computer functionality
that they need. In addition to any financial losses, the
computer user is denied the use of, and access to, their
property. If the fear of such consequences results in payment
to remove the ransomware, the crime of extortion has been
committed.
California law (Pen. Code, § 502 - the section amended by this
bill) also makes it a crime to access, damage or alter a
computer system or data without permission. Section 502
specifically lists prohibited acts and provides various
penalties, based on the severity of the harm caused or value
of services taken.
This bill would add the use of ransomware as a computer crime
in Section 502. The penalty for this form of computer crime
is the same as the penalty for extortion, a felony term of
two, three, or four years. (Pen. Code, §§ 518-527.)
4)Governor's 2016 Veto Message Regarding "Multiplication" and
"Particularization" of Crimes: In 2015, the Governor vetoed a
number of criminal justice bills because they created new
crimes for conduct that was already prohibited. The bills the
Governor vetoed on this basis included: AB 144, AB 849, SB
168, SB 170, SB 271, SB 333, SB 347, SB 716, and SB 722.
The Governor vetoed those bills and issued this statement
applying to all the bills:
"Each of these bills creates a new crime - usually by
finding a novel way to characterize and criminalize conduct
that is already proscribed. This multiplication and
particularization of criminal behavior creates increasing
complexity without commensurate benefit.
"Over the last several decades, California's criminal code
has grown to more than 5,000 separate provisions, covering
almost every conceivable form of human misbehavior. During
the same period, our jail and prison populations have
exploded.
"Before we keep going down this road, I think we should
pause and reflect on how our system of criminal justice
could be made more human, more just and more
cost-effective."
As pointed out above, "ransomware" is already criminal
behavior prohibited by existing law.
5)Argument in Support: According to the Los Angeles County
District Attorney, "Attackers using ransomware don't just
target private individuals. Businesses, financial
institutions, government agencies, academic institutions, and
other organizations are often targets. According to the L.A.
Times, since 2010 at least 158 institutions, including medical
providers, insurers and hospitals, have reported being hacked
or having information technology issues that compromised
patient records.
"During February 2016, the Los Angeles County Department of
Health Services computers were targets of a 'ransomware' cyber
attack. The agency identified remnants of a ransomware thread
on five work computers, but operations were not affected and
the county did not pay a ransom. On the other hand, Hollywood
Presbyterian Medical Center paid a $17,000 ransom in bitcoin
to hackers who seized control of the hospital's computer
system on February 5. The attack forced the hospital to
return to pen and paper for its record-keeping. In the best
interest of restoring normal operations, the hospital paid the
ransom to obtain the decryption key.
"SB 1137 provides a clear code section to prosecute this
specific type of computer crime. Existing law does not
adequately provide prosecutors with the tools to prosecute
this type of crime. SB 1137 eliminates the argument that
triggering a system function that implements a restriction is
not a contaminant for purposes of Penal Code Section 502. SB
1137 also eliminates this type of argument for
password-lockout situations, in which the attacker resets the
victim's password and holds it hostage. SB 1137 also provides
prosecutors a much needed tool to prosecute attackers who use
ransomware because California's existing extortion statute
(Penal Code 518) may not properly cover the type of harm
caused by ransomware.
"Penal Code Section 518 makes it a crime to obtain property from
an individual with the individual's consent by a wrongful use
of fear. A wrongful use of fear for the purpose of extortion
requires a threat to do an unlawful injury to the property of
another because the harm has already been caused by the
introduction of the malware.
"For example in a traditional extortion prosecution, a defendant
is charged with extortion for threatening to cause physical
harm to an individual or their property (pay me $1 million or
I will break your legs or I will burn your business to the
ground). In these prosecutions it is the threat to commit the
harm unless a ransom is paid that is prosecuted.
"When ransomware is used there is no threat to commit a future
harm unless a ransom is paid, the harm has already occurred.
The attacker is demanding to undo the harm they have already
committed. The difference is slight but extremely important
in a criminal prosecution."
6)Argument in Opposition: According to Legal Services for
Prisoners with Children, "This bill would create a specific
prohibition against infecting a person's computer with
'ransomware,' causing their computer to fail to operate, and
extorting money from them. However, this activity is already
covered by existing law. Penal Code section 502(c) makes it a
crime to access a person's computer, to delete data in order
to extort money from them, to damage or delete a person's data
without their permission, to disrupt the services of another's
computer, and to introduce a computer contaminant (virus) to a
computer system. Some of these are already felonies.
"Because these actions are already prohibited, a new crime and
additional punishment is neither necessary nor prudent. This
will simply create longer sentences for individuals convicted
of violating these provisions, which does not increase public
safety."
7)Related Legislation:
a) AB 32 (Waldron), Chapter 614, Statutes of 2015,
increased fines for felony convictions of specified
computer crimes from a maximum of $5,000, to a maximum of
$10,000.
8)Prior Legislation:
a) AB 1649 (Waldron), Chapter 379, Statutes of 2014,
provided that the crimes and penalties for unauthorized
access of or damage to a computer, computer system or data
shall apply to government and public safety infrastructure
computers, computer systems and data.
REGISTERED SUPPORT / OPPOSITION:
Support
Los Angeles County District Attorney's Office (Co-Sponsor)
TechNet (Co-Sponsor)
AFSCME Local 685
Association of Deputy District Attorneys
Association of Orange County Deputy Sheriffs
California Association of Licensed Investigators
California District Attorneys Association
California Hospital Association
California Police Chiefs Association
California State Sheriffs' Association
California Statewide Law Enforcement Association
Fraternal Order of Police
Los Angeles Deputy Sheriffs
Los Angeles Police Protective League
Los Angeles Probation Officer's Union
Long Beach Police Officers Association
Riverside Sheriffs Association
Sacramento County Deputy Sheriffs' Association
Opposition
Legal Services for Prisoners with Children
Analysis Prepared by: David Billingsley / PUB. S. / (916) 319-3744