BILL ANALYSIS                                                                                                                                                                                                    

                                                                    SB 1137

                                                                    Page  1

          Date of Hearing:   June 28, 2016


                                   Ed Chau, Chair

          1137 (Hertzberg) - As Amended March 31, 2016

          SENATE VOTE:  39-0

          SUBJECT:  Computer crimes:  ransomware

          SUMMARY:  Makes the knowing introduction of ransomware into a  
          computer with the intent of demanding payment to remove the  
          ransomware or reverse its effects a felony, punishable by up to  
          four years in prison and a fine not exceeding ten thousand  
          dollars ($10,000).  Specifically, this bill:  

          1)Makes it a felony to knowingly introduce ransomware into any  
            computer, computer system, or computer network and specifies  
            punishment as imprisonment for two, three, or four years and a  
            fine not exceeding ten thousand dollars ($10,000).

          2)Clarifies that prosecution for the knowing introduction of  
            ransomware does not prohibit or limit prosecution under any  
            other law.


                                                                    SB 1137

                                                                    Page  2

          3)Defines "ransomware" as "a computer or data contaminant or  
            lock placed in or introduced into a computer system, computer  
            or data in a computer system, or computer that restricts  
            access to the system, computer, or data in some way, and under  
            circumstances in which the person responsible for the  
            ransomware demands payment of money or other consideration to  
            remove the contaminant, unlock the computer system or  
            computer, or repair the injury done to the computer system,  
            computer, or data by the contaminant or lock."

          4)Further provides that a person is responsible for placing or  
            introducing a contaminant or lock into a computer system,  
            computer or data on a computer system, or computer if the  
            person directly places or introduces the contaminant or lock,  
            directs another to do so, or induces another person do so,  
            with the intent of demanding payment or other consideration to  
            remove the contaminant, unlock the computer system or  
            computer, or repair the computer system, computer or data on  
            the computer system, or computer.

          5)Provides that no reimbursement is required because the only  
            costs that may be incurred by a local agency or school  
            district will be incurred because this bill creates a new  
            crime or infraction, eliminates a crime or infraction, changes  
            the penalty for a crime or infraction, or changes the  
            definition of a crime.
          EXISTING LAW:   

          1)Establishes various crimes relating to computer services and  
            systems, including, but not limited to, knowingly introducing  
            a computer contaminant.  (Penal Code Section (PC) 502(c))


                                                                    SB 1137

                                                                    Page  3

          2)Makes a violation of those crimes relating to computer  
            services punishable by specified fines or terms of  
            imprisonment, or by both those fines and imprisonment.  (PC  

          3)Authorizes, in addition to any other civil remedy available,  
            the owner or lessee of the computer, computer system, computer  
            network, computer program, or data who suffers damage or loss  
            by reason of a violation of a computer crime may bring a civil  
            action against the violator for compensatory damages and  
            injunctive relief or other equitable relief, as well as  
            reasonable attorney's fees.  (PC 502(e)) 

          4)Deems any computer, computer system, computer network, or any  
            software or data, owned by the defendant, that is used during  
            the commission of a computer crime, or any computer owned by  
            the defendant used as a repository for the storage of software  
            or data illegally obtained, shall be subject to forfeiture, as  
            specified.  (PC 502(g))

          5)Defines a "computer contaminant" as "any set of computer  
            instructions that are designed to modify, damage, destroy,  
            record, or transmit information within a computer, computer  
            system, or computer network without the intent or permission  
            of the owner of the information.  They include, but are not  
            limited to, a group of computer instructions commonly called  
            viruses or worms, that are self-replicating or  
            self-propagating and are designed to contaminate other  
            computer programs or computer data, consume computer  
            resources, modify, destroy, record, or transmit data, or in  


                                                                    SB 1137

                                                                    Page  4

            some other fashion usurp the normal operation of the computer,  
            computer system, or computer network."  (PC 502 (b)(12))

          6)Defines extortion as "the obtaining of property from another,  
            with his consent, or the obtaining of an official act of a  
            public officer, induced by a wrongful use of force or fear, or  
            under color of official right."  (PC 512)

          FISCAL EFFECT:  According to the Senate Appropriations  
          Committee, this bill would have the following fiscal impacts: 

           1)State prisons  :  Potential minor increase in state costs  
            (General Fund) for new commitments to state prison that would  
            not have otherwise been convicted under the extortion  
            statutes, or potentially longer sentences for convictions that  
            otherwise would have been charged as other computer crimes.   
            [The California Department of Corrections and Rehabilitation]  
            data indicates 29 commitments to state prison in 2015 under  
            the extortion statutes.  To the extent the provisions of this  
            measure result in even two additional commitments to state  
            prison in any one year would result in state costs of $58,000  
            assuming the contract bed rate of $29,000 per inmate.

           2)County jails  :  Potential increase in local incarceration costs  
            (Local Funds) to the extent persons would not have otherwise  
            been convicted of the felony offense of extortion or other  
            computer offenses under existing law. 



                                                                    SB 1137

                                                                    Page  5

           1)Purpose of this bill  .  This bill is intended to explicitly and  
            clearly prohibit the use of malicious computer programs called  
            "ransomware" to infect computers or data and lock an  
            authorized user out, and then extort money from that user in  
            exchange for removing the ransomware or otherwise restoring  
            access.  This bill is co-sponsored by TechNet and Los Angeles  
            County District Attorney Jackie Lacey.  

          2)Author's statement  .  According to the author's office, "The  
            L.A. Times reports that since 2010 at least 158 institutions,  
            including medical providers, insurers and hospitals, have  
            reported being hacked or having information technology issues  
            that compromised patient records.  Earlier this year,  
            computers at Hollywood Presbyterian Medical Center became  
            infected with malware that shut down their communications  
            capabilities.  After the 434-bed hospital had been reduced to  
            keeping records with pen and paper, the facility paid a ransom  
            of 40 bitcoins -- about $17,000 -- and regained access to its  
            system.  More than a week later, computers at the Los Angeles  
            County Department of Health Services became infected with a  
            program that blocked access to their data.  According to a  
            recent report by the Institute for Critical Infrastructure  
            Technology, ransomware will 'wreak havoc' on the United  
            States' critical infrastructure community in 2016."  

            3)Understanding ransomware.   According to cybersecurity firm  
            Kaspersky Labs, ransomware is "a type of malware that, upon  
            infecting a device, blocks access to it or to some or all of  
            the information stored on it.  In order to unlock either the  
            device or the data, the user is required to pay a ransom,  
            usually in bitcoins or another widely used e-currency."  In  
            practice, ransomware is simply a high-tech version of  
            extortion, using the loss of access to one's data or computer  
            as leverage to extort an electronic payment from the owner of  
            the infected device.  


                                                                    SB 1137

                                                                    Page  6

           The potential impacts of a ransomware infection are serious.   
            According to the Federal Bureau of Investigation (FBI),  
            "Hospitals, school districts, state and local governments, law  
            enforcement agencies, small businesses, large businesses-these  
            are just some of the entities impacted recently by ransomware,  
            an insidious type of malware that encrypts, or locks, valuable  
            digital files and demands a ransom to release them.  The  
            inability to access the important data these kinds of  
            organizations keep can be catastrophic in terms of the loss of  
            sensitive or proprietary information, the disruption to  
            regular operations, financial losses incurred to restore  
            systems and files, and the potential harm to an organization's  
            reputation.  And, of course, home computers are just as  
            susceptible to ransomware, and the loss of access to personal  
            and often irreplaceable items-including family photos, videos,  
            and other data-can be devastating for individuals as well."   
            As a result, victims have to deal not only with the loss of  
            access and potentially paying the cost of the ransom, but also  
            the attendant costs of dealing with identity theft and  
            remediating the underlying breach to re-secure the system.

          The author's office cites FBI statistics showing that more than  
            $209 million in ransomware payments have been paid by victims  
            in the United States in the first three months of 2016,  
            compared to $25 million in all of last year.

           4)Ransomware attacks on the rise.   In an April 2016 news  
            bulletin, the FBI warns that incidents of ransomware are on  
            the rise: "Ransomware has been around for a few years, but  
            during 2015, law enforcement saw an increase in these types of  
            cyber attacks, particularly against organizations because the  
            payoffs are higher.  And if the first three months of this  
            year are any indication, the number of ransomware  
            incidents-and the ensuing damage they cause-will grow even  
            more in 2016 if individuals and organizations don't prepare  
            for these attacks in advance."


                                                                    SB 1137

                                                                    Page  7

          These attacks have also become far more sophisticated.  The same  
            FBI bulletin states that "[s]everal years ago, ransomware was  
            normally delivered through spam e-mails, but because e-mail  
            systems got better at filtering out spam, cyber criminals  
            turned to spear phishing e-mails targeting specific  
            individuals.  And in newly identified instances of ransomware,  
            some cyber criminals aren't using e-mails at all," and are  
            instead "seeding legitimate websites with malicious code,  
            taking advantage of unpatched software on end-user computers."

          Two well-publicized examples of ransomware attacks in California  
            are cited by co-sponsor TechNet as evidence of how serious the  
            threat is: "During February 2016, the Los Angeles County  
            Department of Health Services computers were targets of a  
            'ransomware' cyberattack. The agency identified remnants of a  
            ransomware thread on five work computers, but operations were  
            not affected and the county did not pay a ransom.  On the  
            other hand, Hollywood Presbyterian Medical Center paid a  
            $17,000 ransom in bitcoin to hackers who seized control of the  
            hospital's computer system on February 5.  The attack forced  
            the hospital to return to pen and paper for its  
            record-keeping.  In the best interest of restoring normal  
            operations, the hospital paid the ransom to obtain the  
            decryption key."  
          5)Arguments in support.   According to co-sponsor, the Los  
            Angeles District Attorney's Office, "SB 1137 provides a clear  
            code section to prosecute this specific type of computer  
            crime. Existing law does not adequately provide prosecutors  
            with the tools to prosecute this type of crime.  SB 1137  
            eliminates the argument that triggering a system malfunction  
            that implements a restriction is not a contaminant for  
            purposes of Penal Code Section 502.  SB 1137 also eliminates  
            this type of argument for password-lockout situations, in  
            which the attacker resets the victim's password and holds it  


                                                                    SB 1137

                                                                    Page  8

          "SB 1137 also provides prosecutors a much needed tool to  
            prosecute attackers who use ransomware because California's  
            existing extortion statute (Penal Code 518) may not properly  
            cover the type of harm caused by ransomware.  Penal Code 518  
            makes it a crime to obtain property from an individual with  
            the individual's consent by a wrongful use of force or fear.   
            A wrongful use of fear for the purpose of extortion requires a  
            threat to do an unlawful injury to the property of an  
            individual.  In cases of ransomware there is no threat to do  
            harm to the property of another because the harm has already  
            been caused by the introduction of the malware?When ransomware  
            is used there is no threat to commit a future harm unless a  
            ransom is paid, the harm has already occurred.  The attacker  
            is demanding payment to undo the harm they have already  
            committed.  The difference is slight but extremely important  
            in a criminal prosecution."

          According to co-sponsor TechNet, "we are proud to sponsor SB  
            1137 (Hertzberg) Ransomware Prevention, which makes it a crime  
            to infect computers, computer systems, or networks with  
            ransomware.  We agree ransomware not only affects victims  
            financially, but also imposes additional costs of replacing  
            breached hardware, bringing legal action, and updating system  
            security.  This doesn't just impact home computers.   
            Businesses, financial institutions, government agencies,  
            academic institutions, and other organizations are often  

           6)Arguments in opposition  .  According to Legal Services for  
            Prisoners with Children, "[ransomware] is already covered by  
            existing law.  Penal Code section 502(c) makes it a crime to  
            access a person's computer, to delete data in order to extort  
            money from them, to damage or delete a person's data without  
            their permission, to disrupt the services of another's  
            computer, and to introduce a computer contaminant (virus) to a  
            computer system.  Some of these are already felonies.  Because  
            these actions are already prohibited, a new crime and  


                                                                    SB 1137

                                                                    Page  9

            additional punishment is neither necessary nor prudent.  This  
            will simply create longer sentences for individuals convicted  
            of violating these provisions, which does not better protect  
            individual's privacy." 

           7)Previous legislation  .  AB 32 (Waldron), Chapter 614, Statutes  
            of 2015, increased the fines for felony convictions of  
            specified computer crimes from a maximum of $5,000 to a  
            maximum of $10,000.

          AB 1649 (Waldron), Chapter 379, Statutes of 2014, provided that  
            the crimes and penalties for unauthorized access of or damage  
            to a computer, computer system or data specifically and  
            separately apply to government and public safety  
            infrastructure computers, computer systems and data.
           8)Double-referral  .  This bill was double-referred to the  
            Assembly Public Safety Committee on June 21, 2016, where it  
            passed 7-0. 



          Los Angeles County District Attorney's Office (co-sponsor)

          TechNet (co-sponsor)

          AFSCME Local 658


                                                                    SB 1137

                                                                    Page  10

          Association for Los Angeles Deputy Sheriffs

          Association of Deputy District Attorneys

          Association of Orange County Deputy Sheriffs

          California Association of Licensed Investigators

          California Hospital Association

          California Police Chiefs Association

          California State Sheriffs' Association

          California Statewide Law Enforcement Association

          Fraternal Order of Police

          Long Beach Police Officers Association

          Los Angeles County Professional Peace Officers Association

          Los Angeles Police Protective League

          Los Angeles Probation Officer's Union


                                                                    SB 1137

                                                                    Page  11

          Riverside Sheriffs Association

          Sacramento County Deputy Sheriffs' Association


          Legal Services for Prisoners with Children

          Analysis Prepared by:Hank Dempsey & Karim Troost / P. & C.P. /  
          (916) 319-2200