BILL ANALYSIS
SB 1137 Page 1

Date of Hearing: June 28, 2016

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair

SB 1137 (Hertzberg) - As Amended March 31, 2016

SENATE VOTE: 39-0

SUBJECT: Computer crimes: ransomware

SUMMARY: Makes the knowing introduction of ransomware into a computer with the intent of demanding payment to remove the ransomware or reverse its effects a felony, punishable by up to four years in prison and a fine not exceeding ten thousand dollars ($10,000). Specifically, this bill:

1) Makes it a felony to knowingly introduce ransomware into any computer, computer system, or computer network and specifies punishment as imprisonment for two, three, or four years and a fine not exceeding ten thousand dollars ($10,000).

2) Clarifies that prosecution for the knowing introduction of ransomware does not prohibit or limit prosecution under any other law.

3) Defines "ransomware" as "a computer or data contaminant or lock placed in or introduced into a computer system, computer or data in a computer system, or computer that restricts access to the system, computer, or data in some way, and under circumstances in which the person responsible for the ransomware demands payment of money or other consideration to remove the contaminant, unlock the computer system or computer, or repair the injury done to the computer system, computer, or data by the contaminant or lock."

4) Further provides that a person is responsible for placing or introducing a contaminant or lock into a computer system, computer or data on a computer system, or computer if the person directly places or introduces the contaminant or lock, directs another to do so, or induces another person to do so, with the intent of demanding payment or other consideration to remove the contaminant, unlock the computer system or computer, or repair the computer system, computer or data on the computer system, or computer.
5) Provides that no reimbursement is required because the only costs that may be incurred by a local agency or school district will be incurred because this bill creates a new crime or infraction, eliminates a crime or infraction, changes the penalty for a crime or infraction, or changes the definition of a crime.

EXISTING LAW:

1) Establishes various crimes relating to computer services and systems, including, but not limited to, knowingly introducing a computer contaminant. (Penal Code Section (PC) 502(c))

2) Makes a violation of those crimes relating to computer services punishable by specified fines or terms of imprisonment, or by both those fines and imprisonment. (PC 502(d))

3) Authorizes, in addition to any other civil remedy available, the owner or lessee of the computer, computer system, computer network, computer program, or data who suffers damage or loss by reason of a violation of a computer crime to bring a civil action against the violator for compensatory damages and injunctive relief or other equitable relief, as well as reasonable attorney's fees. (PC 502(e))

4) Deems any computer, computer system, computer network, or any software or data, owned by the defendant, that is used during the commission of a computer crime, or any computer owned by the defendant used as a repository for the storage of software or data illegally obtained, subject to forfeiture, as specified. (PC 502(g))

5) Defines a "computer contaminant" as "any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information.
They include, but are not limited to, a group of computer instructions commonly called viruses or worms, that are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network." (PC 502(b)(12))

6) Defines extortion as "the obtaining of property from another, with his consent, or the obtaining of an official act of a public officer, induced by a wrongful use of force or fear, or under color of official right." (PC 512)

FISCAL EFFECT: According to the Senate Appropriations Committee, this bill would have the following fiscal impacts:

1) State prisons: Potential minor increase in state costs (General Fund) for new commitments to state prison that would not have otherwise been convicted under the extortion statutes, or potentially longer sentences for convictions that otherwise would have been charged as other computer crimes. [The California Department of Corrections and Rehabilitation] data indicates 29 commitments to state prison in 2015 under the extortion statutes. To the extent the provisions of this measure result in even two additional commitments to state prison in any one year, the state costs would be $58,000, assuming the contract bed rate of $29,000 per inmate.

2) County jails: Potential increase in local incarceration costs (Local Funds) to the extent persons would not have otherwise been convicted of the felony offense of extortion or other computer offenses under existing law.

COMMENTS:

1) Purpose of this bill. This bill is intended to explicitly and clearly prohibit the use of malicious computer programs called "ransomware" to infect computers or data and lock an authorized user out, and then extort money from that user in exchange for removing the ransomware or otherwise restoring access.
This bill is co-sponsored by TechNet and Los Angeles County District Attorney Jackie Lacey.

2) Author's statement. According to the author's office, "The L.A. Times reports that since 2010 at least 158 institutions, including medical providers, insurers and hospitals, have reported being hacked or having information technology issues that compromised patient records. Earlier this year, computers at Hollywood Presbyterian Medical Center became infected with malware that shut down their communications capabilities. After the 434-bed hospital had been reduced to keeping records with pen and paper, the facility paid a ransom of 40 bitcoins -- about $17,000 -- and regained access to its system. More than a week later, computers at the Los Angeles County Department of Health Services became infected with a program that blocked access to their data. According to a recent report by the Institute for Critical Infrastructure Technology, ransomware will 'wreak havoc' on the United States' critical infrastructure community in 2016."

3) Understanding ransomware. According to cybersecurity firm Kaspersky Labs, ransomware is "a type of malware that, upon infecting a device, blocks access to it or to some or all of the information stored on it. In order to unlock either the device or the data, the user is required to pay a ransom, usually in bitcoins or another widely used e-currency." In practice, ransomware is simply a high-tech version of extortion, using the loss of access to one's data or computer as leverage to extort an electronic payment from the owner of the infected device.

The potential impacts of a ransomware infection are serious.
According to the Federal Bureau of Investigation (FBI), "Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses -- these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them. The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization's reputation. And, of course, home computers are just as susceptible to ransomware, and the loss of access to personal and often irreplaceable items -- including family photos, videos, and other data -- can be devastating for individuals as well." As a result, victims have to deal not only with the loss of access and potentially paying the cost of the ransom, but also the attendant costs of dealing with identity theft and remediating the underlying breach to re-secure the system. The author's office cites FBI statistics showing that more than $209 million in ransomware payments have been paid by victims in the United States in the first three months of 2016, compared to $25 million in all of last year.

4) Ransomware attacks on the rise. In an April 2016 news bulletin, the FBI warns that incidents of ransomware are on the rise: "Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyber attacks, particularly against organizations because the payoffs are higher. And if the first three months of this year are any indication, the number of ransomware incidents -- and the ensuing damage they cause -- will grow even more in 2016 if individuals and organizations don't prepare for these attacks in advance."

These attacks have also become far more sophisticated.
The same FBI bulletin states that "[s]everal years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals. And in newly identified instances of ransomware, some cyber criminals aren't using e-mails at all," and are instead "seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers."

Two well-publicized examples of ransomware attacks in California are cited by co-sponsor TechNet as evidence of how serious the threat is: "During February 2016, the Los Angeles County Department of Health Services computers were targets of a 'ransomware' cyberattack. The agency identified remnants of a ransomware thread on five work computers, but operations were not affected and the county did not pay a ransom. On the other hand, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to hackers who seized control of the hospital's computer system on February 5. The attack forced the hospital to return to pen and paper for its record-keeping. In the best interest of restoring normal operations, the hospital paid the ransom to obtain the decryption key."

5) Arguments in support. According to co-sponsor the Los Angeles District Attorney's Office, "SB 1137 provides a clear code section to prosecute this specific type of computer crime. Existing law does not adequately provide prosecutors with the tools to prosecute this type of crime. SB 1137 eliminates the argument that triggering a system malfunction that implements a restriction is not a contaminant for purposes of Penal Code Section 502. SB 1137 also eliminates this type of argument for password-lockout situations, in which the attacker resets the victim's password and holds it hostage."
"SB 1137 also provides prosecutors a much needed tool to prosecute attackers who use ransomware because California's existing extortion statute (Penal Code 518) may not properly cover the type of harm caused by ransomware. Penal Code 518 makes it a crime to obtain property from an individual with the individual's consent by a wrongful use of force or fear. A wrongful use of fear for the purpose of extortion requires a threat to do an unlawful injury to the property of an individual. In cases of ransomware there is no threat to do harm to the property of another because the harm has already been caused by the introduction of the malware ... When ransomware is used there is no threat to commit a future harm unless a ransom is paid, the harm has already occurred. The attacker is demanding payment to undo the harm they have already committed. The difference is slight but extremely important in a criminal prosecution."

According to co-sponsor TechNet, "we are proud to sponsor SB 1137 (Hertzberg) Ransomware Prevention, which makes it a crime to infect computers, computer systems, or networks with ransomware. We agree ransomware not only affects victims financially, but also imposes additional costs of replacing breached hardware, bringing legal action, and updating system security. This doesn't just impact home computers. Businesses, financial institutions, government agencies, academic institutions, and other organizations are often targets."

6) Arguments in opposition. According to Legal Services for Prisoners with Children, "[ransomware] is already covered by existing law. Penal Code section 502(c) makes it a crime to access a person's computer, to delete data in order to extort money from them, to damage or delete a person's data without their permission, to disrupt the services of another's computer, and to introduce a computer contaminant (virus) to a computer system. Some of these are already felonies.
Because these actions are already prohibited, a new crime and additional punishment is neither necessary nor prudent. This will simply create longer sentences for individuals convicted of violating these provisions, which does not better protect individuals' privacy."

7) Previous legislation. AB 32 (Waldron), Chapter 614, Statutes of 2015, increased the fines for felony convictions of specified computer crimes from a maximum of $5,000 to a maximum of $10,000.

AB 1649 (Waldron), Chapter 379, Statutes of 2014, provided that the crimes and penalties for unauthorized access of or damage to a computer, computer system or data specifically and separately apply to government and public safety infrastructure computers, computer systems and data.

8) Double-referral. This bill was double-referred to the Assembly Public Safety Committee on June 21, 2016, where it passed 7-0.

REGISTERED SUPPORT / OPPOSITION:

Support

Los Angeles County District Attorney's Office (co-sponsor)
TechNet (co-sponsor)
AFSCME Local 658
Association for Los Angeles Deputy Sheriffs
Association of Deputy District Attorneys
Association of Orange County Deputy Sheriffs
California Association of Licensed Investigators
California Hospital Association
California Police Chiefs Association
California State Sheriffs' Association
California Statewide Law Enforcement Association
Fraternal Order of Police
Long Beach Police Officers Association
Los Angeles County Professional Peace Officers Association
Los Angeles Police Protective League
Los Angeles Probation Officer's Union
Riverside Sheriffs Association
Sacramento County Deputy Sheriffs' Association

Opposition

Legal Services for Prisoners with Children

Analysis Prepared by: Hank Dempsey & Karim Troost / P. & C.P. / (916) 319-2200