BILL ANALYSIS
SB 1137
Page 1
Date of Hearing: June 28, 2016
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair
SB 1137 (Hertzberg) - As Amended March 31, 2016
SENATE VOTE: 39-0
SUBJECT: Computer crimes: ransomware
SUMMARY: Makes the knowing introduction of ransomware into a
computer with the intent of demanding payment to remove the
ransomware or reverse its effects a felony, punishable by up to
four years in prison and a fine not exceeding ten thousand
dollars ($10,000). Specifically, this bill:
1) Makes it a felony to knowingly introduce ransomware into any
computer, computer system, or computer network and specifies
punishment as imprisonment for two, three, or four years and a
fine not exceeding ten thousand dollars ($10,000).
2) Clarifies that prosecution for the knowing introduction of
ransomware does not prohibit or limit prosecution under any
other law.
3) Defines "ransomware" as "a computer or data contaminant or
lock placed in or introduced into a computer system, computer
or data in a computer system, or computer that restricts
access to the system, computer, or data in some way, and under
circumstances in which the person responsible for the
ransomware demands payment of money or other consideration to
remove the contaminant, unlock the computer system or
computer, or repair the injury done to the computer system,
computer, or data by the contaminant or lock."
4) Further provides that a person is responsible for placing or
introducing a contaminant or lock into a computer system,
computer or data on a computer system, or computer if the
person directly places or introduces the contaminant or lock,
directs another to do so, or induces another person to do so,
with the intent of demanding payment or other consideration to
remove the contaminant, unlock the computer system or
computer, or repair the computer system, computer, or data on
the computer system or computer.
5) Provides that no reimbursement is required because the only
costs that may be incurred by a local agency or school
district will be incurred because this bill creates a new
crime or infraction, eliminates a crime or infraction, changes
the penalty for a crime or infraction, or changes the
definition of a crime.
EXISTING LAW:
1) Establishes various crimes relating to computer services and
systems, including, but not limited to, knowingly introducing
a computer contaminant. (Penal Code Section (PC) 502(c))
2) Makes a violation of those crimes relating to computer
services punishable by specified fines or terms of
imprisonment, or by both those fines and imprisonment. (PC
502(d))
3) Authorizes, in addition to any other civil remedy available,
the owner or lessee of a computer, computer system, computer
network, computer program, or data who suffers damage or loss
by reason of a violation of a computer crime to bring a civil
action against the violator for compensatory damages and
injunctive relief or other equitable relief, as well as
reasonable attorney's fees. (PC 502(e))
4) Provides that any computer, computer system, computer network,
or any software or data, owned by the defendant, that is used
during the commission of a computer crime, or any computer owned
by the defendant used as a repository for the storage of software
or data illegally obtained, is subject to forfeiture, as
specified. (PC 502(g))
5) Defines a "computer contaminant" as "any set of computer
instructions that are designed to modify, damage, destroy,
record, or transmit information within a computer, computer
system, or computer network without the intent or permission
of the owner of the information. They include, but are not
limited to, a group of computer instructions commonly called
viruses or worms, that are self-replicating or
self-propagating and are designed to contaminate other
computer programs or computer data, consume computer
resources, modify, destroy, record, or transmit data, or in
some other fashion usurp the normal operation of the computer,
computer system, or computer network." (PC 502(b)(12))
6) Defines extortion as "the obtaining of property from another,
with his consent, or the obtaining of an official act of a
public officer, induced by a wrongful use of force or fear, or
under color of official right." (PC 518)
FISCAL EFFECT: According to the Senate Appropriations
Committee, this bill would have the following fiscal impacts:
1) State prisons: Potential minor increase in state costs
(General Fund) for new commitments to state prison of persons who
would not otherwise have been convicted under the extortion
statutes, or potentially longer sentences for convictions that
otherwise would have been charged as other computer crimes.
[California Department of Corrections and Rehabilitation]
data indicate 29 commitments to state prison in 2015 under
the extortion statutes. To the extent the provisions of this
measure result in even two additional commitments to state
prison in any one year, state costs would be $58,000,
assuming the contract bed rate of $29,000 per inmate.
2) County jails: Potential increase in local incarceration costs
(Local Funds) to the extent persons would not have otherwise
been convicted of the felony offense of extortion or other
computer offenses under existing law.
COMMENTS:
1) Purpose of this bill. This bill is intended to explicitly and
clearly prohibit the use of malicious computer programs called
"ransomware" to infect computers or data and lock an
authorized user out, and then extort money from that user in
exchange for removing the ransomware or otherwise restoring
access. This bill is co-sponsored by TechNet and Los Angeles
County District Attorney Jackie Lacey.
2) Author's statement. According to the author's office, "The
L.A. Times reports that since 2010 at least 158 institutions,
including medical providers, insurers and hospitals, have
reported being hacked or having information technology issues
that compromised patient records. Earlier this year,
computers at Hollywood Presbyterian Medical Center became
infected with malware that shut down their communications
capabilities. After the 434-bed hospital had been reduced to
keeping records with pen and paper, the facility paid a ransom
of 40 bitcoins -- about $17,000 -- and regained access to its
system. More than a week later, computers at the Los Angeles
County Department of Health Services became infected with a
program that blocked access to their data. According to a
recent report by the Institute for Critical Infrastructure
Technology, ransomware will 'wreak havoc' on the United
States' critical infrastructure community in 2016."
3) Understanding ransomware. According to cybersecurity firm
Kaspersky Lab, ransomware is "a type of malware that, upon
infecting a device, blocks access to it or to some or all of
the information stored on it. In order to unlock either the
device or the data, the user is required to pay a ransom,
usually in bitcoins or another widely used e-currency." In
practice, ransomware is simply a high-tech version of
extortion, using the loss of access to one's data or computer
as leverage to extort an electronic payment from the owner of
the infected device.
The potential impacts of a ransomware infection are serious.
According to the Federal Bureau of Investigation (FBI),
"Hospitals, school districts, state and local governments, law
enforcement agencies, small businesses, large businesses -- these
are just some of the entities impacted recently by ransomware,
an insidious type of malware that encrypts, or locks, valuable
digital files and demands a ransom to release them. The
inability to access the important data these kinds of
organizations keep can be catastrophic in terms of the loss of
sensitive or proprietary information, the disruption to
regular operations, financial losses incurred to restore
systems and files, and the potential harm to an organization's
reputation. And, of course, home computers are just as
susceptible to ransomware, and the loss of access to personal
and often irreplaceable items -- including family photos, videos,
and other data -- can be devastating for individuals as well."
As a result, victims have to deal not only with the loss of
access and potentially paying the cost of the ransom, but also
the attendant costs of dealing with identity theft and
remediating the underlying breach to re-secure the system.
The author's office cites FBI statistics showing that more than
$209 million in ransomware payments have been paid by victims
in the United States in the first three months of 2016,
compared to $25 million in all of last year.
4) Ransomware attacks on the rise. In an April 2016 news
bulletin, the FBI warns that incidents of ransomware are on
the rise: "Ransomware has been around for a few years, but
during 2015, law enforcement saw an increase in these types of
cyber attacks, particularly against organizations because the
payoffs are higher. And if the first three months of this
year are any indication, the number of ransomware
incidents -- and the ensuing damage they cause -- will grow even
more in 2016 if individuals and organizations don't prepare
for these attacks in advance."
These attacks have also become far more sophisticated. The same
FBI bulletin states that "[s]everal years ago, ransomware was
normally delivered through spam e-mails, but because e-mail
systems got better at filtering out spam, cyber criminals
turned to spear phishing e-mails targeting specific
individuals. And in newly identified instances of ransomware,
some cyber criminals aren't using e-mails at all," and are
instead "seeding legitimate websites with malicious code,
taking advantage of unpatched software on end-user computers."
Two well-publicized examples of ransomware attacks in California
are cited by co-sponsor TechNet as evidence of how serious the
threat is: "During February 2016, the Los Angeles County
Department of Health Services computers were targets of a
'ransomware' cyberattack. The agency identified remnants of a
ransomware thread on five work computers, but operations were
not affected and the county did not pay a ransom. On the
other hand, Hollywood Presbyterian Medical Center paid a
$17,000 ransom in bitcoin to hackers who seized control of the
hospital's computer system on February 5. The attack forced
the hospital to return to pen and paper for its
record-keeping. In the best interest of restoring normal
operations, the hospital paid the ransom to obtain the
decryption key."
5) Arguments in support. According to co-sponsor the Los
Angeles County District Attorney's Office, "SB 1137 provides a clear
code section to prosecute this specific type of computer
crime. Existing law does not adequately provide prosecutors
with the tools to prosecute this type of crime. SB 1137
eliminates the argument that triggering a system malfunction
that implements a restriction is not a contaminant for
purposes of Penal Code Section 502. SB 1137 also eliminates
this type of argument for password-lockout situations, in
which the attacker resets the victim's password and holds it
hostage."
"SB 1137 also provides prosecutors a much needed tool to
prosecute attackers who use ransomware because California's
existing extortion statute (Penal Code 518) may not properly
cover the type of harm caused by ransomware. Penal Code 518
makes it a crime to obtain property from an individual with
the individual's consent by a wrongful use of force or fear.
A wrongful use of fear for the purpose of extortion requires a
threat to do an unlawful injury to the property of an
individual. In cases of ransomware there is no threat to do
harm to the property of another because the harm has already
been caused by the introduction of the malware... When ransomware
is used there is no threat to commit a future harm unless a
ransom is paid, the harm has already occurred. The attacker
is demanding payment to undo the harm they have already
committed. The difference is slight but extremely important
in a criminal prosecution."
According to co-sponsor TechNet, "we are proud to sponsor SB
1137 (Hertzberg) Ransomware Prevention, which makes it a crime
to infect computers, computer systems, or networks with
ransomware. We agree ransomware not only affects victims
financially, but also imposes additional costs of replacing
breached hardware, bringing legal action, and updating system
security. This doesn't just impact home computers.
Businesses, financial institutions, government agencies,
academic institutions, and other organizations are often
targets."
6) Arguments in opposition. According to Legal Services for
Prisoners with Children, "[ransomware] is already covered by
existing law. Penal Code section 502(c) makes it a crime to
access a person's computer, to delete data in order to extort
money from them, to damage or delete a person's data without
their permission, to disrupt the services of another's
computer, and to introduce a computer contaminant (virus) to a
computer system. Some of these are already felonies. Because
these actions are already prohibited, a new crime and
additional punishment is neither necessary nor prudent. This
will simply create longer sentences for individuals convicted
of violating these provisions, which does not better protect
individuals' privacy."
7) Previous legislation. AB 32 (Waldron), Chapter 614, Statutes
of 2015, increased the fines for felony convictions of
specified computer crimes from a maximum of $5,000 to a
maximum of $10,000.
AB 1649 (Waldron), Chapter 379, Statutes of 2014, provided that
the crimes and penalties for unauthorized access of or damage
to a computer, computer system or data specifically and
separately apply to government and public safety
infrastructure computers, computer systems and data.
8) Double-referral. This bill was double-referred to the
Assembly Public Safety Committee on June 21, 2016, where it
passed 7-0.
REGISTERED SUPPORT / OPPOSITION:
Support
Los Angeles County District Attorney's Office (co-sponsor)
TechNet (co-sponsor)
AFSCME Local 658
Association for Los Angeles Deputy Sheriffs
Association of Deputy District Attorneys
Association of Orange County Deputy Sheriffs
California Association of Licensed Investigators
California Hospital Association
California Police Chiefs Association
California State Sheriffs' Association
California Statewide Law Enforcement Association
Fraternal Order of Police
Long Beach Police Officers Association
Los Angeles County Professional Peace Officers Association
Los Angeles Police Protective League
Los Angeles Probation Officer's Union
Riverside Sheriffs Association
Sacramento County Deputy Sheriffs' Association
Opposition
Legal Services for Prisoners with Children
Analysis Prepared by: Hank Dempsey & Karim Troost / P. & C.P. /
(916) 319-2200