BILL ANALYSIS
SB 1137
Page 1
Date of Hearing: August 3, 2016
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Lorena Gonzalez, Chair
SB 1137
(Hertzberg) - As Amended August 1, 2016
-----------------------------------------------------------------
|Policy Committee: |Public Safety                   |Vote: |7 - 0  |
|                  |Privacy and Consumer Protection |      |11 - 0 |
-----------------------------------------------------------------
Urgency: No    State Mandated Local Program: Yes    Reimbursable: No
SUMMARY:
This bill provides that a person who knowingly introduces
"ransomware," as defined, into any computer, computer system, or
computer network is guilty of a felony, punishable by
imprisonment in a county jail, or state prison under specified
circumstances, for two, three, or four years, and/or a fine of
up to $10,000.
FISCAL EFFECT:
1)Potential moderate increased cost (General Fund) to the
California Department of Corrections and Rehabilitation (CDCR)
for new commitments to state prison that would not have
otherwise been convicted under the extortion statutes, or
potentially longer sentences for convictions that otherwise
would have been charged as other computer crimes. To the
extent the provisions of this measure result in two additional
commitments to state prison per year, the first year cost
would be $58,000, the second year would be $116,000, and
$174,00 thereafter assuming three-year sentences.
2)Potential increase in nonreimbursable local incarceration
costs to the extent persons would not have otherwise been
convicted of the felony offense of extortion or other computer
offenses under existing law. These costs may be partially
offset by revenue from fines.
COMMENTS:
1)Purpose. According to the author, "Kidnapping and ransom
demands have been around as long as criminal activity itself.
But what is new in today's digital age is the immediacy in
which a computer hacker can access your computer and hold it
hostage. Computer users are told that the only way to get
their machines back is to pay a steep fine. This is known as
"ransomware."
In practice, ransomware is simply a high-tech version of
extortion, using the loss of access to one's data or computer
as leverage to extort an electronic payment from the owner of
the infected device.
This bill is intended to explicitly and clearly prohibit the
use of malicious computer programs to infect computers or data
and lock an authorized user out, and then extort money from
that user in exchange for removing the ransomware or otherwise
restoring access.
2)Background. Current law defines "extortion" as the obtaining
of property from another, with consent, or the obtaining of an
official act of a public officer, induced by a wrongful use of
force or fear, or under color of official right. Current law
also specifies that every person who extorts any money or
other property from another, under circumstances not amounting
to robbery or carjacking, by means of force, or any threat,
such as is mentioned in existing provisions of law relating to
threats sufficient to constitute extortion is guilty of a
crime.
Current law establishes various crimes relating to computer
services and systems, including, but not limited to, knowingly
introducing a computer contaminant. It also makes a violation
of those crimes relating to computer services punishable by
specified fines or terms of imprisonment, or by both those
fines and imprisonment.
According to the author's office, "The L.A. Times reports that
since 2010 at least 158 institutions, including medical
providers, insurers and hospitals, have reported being hacked
or having information technology issues that compromised
patient records. Earlier this year, computers at Hollywood
Presbyterian Medical Center became infected with malware that
shut down their communications capabilities. After the
434-bed hospital had been reduced to keeping records with pen
and paper, the facility paid a ransom of 40 bitcoins -- about
$17,000 -- and regained access to its system. More than a
week later, computers at the Los Angeles County Department of
Health Services became infected with a program that blocked
access to their data. According to a recent report by the
Institute for Critical Infrastructure Technology, ransomware
will 'wreak havoc' on the United States' critical
infrastructure community in 2016."
3)Support. The sponsor, the Los Angeles District Attorney's
Office, argues that this bill provides a clear code section to
prosecute ransomware because existing law may not properly
cover the type of harm caused by ransomware. Ransomware
impacts home computers, businesses, financial institutions,
government agencies, academic institutions, and other
organizations.
4)Opposition. Legal Services for Prisoners with Children argues
that these actions are already prohibited and that a new crime
and additional punishment are neither necessary nor prudent. This
new law will simply create longer sentences for individuals
convicted of violating these provisions, which does not better
protect individuals' privacy.
5)Prior Legislation:
a) AB 32 (Waldron), Chapter 614, Statutes of 2015,
increased the fines for felony convictions of specified
computer crimes from a maximum of $5,000 to a maximum of
$10,000.
Analysis Prepared by: Pedro Reyes / APPR. / (916) 319-2081