BILL ANALYSIS                                                                                                                                                                                                    



                                                                    SB 1137  


                                                                    Page  1





          Date of Hearing:  August 3, 2016


                        ASSEMBLY COMMITTEE ON APPROPRIATIONS


                               Lorena Gonzalez, Chair


          SB 1137  
          (Hertzberg) - As Amended August 1, 2016


           ----------------------------------------------------------------- 
          |Policy       |Public Safety                  |Vote:|7 - 0        |
          |Committee:   |                               |     |             |
          |-------------+-------------------------------+-----+-------------|
          |             |Privacy and Consumer           |     |11 - 0       |
          |             |Protection                     |     |             |
           ----------------------------------------------------------------- 


          Urgency:  No  State Mandated Local Program:  Yes  Reimbursable:  No


          SUMMARY:


          This bill provides that a person who knowingly introduces  
          "ransomware," as defined, into any computer, computer system, or  
          computer network is guilty of a felony, punishable by  
          imprisonment in a county jail, or state prison under specified  
          circumstances, for two, three, or four years, and/or a fine of  
          up to $10,000. 















          FISCAL EFFECT:


          1)Potential moderate increased cost (General Fund) to the  
            California Department of Corrections and Rehabilitation  
            (CDCR) for new commitments to state prison that would not have  
            otherwise been convicted under the extortion statutes, or  
            potentially longer sentences for convictions that otherwise  
            would have been charged as other computer crimes.  To the  
            extent the provisions of this measure result in two additional  
            commitments to state prison per year, the first year cost  
            would be $58,000, the second year would be $116,000, and  
            $174,000 thereafter, assuming three-year sentences.


          2)Potential increase in nonreimbursable local incarceration  
            costs  to the extent persons would not have otherwise been  
            convicted of the felony offense of extortion or other computer  
            offenses under existing law.  These costs may be partially  
            offset by revenue from fines.


          COMMENTS:


          1)Purpose.  According to the author, "Kidnapping and ransom  
            demands have been around as long as criminal activity itself.  
            But what is new in today's digital age is the immediacy in  
            which a computer hacker can access your computer and hold it  
            hostage. Computer users are told that the only way to get  
            their machines back is to pay a steep fine. This is known as  
            "ransomware


            In practice, ransomware is simply a high-tech version of  
            extortion, using the loss of access to one's data or computer  
            as leverage to extort an electronic payment from the owner of  
            the infected device. 


            This bill is intended to explicitly and clearly prohibit the  
            use of malicious computer programs to infect computers or data  
            and lock an authorized user out, and then extort money from  
            that user in exchange for removing the ransomware or otherwise  
            restoring access.  





          2)Background.  Current law defines "extortion" as the obtaining  
            of property from another, with consent, or the obtaining of an  
            official act of a public officer, induced by a wrongful use of  
            force or fear, or under color of official right.  Current law  
            also specifies that every person who extorts any money or  
            other property from another, under circumstances not amounting  
            to robbery or carjacking, by means of force, or any threat,  
            such as is mentioned in existing provisions of law relating to  
            threats sufficient to constitute extortion, is guilty of a  
            crime. 


            Current law establishes various crimes relating to computer  
            services and systems, including, but not limited to, knowingly  
            introducing a computer contaminant.  It also makes a violation  
            of those crimes relating to computer services punishable by  
            specified fines or terms of imprisonment, or by both those  
            fines and imprisonment.  


            According to the author's office, "The L.A. Times reports that  
            since 2010 at least 158 institutions, including medical  
            providers, insurers and hospitals, have reported being hacked  
            or having information technology issues that compromised  
            patient records.  Earlier this year, computers at Hollywood  
            Presbyterian Medical Center became infected with malware that  
            shut down their communications capabilities.  After the  
            434-bed hospital had been reduced to keeping records with pen  
            and paper, the facility paid a ransom of 40 bitcoins -- about  
            $17,000 -- and regained access to its system.  More than a  
            week later, computers at the Los Angeles County Department of  
            Health Services became infected with a program that blocked  
            access to their data.  According to a recent report by the  
            Institute for Critical Infrastructure Technology, ransomware  
            will 'wreak havoc' on the United States' critical  
            infrastructure community in 2016."


          3)Support.  The sponsor, the Los Angeles District Attorney's  
            Office, argues that this bill provides a clear code section to  
            prosecute ransomware because existing law may not properly  
            cover the type of harm caused by ransomware.  Ransomware  
            impacts home computers, businesses, financial institutions,  
            government agencies, academic institutions, and other  
            organizations.  



          4)Opposition.  Legal Services for Prisoners with Children argues  
            that these actions are already prohibited and that a new crime  
            and additional punishment are neither necessary nor prudent.  
            This new law will simply create longer sentences for  
            individuals convicted of violating these provisions, which  
            does not better protect individuals' privacy.



          5)Prior Legislation:
          


             a)   AB 32 (Waldron), Chapter 614, Statutes of 2015,  
               increased the fines for felony convictions of specified  
               computer crimes from a maximum of $5,000 to a maximum of  
               $10,000.








          Analysis Prepared by:  Pedro Reyes / APPR. / (916) 319-2081