BILL ANALYSIS                                                                                                                                                                                                    Ó



                                                                    SB 1137


                                                                    Page  1





          SENATE THIRD READING


          SB  
          1137 (Hertzberg)


          As Amended  August 1, 2016


          Majority vote


          SENATE VOTE:  39-0


           ------------------------------------------------------------------ 
          |Committee       |Votes|Ayes                  |Noes                |
          |                |     |                      |                    |
          |                |     |                      |                    |
          |                |     |                      |                    |
          |----------------+-----+----------------------+--------------------|
          |Public Safety   |7-0  |Jones-Sawyer,         |                    |
          |                |     |Melendez, Lackey,     |                    |
          |                |     |Lopez, Low, Quirk,    |                    |
          |                |     |Santiago              |                    |
          |                |     |                      |                    |
          |----------------+-----+----------------------+--------------------|
          |Privacy         |11-0 |Chau, Wilk, Baker,    |                    |
          |                |     |Calderon, Chang,      |                    |
          |                |     |Cooper, Dababneh,     |                    |
          |                |     |Gatto, Gordon, Low,   |                    |
          |                |     |Olsen                 |                    |
          |                |     |                      |                    |
          |----------------+-----+----------------------+--------------------|
          |Appropriations  |20-0 |Gonzalez, Bigelow,    |                    |
          |                |     |Bloom, Bonilla,       |                    |
          |                |     |Bonta, Calderon,      |                    |
          |                |     |Chang, Daly, Eggman,  |                    |








                                                                    SB 1137


                                                                    Page  2





          |                |     |Gallagher, Eduardo    |                    |
          |                |     |Garcia, Holden,       |                    |
          |                |     |Jones, Obernolte,     |                    |
          |                |     |Quirk, Santiago,      |                    |
          |                |     |Wagner, Weber, Wood,  |                    |
          |                |     |McCarty               |                    |
          |                |     |                      |                    |
          |                |     |                      |                    |
           ------------------------------------------------------------------ 


          SUMMARY:  Makes it a crime to knowingly introduce "ransomware"  
          into a computer or computer network for the purpose of extorting  
          payment.  Specifically, this bill:  


          1)Makes it a crime for a person to knowingly introduce  
            ransomware into any computer, computer system, or computer  
            network.  This bill would make a violation of this provision  
            punishable by imprisonment in a county jail for two, three, or  
            four years and a fine not exceeding $10,000.


          2)Defines "Ransomware" mean a "computer contaminant or lock  
            placed or introduced without authorization into a computer,  
            computer system, or computer network  that restricts access by  
            an authorized person to the computer, computer system,  
            computer network, or any data therein,  under circumstances in  
            which the person responsible for the placement or introduction  
            of the ransomware demands payment of money or other  
            consideration to remove the computer contaminant, restore  
            access to the computer, computer system, computer network, or  
            data, or otherwise remediate the  impact of the computer  
            contaminant or lock."


          3)Specifies that a person is responsible for placing or  
            introducing ransomware into a computer, computer system, or  
            computer network if the person directly places or introduces  








                                                                    SB 1137


                                                                    Page  3





            the ransomware, or directs or induces another person do so,  
            with the intent of demanding payment or other consideration to  
            remove the ransomware, restore access, or otherwise remediate  
            the impact of the ransomware. 


          4)Specifies that prosecution under that provision does not  
            prohibit or limit prosecution under any other law.


          


          EXISTING LAW:  


          1)Defines "extortion" as the obtaining of property from another,  
            with his consent, or the obtaining of an official act of a  
            public officer, induced by a wrongful use of force or fear, or  
            under color of official right.  
          2)Specifies that fear, sufficient to constitute extortion, may  
            be induced by a threat of any of the following: 


             a)   To do an unlawful injury to the person or property of  
               the individual threatened or of a third person; 
             b)   To accuse the individual threatened, or any relative of  
               his, or member of his family, of any crime; 


             c)   To expose, or to impute to him or them any deformity,  
               disgrace or crime; or, 


             d)   To expose, any secret affecting him or them. 


          3)States that every person who extorts any money or other  
            property from another, under circumstances not amounting to  








                                                                    SB 1137


                                                                    Page  4





            robbery or carjacking, by means of force, or any threat, such  
            as is mentioned in existing provisions of law relating to  
            threats sufficient to constitute extortion, shall be punished  
            by custody time of two, three or four years.  Specifies that  
            any person who commits any of the following acts is guilty of  
            a crime:


             a)   Knowingly accesses and without permission alters,  
               damages, deletes, destroys, or otherwise uses any data,  
               computer, computer system, or computer network in order to  
               either i) devise or execute any scheme or artifice to  
               defraud, deceive, or extort, or ii) wrongfully control or  
               obtain money, property, or data. 


             b)   Knowingly accesses and without permission takes, copies,  
               or makes use of any data from a computer, computer system,  
               or computer network, or takes or copies any supporting  
               documentation, whether existing or residing internal or  
               external to a computer, computer system, or computer  
               network. 


             c)   Knowingly accesses and without permission adds, alters,  
               damages, deletes, or destroys any data, computer software,  
               or computer programs which reside or exist internal or  
               external to a computer, computer system, or computer  
               network. 


             d)   Knowingly and without permission disrupts or causes the  
               disruption of computer services or denies or causes the  
               denial of computer services to an authorized user of a  
               computer, computer system, or computer network. 


             e)   Knowingly and without permission disrupts or causes the  
               disruption of government computer services or denies or  








                                                                    SB 1137


                                                                    Page  5





               causes the denial of government computer services to an  
               authorized user of a government computer, computer system,  
               or computer network. 


             f)   Knowingly accesses and without permission adds, alters,  
               damages, deletes, or destroys any data, computer software,  
               or computer programs which reside or exist internal or  
               external to a public safety infrastructure computer system  
               computer, computer system, or computer network. 


             g)   Knowingly and without permission disrupts or causes the  
               disruption of public safety infrastructure computer system  
               computer services or denies or causes the denial of  
               computer services to an authorized user of a public safety  
               infrastructure computer system computer, computer system,  
               or computer network. 


          4)States that any person who violates any of the provisions of  
            3a)-g) is guilty of a felony, punishable by imprisonment  
            pursuant to Section 1170(h) for 16 months, or two or three  
            years and a fine not exceeding $10,000, or a misdemeanor,  
            punishable by imprisonment in a county jail not exceeding one  
            year, by a fine not exceeding $5,000, or by both that fine and  
            imprisonment.


          5)Specifies that any person who commits any of the following  
            acts is guilty of a crime:


             a)   Knowingly and without permission provides or assists in  
               providing a means of accessing a computer, computer system,  
               or computer network in violation of this section; 


             b)   Knowingly and without permission accesses or causes to  








                                                                    SB 1137


                                                                    Page  6





               be accessed any computer, computer system, or computer  
               network; and 


             c)   Knowingly and without permission provides or assists in  
               providing a means of accessing a computer, computer system,  
               or public safety infrastructure computer system computer,  
               computer system, or computer network in violation of this  
               section. 


          6)States that any person who violates 5a)-c) is punishable as  
            follows:


             a)   For a first violation that does not result in injury, an  
               infraction punishable by a fine not exceeding $1,000;


             b)   For any violation that results in a victim expenditure  
               in an amount not greater than $5,000, or for a second or  
               subsequent violation, by a fine not exceeding $5,000, or by  
               imprisonment in a county jail not exceeding one year, or by  
               both fine and imprisonment; and


             c)   For any violation that results in a victim expenditure  
               in an amount greater than $5,000, by a fine not exceeding  
               $10,000, or by imprisonment pursuant to Section 1170(h) for  
               16 months, or two or three years, or by both that fine and  
               imprisonment, or by a fine not exceeding $5,000, or by  
               imprisonment in a county jail not exceeding one year, or by  
               both fine and imprisonment.


          7)Specifies that any person who commits any of the following  
            acts is guilty of a crime:










                                                                    SB 1137


                                                                    Page  7





             a)   Knowingly introduces any computer contaminant into any  
               computer, computer system, or computer network; and 


             b)   Knowingly introduces any computer contaminant into any  
               public safety infrastructure computer system computer,  
               computer system, or computer network. 


          8)States that any person who violates 7a)-b) is punishable as  
            follows:


             a)   For a first violation that does not result in injury, a  
               misdemeanor punishable by a fine not exceeding $5,000, or  
               by imprisonment in a county jail not exceeding one year, or  
               by both fine and imprisonment; and


             b)   For any violation that results in injury, or for a  
               second or subsequent violation, by a fine not exceeding  
               $10,000, or by imprisonment in a county jail not exceeding  
               one year, or by imprisonment pursuant to Section 1170(h),  
               or by both fine and imprisonment.


          COMMENTS:  According to the author, "Kidnapping and ransom  
          demands have been around as long as criminal activity itself.   
          But what is new in today's digital age is the immediacy in which  
          a computer hacker can access your computer and hold it hostage.   
          Computer users are told that the only way to get their machines  
          back is to pay a steep fine.  This is known as "ransomware."


          "SB 1137 addresses this new form of ransom in Penal Code.   
          Currently, statutes on extortion can be used to prosecute  
          ransomware crimes.  However, extortion is based on the threat of  
          future harm.  When ransomware is used there is no threat to  
          commit a future harm unless a ransom is paid, the harm has  








                                                                    SB 1137


                                                                    Page  8





          already occurred.  The attacker is demanding payment to undo the  
          harm they have already committed.  The difference is slight, but  
          extremely important in a criminal prosecution.


          "Earlier this year, computers at Hollywood Presbyterian Medical  
          Center became infected with malware that shut down their  
          communications capabilities.  After the 434-bed hospital had  
          been reduced to keeping records with pen and paper, the facility  
          paid a ransom of 40 bitcoins - about $17,000 - and regained  
          access to its system.   
          (http://www.latimes.com/business/technology/la-me-ln-hollywood-ho 
          spital-bitcoin-20160217-story.html)


          "SB 1137 defines ransomware and outlines the punishment for  
          those convicted of the crime.  With advanced technology comes  
          advanced forms of crime, and we must be properly equipped to  
          address them."


          Analysis Prepared by:                          David Billingsley  
          / PUB. S. / (916) 319-3744                            FN:  
          0004128