BILL ANALYSIS
SB 1137
Page 1
SENATE THIRD READING
SB 1137 (Hertzberg)
As Amended August 1, 2016
Majority vote
SENATE VOTE: 39-0
--------------------------------------------------------------------
|Committee       |Votes|Ayes                  |Noes                |
|----------------+-----+----------------------+--------------------|
|Public Safety   |7-0  |Jones-Sawyer,         |                    |
|                |     |Melendez, Lackey,     |                    |
|                |     |Lopez, Low, Quirk,    |                    |
|                |     |Santiago              |                    |
|----------------+-----+----------------------+--------------------|
|Privacy         |11-0 |Chau, Wilk, Baker,    |                    |
|                |     |Calderon, Chang,      |                    |
|                |     |Cooper, Dababneh,     |                    |
|                |     |Gatto, Gordon, Low,   |                    |
|                |     |Olsen                 |                    |
|----------------+-----+----------------------+--------------------|
|Appropriations  |20-0 |Gonzalez, Bigelow,    |                    |
|                |     |Bloom, Bonilla,       |                    |
|                |     |Bonta, Calderon,      |                    |
|                |     |Chang, Daly, Eggman,  |                    |
|                |     |Gallagher, Eduardo    |                    |
|                |     |Garcia, Holden,       |                    |
|                |     |Jones, Obernolte,     |                    |
|                |     |Quirk, Santiago,      |                    |
|                |     |Wagner, Weber, Wood,  |                    |
|                |     |McCarty               |                    |
--------------------------------------------------------------------
SUMMARY: Makes it a crime to knowingly introduce "ransomware"
into a computer or computer network for the purpose of extorting
payment. Specifically, this bill:
1)Makes it a crime for a person to knowingly introduce
ransomware into any computer, computer system, or computer
network. This bill would make a violation of this provision
punishable by imprisonment in a county jail for two, three, or
four years and a fine not exceeding $10,000.
2)Defines "ransomware" to mean a "computer contaminant or lock
placed or introduced without authorization into a computer,
computer system, or computer network that restricts access by
an authorized person to the computer, computer system,
computer network, or any data therein, under circumstances in
which the person responsible for the placement or introduction
of the ransomware demands payment of money or other
consideration to remove the computer contaminant, restore
access to the computer, computer system, computer network, or
data, or otherwise remediate the impact of the computer
contaminant or lock."
3)Specifies that a person is responsible for placing or
introducing ransomware into a computer, computer system, or
computer network if the person directly places or introduces
the ransomware, or directs or induces another person to do so,
with the intent of demanding payment or other consideration to
remove the ransomware, restore access, or otherwise remediate
the impact of the ransomware.
4)Specifies that prosecution under that provision does not
prohibit or limit prosecution under any other law.
EXISTING LAW:
1)Defines "extortion" as the obtaining of property from another,
with his consent, or the obtaining of an official act of a
public officer, induced by a wrongful use of force or fear, or
under color of official right.
2)Specifies that fear, sufficient to constitute extortion, may
be induced by a threat of any of the following:
a) To do an unlawful injury to the person or property of
the individual threatened or of a third person;
b) To accuse the individual threatened, or any relative of
his, or member of his family, of any crime;
c) To expose, or to impute to him or them any deformity,
disgrace or crime; or,
d) To expose any secret affecting him or them.
3)States that every person who extorts any money or other
property from another, under circumstances not amounting to
robbery or carjacking, by means of force, or any threat, such
as is mentioned in existing provisions of law relating to
threats sufficient to constitute extortion, shall be punished
by custody time of two, three or four years. Specifies that
any person who commits any of the following acts is guilty of
a crime:
a) Knowingly accesses and without permission alters,
damages, deletes, destroys, or otherwise uses any data,
computer, computer system, or computer network in order to
either i) devise or execute any scheme or artifice to
defraud, deceive, or extort, or ii) wrongfully control or
obtain money, property, or data.
b) Knowingly accesses and without permission takes, copies,
or makes use of any data from a computer, computer system,
or computer network, or takes or copies any supporting
documentation, whether existing or residing internal or
external to a computer, computer system, or computer
network.
c) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software,
or computer programs which reside or exist internal or
external to a computer, computer system, or computer
network.
d) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the
denial of computer services to an authorized user of a
computer, computer system, or computer network.
e) Knowingly and without permission disrupts or causes the
disruption of government computer services or denies or
causes the denial of government computer services to an
authorized user of a government computer, computer system,
or computer network.
f) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software,
or computer programs which reside or exist internal or
external to a public safety infrastructure computer system
computer, computer system, or computer network.
g) Knowingly and without permission disrupts or causes the
disruption of public safety infrastructure computer system
computer services or denies or causes the denial of
computer services to an authorized user of a public safety
infrastructure computer system computer, computer system,
or computer network.
4)States that any person who violates any of the provisions of
3a)-g) is guilty of a felony, punishable by imprisonment
pursuant to Section 1170(h) for 16 months, or two or three
years and a fine not exceeding $10,000, or a misdemeanor,
punishable by imprisonment in a county jail not exceeding one
year, by a fine not exceeding $5,000, or by both that fine and
imprisonment.
5)Specifies that any person who commits any of the following
acts is guilty of a crime:
a) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system,
or computer network in violation of this section;
b) Knowingly and without permission accesses or causes to
be accessed any computer, computer system, or computer
network; and
c) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system,
or public safety infrastructure computer system computer,
computer system, or computer network in violation of this
section.
6)States that any person who violates 5a)-c) is punishable as
follows:
a) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding $1,000;
b) For any violation that results in a victim expenditure
in an amount not greater than $5,000, or for a second or
subsequent violation, by a fine not exceeding $5,000, or by
imprisonment in a county jail not exceeding one year, or by
both fine and imprisonment; and
c) For any violation that results in a victim expenditure
in an amount greater than $5,000, by a fine not exceeding
$10,000, or by imprisonment pursuant to Section 1170(h) for
16 months, or two or three years, or by both that fine and
imprisonment, or by a fine not exceeding $5,000, or by
imprisonment in a county jail not exceeding one year, or by
both fine and imprisonment.
7)Specifies that any person who commits any of the following
acts is guilty of a crime:
a) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network; and
b) Knowingly introduces any computer contaminant into any
public safety infrastructure computer system computer,
computer system, or computer network.
8)States that any person who violates 7a)-b) is punishable as
follows:
a) For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding $5,000, or
by imprisonment in a county jail not exceeding one year, or
by both fine and imprisonment; and
b) For any violation that results in injury, or for a
second or subsequent violation, by a fine not exceeding
$10,000, or by imprisonment in a county jail not exceeding
one year, or by imprisonment pursuant to Section 1170(h),
or by both fine and imprisonment.
COMMENTS: According to the author, "Kidnapping and ransom
demands have been around as long as criminal activity itself.
But what is new in today's digital age is the immediacy in which
a computer hacker can access your computer and hold it hostage.
Computer users are told that the only way to get their machines
back is to pay a steep fine. This is known as "ransomware."
"SB 1137 addresses this new form of ransom in Penal Code.
Currently, statutes on extortion can be used to prosecute
ransomware crimes. However, extortion is based on the threat of
future harm. When ransomware is used there is no threat to
commit a future harm unless a ransom is paid, the harm has
already occurred. The attacker is demanding payment to undo the
harm they have already committed. The difference is slight, but
extremely important in a criminal prosecution.
"Earlier this year, computers at Hollywood Presbyterian Medical
Center became infected with malware that shut down their
communications capabilities. After the 434-bed hospital had
been reduced to keeping records with pen and paper, the facility
paid a ransom of 40 bitcoins - about $17,000 - and regained
access to its system.
(http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html)
"SB 1137 defines ransomware and outlines the punishment for
those convicted of the crime. With advanced technology comes
advanced forms of crime, and we must be properly equipped to
address them."
Analysis Prepared by: David Billingsley / PUB. S. / (916) 319-3744
FN: 0004128