BILL ANALYSIS
SB 1137
Page 1

SENATE THIRD READING
SB 1137 (Hertzberg)
As Amended August 1, 2016
Majority vote

SENATE VOTE: 39-0

------------------------------------------------------------------------
|Committee       |Votes|Ayes                                      |Noes|
|----------------+-----+------------------------------------------+----|
|Public Safety   |7-0  |Jones-Sawyer, Melendez, Lackey, Lopez,    |    |
|                |     |Low, Quirk, Santiago                      |    |
|----------------+-----+------------------------------------------+----|
|Privacy         |11-0 |Chau, Wilk, Baker, Calderon, Chang,       |    |
|                |     |Cooper, Dababneh, Gatto, Gordon, Low,     |    |
|                |     |Olsen                                     |    |
|----------------+-----+------------------------------------------+----|
|Appropriations  |20-0 |Gonzalez, Bigelow, Bloom, Bonilla, Bonta, |    |
|                |     |Calderon, Chang, Daly, Eggman, Gallagher, |    |
|                |     |Eduardo Garcia, Holden, Jones, Obernolte, |    |
|                |     |Quirk, Santiago, Wagner, Weber, Wood,     |    |
|                |     |McCarty                                   |    |
------------------------------------------------------------------------

SUMMARY: Makes it a crime to knowingly introduce "ransomware" into a computer or computer network for the purpose of extorting payment. Specifically, this bill:

1) Makes it a crime for a person to knowingly introduce ransomware into any computer, computer system, or computer network. This bill would make a violation of this provision punishable by imprisonment in a county jail for two, three, or four years and a fine not exceeding $10,000.

2) Defines "ransomware" to mean a "computer contaminant or lock placed or introduced without authorization into a computer, computer system, or computer network that restricts access by an authorized person to the computer, computer system, computer network, or any data therein, under circumstances in which the person responsible for the placement or introduction of the ransomware demands payment of money or other consideration to remove the computer contaminant, restore access to the computer, computer system, computer network, or data, or otherwise remediate the impact of the computer contaminant or lock."

3) Specifies that a person is responsible for placing or introducing ransomware into a computer, computer system, or computer network if the person directly places or introduces the ransomware, or directs or induces another person to do so, with the intent of demanding payment or other consideration to remove the ransomware, restore access, or otherwise remediate the impact of the ransomware.

4) Specifies that prosecution under that provision does not prohibit or limit prosecution under any other law.

EXISTING LAW:

1) Defines "extortion" as the obtaining of property from another, with his consent, or the obtaining of an official act of a public officer, induced by a wrongful use of force or fear, or under color of official right.

2) Specifies that fear, sufficient to constitute extortion, may be induced by a threat of any of the following:

   a) To do an unlawful injury to the person or property of the individual threatened or of a third person;

   b) To accuse the individual threatened, or any relative of his, or member of his family, of any crime;

   c) To expose, or to impute to him or them any deformity, disgrace or crime; or,

   d) To expose any secret affecting him or them.

3) States that every person who extorts any money or other property from another, under circumstances not amounting to robbery or carjacking, by means of force, or any threat, such as is mentioned in existing provisions of law relating to threats sufficient to constitute extortion, shall be punished by custody time of two, three or four years. Specifies that any person who commits any of the following acts is guilty of a crime:

   a) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either i) devise or execute any scheme or artifice to defraud, deceive, or extort, or ii) wrongfully control or obtain money, property, or data.

   b) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

   c) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.

   d) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

   e) Knowingly and without permission disrupts or causes the disruption of government computer services or denies or causes the denial of government computer services to an authorized user of a government computer, computer system, or computer network.

   f) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a public safety infrastructure computer system computer, computer system, or computer network.

   g) Knowingly and without permission disrupts or causes the disruption of public safety infrastructure computer system computer services or denies or causes the denial of computer services to an authorized user of a public safety infrastructure computer system computer, computer system, or computer network.

4) States that any person who violates any of the provisions of 3a)-g) is guilty of a felony, punishable by imprisonment pursuant to Section 1170(h) for 16 months, or two or three years and a fine not exceeding $10,000, or a misdemeanor, punishable by imprisonment in a county jail not exceeding one year, by a fine not exceeding $5,000, or by both that fine and imprisonment.

5) Specifies that any person who commits any of the following acts is guilty of a crime:

   a) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section;

   b) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network; and

   c) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or public safety infrastructure computer system computer, computer system, or computer network in violation of this section.

6) States that any person who violates 5a)-c) is punishable as follows:

   a) For a first violation that does not result in injury, an infraction punishable by a fine not exceeding $1,000;

   b) For any violation that results in a victim expenditure in an amount not greater than $5,000, or for a second or subsequent violation, by a fine not exceeding $5,000, or by imprisonment in a county jail not exceeding one year, or by both fine and imprisonment; and

   c) For any violation that results in a victim expenditure in an amount greater than $5,000, by a fine not exceeding $10,000, or by imprisonment pursuant to Section 1170(h) for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding $5,000, or by imprisonment in a county jail not exceeding one year, or by both fine and imprisonment.

7) Specifies that any person who commits any of the following acts is guilty of a crime:

   a) Knowingly introduces any computer contaminant into any computer, computer system, or computer network; and

   b) Knowingly introduces any computer contaminant into any public safety infrastructure computer system computer, computer system, or computer network.

8) States that any person who violates 7a)-b) is punishable as follows:

   a) For a first violation that does not result in injury, a misdemeanor punishable by a fine not exceeding $5,000, or by imprisonment in a county jail not exceeding one year, or by both fine and imprisonment; and

   b) For any violation that results in injury, or for a second or subsequent violation, by a fine not exceeding $10,000, or by imprisonment in a county jail not exceeding one year, or by imprisonment pursuant to Section 1170(h), or by both fine and imprisonment.

COMMENTS: According to the author, "Kidnapping and ransom demands have been around as long as criminal activity itself. But what is new in today's digital age is the immediacy in which a computer hacker can access your computer and hold it hostage. Computer users are told that the only way to get their machines back is to pay a steep fine. This is known as "ransomware."

"SB 1137 addresses this new form of ransom in Penal Code. Currently, statutes on extortion can be used to prosecute ransomware crimes. However, extortion is based on the threat of future harm. When ransomware is used there is no threat to commit a future harm unless a ransom is paid; the harm has already occurred. The attacker is demanding payment to undo the harm they have already committed. The difference is slight, but extremely important in a criminal prosecution.

"Earlier this year, computers at Hollywood Presbyterian Medical Center became infected with malware that shut down their communications capabilities. After the 434-bed hospital had been reduced to keeping records with pen and paper, the facility paid a ransom of 40 bitcoins - about $17,000 - and regained access to its system. (http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html)

"SB 1137 defines ransomware and outlines the punishment for those convicted of the crime. With advanced technology comes advanced forms of crime, and we must be properly equipped to address them."

Analysis Prepared by: David Billingsley / PUB. S. / (916) 319-3744

FN: 0004128