BILL ANALYSIS
SB 1137
Page 1
SENATE THIRD READING
SB 1137 (Hertzberg)
As Amended August 19, 2016
Majority vote
SENATE VOTE: 39-0
----------------------------------------------------------------------
|Committee       |Votes|Ayes                   |Noes                 |
|----------------+-----+-----------------------+---------------------|
|Public Safety   |7-0  |Jones-Sawyer,          |                     |
|                |     |Melendez, Lackey,      |                     |
|                |     |Lopez, Low, Quirk,     |                     |
|                |     |Santiago               |                     |
|----------------+-----+-----------------------+---------------------|
|Privacy         |11-0 |Chau, Wilk, Baker,     |                     |
|                |     |Calderon, Chang,       |                     |
|                |     |Cooper, Dababneh,      |                     |
|                |     |Gatto, Gordon, Low,    |                     |
|                |     |Olsen                  |                     |
|----------------+-----+-----------------------+---------------------|
|Appropriations  |20-0 |Gonzalez, Bigelow,     |                     |
|                |     |Bloom, Bonilla, Bonta, |                     |
|                |     |Calderon, Chang, Daly, |                     |
|                |     |Eggman, Gallagher,     |                     |
|                |     |Eduardo Garcia,        |                     |
|                |     |Holden, Jones,         |                     |
|                |     |Obernolte, Quirk,      |                     |
|                |     |Santiago, Wagner,      |                     |
|                |     |Weber, Wood, McCarty   |                     |
----------------------------------------------------------------------
SUMMARY: Clarifies that introducing "ransomware" into a
computer or computer network with the intent of extorting money
or property is punishable as extortion whether or not the money
or property is actually obtained by means of the "ransomware."
Specifically, this bill:
1)Clarifies that introducing "ransomware" into a computer or
computer network with the intent of extorting money or
property is punishable as extortion whether or not the money
or property is actually obtained by means of the "ransomware."
Such conduct would be punishable by imprisonment in a county
jail for two, three, or four years and a fine not exceeding
$10,000.
2)Defines "Ransomware" to mean a "computer contaminant, as
specified, or lock placed or introduced without authorization
into a computer, computer system, or computer network that
restricts access by an authorized person to the computer,
computer system, computer network, or any data therein, under
circumstances in which the person responsible for the
placement or introduction of the ransomware demands payment of
money or other consideration to remove the computer
contaminant, restore access to the computer, computer system,
computer network, or data, or otherwise remediate the impact
of the computer contaminant or lock."
3)Specifies that a person is responsible for placing or
introducing ransomware into a computer, computer system, or
computer network if the person directly places or introduces
the ransomware, or directs or induces another person to do so,
with the intent of demanding payment or other consideration to
remove the ransomware, restore access, or otherwise remediate
the impact of the ransomware.
4)States that prosecution under the provisions of this bill does
not prohibit or limit prosecution under any other law.
EXISTING LAW:
1)Defines "extortion" as the obtaining of property from another,
with his consent, or the obtaining of an official act of a
public officer, induced by a wrongful use of force or fear, or
under color of official right.
2)Specifies that fear, sufficient to constitute extortion, may
be induced by a threat of any of the following:
a) To do an unlawful injury to the person or property of
the individual threatened or of a third person;
b) To accuse the individual threatened, or any relative of
his, or member of his family, of any crime;
c) To expose, or to impute to him or them any deformity,
disgrace or crime; or,
d) To expose any secret affecting him or them.
3)States that every person who extorts any money or other
property from another, under circumstances not amounting to
robbery or carjacking, by means of force, or any threat, such
as is mentioned in existing provisions of law relating to
threats sufficient to constitute extortion, shall be punished
by custody time of two, three or four years.
Specifies that any person who commits any of the following
acts is guilty of a crime:
a) Knowingly accesses and without permission alters,
damages, deletes, destroys, or otherwise uses any data,
computer, computer system, or computer network in order to
either i) devise or execute any scheme or artifice to
defraud, deceive, or extort, or ii) wrongfully control or
obtain money, property, or data.
b) Knowingly accesses and without permission takes, copies,
or makes use of any data from a computer, computer system,
or computer network, or takes or copies any supporting
documentation, whether existing or residing internal or
external to a computer, computer system, or computer
network.
c) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software,
or computer programs which reside or exist internal or
external to a computer, computer system, or computer
network.
d) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the
denial of computer services to an authorized user of a
computer, computer system, or computer network.
e) Knowingly and without permission disrupts or causes the
disruption of government computer services or denies or
causes the denial of government computer services to an
authorized user of a government computer, computer system,
or computer network.
f) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software,
or computer programs which reside or exist internal or
external to a public safety infrastructure computer system
computer, computer system, or computer network.
g) Knowingly and without permission disrupts or causes the
disruption of public safety infrastructure computer system
computer services or denies or causes the denial of
computer services to an authorized user of a public safety
infrastructure computer system computer, computer system,
or computer network.
4)States that any person who violates any of the provisions of
3a)-g) is guilty of a felony, punishable by imprisonment
pursuant to Section 1170(h) for 16 months, or two or three
years and a fine not exceeding $10,000, or a misdemeanor,
punishable by imprisonment in a county jail not exceeding one
year, by a fine not exceeding $5,000, or by both that fine and
imprisonment.
5)Specifies that any person who commits any of the following
acts is guilty of a crime:
a) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system,
or computer network in violation of this section;
b) Knowingly and without permission accesses or causes to
be accessed any computer, computer system, or computer
network; and
c) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system,
or public safety infrastructure computer system computer,
computer system, or computer network in violation of this
section.
6)States that any person who violates 5a)-c) is punishable as
follows:
a) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding $1,000;
b) For any violation that results in a victim expenditure
in an amount not greater than $5,000, or for a second or
subsequent violation, by a fine not exceeding $5,000, or by
imprisonment in a county jail not exceeding one year, or by
both fine and imprisonment; and
c) For any violation that results in a victim expenditure
in an amount greater than $5,000, by a fine not exceeding
$10,000, or by imprisonment pursuant to Section 1170(h) for
16 months, or two or three years, or by both that fine and
imprisonment, or by a fine not exceeding $5,000, or by
imprisonment in a county jail not exceeding one year, or by
both fine and imprisonment.
7)Specifies that any person who commits any of the following
acts is guilty of a crime:
a) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network; and
b) Knowingly introduces any computer contaminant into any
public safety infrastructure computer system computer,
computer system, or computer network.
8)States that any person who violates 7a)-b) is punishable as
follows:
a) For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding $5,000, or
by imprisonment in a county jail not exceeding one year, or
by both fine and imprisonment; and
b) For any violation that results in injury, or for a second or
subsequent violation, by a fine not exceeding $10,000, or by
imprisonment in a county jail not exceeding one year, or by
imprisonment pursuant to Section 1170(h), or by both fine and
imprisonment.
COMMENTS: According to the author, "Kidnapping and ransom
demands have been around as long as criminal activity itself.
But what is new in today's digital age is the immediacy in which
a computer hacker can access your computer and hold it hostage.
Computer users are told that the only way to get their machines
back is to pay a steep fine. This is known as "ransomware."
"SB 1137 addresses this new form of ransom in Penal Code.
Currently, statutes on extortion can be used to prosecute
ransomware crimes. However, extortion is based on the threat of
future harm. When ransomware is used there is no threat to
commit a future harm unless a ransom is paid, the harm has
already occurred. The attacker is demanding payment to undo the
harm they have already committed. The difference is slight, but
extremely important in a criminal prosecution.
"Earlier this year, computers at Hollywood Presbyterian Medical
Center became infected with malware that shut down their
communications capabilities. After the 434-bed hospital had
been reduced to keeping records with pen and paper, the facility
paid a ransom of 40 bitcoins - about $17,000 - and regained
access to its system.
"SB 1137 defines ransomware and outlines the punishment for
those convicted of the crime. With advanced technology comes
advanced forms of crime, and we must be properly equipped to
address them."
Please see the policy committee analysis for a full discussion
of this bill.
Analysis Prepared by:
David Billingsley / PUB. S. / (916) 319-3744
FN: 0004639