BILL ANALYSIS                                                                                                                                                                                                    



                                                                    SB 1137


                                                                    Page  1





          SENATE THIRD READING


          SB 1137 (Hertzberg)


          As Amended  August 19, 2016


          Majority vote


          SENATE VOTE:  39-0


           -------------------------------------------------------------------- 
          |Committee       |Votes|Ayes                   |Noes                 |
          |                |     |                       |                     |
          |                |     |                       |                     |
          |                |     |                       |                     |
          |----------------+-----+-----------------------+---------------------|
          |Public Safety   |7-0  |Jones-Sawyer,          |                     |
          |                |     |Melendez, Lackey,      |                     |
          |                |     |Lopez, Low, Quirk,     |                     |
          |                |     |Santiago               |                     |
          |                |     |                       |                     |
          |----------------+-----+-----------------------+---------------------|
          |Privacy         |11-0 |Chau, Wilk, Baker,     |                     |
          |                |     |Calderon, Chang,       |                     |
          |                |     |Cooper, Dababneh,      |                     |
          |                |     |Gatto, Gordon, Low,    |                     |
          |                |     |Olsen                  |                     |
          |                |     |                       |                     |
          |----------------+-----+-----------------------+---------------------|
          |Appropriations  |20-0 |Gonzalez, Bigelow,     |                     |
          |                |     |Bloom, Bonilla, Bonta, |                     |
          |                |     |Calderon, Chang, Daly, |                     |
          |                |     |Eggman, Gallagher,     |                     |
          |                |     |Eduardo Garcia,        |                     |
          |                |     |Holden, Jones,         |                     |
          |                |     |Obernolte, Quirk,      |                     |
          |                |     |Santiago, Wagner,      |                     |
          |                |     |Weber, Wood, McCarty   |                     |
          |                |     |                       |                     |
           -------------------------------------------------------------------- 


          SUMMARY:  Clarifies that introducing "ransomware" into a  
          computer or computer network with the intent of extorting money  
          or property is punishable as extortion whether or not the money  
          or property is actually obtained by means of the "ransomware."   
          Specifically, this bill:  


          1)Clarifies that introducing "ransomware" into a computer or  
            computer network with the intent of extorting money or  
            property is punishable as extortion whether or not the money  
            or property is actually obtained by means of the "ransomware."  
             Such conduct would be punishable by imprisonment in a county  
            jail for two, three, or four years and a fine not exceeding  
            $10,000.


          2)Defines "Ransomware" to mean a "computer contaminant, as  
            specified, or lock placed or introduced without authorization  
            into a computer, computer system, or computer network  that  
            restricts access by an authorized person to the computer,  
            computer system, computer network, or any data therein,  under  
            circumstances in which the person responsible for the  
            placement or introduction of the ransomware demands payment of  
            money or other consideration to remove the computer  
            contaminant, restore access to the computer, computer system,  
            computer network, or data, or otherwise remediate the  impact  
            of the computer contaminant or lock."










          3)Specifies that a person is responsible for placing or  
            introducing ransomware into a computer, computer  system, or  
            computer network if the person directly places or introduces  
            the ransomware, or directs or induces another person to do so,  
            with the intent of demanding payment or other consideration to  
            remove the ransomware, restore access, or otherwise remediate  
            the impact of the ransomware. 


          4)States that prosecution under the provisions of this bill does  
            not prohibit or limit prosecution under any other law.


          EXISTING LAW:  


          1)Defines "extortion" as the obtaining of property from another,  
            with his consent, or the obtaining of an official act of a  
            public officer, induced by a wrongful use of force or fear, or  
            under color of official right.  


          2)Specifies that fear, sufficient to constitute extortion, may  
            be induced by a threat of any of the following: 


             a)   To do an unlawful injury to the person or property of  
               the individual threatened or of a third person; 
             b)   To accuse the individual threatened, or any relative of  
               his, or member of his family, of any crime; 


             c)   To expose, or to impute to him or them any deformity,  
               disgrace or crime; or, 


             d)   To expose any secret affecting him or them. 










          3)States that every person who extorts any money or other  
            property from another, under circumstances not amounting to  
            robbery or carjacking, by means of force, or any threat, such  
            as is mentioned in existing provisions of law relating to  
            threats sufficient to constitute extortion, shall be punished  
            by custody time of two, three or four years.  


            Specifies that any person who commits any of the following  
            acts is guilty of a crime:


             a)   Knowingly accesses and without permission alters,  
               damages, deletes, destroys, or otherwise uses any data,  
               computer, computer system, or computer network in order to  
               either i) devise or execute any scheme or artifice to  
               defraud, deceive, or extort, or ii) wrongfully control or  
               obtain money, property, or data. 


             b)   Knowingly accesses and without permission takes, copies,  
               or makes use of any data from a computer, computer system,  
               or computer network, or takes or copies any supporting  
               documentation, whether existing or residing internal or  
               external to a computer, computer system, or computer  
               network. 


             c)   Knowingly accesses and without permission adds, alters,  
               damages, deletes, or destroys any data, computer software,  
               or computer programs which reside or exist internal or  
               external to a computer, computer system, or computer  
               network. 


             d)   Knowingly and without permission disrupts or causes the  
               disruption of computer services or denies or causes the  
               denial of computer services to an authorized user of a  
               computer, computer system, or computer network. 








             e)   Knowingly and without permission disrupts or causes the  
               disruption of government computer services or denies or  
               causes the denial of government computer services to an  
               authorized user of a government computer, computer system,  
               or computer network. 


             f)   Knowingly accesses and without permission adds, alters,  
               damages, deletes, or destroys any data, computer software,  
               or computer programs which reside or exist internal or  
               external to a public safety infrastructure computer system  
               computer, computer system, or computer network. 


             g)   Knowingly and without permission disrupts or causes the  
               disruption of public safety infrastructure computer system  
               computer services or denies or causes the denial of  
               computer services to an authorized user of a public safety  
               infrastructure computer system computer, computer system,  
               or computer network. 


          4)States that any person who violates any of the provisions of  
            3a)-g) is guilty of a felony, punishable by imprisonment  
            pursuant to Section 1170(h) for 16 months, or two or three  
            years and a fine not exceeding $10,000, or a misdemeanor,  
            punishable by imprisonment in a county jail not exceeding one  
            year, by a fine not exceeding $5,000, or by both that fine and  
            imprisonment.


          5)Specifies that any person who commits any of the following  
            acts is guilty of a crime:


             a)   Knowingly and without permission provides or assists in  
               providing a means of accessing a computer, computer system,  
               or computer network in violation of this section; 


             b)   Knowingly and without permission accesses or causes to  
               be accessed any computer, computer system, or computer  
               network; and 


             c)   Knowingly and without permission provides or assists in  
               providing a means of accessing a computer, computer system,  
               or public safety infrastructure computer system computer,  
               computer system, or computer network in violation of this  
               section. 


          6)States that any person who violates 5a)-c) is punishable as  
            follows:


             a)   For a first violation that does not result in injury, an  
               infraction punishable by a fine not exceeding $1,000;


             b)   For any violation that results in a victim expenditure  
               in an amount not greater than $5,000, or for a second or  
               subsequent violation, by a fine not exceeding $5,000, or by  
               imprisonment in a county jail not exceeding one year, or by  
               both fine and imprisonment; and


             c)   For any violation that results in a victim expenditure  
               in an amount greater than $5,000, by a fine not exceeding  
               $10,000, or by imprisonment pursuant to Section 1170(h) for  
               16 months, or two or three years, or by both that fine and  
               imprisonment, or by a fine not exceeding $5,000, or by  
               imprisonment in a county jail not exceeding one year, or by  
               both fine and imprisonment.










          7)Specifies that any person who commits any of the following  
            acts is guilty of a crime:


             a)   Knowingly introduces any computer contaminant into any  
               computer, computer system, or computer network; and 


             b)   Knowingly introduces any computer contaminant into any  
               public safety infrastructure computer system computer,  
               computer system, or computer network. 


          8)States that any person who violates 7a)-b) is punishable as  
            follows:


             a)   For a first violation that does not result in injury, a  
               misdemeanor punishable by a fine not exceeding $5,000, or  
               by imprisonment in a county jail not exceeding one year, or  
               by both fine and imprisonment; and


             b)   For any violation that results in injury, or for a second  
               or subsequent violation, by a fine not exceeding $10,000, or  
               by imprisonment in a county jail not exceeding one year, or  
               by imprisonment pursuant to Section 1170(h), or by both fine  
               and imprisonment.


          COMMENTS:  According to the author, "Kidnapping and ransom  
          demands have been around as long as criminal activity itself.   
          But what is new in today's digital age is the immediacy in which  
          a computer hacker can access your computer and hold it hostage.   
          Computer users are told that the only way to get their machines  
          back is to pay a steep fine.  This is known as "ransomware."


          "SB 1137 addresses this new form of ransom in Penal Code.   
          Currently, statutes on extortion can be used to prosecute  
          ransomware crimes.  However, extortion is based on the threat of  
          future harm.  When ransomware is used there is no threat to  
          commit a future harm unless a ransom is paid; the harm has  
          already occurred.  The attacker is demanding payment to undo the  
          harm they have already committed.  The difference is slight, but  
          extremely important in a criminal prosecution.


          "Earlier this year, computers at Hollywood Presbyterian Medical  
          Center became infected with malware that shut down their  
          communications capabilities.  After the 434-bed hospital had  
          been reduced to keeping records with pen and paper, the facility  
          paid a ransom of 40 bitcoins - about $17,000 - and regained  
          access to its system.


          "SB 1137 defines ransomware and outlines the punishment for  
          those convicted of the crime.  With advanced technology comes  
          advanced forms of crime, and we must be properly equipped to  
          address them."


          Please see the policy committee analysis for a full discussion  
          of this bill.




          Analysis Prepared by:                                             
                          David Billingsley / PUB. S. / (916) 319-3744   
          FN: 0004639














