BILL ANALYSIS
-----------------------------------------------------------------
|SENATE RULES COMMITTEE | SB 1137|
|Office of Senate Floor Analyses | |
|(916) 651-1520 Fax: (916) 327-4478 | |
-----------------------------------------------------------------
UNFINISHED BUSINESS
Bill No: SB 1137
Author: Hertzberg (D), et al.
Amended: 8/19/16
Vote: 21
SENATE PUBLIC SAFETY COMMITTEE: 6-0, 4/12/16
AYES: Hancock, Glazer, Leno, Liu, Monning, Stone
NO VOTE RECORDED: Anderson
SENATE APPROPRIATIONS COMMITTEE: 7-0, 5/27/16
AYES: Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen
SENATE FLOOR: 39-0, 5/31/16
AYES: Allen, Anderson, Bates, Beall, Berryhill, Block,
Cannella, De León, Fuller, Gaines, Galgiani, Glazer, Hall,
Hancock, Hernandez, Hertzberg, Hill, Hueso, Huff, Jackson,
Lara, Leno, Leyva, Liu, McGuire, Mendoza, Mitchell, Monning,
Moorlach, Morrell, Nguyen, Nielsen, Pan, Pavley, Roth, Stone,
Vidak, Wieckowski, Wolk
NO VOTE RECORDED: Runner
ASSEMBLY FLOOR: 80-0, 8/23/16 - See last page for vote
SUBJECT: Computer crimes: ransomware
SOURCE: Los Angeles County District Attorney
TechNet
DIGEST: This bill 1) separately defines as extortion the act
of placing a contaminant or lock on a computer, computer system
or data, coupled with a demand for payment of money or other
consideration before the lock will be removed or control
returned to owner or authorized user; and, 2) specifically
defines such a contaminant or lock as "ransomware."
Assembly Amendments place the newly defined crime concerning
"ransomware" into the Penal Code Section defining extortion,
rather than the section concerning other forms of computer
crimes.
ANALYSIS:
Existing law:
1)Defines numerous computer or electronic data offenses and
imposes a wide range of penalties based on the seriousness of
the offense or extent of harm caused by the defendant,
including by felony imprisonment pursuant to Penal Code
Section 1170, subdivision (h) for a term of 16 months,
two years or three years and a fine of up to $10,000, or as a
misdemeanor by a fine not exceeding $5,000, or a fine of up to
$1,000 by imprisonment in a county jail not exceeding one
year, or as an infraction. (Pen. Code § 502.)
2)Defines extortion as the obtaining of property from another
person, without the person's consent, or obtaining an official
act of a public officer, induced by the wrongful use of force
or fear, or under color of official right. (Pen. Code § 518.)
3)Defines force or fear sufficient to commit extortion as a
threat to do any of the following:
Injure the person or property of the person threatened
or a third person.
Accuse the threatened person or a relative of a crime.
Expose or impute to the person threatened or a relative
any deformity, disgrace or crime.
Expose any secret of the person or relative.
Report the immigration status of the person or a
relative. (Pen. Code § 519.)
4)Provides that extortion is a felony, punishable pursuant to
Penal Code Section 1170, subdivision (h), by a felony sentence
of two, three or four years. (Pen. Code § 520.)
5)Provides that attempted extortion is an alternate
felony-misdemeanor, punishable by a jail term of up to one
year, a fine of up to $1,000, or both, or by a prison term of
16 months, two years or three years and a fine of up to
$10,000. (Pen. Code § 524.)
6)Includes "white collar" financial crime prison sentence
enhancements of one to five years and special fines, depending
on the amount of money or property taken by the defendant or
the loss suffered by the victim. The enhancements apply where
the defendant is convicted of two or more related felonies and
the loss to the victim or gain to the defendant is at least
$100,000. To prevent a defendant from secreting or
dissipating his or her assets, the court may order pretrial
seizure of assets to preserve them for restitution and fines.
(Pen. Code § 186.11.)
7)Includes the federal Computer Fraud and Abuse Act, which
prohibits a number of different computer crimes, the majority
of which involve accessing computers without authorization or
in excess of authorization, and then taking specified
forbidden actions, ranging from obtaining information to
committing extortion. (18 U.S.C. § 1030(a)(1)-(7))
This bill:
1)Provides that a person is guilty of extortion where he or she
is responsible for placing "ransomware" on a computer,
computer system, or data in a computer, coupled with a demand
that money or other consideration be paid to the person
responsible for ransomware before it is removed or repaired.
2)Defines "ransomware" as the placement or introduction of a
computer contaminant or lock on a computer, computer system,
or data in a computer system, coupled with a demand that money
or other consideration be paid to the person responsible for
the contaminant or lock before it is removed or repaired.
3)Provides that one is responsible for ransomware if the person
directly places or introduces the contaminant or lock, or
directs or induces another person to do so, with the intent to
demand payment or other consideration to remove the
contaminant, unlock the computer system or data, or repair the
computer, computer system or data.
Background
According to the author:
Kidnapping and ransom demands have been around as long
as criminal activity itself. But what is new in today's
digital age is the immediacy in which a computer hacker
can access your computer and hold it hostage. Computer
users are told that the only way to get their machines
back is to pay a steep fine. This is known as
"ransomware." In practice, ransomware is simply a
high-tech version of extortion, using the loss of access
to one's data or computer as leverage to extort an
electronic payment from the owner of the infected
device.
This bill is intended to explicitly and clearly prohibit
the use of malicious computer programs to infect
computers or data and lock an authorized user out, and
then extort money from that user in exchange for
removing the ransomware or otherwise restoring access.
It appears that the use of ransom to extort money or other form
of exchange, such as bitcoin, has become nearly ubiquitous.
Even relatively large-scale attacks on or seizure of control
over computers, computer systems and computer data can be done
quickly and remotely.
Victims can reasonably conclude that they have little option but
to comply. The perpetrators might well be in another country or
even another continent. An attempt to obtain assistance from
law enforcement may be futile and the perpetrators could punish
such attempts by destroying data that includes an entity's
entire operation. A business or organization could conclude
that it could no longer function if the threat is carried out.
Even where the threat is not executed, the very admission of the
event could be extremely harmful to a business or other
organization's reputation. For example, a hospital would be
loath to admit that confidential medical records were seized or
locked. The customers and clients of banks and brokerage
houses must believe that their financial holdings and
information are safe. Attorneys cannot afford to reveal the
confidences of clients stored in digital files.
Computer criminals have become increasingly sophisticated as
technology became more sophisticated and essential to the life
of virtually every person and entity. The attacks have included
locking or encrypting files on the home computers of individual
victims - often through authentic-looking law enforcement
notifications that the victim has done some wrong that he or she
would never want exposed.
(https://www.fbi.gov/news/stories/2012/august/new-internet-scam.)
The attacks have also included attacks on large entities, such
as three hospitals in recent, well-publicized incidents in
Southern California and government entities.
(http://www.latimes.com/local/lanow/la-me-ln-two-more-so-cal-hospitals-ransomware-20160322-story.html)
It appears that no media
report of ransomware incidents is complete without noting that
even police departments have paid ransoms to computer criminals.
A February 20, 2015 story in the Chicago Tribune reported the
suburban Chicago town of Midlothian paid a hacker $500 in
bitcoin for release of infected files. Even the department's
backup files were encrypted.
(http://www.chicagotribune.com/news/local/breaking/ct-midlothian-hacker-ransom-met-20150220-story.html.)
A number of computer, software and computer and computer data
security businesses have developed products to detect and remove
ransomware. Numerous on-line guides about ransomware have been
published. These typically include descriptions of ransomware,
how to detect ransomware, remove it and protect against it. For
example, the Mountain View, California firm Symantec has
published particularly detailed guides for addressing ransomware
questions, concerns, protection, removal and repair.
(http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf;
http://www.symantec.com/tv/products/details.jsp?vid=1954285164001)
TechNet - a Microsoft division that is a co-sponsor of this
bill - also publishes detailed ransomware guides and assistance,
including information about newly discovered ransomware.
(https://blogs.technet.microsoft.com/mmpc/2015/08/09/emerging-ransomware-troldesh/.)
FISCAL EFFECT: Appropriation: No   Fiscal Com.: Yes   Local: Yes
According to the Assembly Appropriations Committee:
Potential moderate increased cost (General Fund) to the
California Department of Corrections and Rehabilitation for
new commitments to state prison that would not have otherwise
been convicted under the existing extortion statutes, or
potentially longer sentences for convictions that otherwise
would have been charged as other computer crimes. To the
extent the provisions of this bill result in two additional
commitments to state prison per year, the first year cost
would be $58,000, the second year would be $116,000, and
$174,00 thereafter assuming three-year sentences.
Potential increase in nonreimbursable local incarceration
costs to the extent persons would not have otherwise been
convicted of the felony offense of extortion or other computer
offenses under existing law. These costs may be partially
offset by revenue from fines.
SUPPORT: (Verified 8/22/16)
Los Angeles County District Attorney (co-source)
TechNet (co-source)
Association for Los Angeles Deputy Sheriffs
Association of Deputy District Attorneys
Association of Orange County Deputy Sheriffs
California Association of Licensed Investigators
California Hospital Association
California Police Chiefs Association
California State Sheriffs' Association
California Statewide Law Enforcement Association
Fraternal Order of Police, California State Lodge
Long Beach Police Officers Association
Los Angeles County Professional Peace Officers Association
Los Angeles Police Protective League
Los Angeles Probation Union, AFSCME, Local 685
Riverside Sheriffs' Association
Sacramento County Deputy Sheriffs' Association
OPPOSITION: (Verified 8/22/16)
Legal Services for Prisoners with Children
ARGUMENTS IN SUPPORT: The sponsor, the Los Angeles County
District Attorney, argues that this bill provides a clear
statutory provision to prosecute ransomware because existing law
may not properly cover the type of harm caused by ransomware.
Ransomware impacts home computers, businesses, financial
institutions, government agencies, academic institutions, and
other organizations.
ARGUMENTS IN OPPOSITION: Legal Services for Prisoners with
Children argues that these actions are already prohibited, such
that a new crime and additional punishment is neither necessary
nor prudent. This new law will not better protect individuals'
privacy.
ASSEMBLY FLOOR: 80-0, 8/23/16
AYES: Achadjian, Alejo, Travis Allen, Arambula, Atkins, Baker,
Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Burke,
Calderon, Campos, Chang, Chau, Chávez, Chiu, Chu, Cooley,
Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier, Beth
Gaines, Gallagher, Cristina Garcia, Eduardo Garcia, Gatto,
Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Harper,
Roger Hernández, Holden, Irwin, Jones, Jones-Sawyer, Kim,
Lackey, Levine, Linder, Lopez, Low, Maienschein, Mathis,
Mayes, McCarty, Medina, Melendez, Mullin, Nazarian, Obernolte,
O'Donnell, Olsen, Patterson, Quirk, Ridley-Thomas, Rodriguez,
Salas, Santiago, Steinorth, Mark Stone, Thurmond, Ting,
Wagner, Waldron, Weber, Wilk, Williams, Wood, Rendon
Prepared by: Jerome McGuire / PUB. S. /
8/24/16 9:10:40
**** END ****