BILL ANALYSIS




           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                       SB 1137|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 


                                UNFINISHED BUSINESS 


          Bill No:  SB 1137
          Author:   Hertzberg (D), et al.
          Amended:  8/19/16  
          Vote:     21 

           SENATE PUBLIC SAFETY COMMITTEE:  6-0, 4/12/16
           AYES:  Hancock, Glazer, Leno, Liu, Monning, Stone
           NO VOTE RECORDED:  Anderson

           SENATE APPROPRIATIONS COMMITTEE:  7-0, 5/27/16
           AYES:  Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen

           SENATE FLOOR:  39-0, 5/31/16
           AYES:  Allen, Anderson, Bates, Beall, Berryhill, Block,  
            Cannella, De León, Fuller, Gaines, Galgiani, Glazer, Hall,  
            Hancock, Hernandez, Hertzberg, Hill, Hueso, Huff, Jackson,  
            Lara, Leno, Leyva, Liu, McGuire, Mendoza, Mitchell, Monning,  
            Moorlach, Morrell, Nguyen, Nielsen, Pan, Pavley, Roth, Stone,  
            Vidak, Wieckowski, Wolk
           NO VOTE RECORDED:  Runner

           ASSEMBLY FLOOR:  80-0, 8/23/16 - See last page for vote

           SUBJECT:   Computer crimes:  ransomware


          SOURCE:    Los Angeles County District Attorney 
                     TechNet
          
          DIGEST:   This bill 1) separately defines as extortion the act  
          of placing a contaminant or lock on a computer, computer system  
          or data, coupled with a demand for payment of money or other  
          consideration before the lock will be removed or control  
          returned to owner or authorized user; and, 2) specifically  
          defines such a contaminant or lock as "ransomware."








                                                                    SB 1137  
                                                                    Page  2





          Assembly Amendments place the newly defined crime concerning  
          "ransomware" into the Penal Code Section defining extortion,  
          rather than the section concerning other forms of computer  
          crimes. 


          ANALYSIS: 


          Existing law:


          1)Defines numerous computer or electronic data offenses and  
            imposes a wide range of penalties based on the seriousness of  
            the offense or extent of harm caused by the defendant,  
            including by felony imprisonment pursuant to Penal Code  
            Section 1170, subdivision (h) for a term of 16 months,  
            two years or three years and a fine of up to $10,000, or as  
            a misdemeanor by a fine not exceeding $5,000, or a fine of up to  
            $1,000 by imprisonment in a county jail not exceeding one  
            year, or as an infraction.  (Pen. Code § 502.)


          2)Defines extortion as the obtaining of property from another  
            person, without the person's consent, or obtaining an official  
            act of a public officer, induced by the wrongful use of force  
            or fear, or under color of official right.  (Pen. Code § 518.)  
             


          3)Defines force or fear sufficient to commit extortion as a  
            threat to do any of the following:


                 Injure the person or property of the person threatened  
               or a third person.


                 Accuse the threatened person or a relative of a crime.













                 Expose or impute to the person threatened or a relative  
               any deformity, disgrace or crime.


                 Expose any secret of the person or relative.


                 To report the immigration status of the person or a  
               relative.  (Pen. Code § 519.)


          1)Provides that extortion is a felony, punishable pursuant to  
            Penal Code Section 1170, subdivision (h), by a felony sentence  
            of two, three or four years.  (Pen. Code § 520.)


          2)Provides that attempted extortion is an alternate  
            felony-misdemeanor, punishable by a jail term of up to one  
            year, a fine of up to $1,000, or both, or by a prison term of  
            16 months, two years or three years and a fine of up to  
            $10,000.  (Pen. Code § 524.)


          3)Includes "white collar" financial crime prison sentence  
            enhancements of one to five years and special fines, depending  
            on the amount of money or property taken by the defendant or  
            the loss suffered by the victim. The enhancements apply where  
            the defendant is convicted of two or more related felonies and  
            the loss to the victim or gain to the defendant is at least  
            $100,000.  To prevent a defendant from secreting or  
            dissipating his or her assets, the court may order pretrial  
            seizure of assets to preserve them for restitution and fines.   
             (Pen. Code § 186.11.)


          4)Includes the federal Computer Fraud and Abuse Act, which  
            prohibits a number of different computer crimes, the majority  
            of which involve accessing computers without authorization or  
            in excess of authorization, and then taking specified  
            forbidden actions, ranging from obtaining information to  
            committing extortion.  (18 U.S.C. § 1030(a)(1)-(7))













          This bill:


          1)Provides that a person is guilty of extortion where he or she  
            is responsible for placing "ransomware" on a computer,  
            computer system, or data in a computer, coupled with a demand  
            that money or other consideration be paid to the person  
            responsible for ransomware before it is removed or repaired.


          2)Defines "ransomware" as the placement or introduction of a  
            computer contaminant or lock on a computer, computer system,  
            or data in a computer system, coupled with a demand that money  
            or other consideration be paid to the person responsible for  
            the contaminant or lock before it is removed or repaired.


          3)Provides that one is responsible for ransomware if the person  
            directly places or introduces the contaminant or lock, or  
            directs or induces another person to do so, with the intent to  
            demand payment or other consideration to remove the  
            contaminant, unlock the computer system or data, or repair the  
            computer, computer system or data.


          Background


          According to the author:


             Kidnapping and ransom demands have been around as long  
             as criminal activity itself. But what is new in today's  
             digital age is the immediacy in which a computer hacker  
             can access your computer and hold it hostage. Computer  
             users are told that the only way to get their machines  
             back is to pay a steep fine. This is known as  
             "ransomware."  In practice, ransomware is simply a  
             high-tech version of extortion, using the loss of access  
             to one's data or computer as leverage to extort an  
             electronic payment from the owner of the infected  
             device. 


             This bill is intended to explicitly and clearly prohibit  
             the use of malicious computer programs to infect  
             computers or data and lock an authorized user out, and  
             then extort money from that user in exchange for  
             removing the ransomware or otherwise restoring access.  


          It appears that the use of ransom to extort money or other forms  
          of exchange, such as bitcoin, has become nearly ubiquitous.   
          Even relatively large-scale attacks on or seizure of control  
          over computers, computer systems and computer data can be done  
          quickly and remotely.


          Victims can reasonably conclude that they have little option but  
          to comply.  The perpetrators might well be in another country or  
          even another continent.  An attempt to obtain assistance from  
          law enforcement may be futile and the perpetrators could punish  
          such attempts by destroying data that includes an entity's  
          entire operation.  A business or organization could conclude  
          that it could no longer function if the threat is carried out.   
          Even where the threat is not executed, the very admission of the  
          event could be extremely harmful to a business or other  
          organization's reputation.  For example, a hospital would be  
          loath to admit that confidential medical records were seized or  
          locked.   The customers and clients of banks and brokerage  
          houses must believe that their financial holdings and  
          information are safe.  Attorneys cannot afford to reveal the  
          confidences of clients stored in digital files. 


          Computer criminals have become increasingly sophisticated as  
          technology became more sophisticated and essential to the life  
          of virtually every person and entity.  The attacks have included  
          locking or encrypting files on the home computers of individual  
          victims - often through authentic-looking law enforcement  
          notifications that the victim has done some wrong that he or she  
          would never want exposed.   











          (https://www.fbi.gov/news/stories/2012/august/new-internet-scam.)  
          The attacks have also included attacks on large entities, such  
          as three hospitals in recent, well-publicized incidents in  
          Southern California and government entities.  
          (http://www.latimes.com/local/lanow/la-me-ln-two-more-so-cal-hospitals-ransomware-20160322-story.html)  
          It appears that no media report of ransomware incidents is  
          complete without noting that even police departments have paid  
          ransoms to computer criminals.  A February 20, 2015 story in the  
          Chicago Tribune reported that the suburban Chicago town of  
          Midlothian paid a hacker $500 in bitcoin for release of infected  
          files.  Even the department's backup files were encrypted.  
          (http://www.chicagotribune.com/news/local/breaking/ct-midlothian-hacker-ransom-met-20150220-story.html.)


          A number of computer, software and computer data security  
          businesses have developed products to detect and remove  
          ransomware.  Numerous on-line guides about ransomware have been  
          published.  These typically include descriptions of ransomware  
          and how to detect it, remove it and protect against it.  For  
          example, the Mountain View, California firm Symantec has  
          published particularly detailed guides for addressing ransomware  
          questions, concerns, protection, removal and repair.  
          (http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf;  
          http://www.symantec.com/tv/products/details.jsp?vid=1954285164001)  
          TechNet - a Microsoft division that is a co-sponsor of this  
          bill - also publishes detailed ransomware guides and assistance,  
          including information about newly discovered ransomware.   
          (https://blogs.technet.microsoft.com/mmpc/2015/08/09/emerging-ransomware-troldesh/.)


          FISCAL EFFECT:   Appropriation: No   Fiscal Com.: Yes   Local: Yes

          According to the Assembly Appropriations Committee:

           Potential moderate increased cost (General Fund) to the  
            California Department of Corrections and Rehabilitation for  
            new commitments to state prison that would not have otherwise  
            been convicted under the existing extortion statutes, or  
            potentially longer sentences for convictions that otherwise  
            would have been charged as other computer crimes.  To the  
            extent the provisions of this bill result in two additional  
            commitments to state prison per year, the first year cost  
            would be $58,000, the second year would be $116,000, and  
            $174,00 thereafter assuming three-year sentences.




           Potential increase in nonreimbursable local incarceration  
            costs to the extent persons would not have otherwise been  
            convicted of the felony offense of extortion or other computer  
            offenses under existing law.  These costs may be partially  
            offset by revenue from fines.


          SUPPORT:   (Verified 8/22/16)


          Los Angeles County District Attorney (co-source) 
          TechNet (co-source)
          Association for Los Angeles Deputy Sheriffs
          Association of Deputy District Attorneys
          Association of Orange County Deputy Sheriffs
          California Association of Licensed Investigators
          California Hospital Association
          California Police Chiefs Association
          California State Sheriffs' Association
          California Statewide Law Enforcement Association
          Fraternal Order of Police, California State Lodge
          Long Beach Police Officers Association
          Los Angeles County Professional Peace Officers Association
          Los Angeles Police Protective League
          Los Angeles Probation Union, AFSCME, Local 685
          Riverside Sheriffs' Association
          Sacramento County Deputy Sheriffs' Association


          OPPOSITION:   (Verified 8/22/16)













          Legal Services for Prisoners with Children

          ARGUMENTS IN SUPPORT:      The sponsor, the Los Angeles County  
          District Attorney, argues that this bill provides a clear  
          statutory provision to prosecute ransomware because existing law  
          may not properly cover the type of harm caused by ransomware.   
          Ransomware impacts home computers, businesses, financial  
          institutions, government agencies, academic institutions, and  
          other organizations. 

          ARGUMENTS IN OPPOSITION:      Legal Services for Prisoners with  
          Children argues that these actions are already prohibited, such  
          that a new crime and additional punishment is neither necessary  
          nor prudent.  This new law will not better protect individuals'  
          privacy.

           ASSEMBLY FLOOR:  80-0, 8/23/16
           AYES: Achadjian, Alejo, Travis Allen, Arambula, Atkins, Baker,  
            Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Burke,  
            Calderon, Campos, Chang, Chau, Chávez, Chiu, Chu, Cooley,  
            Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier, Beth  
            Gaines, Gallagher, Cristina Garcia, Eduardo Garcia, Gatto,  
            Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Harper,  
            Roger Hernández, Holden, Irwin, Jones, Jones-Sawyer, Kim,  
            Lackey, Levine, Linder, Lopez, Low, Maienschein, Mathis,  
            Mayes, McCarty, Medina, Melendez, Mullin, Nazarian, Obernolte,  
            O'Donnell, Olsen, Patterson, Quirk, Ridley-Thomas, Rodriguez,  
            Salas, Santiago, Steinorth, Mark Stone, Thurmond, Ting,  
            Wagner, Waldron, Weber, Wilk, Williams, Wood, Rendon



          Prepared by: Jerome McGuire / PUB. S. / 
          8/24/16 9:10:40


                                   ****  END  ****


          








