BILL ANALYSIS                                                                                                                                                                                                    



                                                                  AB 22
                                                                  Page 1

          Date of Hearing:   March 31, 2009
          Counsel:                Nicole J. Hanson


                         ASSEMBLY COMMITTEE ON PUBLIC SAFETY
                                 Jose Solorio, Chair

                  AB 22 (Torres) - As Introduced:  December 1, 2008
                       As Proposed to be Amended in Committee
           
           
          SUMMARY:  Increases the maximum fines for those convicted of
          feloniously tampering with, interfering with, damaging, or obtaining
          unauthorized access to computer data and computer systems.
          Specifically, this bill:

          1)Provides that any person who knowingly accesses and without  
            permission alters, damages, deletes, destroys, or otherwise  
            uses any data, computer, computer system, or computer network  
            in order to devise or execute any scheme or artifice to  
            defraud, deceive, or extort, or wrongfully control or obtain  
            money, property or data is punishable by a fine not exceeding  
            $15,000, by imprisonment in the state prison for 16 months, 2  
            or 3 years, or by both that fine and imprisonment; or by a  
            fine not exceeding $5,000, by imprisonment in a county jail  
            not exceeding one year, or by both that fine and imprisonment.

          2)States that any person who knowingly accesses and without  
            permission takes, copies or makes use of any data from a  
            computer, computer system, or computer network, or takes or  
            copies any supporting documentation, whether existing or  
            residing internal or external to a computer, computer system,  
            or computer network is punishable by a fine not exceeding  
            $15,000, by imprisonment in the state prison for 16 months, 2  
            or 3 years, or by both that fine and imprisonment; or by a  
            fine not exceeding $5,000, by imprisonment in a county jail  
            not exceeding one year, or by both that fine and imprisonment.

          3)Makes knowingly accessing and without permission adding,  
            altering, damaging, deleting, or destroying any data, computer  
            software, or computer programs which reside or exist internal  
            or external to a computer, computer system, or computer  
            network punishable by a fine not exceeding $15,000, by  
            imprisonment in the state prison for 16 months, 2 or 3 years,  
            or by both that fine and imprisonment; or by a fine not
            exceeding $5,000, by imprisonment in a county jail not  
            exceeding one year, or by both that fine and imprisonment.

          4)Provides that knowingly and without permission disrupting or
            causing the disruption of computer services, or denying or
            causing the denial of computer services to an authorized user of a
            computer, computer system, or computer network is punishable  
            by a fine not exceeding $15,000, by imprisonment in the state  
            prison for 16 months, 2 or 3 years, or by both that fine and  
            imprisonment; or by a fine not exceeding $5,000, by  
            imprisonment in a county jail not exceeding one year, or by  
            both that fine and imprisonment.

          5)States that any person who knowingly and without permission  
            provides or assists in providing a means of accessing a  
            computer, computer system, or computer network that results in  
            a victim expenditure in an amount greater than $5,000, is  
            punishable by a fine not exceeding $15,000, by imprisonment in  
            the state prison for 16 months, 2 or 3 years, or by both that  
            fine and imprisonment; or by a fine not exceeding $5,000, by  
            imprisonment in a county jail not exceeding one year, or by  
            both that fine and imprisonment.

          6)Provides that any person who knowingly and without permission
            accesses or causes to be accessed any computer, computer system
            or computer network that results in a victim expenditure in an
            amount greater than $5,000 is punishable by a fine not
            exceeding $15,000, by imprisonment in the state prison for 16
            months, 2 or 3 years, or by both that fine and imprisonment; or
            by a fine not exceeding $5,000, by imprisonment in a county  
            jail not exceeding one year, or by both that fine and  
            imprisonment.

          7)Provides that any person who knowingly introduces any computer
            contaminant into any computer, or computer system, or computer
            network that results in injury, or for a second or subsequent
            violation, is punishable by a fine not exceeding $15,000; by
            imprisonment in a county jail not exceeding one year or in the
            state prison; or by both that fine and imprisonment.

          8)States that any person who knowingly and without permission
            uses the Internet domain name of another individual,
            corporation, or entity in connection with the sending of one
            or more electronic mail messages, and thereby damages or
            causes damage to a computer, computer system, or computer
            network that results in injury, or for a second or subsequent
            violation, is punishable by a fine not exceeding $10,000; by
            imprisonment in a county jail not exceeding one year; or by
            both that fine and imprisonment.

          EXISTING LAW:

          1)Provides that any person who knowingly accesses and without  
            permission alters, damages, deletes, destroys, or otherwise  
            uses any data, computer, computer system, or computer network  
            in order to devise or execute any scheme or artifice to  
            defraud, deceive, or extort, or wrongfully control or obtain  
            money, property or data is punishable by a fine not exceeding  
            $10,000 or by imprisonment in the state prison for 16 months,  
            or two or three years, or by both that fine and imprisonment,  
            or by a fine not exceeding $5,000, or by imprisonment in a  
            county jail not exceeding one year, or by both that fine and  
            imprisonment.  [Penal Code Section 502(d)(1)(A).]

          2)States that any person who knowingly accesses and without  
            permission takes, copies or makes use of any data from a  
            computer, computer system, or computer network, or takes or  
            copies any supporting documentation, whether existing or  
            residing internal or external to a computer, computer system,  
            or computer network is punishable by a fine not exceeding  
            $10,000 or by imprisonment in the state prison for 16 months,  
            or two or three years, or by both that fine and imprisonment,  
            or by a fine not exceeding $5,000, or by imprisonment in a  
            county jail not exceeding one year, or by both that fine and  
            imprisonment.  [Penal Code Section 502(d)(1)(A).]

          3)Makes knowingly accessing and without permission adding,  
            altering, damaging, deleting, or destroying any data, computer  
            software, or computer programs which reside or exist internal  
            or external to a computer, computer system, or computer  
            network punishable by a fine not exceeding $10,000 or by  
            imprisonment in the state prison for 16 months, 2 or 3 years,  
            or by both that fine and imprisonment, or by a fine not  
            exceeding $5,000, or by imprisonment in a county jail not  
            exceeding one year, or by both that fine and imprisonment.   
            [Penal Code Section 502(d)(1)(A).]

          4)Provides that knowingly and without permission disrupting or
            causing the disruption of computer services, or denying or
            causing the denial of computer services to an authorized user of a
            computer, computer system, or computer network is punishable
            by a fine not exceeding $10,000, or by imprisonment in the
            state prison for 16 months, or two or three years, or by both
            that fine and imprisonment, or by a fine not exceeding $5,000,
            or by imprisonment in a county jail not exceeding one year, or
            by both that fine and imprisonment.  [Penal Code Section
            502(d)(1)(A).]

          5)States that any person who knowingly and without permission  
            provides or assists in providing a means of accessing a  
            computer, computer system, or computer network that results in  
            a victim expenditure in an amount greater than $5,000, is  
            punishable by a fine not exceeding $10,000, or by imprisonment  
            in the state prison for 16 months, 2 or 3 years, or by both  
            that fine and imprisonment, or by a fine not exceeding $5,000,  
            or by imprisonment in a county jail not exceeding one year, or  
            by both that fine and imprisonment.  [Penal Code Section  
            502(d)(1)(A).]

          6)Provides that any person who knowingly and without permission
            accesses or causes to be accessed any computer, computer system
            or computer network that results in a victim expenditure in an
            amount greater than $5,000 is punishable by a fine not
            exceeding $10,000, or by imprisonment in the state prison for  
            16 months, 2 or 3 years, or by both that fine and  
            imprisonment, or by a fine not exceeding $5,000, or by  
            imprisonment in a county jail not exceeding one year, or by  
            both that fine and imprisonment.  [Penal Code Section  
            502(d)(3)(C).]

          7)Provides that any person who knowingly introduces any computer
            contaminant into any computer, or computer system, or computer
            network that results in injury, or for a second or subsequent
            violation, is punishable by a fine not exceeding $10,000, or by
            imprisonment in a county jail not exceeding one year, or in the
            state prison, or by both that fine and imprisonment.  [Penal
            Code Section 502(d)(4)(B).]

          8)States that any person who knowingly and without permission
            uses the Internet domain name of another individual,
            corporation, or entity in connection with the sending of one
            or more electronic mail messages, and thereby damages or
            causes damage to a computer, computer system, or computer
            network that results in injury, or for a second or subsequent
            violation, is punishable by a fine not exceeding $5,000, or by
            imprisonment in a county jail not exceeding one year, or by
            both that fine and imprisonment.  [Penal Code Section
            502(d)(5)(B).]

          9)Creates an exemption to Penal Code Section 502(c) violations  
            for any person who accesses his or her employer's computer  
            system, network, program or data when acting within the scope  
            of lawful employment.  [Penal Code Section 502(h)(1).]

          10)Allows an exemption for a person using computer services
            without permission and outside his or her employment if the
            acts do not cause an injury to any computer system, or
            provided that the value of supplies used does not exceed $100.
            [Penal Code Section 502(h)(2).]

          11)Requires the forfeiture of computer equipment where the  
            defendant:

             a)   Knowingly accesses and without permission alters,  
               damages, deletes, destroys, or otherwise uses any data,  
               computer, computer system, or computer network in order to  
               either:  (i) devise or execute any scheme or artifice to  
               defraud, deceive, or extort; or (ii) wrongfully control or  
               obtain money, property, or data.

             b)   Knowingly accesses and without permission takes, copies,  
               or makes use of any data from a computer, computer system,  
               or computer network, or takes or copies any supporting  
               documentation, whether existing or residing internal or  
               external to a computer, computer system, or computer  
               network.

             c)   Knowingly and without permission uses or causes to be  
               used computer services.

             d)   Knowingly accesses and without permission adds, alters,  
               damages, deletes, or destroys any data, computer software,  
               or computer programs which reside or exist internal or  
               external to a computer, computer system, or computer  
               network.

             e)   Knowingly and without permission disrupts or causes the  
               disruption of computer services or denies or causes the  
               denial of computer services to an authorized user of a
               computer, computer system, or computer network.

             f)   Knowingly and without permission provides or assists in  
               providing a means of accessing a computer, computer system,  
               or computer network in violation of this section.

             g)   Knowingly and without permission accesses or causes to  
               be accessed any computer, computer system, or computer  
               network.

             h)   Knowingly introduces any computer contaminant into any  
               computer, computer system, or computer network.

             i)   Knowingly and without permission uses the Internet  
               domain name of another individual, corporation, or entity  
               in connection with the sending of one or more electronic  
               mail messages, and thereby damages or causes damage to a  
               computer, computer system, or computer network.  [Penal  
               Code Section 502.01(c).]

          FISCAL EFFECT:  Unknown

          COMMENTS:

          1)Author's Statement:  According to the author, "AB 22 increases
            the maximum fine for serious computer hacking offenses,  
            offenses which the law currently treats as wobblers.

          "The increase is significant, from a maximum of $10,000 per  
            offense to a maximum of $50,000 per offense.

          "I have myself been a victim of identity theft, as have many of
            my constituents and - perhaps - many of you. It is a crime that
            violates the sense of personal security in a particularly
            insidious and painful way.  We need more effective deterrents.

          "Computer hacking and related identity theft are crimes that  
            often have a motive of financial gain.  By significantly  
            increasing the maximum fine that a judge may impose on a  
            hacker, AB 22 is intended to provide a more substantial  
            deterrent to commission of these types of offenses without  
            imposing on the state the increased costs associated with  
            longer terms of incarceration.

          "The bill makes no change in the definition of computer hacking  
            crimes, and no change in the assessment of what constitutes a  
            more severe offense. It simply makes a conviction potentially  
            much more expensive for an offender."

          2)Background:  According to information provided by the author,
            "Computer hacking and related identity theft are crimes that  
            often have a motive of financial gain.  By significantly  
            increasing the maximum fine that a judge may impose on a  
            hacker, AB 22 is intended to provide a more substantial  
            deterrent to commission of these types of offenses without  
            imposing on the state the increased costs associated with  
            longer terms of incarceration."

          3)Penalty Assessments:  Fines are subject to penalty
            assessments.  Assuming a person is fined the maximum fine of  
            $10,000 under Penal Code Section 502, the following penalty  
            assessments would be imposed pursuant to the Penal Code and  
            the California Government Code:

            Base Fine:                            $10,000

            Penal Code 1464 Assessment:           $10,000  ($10 for every $10 in fines)
            Penal Code 1465.7 Assessment:         $ 2,000  (20% surcharge)
            Penal Code 1465.8 Assessment:         $    20  ($20 fee per fine)
            Government Code 70372 Assessment:     $ 5,000  ($5 for every $10 in fines)
            Government Code 70373 Assessment:     $    30  ($30 fee per each conviction)
            Government Code 76000 Assessment:     $ 7,000  ($7 for every $10 in fines)
            Government Code 7600.5 Assessment:    $ 2,000  ($2 for every $10 in fines)
            Government Code 76104.6 Assessment:   $ 1,000  ($1 for every $10 in fines)

            Total Fine with Assessments:          $37,050
            
            Penal Code Section 502 was enacted through SB 255 (Davis),  
            Chapter 1499, Statutes of 1988.  Assuming the fine is  
            increased under this bill and the maximum fine of $15,000 is  
            imposed upon the defendant, the new total fine would be as
            follows:

            Base Fine:                            $15,000

            Penal Code 1464 Assessment:           $15,000  ($10 for every $10 in fines)
            Penal Code 1465.7 Assessment:         $ 3,000  (20% surcharge)
            Penal Code 1465.8 Assessment:         $    20  ($20 fee per fine)
            Government Code 70372 Assessment:     $ 7,500  ($5 for every $10 in fines)
            Government Code 70373 Assessment:     $    30  ($30 fee per each conviction)
            Government Code 76000 Assessment:     $10,500  ($7 for every $10 in fines)
            Government Code 7600.5 Assessment:    $ 3,000  ($2 for every $10 in fines)
            Government Code 76104.6 Assessment:   $ 1,500  ($1 for every $10 in fines)

            Total Fine with Assessments:          $55,550

          4)Argument in Support:  According to the California State
            Sheriffs' Association, "The advancement and proliferation of
            computer technology has resulted in a concomitant  
            proliferation of computer crime and other forms of  
            unauthorized access to computers, computer systems, and  
            computer data.  Protection of the integrity of all types and  
            forms of computer systems is vital to the protection of the  
            privacy of individuals as well as to the well-being of  
            financial institutions, businesses, government agencies, and  
            others within this state that lawfully utilize those  
            computers.

          "AB 22 would provide that in the case of a violation involving  
            the computer, computer system, or computer network of a bank,  
            savings and loan, credit card issuer, or other financial  
            institution, the fine for the felony conviction would be  
            increased, not to exceed $50,000."

          5)Related Legislation:

             a)   SB 20 (Simitian) adds requirements to any agency,
               person, or business that must issue a security breach  
               notification in the event that personal information has  
               been acquired by an unauthorized person due to a breach of
               security of an agency's computer system. SB 20 also requires
               any agency, person, or business that must issue a security  
               breach notification to more than 500 California residents  
               pursuant to existing law to electronically submit that  
               security breach notification to the Attorney General.  SB  
               20 is pending hearing by the Senate Committee of  
               Appropriations.

             b)   AB 130 (Jefferies) increases prison time from 16 months,  
               2 or 3 years to two, three, or four years for those who  
               commit a second or subsequent offense of willfully  
               obtaining the personal identifying information of another  
               person, and using that information for any unlawful  
               purpose.  AB 130 will be heard by this Committee today.


          6)Prior Legislation:


             a)   AB 49 (Simitian), Chapter 618, Statutes of 2004, created  
               the High Technology Crimes Task Force comprised of each  
               regional task force participating in the High Technology  
               Theft Apprehension and Prosecution Program.

             b)   AB 543 (Bogh), of the 2003-04 Legislative Session, would  
               have required restitution to victims of high-technology  
               crimes (including those under Penal Code Section 502) and  
               would have imposed a forensic laboratory analysis fee on  
               defendants, which would be deposited into the High  
               Technology Laboratory Trust Fund to defray costs incurred  
               for computer or other electronic analysis or computer  
               evidence related to investigating and prosecuting  
               high-technology crimes.  AB 543 as introduced was never  
               heard and was gutted and amended into an unrelated  
               provision.

             c)   SB 1386 (Peace), Chapter 915, Statutes of 2003, created  
               requirements for state agencies, persons or businesses that  
               conduct business in California that own or license  
               computerized data that includes personal information, to  
               disclose in specified ways, any breach of the security of  
               the data to any resident of California whose unencrypted
               personal information was or is reasonably believed to have  
               been acquired by an unauthorized person.

             d)   AB 2232 (Oller), Chapter 634, Statutes of 2000,  
               increased the fine for persons who knowingly and without  
               permission access or cause to be accessed any computer,  
               computer system, or computer network that does not result  
               in injury from $250 to $1,000.  For damages less than  
               $5,000 for persons who knowingly and without permission  
               access or cause to be accessed any computer, computer  
               system, or computer network, AB 2232 created an alternate  
               felony/misdemeanor, punishable by a fine not exceeding  
               $10,000 and/or up to one year in county jail or a fine of  
               $10,000 and/or 16 months, 2 or 3 years in state prison.  AB  
               2232 also increased the fine from $250 to $1,000 for  
               persons who knowingly and without permission use the  
               Internet domain name of  another individual, corporation,  
               etc. in connection with sending email and thereby cause  
               damages to a computer, computer system or computer network.

          REGISTERED SUPPORT / OPPOSITION:

           Support 
           
          California Independent Bankers
          California Probation, Parole and Correctional Association
          California State Sheriffs' Association
          Privacy Rights Clearinghouse
          Sheriff, Alameda County
          Sheriff, Amador County
          Sheriff, Butte County
          Sheriff, Contra Costa County
          Sheriff, Mariposa County
          Sheriff, San Bernardino County
          Sheriff, Yolo County
          Undersheriff, Tuolumne County

           Opposition 
           
          None received
           

          Analysis Prepared by:  Nicole J. Hanson / PUB. S. / (916) 319-3744