BILL ANALYSIS �
SENATE COMMITTEE ON PUBLIC SAFETY
Senator Mark Leno, Chair A
2009-2010 Regular Session B
2
2
AB 22 (Torres)
As Amended April 14, 2009
Hearing date: June 9, 2009
Penal Code
JM:br
FINES FOR UNAUTHORIZED USE AND DAMAGE OF COMPUTERS AND DATA
HISTORY
Source: Author
Prior Legislation: AB 451 (Maddox) - Ch. 254, Stats. 1999
AB 1629 (Miller) - Ch. 863, Stats. 1998
SB 438 (Johnston) - Ch. 906, Stats. 1997
SB 1734 (Johnston) - Ch. 555, Stats. 1998
Support: California Independent Bankers; California Probation,
Parole and Correctional Association; California State
Sheriffs' Association; Privacy Rights Clearinghouse;
Alameda County Sheriff, Amador County Sheriff, Butte
County Sheriff, Contra Costa County Sheriff, Mariposa
County Sheriff, San Bernardino County Sheriff, Yolo
County Sheriff; Tuolumne County Undersheriff
Opposition:California Public Defenders Association
Assembly Floor Vote: Ayes 75 - Noes 0
KEY ISSUE
(More)
�
AB 22 (Torres)
PageB
SHOULD THE MAXIMUM FINES FOR FELONY CONVICTIONS INVOLVING DAMAGE
TO COMPUTERS OR COMPUTER DATA, UNAUTHORIZED USE OF COMPUTERS OR
COMPUTER DATA, OR UNAUTHORIZED USE OF INTERNET DOMAIN NAMES
CAUSING HARM, AS SPECIFIED, BE RAISED FROM $10,000 T0 $15,000?
PURPOSE
The purpose of this bill is to raise the maximum fine that can
be imposed on a defendant convicted of felony crimes involving
unauthorized use of computers, damage to computers or computer
data, and related offenses such as harmful misappropriation of
an Internet domain name, from $10,000 to $15,000.
Existing law provides that any person who knowingly accesses and
without permission alters, damages, deletes, destroys, or
otherwise uses any data, computer, computer system, or computer
network in order to devise or execute any scheme or artifice to
defraud, deceive, or extort, or wrongfully control or obtain
money, property or data is punishable by a fine not exceeding
$10,000 or by imprisonment in the state prison for 16 months, or
2 or 3 years, or by both that fine and imprisonment, or by a
fine not exceeding $5000, or by imprisonment in a county jail
not exceeding one year, or by both that fine and imprisonment.
(Pen. Code 502, subd. (d)(1)(A).)
Existing law states that any person who knowingly accesses and
without permission takes, copies or makes use of any data from a
computer, computer system, or computer network, or takes or
copies any supporting documentation, whether existing or
residing internal or external to a computer, computer system, or
computer network is punishable by a fine not exceeding $10,000
or by imprisonment in the state prison for 16 months, or 2 or 3
years, or by both that fine and imprisonment, or by a fine not
exceeding $5000, or by imprisonment in a county jail not
exceeding one year, or by both that fine and imprisonment.
(Pen. Code 502, subd. (d)(1)(A).)
Existing law makes knowingly accessing and without permission
adding, altering, damaging, deleting, or destroying any data,
(More)
�
AB 22 (Torres)
PageC
computer software, or computer programs which reside or exist
internal or external to a computer, computer system, or computer
network punishable by a fine not exceeding $10,000 or by
imprisonment in the state prison for 16 months, 2 or 3 years, or
by both that fine and imprisonment, or by a fine not exceeding
$5000, or by imprisonment in a county jail not exceeding one
year, or by both that fine and imprisonment. (Pen. Code 502,
subd. (d)(1)(A).)
Existing law provides that knowingly and without permission
disrupting or causing the disruption of computer services or
denies or causes the denial of computer services or denies or
causes the denial of computer services to an authorized user of
a computer, computer system, or computer network is punishable
by a fine not exceeding $10,000, or by imprisonment in the state
prison for 16 months, or 2 or 3 years, or by both that fine and
imprisonment, or by a fine not exceeding $5000, or by
imprisonment in a county jail not exceeding one year, or by both
that fine and imprisonment. (Pen. Code 502, subd. (d)(1)(A).)
Existing law states that any person who knowingly and without
permission provides or assists in providing a means of accessing
a computer, computer system, or computer network that results in
a victim expenditure in an amount greater than $5000, is
punishable by a fine not exceeding $10,000, or by imprisonment
in the state prison for 16 months, 2 or 3 years, or by both that
fine and imprisonment, or by a fine not exceeding $5000, or by
imprisonment in a county jail not exceeding one year, or by both
that fine and imprisonment. (Pen. Code 502, subd. (d)(1)(A).)
Existing law makes any person who knowingly and without
permission accesses or causes to be accessed any computer,
computer system or computer network that results in a victim
expenditure in an amount greater than $5000 is punishable by a
fine not exceeding $10,000, or by imprisonment in the state
prison for 16 months, 2 or 3 years, or by both that fine and
imprisonment, or by a fine not exceeding $5000, or by
imprisonment in a county jail not exceeding one year, or by both
that fine and imprisonment. (Pen. Code 502, subd. (d)(3)(C).)
(More)
�
AB 22 (Torres)
PageD
Existing law provides that any person who knowingly introduces
any computer contaminant into any computer, or computer system,
or computer network that results in injury, or for a second or
subsequent violation, by a fine not exceeding $10,000, or by
imprisonment in a county jail not exceeding on year, or in the
state prison, or by both that fine and imprisonment. (Pen.
Code 502, subd. (d)(4)(B).)
Existing law states that any person who knowingly and without
permission uses the Internet domain name of another individual,
corporation, or entity in connection with the sending of one or
more electronic mail messages, and thereby damages or causes
damage to a computer, computer system, or computer network that
results in injury, or for a second or subsequent violation, by a
fine not exceeding $5000, or by imprisonment in a county jail
not exceeding one year, or by both that fine and imprisonment.
(Pen. Code 502, subd. (d)(5)(B).)
Existing law creates an exemption to Penal Code Section 502(c)
violations for any person who accesses his or her employer's
computer system, network, program or data when acting within the
scope of lawful employment. (Pen. Code 502, subd. (h)(1).)
Existing law allows an exemption for a person using computer
services without permission and outside his or her employment if
the acts do not cause an injury to any computer system, or
provided that the value of supplies used does not exceed $100.
(Pen. Code 502, subd. (h)(2).]
Existing law requires the forfeiture of computer equipment where
the defendant knowingly and without permission:
Accesses and alters, damages, deletes, destroys, or
otherwise uses any data, computer, computer system, or
computer network in order to either: (1) devise or execute
any scheme or artifice to defraud, deceive, or extort; or
(2) wrongfully control or obtain money, property, or data.
Accesses, takes, copies, or makes use of any data from a
computer, computer system, or computer network, or takes or
(More)
�
AB 22 (Torres)
PageE
copies any supporting documentation, whether existing or
residing internal or external to a computer, computer
system, or computer network.
Uses, or causes to be used, computer services.
Adds, alters, damages, deletes, or destroys any data,
computer software, or computer programs which reside or
exist internal or external to a computer, computer system,
or computer network.
Disrupts or causes the disruption of computer services
or denies or causes the denial of computer services to an
authorized user of a computer, computer system, or computer
network.
Provides or assists in providing a means of accessing a
computer, computer system, or computer network in violation
of this section.
Accesses, or causes to be accessed, any computer,
computer system, or computer network.
Introduces any computer contaminant into any computer,
computer system, or computer network.
Uses the Internet domain name of another individual,
corporation, or entity in connection with the sending of
one or more electronic mail messages, and thereby damages
or causes damage to a computer, computer system, or
computer network. (Pen. Code 502.01, subd. (c).)
This bill raises the maximum felony fine from $10,000 to $15,000
for a person who knowingly accesses and without permission
alters, damages, deletes, destroys, or otherwise uses any data,
computer, computer system, or computer network in order to
devise or execute any scheme or artifice to defraud, deceive, or
extort, or wrongfully control or obtain money, property, or
data.
This bill raises the maximum felony fine from $10,000 to $15,000
(More)
�
AB 22 (Torres)
PageF
for a person who knowingly accesses and without permission
takes, copies or makes use of any data from a computer, computer
system, or computer network, or takes or copies any supporting
documentation, whether existing or residing internal or external
to a computer, computer system, or computer network.
This bill raises the maximum felony fine from $10,000 to $15,000
where a person knowingly accesses and without permission adds,
alters, damages, deletes, or destroys any data, computer
software, or computer programs which reside or exist internal or
external to a computer, computer system, or computer network.
This bill raises the maximum felony fine from $10,000 to $15,000
for a person who knowingly and without permission disrupts or
causes the disruption of computer services or who denies or
causes the denial of computer services or denies or causes the
denial of computer services to an authorized user of a computer,
computer system, or computer network.
This bill raises the maximum felony fine from $10,000 to $15,000
for a person who knowingly and without permission provides or
assists in providing a means of accessing a computer, computer
system, or computer network that results in a victim expenditure
in an amount greater than $5000.
This bill raises the maximum felony fine from $10,000 to $15,000
for a person who knowingly and without permission accesses or
causes to be accessed any computer, computer system or computer
network that results in a victim expenditure in an amount
greater than $5000.
This bill raises the maximum misdemeanor or felony fine from
$10,000 to $15,000 for any person who knowingly introduces any
computer contaminant into any computer, or computer system, or
computer network that results in injury, or for a second or
subsequent violation.
This bill raises the maximum fine from $5000 to $15,000 for any
person who knowingly and without permission uses the Internet
domain name of another individual, corporation, or entity in
(More)
�
AB 22 (Torres)
PageG
connection with the sending of one or more electronic mail
messages, and who thereby causes injurious damage to a computer
or computer system. This crime is a misdemeanor.
This bill raises the maximum fine from $5000 to $15,000 for any
person who is convicted for a second or subsequent time of
knowingly and without permission using the Internet domain name
of another individual, corporation, or entity in connection with
the sending of one or more electronic mail messages. This crime
is a misdemeanor. The prior conviction for using another's
Internet domain name can be an infraction.<1>
RECEIVERSHIP/OVERCROWDING CRISIS AGGRAVATION
California continues to face a severe prison overcrowding
crisis. The Department of Corrections and Rehabilitation (CDCR)
currently has about 170,000 inmates under its jurisdiction. Due
to a lack of traditional housing space available, the department
houses roughly 15,000 inmates in gyms and dayrooms.
California's prison population has increased by 125% (an average
of 4% annually) over the past 20 years, growing from 76,000
inmates to 171,000 inmates, far outpacing the state's population
growth rate for the age cohort with the highest risk of
incarceration.<2>
In December of 2006 plaintiffs in two federal lawsuits against
CDCR sought a court-ordered limit on the prison population
pursuant to the federal Prison Litigation Reform Act. On
February 9, 2009, the three-judge federal court panel issued a
tentative ruling that included the following conclusions with
respect to overcrowding:
---------------------------
<1> Use of another's Internet domain name is an infraction
where no damage occurred. (Pen. Code 502 (d)(4)(A).)
<2> "Between 1987 and 2007, California's population of ages 15
through 44 - the age cohort with the highest risk for
incarceration - grew by an average of less than 1% annually,
which is a pace much slower than the growth in prison
admissions." (2009-2010 Budget Analysis Series, Judicial and
Criminal Justice, Legislative Analyst's Office (January 30,
2009).)
(More)
�
AB 22 (Torres)
PageH
No party contests that California's prisons are
overcrowded, however measured, and whether considered
in comparison to prisons in other states or jails
within this state. There are simply too many
prisoners for the existing capacity. The Governor,
the principal defendant, declared a state of emergency
in 2006 because of the "severe overcrowding" in
California's prisons, which has caused "substantial
risk to the health and safety of the men and women who
work inside these prisons and the inmates housed in
them." . . . A state appellate court upheld the
Governor's proclamation, holding that the evidence
supported the existence of conditions of "extreme
peril to the safety of persons and property."
(citation omitted) The Governor's declaration of the
state of emergency remains in effect to this day.
. . . the evidence is compelling that there is no
relief other than a prisoner release order that will
remedy the unconstitutional prison conditions.
. . .
Although the evidence may be less than perfectly
clear, it appears to the Court that in order to
alleviate the constitutional violations California's
inmate population must be reduced to at most 120% to
145% of design capacity, with some institutions or
clinical programs at or below 100%. We caution the
parties, however, that these are not firm figures and
that the Court reserves the right - until its final
ruling - to determine that a higher or lower figure is
appropriate in general or in particular types of
facilities.
. . .
Under the PLRA, any prisoner release order that we
issue will be narrowly drawn, extend no further than
(More)
�
AB 22 (Torres)
PageI
necessary to correct the violation of constitutional
rights, and be the least intrusive means necessary to
correct the violation of those rights. For this
reason, it is our present intention to adopt an order
requiring the State to develop a plan to reduce the
prison population to 120% or 145% of the prison's
design capacity (or somewhere in between) within a
period of two or three years.<3>
The final outcome of the panel's tentative decision, as well as
any appeal that may be in response to the panel's final
decision, is unknown at the time of this writing.
This bill does not appear to aggravate the prison overcrowding
crisis outlined above.
COMMENTS
1. Need for This Bill
According to the author:
AB 22 increases the maximum fine for serious computer
hacking offenses, offenses which the law currently
treats as wobblers. The increase is significant,
from a maximum of $10,000 per offense to a maximum of
$50,000 per offense.
I have myself been a victim of identity theft, as
have many of my constituents and perhaps - many of
you. It is a crime that violates the sense of
personal security in a particularly insidious and
----------------------
<3> Three Judge Court Tentative Ruling, Coleman v.
Schwarzenegger, Plata v. Schwarzenegger, in the United States
District Courts for the Eastern District of California and the
Northern District of California United States District Court
composed of three judges pursuant to Section 2284, Title 28
United States Code (Feb. 9, 2009).
(More)
�
AB 22 (Torres)
PageJ
painful way. We need more effective deterrents.
(More)
�
Computer hacking and identity theft done through
computer misuse are crimes that often have a motive
of financial gain. By significantly increasing the
maximum fine that a judge may impose on a hacker, AB
22 is intended to provide a more substantial
deterrent to commission of these types of offenses
without imposing on the state the increased costs
associated with longer terms of incarceration.
The bill makes no change in the definition of
computer hacking crimes, and no change in the
assessment of what constitutes a more severe offense.
It simply makes a conviction potentially much more
expensive for an offender.
2. Mandatory Penalty Assessments Increase the Statutory Fine
Nearly Four Times
Fines are subject to penalty assessments. Assuming a person is
fined the maximum fine of $10,000 under Penal Code Section 502,
the following penalty assessments would be imposed pursuant to
the Penal Code and the California Government Code:
Base Fine: $10,000
Penal Code 1464 Assessment: $10,000($10 for every
$10 in fines)
Penal Code 1465.7 Assessment: $ 2,000(20%
surcharge)
Penal Code 1465.8 Assessment: $ 20($20
fee per fine)
Government Code 70372 Assessment: $ 5,000($5 for
every $10 in fines)
Government Code 70373 Assessment $ 30($30 fee per each
conviction)
Government Code 76000 Assessment: $ 7,000($7 for
every $10 in fines)
Government Code 7600.5 Assessment: $ 2,000($2 for
every $10 in fines)
(More)
�
AB 22 (Torres)
PageL
Government Code 76104.6 Assessment: $ 1,000($1 for
every $10 in fines)
Total Fine with Assessments: $37,050
Penal Code Section 502 was enacted through SB 255 (Davis),
Chapter 1499, Statutes of 1988. Assuming the fine is
increased under this bill and the maximum fine of $15,000 is
imposed upon the defendant, the new total fine would be as
follows:
Base Fine: $15,000
Penal Code 1464 Assessment: $15,000($10 for every
$10 in fines)
Penal Code 1465.7 Assessment: $ 3,000(20%
surcharge)
Penal Code 1465.8 Assessment: $ 20($20
fee per fine)
Government Code 70372 Assessment: $ 7,500($5 for
every $10 in fines)
Government Code 70373 Assessment $ 30($30 fee per each
conviction)
Government Code 76000 Assessment:$10,500($7 for every $10 in
fines)
Government Code 7600.5 Assessment: $ 3,000($2 for
every $10 in fines)
Government Code 76104.6 Assessment: $ 1,500($1 for
every $10 in fines)
Total Fine with Assessments: $55,550
3. Punishment and Deterrence Issues
As the charts in Comment #2 demonstrate, a criminal defendant
who is ordered to pay a fine must actually pay nearly four times
the amount that is described in the penalty provision of the
crime itself. Under existing penalty provisions, a defendant
ordered by the court to pay a $4000 fine would actually pay a
fine of approximately $15,200. If this bill is approved, a
�
AB 22 (Torres)
PageM
defendant ordered to pay the maximum fine for computer crimes
would owe over $55,000. It should also be noted that a
sentencing court must order a defendant to pay a restitution
fine and direct restitution to the victim for all losses
occasioned by the crime. Thus, this bill presents the question
whether or not a maximum fine of $55,500 is appropriate for
computer offenses.
The author also argues that raising the fines for computer
crimes will deter potential perpetrators from committing such
offenses. Committee staff is not aware of any studies that
would assist the Committee in determining whether the increased
fines would or would not deter potential offenders.
SHOULD THE MAXIMUM FINE FOR VARIOUS FELONY CRIMES INVOLVING
MISUSE, DAMAGE OR UNAUTHORIZED USE OF COMPUTERS OR DATA BE
RAISED FROM $10,000 TO $15,000, OR A MAXIMUM OF $55,000 WITH
MANDATORY PENALTY ASSESSMENTS?
IS THERE EVIDENCE THAT RAISING FINES FOR COMPUTER MISUSE AND
DAMAGE WOULD DETER DEFENDANTS FROM COMMITTING SUCH CRIMES?
***************