BILL ANALYSIS
AB 1649
Page 1
Date of Hearing: March 25, 2014
Counsel: Shaun Naidu
ASSEMBLY COMMITTEE ON PUBLIC SAFETY
Tom Ammiano, Chair
AB 1649 (Waldron) - As Introduced: February 11, 2014
As Proposed to be Amended in Committee
SUMMARY : Specifies the penalties for any person who disrupts or
causes the disruption of, adds, alters, damages, destroys,
provides or assists in providing a means of accessing, or
introduces any computer contaminant into a "government computer
system" or a "public safety infrastructure computer system," as
specified, and changes and adds the definition of specified
terms. Specifically, this bill :
1)Punishes any person who knowingly and without permission
disrupts or causes the disruption of government computer
services or denies or causes the denial of government computer
services to an authorized user of a government computer,
computer system, or computer network by a fine not exceeding
$10,000, by imprisonment pursuant to realignment for 16
months, or two or three years, or by both that fine and
imprisonment, or by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment.
2)Punishes any person who knowingly accesses and without
permission adds, alters, damages, deletes, or destroys any
data, computer software, or computer programs which reside or
exist internal or external to a public safety infrastructure
computer system computer, computer system, or computer network
by a fine not exceeding $10,000, by imprisonment pursuant to
realignment for 16 months, or two or three years, or by both
that fine and imprisonment, or by a fine not exceeding $5,000,
by imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment.
3)Punishes any person who knowingly and without permission
disrupts or causes the disruption of public safety
infrastructure computer system computer services or denies or
causes the denial of computer services to an authorized user
of a public safety infrastructure computer system computer,
computer system, or computer network by a fine not exceeding
$10,000, by imprisonment pursuant to realignment for 16
months, or two or three years, or by both that fine and
imprisonment, or by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment.
4)Punishes any person who knowingly and without permission
provides or assists in providing a means of accessing a
computer, computer system, or public safety infrastructure
computer system computer, computer system, or computer network
as follows:
a) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding $1,000;
b) For a violation that results in a victim expenditure in
an amount not greater than $5,000, or for a second or
subsequent violation, by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment; and
c) For any violation that results in a victim expenditure
in an amount greater than $5,000, by a fine not exceeding
$10,000, by imprisonment pursuant to realignment for 16
months, or two or three years, or by both that fine and
imprisonment, or by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment.
5)Punishes any person who knowingly introduces any computer
contaminant into any public safety infrastructure computer
system computer, computer system, or computer network as
follows:
a) For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment; and
b) For any violation that results in injury, or for a
second or subsequent violation, by a fine not exceeding
$10,000, by imprisonment in a county jail not exceeding one
year or by imprisonment pursuant to realignment, or by both
that fine and imprisonment.
6)Adds "cause input to, cause output from, or cause data
processing with" within the meaning of "access."
7)Adds "remote systems" and "mobile devices" within the meaning
of "computer network."
8)Adds "Internet services, electronic mail services, or
electronic message services" within what "computer services"
includes.
9)Defines "government computer system" to mean any computer
system, or part thereof, that is owned, operated, or used by
any federal, state, or local governmental entity.
10)Defines "public safety infrastructure computer system" to
mean any computer system, or part thereof, that is necessary
for the health and safety of the public including computer
systems owned, operated, or used by drinking water and
wastewater treatment facilities, hospitals, emergency service
providers, telecommunication companies, and gas and electric
utility companies.
EXISTING LAW :
1)Punishes the following by a fine not exceeding $10,000, by
imprisonment pursuant to realignment for 16 months, or two or
three years, or by both that fine and imprisonment, or by a
fine not exceeding $5,000, by imprisonment in a county jail
not exceeding one year, or by both that fine and imprisonment:
a) Any person who knowingly accesses and without permission
alters, damages, deletes, destroys, or otherwise uses any
data, computer, computer system, or computer network in
order to devise or execute any scheme or artifice to
defraud, deceive, or extort, or wrongfully control or
obtain money, property or data;
b) Any person who knowingly accesses and without permission
takes, copies or makes use of any data from a computer,
computer system, or computer network, or takes or copies
any supporting documentation, whether existing or residing
internal or external to a computer, computer system, or
computer network;
c) Any person who knowingly accesses and without
permission adds, alters, damages, deletes, or destroys any
data, computer software, or computer programs which reside
or exist internal or external to a computer, computer
system, or computer network; and
d) Any person who knowingly and without permission disrupts
or causes the disruption of computer services or denies or
causes the denial of computer services to an authorized
user of a computer, computer system, or computer network.
(Pen. Code, § 502, subds. (c) and (d)(1).)
2)Punishes any person who knowingly and without permission uses
or causes to be used computer services as follows:
a) For the first violation that does not result in injury,
and where the value of the computer services used does not
exceed $950, by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment; and
b) For any violation that results in a victim expenditure
in an amount more than $5,000 or in an injury, if the value
of the computer services used exceeds $950, or for any
second or subsequent violation, by a fine not exceeding
$10,000, by imprisonment pursuant to realignment for 16
months, or two or three years, or by both that fine and
imprisonment, or by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment. (Pen. Code, § 502, subds.
(c) and (d)(2).)
3)Punishes any person who knowingly and without permission
provides or assists in providing a means of accessing,
accesses, or causes to be accessed a computer, computer
system, or computer network as follows:
a) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding $1,000;
b) For any violation that results in a victim expenditure
in an amount not more than $5,000, or for a second or
subsequent violation, by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment; and
c) For any violation that results in a victim expenditure
in an amount more than $5,000, by a fine not exceeding
$10,000, by imprisonment pursuant to realignment for 16
months, or two or three years, or by both that fine and
imprisonment, or by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment. (Pen. Code, § 502, subds.
(c) and (d)(3).)
4)Punishes any person who knowingly introduces any computer
contaminant into any computer, or computer system, or computer
network as follows:
a) For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment; and
b) For any violation that results in injury, or for a
second or subsequent violation, by a fine not exceeding
$10,000, by imprisonment in a county jail not exceeding one
year, or by imprisonment pursuant to realignment, or by
both that fine and imprisonment. (Pen. Code, § 502, subds.
(c) and (d)(4).)
5)Punishes any person who knowingly and without permission uses
the Internet domain name of another individual, corporation,
or entity in connection with the sending of one or more
electronic mail messages, and thereby damages or causes damage
to a computer, computer system, or computer network as
follows:
a) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding $1,000; and
b) For any violation that results in injury, or for a
second or subsequent violation, by a fine not exceeding
five thousand dollars ($5,000), or by imprisonment in a
county jail not exceeding one year, or by both that fine
and imprisonment. (Pen. Code, § 502, subds. (c) and
(d)(5).)
6)Creates an exemption to the violation of the provisions above
for any person who accesses his or her employer's computer
system, network, program or data when acting within the scope
of lawful employment. (Pen. Code, § 502, subd. (h)(1).)
7)Allows an exemption for a person using computer services
without permission and outside his or her employment if the
acts do not cause an injury, as defined, to the employer or
another, provided that the value of supplies or computer
services used does not exceed $250. (Pen. Code, § 502, subd.
(h)(2).)
8)Requires the forfeiture of computer equipment where the
defendant:
a) Knowingly accesses and without permission alters,
damages, deletes, destroys, or otherwise uses any data,
computer, computer system, or computer network in order to
either (i) devise or execute any scheme or artifice to
defraud, deceive, or extort or (ii) wrongfully control or
obtain money, property, or data;
b) Knowingly accesses and without permission takes, copies,
or makes use of any data from a computer, computer system,
or computer network, or takes or copies any supporting
documentation, whether existing or residing internal or
external to a computer, computer system, or computer
network;
c) Knowingly and without permission uses or causes to be
used computer services;
d) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software,
or computer programs which reside or exist internal or
external to a computer, computer system, or computer
network;
e) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the
denial of computer services to an authorized user of a
computer, computer system, or computer network;
f) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system,
or computer network in violation of specified law;
g) Knowingly and without permission accesses or causes to
be accessed any computer, computer system, or computer
network;
h) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network; and
i) Knowingly and without permission uses the Internet
domain name of another individual, corporation, or entity
in connection with the sending of one or more electronic
mail messages, and thereby damages or causes damage to a
computer, computer system, or computer network. (Pen.
Code, § 502.01, subd. (c).)
9)Punishes as vandalism every person who maliciously defaces
with graffiti or other inscribed material, damages, or
destroys any real or personal property not his or her own, in
cases other than those specified by state law as follows:
a) If the amount of defacement, damage, or destruction is
$400 or more, by imprisonment pursuant to realignment or in
a county jail not exceeding one year, by a fine of not more
than $10,000, or if the amount of defacement, damage, or
destruction is $10,000 or more, by a fine of not more than
$50,000, or by both that fine and imprisonment;
b) If the amount of defacement, damage, or destruction is
less than $400, by imprisonment in a county jail not
exceeding one year, by a fine of not more than $1,000, or
by both that fine and imprisonment; and
c) If the amount of defacement, damage, or destruction is
less than $400, and the defendant has been previously
convicted of vandalism or affixing graffiti or other
inscribed material, as specified, by imprisonment in a
county jail for not more than one year, by a fine of not
more than $5,000, or by both that fine and imprisonment.
(Pen. Code, § 594.)
FISCAL EFFECT : Unknown
COMMENTS :
1)Author's Statement : According to the author, "AB 1649 would
increase protection to government systems such as websites and
phone lines that are utilized by hospitals, schools, cities,
and many other organizations. This bill would also increase
fines for these escalating crimes and the threat they impose
to public safety. Cyber criminals often target government
computer systems, resulting in tampering, interferences, or
damages. Numerous incidents have occurred that have
compromised the privacy, safety, and personal information of
many individuals. For example in 2013, a caller to a San Diego
emergency room threatened the dispatcher that he would
paralyze the hospital's phone service if she didn't pay him
the amount demanded. Shortly after, the emergency room's phone
lines went silent for nearly 48 hours, affecting the
communication services. Recently, another case arose when a
California State University Sacramento employee website was
breached, where Social Security and Driver's License numbers
of 1,800 employees could have been accessed. These few
examples clearly demonstrate the significance of the rapidly
increasing rate of computer related crimes.
"California must keep up with the emerging difficulties
associated with compromised government systems. By expanding
the degree of protection to hospitals, schools, cities, and
many other organizations, along with individuals' private and
personal information will be safe from unauthorized access."
2)Practical Consideration : The author and supporters of this
bill cite, as examples of the need for this bill, incidents in
which a San Diego hospital's telephone system was paralyzed by
a hacker and a computer attack targeted the San Diego County
Registrar of Voters. As serious as these events are, no one
was prosecuted in either of these information system breaches,
even though existing law already criminalizes these actions
and gives law enforcement the ability and authority to
investigate and prosecute these violations of law. This
raises the question of why, if these offenses are as serious
as the supporters of this bill purport them to be and law
enforcement already has the ability to go after individuals
who perpetrate these crimes, these computer attacks were not
fully investigated and prosecuted. In discussion with the
San Diego County District Attorney's Office, there was no
prosecution in the hospital incident because the hospital did
not report the case. The District Attorney's Office suspects
that a common reason for the underreporting of these types of
breaches is that entities might not want to bring attention
to the issue, as it would reveal that they had a vulnerability
in their systems, and they want to avoid oversight in making
sure that patients/customers are notified of the potential
unauthorized dissemination of their sensitive information, as
is required by law (see Civ. Code, § 1798.82). (Telephone
interview with the San Diego County District Attorney's Office
(Mar. 19, 2014).) The San Diego County Registrar of Voters'
Office did not report the hack into its system, because the
office was unaware that it was a prosecutable crime. (Ibid.)
Considering that the local prosecuting attorney's office did
find out about these computer attacks, be it through the news
media or some other avenue, it was still within that office's
ability to investigate and prosecute the offense.
3)Tracking : The most reliable data available are rough figures
provided by the California Highway Patrol (CHP), which
investigates attacks on state computer systems. CHP data
shows that there were 10 convictions in 2012 and 4 convictions
in 2013 of possible Penal Code § 502 violations. Currently,
the state does not track how many defendants are being charged
with or convicted of violating Penal Code § 502, so
policymakers do not have firm data available that shows the
scope and scale of these crimes. Creating separate offenses
specific to computer attacks on government computer systems
and public safety infrastructure systems will allow California
to track to what extent these attacks are taking place and if
they are increasing, decreasing, or remaining constant, and
will allow the Legislature to make policy decisions using
concrete data instead of relying on anecdotes and conjectures.
4)Penalty Assessments : The amounts spelled out in statute as
fines for criminal offenses are base figures, as these amounts
are subject to statutorily imposed penalty assessments, such
as fees and surcharges. Assuming a
defendant is fined the maximum fine of $10,000 under Penal
Code Section 502, the following penalty assessments would be
imposed pursuant to the Government and Penal codes:
-----------------------------------------------------------------------------------------
|Base Fine:                                                                 | $10,000.00|
|Penal Code § 1464 assessment ($10 for every $10):                          | $10,000.00|
|Penal Code § 1465.7 assessment (20% surcharge):                            |  $2,000.00|
|Penal Code § 1465.8 assessment ($40 per criminal offense):                 |     $40.00|
|Government Code § 70372 assessment ($5 for every $10):                     |  $5,000.00|
|Government Code § 70373 assessment ($30 for felony or misdemeanor offense):|     $30.00|
|Government Code § 76000 assessment ($7 for every $10):                     |  $7,000.00|
|Government Code § 76000.5 assessment ($2 for every $10):                   |  $2,000.00|
|Government Code § 76104.6 assessment ($1 for every $10):                   |  $1,000.00|
|Government Code § 76104.7 assessment ($4 for every $10):                   |  $4,000.00|
|---------------------------------------------------------------------------+-----------|
|Fine with Assessments:                                                     |$41,070.00*|
-----------------------------------------------------------------------------------------
*In addition to the assessments detailed in the chart, the
defendant could be subject to pay "actual administrative
costs" related to his or her arrest and booking (Gov. Code, §
29550 et seq.) and victim restitution for damages imposed by
the court.
Assuming the fine is increased to up to $20,000 and the
maximum fine is imposed upon the defendant, the new fine
(before actual administrative costs and restitution) would be
as follows:
-----------------------------------------------------------------------------------------
|Base Fine:                                                                 | $20,000.00|
|Penal Code § 1464 assessment ($10 for every $10):                          | $20,000.00|
|Penal Code § 1465.7 assessment (20% surcharge):                            |  $4,000.00|
|Penal Code § 1465.8 assessment ($40 per criminal offense):                 |     $40.00|
|Government Code § 70372 assessment ($5 for every $10):                     | $10,000.00|
|Government Code § 70373 assessment ($30 for felony or misdemeanor offense):|     $30.00|
|Government Code § 76000 assessment ($7 for every $10):                     | $14,000.00|
|Government Code § 76000.5 assessment ($2 for every $10):                   |  $4,000.00|
|Government Code § 76104.6 assessment ($1 for every $10):                   |  $2,000.00|
|Government Code § 76104.7 assessment ($4 for every $10):                   |  $8,000.00|
|---------------------------------------------------------------------------+-----------|
|Fine with Assessments:                                                     |$82,070.00*|
-----------------------------------------------------------------------------------------
5)Argument in Support : As stated by the San Diego County
District Attorney, "An example of this new type of computer
crime involves 'paralyzing' phone systems. It is a variation
of 'distributed denial-of-service' (DDOS) attacks. Rather
than taking a website down by clicking a mouse and forcing
thousands of compromised personal computers to visit the site,
the new crime is to use a computer to inundate phone lines by
exploiting the vulnerabilities in the latest technology called
Voice over Internet Protocol (VoIP). Phone traffic carried
over the Internet surged 25% last year. Government agencies,
law enforcement, public utilities and public safety
infrastructure computer systems are being forced to take a
more serious look at their critical computer-based
infrastructure as a potential 'hacking' target. AB 1649 will
provide a deterrent to this specific computer crime.
"In recent years, there have been several cases of this type
of computer attack reported throughout the state, targeting
systems belonging to the City of San Francisco, the City of
Santa Cruz, the San Diego Registrar of Voters, and the San
Francisco's Bay Area Rapid Transit (BART). More recently,
there was an event that proved this crime has the potential to
create a life and death situation. According to a July 2013
Los Angeles Times article, a caller promised a San Diego
emergency room dispatcher that he would paralyze the
hospital's phone service if she didn't pay him hundreds of
dollars. Shortly after, the ER's six phone lines went silent.
For nearly 48 hours, ambulances and patients' families
calling the hospital only heard a busy signal. The suspect
had simply generated enough calls to tie up the lines
indefinitely.
"AB 1649 simply updates PC 502 by specifically including and
defining Government computer system and Public Safety
infrastructure computer system. It also increases the fine
for compromising these critical systems."
REGISTERED SUPPORT / OPPOSITION :
Support
San Diego County District Attorney's Office (Sponsor)
California District Attorneys Association
California Municipal Utilities Association
California State Sheriffs' Association
Opposition
None
Analysis Prepared by : Shaun Naidu / PUB. S. / (916) 319-3744