[BreachExchange] California bill to treat ransomware as form of extortion heads to governor

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 1 19:16:27 EDT 2016


http://statescoop.com/california-bill-to-treat-ransomware-as-form-of-extortion-heads-to-governor?utm_content=buffer65eee&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

A California bill that would classify the use of ransomware as a form of
extortion is now headed to Gov. Jerry Brown’s desk.

State Sen. Robert Hertzberg’s S.B. 1137 unanimously passed the Assembly
last week, and once Senate lawmakers followed up by approving its
amendments, the Legislature sent it on to the governor for his approval.

While the state already has a variety of laws on the books prohibiting
electronic crimes, Hertzberg’s bill specifically includes the use of
ransomware in its definition of extortion, making it possible for
prosecutors to seek a jail sentence of anywhere from two to four years for
anyone caught using the malware.

“Nearly every day, we read in the news about ransomware attacks stifling
government agencies or private companies,” Hertzberg said in a statement.
“This is essentially an electronic stickup, and we need to treat it with
the same seriousness and severity we would treat any stickup.”

Hertzberg pointed to a February ransomware attack on the Hollywood
Presbyterian Medical Center in Los Angeles — hackers forced the hospital to
pay $17,000 in bitcoin to regain control of its systems — as evidence that
there’s an urgent need for the legislation in the state.

His bill also gained widespread support from law enforcement, with Los
Angeles County District Attorney Jackie Lacey helping to introduce the
legislation and groups like the California Police Chiefs Association and
the California Statewide Law Enforcement Association registering their
support for the bill.

In an Assembly committee report on the legislation, Lacey’s office argued
that the bill was a crucial tool for the state’s lawyers, since “existing
law does not adequately provide prosecutors with the tools to prosecute
this type of crime.”

Specifically, the prosecutors claimed that the bill would more clearly
define things like “triggering a system malfunction” or “password lockout”
attacks as felonies, and bring the state’s existing extortion statute into
line with the dangers posed by ransomware. After all, they note that
current law simply “makes it a crime to obtain property from an individual
with the individual's consent by a wrongful use of force or fear,” leaving
it a bit out of step with the modern age.

“When ransomware is used there is no threat to commit a future harm unless
a ransom is paid, the harm has already occurred,” the prosecutors wrote.
“The attacker is demanding payment to undo the harm they have already
committed. The difference is slight but extremely important in a criminal
prosecution.”

The state’s tech sector also threw its support behind the bill. TechNet — a
trade group lobbying on behalf of companies like Google, Apple, Facebook
and Microsoft — also helped Hertzberg introduce the bill.

“Ransomware does not just impact home computers — far from it,” TechNet
Executive Director Andrea Deveau said in a statement. “Hospitals, data
centers, retailers, financial institutions and many others are becoming
growing targets for the perpetrators. S.B. 1137 provides a clear signal to
these criminals that ransomware is a criminal act and will be prosecuted as
such.”

Yet the Legal Services for Prisoners with Children group — a San Francisco
nonprofit and the lone organization opposing the bill — charged that the
legislation would be redundant and prove overly burdensome to people caught
up in the criminal justice system.

“[Ransomware] is already covered by existing law,” the group wrote in the
committee report. “Because these actions are already prohibited, a new
crime and additional punishment is neither necessary nor prudent. This will
simply create longer sentences for individuals convicted of violating these
provisions, which does not better protect [an] individual's privacy.”

But despite those concerns, the bill is just inches from becoming law. The
governor could decide to sign or veto the legislation before the
Legislature adjourns on Aug. 31, but if he doesn’t take any action on it,
he’ll have until Sept. 30 to make a decision on the legislation before it
becomes law with or without his signature.