SB 1137 makes intentionally introducing ransomware into any computer, system or network a crime equivalent to extortion
SACRAMENTO – Legislation by Sen. Bob Hertzberg, D-Van Nuys, to help protect computer users by outlawing the practice of infecting computers with ransomware and making it the criminal equivalent of extortion today passed the Senate Public Safety Committee.
Ransomware is software that allows a computer hacker to access your computer, hold it hostage and demand payment in exchange for ending the attack. Under the bill, a person engaged in the activity could be convicted of a felony and be given a sentence of up to four years in jail.
In recent months, ransomware attacks have become more sophisticated and hit hospitals and health care organizations particularly hard. In February, a ransomware attack on the Hollywood Presbyterian Medical Center prompted the hospital to pay a $17,000 ransom in bitcoin to restore access to its computer system.
“Sadly, ransomware attacks are increasingly common,” Hertzberg said. “Basically, this is an electronic stickup. We need to make clear that intentionally using ransomware is a very serious crime that will not be tolerated and will be prosecuted, just like any stickup. That’s what this legislation does.”
Ransomware attacks have skyrocketed this year. More than $209 million in ransomware payments were made in the United States in the first three months of 2016, according to the FBI, compared to $25 million in all of last year.
The full extent of the ransomware attacks, though, is difficult to assess because victims are sometimes reluctant to come forward and businesses, which have a financial incentive to protect their credibility and reputation, don’t want the public to know if their cybersecurity has been breached.
Ransomware can often go beyond the simple extortion of money. It can allow hackers to steal passwords and gain access to bank accounts or other private or sensitive information that can be used for identity theft.
Even if ransom is paid, attackers rarely unlock the victim’s computer. For those who don’t fall for the scam but instead try to regain control of their computer, it can require the costly assistance of a professional computer technician.
The legislation is co-sponsored by Los Angeles County District Attorney Jackie Lacey and TechNet, a bipartisan trade organization that advocates for technology companies.
“SB 1137 provides a clear code section to prosecute this specific type of computer crime,” according to the Los Angeles County District Attorney’s Office. “SB 1137 also provides prosecutors a much needed tool to prosecute attackers who use ransomware because California’s existing extortion statute may not properly cover the type of harm caused by ransomware.”
Ransomware is just one type of electronic criminal activity that has risen along with widespread use of computers, cell phones and the Internet. According to a recent report, 43 percent of companies in 2014 experienced some sort of data breach, including highly visible and damaging attacks that hit Sony, Home Depot, Target and JP Morgan Chase.
“Ransomware attacks are becoming more prevalent and more targeted,” said Andrea Deveau, Executive Director at TechNet. “If not stopped, the increasing number of these attacks will become inherently world-changing as we are seeing this emerging class of criminals with greater skills hitting targeted organizations such as hospitals and health care institutions.”
“These criminals,” Deveau added, “are turning ransomware into a sure way to cash in on just about any network intrusion and we must send the signal that this criminal activity is punishable in a way that will deter this type of activity. This is what Senator Hertzberg’s Bill, SB 1137, is poised to do, and TechNet is proud to co-sponsor this initiative and thanks Senator Hertzberg for his leadership.”
SB 1137, which received strong bipartisan support from the committee, moves next to the Senate Appropriations Committee.