What can we learn from California’s proposed ransomware law?

What can we learn from California’s proposed ransomware law?

In some instances, laws can be very specific, leaving a judge with little room for interpretation. In other instances, a law can be surprisingly vague. Sometimes, over time, and as societies and their technologies evolve, laws may end up being interpreted differently. This is often the case with the penal law. One notable area is our computer and internet criminal code. Technology changes rapidly. For example, a host of new laws regarding computer access has been created as a result of the internet usage. After all, the internet has only been around for a few decades. Additionally, smartphones have created additional security and privacy dilemmas that our justice departments have had to tackle more recently. A new frontier in cyber law is ransomware.

What is ransomware?

Ransomware is a combination of extortion and unauthorized use or access of a computer or computer network. Ransomware can be a state crime and/or a federal crime (should the action cross state borders or be intended to cross state borders) and may result in imprisonment, a fine or both if one is convicted.

Ransomware is the act of gaining access to someone else’s computer through the internet—perhaps by installing malicious software on the computer—and locking the computer or encrypting certain files and preventing the owner opening or using the files unless the computer owner pays a monetary ransom. This is a form of cyber extortion.  Another form of this cyber extortion is by threat. Someone committing ransomware may make a threat to the computer owner, “If you do not pay me $100, then I will prevent you from accessing your computer files”.  The best way to deal with ransomware depends on the type of situation you find yourself in.

Will New York and other states take the California approach?

Being accused of a computer or internet crime is a serious matter. In fact, the State of California may explicitly add ransomware to its criminal code section that deals with computer and internet crimes. If the State Senate Bill is passed, Section 523 of the penal code will be amended to read:

(a) Every person who, with intent to extort any money or other property from another, sends or delivers to any person any letter or other writing, whether subscribed or not, expressing or implying, or adapted to imply, any threat such as is specified in Section 519 is punishable in the same manner as if such money or property were actually obtained by means of such threat.

(b) (1) Every person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable pursuant to Section 520 in the same manner as if such money or other consideration were actually obtained by means of the ransomware.

(2) Prosecution pursuant to this subdivision does not prohibit or limit prosecution under any other law.

(c) (1) “Ransomware” means a computer contaminant, as defined in Section 502, or lock placed or introduced without authorization into a computer, computer system, or computer network that restricts access by an authorized person to the computer, computer system, computer network, or any data therein under circumstances in which the person responsible for the placement or introduction of the ransomware demands payment of money or other consideration to remove the computer contaminant, restore access to the computer, computer system, computer network, or data, or otherwise remediate the impact of the computer contaminant or lock.

(2) A person is responsible for placing or introducing ransomware into a computer, computer system, or computer network if the person directly places or introduces the ransomware or directs or induces another person to do so, with the intent of demanding payment or other consideration to remove the ransomware, restore access, or otherwise remediate the impact of the ransomware.

It is possible that more states will follow in California’s footsteps in updating their criminal codes. Will New York State update its laws? Will the New York State Penal Law specifically mention “ransomware?” Only time will tell.

If you have been accused of extortion, whether online or offline, then you should contact a qualified criminal defense attorney who can help defend your rights. There may be strong defenses to these criminal allegations and charges depending on your situation. Julie Rendelman is a criminal defense attorney with a background as a prosecutor. She has over 20 years of experience practicing law and can be reached at 212-951-1232 for a free consultation. Visit www.RendelmanLaw.com to learn more about our firm.