California bill to treat ransomware as form of extortion heads to governor

State Sen. Robert Hertzberg's legislation is aimed at giving prosecutors more clarity as they pursue criminal charges against hackers.

A California bill that would classify the use of ransomware as a form of extortion is now headed to Gov. Jerry Brown’s desk.

State Sen. Robert Hertzberg’s S.B. 1137 unanimously passed the Assembly last week, and once Senate lawmakers followed up by approving its amendments, the Legislature sent it on to the governor for his approval.

While the state already has a variety of laws on the books prohibiting electronic crimes, Hertzberg’s bill specifically includes the use of ransomware in its definition of extortion, making it possible for prosecutors to seek a jail sentence of anywhere from two to four years for anyone caught using the malware.

“Nearly every day, we read in the news about ransomware attacks stifling government agencies or private companies,” Hertzberg said in a statement. “This is essentially an electronic stickup, and we need to treat it with the same seriousness and severity we would treat any stickup.”


Hertzberg pointed to a February ransomware attack on the Hollywood Presbyterian Medical Center in Los Angeles — hackers forced the hospital to pay $17,000 in bitcoin to regain control of its systems — as evidence that there’s an urgent for the legislation in the state.

His bill also gained widespread support from law enforcement, with Los Angeles County District Attorney Jackie Lacey helping to introduce the legislation and groups like the California Police Chiefs Association and the California Statewide Law Enforcement Association registering their support for the bill.

In an Assembly committee report on the legislation, Lacey’s office argued that the bill was a crucial tool for the state’s lawyers, since “existing law does not adequately provide prosecutors with the tools to prosecute this type of crime.”

Specifically, the prosecutors claimed that the bill would more clearly define things like “triggering a system malfunction” or “password lockout” attacks as felonies, and bring the state’s existing extortion statute into line with the dangers posed by ransomware. After all, they note that current law simply “makes it a crime to obtain property from an individual with the individual’s consent by a wrongful use of force or fear,” leaving it a bit out of step with the modern age.

[Read more: MS-ISAC official: Ransomware is top malware of concern for states, counties]


“When ransomware is used there is no threat to commit a future harm unless a ransom is paid, the harm has already occurred,” the prosecutors wrote. “The attacker is demanding payment to undo the harm they have already committed. The difference is slight but extremely important in a criminal prosecution.”

The state’s tech sector also threw its support behind the bill. TechNet — a trade group lobbying on behalf of companies like Google, Apple, Facebook and Microsoft — also helped Hertzberg introduce the bill.

“Ransomware does not just impact home computers — far from it,” TechNet Executive Director Andrea Deveau said in a statement. “Hospitals, data centers, retailers, financial institutions and many others are becoming growing targets for the perpetrators. S.B. 1137 provides a clear signal to these criminals that ransomware is a criminal act and will be prosecuted as such.”

Yet the Legal Services for Prisoners with Children group — a San Francisco nonprofit and the lone organization opposing the bill — charged that the legislation would be redundant and prove overly burdensome to people caught up in the criminal justice system.

“[Ransomware] is already covered by existing law,” the group wrote in the committee report. “Because these actions are already prohibited, a new crime and additional punishment is neither necessary nor prudent. This will simply create longer sentences for individuals convicted of violating these provisions, which does not better protect [an] individual’s privacy.”


But despite those concerns, the bill is just inches from becoming law. The governor could decide to sign or veto the legislation before the Legislature adjourns on Aug. 31, but if he doesn’t take any action on it, he’ll have until Sept. 30 to make a decision on the legislation before it becomes law with or without his signature.

Latest Podcasts