Lawmakers in Ohio this week voted overwhelmingly in favor of a bill that would expand the state’s definition of what constitutes a cybercrime and increase penalties.
The legislation, which passed the Ohio House of Representatives on Wednesday, would make attempted hacking a felony-level offense. Current state law only criminalizes successful cyberattacks, which are currently defined broadly as either criminal mischief or unauthorized use of a computer.
But House Bill 328, which passed the House by a vote of 93-1 and now heads to the state Senate, specifically targets the electronic tampering, manipulation or theft of data, defining those acts as felonies punishable by fines and jail time. It would also make unauthorized data disclosures a felony.
The bill also gives computer-crime victims the ability to sue people convicted of cybercrimes for civil damages. According the FBI Internet Crime Complaint Center’s 2019 annual report, Ohioans lost nearly $265 million to computer crimes last year, the third-most of any state, trailing only California and Florida.
While Bill 328 would stiffen Ohio’s statutes against cybercrimes, state-level laws on the matter can be difficult to enforce, especially if hacking threats come from out of state or overseas. A bill introduced in the Maryland state legislature in January would’ve made it illegal for Marylanders to possess ransomware similar to the malware that crippled Baltimore last year, despite the fact that most ransomware attacks — including the one against Baltimore — emanate from foreign countries.
According to a 2018 report by the think tank Third Way, the enforcement rate for cybercrimes against U.S. victims is 0.3% and may actually be lower when accounting for incidents that are not reported to law enforcement.
But cyberattacks do sometimes come from within the U.S. When the Ohio bill was introduced last November, some lawmakers pointed to an incident in which a disgruntled former employee of a credit union attempted to access its network. That alleged hacking attempt could not be prosecuted, however, because Ohio’s current statutes don’t cover unsuccessful attacks.
And on Wednesday, Cleveland.com reported that one of the bill’s backers said it would give Ohio authorities the ability to investigate and prosecute the recently reported attempt by a hacker to disrupt the state’s unemployment system by submitting phony reports to a website the state created to deny benefits to people who do not return to work amid the COVID-19 pandemic.