BILL NUMBER: AB 195 AMENDED
BILL TEXT
AMENDED IN ASSEMBLY APRIL 6, 2015
INTRODUCED BY Assembly Member Chau
JANUARY 28, 2015
An act to amend Sections 502 and Section
653f of the Penal Code, relating to computer crimes.
LEGISLATIVE COUNSEL'S DIGEST
AB 195, as amended, Chau. Unauthorized access to computer systems.
(1) Existing
Existing law establishes various crimes related to
computer services and systems. Existing law makes it a crime to
knowingly, and without permission, access, cause to be accessed, or
provide or assist in providing a means of accessing, a computer,
computer system, computer network, or computer data in violation of
prescribed provisions, and defines related terms.
This bill would specify that "computer network" for these purposes
includes smartphones, as defined, and would make a conforming
change.
(2) Existing
Existing law makes it a crime for a person, with the
intent that the crime be committed, to solicit another to commit or
join in the commission of prescribed crimes.
This bill would expand these provisions to make it a crime for a
person, with the intent that the crime be committed, to solicit
another to commit or join in the commission of the access crimes
related to computer services and systems. The bill would make it a
crime to offer to obtain or procure assistance for another to obtain
unauthorized access, or to assist others in locating hacking
services, as defined. The bill would make a violation of this
provision punishable by imprisonment in a county jail for a term not
to exceed 6 months, or imprisonment for a term not to exceed one year
for subsequent violations.
(3) By
By expanding the definitions of existing crimes, this
bill would impose a state-mandated local program.
The California Constitution requires the state to reimburse local
agencies and school districts for certain costs mandated by the
state. Statutory provisions establish procedures for making that
reimbursement.
This bill would provide that no reimbursement is required by this
act for a specified reason.
Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: yes.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Section 502 of the Penal Code is
amended to read:
502. (a) It is the intent of the Legislature in enacting this
section to expand the degree of protection afforded to individuals,
businesses, and governmental agencies from tampering, interference,
damage, and unauthorized access to lawfully created computer data and
computer systems. The Legislature finds and declares that the
proliferation of computer technology has resulted in a concomitant
proliferation of computer crime and other forms of unauthorized
access to computers, computer systems, and computer data.
The Legislature further finds and declares that protection of the
integrity of all types and forms of lawfully created computers,
computer systems, and computer data is vital to the protection of the
privacy of individuals as well as to the well-being of financial
institutions, business concerns, governmental agencies, and others
within this state that lawfully utilize those computers, computer
systems, and data.
(b) For the purposes of this section, the following terms have the
following meanings:
(1) "Access" means to gain entry to, instruct, cause input to,
cause output from, cause data processing with, or communicate with,
the logical, arithmetical, or memory function resources of a
computer, computer system, or computer network.
(2) "Computer network" means any system that provides
communications between one or more computer systems and input/output
devices including, but not limited to, display terminals, remote
systems, mobile devices, smartphones, and printers connected by
telecommunication facilities.
(3) "Computer program or software" means a set of instructions or
statements, and related data, that when executed in actual or
modified form, cause a computer, computer system, or computer network
to perform specified functions.
(4) "Computer services" includes, but is not limited to, computer
time, data processing, or storage functions, Internet services,
electronic mail services, electronic message services, or other uses
of a computer, computer system, or computer network.
(5) "Computer system" means a device or collection of devices,
including support devices and excluding calculators that are not
programmable and capable of being used in conjunction with external
files, one or more of which contain computer programs, electronic
instructions, input data, and output data, that performs functions
including, but not limited to, logic, arithmetic, data storage and
retrieval, communication, and control.
(6) "Government computer system" means any computer system, or
part thereof, that is owned, operated, or used by any federal, state,
or local governmental entity.
(7) "Public safety infrastructure computer system" means any
computer system, or part thereof, that is necessary for the health
and safety of the public including computer systems owned, operated,
or used by drinking water and wastewater treatment facilities,
hospitals, emergency service providers, telecommunication companies,
and gas and electric utility companies.
(8) "Data" means a representation of information, knowledge,
facts, concepts, computer software, computer programs or
instructions, or smartphone applications. Data may be in any form, in
storage media, or as stored in the memory of the computer or in
transit or presented on a display device.
(9) "Supporting documentation" includes, but is not limited to,
all information, in any form, pertaining to the design, construction,
classification, implementation, use, or modification of a computer,
computer system, computer network, computer program, or computer
software, which information is not generally available to the public
and is necessary for the operation of a computer, computer system,
computer network, computer program, or computer software.
(10) "Injury" means any alteration, deletion, damage, or
destruction of a computer system, computer network, computer program,
or data caused by the access, or the denial of access to legitimate
users of a computer system, network, or program.
(11) "Victim expenditure" means any expenditure reasonably and
necessarily incurred by the owner or lessee to verify that a computer
system, computer network, computer program, or data was or was not
altered, deleted, damaged, or destroyed by the access.
(12) "Computer contaminant" means any set of computer instructions
that are designed to modify, damage, destroy, record, or transmit
information within a computer, computer system, or computer network
without the intent or permission of the owner of the information.
They include, but are not limited to, a group of computer
instructions commonly called viruses or worms, that are
self-replicating or self-propagating and are designed to contaminate
other computer programs or computer data, consume computer resources,
modify, destroy, record, or transmit data, or in some other fashion
usurp the normal operation of the computer, computer system, or
computer network.
(13) "Internet domain name" means a globally unique, hierarchical
reference to an Internet host or service, assigned through
centralized Internet naming authorities, comprising a series of
character strings separated by periods, with the rightmost character
string specifying the top of the hierarchy.
(14) "Electronic mail" means an electronic message or computer
file that is transmitted between two or more telecommunications
devices; computers; computer networks, regardless of whether the
network is a local, regional, or global network; or electronic
devices capable or receiving electronic messages, regardless of
whether the message is converted to hard copy format after receipt,
viewed upon transmission, or stored for later retrieval.
(15) "Profile" means either of the following:
(A) A configuration of user data required by a computer so that
the user may access programs or services and have the desired
functionality on that computer.
(B) An Internet Web site user's personal page or section of a page
that is made up of data, in text of graphical form, that displays
significant, unique, or identifying information, including, but not
limited to, listing acquaintances, interests, associations,
activities, or personal statements.
(16) "Smartphone" means a cellular radio telephone or other mobile
communications device that performs many of the functions of a
computer, typically having a touchscreen interface, Internet access,
and an operating system capable of running downloaded applications.
(c) Except as provided in subdivision (h), any person who commits
any of the following acts is guilty of a public offense:
(1) Knowingly accesses and without permission alters, damages,
deletes, destroys, or otherwise uses any data, computer, computer
system, or computer network in order to either (A) devise or execute
any scheme or artifice to defraud, deceive, or extort, or (B)
wrongfully control or obtain money, property, or data.
(2) Knowingly accesses and without permission takes, copies, or
makes use of any data from a computer, computer system, or computer
network, or takes or copies any supporting documentation, whether
existing or residing internal or external to a computer, computer
system, or computer network.
(3) Knowingly and without permission uses or causes to be used
computer services.
(4) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software, or
computer programs which reside or exist internal or external to a
computer, computer system, or computer network.
(5) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the denial of
computer services to an authorized user of a computer, computer
system, or computer network.
(6) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system, or
computer network in violation of this section.
(7) Knowingly and without permission accesses or causes to be
accessed any computer, computer system, or computer network.
(8) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network.
(9) Knowingly and without permission uses the Internet domain name
or profile of another individual, corporation, or entity in
connection with the sending of one or more electronic mail messages
or posts and thereby damages or causes damage to a computer, computer
data, computer system, or computer network.
(10) Knowingly and without permission disrupts or causes the
disruption of government computer services or denies or causes the
denial of government computer services to an authorized user of a
government computer, computer system, or computer network.
(11) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software, or
computer programs which reside or exist internal or external to a
public safety infrastructure computer system computer, computer
system, or computer network.
(12) Knowingly and without permission disrupts or causes the
disruption of public safety infrastructure computer system computer
services or denies or causes the denial of computer services to an
authorized user of a public safety infrastructure computer system
computer, computer system, or computer network.
(13) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system, or public
safety infrastructure computer system computer, computer system, or
computer network in violation of this section.
(14) Knowingly introduces any computer contaminant into any public
safety infrastructure computer system computer, computer system, or
computer network.
(d) (1) Any person who violates any of the provisions of paragraph
(1), (2), (4), (5), (10), (11), or (12) of subdivision (c) is
punishable by a fine not exceeding ten thousand dollars ($10,000), or
by imprisonment pursuant to subdivision (h) of Section 1170 for 16
months, or two or three years, or by both that fine and imprisonment,
or by a fine not exceeding five thousand dollars ($5,000), or by
imprisonment in a county jail not exceeding one year, or by both that
fine and imprisonment.
(2) Any person who violates paragraph (3) of subdivision (c) is
punishable as follows:
(A) For the first violation that does not result in injury, and
where the value of the computer services used does not exceed nine
hundred fifty dollars ($950), by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
(B) For any violation that results in a victim expenditure in an
amount greater than five thousand dollars ($5,000) or in an injury,
or if the value of the computer services used exceeds nine hundred
fifty dollars ($950), or for any second or subsequent violation, by a
fine not exceeding ten thousand dollars ($10,000), or by
imprisonment pursuant to subdivision (h) of Section 1170 for 16
months, or two or three years, or by both that fine and imprisonment,
or by a fine not exceeding five thousand dollars ($5,000), or by
imprisonment in a county jail not exceeding one year, or by both that
fine and imprisonment.
(3) Any person who violates paragraph (6), (7), or (13) of
subdivision (c) is punishable as follows:
(A) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding one thousand dollars
($1,000).
(B) For any violation that results in a victim expenditure in an
amount not greater than five thousand dollars ($5,000), or for a
second or subsequent violation, by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
(C) For any violation that results in a victim expenditure in an
amount greater than five thousand dollars ($5,000), by a fine not
exceeding ten thousand dollars ($10,000), or by imprisonment pursuant
to subdivision (h) of Section 1170 for 16 months, or two or three
years, or by both that fine and imprisonment, or by a fine not
exceeding five thousand dollars ($5,000), or by imprisonment in a
county jail not exceeding one year, or by both that fine and
imprisonment.
(4) Any person who violates paragraph (8) or (14) of subdivision
(c) is punishable as follows:
(A) For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one year,
or by both that fine and imprisonment.
(B) For any violation that results in injury, or for a second or
subsequent violation, by a fine not exceeding ten thousand dollars
($10,000), or by imprisonment in a county jail not exceeding one
year, or by imprisonment pursuant to subdivision (h) of Section 1170,
or by both that fine and imprisonment.
(5) Any person who violates paragraph (9) of subdivision (c) is
punishable as follows:
(A) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding one thousand dollars
($1,000).
(B) For any violation that results in injury, or for a second or
subsequent violation, by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one year,
or by both that fine and imprisonment.
(e) (1) In addition to any other civil remedy available, the owner
or lessee of the computer, computer system, computer network,
computer program, or data who suffers damage or loss by reason of a
violation of any of the provisions of subdivision (c) may bring a
civil action against the violator for compensatory damages and
injunctive relief or other equitable relief. Compensatory damages
shall include any expenditure reasonably and necessarily incurred by
the owner or lessee to verify that a computer system, computer
network, computer program, or data was or was not altered, damaged,
or deleted by the access. For the purposes of actions authorized by
this subdivision, the conduct of an unemancipated minor shall be
imputed to the parent or legal guardian having control or custody of
the minor, pursuant to the provisions of Section 1714.1 of the Civil
Code.
(2) In any action brought pursuant to this subdivision the court
may award reasonable attorney's fees.
(3) A community college, state university, or academic institution
accredited in this state is required to include computer-related
crimes as a specific violation of college or university student
conduct policies and regulations that may subject a student to
disciplinary sanctions up to and including dismissal from the
academic institution. This paragraph shall not apply to the
University of California unless the Board of Regents adopts a
resolution to that effect.
(4) In any action brought pursuant to this subdivision for a
willful violation of the provisions of subdivision (c), where it is
proved by clear and convincing evidence that a defendant has been
guilty of oppression, fraud, or malice as defined in subdivision (c)
of Section 3294 of the Civil Code, the court may additionally award
punitive or exemplary damages.
(5) No action may be brought pursuant to this subdivision unless
it is initiated within three years of the date of the act complained
of, or the date of the discovery of the damage, whichever is later.
(f) This section shall not be construed to preclude the
applicability of any other provision of the criminal law of this
state which applies or may apply to any transaction, nor shall it
make illegal any employee labor relations activities that are within
the scope and protection of state or federal labor laws.
(g) Any computer, computer system, computer network, or any
software or data, owned by the defendant, that is used during the
commission of any public offense described in subdivision (c) or any
computer, owned by the defendant, which is used as a repository for
the storage of software or data illegally obtained in violation of
subdivision (c) shall be subject to forfeiture, as specified in
Section 502.01.
(h) (1) Subdivision (c) does not apply to punish any acts which
are committed by a person within the scope of his or her lawful
employment. For purposes of this section, a person acts within the
scope of his or her employment when he or she performs acts which are
reasonably necessary to the performance of his or her work
assignment.
(2) Paragraph (3) of subdivision (c) does not apply to penalize
any acts committed by a person acting outside of his or her lawful
employment, provided that the employee's activities do not cause an
injury, to the employer or another, or provided that the value of
supplies or computer services which are used does not exceed an
accumulated total of two hundred fifty dollars ($250).
(i) No activity exempted from prosecution under paragraph (2) of
subdivision (h) which incidentally violates paragraph (2), (4), or
(7) of subdivision (c) shall be prosecuted under those paragraphs.
(j) For purposes of bringing a civil or a criminal action under
this section, a person who causes, by any means, the access of a
computer, computer system, or computer network in one jurisdiction
from another jurisdiction is deemed to have personally accessed the
computer, computer system, or computer network in each jurisdiction.
(k) In determining the terms and conditions applicable to a person
convicted of a violation of this section the court shall consider
the following:
(1) The court shall consider prohibitions on access to and use of
computers.
(2) Except as otherwise required by law, the court shall consider
alternate sentencing, including community service, if the defendant
shows remorse and recognition of the wrongdoing, and an inclination
not to repeat the offense.
SEC. 2. SECTION 1. Section 653f of
the Penal Code is amended to read:
653f. (a) Every person who, with the intent that the crime be
committed, solicits another to offer, accept, or join in the offer or
acceptance of a bribe, or to commit or join in the commission of
carjacking, robbery, burglary, grand theft, receiving stolen
property, extortion, perjury, subornation of perjury, forgery,
kidnapping, arson or assault with a deadly weapon or instrument or by
means of force likely to produce great bodily injury, or, by the use
of force or a threat of force, to prevent or dissuade any person who
is or may become a witness from attending upon, or testifying at,
any trial, proceeding, or inquiry authorized by law, shall be
punished by imprisonment in a county jail for not more than one year
or pursuant to subdivision (h) of Section 1170, or by a fine of not
more than ten thousand dollars ($10,000), or the amount which could
have been assessed for commission of the offense itself, whichever is
greater, or by both the fine and imprisonment.
(b) Every person who, with the intent that the crime be committed,
solicits another to commit or join in the commission of murder shall
be punished by imprisonment in the state prison for three, six, or
nine years.
(c) Every person who, with the intent that the crime be committed,
solicits another to commit rape by force or violence, sodomy by
force or violence, oral copulation by force or violence, or any
violation of Section 264.1, 288, or 289, shall be punished by
imprisonment in the state prison for two, three, or four years.
(d) (1) Every person who, with the intent that the crime be
committed, solicits another to commit an offense specified in Section
11352, 11379, 11379.5, 11379.6, or 11391 of the Health and Safety
Code shall be punished by imprisonment in a county jail not exceeding
six months. Every person, person who,
having been convicted of soliciting another to commit an offense
specified in this subdivision, is subsequently convicted of the
proscribed solicitation, shall be punished by imprisonment in a
county jail not exceeding one year, or pursuant to subdivision (h) of
Section 1170.
(2) This subdivision does not apply where the term of imprisonment
imposed under other provisions of law would result in a longer term
of imprisonment.
(e) Every person who, with the intent that the crime be committed,
solicits another to commit an offense specified in Section 14014 of
the Welfare and Institutions Code shall be punished by imprisonment
in a county jail for not exceeding six months. Every person who,
having been convicted of soliciting another to commit an offense
specified in this subdivision, is subsequently convicted of the
proscribed solicitation, shall be punished by imprisonment in a
county jail not exceeding one year, or pursuant to subdivision (h) of
Section 1170.
(f) (1) Every person who, with the intent that the crime be
committed, solicits another to commit an offense set forth in Section
502 shall be punished as set forth in paragraph (3).
(2) Every person who, with the intent that the crime be committed,
offers to solicit assistance for another to conduct activities in
violation of Section 502 shall be punished as set forth in paragraph
(3). This includes persons operating Internet Web sites that offer to
assist others in locating hacking services. For the purposes of this
section "hacking services" means assistance in the unauthorized
access to computers, computer systems, or computer
data in violation of Section 502.
(3) Every person who violates this subdivision shall be punished
by imprisonment in a county jail for a period not to exceed six
months. Every subsequent violation of this subdivision by that same
person shall be punished by imprisonment in a county jail not
exceeding one year, or pursuant to subdivision (h) of
Section 1170. year.
(g) An offense charged in violation of subdivision (a), (b), or
(c) shall be proven by the testimony of two witnesses, or of one
witness and corroborating circumstances. An offense charged in
violation of subdivision (d), (e), or (f) shall be proven by the
testimony of one witness and corroborating circumstances.
SEC. 3. SEC. 2. No reimbursement is
required by this act pursuant to Section 6 of Article XIII B of the
California Constitution because the only costs that may be incurred
by a local agency or school district will be incurred because this
act creates a new crime or infraction, eliminates a crime or
infraction, or changes the penalty for a crime or infraction, within
the meaning of Section 17556 of the Government Code, or changes the
definition of a crime within the meaning of Section 6 of Article XIII
B of the California Constitution.