California poised to add ransomware law that carries sentence of up to four years

The bill, SB 1137, was authored by Sen. Robert Hertzberg. Last week, the bill passed the state assembly with a couple of amendments, and headed to the desk of Gov. Jerry Brown, along with a number of other bills, to be signed into law.

Cybercrime was previously covered in California by older laws but this newer bill classifies ransomware as extortion because it is specifically used to make money off victims. Ransomware encrypts a person’s device and holds it hostage until a ransom has been paid.

By classifying this particular cybercrime tactic as extortion, it allows prosecutors to call for jail terms of between two and four years. The bill also defines “triggering a system malfunction” or “password lockout” as felonies.

Hertzberg described ransomware as “electronic stickup,” and said the existing law needed greater clarity. “We need to make clear that intentionally using ransomware is a very serious crime that will not be tolerated and will be prosecuted, just like any stickup. That’s what this legislation does,” he said.

TechNet, a trade organization whose members include Microsoft, Cisco, and Apple, along with Los Angeles County District Attorney Jackie Lacey, co-sponsored the bill.

“These criminals are turning ransomware into a sure way to cash in on just about any network intrusion, and we must send the signal that this criminal activity is punishable in a way that will deter this type of activity,” said Andrea Deveau, executive director of TechNet.

California has had a few notable run-ins with ransomware. In February, a Los Angeles hospital paid $17,000 to pay off its ransom and regain access to its files.

Only one organization is known opposed the bill, according to StateScoop. Legal Services for Prisoners with Children said the bill will only make jail sentences longer and will not add any further protections to victims of ransomware.