PA 17-223—sHB 7304

Judiciary Committee

AN ACT CONCERNING COMPUTER EXTORTION BY USE OF RANSOMWARE

SUMMARY: This act creates a specific class E felony offense for computer extortion involving ransomware (see Table on Penalties). Under the act, this offense consists of introducing ransomware into a computer, computer system, or computer network and demanding payment to (1) remove the ransomware; (2) restore access to the computer, system, or network or data contained therein; or (3) otherwise remediate the ransomware's impact. These actions may also be considered computer crimes, computer-related offenses, and extortion under existing law (see BACKGROUND).

The act defines “ransomware” as any computer contaminant or lock placed or introduced without authorization into a computer, computer system, or computer network that restricts the authorized person's access to the affected computer, system, network, or data contained therein. It does not include (1) authentication required to upgrade or access purchased content or (2) blocking access to subscription content in the case of nonpayment.

The act defines a “computer contaminant” as any set of computer instructions designed to modify, damage, destroy, record, or transmit data held by a computer, computer system, or computer network without the data owner's intent or permission.

EFFECTIVE DATE: October 1, 2017

BACKGROUND

Computer Crimes

The law designates various actions as computer crimes, including unauthorized use of a computer or computer network with the intent to (1) temporarily or permanently remove, or otherwise disable, computer programs, software, or data or (2) cause a computer to malfunction regardless how long the malfunction persists. Any such action is punishable as a (1) class A or B misdemeanor depending on the amount of property damage the action causes or (2) class D felony if the action was malicious and caused more than $2,500 in property damage (CGS 53-451).

Computer-Related Offenses

The law designates various actions as computer-related offenses, including (1) accessing a computer system without authorization, (2) stealing or interrupting computer services, (3) misusing computer system information, and (4) destroying computer equipment. The penalties range from a class B misdemeanor to a class B felony depending on the amount of damage to, or value of, the property or computer services (CGS 53a-250 et seq.).

Extortion

By law, obtaining property by extortion consists of compelling or inducing someone to deliver property to the actor or another person by instilling fear that, if the property is not delivered, the actor will take certain measures, including damaging the property or inflicting other harm. Obtaining property by extortion constitutes 1st degree larceny, a class B felony (CGS 53a-119 and 53a-122).