Iowa-2023-SSB1072-Introduced

S.F. _____ Section 1. Section 715.2, Code 2023, is amended to read as 1 follows: 2 715.2 Title. 3 This chapter shall be known and may be cited as the “Computer 4 Spyware , Malware, and Ransomware Protection Act” . 5 Sec. 2. Section 715.3, Code 2023, is amended by adding the 6 following new subsections: 7 NEW SUBSECTION . 1A. “Computer control language” means 8 ordered statements that direct a computer to perform specific 9 functions. 10 NEW SUBSECTION . 1B. “Computer database” means a 11 representation of information, knowledge, facts, concepts, or 12 instructions that is intended for use in a computer, computer 13 system, or computer network that is being prepared or has been 14 prepared in a formalized manner, or is being produced or has 15 been produced by a computer, computer system, or computer 16 network. 17 NEW SUBSECTION . 9A. “Ransomware” means a computer or data 18 contaminant, encryption, or lock that is placed or introduced 19 without authorization into a computer, computer network, or 20 computer system that restricts access by an authorized person 21 to a computer, computer data, a computer system, or a computer 22 network in a manner that results in the person responsible for 23 the placement or introduction of the contaminant, encryption, 24 or lock making a demand for payment of money or other 25 consideration to remove the contaminant, encryption, or lock. 26 Sec. 3. Section 715.5, subsection 2, Code 2023, is amended 27 to read as follows: 28 2. Using intentionally deceptive means to cause the 29 execution of a computer software component with the intent of 30 causing an owner or operator to use such component in a manner 31 that violates any other provision of this chapter subchapter . 32 Sec. 4. Section 715.6, Code 2023, is amended to read as 33 follows: 34 715.6 Exceptions. 35 -1- LSB 1266XC (1) 90 as/rh 1/ 7

S.F. _____ Sections 715.4 and 715.5 shall not apply to the monitoring 1 of, or interaction with, an owner’s or an operator’s internet 2 or other network connection, service, or computer, by a 3 telecommunications carrier, cable operator, computer hardware 4 or software provider, or provider of information service or 5 interactive computer service for network or computer security 6 purposes, diagnostics, technical support, maintenance, repair, 7 authorized updates of computer software or system firmware, 8 authorized remote system management, or detection, criminal 9 investigation, or prevention of the use of or fraudulent 10 or other illegal activities prohibited in this chapter 11 subchapter in connection with a network, service, or computer 12 software, including scanning for and removing computer software 13 prescribed under this chapter subchapter . Nothing in this 14 chapter subchapter shall limit the rights of providers of wire 15 and electronic communications under 18 U.S.C. §2511. 16 Sec. 5. Section 715.7, Code 2023, is amended to read as 17 follows: 18 715.7 Criminal penalties. 19 1. A person who commits an unlawful act under this chapter 20 subchapter is guilty of an aggravated misdemeanor. 21 2. A person who commits an unlawful act under this chapter 22 subchapter and who causes pecuniary losses exceeding one 23 thousand dollars to a victim of the unlawful act is guilty of a 24 class “D” felony. 25 Sec. 6. Section 715.8, unnumbered paragraph 1, Code 2023, 26 is amended to read as follows: 27 For the purpose of determining proper venue, a violation 28 of this chapter subchapter shall be considered to have been 29 committed in any county in which any of the following apply: 30 Sec. 7. NEW SECTION . 715.9 Ransomware prohibition. 31 1. A person shall not intentionally, willfully, and without 32 authorization do any of the following: 33 a. Access, attempt to access, cause to be accessed, or 34 exceed the person’s authorized access to all or a part of a 35 -2- LSB 1266XC (1) 90 as/rh 2/ 7

S.F. _____ computer network, computer control language, computer, computer 1 software, computer system, or computer database. 2 b. Copy, attempt to copy, possess, or attempt to possess 3 the contents of all or part of a computer database accessed in 4 violation of paragraph “a” . 5 2. A person shall not commit an act prohibited in subsection 6 1 with the intent to do any of the following: 7 a. Cause the malfunction or interruption of the operation 8 of all or any part of a computer, computer network, computer 9 control language, computer software, computer system, computer 10 service, or computer data. 11 b. Alter, damage, or destroy all or any part of data or a 12 computer program stored, maintained, or produced by a computer, 13 computer network, computer software, computer system, computer 14 service, or computer database. 15 3. A person shall not intentionally, willfully, and without 16 authorization do any of the following: 17 a. Possess, identify, or attempt to identify a valid 18 computer access code. 19 b. Publicize or distribute a valid computer access code to 20 an unauthorized person. 21 4. A person shall not commit an act prohibited under this 22 section with the intent to interrupt or impair the functioning 23 of any of the following: 24 a. The state. 25 b. A service, device, or system related to the production, 26 transmission, delivery, or storage of electricity or natural 27 gas in the state that is owned, operated, or controlled by a 28 person other than a public utility as defined in chapter 476. 29 c. A service provided in the state by a public utility as 30 defined in chapter 476. 31 d. A hospital or health care facility as defined in section 32 135C.1. 33 e. A public elementary or secondary school, community 34 college, or area education agency under the supervision of the 35 -3- LSB 1266XC (1) 90 as/rh 3/ 7

S.F. _____ department of education. 1 5. This section shall not apply to the use of ransomware for 2 research purposes by a person who has a bona fide scientific, 3 educational, governmental, testing, news, or other similar 4 justification for possessing ransomware. However, a person 5 shall not knowingly possess ransomware with the intent to 6 use the ransomware for the purpose of introduction into the 7 computer, computer network, or computer system of another 8 person without the authorization of the other person. 9 6. A person who has suffered a specific and direct injury 10 because of a violation of this section may bring a civil action 11 in a court of competent jurisdiction. 12 a. In an action under this subsection, the court may award 13 actual damages, reasonable attorney fees, and court costs. 14 b. A conviction for an offense under this section is not a 15 prerequisite for the filing of a civil action. 16 Sec. 8. NEW SECTION . 715.10 Criminal penalties. 17 1. A person who commits an unlawful act under this 18 subchapter and who causes pecuniary losses involving less than 19 ten thousand dollars to a victim of the unlawful act is guilty 20 of an aggravated misdemeanor. 21 2. A person who commits an unlawful act under this 22 subchapter and who causes pecuniary losses involving at least 23 ten thousand dollars but less than fifty thousand dollars to a 24 victim of the unlawful act is guilty of a class “D” felony. 25 3. A person who commits an unlawful act under this 26 subchapter and who causes pecuniary losses involving at least 27 fifty thousand dollars to a victim of the unlawful act is 28 guilty of a class “C” felony. 29 Sec. 9. NEW SECTION . 715.11 Venue. 30 For the purpose of determining proper venue, a violation of 31 this subchapter shall be considered to have been committed in 32 any county in which any of the following apply: 33 1. Where the defendant performed the unlawful act. 34 2. Where the defendant resides. 35 -4- LSB 1266XC (1) 90 as/rh 4/ 7

S.F. _____ 3. Where the accessed computer is located. 1 Sec. 10. CODE EDITOR DIRECTIVE. The Code editor shall 2 divide chapter 715 into subchapters and shall designate 3 sections 715.1 through 715.8, including sections amended in 4 this Act, as subchapter I entitled “COMPUTER SPYWARE AND 5 MALWARE”, and sections 715.9 through 715.11, as enacted in this 6 Act, as subchapter II entitled “RANSOMWARE”. 7 EXPLANATION 8 The inclusion of this explanation does not constitute agreement with 9 the explanation’s substance by the members of the general assembly. 10 This bill relates to ransomware. 11 The bill defines “ransomware” as a computer or data 12 contaminant, encryption, or lock that is placed or introduced 13 without authorization into a computer, computer network, or a 14 computer system that restricts access by an authorized person 15 to a computer, computer data, a computer network, or a computer 16 system in a manner that results in the person responsible for 17 the placement or introduction of the contaminant, encryption, 18 or lock making a demand for payment of money or other 19 consideration to remove the contaminant, encryption, or lock. 20 The bill provides that a person shall not do any of 21 the following with the intent to cause the malfunction or 22 interruption of the operation of, or alter, damage, or destroy, 23 all or any part of a computer, computer network, computer 24 control language, computer software, computer system, computer 25 service, or computer data: intentionally, willfully, and 26 without authorization access, attempt to access, cause to be 27 accessed, or exceed the person’s authorized access to all 28 or a part of a computer network, computer control language, 29 computer, computer software, computer system, or computer 30 database; or copy, attempt to copy, possess, or attempt to 31 possess the contents of all or part of a computer database. 32 The bill provides that a person shall not intentionally, 33 willfully, and without authorization possess, identify, 34 or attempt to identify a valid access code or publicize or 35 -5- LSB 1266XC (1) 90 as/rh 5/ 7

S.F. _____ distribute a valid access code to an unauthorized person. 1 The bill provides that a person shall not commit a prohibited 2 act with the intent to interrupt or impair the functioning of 3 the state government; a service, device, or system related 4 to the production, transmission, delivery, or storage of 5 electricity or natural gas in the state that is owned, 6 operated, or controlled by a person other than a public utility 7 as defined in Code chapter 476; a service provided in the state 8 by a public utility as defined in Code chapter 476; a hospital 9 or health care facility; or a public elementary or secondary 10 school, community college, or area education agency under the 11 supervision of the department of education. 12 The bill does not apply to the use of ransomware for 13 research purposes by a person who has a bona fide scientific, 14 educational, governmental, testing, news, or other similar 15 justification for possessing ransomware. However, a person 16 shall not knowingly possess ransomware with the intent to 17 use the ransomware for the purpose of introduction into the 18 computer, computer network, or computer system of another 19 person without the authorization of the other person. 20 The bill provides that a person who has suffered a specific 21 and direct injury because of a violation of the bill may bring 22 a civil action in a court of competent jurisdiction, and the 23 court may award actual damages, reasonable attorney fees, and 24 court costs. A conviction for an offense under the bill is not 25 a prerequisite for the filing of a civil action. 26 The bill provides that a person who commits a violation 27 of the bill and who causes pecuniary losses involving less 28 than $10,000 to a victim of the unlawful act is guilty of an 29 aggravated misdemeanor. A person who commits a violation of 30 the bill and who causes pecuniary losses involving at least 31 $10,000 but less than $50,000 to a victim of the unlawful 32 act is guilty of a class “D” felony. A person who commits a 33 violation of the bill and who causes pecuniary losses involving 34 at least $50,000 to a victim of the unlawful act is guilty of a 35 -6- LSB 1266XC (1) 90 as/rh 6/ 7

S.F. _____ class “C” felony. 1 An aggravated misdemeanor is punishable by confinement for 2 no more than two years and a fine of at least $855 but not more 3 than $8,540. A class “D” felony is punishable by confinement 4 for no more than five years and a fine of at least $1,025 but 5 not more than $10,245. A class “C” felony is punishable by 6 confinement for no more than 10 years and a fine of at least 7 $1,370 but not more than $13,660. 8 The bill provides that for the purpose of determining 9 venue, a violation of the bill shall be considered to have 10 been committed in any county where the defendant performed 11 the unlawful act, where the defendant resides, or where the 12 accessed computer is located. 13 -7- LSB 1266XC (1) 90 as/rh 7/ 7