Senate File 203 - Introduced
SENATE FILE 203
BY COMMITTEE ON TECHNOLOGY
(SUCCESSOR TO SSB 1072)
A BILL FOR
An Act relating to ransomware and providing penalties.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
TLSB 1266SV (2) 90 as/rh
Section 1. Section 715.2, Code 2023, is amended to read as follows:
715.2 Title.
This chapter shall be known and may be cited as the “Computer Spyware, Malware, and Ransomware Protection Act”.
Sec. 2. Section 715.3, Code 2023, is amended by adding the following new subsections:
NEW SUBSECTION. 1A. “Computer control language” means ordered statements that direct a computer to perform specific functions.
NEW SUBSECTION. 1B. “Computer database” means a representation of information, knowledge, facts, concepts, or instructions that is intended for use in a computer, computer system, or computer network that is being prepared or has been prepared in a formalized manner, or is being produced or has been produced by a computer, computer system, or computer network.
NEW SUBSECTION. 9A. “Ransomware” means a computer or data contaminant, encryption, or lock that is placed or introduced without authorization into a computer, computer network, or computer system that restricts access by an authorized person to a computer, computer data, a computer system, or a computer network in a manner that results in the person responsible for the placement or introduction of the contaminant, encryption, or lock making a demand for payment of money or other consideration to remove the contaminant, encryption, or lock.
Sec. 3. Section 715.5, subsection 2, Code 2023, is amended to read as follows:
2. Using intentionally deceptive means to cause the execution of a computer software component with the intent of causing an owner or operator to use such component in a manner that violates any other provision of this chapter subchapter.
Sec. 4. Section 715.6, Code 2023, is amended to read as follows:
715.6 Exceptions.
Sections 715.4 and 715.5 shall not apply to the following:
1. The monitoring of, or interaction with, an owner’s or an operator’s internet or other network connection, service, or computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, maintenance, repair, authorized updates of computer software or system firmware, authorized remote system management, or detection, criminal investigation, or prevention of the use of or fraudulent or other illegal activities prohibited in this chapter in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this chapter subchapter. Nothing in this chapter subchapter shall limit the rights of providers of wire and electronic communications under 18 U.S.C. §2511.
2. The nonpayment or a violation of the terms of a legal contract with the owner or operator.
3. For complying with federal, state, and local law enforcement requests.
Sec. 5. Section 715.7, Code 2023, is amended to read as follows:
715.7 Criminal penalties.
1. A person who commits an unlawful act under this chapter subchapter is guilty of an aggravated misdemeanor.
2. A person who commits an unlawful act under this chapter subchapter and who causes pecuniary losses exceeding one thousand dollars to a victim of the unlawful act is guilty of a class “D” felony.
Sec. 6. Section 715.8, unnumbered paragraph 1, Code 2023, is amended to read as follows:
For the purpose of determining proper venue, a violation of this chapter subchapter shall be considered to have been committed in any county in which any of the following apply:
Sec. 7. NEW SECTION. 715.9 Ransomware prohibition.
1. A person shall not intentionally, willfully, and without authorization do any of the following:
a. Access, attempt to access, cause to be accessed, or exceed the person’s authorized access to all or a part of a computer network, computer control language, computer, computer software, computer system, or computer database.
b. Copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed in violation of paragraph “a”.
2. A person shall not commit an act prohibited in subsection 1 with the intent to do any of the following:
a. Cause the malfunction or interruption of the operation of all or any part of a computer, computer network, computer control language, computer software, computer system, computer service, or computer data.
b. Alter, damage, or destroy all or any part of data or a computer program stored, maintained, or produced by a computer, computer network, computer software, computer system, computer service, or computer database.
3. A person shall not intentionally, willfully, and without authorization do any of the following:
a. Possess, identify, or attempt to identify a valid computer access code.
b. Publicize or distribute a valid computer access code to an unauthorized person.
4. A person shall not commit an act prohibited under this section with the intent to interrupt or impair the functioning of any of the following:
a. The state.
b. A service, device, or system related to the production, transmission, delivery, or storage of electricity or natural gas in the state that is owned, operated, or controlled by a person other than a public utility as defined in chapter 476.
c. A service provided in the state by a public utility as defined in section 476.1, subsection 3.
d. A hospital or health care facility as defined in section 135C.1.
e. A public elementary or secondary school, community college, or area education agency under the supervision of the department of education.
f. A city, city utility, or city service.
g. An authority as defined in section 330A.2.
5. This section shall not apply to the use of ransomware for research purposes by a person who has a bona fide scientific, educational, governmental, testing, news, or other similar justification for possessing ransomware. However, a person shall not knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into the computer, computer network, or computer system of another person without the authorization of the other person.
6. A person who has suffered a specific and direct injury because of a violation of this section may bring a civil action in a court of competent jurisdiction.
a. In an action under this subsection, the court may award actual damages, reasonable attorney fees, and court costs.
b. A conviction for an offense under this section is not a prerequisite for the filing of a civil action.
Sec. 8. NEW SECTION. 715.10 Criminal penalties.
1. A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving less than ten thousand dollars to a victim of the unlawful act is guilty of an aggravated misdemeanor.
2. A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving at least ten thousand dollars but less than fifty thousand dollars to a victim of the unlawful act is guilty of a class “D” felony.
3. A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving at least fifty thousand dollars to a victim of the unlawful act is guilty of a class “C” felony.
Sec. 9. NEW SECTION. 715.11 Venue.
For the purpose of determining proper venue, a violation of this subchapter shall be considered to have been committed in any county in which any of the following apply:
1. Where the defendant performed the unlawful act.
2. Where the defendant resides.
3. Where the accessed computer is located.
Sec. 10. CODE EDITOR DIRECTIVE. The Code editor shall divide chapter 715 into subchapters and shall designate sections 715.1 through 715.3, including sections amended in this Act, as subchapter I entitled “INTENT AND DEFINITIONS”, sections 715.4 through 715.8, including sections amended in this Act, as subchapter II entitled “COMPUTER SPYWARE AND MALWARE”, and sections 715.9 through 715.11, as enacted in this Act, as subchapter III entitled “RANSOMWARE”.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
This bill relates to ransomware.
The bill defines “ransomware” as a computer or data contaminant, encryption, or lock that is placed or introduced without authorization into a computer, computer network, or a computer system that restricts access by an authorized person to a computer, computer data, a computer network, or a computer system in a manner that results in the person responsible for the placement or introduction of the contaminant, encryption, or lock making a demand for payment of money or other consideration to remove the contaminant, encryption, or lock.
The bill provides that the monitoring of, or interaction with, an owner’s or operator’s internet or other network connection, service, or computer is not prohibited for support or maintenance, the investigation of illegal activities, the nonpayment or violation of the terms of a contract, or for complying with federal, state, and local law enforcement requests.
The bill provides that a person shall not do any of the following with the intent to cause the malfunction or interruption of the operation of, or alter, damage, or destroy, all or any part of a computer, computer network, computer control language, computer software, computer system, computer service, or computer data: intentionally, willfully, and without authorization access, attempt to access, cause to be accessed, or exceed the person’s authorized access to all or a part of a computer network, computer control language, computer, computer software, computer system, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database.
The bill provides that a person shall not intentionally, willfully, and without authorization possess, identify, or attempt to identify a valid access code or publicize or distribute a valid access code to an unauthorized person.
The bill provides that a person shall not commit a prohibited act with the intent to interrupt or impair the functioning of the state government; a service, device, or system related to the production, transmission, delivery, or storage of electricity or natural gas in the state that is owned, operated, or controlled by a person other than a public utility as defined in Code section 476.1(3); a service provided in the state by a public utility as defined in Code chapter 476; a hospital or health care facility; a public elementary or secondary school, community college, or area education agency under the supervision of the department of education; a city, city utility, or city service; or an aviation authority.
The bill does not apply to the use of ransomware for research purposes by a person who has a bona fide scientific, educational, governmental, testing, news, or other similar justification for possessing ransomware. However, a person shall not knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into the computer, computer network, or computer system of another person without the authorization of the other person.
The bill provides that a person who has suffered a specific and direct injury because of a violation of the bill may bring a civil action in a court of competent jurisdiction, and the court may award actual damages, reasonable attorney fees, and court costs. A conviction for an offense under the bill is not a prerequisite for the filing of a civil action.
The bill provides that a person who commits a violation of the bill and who causes pecuniary losses involving less than $10,000 to a victim of the unlawful act is guilty of an aggravated misdemeanor. A person who commits a violation of the bill and who causes pecuniary losses involving at least $10,000 but less than $50,000 to a victim of the unlawful act is guilty of a class “D” felony. A person who commits a violation of the bill and who causes pecuniary losses involving at least $50,000 to a victim of the unlawful act is guilty of a class “C” felony.
An aggravated misdemeanor is punishable by confinement for no more than two years and a fine of at least $855 but not more than $8,540. A class “D” felony is punishable by confinement for no more than five years and a fine of at least $1,025 but not more than $10,245. A class “C” felony is punishable by confinement for no more than 10 years and a fine of at least $1,370 but not more than $13,660.
The bill provides that for the purpose of determining venue, a violation of the bill shall be considered to have been committed in any county where the defendant performed the unlawful act, where the defendant resides, or where the accessed computer is located.