Print
House File 2461 - IntroducedA Bill ForAn Act 1relating to ransomware and providing penalties.
2BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
1 Section 1. Section 715.2, Code 2022, is amended to read as
2follows:
3715.2 Title.
4This chapter shall be known and may be cited as the “Computer
5Spyware, Malware, and Ransomware Protection Act”.
6 Sec. 2. Section 715.3, Code 2022, is amended by adding the
7following new subsections:
8 NEW SUBSECTION. 1A. “Computer control language” means
9ordered statements that direct a computer to perform specific
10functions.
11 NEW SUBSECTION. 1B. “Computer database” means a
12representation of information, knowledge, facts, concepts, or
13instructions that is intended for use in a computer, computer
14system, or computer network that is being prepared or has been
15prepared in a formalized manner, or is being produced or has
16been produced by a computer, computer system, or computer
17network.
18 NEW SUBSECTION. 9A. “Ransomware” means a computer or data
19contaminant, encryption, or lock that is placed or introduced
20without authorization into a computer, computer network, or
21computer system that restricts access by an authorized person
22to a computer, computer data, a computer system, or a computer
23network in a manner that results in the person responsible for
24the placement or introduction of the contaminant, encryption,
25or lock making a demand for payment of money or other
26consideration to remove the contaminant, encryption, or lock.
27 Sec. 3. Section 715.5, subsection 2, Code 2022, is amended
28to read as follows:
292. Using intentionally deceptive means to cause the
30execution of a computer software component with the intent of
31causing an owner or operator to use such component in a manner
32that violates any other provision of this chapter subchapter.
33 Sec. 4. Section 715.6, Code 2022, is amended to read as
34follows:
35715.6 Exceptions.
-1- 1Sections 715.4 and 715.5 shall not apply to the monitoring
2of, or interaction with, an owner’s or an operator’s internet
3or other network connection, service, or computer, by a
4telecommunications carrier, cable operator, computer hardware
5or software provider, or provider of information service or
6interactive computer service for network or computer security
7purposes, diagnostics, technical support, maintenance, repair,
8authorized updates of computer software or system firmware,
9authorized remote system management, or detection, criminal
10investigation, or prevention of the use of or fraudulent
11or other illegal activities prohibited in this chapter
12 subchapter in connection with a network, service, or computer
13software, including scanning for and removing computer software
14prescribed under this chapter subchapter. Nothing in this
15chapter subchapter shall limit the rights of providers of wire
16and electronic communications under 18 U.S.C. §2511.
17 Sec. 5. Section 715.7, Code 2022, is amended to read as
18follows:
19715.7 Criminal penalties.
201. A person who commits an unlawful act under this chapter
21 subchapter is guilty of an aggravated misdemeanor.
222. A person who commits an unlawful act under this chapter
23 subchapter and who causes pecuniary losses exceeding one
24thousand dollars to a victim of the unlawful act is guilty of a
25class “D” felony.
26 Sec. 6. Section 715.8, unnumbered paragraph 1, Code 2022,
27is amended to read as follows:
28For the purpose of determining proper venue, a violation
29of this chapter subchapter shall be considered to have been
30committed in any county in which any of the following apply:
31 Sec. 7. NEW SECTION. 715.9 Ransomware prohibition.
321. A person shall not intentionally, willfully, and without
33authorization do any of the following:
34a. Access, attempt to access, cause to be accessed, or
35exceed the person’s authorized access to all or a part of a
-2-1computer network, computer control language, computer, computer
2software, computer system, or computer database.
3b. Copy, attempt to copy, possess, or attempt to possess
4the contents of all or part of a computer database accessed in
5violation of paragraph “a”.
62. A person shall not commit an act prohibited in subsection
71 with the intent to do any of the following:
8a. Cause the malfunction or interruption of the operation
9of all or any part of a computer, computer network, computer
10control language, computer software, computer system, computer
11service, or computer data.
12b. Alter, damage, or destroy all or any part of data or a
13computer program stored, maintained, or produced by a computer,
14computer network, computer software, computer system, computer
15service, or computer database.
163. A person shall not intentionally, willfully, and without
17authorization do any of the following:
18a. Possess, identify, or attempt to identify a valid
19computer access code.
20b. Publicize or distribute a valid computer access code to
21an unauthorized person.
224. A person shall not commit an act prohibited under this
23section with the intent to interrupt or impair the functioning
24of any of the following:
25a. The state.
26b. A service, device, or system related to the production,
27transmission, delivery, or storage of electricity or natural
28gas in the state that is owned, operated, or controlled by a
29person other than a public utility as defined in chapter 476.
30c. A service provided in the state by a public utility as
31defined in chapter 476.
32d. A hospital or health care facility as defined in section
33135C.1.
34e. A public elementary or secondary school, community
35college, or area education agency under the supervision of the
-3-1department of education.
25. This section shall not apply to the use of ransomware for
3research purposes by a person who has a bona fide scientific,
4educational, governmental, testing, news, or other similar
5justification for possessing ransomware. However, a person
6shall not knowingly possess ransomware with the intent to
7use the ransomware for the purpose of introduction into the
8computer, computer network, or computer system of another
9person without the authorization of the other person.
106. A person who has suffered a specific and direct injury
11because of a violation of this section may bring a civil action
12in a court of competent jurisdiction.
13a. In an action under this subsection, the court may award
14actual damages, reasonable attorney fees, and court costs.
15b. A conviction for an offense under this section is not a
16prerequisite for the filing of a civil action.
17 Sec. 8. NEW SECTION. 715.10 Criminal penalties.
181. A person who commits an unlawful act under this
19subchapter and who causes pecuniary losses involving less than
20ten thousand dollars to a victim of the unlawful act is guilty
21of an aggravated misdemeanor.
222. A person who commits an unlawful act under this
23subchapter and who causes pecuniary losses involving at least
24ten thousand dollars but less than fifty thousand dollars to a
25victim of the unlawful act is guilty of a class “D” felony.
263. A person who commits an unlawful act under this
27subchapter and who causes pecuniary losses involving at least
28fifty thousand dollars to a victim of the unlawful act is
29guilty of a class “C” felony.
30 Sec. 9. NEW SECTION. 715.11 Venue.
31For the purpose of determining proper venue, a violation of
32this subchapter shall be considered to have been committed in
33any county in which any of the following apply:
341. Where the defendant performed the unlawful act.
352. Where the defendant resides.
-4- 13. Where the accessed computer is located.
2 Sec. 10. CODE EDITOR DIRECTIVE. The Code editor shall
3divide chapter 715 into subchapters and shall designate
4sections 715.1 through 715.8, including sections amended in
5this Act, as subchapter I entitled “COMPUTER SPYWARE AND
6MALWARE”, and sections 715.9 through 715.11, as enacted in this
7Act, as subchapter II entitled “RANSOMWARE”.
8EXPLANATION
9The inclusion of this explanation does not constitute agreement with
10the explanation’s substance by the members of the general assembly.
11This bill relates to ransomware.
12The bill defines “ransomware” as a computer or data
13contaminant, encryption, or lock that is placed or introduced
14without authorization into a computer, computer network, or a
15computer system that restricts access by an authorized person
16to a computer, computer data, a computer network, or a computer
17system in a manner that results in the person responsible for
18the placement or introduction of the contaminant, encryption,
19or lock making a demand for payment of money or other
20consideration to remove the contaminant, encryption, or lock.
21The bill provides that a person shall not do any of
22the following with the intent to cause the malfunction or
23interruption of the operation of, or alter, damage, or destroy,
24all or any part of a computer, computer network, computer
25control language, computer software, computer system, computer
26service, or computer data: intentionally, willfully, and
27without authorization access, attempt to access, cause to be
28accessed, or exceed the person’s authorized access to all
29or a part of a computer network, computer control language,
30computer, computer software, computer system, or computer
31database; or copy, attempt to copy, possess, or attempt to
32possess the contents of all or part of a computer database.
33The bill provides that a person shall not intentionally,
34willfully, and without authorization possess, identify,
35or attempt to identify a valid access code or publicize or
-5-1distribute a valid access code to an unauthorized person.
2The bill provides that a person shall not commit a prohibited
3act with the intent to interrupt or impair the functioning of
4the state government; a service, device, or system related
5to the production, transmission, delivery, or storage of
6electricity or natural gas in the state that is owned,
7operated, or controlled by a person other than a public utility
8as defined in Code chapter 476; a service provided in the state
9by a public utility as defined in Code chapter 476; a hospital
10or health care facility; or a public elementary or secondary
11school, community college, or area education agency under the
12supervision of the department of education.
13The bill does not apply to the use of ransomware for
14research purposes by a person who has a bona fide scientific,
15educational, governmental, testing, news, or other similar
16justification for possessing ransomware. However, a person
17shall not knowingly possess ransomware with the intent to
18use the ransomware for the purpose of introduction into the
19computer, computer network, or computer system of another
20person without the authorization of the other person.
21The bill provides that a person who has suffered a specific
22and direct injury because of a violation of the bill may bring
23a civil action in a court of competent jurisdiction, and the
24court may award actual damages, reasonable attorney fees, and
25court costs. A conviction for an offense under the bill is not
26a prerequisite for the filing of a civil action.
27The bill provides that a person who commits a violation
28of the bill and who causes pecuniary losses involving less
29than $10,000 to a victim of the unlawful act is guilty of an
30aggravated misdemeanor. A person who commits a violation of
31the bill and who causes pecuniary losses involving at least
32$10,000 but less than $50,000 to a victim of the unlawful
33act is guilty of a class “D” felony. A person who commits a
34violation of the bill and who causes pecuniary losses involving
35at least $50,000 to a victim of the unlawful act is guilty of a
-6-1class “C” felony.
2An aggravated misdemeanor is punishable by confinement for
3no more than two years and a fine of at least $855 but not more
4than $8,540. A class “D” felony is punishable by confinement
5for no more than five years and a fine of at least $1,025 but
6not more than $10,245. A class “C” felony is punishable by
7confinement for no more than 10 years and a fine of at least
8$1,370 but not more than $13,660.
9The bill provides that for the purpose of determining
10venue, a violation of the bill shall be considered to have
11been committed in any county where the defendant performed
12the unlawful act, where the defendant resides, or where the
13accessed computer is located.
-7-as/rh
2BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
1 Section 1. Section 715.2, Code 2022, is amended to read as
2follows:
3715.2 Title.
4This chapter shall be known and may be cited as the “Computer
5Spyware, Malware, and Ransomware Protection Act”.
6 Sec. 2. Section 715.3, Code 2022, is amended by adding the
7following new subsections:
8 NEW SUBSECTION. 1A. “Computer control language” means
9ordered statements that direct a computer to perform specific
10functions.
11 NEW SUBSECTION. 1B. “Computer database” means a
12representation of information, knowledge, facts, concepts, or
13instructions that is intended for use in a computer, computer
14system, or computer network that is being prepared or has been
15prepared in a formalized manner, or is being produced or has
16been produced by a computer, computer system, or computer
17network.
18 NEW SUBSECTION. 9A. “Ransomware” means a computer or data
19contaminant, encryption, or lock that is placed or introduced
20without authorization into a computer, computer network, or
21computer system that restricts access by an authorized person
22to a computer, computer data, a computer system, or a computer
23network in a manner that results in the person responsible for
24the placement or introduction of the contaminant, encryption,
25or lock making a demand for payment of money or other
26consideration to remove the contaminant, encryption, or lock.
27 Sec. 3. Section 715.5, subsection 2, Code 2022, is amended
28to read as follows:
292. Using intentionally deceptive means to cause the
30execution of a computer software component with the intent of
31causing an owner or operator to use such component in a manner
32that violates any other provision of this chapter subchapter.
33 Sec. 4. Section 715.6, Code 2022, is amended to read as
34follows:
35715.6 Exceptions.
-1- 1Sections 715.4 and 715.5 shall not apply to the monitoring
2of, or interaction with, an owner’s or an operator’s internet
3or other network connection, service, or computer, by a
4telecommunications carrier, cable operator, computer hardware
5or software provider, or provider of information service or
6interactive computer service for network or computer security
7purposes, diagnostics, technical support, maintenance, repair,
8authorized updates of computer software or system firmware,
9authorized remote system management, or detection, criminal
10investigation, or prevention of the use of or fraudulent
11or other illegal activities prohibited in this chapter
12 subchapter in connection with a network, service, or computer
13software, including scanning for and removing computer software
14prescribed under this chapter subchapter. Nothing in this
15chapter subchapter shall limit the rights of providers of wire
16and electronic communications under 18 U.S.C. §2511.
17 Sec. 5. Section 715.7, Code 2022, is amended to read as
18follows:
19715.7 Criminal penalties.
201. A person who commits an unlawful act under this chapter
21 subchapter is guilty of an aggravated misdemeanor.
222. A person who commits an unlawful act under this chapter
23 subchapter and who causes pecuniary losses exceeding one
24thousand dollars to a victim of the unlawful act is guilty of a
25class “D” felony.
26 Sec. 6. Section 715.8, unnumbered paragraph 1, Code 2022,
27is amended to read as follows:
28For the purpose of determining proper venue, a violation
29of this chapter subchapter shall be considered to have been
30committed in any county in which any of the following apply:
31 Sec. 7. NEW SECTION. 715.9 Ransomware prohibition.
321. A person shall not intentionally, willfully, and without
33authorization do any of the following:
34a. Access, attempt to access, cause to be accessed, or
35exceed the person’s authorized access to all or a part of a
-2-1computer network, computer control language, computer, computer
2software, computer system, or computer database.
3b. Copy, attempt to copy, possess, or attempt to possess
4the contents of all or part of a computer database accessed in
5violation of paragraph “a”.
62. A person shall not commit an act prohibited in subsection
71 with the intent to do any of the following:
8a. Cause the malfunction or interruption of the operation
9of all or any part of a computer, computer network, computer
10control language, computer software, computer system, computer
11service, or computer data.
12b. Alter, damage, or destroy all or any part of data or a
13computer program stored, maintained, or produced by a computer,
14computer network, computer software, computer system, computer
15service, or computer database.
163. A person shall not intentionally, willfully, and without
17authorization do any of the following:
18a. Possess, identify, or attempt to identify a valid
19computer access code.
20b. Publicize or distribute a valid computer access code to
21an unauthorized person.
224. A person shall not commit an act prohibited under this
23section with the intent to interrupt or impair the functioning
24of any of the following:
25a. The state.
26b. A service, device, or system related to the production,
27transmission, delivery, or storage of electricity or natural
28gas in the state that is owned, operated, or controlled by a
29person other than a public utility as defined in chapter 476.
30c. A service provided in the state by a public utility as
31defined in chapter 476.
32d. A hospital or health care facility as defined in section
33135C.1.
34e. A public elementary or secondary school, community
35college, or area education agency under the supervision of the
-3-1department of education.
25. This section shall not apply to the use of ransomware for
3research purposes by a person who has a bona fide scientific,
4educational, governmental, testing, news, or other similar
5justification for possessing ransomware. However, a person
6shall not knowingly possess ransomware with the intent to
7use the ransomware for the purpose of introduction into the
8computer, computer network, or computer system of another
9person without the authorization of the other person.
106. A person who has suffered a specific and direct injury
11because of a violation of this section may bring a civil action
12in a court of competent jurisdiction.
13a. In an action under this subsection, the court may award
14actual damages, reasonable attorney fees, and court costs.
15b. A conviction for an offense under this section is not a
16prerequisite for the filing of a civil action.
17 Sec. 8. NEW SECTION. 715.10 Criminal penalties.
181. A person who commits an unlawful act under this
19subchapter and who causes pecuniary losses involving less than
20ten thousand dollars to a victim of the unlawful act is guilty
21of an aggravated misdemeanor.
222. A person who commits an unlawful act under this
23subchapter and who causes pecuniary losses involving at least
24ten thousand dollars but less than fifty thousand dollars to a
25victim of the unlawful act is guilty of a class “D” felony.
263. A person who commits an unlawful act under this
27subchapter and who causes pecuniary losses involving at least
28fifty thousand dollars to a victim of the unlawful act is
29guilty of a class “C” felony.
30 Sec. 9. NEW SECTION. 715.11 Venue.
31For the purpose of determining proper venue, a violation of
32this subchapter shall be considered to have been committed in
33any county in which any of the following apply:
341. Where the defendant performed the unlawful act.
352. Where the defendant resides.
-4- 13. Where the accessed computer is located.
2 Sec. 10. CODE EDITOR DIRECTIVE. The Code editor shall
3divide chapter 715 into subchapters and shall designate
4sections 715.1 through 715.8, including sections amended in
5this Act, as subchapter I entitled “COMPUTER SPYWARE AND
6MALWARE”, and sections 715.9 through 715.11, as enacted in this
7Act, as subchapter II entitled “RANSOMWARE”.
8EXPLANATION
9The inclusion of this explanation does not constitute agreement with
10the explanation’s substance by the members of the general assembly.
11This bill relates to ransomware.
12The bill defines “ransomware” as a computer or data
13contaminant, encryption, or lock that is placed or introduced
14without authorization into a computer, computer network, or a
15computer system that restricts access by an authorized person
16to a computer, computer data, a computer network, or a computer
17system in a manner that results in the person responsible for
18the placement or introduction of the contaminant, encryption,
19or lock making a demand for payment of money or other
20consideration to remove the contaminant, encryption, or lock.
21The bill provides that a person shall not do any of
22the following with the intent to cause the malfunction or
23interruption of the operation of, or alter, damage, or destroy,
24all or any part of a computer, computer network, computer
25control language, computer software, computer system, computer
26service, or computer data: intentionally, willfully, and
27without authorization access, attempt to access, cause to be
28accessed, or exceed the person’s authorized access to all
29or a part of a computer network, computer control language,
30computer, computer software, computer system, or computer
31database; or copy, attempt to copy, possess, or attempt to
32possess the contents of all or part of a computer database.
33The bill provides that a person shall not intentionally,
34willfully, and without authorization possess, identify,
35or attempt to identify a valid access code or publicize or
-5-1distribute a valid access code to an unauthorized person.
2The bill provides that a person shall not commit a prohibited
3act with the intent to interrupt or impair the functioning of
4the state government; a service, device, or system related
5to the production, transmission, delivery, or storage of
6electricity or natural gas in the state that is owned,
7operated, or controlled by a person other than a public utility
8as defined in Code chapter 476; a service provided in the state
9by a public utility as defined in Code chapter 476; a hospital
10or health care facility; or a public elementary or secondary
11school, community college, or area education agency under the
12supervision of the department of education.
13The bill does not apply to the use of ransomware for
14research purposes by a person who has a bona fide scientific,
15educational, governmental, testing, news, or other similar
16justification for possessing ransomware. However, a person
17shall not knowingly possess ransomware with the intent to
18use the ransomware for the purpose of introduction into the
19computer, computer network, or computer system of another
20person without the authorization of the other person.
21The bill provides that a person who has suffered a specific
22and direct injury because of a violation of the bill may bring
23a civil action in a court of competent jurisdiction, and the
24court may award actual damages, reasonable attorney fees, and
25court costs. A conviction for an offense under the bill is not
26a prerequisite for the filing of a civil action.
27The bill provides that a person who commits a violation
28of the bill and who causes pecuniary losses involving less
29than $10,000 to a victim of the unlawful act is guilty of an
30aggravated misdemeanor. A person who commits a violation of
31the bill and who causes pecuniary losses involving at least
32$10,000 but less than $50,000 to a victim of the unlawful
33act is guilty of a class “D” felony. A person who commits a
34violation of the bill and who causes pecuniary losses involving
35at least $50,000 to a victim of the unlawful act is guilty of a
-6-1class “C” felony.
2An aggravated misdemeanor is punishable by confinement for
3no more than two years and a fine of at least $855 but not more
4than $8,540. A class “D” felony is punishable by confinement
5for no more than five years and a fine of at least $1,025 but
6not more than $10,245. A class “C” felony is punishable by
7confinement for no more than 10 years and a fine of at least
8$1,370 but not more than $13,660.
9The bill provides that for the purpose of determining
10venue, a violation of the bill shall be considered to have
11been committed in any county where the defendant performed
12the unlawful act, where the defendant resides, or where the
13accessed computer is located.
-7-as/rh