Print
House File 143 - IntroducedA Bill ForAn Act 1relating to ransomware and providing penalties.
2BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
1 Section 1. Section 715.2, Code 2023, is amended to read as
2follows:
3715.2 Title.
4This chapter shall be known and may be cited as the “Computer
5Spyware, Malware, and Ransomware Protection Act”.
6 Sec. 2. Section 715.3, Code 2023, is amended by adding the
7following new subsections:
8 NEW SUBSECTION. 1A. “Computer control language” means
9ordered statements that direct a computer to perform specific
10functions.
11 NEW SUBSECTION. 1B. “Computer database” means a
12representation of information, knowledge, facts, concepts, or
13instructions that is intended for use in a computer, computer
14system, or computer network that is being prepared or has been
15prepared in a formalized manner, or is being produced or has
16been produced by a computer, computer system, or computer
17network.
18 NEW SUBSECTION. 9A. “Ransomware” means a computer or data
19contaminant, encryption, or lock that is placed or introduced
20without authorization into a computer, computer network, or
21computer system that restricts access by an authorized person
22to a computer, computer data, a computer system, or a computer
23network in a manner that results in the person responsible for
24the placement or introduction of the contaminant, encryption,
25or lock making a demand for payment of money or other
26consideration to remove the contaminant, encryption, or lock.
27 Sec. 3. Section 715.5, subsection 2, Code 2023, is amended
28to read as follows:
292. Using intentionally deceptive means to cause the
30execution of a computer software component with the intent of
31causing an owner or operator to use such component in a manner
32that violates any other provision of this chapter subchapter.
33 Sec. 4. Section 715.6, Code 2023, is amended to read as
34follows:
35715.6 Exceptions.
-1- 1Sections 715.4 and 715.5 shall not apply to the monitoring
2of, or interaction with, an owner’s or an operator’s internet
3or other network connection, service, or computer, by a
4telecommunications carrier, cable operator, computer hardware
5or software provider, or provider of information service or
6interactive computer service for network or computer security
7purposes, diagnostics, technical support, maintenance, repair,
8authorized updates of computer software or system firmware,
9authorized remote system management, or detection, criminal
10investigation, or prevention of the use of or fraudulent
11or other illegal activities prohibited in this chapter
12 subchapter in connection with a network, service, or computer
13software, including scanning for and removing computer software
14prescribed under this chapter subchapter. Nothing in this
15chapter subchapter shall limit the rights of providers of wire
16and electronic communications under 18 U.S.C. §2511.
17 Sec. 5. Section 715.7, Code 2023, is amended to read as
18follows:
19715.7 Criminal penalties.
201. A person who commits an unlawful act under this chapter
21 subchapter is guilty of an aggravated misdemeanor.
222. A person who commits an unlawful act under this chapter
23 subchapter and who causes pecuniary losses exceeding one
24thousand dollars to a victim of the unlawful act is guilty of a
25class “D” felony.
26 Sec. 6. Section 715.8, unnumbered paragraph 1, Code 2023,
27is amended to read as follows:
28For the purpose of determining proper venue, a violation
29of this chapter subchapter shall be considered to have been
30committed in any county in which any of the following apply:
31 Sec. 7. NEW SECTION. 715.9 Ransomware prohibition.
321. A person shall not intentionally, willfully, and without
33authorization do any of the following:
34a. Access, attempt to access, cause to be accessed, or
35exceed the person’s authorized access to all or a part of a
-2-1computer network, computer control language, computer, computer
2software, computer system, or computer database.
3b. Copy, attempt to copy, possess, or attempt to possess
4the contents of all or part of a computer database accessed in
5violation of paragraph “a”.
62. A person shall not commit an act prohibited in subsection
71 with the intent to do any of the following:
8a. Cause the malfunction or interruption of the operation
9of all or any part of a computer, computer network, computer
10control language, computer software, computer system, computer
11service, or computer data.
12b. Alter, damage, or destroy all or any part of data or a
13computer program stored, maintained, or produced by a computer,
14computer network, computer software, computer system, computer
15service, or computer database.
163. A person shall not intentionally, willfully, and without
17authorization do any of the following:
18a. Possess, identify, or attempt to identify a valid
19computer access code.
20b. Publicize or distribute a valid computer access code to
21an unauthorized person.
224. A person shall not commit an act prohibited under this
23section with the intent to interrupt or impair the functioning
24of any of the following:
25a. The state.
26b. A service, device, or system related to the production,
27transmission, delivery, or storage of electricity or natural
28gas in the state that is owned, operated, or controlled by a
29person other than a public utility as defined in chapter 476.
30c. A service provided in the state by a public utility as
31defined in chapter 476.
32d. A hospital or health care facility as defined in section
33135C.1.
34e. A public elementary or secondary school, community
35college, or area education agency under the supervision of the
-3-1department of education.
2f. A city, city utility, or city service.
35. This section shall not apply to the use of ransomware for
4research purposes by a person who has a bona fide scientific,
5educational, governmental, testing, news, or other similar
6justification for possessing ransomware. However, a person
7shall not knowingly possess ransomware with the intent to
8use the ransomware for the purpose of introduction into the
9computer, computer network, or computer system of another
10person without the authorization of the other person.
116. A person who has suffered a specific and direct injury
12because of a violation of this section may bring a civil action
13in a court of competent jurisdiction.
14a. In an action under this subsection, the court may award
15actual damages, reasonable attorney fees, and court costs.
16b. A conviction for an offense under this section is not a
17prerequisite for the filing of a civil action.
18 Sec. 8. NEW SECTION. 715.10 Criminal penalties.
191. A person who commits an unlawful act under this
20subchapter and who causes pecuniary losses involving less than
21ten thousand dollars to a victim of the unlawful act is guilty
22of an aggravated misdemeanor.
232. A person who commits an unlawful act under this
24subchapter and who causes pecuniary losses involving at least
25ten thousand dollars but less than fifty thousand dollars to a
26victim of the unlawful act is guilty of a class “D” felony.
273. A person who commits an unlawful act under this
28subchapter and who causes pecuniary losses involving at least
29fifty thousand dollars to a victim of the unlawful act is
30guilty of a class “C” felony.
31 Sec. 9. NEW SECTION. 715.11 Venue.
32For the purpose of determining proper venue, a violation of
33this subchapter shall be considered to have been committed in
34any county in which any of the following apply:
351. Where the defendant performed the unlawful act.
-4- 12. Where the defendant resides.
23. Where the accessed computer is located.
3 Sec. 10. CODE EDITOR DIRECTIVE. The Code editor shall
4divide chapter 715 into subchapters and shall designate
5sections 715.1 through 715.8, including sections amended in
6this Act, as subchapter I entitled “COMPUTER SPYWARE AND
7MALWARE”, and sections 715.9 through 715.11, as enacted in this
8Act, as subchapter II entitled “RANSOMWARE”.
9EXPLANATION
10The inclusion of this explanation does not constitute agreement with
11the explanation’s substance by the members of the general assembly.
12This bill relates to ransomware.
13The bill defines “ransomware” as a computer or data
14contaminant, encryption, or lock that is placed or introduced
15without authorization into a computer, computer network, or a
16computer system that restricts access by an authorized person
17to a computer, computer data, a computer network, or a computer
18system in a manner that results in the person responsible for
19the placement or introduction of the contaminant, encryption,
20or lock making a demand for payment of money or other
21consideration to remove the contaminant, encryption, or lock.
22The bill provides that a person shall not do any of
23the following with the intent to cause the malfunction or
24interruption of the operation of, or alter, damage, or destroy,
25all or any part of a computer, computer network, computer
26control language, computer software, computer system, computer
27service, or computer data: intentionally, willfully, and
28without authorization access, attempt to access, cause to be
29accessed, or exceed the person’s authorized access to all
30or a part of a computer network, computer control language,
31computer, computer software, computer system, or computer
32database; or copy, attempt to copy, possess, or attempt to
33possess the contents of all or part of a computer database.
34The bill provides that a person shall not intentionally,
35willfully, and without authorization possess, identify,
-5-1or attempt to identify a valid access code or publicize or
2distribute a valid access code to an unauthorized person.
3The bill provides that a person shall not commit a prohibited
4act with the intent to interrupt or impair the functioning of
5the state government; a service, device, or system related
6to the production, transmission, delivery, or storage of
7electricity or natural gas in the state that is owned,
8operated, or controlled by a person other than a public utility
9as defined in Code chapter 476; a service provided in the state
10by a public utility as defined in Code chapter 476; a hospital
11or health care facility; a public elementary or secondary
12school, community college, or area education agency under the
13supervision of the department of education; or a city, city
14utility, or city services.
15The bill does not apply to the use of ransomware for
16research purposes by a person who has a bona fide scientific,
17educational, governmental, testing, news, or other similar
18justification for possessing ransomware. However, a person
19shall not knowingly possess ransomware with the intent to
20use the ransomware for the purpose of introduction into the
21computer, computer network, or computer system of another
22person without the authorization of the other person.
23The bill provides that a person who has suffered a specific
24and direct injury because of a violation of the bill may bring
25a civil action in a court of competent jurisdiction, and the
26court may award actual damages, reasonable attorney fees, and
27court costs. A conviction for an offense under the bill is not
28a prerequisite for the filing of a civil action.
29The bill provides that a person who commits a violation
30of the bill and who causes pecuniary losses involving less
31than $10,000 to a victim of the unlawful act is guilty of an
32aggravated misdemeanor. A person who commits a violation of
33the bill and who causes pecuniary losses involving at least
34$10,000 but less than $50,000 to a victim of the unlawful
35act is guilty of a class “D” felony. A person who commits a
-6-1violation of the bill and who causes pecuniary losses involving
2at least $50,000 to a victim of the unlawful act is guilty of a
3class “C” felony.
4An aggravated misdemeanor is punishable by confinement for
5no more than two years and a fine of at least $855 but not more
6than $8,540. A class “D” felony is punishable by confinement
7for no more than five years and a fine of at least $1,025 but
8not more than $10,245. A class “C” felony is punishable by
9confinement for no more than 10 years and a fine of at least
10$1,370 but not more than $13,660.
11The bill provides that for the purpose of determining
12venue, a violation of the bill shall be considered to have
13been committed in any county where the defendant performed
14the unlawful act, where the defendant resides, or where the
15accessed computer is located.
-7-as/rh
2BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
1 Section 1. Section 715.2, Code 2023, is amended to read as
2follows:
3715.2 Title.
4This chapter shall be known and may be cited as the “Computer
5Spyware, Malware, and Ransomware Protection Act”.
6 Sec. 2. Section 715.3, Code 2023, is amended by adding the
7following new subsections:
8 NEW SUBSECTION. 1A. “Computer control language” means
9ordered statements that direct a computer to perform specific
10functions.
11 NEW SUBSECTION. 1B. “Computer database” means a
12representation of information, knowledge, facts, concepts, or
13instructions that is intended for use in a computer, computer
14system, or computer network that is being prepared or has been
15prepared in a formalized manner, or is being produced or has
16been produced by a computer, computer system, or computer
17network.
18 NEW SUBSECTION. 9A. “Ransomware” means a computer or data
19contaminant, encryption, or lock that is placed or introduced
20without authorization into a computer, computer network, or
21computer system that restricts access by an authorized person
22to a computer, computer data, a computer system, or a computer
23network in a manner that results in the person responsible for
24the placement or introduction of the contaminant, encryption,
25or lock making a demand for payment of money or other
26consideration to remove the contaminant, encryption, or lock.
27 Sec. 3. Section 715.5, subsection 2, Code 2023, is amended
28to read as follows:
292. Using intentionally deceptive means to cause the
30execution of a computer software component with the intent of
31causing an owner or operator to use such component in a manner
32that violates any other provision of this chapter subchapter.
33 Sec. 4. Section 715.6, Code 2023, is amended to read as
34follows:
35715.6 Exceptions.
-1- 1Sections 715.4 and 715.5 shall not apply to the monitoring
2of, or interaction with, an owner’s or an operator’s internet
3or other network connection, service, or computer, by a
4telecommunications carrier, cable operator, computer hardware
5or software provider, or provider of information service or
6interactive computer service for network or computer security
7purposes, diagnostics, technical support, maintenance, repair,
8authorized updates of computer software or system firmware,
9authorized remote system management, or detection, criminal
10investigation, or prevention of the use of or fraudulent
11or other illegal activities prohibited in this chapter
12 subchapter in connection with a network, service, or computer
13software, including scanning for and removing computer software
14prescribed under this chapter subchapter. Nothing in this
15chapter subchapter shall limit the rights of providers of wire
16and electronic communications under 18 U.S.C. §2511.
17 Sec. 5. Section 715.7, Code 2023, is amended to read as
18follows:
19715.7 Criminal penalties.
201. A person who commits an unlawful act under this chapter
21 subchapter is guilty of an aggravated misdemeanor.
222. A person who commits an unlawful act under this chapter
23 subchapter and who causes pecuniary losses exceeding one
24thousand dollars to a victim of the unlawful act is guilty of a
25class “D” felony.
26 Sec. 6. Section 715.8, unnumbered paragraph 1, Code 2023,
27is amended to read as follows:
28For the purpose of determining proper venue, a violation
29of this chapter subchapter shall be considered to have been
30committed in any county in which any of the following apply:
31 Sec. 7. NEW SECTION. 715.9 Ransomware prohibition.
321. A person shall not intentionally, willfully, and without
33authorization do any of the following:
34a. Access, attempt to access, cause to be accessed, or
35exceed the person’s authorized access to all or a part of a
-2-1computer network, computer control language, computer, computer
2software, computer system, or computer database.
3b. Copy, attempt to copy, possess, or attempt to possess
4the contents of all or part of a computer database accessed in
5violation of paragraph “a”.
62. A person shall not commit an act prohibited in subsection
71 with the intent to do any of the following:
8a. Cause the malfunction or interruption of the operation
9of all or any part of a computer, computer network, computer
10control language, computer software, computer system, computer
11service, or computer data.
12b. Alter, damage, or destroy all or any part of data or a
13computer program stored, maintained, or produced by a computer,
14computer network, computer software, computer system, computer
15service, or computer database.
163. A person shall not intentionally, willfully, and without
17authorization do any of the following:
18a. Possess, identify, or attempt to identify a valid
19computer access code.
20b. Publicize or distribute a valid computer access code to
21an unauthorized person.
224. A person shall not commit an act prohibited under this
23section with the intent to interrupt or impair the functioning
24of any of the following:
25a. The state.
26b. A service, device, or system related to the production,
27transmission, delivery, or storage of electricity or natural
28gas in the state that is owned, operated, or controlled by a
29person other than a public utility as defined in chapter 476.
30c. A service provided in the state by a public utility as
31defined in chapter 476.
32d. A hospital or health care facility as defined in section
33135C.1.
34e. A public elementary or secondary school, community
35college, or area education agency under the supervision of the
-3-1department of education.
2f. A city, city utility, or city service.
35. This section shall not apply to the use of ransomware for
4research purposes by a person who has a bona fide scientific,
5educational, governmental, testing, news, or other similar
6justification for possessing ransomware. However, a person
7shall not knowingly possess ransomware with the intent to
8use the ransomware for the purpose of introduction into the
9computer, computer network, or computer system of another
10person without the authorization of the other person.
116. A person who has suffered a specific and direct injury
12because of a violation of this section may bring a civil action
13in a court of competent jurisdiction.
14a. In an action under this subsection, the court may award
15actual damages, reasonable attorney fees, and court costs.
16b. A conviction for an offense under this section is not a
17prerequisite for the filing of a civil action.
18 Sec. 8. NEW SECTION. 715.10 Criminal penalties.
191. A person who commits an unlawful act under this
20subchapter and who causes pecuniary losses involving less than
21ten thousand dollars to a victim of the unlawful act is guilty
22of an aggravated misdemeanor.
232. A person who commits an unlawful act under this
24subchapter and who causes pecuniary losses involving at least
25ten thousand dollars but less than fifty thousand dollars to a
26victim of the unlawful act is guilty of a class “D” felony.
273. A person who commits an unlawful act under this
28subchapter and who causes pecuniary losses involving at least
29fifty thousand dollars to a victim of the unlawful act is
30guilty of a class “C” felony.
31 Sec. 9. NEW SECTION. 715.11 Venue.
32For the purpose of determining proper venue, a violation of
33this subchapter shall be considered to have been committed in
34any county in which any of the following apply:
351. Where the defendant performed the unlawful act.
-4- 12. Where the defendant resides.
23. Where the accessed computer is located.
3 Sec. 10. CODE EDITOR DIRECTIVE. The Code editor shall
4divide chapter 715 into subchapters and shall designate
5sections 715.1 through 715.8, including sections amended in
6this Act, as subchapter I entitled “COMPUTER SPYWARE AND
7MALWARE”, and sections 715.9 through 715.11, as enacted in this
8Act, as subchapter II entitled “RANSOMWARE”.
9EXPLANATION
10The inclusion of this explanation does not constitute agreement with
11the explanation’s substance by the members of the general assembly.
12This bill relates to ransomware.
13The bill defines “ransomware” as a computer or data
14contaminant, encryption, or lock that is placed or introduced
15without authorization into a computer, computer network, or a
16computer system that restricts access by an authorized person
17to a computer, computer data, a computer network, or a computer
18system in a manner that results in the person responsible for
19the placement or introduction of the contaminant, encryption,
20or lock making a demand for payment of money or other
21consideration to remove the contaminant, encryption, or lock.
22The bill provides that a person shall not do any of
23the following with the intent to cause the malfunction or
24interruption of the operation of, or alter, damage, or destroy,
25all or any part of a computer, computer network, computer
26control language, computer software, computer system, computer
27service, or computer data: intentionally, willfully, and
28without authorization access, attempt to access, cause to be
29accessed, or exceed the person’s authorized access to all
30or a part of a computer network, computer control language,
31computer, computer software, computer system, or computer
32database; or copy, attempt to copy, possess, or attempt to
33possess the contents of all or part of a computer database.
34The bill provides that a person shall not intentionally,
35willfully, and without authorization possess, identify,
-5-1or attempt to identify a valid access code or publicize or
2distribute a valid access code to an unauthorized person.
3The bill provides that a person shall not commit a prohibited
4act with the intent to interrupt or impair the functioning of
5the state government; a service, device, or system related
6to the production, transmission, delivery, or storage of
7electricity or natural gas in the state that is owned,
8operated, or controlled by a person other than a public utility
9as defined in Code chapter 476; a service provided in the state
10by a public utility as defined in Code chapter 476; a hospital
11or health care facility; a public elementary or secondary
12school, community college, or area education agency under the
13supervision of the department of education; or a city, city
14utility, or city services.
15The bill does not apply to the use of ransomware for
16research purposes by a person who has a bona fide scientific,
17educational, governmental, testing, news, or other similar
18justification for possessing ransomware. However, a person
19shall not knowingly possess ransomware with the intent to
20use the ransomware for the purpose of introduction into the
21computer, computer network, or computer system of another
22person without the authorization of the other person.
23The bill provides that a person who has suffered a specific
24and direct injury because of a violation of the bill may bring
25a civil action in a court of competent jurisdiction, and the
26court may award actual damages, reasonable attorney fees, and
27court costs. A conviction for an offense under the bill is not
28a prerequisite for the filing of a civil action.
29The bill provides that a person who commits a violation
30of the bill and who causes pecuniary losses involving less
31than $10,000 to a victim of the unlawful act is guilty of an
32aggravated misdemeanor. A person who commits a violation of
33the bill and who causes pecuniary losses involving at least
34$10,000 but less than $50,000 to a victim of the unlawful
35act is guilty of a class “D” felony. A person who commits a
-6-1violation of the bill and who causes pecuniary losses involving
2at least $50,000 to a victim of the unlawful act is guilty of a
3class “C” felony.
4An aggravated misdemeanor is punishable by confinement for
5no more than two years and a fine of at least $855 but not more
6than $8,540. A class “D” felony is punishable by confinement
7for no more than five years and a fine of at least $1,025 but
8not more than $10,245. A class “C” felony is punishable by
9confinement for no more than 10 years and a fine of at least
10$1,370 but not more than $13,660.
11The bill provides that for the purpose of determining
12venue, a violation of the bill shall be considered to have
13been committed in any county where the defendant performed
14the unlawful act, where the defendant resides, or where the
15accessed computer is located.
-7-as/rh