House File 143 - Reprinted
A Bill For
An Act relating to ransomware and providing penalties.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
   Section 1.  Section 715.2, Code 2023, is amended to read as follows:
   715.2  Title.
   This chapter shall be known and may be cited as the “Computer Spyware, Malware, and Ransomware Protection Act”.
   Sec. 2.  Section 715.3, Code 2023, is amended by adding the following new subsections:
   NEW SUBSECTION.  1A.  “Computer control language” means ordered statements that direct a computer to perform specific functions.
   NEW SUBSECTION.  1B.  “Computer database” means a representation of information, knowledge, facts, concepts, or instructions that is intended for use in a computer, computer system, or computer network that is being prepared or has been prepared in a formalized manner, or is being produced or has been produced by a computer, computer system, or computer network.
   NEW SUBSECTION.  9A.  “Ransomware” means a computer or data contaminant, encryption, or lock that is placed or introduced without authorization into a computer, computer network, or computer system that restricts access by an authorized person to a computer, computer data, a computer system, or a computer network in a manner that results in the person responsible for the placement or introduction of the contaminant, encryption, or lock making a demand for payment of money or other consideration to remove the contaminant, encryption, or lock.
   Sec. 3.  Section 715.5, subsection 2, Code 2023, is amended to read as follows:
   2.  Using intentionally deceptive means to cause the execution of a computer software component with the intent of causing an owner or operator to use such component in a manner that violates any other provision of this chapter subchapter.
   Sec. 4.  Section 715.6, Code 2023, is amended to read as follows:
   715.6  Exceptions.
   Sections 715.4 and 715.5 shall not apply to the following:
   1.  The monitoring of, or interaction with, an owner’s or an operator’s internet or other network connection, service, or computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, maintenance, repair, authorized updates of computer software or system firmware, authorized remote system management, or detection, criminal investigation, or prevention of the use of or fraudulent or other illegal activities prohibited in this chapter in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this chapter subchapter. Nothing in this chapter subchapter shall limit the rights of providers of wire and electronic communications under 18 U.S.C. §2511.
   2.  The nonpayment or a violation of the terms of a legal contract with the owner or operator.
   3.  For complying with federal, state, and local law enforcement requests.
   Sec. 5.  Section 715.7, Code 2023, is amended to read as follows:
   715.7  Criminal penalties.
   1.  A person who commits an unlawful act under this chapter subchapter is guilty of an aggravated misdemeanor.
   2.  A person who commits an unlawful act under this chapter subchapter and who causes pecuniary losses exceeding one thousand dollars to a victim of the unlawful act is guilty of a class “D” felony.
   Sec. 6.  Section 715.8, unnumbered paragraph 1, Code 2023, is amended to read as follows:
   For the purpose of determining proper venue, a violation of this chapter subchapter shall be considered to have been committed in any county in which any of the following apply:
   Sec. 7.  NEW SECTION.  715.9  Ransomware prohibition.
   1.  A person shall not intentionally, willfully, and without authorization do any of the following:
   a.  Access, attempt to access, cause to be accessed, or exceed the person’s authorized access to all or a part of a computer network, computer control language, computer, computer software, computer system, or computer database.
   b.  Copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed in violation of paragraph “a”.
   2.  A person shall not commit an act prohibited in subsection 1 with the intent to do any of the following:
   a.  Cause the malfunction or interruption of the operation of all or any part of a computer, computer network, computer control language, computer software, computer system, computer service, or computer data.
   b.  Alter, damage, or destroy all or any part of data or a computer program stored, maintained, or produced by a computer, computer network, computer software, computer system, computer service, or computer database.
   3.  A person shall not intentionally, willfully, and without authorization do any of the following:
   a.  Possess, identify, or attempt to identify a valid computer access code.
   b.  Publicize or distribute a valid computer access code to an unauthorized person.
   4.  A person shall not commit an act prohibited under this section with the intent to interrupt or impair the functioning of any of the following:
   a.  The state.
   b.  A service, device, or system related to the production, transmission, delivery, or storage of electricity or natural gas in the state that is owned, operated, or controlled by a person other than a public utility as defined in chapter 476.
   c.  A service provided in the state by a public utility as defined in section 476.1, subsection 3.
   d.  A hospital or health care facility as defined in section 135C.1.
   e.  A public elementary or secondary school, community college, or area education agency under the supervision of the department of education.
   f.  A city, city utility, or city service.
   g.  An authority as defined in section 330A.2.
   5.  This section shall not apply to the use of ransomware for research purposes by a person who has a bona fide scientific, educational, governmental, testing, news, or other similar justification for possessing ransomware. However, a person shall not knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into the computer, computer network, or computer system of another person without the authorization of the other person.
   6.  A person who has suffered a specific and direct injury because of a violation of this section may bring a civil action in a court of competent jurisdiction.
   a.  In an action under this subsection, the court may award actual damages, reasonable attorney fees, and court costs.
   b.  A conviction for an offense under this section is not a prerequisite for the filing of a civil action.
   Sec. 8.  NEW SECTION.  715.10  Criminal penalties.
   1.  A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving less than ten thousand dollars to a victim of the unlawful act is guilty of an aggravated misdemeanor.
   2.  A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving at least ten thousand dollars but less than fifty thousand dollars to a victim of the unlawful act is guilty of a class “D” felony.
   3.  A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving at least fifty thousand dollars to a victim of the unlawful act is guilty of a class “C” felony.
   Sec. 9.  NEW SECTION.  715.11  Venue.
   For the purpose of determining proper venue, a violation of this subchapter shall be considered to have been committed in any county in which any of the following apply:
   1.  Where the defendant performed the unlawful act.
   2.  Where the defendant resides.
   3.  Where the accessed computer is located.
   Sec. 10.  CODE EDITOR DIRECTIVE.  The Code editor shall divide chapter 715 into subchapters and shall designate sections 715.1 through 715.3, including sections amended in this Act, as subchapter I entitled “INTENT AND DEFINITIONS”, sections 715.4 through 715.8, including sections amended in this Act, as subchapter II entitled “COMPUTER SPYWARE AND MALWARE”, and sections 715.9 through 715.11, as enacted in this Act, as subchapter III entitled “RANSOMWARE”.