Bill Text: IA HF143 | 2023-2024 | 90th General Assembly | Enrolled


Bill Title: A bill for an act relating to ransomware and providing penalties. (Formerly HSB 13.) Effective date: 07/01/2023.

Spectrum: Committee Bill

Status: (Passed) 2023-05-11 - Signed by Governor. H.J. 1038. [HF143 Detail]

Download: Iowa-2023-HF143-Enrolled.html
House File 143 - Enrolled House File 143 AN ACT RELATING TO RANSOMWARE AND PROVIDING PENALTIES. BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: Section 1. Section 715.2, Code 2023, is amended to read as follows: 715.2 Title. This chapter shall be known and may be cited as the “Computer Spyware , Malware, and Ransomware Protection Act” . Sec. 2. Section 715.3, Code 2023, is amended by adding the following new subsections: NEW SUBSECTION . 1A. “Computer control language” means ordered statements that direct a computer to perform specific functions. NEW SUBSECTION . 1B. “Computer database” means a representation of information, knowledge, facts, concepts, or instructions that is intended for use in a computer, computer system, or computer network that is being prepared or has been prepared in a formalized manner, or is being produced or has been produced by a computer, computer system, or computer network. NEW SUBSECTION . 9A. “Ransomware” means a computer or data contaminant, encryption, or lock that is placed or introduced without authorization into a computer, computer network, or computer system that restricts access by an authorized person to a computer, computer data, a computer system, or a computer network in a manner that results in the person responsible for
House File 143, p. 2 the placement or introduction of the contaminant, encryption, or lock making a demand for payment of money or other consideration to remove the contaminant, encryption, or lock. Sec. 3. Section 715.5, subsection 2, Code 2023, is amended to read as follows: 2. Using intentionally deceptive means to cause the execution of a computer software component with the intent of causing an owner or operator to use such component in a manner that violates any other provision of this chapter subchapter . Sec. 4. Section 715.6, Code 2023, is amended to read as follows: 715.6 Exceptions. Sections 715.4 and 715.5 shall not apply to the following: 1. The monitoring of, or interaction with, an owner’s or an operator’s internet or other network connection, service, or computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, maintenance, repair, authorized updates of computer software or system firmware, authorized remote system management, or detection, criminal investigation, or prevention of the use of or fraudulent or other illegal activities prohibited in this chapter in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this chapter subchapter . Nothing in this chapter subchapter shall limit the rights of providers of wire and electronic communications under 18 U.S.C. §2511. 2. The nonpayment or a violation of the terms of a legal contract with the owner or operator. 3. For complying with federal, state, and local law enforcement requests. Sec. 5. Section 715.7, Code 2023, is amended to read as follows: 715.7 Criminal penalties. 1. A person who commits an unlawful act under this chapter subchapter is guilty of an aggravated misdemeanor. 2. A person who commits an unlawful act under this chapter subchapter and who causes pecuniary losses exceeding one
House File 143, p. 3 thousand dollars to a victim of the unlawful act is guilty of a class “D” felony. Sec. 6. Section 715.8, unnumbered paragraph 1, Code 2023, is amended to read as follows: For the purpose of determining proper venue, a violation of this chapter subchapter shall be considered to have been committed in any county in which any of the following apply: Sec. 7. NEW SECTION . 715.9 Ransomware prohibition. 1. A person shall not intentionally, willfully, and without authorization do any of the following: a. Access, attempt to access, cause to be accessed, or exceed the person’s authorized access to all or a part of a computer network, computer control language, computer, computer software, computer system, or computer database. b. Copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed in violation of paragraph “a” . 2. A person shall not commit an act prohibited in subsection 1 with the intent to do any of the following: a. Cause the malfunction or interruption of the operation of all or any part of a computer, computer network, computer control language, computer software, computer system, computer service, or computer data. b. Alter, damage, or destroy all or any part of data or a computer program stored, maintained, or produced by a computer, computer network, computer software, computer system, computer service, or computer database. 3. A person shall not intentionally, willfully, and without authorization do any of the following: a. Possess, identify, or attempt to identify a valid computer access code. b. Publicize or distribute a valid computer access code to an unauthorized person. 4. A person shall not commit an act prohibited under this section with the intent to interrupt or impair the functioning of any of the following: a. The state. b. A service, device, or system related to the production, transmission, delivery, or storage of electricity or natural
House File 143, p. 4 gas in the state that is owned, operated, or controlled by a person other than a public utility as defined in chapter 476. c. A service provided in the state by a public utility as defined in section 476.1, subsection 3. d. A hospital or health care facility as defined in section 135C.1. e. A public elementary or secondary school, community college, or area education agency under the supervision of the department of education. f. A city, city utility, or city service. g. An authority as defined in section 330A.2. 5. This section shall not apply to the use of ransomware for research purposes by a person who has a bona fide scientific, educational, governmental, testing, news, or other similar justification for possessing ransomware. However, a person shall not knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into the computer, computer network, or computer system of another person without the authorization of the other person. 6. A person who has suffered a specific and direct injury because of a violation of this section may bring a civil action in a court of competent jurisdiction. a. In an action under this subsection, the court may award actual damages, reasonable attorney fees, and court costs. b. A conviction for an offense under this section is not a prerequisite for the filing of a civil action. Sec. 8. NEW SECTION . 715.10 Criminal penalties. 1. A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving less than ten thousand dollars to a victim of the unlawful act is guilty of an aggravated misdemeanor. 2. A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving at least ten thousand dollars but less than fifty thousand dollars to a victim of the unlawful act is guilty of a class “D” felony. 3. A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving at least fifty thousand dollars to a victim of the unlawful act is guilty of a class “C” felony.
House File 143, p. 5 Sec. 9. NEW SECTION . 715.11 Venue. For the purpose of determining proper venue, a violation of this subchapter shall be considered to have been committed in any county in which any of the following apply: 1. Where the defendant performed the unlawful act. 2. Where the defendant resides. 3. Where the accessed computer is located. Sec. 10. CODE EDITOR DIRECTIVE. The Code editor shall divide chapter 715 into subchapters and shall designate sections 715.1 through 715.3, including sections amended in this Act, as subchapter I entitled “INTENT AND DEFINITIONS”, sections 715.4 through 715.8, including sections amended in this Act, as subchapter II entitled “COMPUTER SPYWARE AND MALWARE”, and sections 715.9 through 715.11, as enacted in this Act, as subchapter III entitled “RANSOMWARE”. ______________________________ PAT GRASSLEY Speaker of the House ______________________________ AMY SINCLAIR President of the Senate I hereby certify that this bill originated in the House and is known as House File 143, Ninetieth General Assembly. ______________________________ MEGHAN NELSON Chief Clerk of the House Approved _______________, 2023 ______________________________ KIM REYNOLDS Governor
feedback