Bill Text: IA SF203 | 2023-2024 | 90th General Assembly | Introduced
Bill Title: A bill for an act relating to ransomware and providing penalties.(Formerly SSB 1072.)
Spectrum: Committee Bill
Status: (Introduced) 2023-04-17 - Withdrawn. S.J. 807. [SF203 Detail]
Download: Iowa-2023-SF203-Introduced.html
Senate
File
203
-
Introduced
SENATE
FILE
203
BY
COMMITTEE
ON
TECHNOLOGY
(SUCCESSOR
TO
SSB
1072)
A
BILL
FOR
An
Act
relating
to
ransomware
and
providing
penalties.
1
BE
IT
ENACTED
BY
THE
GENERAL
ASSEMBLY
OF
THE
STATE
OF
IOWA:
2
TLSB
1266SV
(2)
90
as/rh
S.F.
203
Section
1.
Section
715.2,
Code
2023,
is
amended
to
read
as
1
follows:
2
715.2
Title.
3
This
chapter
shall
be
known
and
may
be
cited
as
the
“Computer
4
Spyware
,
Malware,
and
Ransomware
Protection
Act”
.
5
Sec.
2.
Section
715.3,
Code
2023,
is
amended
by
adding
the
6
following
new
subsections:
7
NEW
SUBSECTION
.
1A.
“Computer
control
language”
means
8
ordered
statements
that
direct
a
computer
to
perform
specific
9
functions.
10
NEW
SUBSECTION
.
1B.
“Computer
database”
means
a
11
representation
of
information,
knowledge,
facts,
concepts,
or
12
instructions
that
is
intended
for
use
in
a
computer,
computer
13
system,
or
computer
network
that
is
being
prepared
or
has
been
14
prepared
in
a
formalized
manner,
or
is
being
produced
or
has
15
been
produced
by
a
computer,
computer
system,
or
computer
16
network.
17
NEW
SUBSECTION
.
9A.
“Ransomware”
means
a
computer
or
data
18
contaminant,
encryption,
or
lock
that
is
placed
or
introduced
19
without
authorization
into
a
computer,
computer
network,
or
20
computer
system
that
restricts
access
by
an
authorized
person
21
to
a
computer,
computer
data,
a
computer
system,
or
a
computer
22
network
in
a
manner
that
results
in
the
person
responsible
for
23
the
placement
or
introduction
of
the
contaminant,
encryption,
24
or
lock
making
a
demand
for
payment
of
money
or
other
25
consideration
to
remove
the
contaminant,
encryption,
or
lock.
26
Sec.
3.
Section
715.5,
subsection
2,
Code
2023,
is
amended
27
to
read
as
follows:
28
2.
Using
intentionally
deceptive
means
to
cause
the
29
execution
of
a
computer
software
component
with
the
intent
of
30
causing
an
owner
or
operator
to
use
such
component
in
a
manner
31
that
violates
any
other
provision
of
this
chapter
subchapter
.
32
Sec.
4.
Section
715.6,
Code
2023,
is
amended
to
read
as
33
follows:
34
715.6
Exceptions.
35
-1-
LSB
1266SV
(2)
90
as/rh
1/
7
S.F.
203
Sections
715.4
and
715.5
shall
not
apply
to
the
following:
1
1.
The
monitoring
of,
or
interaction
with,
an
owner’s
or
2
an
operator’s
internet
or
other
network
connection,
service,
3
or
computer,
by
a
telecommunications
carrier,
cable
operator,
4
computer
hardware
or
software
provider,
or
provider
of
5
information
service
or
interactive
computer
service
for
network
6
or
computer
security
purposes,
diagnostics,
technical
support,
7
maintenance,
repair,
authorized
updates
of
computer
software
8
or
system
firmware,
authorized
remote
system
management,
or
9
detection,
criminal
investigation,
or
prevention
of
the
use
of
10
or
fraudulent
or
other
illegal
activities
prohibited
in
this
11
chapter
in
connection
with
a
network,
service,
or
computer
12
software,
including
scanning
for
and
removing
computer
software
13
prescribed
under
this
chapter
subchapter
.
Nothing
in
this
14
chapter
subchapter
shall
limit
the
rights
of
providers
of
wire
15
and
electronic
communications
under
18
U.S.C.
§2511.
16
2.
The
nonpayment
or
a
violation
of
the
terms
of
a
legal
17
contract
with
the
owner
or
operator.
18
3.
For
complying
with
federal,
state,
and
local
law
19
enforcement
requests.
20
Sec.
5.
Section
715.7,
Code
2023,
is
amended
to
read
as
21
follows:
22
715.7
Criminal
penalties.
23
1.
A
person
who
commits
an
unlawful
act
under
this
chapter
24
subchapter
is
guilty
of
an
aggravated
misdemeanor.
25
2.
A
person
who
commits
an
unlawful
act
under
this
chapter
26
subchapter
and
who
causes
pecuniary
losses
exceeding
one
27
thousand
dollars
to
a
victim
of
the
unlawful
act
is
guilty
of
a
28
class
“D”
felony.
29
Sec.
6.
Section
715.8,
unnumbered
paragraph
1,
Code
2023,
30
is
amended
to
read
as
follows:
31
For
the
purpose
of
determining
proper
venue,
a
violation
32
of
this
chapter
subchapter
shall
be
considered
to
have
been
33
committed
in
any
county
in
which
any
of
the
following
apply:
34
Sec.
7.
NEW
SECTION
.
715.9
Ransomware
prohibition.
35
-2-
LSB
1266SV
(2)
90
as/rh
2/
7
S.F.
203
1.
A
person
shall
not
intentionally,
willfully,
and
without
1
authorization
do
any
of
the
following:
2
a.
Access,
attempt
to
access,
cause
to
be
accessed,
or
3
exceed
the
person’s
authorized
access
to
all
or
a
part
of
a
4
computer
network,
computer
control
language,
computer,
computer
5
software,
computer
system,
or
computer
database.
6
b.
Copy,
attempt
to
copy,
possess,
or
attempt
to
possess
7
the
contents
of
all
or
part
of
a
computer
database
accessed
in
8
violation
of
paragraph
“a”
.
9
2.
A
person
shall
not
commit
an
act
prohibited
in
subsection
10
1
with
the
intent
to
do
any
of
the
following:
11
a.
Cause
the
malfunction
or
interruption
of
the
operation
12
of
all
or
any
part
of
a
computer,
computer
network,
computer
13
control
language,
computer
software,
computer
system,
computer
14
service,
or
computer
data.
15
b.
Alter,
damage,
or
destroy
all
or
any
part
of
data
or
a
16
computer
program
stored,
maintained,
or
produced
by
a
computer,
17
computer
network,
computer
software,
computer
system,
computer
18
service,
or
computer
database.
19
3.
A
person
shall
not
intentionally,
willfully,
and
without
20
authorization
do
any
of
the
following:
21
a.
Possess,
identify,
or
attempt
to
identify
a
valid
22
computer
access
code.
23
b.
Publicize
or
distribute
a
valid
computer
access
code
to
24
an
unauthorized
person.
25
4.
A
person
shall
not
commit
an
act
prohibited
under
this
26
section
with
the
intent
to
interrupt
or
impair
the
functioning
27
of
any
of
the
following:
28
a.
The
state.
29
b.
A
service,
device,
or
system
related
to
the
production,
30
transmission,
delivery,
or
storage
of
electricity
or
natural
31
gas
in
the
state
that
is
owned,
operated,
or
controlled
by
a
32
person
other
than
a
public
utility
as
defined
in
chapter
476.
33
c.
A
service
provided
in
the
state
by
a
public
utility
as
34
defined
in
section
476.1,
subsection
3.
35
-3-
LSB
1266SV
(2)
90
as/rh
3/
7
S.F.
203
d.
A
hospital
or
health
care
facility
as
defined
in
section
1
135C.1.
2
e.
A
public
elementary
or
secondary
school,
community
3
college,
or
area
education
agency
under
the
supervision
of
the
4
department
of
education.
5
f.
A
city,
city
utility,
or
city
service.
6
g.
An
authority
as
defined
in
section
330A.2.
7
5.
This
section
shall
not
apply
to
the
use
of
ransomware
for
8
research
purposes
by
a
person
who
has
a
bona
fide
scientific,
9
educational,
governmental,
testing,
news,
or
other
similar
10
justification
for
possessing
ransomware.
However,
a
person
11
shall
not
knowingly
possess
ransomware
with
the
intent
to
12
use
the
ransomware
for
the
purpose
of
introduction
into
the
13
computer,
computer
network,
or
computer
system
of
another
14
person
without
the
authorization
of
the
other
person.
15
6.
A
person
who
has
suffered
a
specific
and
direct
injury
16
because
of
a
violation
of
this
section
may
bring
a
civil
action
17
in
a
court
of
competent
jurisdiction.
18
a.
In
an
action
under
this
subsection,
the
court
may
award
19
actual
damages,
reasonable
attorney
fees,
and
court
costs.
20
b.
A
conviction
for
an
offense
under
this
section
is
not
a
21
prerequisite
for
the
filing
of
a
civil
action.
22
Sec.
8.
NEW
SECTION
.
715.10
Criminal
penalties.
23
1.
A
person
who
commits
an
unlawful
act
under
this
24
subchapter
and
who
causes
pecuniary
losses
involving
less
than
25
ten
thousand
dollars
to
a
victim
of
the
unlawful
act
is
guilty
26
of
an
aggravated
misdemeanor.
27
2.
A
person
who
commits
an
unlawful
act
under
this
28
subchapter
and
who
causes
pecuniary
losses
involving
at
least
29
ten
thousand
dollars
but
less
than
fifty
thousand
dollars
to
a
30
victim
of
the
unlawful
act
is
guilty
of
a
class
“D”
felony.
31
3.
A
person
who
commits
an
unlawful
act
under
this
32
subchapter
and
who
causes
pecuniary
losses
involving
at
least
33
fifty
thousand
dollars
to
a
victim
of
the
unlawful
act
is
34
guilty
of
a
class
“C”
felony.
35
-4-
LSB
1266SV
(2)
90
as/rh
4/
7
S.F.
203
Sec.
9.
NEW
SECTION
.
715.11
Venue.
1
For
the
purpose
of
determining
proper
venue,
a
violation
of
2
this
subchapter
shall
be
considered
to
have
been
committed
in
3
any
county
in
which
any
of
the
following
apply:
4
1.
Where
the
defendant
performed
the
unlawful
act.
5
2.
Where
the
defendant
resides.
6
3.
Where
the
accessed
computer
is
located.
7
Sec.
10.
CODE
EDITOR
DIRECTIVE.
The
Code
editor
shall
8
divide
chapter
715
into
subchapters
and
shall
designate
9
sections
715.1
through
715.3,
including
sections
amended
in
10
this
Act,
as
subchapter
I
entitled
“INTENT
AND
DEFINITIONS”,
11
sections
715.4
through
715.8,
including
sections
amended
in
12
this
Act,
as
subchapter
II
entitled
“COMPUTER
SPYWARE
AND
13
MALWARE”,
and
sections
715.9
through
715.11,
as
enacted
in
this
14
Act,
as
subchapter
III
entitled
“RANSOMWARE”.
15
EXPLANATION
16
The
inclusion
of
this
explanation
does
not
constitute
agreement
with
17
the
explanation’s
substance
by
the
members
of
the
general
assembly.
18
This
bill
relates
to
ransomware.
19
The
bill
defines
“ransomware”
as
a
computer
or
data
20
contaminant,
encryption,
or
lock
that
is
placed
or
introduced
21
without
authorization
into
a
computer,
computer
network,
or
a
22
computer
system
that
restricts
access
by
an
authorized
person
23
to
a
computer,
computer
data,
a
computer
network,
or
a
computer
24
system
in
a
manner
that
results
in
the
person
responsible
for
25
the
placement
or
introduction
of
the
contaminant,
encryption,
26
or
lock
making
a
demand
for
payment
of
money
or
other
27
consideration
to
remove
the
contaminant,
encryption,
or
lock.
28
The
bill
provides
that
the
monitoring
of,
or
interaction
29
with,
an
owner’s
or
operator’s
internet
or
other
network
30
connection,
service,
or
computer
is
not
prohibited
for
support
31
or
maintenance,
the
investigation
of
illegal
activities,
the
32
nonpayment
or
violation
of
the
terms
of
a
contract,
or
for
33
complying
with
federal,
state,
and
local
law
enforcement
34
requests.
35
-5-
LSB
1266SV
(2)
90
as/rh
5/
7
S.F.
203
The
bill
provides
that
a
person
shall
not
do
any
of
1
the
following
with
the
intent
to
cause
the
malfunction
or
2
interruption
of
the
operation
of,
or
alter,
damage,
or
destroy,
3
all
or
any
part
of
a
computer,
computer
network,
computer
4
control
language,
computer
software,
computer
system,
computer
5
service,
or
computer
data:
intentionally,
willfully,
and
6
without
authorization
access,
attempt
to
access,
cause
to
be
7
accessed,
or
exceed
the
person’s
authorized
access
to
all
8
or
a
part
of
a
computer
network,
computer
control
language,
9
computer,
computer
software,
computer
system,
or
computer
10
database;
or
copy,
attempt
to
copy,
possess,
or
attempt
to
11
possess
the
contents
of
all
or
part
of
a
computer
database.
12
The
bill
provides
that
a
person
shall
not
intentionally,
13
willfully,
and
without
authorization
possess,
identify,
14
or
attempt
to
identify
a
valid
access
code
or
publicize
or
15
distribute
a
valid
access
code
to
an
unauthorized
person.
16
The
bill
provides
that
a
person
shall
not
commit
a
prohibited
17
act
with
the
intent
to
interrupt
or
impair
the
functioning
of
18
the
state
government;
a
service,
device,
or
system
related
19
to
the
production,
transmission,
delivery,
or
storage
of
20
electricity
or
natural
gas
in
the
state
that
is
owned,
21
operated,
or
controlled
by
a
person
other
than
a
public
utility
22
as
defined
in
Code
section
476.1(3);
a
service
provided
in
23
the
state
by
a
public
utility
as
defined
in
Code
chapter
476;
24
a
hospital
or
health
care
facility;
a
public
elementary
or
25
secondary
school,
community
college,
or
area
education
agency
26
under
the
supervision
of
the
department
of
education;
a
city,
27
city
utility,
or
city
service;
or
an
aviation
authority.
28
The
bill
does
not
apply
to
the
use
of
ransomware
for
29
research
purposes
by
a
person
who
has
a
bona
fide
scientific,
30
educational,
governmental,
testing,
news,
or
other
similar
31
justification
for
possessing
ransomware.
However,
a
person
32
shall
not
knowingly
possess
ransomware
with
the
intent
to
33
use
the
ransomware
for
the
purpose
of
introduction
into
the
34
computer,
computer
network,
or
computer
system
of
another
35
-6-
LSB
1266SV
(2)
90
as/rh
6/
7
S.F.
203
person
without
the
authorization
of
the
other
person.
1
The
bill
provides
that
a
person
who
has
suffered
a
specific
2
and
direct
injury
because
of
a
violation
of
the
bill
may
bring
3
a
civil
action
in
a
court
of
competent
jurisdiction,
and
the
4
court
may
award
actual
damages,
reasonable
attorney
fees,
and
5
court
costs.
A
conviction
for
an
offense
under
the
bill
is
not
6
a
prerequisite
for
the
filing
of
a
civil
action.
7
The
bill
provides
that
a
person
who
commits
a
violation
8
of
the
bill
and
who
causes
pecuniary
losses
involving
less
9
than
$10,000
to
a
victim
of
the
unlawful
act
is
guilty
of
an
10
aggravated
misdemeanor.
A
person
who
commits
a
violation
of
11
the
bill
and
who
causes
pecuniary
losses
involving
at
least
12
$10,000
but
less
than
$50,000
to
a
victim
of
the
unlawful
13
act
is
guilty
of
a
class
“D”
felony.
A
person
who
commits
a
14
violation
of
the
bill
and
who
causes
pecuniary
losses
involving
15
at
least
$50,000
to
a
victim
of
the
unlawful
act
is
guilty
of
a
16
class
“C”
felony.
17
An
aggravated
misdemeanor
is
punishable
by
confinement
for
18
no
more
than
two
years
and
a
fine
of
at
least
$855
but
not
more
19
than
$8,540.
A
class
“D”
felony
is
punishable
by
confinement
20
for
no
more
than
five
years
and
a
fine
of
at
least
$1,025
but
21
not
more
than
$10,245.
A
class
“C”
felony
is
punishable
by
22
confinement
for
no
more
than
10
years
and
a
fine
of
at
least
23
$1,370
but
not
more
than
$13,660.
24
The
bill
provides
that
for
the
purpose
of
determining
25
venue,
a
violation
of
the
bill
shall
be
considered
to
have
26
been
committed
in
any
county
where
the
defendant
performed
27
the
unlawful
act,
where
the
defendant
resides,
or
where
the
28
accessed
computer
is
located.
29
-7-
LSB
1266SV
(2)
90
as/rh
7/
7