WEST virginia legislature

2020 regular session

Enrolled

Committee Substitute

for

Senate Bill 261

Senators Ihlenfeld, Baldwin, Stollings, and Maynard, original sponsors

[Passed March 7, 2020; in effect 90 days from passage]

AN ACT to amend and reenact §61-3C-3 and §61-3C-4 of the Code of West Virginia, 1931, as amended, all relating to contaminating a computer with ransomware; creating criminal offense of introducing ransomware into any computer, computer system, or computer network with the intent to extort money or other consideration; setting forth the elements of the offense; defining terms; and establishing criminal penalties.

Be it enacted by the Legislature of West Virginia:

ARTICLE 3C. WEST VIRGINIA COMPUTER CRIME AND ABUSE ACT.

§61-3C-3. Definitions.

As used in this article, unless the context clearly indicates otherwise:

(1) “Access” means to instruct, communicate with, store data in, retrieve data from, intercept data from, or otherwise make use of any computer, computer network, computer program, computer software, computer data, or other computer resources.

(2) “Authorization” means the express or implied consent given by a person to another to access or use said person’s computer, computer network, computer program, computer software, computer system, password, identifying code, or personal identification number.

(3) “Computer” means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device performing logical, arithmetic, or storage functions and includes any data storage facility or communication facility directly related to, or operating in conjunction with, such device. The term “computer” includes any connected or directly related device, equipment, or facility which enables the computer to store, retrieve, or communicate computer programs, computer data, or the results of computer operations to or from a person, another computer, or another device, file servers, mainframe systems, desktop personal computers, laptop personal computers, tablet personal computers, cellular telephones, game consoles, and any other electronic data storage device or equipment, but such term does not include an automated typewriter or typesetter, a portable hand-held calculator, or other similar device.

(4) “Computer contaminant” means any set of computer instructions that are designed to damage or destroy information within a computer, computer system, or computer network without the consent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms that are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, or damage or destroy the normal operation of the computer.

(5) “Computer data” means any representation of knowledge, facts, concepts, instruction, or other information computed, classified, processed, transmitted, received, retrieved, originated, stored, manifested, measured, detected, recorded, reproduced, handled, or utilized by a computer, computer network, computer program, or computer software, and may be in any medium, including, but not limited to, computer printouts, microfilm, microfiche, magnetic storage media, optical storage media, punch paper tape, or punch cards, or it may be stored internally in read-only memory or random access memory of a computer or any other peripheral device.

(6) “Computer network” means a set of connected devices and communication facilities, including more than one computer, with the capability to transmit computer data among them through such communication facilities.

(7) “Computer operations” means arithmetic, logical, storage, display, monitoring, or retrieval functions or any combination thereof and includes, but is not limited to, communication with, storage of data in or to, or retrieval of data from any device, and the human manual manipulation of electronic magnetic impulses. A “computer operation” for a particular computer shall also mean any function for which that computer was designed.

(8) “Computer program” means an ordered set of computer data representing instructions or statements, in a form readable by a computer, which controls, directs, or otherwise influences the functioning of a computer or computer network.

(9) “Computer software” means a set of computer programs, procedures, and associated documentation concerned with computer data or with the operation of a computer, computer program, or computer network.

(10) “Computer services” means computer access time, computer data processing, or computer data storage, and the computer data processed or stored in connection therewith.

(11) “Computer supplies” means punch cards, paper tape, magnetic tape, magnetic disks or diskettes, optical disks or diskettes, disk or diskette packs, paper, microfilm, and any other tangible input, output, or storage medium used in connection with a computer, computer network, computer data, computer software, or computer program.

(12) “Computer resources” includes, but is not limited to, information retrieval; computer data processing, transmission, and storage; and any other functions performed, in whole or in part, by the use of a computer, computer network, computer software, or computer program.

(13) “Financial instrument” includes, but is not limited to, a  check, draft, warrant, money order, note, certificate of deposit, letter of credit, bill of exchange, credit or debit card, transaction authorization mechanism, marketable security, or any computerized representation thereof.

(14) “Owner” means any person who owns or leases or is a licensee of a computer, computer network, computer data, computer program, computer software, computer resources, or computer supplies.

(15) “Person” means any natural person, general partnership, limited partnership, trust, association, corporation, joint venture, or any state, county, or municipal government and any subdivision, branch, department, or agency thereof.

(16) “Property” includes:

(A) Real property;

(B) Computers and computer networks;

(C) Financial instruments, computer data, computer programs, computer software, and all other personal property regardless of whether they are:

(i) Tangible or intangible;

(ii) In a format readable by humans or by a computer;

(iii) In transit between computers or within a computer network or between any devices which comprise a computer; or

(iv) Located on any paper or in any device on which it is stored by a computer or by a human; and

(D) Computer services.

(17) “Ransomware” means a computer contaminant, or lock placed or introduced without authorization into a computer, computer system, or computer network that restricts access by an authorized user to the computer, computer system, computer network, or any data therein under circumstances in which the person responsible for the placement or introduction of the ransomware demands payment of money or other consideration to remove the computer contaminant, restore access to the computer, computer system, computer network, or data, or otherwise remediate the impact of the computer contaminant or lock.

(18) “Value” means having any potential to provide any direct or indirect gain or advantage to any person.

 (19) “Value of property or computer services” shall be: (A) The market value of the property or computer services at the time of a violation of this article; or  (B) if the property or computer services are unrecoverable, damaged, or destroyed as a result of a violation of §61-3C-6 or §61-3C-7 of this code, the cost of reproducing or replacing the property or computer services at the time of the violation.

§61-3C-4. Computer fraud; access to Legislature computer; criminal penalties.

(a) Any person who, knowingly and willfully, directly or indirectly, accesses or causes to be accessed any computer, computer services, or computer network for the purpose of: (1) Executing any scheme or artifice to defraud; or (2) obtaining money, property, or services by means of fraudulent pretenses, representations, or promises is guilty of a felony and, upon conviction thereof, shall be fined not more than $10,000 or imprisoned in a state correctional facility for a determinate sentence of not more than 10 years, or both fined and imprisoned.

(b) Any person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is guilty of a felony and, upon conviction thereof, shall be fined not more than $100,000 or imprisoned in a state correctional facility for a determinate sentence of not more than 10 years, or both fined and imprisoned.

(c) A person is criminally responsible for placing or introducing ransomware into a computer, computer system, or computer network if the person directly places or introduces the ransomware or directs or induces another person to do so, with the intent of demanding payment or other consideration for removing, restoring access, or other remediation of the impact of the ransomware.

  (d) (1) Any person who, knowingly and willfully, directly or indirectly, accesses, attempts to access, or causes to be accessed any data stored in a computer owned by the Legislature without authorization is guilty of a felony and, upon conviction thereof, shall be fined not more than $5,000 or imprisoned in a state correctional facility for a determinate sentence of not more than five years, or both fined and imprisoned.

(2) Notwithstanding the provisions of §61-3C-17 of this code to the contrary, in any criminal prosecution under this subsection against an employee or member of the Legislature, it shall not be a defense: (A) That the defendant had reasonable grounds to believe that he or she had authorization to access the data merely because of his or her employment or membership; or (B) that the defendant could not have reasonably known he or she did not have authorization to access the data: Provided, That the Joint Committee on Government and Finance shall promulgate rules for the respective houses of the Legislature regarding appropriate access of members and staff and others to the legislative computer system.