POSSESSING AND USING RANSOMWARE WITHOUT AUTHORIZATION
House Bill 5257 as enacted
Public Act 95 of 2018
Sponsor: Rep. Brandt Iden
House Bill 5258 as enacted
Public Act 96 of 2018
Sponsor: Rep. James A. Lower
House Committee: Communications and Technology
Senate Committee: Judiciary
Complete to 6-20-18
BRIEF SUMMARY: House Bill 5257 amends the Michigan Penal Code to create a prohibition against possessing ransomware with the intent to use it without authorization. House Bill 5258 would amend the Code of Criminal Procedure to add sentencing guidelines for a violation of possessing ransomware with the intent to use it without authorization.
FISCAL IMPACT: House Bill 5257 would have an indeterminate fiscal impact on the state’s correctional system and on local court systems, and House Bill 5258 would not have a direct fiscal impact on the state or on local units of government. See Fiscal Information, below, for further discussion.
THE APPARENT PROBLEM:
According to a 2016 statement by the Lansing police chief, cybercrime is “the crime of the future,” and “[is] always changing.” Additionally, he thinks “that just about every organization and every homeowner, at some point in time, will have to deal with some type of cybercrime.”[1]
Ransomware is a kind of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. This cybercrime can result in millions of dollars in damages, which is exactly what the Lansing Board of Water and Light experienced when its information was held for ransom in 2016.
The sponsors of the bills introduced this legislation to ensure that perpetrators of a ransomware attack will face a specific sentence during prosecution. The bill sponsors also hope that a felony sentence will help deter future ransomware attacks.
THE CONTENT OF THE BILLS:
House Bill 5257 would add Section 409b to the Michigan Penal Code to prohibit a person from knowingly possessing ransomware with the intent to use or employ it on the computer or computer data, system, or network of another person without that person’s authorization. A violation of this new section would be punishable by up to 3 years’ imprisonment.
Under the bill, ransomware would mean a computer or data contaminant, encryption, or lock that is placed or introduced without authorization and that restricts access by an authorized person into a computer or computer data, system, or network. The placement or introduction of the ransomware would result in the person responsible for its placement or introduction demanding payment of money or other consideration to remove the computer contaminant or restore access to the computer or computer data, system, or network. Ransomware would not include authentication required to upgrade or access purchased content.
House Bill 5257 would take effect 90 days after it is enacted.
Proposed MCL 750.409b
House Bill 5258 would add sentencing guidelines to the Code of Criminal Procedure for a violation of the section proposed by HB 5257. A violation would be categorized as a crime against public order, classified as a class D violation, and have a statutory maximum prison sentence of 3 years.
House Bill 5258 would take effect 90 days after it is enacted. HB 5258 is tie-barred to HB 5257, which means that HB 5258 could not take effect unless HB 5257 were also enacted.
MCL 777.16t
FISCAL INFORMATION:
House Bill 5257 would have an indeterminate fiscal impact on the state’s correctional system and on local court systems. Information is not available on the number of persons who might be convicted under provisions of the bill, but new felony convictions would result in increased costs related to state prisons and parole supervision. In fiscal year 2017, the average cost of prison incarceration in a state facility was roughly $37,000 per prisoner, a figure that includes various fixed administrative and operational costs. State costs for parole and felony probation supervision averaged about $3,600 per supervised offender in the same year. The fiscal impact on local court systems would depend on how provisions of the bill affected caseloads and related administrative costs.
House Bill 5258 amends sentencing guidelines and does not have a direct fiscal impact on the state or on local units of government.
ARGUMENTS:
For:
Supporters of the bills argue that having a specific sentence for a ransomware cybercrime will encourage victims to report the incident to the police. A representative from the Michigan State Police testified that many attacks go unreported, which could possibly be due to the uncertainty of prosecuting the perpetrator. Proponents of the bills hope that more ransomware attacks will be reported if the victim knows the perpetrator will be prosecuted under this specific law.
Against:
No arguments against the bills were presented.
Legislative Analyst: Emily S. Smith
Fiscal Analyst: Robin Risko
■ This analysis was prepared by nonpartisan House Fiscal Agency staff for use by House members in their deliberations, and does not constitute an official statement of legislative intent.