POSSESSING AND USING RANSOMWARE
WITHOUT AUTHORIZATION
House Bill 5257 (reported from committee as H-1)
Sponsor: Rep. Brandt Iden
House Bill 5258 (reported from committee as H-1)
Sponsor: Rep. James A. Lower
Committee: Communications and Technology
Complete to 1-19-18
BRIEF SUMMARY: House Bill 5257 would amend the Michigan Penal Code by creating a prohibition against possessing and using ransomware without authorization. House Bill 5258 would amend the Code of Criminal Procedure by adding sentencing guidelines for a violation of possessing and using ransomware without authorization.
FISCAL IMPACT: House Bill 5257 would have an indeterminate fiscal impact on the state’s correctional system and on local court systems. Information is not available on the number of persons who might be convicted under provisions of the bill, but new felony convictions would result in increased costs related to state prisons and parole supervision. In fiscal year 2017, the average cost of prison incarceration in a state facility was roughly $37,000 per prisoner, a figure that includes various fixed administrative and operational costs. State costs for parole and felony probation supervision averaged about $3,600 per supervised offender in the same year. The fiscal impact on local court systems would depend on how provisions of the bill affected caseloads and related administrative costs.
House Bill 5258 amends sentencing guidelines and does not have a direct fiscal impact on the state or on local units of government.
THE APPARENT PROBLEM:
According to a 2016 statement by the Lansing police chief, cybercrime is “the crime of the future,” and “[is] always changing.” Additionally, he thinks “that just about every organization and every homeowner, at some point in time, will have to deal with some type of cybercrime.”[1]
Ransomware is a kind of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. This cybercrime can result in millions of dollars in damages, which is exactly what Lansing Board of Water and Light experienced when its information was held for ransom in 2016.
The sponsors of the bills introduced this legislation to ensure that perpetrators of a ransomware attack will face a specific sentence during prosecution. The bill sponsors also hope that a felony sentence will help deter future ransomware attacks.
THE CONTENT OF THE BILLS:
House Bill 5257 would add Section 409b to the Michigan Penal Code to prohibit a person from knowingly possessing ransomware with the intent to use or employ it on the computer or computer data, system, or network of another person without that person’s authorization. A violation of this new section would be punishable by up to 3 years’ imprisonment.
Under the bill, ransomware would mean a computer or data contaminant, encryption, or lock that has the ability to be placed or introduced without authorization and that restricts access by an authorized person into a computer or computer data, system, or network. The placement or introduction of the ransomware would enable the person responsible for the placement or introduction to demand payment of money or other consideration to remove the computer contaminant, restore access to the computer or computer data, system, or network, or otherwise remediate the impact of the computer contaminant or lock. Ransomware would not include authentication required to upgrade or access purchased content.
House Bill 5257 would take effect 90 days after it is enacted.
Proposed MCL 750.409b
House Bill 5258 would add sentencing guidelines to the Code of Criminal Procedure for a violation of the section proposed by HB 5257. A violation would be categorized as a crime against public order, classified as a class D violation, and have a statutory maximum prison sentence of 3 years.
House Bill 5258 is tie-barred to HB 5257, which means that HB 5258 cannot take effect unless HB 5257 is also enacted.
ARGUMENTS:
For:
Supporters of the bills argue that having a specific sentence for a ransomware cybercrime will encourage victims to report the incident to the police. A representative from the Michigan State Police testified that many attacks go unreported, which could possibly be due to the uncertainty of prosecuting the perpetrator. Proponents of the bills hope that more ransomware attacks will be reported if the victim knows the perpetrator will be prosecuted under this specific law.
Against:
No arguments against the bills were presented.
POSITIONS:
A representative from the Michigan State Police testified in support of the bills. (12-5-17)
Legislative Analyst: Emily S. Smith
Fiscal Analyst: Robin Risko
■ This analysis was prepared by nonpartisan House Fiscal Agency staff for use by House members in their deliberations, and does not constitute an official statement of legislative intent.