|
|
|
A BILL TO BE ENTITLED
|
|
AN ACT
|
|
relating to cybercrime; creating criminal offenses. |
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
SECTION 1. This Act may be cited as the Texas Cybercrime |
|
Act. |
|
SECTION 2. Section 33.01, Penal Code, is amended by |
|
amending Subdivision (2) and adding Subdivisions (11-a), (13-a), |
|
(13-b), and (13-c) to read as follows: |
|
(2) "Aggregate amount" means the amount of: |
|
(A) any direct or indirect loss incurred by a |
|
victim, including the value of money, property, or service stolen, |
|
appropriated, or rendered unrecoverable by the offense; or |
|
(B) any expenditure required by the victim to: |
|
(i) determine whether data or [verify that] |
|
a computer, computer network, computer program, or computer system |
|
was [not] altered, acquired, appropriated, damaged, deleted, or |
|
disrupted by the offense; or |
|
(ii) attempt to restore, recover, or |
|
replace any data altered, acquired, appropriated, damaged, |
|
deleted, or disrupted. |
|
(11-a) "Decryption," "decrypt," or "decrypted" means |
|
the decoding of encrypted communications or information, whether by |
|
use of a decryption key, by breaking an encryption formula or |
|
algorithm, or by the interference with a person's use of an |
|
encryption service in a manner that causes information or |
|
communications to be stored or transmitted without encryption. |
|
(13-a) "Encrypted private information" means |
|
encrypted data, documents, wire or electronic communications, or |
|
other information stored on a computer or computer system, whether |
|
in the possession of the owner or a provider of an electronic |
|
communications service or a remote computing service, and which has |
|
not been accessible to the public. |
|
(13-b) "Encryption," "encrypt," or "encrypted" means |
|
the encoding of data, documents, wire or electronic communications, |
|
or other information, using mathematical formulas or algorithms in |
|
order to preserve the confidentiality, integrity, or authenticity |
|
of, and prevent unauthorized access to, such information. |
|
(13-c) "Encryption service" means a computing |
|
service, a computer device, computer software, or technology with |
|
encryption capabilities, and includes any subsequent version of or |
|
update to an encryption service. |
|
SECTION 3. Chapter 33, Penal Code, is amended by adding |
|
Sections 33.022, 33.023, and 33.024 to read as follows: |
|
Sec. 33.022. ELECTRONIC ACCESS INTERFERENCE. (a) A |
|
person, other than a network provider acting for a legitimate |
|
network operation or protection purpose, commits an offense if the |
|
person intentionally interrupts or suspends access to a computer |
|
system or computer network without the effective consent of the |
|
owner. |
|
(b) An offense under this section is a third degree felony. |
|
(c) It is a defense to prosecution under this section that |
|
the person acted with the intent to facilitate a lawful seizure or |
|
search of, or lawful access to, a computer, computer network, or |
|
computer system for a legitimate law enforcement purpose. |
|
Sec. 33.023. ELECTRONIC DATA TAMPERING. (a) In this |
|
section: |
|
(1) "Malware" means computer software used to: |
|
(A) gather data without the effective consent of |
|
the owner of the data; |
|
(B) gain access to a computer, computer network, |
|
or computer system without the effective consent of the owner; or |
|
(C) disrupt the operation of a computer, computer |
|
network, or computer system without the effective consent of the |
|
owner. |
|
(2) "Ransomware" means a computer contaminant or lock |
|
that restricts access by an unauthorized person to a computer, |
|
computer system, or computer network or any data in a computer, |
|
computer system, or computer network under circumstances in which a |
|
person demands money, property, or a service to remove the computer |
|
contaminant or lock, restore access to the computer, computer |
|
system, computer network, or data, or otherwise remediate the |
|
impact of the computer contaminant or lock. |
|
(b) A person commits an offense if the person knowingly |
|
alters data as it transmits between two computers in a computer |
|
network or computer system without the effective consent of the |
|
owner. |
|
(c) A person commits an offense if the person knowingly |
|
introduces malware or ransomware onto a computer, computer network, |
|
or computer system without the effective consent of the owner and |
|
without a legitimate business purpose. |
|
(d) An offense under this section is a Class A misdemeanor, |
|
unless the person acted with the intent to defraud or harm another |
|
or alter, appropriate, damage, or delete property, in which event |
|
the offense is: |
|
(1) a state jail felony if the aggregate amount |
|
involved is $2,500 or more but less than $30,000; |
|
(2) a felony of the third degree if the aggregate |
|
amount involved is $30,000 or more but less than $150,000; |
|
(3) a felony of the second degree if: |
|
(A) the aggregate amount involved is $150,000 or |
|
more but less than $300,000; or |
|
(B) the aggregate amount involved is any amount |
|
less than $300,000 and the computer, computer network, or computer |
|
system is owned by the government or a critical infrastructure |
|
facility; or |
|
(4) a felony of the first degree if the aggregate |
|
amount involved is $300,000 or more. |
|
(e) When benefits are obtained, a victim is defrauded or |
|
harmed, or property is altered, appropriated, damaged, or deleted |
|
in violation of this section, whether or not in a single incident, |
|
the conduct may be considered as one offense and the value of the |
|
benefits obtained and of the losses incurred because of the fraud, |
|
harm, or alteration, appropriation, damage, or deletion of property |
|
may be aggregated in determining the grade of the offense. |
|
(f) A person who is subject to prosecution under this |
|
section and any other section of this code may be prosecuted under |
|
either or both sections. |
|
(g) Software is not ransomware for the purposes of this |
|
section if the software restricts access to data because: |
|
(1) authentication is required to upgrade or access |
|
purchased content; or |
|
(2) access to subscription content has been blocked |
|
for nonpayment. |
|
(h) It is an exception to the application of Subsection (b) |
|
that: |
|
(1) the person was an officer, employee, or agent of: |
|
(A) an Internet service provider; |
|
(B) a computer service provider; |
|
(C) a provider of information service, as that |
|
term is defined by 47 U.S.C. Section 153; |
|
(D) an interactive computer service, as that term |
|
is defined by 47 U.S.C. Section 230; |
|
(E) an electronic communications service, as |
|
that term is defined by Article 18.20, Code of Criminal Procedure; |
|
or |
|
(F) a cable service provider or video service |
|
provider, as those terms are defined by Section 66.002, Utilities |
|
Code; |
|
(2) the person committed the proscribed act in the |
|
course of employment while engaged in an activity that is a |
|
necessary incident to the rendition of service or to the protection |
|
of the rights or property of the person's employer; and |
|
(3) the alteration of data was consistent with |
|
accepted industry technical specifications. |
|
Sec. 33.024. UNLAWFUL DECRYPTION. (a) A person commits an |
|
offense if the person decrypts encrypted private information |
|
without the effective consent of the owner. |
|
(b) An offense under this section is a Class A misdemeanor, |
|
unless the person acted with the intent to defraud or harm another, |
|
or alter, appropriate, damage, or delete property, in which event |
|
the offense is: |
|
(1) a state jail felony if the aggregate amount |
|
involved is less than $30,000; |
|
(2) a felony of the third degree if the aggregate |
|
amount involved is $30,000 or more but less than $150,000; |
|
(3) a felony of the second degree if: |
|
(A) the aggregate amount involved is $150,000 or |
|
more but less than $300,000; or |
|
(B) the aggregate amount involved is any amount |
|
less than $300,000 and the computer, computer network, or computer |
|
system is owned by the government or a critical infrastructure |
|
facility; or |
|
(4) a felony of the first degree if the aggregate |
|
amount involved is $300,000 or more. |
|
(c) It is a defense to prosecution under this section that |
|
the actor's conduct was pursuant to a contract entered into with the |
|
owner for the purpose of: |
|
(1) assessing or maintaining the security of the |
|
information or of a computer, computer network, or computer system; |
|
or |
|
(2) providing other services related to security. |
|
(d) A person who is subject to prosecution under this |
|
section and any other section of this code may be prosecuted under |
|
either or both sections. |
|
SECTION 4. Section 33.03, Penal Code, is amended to read as |
|
follows: |
|
Sec. 33.03. DEFENSES. It is an affirmative defense to |
|
prosecution under Section 33.02, 33.022, or 33.023(b) that the |
|
actor was an officer, employee, or agent of a communications common |
|
carrier or electric utility and committed the proscribed act or |
|
acts in the course of employment while engaged in an activity that |
|
is a necessary incident to the rendition of service or to the |
|
protection of the rights or property of the communications common |
|
carrier or electric utility. |
|
SECTION 5. The change in law made by this Act applies only |
|
to an offense committed on or after the effective date of this Act. |
|
An offense committed before the effective date of this Act is |
|
governed by the law in effect on the date the offense was committed, |
|
and the former law is continued in effect for that purpose. For |
|
purposes of this section, an offense was committed before the |
|
effective date of this Act if any element of the offense occurred |
|
before that date. |
|
SECTION 6. This Act takes effect September 1, 2017. |