Iowa 2023 2023-2024 Regular Session

Iowa House Bill HF143 Amended / Bill

Filed 02/02/2023

House File 143 - Reprinted

HOUSE FILE 143
BY COMMITTEE ON ECONOMIC GROWTH AND TECHNOLOGY
(SUCCESSOR TO HSB 13)

(As Amended and Passed by the House February 2, 2023)

A BILL FOR

An Act relating to ransomware and providing penalties.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

HF 143 (3) 90
as/rh/md

Section 1. Section 715.2, Code 2023, is amended to read as follows:

715.2 Title.

This chapter shall be known and may be cited as the Computer Spyware, Malware, and Ransomware Protection Act.

Sec. 2. Section 715.3, Code 2023, is amended by adding the following new subsections:

NEW SUBSECTION. 1A. Computer control language means ordered statements that direct a computer to perform specific functions.

NEW SUBSECTION. 1B. Computer database means a representation of information, knowledge, facts, concepts, or instructions that is intended for use in a computer, computer system, or computer network that is being prepared or has been prepared in a formalized manner, or is being produced or has been produced by a computer, computer system, or computer network.

NEW SUBSECTION. 9A. Ransomware means a computer or data contaminant, encryption, or lock that is placed or introduced without authorization into a computer, computer network, or computer system that restricts access by an authorized person to a computer, computer data, a computer system, or a computer network in a manner that results in the person responsible for the placement or introduction of the contaminant, encryption, or lock making a demand for payment of money or other consideration to remove the contaminant, encryption, or lock.

Sec. 3. Section 715.5, subsection 2, Code 2023, is amended to read as follows:

2. Using intentionally deceptive means to cause the execution of a computer software component with the intent of causing an owner or operator to use such component in a manner that violates any other provision of this chapter subchapter.

Sec. 4. Section 715.6, Code 2023, is amended to read as follows:

715.6 Exceptions.

Sections 715.4 and 715.5 shall not apply to the following:

1. The monitoring of, or interaction with, an owner's or an operator's internet or other network connection, service, or computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, maintenance, repair, authorized updates of computer software or system firmware, authorized remote system management, or detection, criminal investigation, or prevention of the use of or fraudulent or other illegal activities prohibited in this chapter in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this chapter subchapter. Nothing in this chapter subchapter shall limit the rights of providers of wire and electronic communications under 18 U.S.C. 2511.

2. The nonpayment or a violation of the terms of a legal contract with the owner or operator.

3. For complying with federal, state, and local law enforcement requests.

Sec. 5. Section 715.7, Code 2023, is amended to read as follows:

715.7 Criminal penalties.

1. A person who commits an unlawful act under this chapter subchapter is guilty of an aggravated misdemeanor.

2. A person who commits an unlawful act under this chapter subchapter and who causes pecuniary losses exceeding one thousand dollars to a victim of the unlawful act is guilty of a class D felony.

Sec. 6. Section 715.8, unnumbered paragraph 1, Code 2023, is amended to read as follows:

For the purpose of determining proper venue, a violation of this chapter subchapter shall be considered to have been committed in any county in which any of the following apply:

Sec. 7. NEW SECTION. 715.9 Ransomware prohibition.

1. A person shall not intentionally, willfully, and without authorization do any of the following:

a. Access, attempt to access, cause to be accessed, or exceed the person's authorized access to all or a part of a computer network, computer control language, computer, computer software, computer system, or computer database.

b. Copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed in violation of paragraph a.

2. A person shall not commit an act prohibited in subsection 1 with the intent to do any of the following:

a. Cause the malfunction or interruption of the operation of all or any part of a computer, computer network, computer control language, computer software, computer system, computer service, or computer data.

b. Alter, damage, or destroy all or any part of data or a computer program stored, maintained, or produced by a computer, computer network, computer software, computer system, computer service, or computer database.

3. A person shall not intentionally, willfully, and without authorization do any of the following:

a. Possess, identify, or attempt to identify a valid computer access code.

b. Publicize or distribute a valid computer access code to an unauthorized person.

4. A person shall not commit an act prohibited under this section with the intent to interrupt or impair the functioning of any of the following:

a. The state.

b. A service, device, or system related to the production, transmission, delivery, or storage of electricity or natural gas in the state that is owned, operated, or controlled by a person other than a public utility as defined in chapter 476.

c. A service provided in the state by a public utility as defined in section 476.1, subsection 3.

d. A hospital or health care facility as defined in section 135C.1.

e. A public elementary or secondary school, community college, or area education agency under the supervision of the department of education.

f. A city, city utility, or city service.

g. An authority as defined in section 330A.2.

5. This section shall not apply to the use of ransomware for research purposes by a person who has a bona fide scientific, educational, governmental, testing, news, or other similar justification for possessing ransomware. However, a person shall not knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into the computer, computer network, or computer system of another person without the authorization of the other person.

6. A person who has suffered a specific and direct injury because of a violation of this section may bring a civil action in a court of competent jurisdiction.

a. In an action under this subsection, the court may award actual damages, reasonable attorney fees, and court costs.

b. A conviction for an offense under this section is not a prerequisite for the filing of a civil action.

Sec. 8. NEW SECTION. 715.10 Criminal penalties.

1. A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving less than ten thousand dollars to a victim of the unlawful act is guilty of an aggravated misdemeanor.

2. A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving at least ten thousand dollars but less than fifty thousand dollars to a victim of the unlawful act is guilty of a class D felony.

3. A person who commits an unlawful act under this subchapter and who causes pecuniary losses involving at least fifty thousand dollars to a victim of the unlawful act is guilty of a class C felony.

Sec. 9. NEW SECTION. 715.11 Venue.

For the purpose of determining proper venue, a violation of this subchapter shall be considered to have been committed in any county in which any of the following apply:

1. Where the defendant performed the unlawful act.

2. Where the defendant resides.

3. Where the accessed computer is located.

Sec. 10. CODE EDITOR DIRECTIVE. The Code editor shall divide chapter 715 into subchapters and shall designate sections 715.1 through 715.3, including sections amended in this Act, as subchapter I entitled INTENT AND DEFINITIONS, sections 715.4 through 715.8, including sections amended in this Act, as subchapter II entitled COMPUTER SPYWARE AND MALWARE, and sections 715.9 through 715.11, as enacted in this Act, as subchapter III entitled RANSOMWARE.