85R18354 ADM-D
By: Capriglione, Elkins, Blanco, et al. H.B. No. 9
Substitute the following for H.B. No. 9:
By: Lucio III C.S.H.B. No. 9
A BILL TO BE ENTITLED
AN ACT
relating to cybercrime; creating criminal offenses.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. This Act may be cited as the Texas Cybercrime
Act.
SECTION 2. Section 33.01, Penal Code, is amended by
amending Subdivision (2) and adding Subdivisions (11-a), (13-a),
(13-b), and (13-c) to read as follows:
(2) "Aggregate amount" means the amount of:
(A) any direct or indirect loss incurred by a
victim, including the value of money, property, or service stolen,
appropriated, or rendered unrecoverable by the offense; or
(B) any expenditure required by the victim to:
(i) determine whether data or [verify that]
a computer, computer network, computer program, or computer system
was [not] altered, acquired, appropriated, damaged, deleted, or
disrupted by the offense; or
(ii) attempt to restore, recover, or
replace any data altered, acquired, appropriated, damaged,
deleted, or disrupted.
(11-a) "Decryption," "decrypt," or "decrypted" means
the decoding of encrypted communications or information, whether by
use of a decryption key, by breaking an encryption formula or
algorithm, or by the interference with a person's use of an
encryption service in a manner that causes information or
communications to be stored or transmitted without encryption.
(13-a) "Encrypted private information" means
encrypted data, documents, wire or electronic communications, or
other information stored on a computer or computer system, whether
in the possession of the owner or a provider of an electronic
communications service or a remote computing service, and which has
not been accessible to the public.
(13-b) "Encryption," "encrypt," or "encrypted" means
the encoding of data, documents, wire or electronic communications,
or other information, using mathematical formulas or algorithms in
order to preserve the confidentiality, integrity, or authenticity
of, and prevent unauthorized access to, such information.
(13-c) "Encryption service" means a computing
service, a computer device, computer software, or technology with
encryption capabilities, and includes any subsequent version of or
update to an encryption service.
SECTION 3. Chapter 33, Penal Code, is amended by adding
Sections 33.022, 33.023, and 33.024 to read as follows:
Sec. 33.022. ELECTRONIC ACCESS INTERFERENCE. (a) A
person, other than a network provider acting for a legitimate
network operation or protection purpose, commits an offense if the
person intentionally interrupts or suspends access to a computer
system or computer network without the effective consent of the
owner.
(b) An offense under this section is a third degree felony.
(c) It is a defense to prosecution under this section that
the person acted with the intent to facilitate a lawful seizure or
search of, or lawful access to, a computer, computer network, or
computer system for a legitimate law enforcement purpose.
Sec. 33.023. ELECTRONIC DATA TAMPERING. (a) In this
section:
(1) "Malware" means computer software used to:
(A) gather data without the effective consent of
the owner of the data;
(B) gain access to a computer, computer network,
or computer system without the effective consent of the owner; or
(C) disrupt the operation of a computer, computer
network, or computer system without the effective consent of the
owner.
(2) "Ransomware" means a computer contaminant or lock
that restricts access by an unauthorized person to a computer,
computer system, or computer network or any data in a computer,
computer system, or computer network under circumstances in which a
person demands money, property, or a service to remove the computer
contaminant or lock, restore access to the computer, computer
system, computer network, or data, or otherwise remediate the
impact of the computer contaminant or lock.
(b) A person commits an offense if the person knowingly
alters data as it transmits between two computers in a computer
network or computer system without the effective consent of the
owner.
(c) A person commits an offense if the person knowingly
introduces malware or ransomware onto a computer, computer network,
or computer system without the effective consent of the owner and
without a legitimate business purpose.
(d) An offense under this section is a Class A misdemeanor,
unless the person acted with the intent to defraud or harm another
or alter, appropriate, damage, or delete property, in which event
the offense is:
(1) a state jail felony if the aggregate amount
involved is $2,500 or more but less than $30,000;
(2) a felony of the third degree if the aggregate
amount involved is $30,000 or more but less than $150,000;
(3) a felony of the second degree if:
(A) the aggregate amount involved is $150,000 or
more but less than $300,000; or
(B) the aggregate amount involved is any amount
less than $300,000 and the computer, computer network, or computer
system is owned by the government or a critical infrastructure
facility; or
(4) a felony of the first degree if the aggregate
amount involved is $300,000 or more.
(e) When benefits are obtained, a victim is defrauded or
harmed, or property is altered, appropriated, damaged, or deleted
in violation of this section, whether or not in a single incident,
the conduct may be considered as one offense and the value of the
benefits obtained and of the losses incurred because of the fraud,
harm, or alteration, appropriation, damage, or deletion of property
may be aggregated in determining the grade of the offense.
(f) A person who is subject to prosecution under this
section and any other section of this code may be prosecuted under
either or both sections.
(g) Software is not ransomware for the purposes of this
section if the software restricts access to data because:
(1) authentication is required to upgrade or access
purchased content; or
(2) access to subscription content has been blocked
for nonpayment.
(h) It is an exception to the application of Subsection (b)
that:
(1) the person was an officer, employee, or agent of:
(A) an Internet service provider;
(B) a computer service provider;
(C) a provider of information service, as that
term is defined by 47 U.S.C. Section 153;
(D) an interactive computer service, as that term
is defined by 47 U.S.C. Section 230;
(E) an electronic communications service, as
that term is defined by Article 18.20, Code of Criminal Procedure;
or
(F) a cable service provider or video service
provider, as those terms are defined by Section 66.002, Utilities
Code;
(2) the person committed the proscribed act in the
course of employment while engaged in an activity that is a
necessary incident to the rendition of service or to the protection
of the rights or property of the person's employer; and
(3) the alteration of data was consistent with
accepted industry technical specifications.
Sec. 33.024. UNLAWFUL DECRYPTION. (a) A person commits an
offense if the person decrypts encrypted private information
without the effective consent of the owner.
(b) An offense under this section is a Class A misdemeanor,
unless the person acted with the intent to defraud or harm another,
or alter, appropriate, damage, or delete property, in which event
the offense is:
(1) a state jail felony if the aggregate amount
involved is less than $30,000;
(2) a felony of the third degree if the aggregate
amount involved is $30,000 or more but less than $150,000;
(3) a felony of the second degree if:
(A) the aggregate amount involved is $150,000 or
more but less than $300,000; or
(B) the aggregate amount involved is any amount
less than $300,000 and the computer, computer network, or computer
system is owned by the government or a critical infrastructure
facility; or
(4) a felony of the first degree if the aggregate
amount involved is $300,000 or more.
(c) It is a defense to prosecution under this section that
the actor's conduct was pursuant to a contract entered into with the
owner for the purpose of:
(1) assessing or maintaining the security of the
information or of a computer, computer network, or computer system;
or
(2) providing other services related to security.
(d) A person who is subject to prosecution under this
section and any other section of this code may be prosecuted under
either or both sections.
SECTION 4. Section 33.03, Penal Code, is amended to read as
follows:
Sec. 33.03. DEFENSES. It is an affirmative defense to
prosecution under Section 33.02, 33.022, or 33.023(b) that the
actor was an officer, employee, or agent of a communications common
carrier or electric utility and committed the proscribed act or
acts in the course of employment while engaged in an activity that
is a necessary incident to the rendition of service or to the
protection of the rights or property of the communications common
carrier or electric utility.
SECTION 5. The change in law made by this Act applies only
to an offense committed on or after the effective date of this Act.
An offense committed before the effective date of this Act is
governed by the law in effect on the date the offense was committed,
and the former law is continued in effect for that purpose. For
purposes of this section, an offense was committed before the
effective date of this Act if any element of the offense occurred
before that date.
SECTION 6. This Act takes effect September 1, 2017.