By: Capriglione, Elkins, Blanco, et al. H.B. No. 9
A BILL TO BE ENTITLED
AN ACT
relating to cybercrime; creating criminal offenses.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. This Act may be cited as the Texas Cybercrime
Act.
SECTION 2. Section 33.01, Penal Code, is amended by
amending Subdivision (2) and adding Subdivisions (11-a), (13-a),
(13-b), and (13-c) to read as follows:
(2) "Aggregate amount" means the amount of:
(A) any direct or indirect loss incurred by a
victim, including the value of money, property, or service stolen,
appropriated, or rendered unrecoverable by the offense; or
(B) any expenditure required by the victim to:
(i) determine whether data or [verify that]
a computer, computer network, computer program, or computer system
was [not] altered, acquired, appropriated, damaged, deleted, or
disrupted by the offense; or
(ii) attempt to restore, recover, or
replace any data altered, acquired, appropriated, damaged,
deleted, or disrupted.
(11-a) "Decryption," "decrypt," or "decrypted" means
the decoding of encrypted communications or information, whether by
use of a decryption key, by breaking an encryption formula or
algorithm, or by the interference with a person's use of an
encryption service in a manner that causes information or
communications to be stored or transmitted without encryption.
(13-a) "Encrypted private information" means
encrypted data, documents, wire or electronic communications, or
other information stored on a computer or computer system, whether
in the possession of the owner or a provider of an electronic
communications service or a remote computing service, and which has
not been accessible to the public.
(13-b) "Encryption," "encrypt," or "encrypted" means
the encoding of data, documents, wire or electronic communications,
or other information, using mathematical formulas or algorithms in
order to preserve the confidentiality, integrity, or authenticity
of, and prevent unauthorized access to, such information.
(13-c) "Encryption service" means a computing
service, a computer device, computer software, or technology with
encryption capabilities, and includes any subsequent version of or
update to an encryption service.
SECTION 3. Chapter 33, Penal Code, is amended by adding
Sections 33.022, 33.023, and 33.024 to read as follows:
Sec. 33.022. ELECTRONIC ACCESS INTERFERENCE. (a) A
person, other than a network provider or online service provider
acting for a legitimate business purpose, commits an offense if the
person intentionally interrupts or suspends access to a computer
system or computer network without the effective consent of the
owner.
(b) An offense under this section is a third degree felony.
(c) It is a defense to prosecution under this section that
the person acted with the intent to facilitate a lawful seizure or
search of, or lawful access to, a computer, computer network, or
computer system for a legitimate law enforcement purpose.
Sec. 33.023. ELECTRONIC DATA TAMPERING. (a) In this
section, "ransomware" means a computer contaminant or lock that
restricts access by an unauthorized person to a computer, computer
system, or computer network or any data in a computer, computer
system, or computer network under circumstances in which a person
demands money, property, or a service to remove the computer
contaminant or lock, restore access to the computer, computer
system, computer network, or data, or otherwise remediate the
impact of the computer contaminant or lock.
(b) A person commits an offense if the person intentionally
alters data as it transmits between two computers in a computer
network or computer system through deception and without a
legitimate business purpose.
(c) A person commits an offense if the person intentionally
introduces ransomware onto a computer, computer network, or
computer system through deception and without a legitimate business
purpose.
(d) An offense under this section is a Class A misdemeanor,
unless the person acted with the intent to defraud or harm another,
in which event the offense is:
(1) a state jail felony if the aggregate amount
involved is $2,500 or more but less than $30,000;
(2) a felony of the third degree if the aggregate
amount involved is $30,000 or more but less than $150,000;
(3) a felony of the second degree if:
(A) the aggregate amount involved is $150,000 or
more but less than $300,000; or
(B) the aggregate amount involved is any amount
less than $300,000 and the computer, computer network, or computer
system is owned by the government or a critical infrastructure
facility; or
(4) a felony of the first degree if the aggregate
amount involved is $300,000 or more.
(e) When benefits are obtained, a victim is defrauded or
harmed, or property is altered, appropriated, damaged, or deleted
in violation of this section, whether or not in a single incident,
the conduct may be considered as one offense and the value of the
benefits obtained and of the losses incurred because of the fraud,
harm, or alteration, appropriation, damage, or deletion of property
may be aggregated in determining the grade of the offense.
(f) A person who is subject to prosecution under this
section and any other section of this code may be prosecuted under
either or both sections.
(g) Software is not ransomware for the purposes of this
section if the software restricts access to data because:
(1) authentication is required to upgrade or access
purchased content; or
(2) access to subscription content has been blocked
for nonpayment.
Sec. 33.024. UNLAWFUL DECRYPTION. (a) A person commits an
offense if the person intentionally decrypts encrypted private
information through deception and without a legitimate business
purpose.
(b) An offense under this section is a Class A misdemeanor,
unless the person acted with the intent to defraud or harm another,
in which event the offense is:
(1) a state jail felony if the aggregate amount
involved is less than $30,000;
(2) a felony of the third degree if the aggregate
amount involved is $30,000 or more but less than $150,000;
(3) a felony of the second degree if:
(A) the aggregate amount involved is $150,000 or
more but less than $300,000; or
(B) the aggregate amount involved is any amount
less than $300,000 and the computer, computer network, or computer
system is owned by the government or a critical infrastructure
facility; or
(4) a felony of the first degree if the aggregate
amount involved is $300,000 or more.
(c) It is a defense to prosecution under this section that
the actor's conduct was pursuant to an agreement entered into with
the owner for the purpose of:
(1) assessing or maintaining the security of the
information or of a computer, computer network, or computer system;
or
(2) providing other services related to security.
(d) A person who is subject to prosecution under this
section and any other section of this code may be prosecuted under
either or both sections.
SECTION 4. Section 33.03, Penal Code, is amended to read as
follows:
Sec. 33.03. DEFENSES. It is an affirmative defense to
prosecution under Section 33.02 or 33.022 that the actor was an
officer, employee, or agent of a communications common carrier or
electric utility and committed the proscribed act or acts in the
course of employment while engaged in an activity that is a
necessary incident to the rendition of service or to the protection
of the rights or property of the communications common carrier or
electric utility.
SECTION 5. The change in law made by this Act applies only
to an offense committed on or after the effective date of this Act.
An offense committed before the effective date of this Act is
governed by the law in effect on the date the offense was committed,
and the former law is continued in effect for that purpose. For
purposes of this section, an offense was committed before the
effective date of this Act if any element of the offense occurred
before that date.
SECTION 6. This Act takes effect September 1, 2017.