H.B. No. 9
AN ACT
relating to cybercrime; creating criminal offenses.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. This Act may be cited as the Texas Cybercrime
Act.
SECTION 2. Section 33.01, Penal Code, is amended by
amending Subdivision (2) and adding Subdivisions (11-a), (13-a),
(13-b), (13-c), and (15-a) to read as follows:
(2) "Aggregate amount" means the amount of:
(A) any direct or indirect loss incurred by a
victim, including the value of money, property, or service stolen,
appropriated, or rendered unrecoverable by the offense; or
(B) any expenditure required by the victim to:
(i) determine whether data or [verify that]
a computer, computer network, computer program, or computer system
was [not] altered, acquired, appropriated, damaged, deleted, or
disrupted by the offense; or
(ii) attempt to restore, recover, or
replace any data altered, acquired, appropriated, damaged,
deleted, or disrupted.
(11-a) "Decryption," "decrypt," or "decrypted" means
the decoding of encrypted communications or information, whether by
use of a decryption key, by breaking an encryption formula or
algorithm, or by the interference with a person's use of an
encryption service in a manner that causes information or
communications to be stored or transmitted without encryption.
(13-a) "Encrypted private information" means
encrypted data, documents, wire or electronic communications, or
other information stored on a computer or computer system, whether
in the possession of the owner or a provider of an electronic
communications service or a remote computing service, and which has
not been accessible to the public.
(13-b) "Encryption," "encrypt," or "encrypted" means
the encoding of data, documents, wire or electronic communications,
or other information, using mathematical formulas or algorithms in
order to preserve the confidentiality, integrity, or authenticity
of, and prevent unauthorized access to, such information.
(13-c) "Encryption service" means a computing
service, a computer device, computer software, or technology with
encryption capabilities, and includes any subsequent version of or
update to an encryption service.
(15-a) "Privileged information" means:
(A) protected health information, as that term is
defined by Section 182.002, Health and Safety Code;
(B) information that is subject to the
attorney-client privilege; or
(C) information that is subject to the
accountant-client privilege under Section 901.457, Occupations
Code, or other law, if the information is on a computer, computer
network, or computer system owned by a person possessing a license
issued under Subchapter H, Chapter 901, Occupations Code.
SECTION 3. Chapter 33, Penal Code, is amended by adding
Sections 33.022, 33.023, and 33.024 to read as follows:
Sec. 33.022. ELECTRONIC ACCESS INTERFERENCE. (a) A
person, other than a network provider or online service provider
acting for a legitimate business purpose, commits an offense if the
person intentionally interrupts or suspends access to a computer
system or computer network without the effective consent of the
owner.
(b) An offense under this section is a third degree felony.
(c) It is a defense to prosecution under this section that
the person acted with the intent to facilitate a lawful seizure or
search of, or lawful access to, a computer, computer network, or
computer system for a legitimate law enforcement purpose.
Sec. 33.023. ELECTRONIC DATA TAMPERING. (a) In this
section, "ransomware" means a computer contaminant or lock that
restricts access by an unauthorized person to a computer, computer
system, or computer network or any data in a computer, computer
system, or computer network under circumstances in which a person
demands money, property, or a service to remove the computer
contaminant or lock, restore access to the computer, computer
system, computer network, or data, or otherwise remediate the
impact of the computer contaminant or lock.
(b) A person commits an offense if the person intentionally
alters data as it transmits between two computers in a computer
network or computer system through deception and without a
legitimate business purpose.
(c) A person commits an offense if the person intentionally
introduces ransomware onto a computer, computer network, or
computer system through deception and without a legitimate business
purpose.
(d) Subject to Subsections (d-1) and (d-2), an offense under
this section is a Class C misdemeanor.
(d-1) Subject to Subsection (d-2), if it is shown on the
trial of the offense that the defendant acted with the intent to
defraud or harm another, an offense under this section is:
(1) a Class C misdemeanor if the aggregate amount
involved is less than $100 or cannot be determined;
(2) a Class B misdemeanor if the aggregate amount
involved is $100 or more but less than $750;
(3) a Class A misdemeanor if the aggregate amount
involved is $750 or more but less than $2,500;
(4) a state jail felony if the aggregate amount
involved is $2,500 or more but less than $30,000;
(5) a felony of the third degree if the aggregate
amount involved is $30,000 or more but less than $150,000;
(6) a felony of the second degree if the aggregate
amount involved is $150,000 or more but less than $300,000; and
(7) a felony of the first degree if the aggregate
amount involved is $300,000 or more.
(d-2) If it is shown on the trial of the offense that the
defendant knowingly restricted a victim's access to privileged
information, an offense under this section is:
(1) a state jail felony if the value of the aggregate
amount involved is less than $2,500;
(2) a felony of the third degree if:
(A) the value of the aggregate amount involved is
$2,500 or more but less than $30,000; or
(B) a client or patient of a victim suffered harm
attributable to the offense;
(3) a felony of the second degree if:
(A) the value of the aggregate amount involved is
$30,000 or more but less than $150,000; or
(B) a client or patient of a victim suffered
bodily injury attributable to the offense; and
(4) a felony of the first degree if:
(A) the value of the aggregate amount involved is
$150,000 or more; or
(B) a client or patient of a victim suffered
serious bodily injury or death attributable to the offense.
(e) When benefits are obtained, a victim is defrauded or
harmed, or property is altered, appropriated, damaged, or deleted
in violation of this section, whether or not in a single incident,
the conduct may be considered as one offense and the value of the
benefits obtained and of the losses incurred because of the fraud,
harm, or alteration, appropriation, damage, or deletion of property
may be aggregated in determining the grade of the offense.
(f) A person who is subject to prosecution under this
section and any other section of this code may be prosecuted under
either or both sections.
(g) Software is not ransomware for the purposes of this
section if the software restricts access to data because:
(1) authentication is required to upgrade or access
purchased content; or
(2) access to subscription content has been blocked
for nonpayment.
Sec. 33.024. UNLAWFUL DECRYPTION. (a) A person commits an
offense if the person intentionally decrypts encrypted private
information through deception and without a legitimate business
purpose.
(b) Subject to Subsections (b-1) and (b-2), an offense under
this section is a Class C misdemeanor.
(b-1) Subject to Subsection (b-2), if it is shown on the
trial of the offense that the defendant acted with the intent to
defraud or harm another, an offense under this section is:
(1) a Class C misdemeanor if the value of the aggregate
amount involved is less than $100 or cannot be determined;
(2) a Class B misdemeanor if the value of the aggregate
amount involved is $100 or more but less than $750;
(3) a Class A misdemeanor if the value of the aggregate
amount involved is $750 or more but less than $2,500;
(4) a state jail felony if the value of the aggregate
amount involved is $2,500 or more but less than $30,000;
(5) a felony of the third degree if the value of the
aggregate amount involved is $30,000 or more but less than
$150,000;
(6) a felony of the second degree if the value of the
aggregate amount involved is $150,000 or more but less than
$300,000; and
(7) a felony of the first degree if the value of the
aggregate amount involved is $300,000 or more.
(b-2) If it is shown on the trial of the offense that the
defendant knowingly decrypted privileged information, an offense
under this section is:
(1) a state jail felony if the value of the aggregate
amount involved is less than $2,500;
(2) a felony of the third degree if:
(A) the value of the aggregate amount involved is
$2,500 or more but less than $30,000; or
(B) a client or patient of a victim suffered harm
attributable to the offense;
(3) a felony of the second degree if:
(A) the value of the aggregate amount involved is
$30,000 or more but less than $150,000; or
(B) a client or patient of a victim suffered
bodily injury attributable to the offense; and
(4) a felony of the first degree if:
(A) the value of the aggregate amount involved is
$150,000 or more; or
(B) a client or patient of a victim suffered
serious bodily injury or death attributable to the offense.
(c) It is a defense to prosecution under this section that
the actor's conduct was pursuant to an agreement entered into with
the owner for the purpose of:
(1) assessing or maintaining the security of the
information or of a computer, computer network, or computer system;
or
(2) providing other services related to security.
(d) A person who is subject to prosecution under this
section and any other section of this code may be prosecuted under
either or both sections.
SECTION 4. Section 33.03, Penal Code, is amended to read as
follows:
Sec. 33.03. DEFENSES. It is an affirmative defense to
prosecution under Section 33.02 or 33.022 that the actor was an
officer, employee, or agent of a communications common carrier or
electric utility and committed the proscribed act or acts in the
course of employment while engaged in an activity that is a
necessary incident to the rendition of service or to the protection
of the rights or property of the communications common carrier or
electric utility.
SECTION 5. The change in law made by this Act applies only
to an offense committed on or after the effective date of this Act.
An offense committed before the effective date of this Act is
governed by the law in effect on the date the offense was committed,
and the former law is continued in effect for that purpose. For
purposes of this section, an offense was committed before the
effective date of this Act if any element of the offense occurred
before that date.
SECTION 6. This Act takes effect September 1, 2017.
______________________________ ______________________________
President of the Senate Speaker of the House
I certify that H.B. No. 9 was passed by the House on April 13,
2017, by the following vote: Yeas 139, Nays 0, 2 present, not
voting; and that the House concurred in Senate amendments to H.B.
No. 9 on May 26, 2017, by the following vote: Yeas 142, Nays 0, 2
present, not voting.
______________________________
Chief Clerk of the House
I certify that H.B. No. 9 was passed by the Senate, with
amendments, on May 24, 2017, by the following vote: Yeas 31, Nays
0.
______________________________
Secretary of the Senate
APPROVED: __________________
Date
__________________
Governor