What Are Ransomware Laws?

Now, we know what ransomware is and a little on how to fight against it.  So, what are the applicable statutes and how can you recover? Naturally, after a person pays the ransom, or loses their data, they have been harmed by a violation. This could be potentially devastating to a small business or an individual.  Yet, there’s no explicit way to recover the funds or recover from the harm except through a lawsuit. While, there is a statute specific to ransomware in California, individuals do have other avenues and claims.  What is this new statute? What can someone recover in a lawsuit? Are there any difficulties for ransomware lawsuits?

Ransomware Statutes

In September 2016, California passed a ransomware statute under SB 1137, which in essence amended Penal Code § 523.  This was prompted by an uptick of the attacks on hospitals.  In the statute, the use of ransomware is punishable by 2-4 years in prison. This is in line with treating ransomware like extortion crimes.  Furthermore, it defines ransomware in the statute as a “computer contaminant or lock placed or introduced without authorization into a computer . . . which the person responsible for the placement or introduction of the ransomware demands payment . . . to remove the computer contaminant . . .”

California is not the only jurisdiction to prohibit ransomware.  In fact, Wyoming has also enacted ransomware laws. However, in Wyoming, imprisonment can be imposed for as long as 10 years with a possibility of a $10,000 fine.

These laws open another claim for prosecutors, but not for civil cases.  Instead, common law torts still apply. The relevant case in California is eBay, Inc. v. Bidder’s Edge, Inc. (N.D. Cal. 2000) 100 F.Supp.2d 1058, 1069-70.  In general, trespass to chattels requires the intentional and unauthorized interference with plaintiff’s possessory interests in a computer system, and defendant’s unauthorized use causing damage towards plaintiff.

What are the difficulties?

As we’ve mentioned before regarding anonymous online speech, the largest problem is occasionally finding the culprit.  While there may be ways to determine his or her identity–such as email address, phone number, or bank account number–but it is not an easy task. The hacker may be a “script kiddie” purchasing a common ransomware. Thereafter, the ransom may be routed through cryptocurrency to make it harder to trace. Indeed, a person could spend more time trying to find the hacker than he/she may recover at the end.  This is by far the largest problem with any ransomware claim.  From there, common law torts can apply, which includes, trespass to chattels due to the unauthorized access and impairment of the computer system.

That said, the new California law does not appear to provide an actual remedy, but rather provides that a perpetrator can be found and arrested for the crime.  This can possibly assist private entities in identifying possible defendants, but it would still be difficult to do so depending on how the ransomware attack was carried out.

At our law firm, we assist clients with legal issues related to unauthorized access to computers, and computer security or privacy issues.  Please contact us to set up an initial consultation.