California makes ransomware a crime

The law is notoriously slow to react to cybercrime, but California has recently become the second state to put ransomware-specific legislation on the books. 

Senate Bill 1137 went into effect on January 1, 2017 after being signed late last year. It followed a massive ransomware incident that victimized one of the state’s hospitals.

Of course, it’s never been legal to infect systems with ransomware. This law merely makes it easier for prosecutors to go after hackers who use it.

Before, the crime would have had to be prosecuted using the notoriously out-of-date and tricky-to-prove Computer Fraud and Abuse Act (CFAA) or laws against extortion and threats. By explicitly making ransomware a crime in and of itself, the law should make a case easier to prove once hackers are caught.

Therein lies the rub

Of course, this may not make much of a difference in deterring hackers. Most are smart enough not to be caught, hiding behind several layers of anonymity and using software and payment methods that are difficult to trace.

So it’s unlikely SB1137 will make a measurable difference in deterring any would-be attackers.

It is encouraging, however, to see legislation that specifically targets the kinds of real-world threats that IT deals with day in and day out.

Hacking and extortion are now a part of the IT landscape, and the sooner legislators recognize that, the sooner they can go about finding ways to combat them.