HOUSE BILL REPORT
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
As Reported by House Committee On:
Title: An act relating to modifying cybercrime provisions.
Brief Description: Modifying cybercrime provisions.
Sponsors: Representatives Tarleton, Hudgins, Jinkins, Ortiz-Self and Irwin.
Public Safety: 1/23/18, 2/1/18 [DPS].
HOUSE COMMITTEE ON PUBLIC SAFETY
Majority Report: The substitute bill be substituted therefor and the substitute bill do pass. Signed by 10 members: Representatives Goodman, Chair; Pellicciotti, Vice Chair; Klippert, Ranking Minority Member; Appleton, Chapman, Griffey, Holy, Orwall, Pettigrew and Van Werven.
Staff: Nate Hickner (786-7291) and Kelly Leonard (786-7147).
A person commits Electronic Data Tampering if he or she maliciously and without authorization:
alters data as it transmits between two data systems over an open or unsecure network; or
introduces any malware into any electronic data, data system, or data network.
Electronic Data Tampering in the second degree is a gross misdemeanor.
A person commits Electronic Data Tampering in the first degree if he or she commits acts constituting Electronic Data Tampering in the second degree, and:
doing so is for the purpose of devising or executing any scheme to defraud, deceive, or extort, or commit any other crime in violation of a state law that is not a cybercrime, or of wrongfully controlling, gaining access to, or obtaining money, property, or electronic data; or
the electronic data, data system, or data network are maintained by a governmental agency.
Electronic Data Tampering in the first degree is a class C felony and a level II offense.
"Malware" means any set of data instructions (such as a computer program) that are designed, without authorization and with malicious intent, for any of the following improper purposes:
to disrupt computer operations;
to gather sensitive information; or
to gain access to private computer systems.
"Malware" does not include software that installs security updates, removes malware, or causes unintentional harm due to some deficiency.
Summary of Substitute Bill:
The definition of "malware" is expanded to include data instructions that are, without authorization and with malicious intent, used or installed for the specified improper purposes. The list of improper purposes is expanded to include data instructions that monitor computer use or gather information about a person or organization.
Electronic Data Tampering in the first and second degrees are expanded by way of the definition of malware. A person is guilty of Electronic Data Tampering if the person has maliciously introduced data instructions to a computer, data, or network that are designed, installed, or used, without authorization and with malicious intent, to:
disrupt computer operations;
monitor computer use;
gather information about a person or organization;
gather sensitive information; or
gain access to private computer systems.
The list of conduct that escalates Electronic Data Tampering in the second degree into Electronic Data Tampering in the first degree is expanded. In addition to current provisions, a person is guilty of Electronic Data Tampering in the first degree when the person maliciously alters data as it transmits between two data systems over an open or unsecure network or introduces malware to any electronic data, data system, or data network for the purpose of devising or executing any scheme to stalk.
Substitute Bill Compared to Original Bill:
Provisions expanding the scope of the crimes of Computer Trespass and Spoofing are removed. Provisions adding or modifying definitions of "computer," "access," "computer software," and "data" are removed. The purpose of devising or executing any scheme to track is removed from the list of motivations that escalate Electronic Data Tampering in the second degree to Electronic Data Tampering in the first degree.
The malicious gathering of information about a person or organization is added to the list of improper purposes within the definition of malware, and an illustrative example of spyware within the definition of malware is removed.
Fiscal Note: Available.
Effective Date of Substitute Bill: The bill takes effect 90 days after adjournment of the session in which the bill is passed.
Staff Summary of Public Testimony:
(In support) There is a gap in Washington law regarding the ability to track, stalk, and potentially commit crimes against individuals who have absolutely no knowledge that they are being tracked and stalked due to the accessibility of their personal data online.
Today, the technologies available to literally any person are akin to the intelligence that was previously only available to government intelligence officials. Information—about background, personal details, health, work records, knowledge of a person's family life, siblings' personal lives—is all available freely to anyone. This extends to imagery in the form of drones, satellites, and Google images, as well as tracking devices that not only pick up words, but can track what is typed into a computer.
All of this data can be manipulated with sophisticated data analysis tools to construct patterns of behavior, maps, and more. Everyone is vulnerable to being tracked or stalked without his or her knowledge. There are a few things that can be done to protect people and help them understand the risks and the ways they can protect themselves and the rest of society if there is malignant intent out there.
This bill represents a tune-up to the Cybercrime Act passed two years ago, and strengthens our laws in a manner that will help retail customers and employees, who are often victims of cybercrime.
Persons Testifying: Representative Tarleton, prime sponsor; and Mark Johnson, Washington Retail Association.
Persons Signed In To Testify But Not Testifying: None.