By: Capriglione, Elkins, Blanco, et al.	H.B. No. 9

	A BILL TO BE ENTITLED
	AN ACT
	relating to cybercrime; creating criminal offenses.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1.  This Act may be cited as the Texas Cybercrime
	Act.
	SECTION 2.  Section 33.01, Penal Code, is amended by
	amending Subdivision (2) and adding Subdivisions (11-a), (13-a),
	(13-b), and (13-c) to read as follows:
	(2)  "Aggregate amount" means the amount of:
	(A)  any direct or indirect loss incurred by a
	victim, including the value of money, property, or service stolen,
	appropriated, or rendered unrecoverable by the offense; or
	(B)  any expenditure required by the victim to:
	(i)  determine whether data or [verify that]
	a computer, computer network, computer program, or computer system
	was [not] altered, acquired, appropriated, damaged, deleted, or
	disrupted by the offense; or
	(ii)  attempt to restore, recover, or
	replace any data altered, acquired, appropriated, damaged,
	deleted, or disrupted.
	(11-a)  "Decryption," "decrypt," or "decrypted" means
	the decoding of encrypted communications or information, whether by
	use of a decryption key, by breaking an encryption formula or
	algorithm, or by the interference with a person's use of an
	encryption service in a manner that causes information or
	communications to be stored or transmitted without encryption.
	(13-a)  "Encrypted private information" means
	encrypted data, documents, wire or electronic communications, or
	other information stored on a computer or computer system, whether
	in the possession of the owner or a provider of an electronic
	communications service or a remote computing service, and which has
	not been accessible to the public.
	(13-b)  "Encryption," "encrypt," or "encrypted" means
	the encoding of data, documents, wire or electronic communications,
	or other information, using mathematical formulas or algorithms in
	order to preserve the confidentiality, integrity, or authenticity
	of, and prevent unauthorized access to, such information.
	(13-c)  "Encryption service" means a computing
	service, a computer device, computer software, or technology with
	encryption capabilities, and includes any subsequent version of or
	update to an encryption service.
	SECTION 3.  Chapter 33, Penal Code, is amended by adding
	Sections 33.022, 33.023, and 33.024 to read as follows:
	Sec. 33.022.  ELECTRONIC ACCESS INTERFERENCE. (a) A
	person, other than a network provider or online service provider
	acting for a legitimate business purpose, commits an offense if the
	person intentionally interrupts or suspends access to a computer
	system or computer network without the effective consent of the
	owner.
	(b)  An offense under this section is a third degree felony.
	(c)  It is a defense to prosecution under this section that
	the person acted with the intent to facilitate a lawful seizure or
	search of, or lawful access to, a computer, computer network, or
	computer system for a legitimate law enforcement purpose.
	Sec. 33.023.  ELECTRONIC DATA TAMPERING. (a)  In this
	section, "ransomware" means a computer contaminant or lock that
	restricts access by an unauthorized person to a computer, computer
	system, or computer network or any data in a computer, computer
	system, or computer network under circumstances in which a person
	demands money, property, or a service to remove the computer
	contaminant or lock, restore access to the computer, computer
	system, computer network, or data, or otherwise remediate the
	impact of the computer contaminant or lock.
	(b)  A person commits an offense if the person intentionally
	alters data as it transmits between two computers in a computer
	network or computer system through deception and without a
	legitimate business purpose.
	(c)  A person commits an offense if the person intentionally
	introduces ransomware onto a computer, computer network, or
	computer system through deception and without a legitimate business
	purpose.
	(d)  An offense under this section is a Class A misdemeanor,
	unless the person acted with the intent to defraud or harm another,
	in which event the offense is:
	(1)  a state jail felony if the aggregate amount
	involved is $2,500 or more but less than $30,000;
	(2)  a felony of the third degree if the aggregate
	amount involved is $30,000 or more but less than $150,000;
	(3)  a felony of the second degree if:
	(A)  the aggregate amount involved is $150,000 or
	more but less than $300,000; or
	(B)  the aggregate amount involved is any amount
	less than $300,000 and the computer, computer network, or computer
	system is owned by the government or a critical infrastructure
	facility; or
	(4)  a felony of the first degree if the aggregate
	amount involved is $300,000 or more.
	(e)  When benefits are obtained, a victim is defrauded or
	harmed, or property is altered, appropriated, damaged, or deleted
	in violation of this section, whether or not in a single incident,
	the conduct may be considered as one offense and the value of the
	benefits obtained and of the losses incurred because of the fraud,
	harm, or alteration, appropriation, damage, or deletion of property
	may be aggregated in determining the grade of the offense.
	(f)  A person who is subject to prosecution under this
	section and any other section of this code may be prosecuted under
	either or both sections.
	(g)  Software is not ransomware for the purposes of this
	section if the software restricts access to data because:
	(1)  authentication is required to upgrade or access
	purchased content; or
	(2)  access to subscription content has been blocked
	for nonpayment.
	Sec. 33.024.  UNLAWFUL DECRYPTION. (a)  A person commits an
	offense if the person intentionally decrypts encrypted private
	information through deception and without a legitimate business
	purpose.
	(b)  An offense under this section is a Class A misdemeanor,
	unless the person acted with the intent to defraud or harm another,
	in which event the offense is:
	(1)  a state jail felony if the aggregate amount
	involved is less than $30,000;
	(2)  a felony of the third degree if the aggregate
	amount involved is $30,000 or more but less than $150,000;
	(3)  a felony of the second degree if:
	(A)  the aggregate amount involved is $150,000 or
	more but less than $300,000; or
	(B)  the aggregate amount involved is any amount
	less than $300,000 and the computer, computer network, or computer
	system is owned by the government or a critical infrastructure
	facility; or
	(4)  a felony of the first degree if the aggregate
	amount involved is $300,000 or more.
	(c)  It is a defense to prosecution under this section that
	the actor's conduct was pursuant to an agreement entered into with
	the owner for the purpose of:
	(1)  assessing or maintaining the security of the
	information or of a computer, computer network, or computer system;
	or
	(2)  providing other services related to security.
	(d)  A person who is subject to prosecution under this
	section and any other section of this code may be prosecuted under
	either or both sections.
	SECTION 4.  Section 33.03, Penal Code, is amended to read as
	follows:
	Sec. 33.03.  DEFENSES. It is an affirmative defense to
	prosecution under Section 33.02 or 33.022 that the actor was an
	officer, employee, or agent of a communications common carrier or
	electric utility and committed the proscribed act or acts in the
	course of employment while engaged in an activity that is a
	necessary incident to the rendition of service or to the protection
	of the rights or property of the communications common carrier or
	electric utility.
	SECTION 5.  The change in law made by this Act applies only
	to an offense committed on or after the effective date of this Act.
	An offense committed before the effective date of this Act is
	governed by the law in effect on the date the offense was committed,
	and the former law is continued in effect for that purpose.  For
	purposes of this section, an offense was committed before the
	effective date of this Act if any element of the offense occurred
	before that date.
	SECTION 6.  This Act takes effect September 1, 2017.