On November 5th, Florida State Senator Jeff Brandes (R- Dist. 22) introduced legislation that would amend Florida’s Computer Crimes Act (Fla. Stat. § 815.01–07) (the "FCCA"). While only just introduced and likely subject to further amendments, the Bill (SB 364) provides a few noteworthy changes to the state's current computer crimes statute.
I was able to speak with Senator Brandes about the substance of his Bill and his decision to amend the FCCA. Senator Brandes started looking into the effectiveness of Florida’s computer crimes law after hearing a recent story out of Texas. Back in August, a Texas native, Marc Gilbert, was startled to find a stranger screaming expletives to his 2-year-old daughter through the family’s internet-connected baby monitor. It was later discovered that Gilbert's baby monitor had been hacked, allowing a stranger to take over the device (great coverage of this story can be found by Forbes’ Kashmir Hill here and here). After hearing of Gilbert's story, Senator Brandes wondered whether Florida’s laws would have effectively addressed such activity, and if not, what would be needed to do so. Those questions, and the many discussions that would follow, eventually led to the introduction of Florida Senate Bill 364.
According to Senator Brandes, Florida’s Computer Crimes Act has not been substantially amended in about ten years. This Bill, in turn, proposes a number of amendments intended to "update" the FCCA in order to more effectively respond to our evolving technological environment. When discussing the Bill, Senator Brandes stated that (in addition to deterring would-be baby monitor hackers) he wanted to specifically address the unauthorized access of medical devices and public utilities. “We thought these were two areas that needed to be raised to a higher standard,” Senator Brandes stated. The Bill's language, including the addition of an entirely new section specific to the unauthorized access of public utility computer systems, reflects the Senator’s objectives.
So what, specifically, has Senator Brandes proposed? Here are a few highlights of the Bill’s current language.
Definitions
In addition to rewording the FCCA’s definition of “computer network” (§ 815.03(4)), the Bill would also add a new definition: “electronic device.” Under the current language of the Bill, “electronic device” is defined as
“a device that is capable of communicating across a computer network with other computers or devices for the purpose of transmitting, receiving, or storing data.”
(a) “an individual,”
(b) “A partnership, corporation, association, or other entity doing business in this state, or an officer, agent, or employee of such an entity;” or
(c) “An officer, employee, or agent of the state or a county, municipality, special district, or other political subdivision whether executive, judicial, or legislative, including, but not limited to, a department, division, bureau, commission, authority, district, or agency thereof.”
The newly defined “electronic device” would then be included into many of the Act’s substantive criminal offensives, including the FCCA’s “offenses against intellectual property” (specifically added in § 815.04(1), (2)) and “offenses against computer users” (specifically added in § 815.06(2)(a),(c),(d), and (e)). So, for example, a person who willfully, knowingly, and without authorization, accesses an electronic device with knowledge that such access is unauthorized, would violate the proposed § 815.06(2)(a).
In addition, § 815.06 would be expanded to include a number of additional offenses. One small change would be the additional language in § 815.06(2)(b). The current language of the statute compared to the Bill’s amended language highlights the subtle (yet possibly significant) proposal:
(2) A person commits an offense against users of computer networks or electronic devices if he willfully, knowingly, and without authorization:
CURRENT LANGUAGE: (b) Disrupts or denies or causes the denial of computer system services to an authorized user of such computer system services, which, in whole or part, is owned by, under contract to, or operated for, on behalf of, or in conjunction with another;
AMENDED LANGUAGE: (b) Disrupts or denies or causes the denial of the ability to transmit datacomputer system servicesto or from an authorized user of such computer system or computer network services, which, in whole or in part, is owned by, under contract to, or operated for, on behalf of, or in conjunction with another;
(2) A person commits an offense against users of computer networks or electronic devices if he willfully, knowingly, and without authorization:
. . .
(f) Engages in audio or video surveillance of an individual without that individual's knowledge by accessing any inherent feature or component of a computer, computer system, computer network, or electronic device, including accessing the data or information of a computer, computer system, computer network, or electronic device that is stored by a third party.
Offense against “Public Utilities”
Another major proposal is the addition of an entirely new offense: “Offenses against public utilities.” The new section, § 815.061, would borrow the definition of “public utilities” currently found in §366.02(1):
Specifically, the new § 815.061 would include the following offenses and penalties:“Public utility” means every person, corporation, partnership, association, or other legal entity and their lessees, trustees, or receivers supplying electricity or gas (natural, manufactured, or similar gaseous substance) to or for the public within this state; but the term “public utility” does not include either a cooperative now or hereafter organized and existing under the Rural Electric Cooperative Law of the state; a municipality or any agency thereof; any dependent or independent special natural gas district; any natural gas transmission pipeline company making only sales or transportation delivery of natural gas at wholesale and to direct industrial consumers; any entity selling or arranging for sales of natural gas which neither owns nor operates natural gas transmission or distribution facilities within the state; or a person supplying liquefied petroleum gas, in either liquid or gaseous form, irrespective of the method of distribution or delivery, or owning or operating facilities beyond the outlet of a meter through which natural gas is supplied for compression and delivery into motor vehicle fuel tanks or other transportation containers, unless such person also supplies electricity or manufactured or natural gas.
(2) A person may not willfully, knowingly, and without authorization:Penalties
(a) Gain access to a computer, computer system, computer network, or electronic device owned, operated, or used by a public utility while knowing that such access is unauthorized.
(b) Physically tamper with, insert software into, or otherwise transmit commands or electronic communications to a computer, computer system, computer network, or electronic device which cause a disruption in any service delivered by a public utility.
(3)(a) A person who violates paragraph (2)(a) commits a felony of the third degree, punishable as provided in § 775.082, § 775.083, or § 775.084.
(b) A person who violates paragraph (2)(b) commits a felony of the second degree, punishable as provided in § 775.082, § 775.083, or § 775.084.
The Bill would also add to the current penalties under the FCCA. The Bill would make it a second degree felony for any individual who violates § 815.06(2), and his or her actions
“intentionally interrupt[] the transmittal of data to or from, or gains unauthorized access to, a computer, computer system, computer network, or electronic device belonging to any mode of public or private transit, as defined in § 341.031.”Additionally, the Bill would make it a first degree felony for any individual who violates § 815.06(2), and his or her actions
“disrupt[] a computer, computer system, computer network, or electronic device that affects medical equipment used in the direct administration of medical care or treatment to a person.”Conclusion
Overall, these amendments would provide some significant changes to Florida's Computer Crimes Act. As I stated, this Bill is still in its infancy and will likely be subject to numerous changes as it makes its way through the Florida Legislature (or as Senator Brandes put it, the Bill is still likely to be "heavily vetted").
I'll be interested to see the reaction of those in the computer crimes field once they have an opportunity to read Senator Brandes' proposal. With much of the cybersecurity debate focusing on critical infrastructure protection, specific criminal statutes that prohibit the unauthorized access of public utilities' computer systems might become a popular addition to many state computer crime statutes. Some states already have specific references to public and private utilities in their computer crime statutes (for example West Virginia Code § 61-3C-14 and Illinois 720 ILCS 5/17-52). However, Senator Brandes' proposal seemed to be much more in-depth, and that's just the "public utilities" addition. The specification of "electronic devices," the heightened penalties for tampering with medical devices, and the language in the proposed "unauthorized audio or video surveillance" crime are all proposals that I'm definitely keeping an eye on.
Author's Note: I would like to thank Florida State Senator Jeff Brandes for taking the time to speak with me about Florida Senate Bill 364. I have no doubt that the Senator's time is precious, so for him to take the time that he did to humor a cybercrime law nerd like myself was much appreciated. Thank you, Senator.
0 comments:
Post a Comment