By: Capriglione, Elkins, Blanco, et al. H.B. No. 9 A BILL TO BE ENTITLED AN ACT relating to cybercrime; creating criminal offenses. BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: SECTION 1. This Act may be cited as the Texas Cybercrime Act. SECTION 2. Section 33.01, Penal Code, is amended by amending Subdivision (2) and adding Subdivisions (11-a), (13-a), (13-b), and (13-c) to read as follows: (2) "Aggregate amount" means the amount of: (A) any direct or indirect loss incurred by a victim, including the value of money, property, or service stolen, appropriated, or rendered unrecoverable by the offense; or (B) any expenditure required by the victim to: (i) determine whether data or [verify that] a computer, computer network, computer program, or computer system was [not] altered, acquired, appropriated, damaged, deleted, or disrupted by the offense; or (ii) attempt to restore, recover, or replace any data altered, acquired, appropriated, damaged, deleted, or disrupted. (11-a) "Decryption," "decrypt," or "decrypted" means the decoding of encrypted communications or information, whether by use of a decryption key, by breaking an encryption formula or algorithm, or by the interference with a person's use of an encryption service in a manner that causes information or communications to be stored or transmitted without encryption. (13-a) "Encrypted private information" means encrypted data, documents, wire or electronic communications, or other information stored on a computer or computer system, whether in the possession of the owner or a provider of an electronic communications service or a remote computing service, and which has not been accessible to the public. (13-b) "Encryption," "encrypt," or "encrypted" means the encoding of data, documents, wire or electronic communications, or other information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized access to, such information. (13-c) "Encryption service" means a computing service, a computer device, computer software, or technology with encryption capabilities, and includes any subsequent version of or update to an encryption service. SECTION 3. Chapter 33, Penal Code, is amended by adding Sections 33.022, 33.023, and 33.024 to read as follows: Sec. 33.022. ELECTRONIC ACCESS INTERFERENCE. (a) A person, other than a network provider or online service provider acting for a legitimate business purpose, commits an offense if the person intentionally interrupts or suspends access to a computer system or computer network without the effective consent of the owner. (b) An offense under this section is a third degree felony. (c) It is a defense to prosecution under this section that the person acted with the intent to facilitate a lawful seizure or search of, or lawful access to, a computer, computer network, or computer system for a legitimate law enforcement purpose. Sec. 33.023. ELECTRONIC DATA TAMPERING. (a) In this section, "ransomware" means a computer contaminant or lock that restricts access by an unauthorized person to a computer, computer system, or computer network or any data in a computer, computer system, or computer network under circumstances in which a person demands money, property, or a service to remove the computer contaminant or lock, restore access to the computer, computer system, computer network, or data, or otherwise remediate the impact of the computer contaminant or lock. (b) A person commits an offense if the person intentionally alters data as it transmits between two computers in a computer network or computer system through deception and without a legitimate business purpose. (c) A person commits an offense if the person intentionally introduces ransomware onto a computer, computer network, or computer system through deception and without a legitimate business purpose. (d) An offense under this section is a Class A misdemeanor, unless the person acted with the intent to defraud or harm another, in which event the offense is: (1) a state jail felony if the aggregate amount involved is $2,500 or more but less than $30,000; (2) a felony of the third degree if the aggregate amount involved is $30,000 or more but less than $150,000; (3) a felony of the second degree if: (A) the aggregate amount involved is $150,000 or more but less than $300,000; or (B) the aggregate amount involved is any amount less than $300,000 and the computer, computer network, or computer system is owned by the government or a critical infrastructure facility; or (4) a felony of the first degree if the aggregate amount involved is $300,000 or more. (e) When benefits are obtained, a victim is defrauded or harmed, or property is altered, appropriated, damaged, or deleted in violation of this section, whether or not in a single incident, the conduct may be considered as one offense and the value of the benefits obtained and of the losses incurred because of the fraud, harm, or alteration, appropriation, damage, or deletion of property may be aggregated in determining the grade of the offense. (f) A person who is subject to prosecution under this section and any other section of this code may be prosecuted under either or both sections. (g) Software is not ransomware for the purposes of this section if the software restricts access to data because: (1) authentication is required to upgrade or access purchased content; or (2) access to subscription content has been blocked for nonpayment. Sec. 33.024. UNLAWFUL DECRYPTION. (a) A person commits an offense if the person intentionally decrypts encrypted private information through deception and without a legitimate business purpose. (b) An offense under this section is a Class A misdemeanor, unless the person acted with the intent to defraud or harm another, in which event the offense is: (1) a state jail felony if the aggregate amount involved is less than $30,000; (2) a felony of the third degree if the aggregate amount involved is $30,000 or more but less than $150,000; (3) a felony of the second degree if: (A) the aggregate amount involved is $150,000 or more but less than $300,000; or (B) the aggregate amount involved is any amount less than $300,000 and the computer, computer network, or computer system is owned by the government or a critical infrastructure facility; or (4) a felony of the first degree if the aggregate amount involved is $300,000 or more. (c) It is a defense to prosecution under this section that the actor's conduct was pursuant to an agreement entered into with the owner for the purpose of: (1) assessing or maintaining the security of the information or of a computer, computer network, or computer system; or (2) providing other services related to security. (d) A person who is subject to prosecution under this section and any other section of this code may be prosecuted under either or both sections. SECTION 4. Section 33.03, Penal Code, is amended to read as follows: Sec. 33.03. DEFENSES. It is an affirmative defense to prosecution under Section 33.02 or 33.022 that the actor was an officer, employee, or agent of a communications common carrier or electric utility and committed the proscribed act or acts in the course of employment while engaged in an activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the communications common carrier or electric utility. SECTION 5. The change in law made by this Act applies only to an offense committed on or after the effective date of this Act. An offense committed before the effective date of this Act is governed by the law in effect on the date the offense was committed, and the former law is continued in effect for that purpose. For purposes of this section, an offense was committed before the effective date of this Act if any element of the offense occurred before that date. SECTION 6. This Act takes effect September 1, 2017.