H.B. No. 9         AN ACT   relating to cybercrime; creating criminal offenses.          BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:          SECTION 1.  This Act may be cited as the Texas Cybercrime   Act.          SECTION 2.  Section 33.01, Penal Code, is amended by   amending Subdivision (2) and adding Subdivisions (11-a), (13-a),   (13-b), (13-c), and (15-a) to read as follows:                (2)  "Aggregate amount" means the amount of:                      (A)  any direct or indirect loss incurred by a   victim, including the value of money, property, or service stolen,   appropriated, or rendered unrecoverable by the offense; or                      (B)  any expenditure required by the victim to:                            (i)  determine whether data or [verify that]   a computer, computer network, computer program, or computer system   was [not] altered, acquired, appropriated, damaged, deleted, or   disrupted by the offense; or                            (ii)  attempt to restore, recover, or   replace any data altered, acquired, appropriated, damaged,   deleted, or disrupted.                (11-a)  "Decryption," "decrypt," or "decrypted" means   the decoding of encrypted communications or information, whether by   use of a decryption key, by breaking an encryption formula or   algorithm, or by the interference with a person's use of an   encryption service in a manner that causes information or   communications to be stored or transmitted without encryption.                (13-a)  "Encrypted private information" means   encrypted data, documents, wire or electronic communications, or   other information stored on a computer or computer system, whether   in the possession of the owner or a provider of an electronic   communications service or a remote computing service, and which has   not been accessible to the public.                (13-b)  "Encryption," "encrypt," or "encrypted" means   the encoding of data, documents, wire or electronic communications,   or other information, using mathematical formulas or algorithms in   order to preserve the confidentiality, integrity, or authenticity   of, and prevent unauthorized access to, such information.                (13-c)  "Encryption service" means a computing   service, a computer device, computer software, or technology with   encryption capabilities, and includes any subsequent version of or   update to an encryption service.                (15-a)  "Privileged information" means:                      (A)  protected health information, as that term is   defined by Section 182.002, Health and Safety Code;                      (B)  information that is subject to the   attorney-client privilege; or                      (C)  information that is subject to the   accountant-client privilege under Section 901.457, Occupations   Code, or other law, if the information is on a computer, computer   network, or computer system owned by a person possessing a license   issued under Subchapter H, Chapter 901, Occupations Code.          SECTION 3.  Chapter 33, Penal Code, is amended by adding   Sections 33.022, 33.023, and 33.024 to read as follows:          Sec. 33.022.  ELECTRONIC ACCESS INTERFERENCE. (a) A   person, other than a network provider or online service provider   acting for a legitimate business purpose, commits an offense if the   person intentionally interrupts or suspends access to a computer   system or computer network without the effective consent of the   owner.          (b)  An offense under this section is a third degree felony.          (c)  It is a defense to prosecution under this section that   the person acted with the intent to facilitate a lawful seizure or   search of, or lawful access to, a computer, computer network, or   computer system for a legitimate law enforcement purpose.          Sec. 33.023.  ELECTRONIC DATA TAMPERING. (a)  In this   section, "ransomware" means a computer contaminant or lock that   restricts access by an unauthorized person to a computer, computer   system, or computer network or any data in a computer, computer   system, or computer network under circumstances in which a person   demands money, property, or a service to remove the computer   contaminant or lock, restore access to the computer, computer   system, computer network, or data, or otherwise remediate the   impact of the computer contaminant or lock.          (b)  A person commits an offense if the person intentionally   alters data as it transmits between two computers in a computer   network or computer system through deception and without a   legitimate business purpose.          (c)  A person commits an offense if the person intentionally   introduces ransomware onto a computer, computer network, or   computer system through deception and without a legitimate business   purpose.            (d)  Subject to Subsections (d-1) and (d-2), an offense under   this section is a Class C misdemeanor.          (d-1)  Subject to Subsection (d-2), if it is shown on the   trial of the offense that the defendant acted with the intent to   defraud or harm another, an offense under this section is:                (1)  a Class C misdemeanor if the aggregate amount   involved is less than $100 or cannot be determined;                (2)  a Class B misdemeanor if the aggregate amount   involved is $100 or more but less than $750;                (3)  a Class A misdemeanor if the aggregate amount   involved is $750 or more but less than $2,500;                (4)  a state jail felony if the aggregate amount   involved is $2,500 or more but less than $30,000;                (5)  a felony of the third degree if the aggregate   amount involved is $30,000 or more but less than $150,000;                (6)  a felony of the second degree if the aggregate   amount involved is $150,000 or more but less than $300,000; and                (7)  a felony of the first degree if the aggregate   amount involved is $300,000 or more.          (d-2)  If it is shown on the trial of the offense that the   defendant knowingly restricted a victim's access to privileged   information, an offense under this section is:                (1)  a state jail felony if the value of the aggregate   amount involved is less than $2,500;                (2)  a felony of the third degree if:                      (A)  the value of the aggregate amount involved is   $2,500 or more but less than $30,000; or                      (B)  a client or patient of a victim suffered harm   attributable to the offense;                (3)  a felony of the second degree if:                      (A)  the value of the aggregate amount involved is   $30,000 or more but less than $150,000; or                      (B)  a client or patient of a victim suffered   bodily injury attributable to the offense; and                (4)  a felony of the first degree if:                      (A)  the value of the aggregate amount involved is   $150,000 or more; or                      (B)  a client or patient of a victim suffered   serious bodily injury or death attributable to the offense.          (e)  When benefits are obtained, a victim is defrauded or   harmed, or property is altered, appropriated, damaged, or deleted   in violation of this section, whether or not in a single incident,   the conduct may be considered as one offense and the value of the   benefits obtained and of the losses incurred because of the fraud,   harm, or alteration, appropriation, damage, or deletion of property   may be aggregated in determining the grade of the offense.          (f)  A person who is subject to prosecution under this   section and any other section of this code may be prosecuted under   either or both sections.          (g)  Software is not ransomware for the purposes of this   section if the software restricts access to data because:                (1)  authentication is required to upgrade or access   purchased content; or                (2)  access to subscription content has been blocked   for nonpayment.          Sec. 33.024.  UNLAWFUL DECRYPTION. (a)  A person commits an   offense if the person intentionally decrypts encrypted private   information through deception and without a legitimate business   purpose.          (b)  Subject to Subsections (b-1) and (b-2), an offense under   this section is a Class C misdemeanor.          (b-1)  Subject to Subsection (b-2), if it is shown on the   trial of the offense that the defendant acted with the intent to   defraud or harm another, an offense under this section is:                (1)  a Class C misdemeanor if the value of the aggregate   amount involved is less than $100 or cannot be determined;                (2)  a Class B misdemeanor if the value of the aggregate   amount involved is $100 or more but less than $750;                (3)  a Class A misdemeanor if the value of the aggregate   amount involved is $750 or more but less than $2,500;                (4)  a state jail felony if the value of the aggregate   amount involved is $2,500 or more but less than $30,000;                (5)  a felony of the third degree if the value of the   aggregate amount involved is $30,000 or more but less than   $150,000;                (6)  a felony of the second degree if the value of the   aggregate amount involved is $150,000 or more but less than   $300,000; and                (7)  a felony of the first degree if the value of the   aggregate amount involved is $300,000 or more.          (b-2)  If it is shown on the trial of the offense that the   defendant knowingly decrypted privileged information, an offense   under this section is:                (1)  a state jail felony if the value of the aggregate   amount involved is less than $2,500;                (2)  a felony of the third degree if:                      (A)  the value of the aggregate amount involved is   $2,500 or more but less than $30,000; or                      (B)  a client or patient of a victim suffered harm   attributable to the offense;                (3)  a felony of the second degree if:                      (A)  the value of the aggregate amount involved is   $30,000 or more but less than $150,000; or                      (B)  a client or patient of a victim suffered   bodily injury attributable to the offense; and                (4)  a felony of the first degree if:                      (A)  the value of the aggregate amount involved is   $150,000 or more; or                      (B)  a client or patient of a victim suffered   serious bodily injury or death attributable to the offense.          (c)  It is a defense to prosecution under this section that   the actor's conduct was pursuant to an agreement entered into with   the owner for the purpose of:                (1)  assessing or maintaining the security of the   information or of a computer, computer network, or computer system;   or                (2)  providing other services related to security.          (d)  A person who is subject to prosecution under this   section and any other section of this code may be prosecuted under   either or both sections.          SECTION 4.  Section 33.03, Penal Code, is amended to read as   follows:          Sec. 33.03.  DEFENSES. It is an affirmative defense to   prosecution under Section 33.02 or 33.022 that the actor was an   officer, employee, or agent of a communications common carrier or   electric utility and committed the proscribed act or acts in the   course of employment while engaged in an activity that is a   necessary incident to the rendition of service or to the protection   of the rights or property of the communications common carrier or   electric utility.          SECTION 5.  The change in law made by this Act applies only   to an offense committed on or after the effective date of this Act.     An offense committed before the effective date of this Act is   governed by the law in effect on the date the offense was committed,   and the former law is continued in effect for that purpose.  For   purposes of this section, an offense was committed before the   effective date of this Act if any element of the offense occurred   before that date.          SECTION 6.  This Act takes effect September 1, 2017.       ______________________________ ______________________________      President of the Senate Speaker of the House                   I certify that H.B. No. 9 was passed by the House on April 13,   2017, by the following vote:  Yeas 139, Nays 0, 2 present, not   voting; and that the House concurred in Senate amendments to H.B.   No. 9 on May 26, 2017, by the following vote:  Yeas 142, Nays 0, 2   present, not voting.     ______________________________   Chief Clerk of the House               I certify that H.B. No. 9 was passed by the Senate, with   amendments, on May 24, 2017, by the following vote:  Yeas 31, Nays   0.     ______________________________   Secretary of the Senate      APPROVED: __________________                   Date                       __________________                 Governor