STATE OF NEW YORK
________________________________________________________________________
8324
2019-2020 Regular Sessions
IN ASSEMBLY
June 14, 2019
___________
Introduced by M. of A. LENTOL -- read once and referred to the Committee
on Codes
AN ACT to amend the penal law and the education law, in relation to
computer-related crimes
The People of the State of New York, represented in Senate and Assem-
bly, do enact as follows:
1 Section 1. Section 156.00 of the penal law, as amended by chapter 558
2 of the laws of 2006, is amended to read as follows:
3 § 156.00 Offenses involving computers; definition of terms.
4 The following definitions are applicable to this chapter except where
5 different meanings are expressly specified:
6 1. "Computer" means a device or group of devices which, by manipu-
7 lation of electronic, magnetic, optical or electrochemical impulses,
8 pursuant to a computer program, can automatically perform arithmetic,
9 logical, storage or retrieval operations with or on computer data, and
10 includes any connected or directly related device, equipment or facility
11 which enables such computer to store, retrieve or communicate to or from
12 a person, another computer or another device the results of computer
13 operations, computer programs or computer data.
14 2. "Computer program" is property and means an ordered set of data
15 representing coded instructions or statements that, when executed by
16 computer, cause the computer, computer system or computer network to
17 process data or direct the computer, computer system or computer network
18 to perform one or more computer operations or both and may be in any
19 form, including magnetic storage media, punched cards, or stored inter-
20 nally in the memory of the computer.
21 3. "Computer data" is property and means a representation of informa-
22 tion, knowledge, facts, concepts or instructions which are being proc-
23 essed, or have been processed in a computer and may be in any form,
24 including magnetic storage media, punched cards, or stored internally in
25 the memory of the computer.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD08736-01-9
A. 8324 2
1 4. "Computer service" means any and all services provided by or
2 through the facilities of any computer communication system allowing the
3 input, output, examination, or transfer, of computer data or computer
4 programs from one computer to another , including, but not limited to,
5 computer time, data processing, storage functions, internet services,
6 electronic mail services, electronic message services, or other use of a
7 computer, computer system or computer network.
8 5. "Computer material" is property and means any computer data or
9 computer program which:
10 (a) contains records of the medical history or medical treatment of an
11 identified or readily identifiable individual or individuals. This term
12 shall not apply to the gaining access to or duplication solely of the
13 medical history or medical treatment records of a person by that person
14 or by another specifically authorized by the person whose records are
15 gained access to or duplicated; or
16 (b) contains records maintained by the state or any political subdivi-
17 sion thereof or any governmental instrumentality within the state which
18 contains any information concerning a person, as defined in subdivision
19 seven of section 10.00 of this chapter, which because of name, number,
20 symbol, mark or other identifier, can be used to identify the person and
21 which is otherwise prohibited by law from being disclosed. This term
22 shall not apply to the gaining access to or duplication solely of
23 records of a person by that person or by another specifically authorized
24 by the person whose records are gained access to or duplicated; or
25 (c) is not and is not intended to be available to anyone other than
26 the person or persons rightfully in possession thereof or selected
27 persons having access thereto with his, her or their consent and which
28 accords or may accord such rightful possessors an advantage over compet-
29 itors or other persons who do not have knowledge or the benefit thereof.
30 6. "Computer network" means the interconnection of hardwire or wire-
31 less communication lines with a computer through remote terminals, or a
32 complex consisting of two or more interconnected computers, including,
33 but not limited to, display terminals, remote systems, mobile devices,
34 and printers connected by computer facilities.
35 7. "Access" means to gain entry to, instruct, cause input to, cause
36 output from, cause data processing with, communicate with, store data
37 in, retrieve from, or otherwise make use of any resources of a computer,
38 computer system or computer network, physically, directly or by elec-
39 tronic means.
40 8. "Without authorization" means to use or to access a computer,
41 computer service or computer network without the permission of the owner
42 or lessor or someone licensed or privileged by the owner or lessor where
43 such person knew that his or her use or access was without permission or
44 after actual notice to such person that such use or access was without
45 permission. It shall also mean the access of a computer service by a
46 person without permission where such person knew that such access was
47 without permission or after actual notice to such person, that such
48 access was without permission.
49 Proof that such person used or accessed a computer, computer service
50 or computer network through the knowing use of a set of instructions,
51 code or computer program that bypasses, defrauds or otherwise circum-
52 vents a security measure installed or used with the user's authorization
53 on the computer, computer service or computer network shall be presump-
54 tive evidence that such person used or accessed such computer, computer
55 service or computer network without authorization.
A. 8324 3
1 9. "Felony" as used in this article means any felony defined in the
2 laws of this state or any offense defined in the laws of any other
3 jurisdiction for which a sentence to a term of imprisonment in excess of
4 one year is authorized in this state.
5 10. "Computer system" means a device or collection of devices, includ-
6 ing support devices and excluding calculators that are not programmable
7 and capable of being used in conjunction with external files, one or
8 more of which contain computer programs, electronic instructions, input
9 data, and output data, that performs functions, including, but not
10 limited to, logic, arithmetic, data storage and retrieval, communi-
11 cation, and control.
12 11. "Government computer system" means any computer system, or part
13 thereof, that is owned, operated, or used by any federal, state, or
14 local governmental entity.
15 12. "Public safety infrastructure computer system" means any computer
16 system, or part thereof, that is necessary for the health and safety of
17 the public including computer systems owned, operated, or used by drink-
18 ing water and wastewater treatment facilities, hospitals, emergency
19 service providers, telecommunication companies, and gas and electric
20 utility companies.
21 13. "Supporting documentation" includes, but is not limited to, all
22 information, in any form, pertaining to the design, construction, clas-
23 sification, implementation, use, or modification of a computer, computer
24 system, computer network, computer program, or computer software, which
25 information is not generally available to the public and is necessary
26 for the operation of a computer, computer system, computer network,
27 computer program, or computer software.
28 14. "Injury" means any alteration, deletion, damage, or destruction of
29 a computer system, computer network, computer program, or data caused by
30 the access, or the denial of access to legitimate users of a computer
31 system, network, or program.
32 15. "Victim expenditure" means any expenditure reasonably and neces-
33 sarily incurred by the owner or lessee to verify that a computer system,
34 computer network, computer program, or data was or was not altered,
35 deleted, damaged, or destroyed by the access.
36 16. "Computer contaminant" means any set of computer instructions that
37 are designed to modify, damage, destroy, record, or transmit information
38 within a computer, computer system, or computer network without the
39 intent or permission of the owner of the information. They include, but
40 are not limited to, a group of computer instructions commonly called
41 viruses or worms, that are self-replicating or self-propagating and are
42 designed to contaminate other computer programs or computer data,
43 consume computer resources, modify, destroy, record, or transmit data,
44 or in some other fashion usurp the normal operation of the computer,
45 computer system, or computer network.
46 17. "Internet domain name" means a globally unique, hierarchical
47 reference to an internet host or service, assigned through centralized
48 internet naming authorities, comprising a series of character strings
49 separated by periods, with the rightmost character string specifying the
50 top of the hierarchy.
51 18. "Electronic mail" means an electronic message or computer file
52 that is transmitted between two or more telecommunications devices;
53 computers; computer networks, regardless of whether the network is a
54 local, regional, or global network; or electronic devices capable of
55 receiving electronic messages, regardless of whether the message is
A. 8324 4
1 converted to hard copy format after receipt, viewed upon transmission,
2 or stored for later retrieval.
3 19. "Profile" means either of the following:
4 (a) a configuration of user data required by a computer so that the
5 user may access programs or services and have the desired functionality
6 on that computer; or
7 (b) an internet web site user's personal page or section of a page
8 that is made up of data, in text or graphical form, that displays
9 significant, unique, or identifying information, including, but not
10 limited to, listing acquaintances, interests, associations, activities,
11 or personal statements.
12 § 2. Section 156.29 of the penal law, as added by chapter 590 of the
13 laws of 2008, is amended to read as follows:
14 § 156.29 Unlawful duplication of computer related material in the second
15 degree.
16 A person is guilty of unlawful duplication of computer related materi-
17 al in the second degree when having no right to do so, he or she copies,
18 reproduces or duplicates or makes use of in any manner any data or
19 computer material [that contains records of the medical history or
20 medical treatment of an identified or readily identifiable individual or
21 individuals with an intent to commit or further the commission of any
22 crime under this chapter] from a computer, computer system, or computer
23 network or takes or copies any supporting documentation, whether exist-
24 ing or residing internal or external to a computer, computer system, or
25 computer network.
26 Unlawful duplication of computer related material in the second degree
27 is a class B misdemeanor.
28 § 3. Section 156.25 of the penal law, as amended by chapter 89 of the
29 laws of 1993, subdivision 2 as amended by chapter 376 of the laws of
30 1997, is amended to read as follows:
31 § 156.25 Computer tampering in the third degree.
32 A person is guilty of computer tampering in the third degree when he
33 or she commits the crime of computer tampering in the fourth degree and:
34 1. he or she does so with an intent: (a) to commit or attempt to
35 commit or further the commission of any felony, (b) to devise or execute
36 any scheme or artifice to defraud, deceive, or extort, or (c) to wrong-
37 fully control or obtain money, property or data; or
38 2. he or she has been previously convicted of any crime under this
39 article or subdivision eleven of section 165.15 of this chapter; or
40 3. he or she intentionally alters in any manner or destroys computer
41 material; or
42 4. he or she intentionally alters in any manner or destroys computer
43 data or a computer program so as to cause damages in an aggregate amount
44 exceeding one thousand dollars; or
45 5. he or she alters in any manner or destroys any data, computer soft-
46 ware, or computer programs which reside or exist internal or external to
47 a public safety infrastructure computer system computer, computer system
48 or computer network.
49 Computer tampering in the third degree is a class E felony.
50 § 4. The penal law is amended by adding a new section 156.45 to read
51 as follows:
52 § 156.45 Unlawful disruption of computer services in the second degree.
53 A person is guilty of unlawful disruption of computer services in the
54 second degree when he or she knowingly and without permission disrupts
55 or causes the disruption of computer services or denies or causes the
A. 8324 5
1 denial of computer services to an authorized user of a computer, comput-
2 er system, or computer network.
3 Unlawful disruption of computer services in the second degree is a
4 class A misdemeanor.
5 § 5. The penal law is amended by adding a new section 156.46 to read
6 as follows:
7 § 156.46 Unlawful disruption of computer services in the first degree.
8 A person is guilty of unlawful disruption of computer services in the
9 first degree when he or she commits the crime of unlawful disruption of
10 computer services in the second degree and:
11 1. he or she disrupts government computer services or denies or causes
12 the denial of government computer services to an authorized user of a
13 government computer, computer system, or computer network; or
14 2. he or she disrupts public safety infrastructure computer system
15 computer services or denies or causes the denial of computer services to
16 an authorized user of a public safety infrastructure computer system
17 computer, computer system, or computer network.
18 Unlawful disruption of computer services in the second degree is a
19 class E felony.
20 § 6. The penal law is amended by adding a new section 156.15 to read
21 as follows:
22 § 156.15 Unlawful computer access assistance in the second degree.
23 A person is guilty of unlawful computer access assistance in the
24 second degree when he or she knowingly and without permission provides
25 or assists in providing a means of accessing a computer, computer
26 system, or computer network in violation of this article.
27 Unlawful computer access assistance in the second degree is a class A
28 misdemeanor.
29 § 7. The penal law is amended by adding a new section 156.16 to read
30 as follows:
31 § 156.16 Unlawful computer access assistance in the first degree.
32 A person is guilty of unlawful computer access assistance in the first
33 degree when he or she commits the crime of unlawful computer access
34 assistance in the second degree and provides or assists in providing a
35 means of accessing a public safety infrastructure computer system
36 computer, computer system or computer network in violation of this arti-
37 cle.
38 Unlawful computer access assistance in the first degree is a class E
39 felony.
40 § 8. The penal law is amended by adding a new section 156.12 to read
41 as follows:
42 § 156.12 Unauthorized use of internet domain name or profile.
43 A person is guilty of unauthorized use of internet domain name or
44 profile when he or she knowingly and without permission uses the inter-
45 net domain name or profile of another individual, corporation, or entity
46 in connection with the sending of one or more electronic mail messages
47 or posts and thereby damages or causes damage to a computer, computer
48 data, computer system or computer network.
49 Unauthorized use of internet domain name or profile is a class A
50 misdemeanor.
51 § 9. The penal law is amended by adding a new section 156.37 to read
52 as follows:
53 § 156.37 Unlawful introduction of a computer contaminant.
54 A person is guilty of unlawful introduction of a computer contaminant
55 when he or she knowingly introduces a computer contaminant into any
56 computer, computer system, or computer network.
A. 8324 6
1 Unlawful introduction of a computer contaminant is a class A misdemea-
2 nor.
3 § 10. The penal law is amended by adding a new section 156.55 to read
4 as follows:
5 § 156.55 Civil actions.
6 1. In addition to any other civil remedy available, the owner or
7 lessee of the computer, computer system, computer network, computer
8 program, or data who suffers damage or loss by reason of a violation of
9 any section of this article may bring a civil action against the viola-
10 tor for compensatory damages and injunctive relief or other equitable
11 relief. Compensatory damages shall include any expenditure reasonably
12 and necessarily incurred by the owner or lessee to verify that a comput-
13 er system, computer network, computer program, or data was or was not
14 altered, damaged, or deleted by the access. In any action brought pursu-
15 ant to this section, the court may award reasonable attorney's fees. For
16 the purposes of actions authorized by this section, the conduct of an
17 unemancipated minor shall be imputed to the parent or legal guardian
18 having control or custody of the minor.
19 2. No action may be brought pursuant to this section for a willful
20 violation of this article unless it is initiated within three years of
21 the date of the act complained of, or the date of the discovery of the
22 damage, whichever is later.
23 § 11. The penal law is amended by adding a new section 156.60 to read
24 as follows:
25 § 156.60 Offenses involving computers; forfeiture.
26 Any computer, computer system, computer network, or any software or
27 data, owned by the defendant, that is used during the commission of any
28 offense described in this article or any computer, owned by the defend-
29 ant, which is used as a repository for the storage of software or data
30 illegally obtained in violation of this article shall be subject to
31 forfeiture.
32 § 12. Subdivision 1 of section 6430 of the education law, as amended
33 by chapter 75 of the laws of 2004, is amended to read as follows:
34 1. The trustees or other governing board of every college chartered by
35 the regents or incorporated by special act of the legislature and which
36 maintains a campus, unless otherwise provided, shall adopt written rules
37 for implementing all policies required pursuant to this article and for
38 the maintenance of public order on college campuses and other college
39 property used for educational purposes and provide a program for the
40 enforcement thereof. Such rules shall prohibit, among other things, any
41 action or situation which recklessly or intentionally endangers mental
42 or physical health or involves the forced consumption of liquor or drugs
43 for the purpose of initiation into or affiliation with any organization.
44 Such rules shall govern the conduct of students, faculty and other staff
45 as well as visitors and other licensees and invitees on such campuses
46 and property and shall include computer-related crimes as a specific
47 violation of such rules. The penalties for violations of such rules
48 shall be clearly set forth therein and shall include provisions for the
49 ejection of a violator from such campus and property, in the case of a
50 student or faculty violator his or her suspension, expulsion, or other
51 appropriate disciplinary action, and in the case of an organization
52 which authorizes such conduct, recision of permission for that organiza-
53 tion to operate on campus property and shall also include penalties for
54 computer-related crimes that may subject a student to disciplinary sanc-
55 tions up to and including dismissal from the institution. Such penal-
A. 8324 7
1 ties shall be in addition to any penalty pursuant to the penal law or
2 any other law to which a violator or organization may be subject.
3 § 13. This act shall take effect on the one hundred eightieth day
4 after it shall have become a law.