Chapter 9A.90 RCW

WASHINGTON CYBERCRIME ACT

Sections

9A.90.010FindingsIntent2016 c 164.
9A.90.020Short title2016 c 164.
9A.90.030Definitions.
9A.90.040Computer trespass in the first degree.
9A.90.050Computer trespass in the second degree.
9A.90.060Electronic data service interference.
9A.90.070Spoofing.
9A.90.080Electronic data tampering in the first degree.
9A.90.090Electronic data tampering in the second degree.
9A.90.100Electronic data theft.
9A.90.110Commission of other crime.


FindingsIntent2016 c 164.

The legislature finds that the rapid pace of technological change and information computerization in the digital age generates a never ending sequence of anxiety inducing reports highlighting how the latest device or innovation is being used to harm consumers. The legislature finds that this generates an ongoing pattern of legislation being proposed to regulate each new technology. The legislature finds that a more systemic approach is needed to better protect consumers and address these rapidly advancing technologies. The legislature finds that the application of traditional criminal enforcement measures that apply long-standing concepts of trespass, fraud, and theft to activities in the electronic frontier has not provided the essential clarity, certainty, and predictability that regulators, entrepreneurs, and innovators need. The legislature finds that an integrated, comprehensive methodology, rather than a piecemeal approach, will provide significant economic development benefits by providing certainty to the innovation community about the actions and activities that are prohibited. Therefore, the legislature intends to create a new chapter of crimes to the criminal code to punish and deter misuse or abuse of technology, rather than the perceived threats of individual technologies. This new chapter of crimes has been developed from an existing and proven system of computer security threat modeling known as the STRIDE system.
The legislature intends to strike a balance between public safety and civil liberties in the digital world, including creating sufficient space for white hat security research and whistleblowers. The state whistleblower and public record laws prevent this act from being used to hide any deleterious actions by government officials under the guise of security. Furthermore, this act is not intended to criminalize activity solely on the basis that it violates any terms of service.
The purpose of the Washington cybercrime act is to provide prosecutors the twenty-first century tools they need to combat twenty-first century crimes.



Short title2016 c 164.

This act may be known and cited as the Washington cybercrime act.



Definitions.

The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
(1) "Access" means to gain entry to, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of electronic data, data network, or data system, including via electronic means.
(2) "Cybercrime" includes crimes of this chapter.
(3) "Data" means a digital representation of information, knowledge, facts, concepts, data software, data programs, or instructions that are being prepared or have been prepared in a formalized manner and are intended for use in a data network, data program, data services, or data system.
(4) "Data network" means any system that provides digital communications between one or more data systems or other digital input/output devices including, but not limited to, display terminals, remote systems, mobile devices, and printers.
(5) "Data program" means an ordered set of electronic data representing coded instructions or statements that when executed by a computer causes the device to process electronic data.
(6) "Data services" includes data processing, storage functions, internet services, email services, electronic message services, web site access, internet-based electronic gaming services, and other similar system, network, or internet-based services.
(7) "Data system" means an electronic device or collection of electronic devices, including support devices one or more of which contain data programs, input data, and output data, and that performs functions including, but not limited to, logic, arithmetic, data storage and retrieval, communication, and control. This term does not include calculators that are not programmable and incapable of being used in conjunction with external files.
(8) "Identifying information" means information that, alone or in combination, is linked or linkable to a trusted entity that would be reasonably expected to request or provide credentials to access a targeted data system or network. It includes, but is not limited to, recognizable names, addresses, telephone numbers, logos, HTML links, email addresses, registered domain names, reserved IP addresses, user names, social media profiles, cryptographic keys, and biometric identifiers.
(9) "Malware" means any set of data instructions that are designed, without authorization and with malicious intent, to disrupt computer operations, gather sensitive information, or gain access to private computer systems. "Malware" does not include software that installs security updates, removes malware, or causes unintentional harm due to some deficiency. It includes, but is not limited to, a group of data instructions commonly called viruses or worms, that are self-replicating or self-propagating and are designed to infect other data programs or data, consume data resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the data, data system, or data network.
(10) "White hat security research" means accessing a data program, service, or system solely for purposes of good faith testing, investigation, identification, and/or correction of a security flaw or vulnerability, where such activity is carried out, and where the information derived from the activity is used, primarily to promote security or safety.
(11) "Without authorization" means to knowingly circumvent technological access barriers to a data system in order to obtain information without the express or implied permission of the owner, where such technological access measures are specifically designed to exclude or prevent unauthorized individuals from obtaining such information, but does not include white hat security research or circumventing a technological measure that does not effectively control access to a computer. The term "without the express or implied permission" does not include access in violation of a duty, agreement, or contractual obligation, such as an acceptable use policy or terms of service agreement, with an internet service provider, internet web site, or employer. The term "circumvent technological access barriers" may include unauthorized elevation of privileges, such as allowing a normal user to execute code as administrator, or allowing a remote person without any privileges to run code.



Computer trespass in the first degree.

(1) A person is guilty of computer trespass in the first degree if the person, without authorization, intentionally gains access to a computer system or electronic database of another; and
(a) The access is made with the intent to commit another crime in violation of a state law not included in this chapter; or
(b) The violation involves a computer or database maintained by a government agency.
(2) Computer trespass in the first degree is a class C felony.



Computer trespass in the second degree.

(1) A person is guilty of computer trespass in the second degree if the person, without authorization, intentionally gains access to a computer system or electronic database of another under circumstances not constituting the offense in the first degree.
(2) Computer trespass in the second degree is a gross misdemeanor.



Electronic data service interference.

(1) A person is guilty of electronic data service interference if the person maliciously and without authorization causes the transmission of data, data program, or other electronic command that intentionally interrupts or suspends access to or use of a data network or data service.
(2) Electronic data service interference is a class C felony.



Spoofing.

(1) A person is guilty of spoofing if he or she, without authorization, knowingly initiates the transmission, display, or receipt of the identifying information of another organization or person for the purpose of gaining unauthorized access to electronic data, a data system, or a data network, and with the intent to commit another crime in violation of a state law not included in this chapter.
(2) Spoofing is a gross misdemeanor.



Electronic data tampering in the first degree.

(1) A person is guilty of electronic data tampering in the first degree if he or she maliciously and without authorization:
(a)(i) Alters data as it transmits between two data systems over an open or unsecure network; or
(ii) Introduces any malware into any electronic data, data system, or data network; and
(b)(i) Doing so is for the purpose of devising or executing any scheme to defraud, deceive, or extort, or commit any other crime in violation of a state law not included in this chapter, or of wrongfully controlling, gaining access to, or obtaining money, property, or electronic data; or
(ii) The electronic data, data system, or data network is maintained by a governmental [government] agency.
(2) Electronic data tampering in the first degree is a class C felony.



Electronic data tampering in the second degree.

(1) A person is guilty of electronic data tampering in the second degree if he or she maliciously and without authorization:
(a) Alters data as it transmits between two data systems over an open or unsecure network under circumstances not constituting the offense in the first degree; or
(b) Introduces any malware into any electronic data, data system, or data network under circumstances not constituting the offense in the first degree.
(2) Electronic data tampering in the second degree is a gross misdemeanor.



Electronic data theft.

(1) A person is guilty of electronic data theft if he or she intentionally, without authorization, and without reasonable grounds to believe that he or she has such authorization, obtains any electronic data with the intent to:
(a) Devise or execute any scheme to defraud, deceive, extort, or commit any other crime in violation of a state law not included in this chapter; or
(b) Wrongfully control, gain access to, or obtain money, property, or electronic data.
(2) Electronic data theft is a class C felony.



Commission of other crime.

A person who, in the commission of a crime under this chapter, commits any other crime may be punished for that other crime as well as for the crime under this chapter and may be prosecuted for each crime separately.