Hackers who break into computer systems and demand a ransom could face tougher penalties than initially proposed in a bill passing out of the Indiana General Assembly.
In addition, company owners who instruct employees to robocall customers could face charges. Currently, Indiana law allows only the person making the phone call to face charges.
But House Bill 1444, with both provisions, passed the Indiana House on Tuesday and heads to the governor for his signature.
The bill initially addressed hacking but a robocall provision was added in the Senate, said the bill’s author, Rep. Christopher Judy, R-Fort Wayne. Exempt organizations include newspapers, charitable groups, licensed real estate agents and licensed insurance agents.
In a ransomware attack, perpetrators use malware to encrypt files on infected systems and forces users to pay a ransom to obtain a decrypt key, or password, for the undamaged files. Payment is usually sought with the hard-to-trace cryptocurrency Bitcoin.
Under the bill, hackers could face a Level 5 felony if the ransom paid is between $750 and $50,000 and a Level 4 felony if the ransom is above $50,000. The maximum prison sentence for a Level 5 felony is 6 years and, for a Level 4 felony, 12 years.
Initially, the penalties were not as harsh.
But tracking and catching the culprits may prove to be difficult, officials say.
“There’s still some questions about it. How do we address this if the perpetrator’s overseas?” Judy said. “And one of the big questions is how do we identify these individuals that are sending that ransomware out? … But we will have something in place if we are able to.”
Indiana already has a law that makes unauthorized access of computers a misdemeanor crime of computer trespass.
The bill comes in the wake of attacks on municipal computer networks.
Last November, Madison County government records were held for ransom. A hacker was able to get into the computer system, encrypt files and demand a ransom.
The cyberattack affected property records, court documents and jail logs, along with other county government records. It delayed the online posting of Nov. 8 election results.
That same month, about 76,000 Howard County government files were encrypted in a ransomware attack.
Two emails, disguised as a FedEx message, were opened by county employees two days apart, one in a work email, the other a personal account. The emails told recipients that a package was undeliverable and provided an attachment for an invoice or certificate.
Upon recommendation from the insurance carrier, Madison County agreed to pay nearly $21,000 to gain back access. The payment was untraceable. But the attack reportedly cost the county nearly $200,000 to repair. The county began storing its file offsite.
Howard County did not pay since it used backup systems, which gave it nearly 100 percent recovery of its files.