Desco Federal Credit Union CEO Lee Powell was stunned: Neither the FBI nor his county prosecutor could charge a person caught hacking into his computer with a “serious crime.”
The disgruntled former employee didn’t get any customer data. The credit union’s security system caught the perpetrator. But without any monetary damages to claim, Powell was told there wasn’t much of a case.
“I asked whether attempted murder was a crime or if they waited for the person to be successful to prosecute,” Powell said. “He didn’t like that, but I was trying to make what I thought was a valid point.”
Ohio law has two existing offenses when it comes to attempted computer crimes: criminal mischief and unauthorized use of a computer. They’re what prosecutors call damage focused, which means the punishments hinge on monetary loss. For example, a hacker has to cause $10,000 worth of damages to be charged with a fourth-degree felony for criminal mischief.
“The way I look at it, there was an attempt to commit an attack,” Rep. Brian Baldridge, R-Winchester, said. “It’s like breaking into a house but getting caught before you stole anything.”
That’s why he introduced House Bill 116. The legislation would create a new set of computer-specific crimes like computer service interference, electronic data tampering, unauthorized data disclosure and computer trespass.
‘No disincentive’ to trying to steal data in Ohio
Baldridge sponsored a nearly identical bill in 2020. It sailed through the House but failed to get a vote in the Senate before the end of the year.
“To our knowledge, there is still no opposition to it,” Ohio Credit Union League’s Chief Advocacy Officer Emily Leite said. And the legal changes are more timely than ever given the rise in Ohioans working and shopping from home.
Thousands of organizations in 17 countries were hit by a coordinated ransomware attack in early July. The malicious code appears to have come from the REvil gang, a Russian-speaking ransomware syndicate.
Employees and consumers should educate themselves about all the different phishing scams hackers use to steal their data, Leite said, but the criminal code needs updating.
“There is no disincentive to trying to take the data,” Leite said.
In addition to prosecuting those caught trying to steal data, Leite’s been working with Ohio lawmakers on a privacy bill to set statewide standards for any business that stores customer information.
“We need a unified, national data security standard that is reasonable, that businesses can comply with, that protects all consumer data,” Leite said.
Both she and Baldridge expect HB 116 to pass fairly quickly after lawmakers return in September.
“It’s good common-sense legislation,” Powell said. “Every business should be supportive of it.”
Anna Staver is a reporter for the USA TODAY Network Ohio Bureau, which serves the Columbus Dispatch, Cincinnati Enquirer, Akron Beacon Journal and 18 other affiliated news organizations across Ohio.