Backers of House Bill 368, which now heads to the Senate, say the changes are needed because Ohio law right now only criminalizes successful computer hacks, not attempts.
Current state law also bases the severity of the offense based on the damages suffered by the victim, which bill proponents say is an outdated way to measure the harm done by a cyberattack or an attempted computer breach.
Computer attacks that come from other states or overseas are usually handled by the FBI or other national and international law-enforcement agencies. But sometimes the hackers are from Ohio – such as a case in which a disgruntled former credit-union employee tried to access his former employer’s records, said state Rep. Brian Baldridge, the Adams County Republican sponsoring the bill.
In addition, Baldridge told a House committee last fall, the FBI is often reluctant to spend time and money investigating unsuccessful computer attacks.
Right now, there are two offenses on the books in Ohio to cover computer crimes: criminal mischief and unauthorized use of a computer. HB 328 would add to – and partially replace – these offenses with several new felony-level offenses, including electronic data tampering and electronic data manipulation, electronic computer service interference, computer trespass, electronic data theft, and unauthorized data disclosure.
The bill would also allow victims of cybercrime to file a civil lawsuit seeking compensation from people convicted of at least one of those offenses. The legislation would protect “white hat” or ethical hackers who are paid by a company to test its computer firewall system, even if they mistakenly go beyond the scope of what they were hired to do.
State Rep. David Leland, a Columbus Democrat, joined Baldridge in speaking in favor of the legislation Wednesday on the House floor.
“It really corrects some glaring holes in our criminal statute related to cybersecurity,” Leland said.
In particular, Leland said, the proposed offenses would cover a recent attempt by an anonymous hacker to take down part of Ohio’s unemployment benefits website in which employers can report workers who didn’t return to work during the pandemic – resulting in those workers to lose their benefits.
While the state was able to thwart the attempt, it has led state officials to consider whether they will stop benefits to Ohioans who don’t return to work.
The House passed the legislation 93-1. The lone “no” vote was cast by state Rep. Tavia Galonski, an Akron Democrat.
©2020 The Plain Dealer, Cleveland, Distributed by Tribune Content Agency, LLC.