Statutes Text
Article - Criminal Law
§7–302.
(a) (1) In this section the following words have the meanings indicated.
(2) “Access” means to instruct, communicate with, store data in, retrieve or intercept data from, or otherwise use the resources of a computer program, computer system, or computer network.
(3) (i) “Aggregate amount” means a direct loss of property or services incurred by a victim.
(ii) “Aggregate amount” includes:
1. the value of any money, property, or service lost, stolen, or rendered unrecoverable by the crime; or
2. any actual reasonable expenditure incurred by the victim to verify whether a computer program, computer, computer system, or computer network was altered, acquired, damaged, deleted, disrupted, or destroyed by access in violation of this section.
(4) (i) “Computer” means an electronic, magnetic, optical, organic, or other data processing device or system that performs logical, arithmetic, memory, or storage functions.
(ii) “Computer” includes property, a data storage facility, or a communications facility that is directly related to or operated with a computer.
(iii) “Computer” does not include an automated typewriter, a typesetter, or a portable calculator.
(5) “Computer control language” means ordered statements that direct a computer to perform specific functions.
(6) “Computer database” means a representation of information, knowledge, facts, concepts, or instructions that:
(i) is intended for use in a computer, computer system, or computer network; and
(ii) 1. is being prepared or has been prepared in a formalized manner; or
2. is being produced or has been produced by a computer, computer system, or computer network.
(7) “Computer network” means the interconnection of one or more computers through:
(i) the use of a satellite, microwave, line, or other communication medium; and
(ii) terminals or a complex consisting of two or more interconnected computers regardless of whether the interconnection is continuously maintained.
(8) “Computer program” means an ordered set of instructions or statements that may interact with related data and, when executed in a computer system, causes a computer to perform specified functions.
(9) “Computer services” includes computer time, data processing, and storage functions.
(10) “Computer software” means a computer program, instruction, procedure, or associated document regarding the operation of a computer system.
(11) “Computer system” means one or more connected or unconnected computers, peripheral devices, computer software, data, or computer programs.
(12) “Ransomware” means a computer or data contaminant, encryption, or lock that:
(i) is placed or introduced without authorization into a computer, a computer network, or a computer system; and
(ii) restricts access by an authorized person to a computer, computer data, a computer network, or a computer system in a manner that results in the person responsible for the placement or introduction of the contaminant, encryption, or lock demanding payment of money or other consideration to remove the contaminant, encryption, or lock.
(b) This section does not preclude the applicability of any other provision of this Code.
(c) (1) A person may not intentionally, willfully, and without authorization:
(i) access, attempt to access, cause to be accessed, or exceed the person’s authorized access to all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or
(ii) copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed in violation of item (i) of this paragraph.
(2) A person may not commit an act prohibited by paragraph (1) of this subsection with the intent to:
(i) cause the malfunction or interrupt the operation of all or any part of a computer, computer network, computer control language, computer software, computer system, computer service, or computer data; or
(ii) alter, damage, or destroy all or any part of data or a computer program stored, maintained, or produced by a computer, computer network, computer software, computer system, computer service, or computer database.
(3) A person may not intentionally, willfully, and without authorization:
(i) possess, identify, or attempt to identify a valid access code; or
(ii) publicize or distribute a valid access code to an unauthorized person.
(4) A person may not commit an act prohibited under this subsection with the intent to interrupt or impair the functioning of:
(i) the State government;
(ii) a service, device, or system related to the production, transmission, delivery, or storage of electricity or natural gas in the State that is owned, operated, or controlled by a person other than a public service company, as defined in § 1–101 of the Public Utilities Article;
(iii) a service provided in the State by a public service company, as defined in § 1–101 of the Public Utilities Article;
(iv) a health care facility, as defined in § 18–338.1 of the Health – General Article; or
(v) a public school, as defined in § 1–101 of the Education Article.
(5) (i) This paragraph does not apply to a person who has a bona fide scientific, educational, governmental, testing, news, or other similar justification for possessing ransomware.
(ii) A person may not knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into the computer, computer network, or computer system of another person without the authorization of the other person.
(d) (1) A person who violates subsection (c)(1) of this section is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding 3 years or a fine not exceeding $1,000 or both.
(2) A person who violates subsection (c)(2) or (3) of this section:
(i) if the aggregate amount of the loss is $10,000 or more, is guilty of a felony and on conviction is subject to imprisonment not exceeding 10 years or a fine not exceeding $10,000 or both; or
(ii) if the aggregate amount of the loss is less than $10,000, is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding 5 years or a fine not exceeding $5,000 or both.
(3) A person who violates subsection (c)(4) of this section:
(i) if the aggregate amount of the loss is $10,000 or more, is guilty of a felony and on conviction is subject to imprisonment not exceeding 10 years or a fine not exceeding $100,000 or both; or
(ii) if the aggregate amount of the loss is less than $10,000, is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding 5 years or a fine not exceeding $25,000 or both.
(4) A person who violates subsection (c)(5) of this section is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding 2 years or a fine not exceeding $5,000 or both.
(e) Access achieved in violation of this section under a single scheme or a continuing course of conduct may be considered as one violation.
(f) A court of competent jurisdiction may try a person prosecuted under this section in any county in this State where:
(1) the defendant performed the act; or
(2) the accessed computer is located.
(g) (1) A person who has suffered a specific and direct injury because of a violation of this section may bring a civil action in a court of competent jurisdiction.
(2) In an action under this subsection, the court may award actual damages and reasonable attorney’s fees and court costs.
(3) A conviction for an offense under this section is not a prerequisite for maintenance of an action under this subsection.