SB 415 — An Act amending Title 18 (Crimes and Offenses) of the Pennsylvania Consolidated Statutes, in computer offenses, providing for the offense of ransomware; and imposing duties on the Office of Administration.
Congress · introduced 2025-03-10
Latest action: — Referred to JUDICIARY, March 10, 2025
Sponsors
- Kristin Phillips-Hill (R, PA-28) — sponsor · 2025-03-10
- Wayne D. Fontana (D, PA-42) — cosponsor · 2025-03-10
- Daniel Laughlin (R, PA-49) — cosponsor · 2025-03-10
- Patrick J. Stefano (R, PA-32) — cosponsor · 2025-03-10
- Elder A. Vogel (R, PA-47) — cosponsor · 2025-03-10
- Cris Dush (R, PA-25) — cosponsor · 2025-03-10
- Doug Mastriano (R, PA-33) — cosponsor · 2025-03-10
Action timeline
- · senate — Referred to JUDICIARY, March 10, 2025
Text versions
No text versions on file yet — same ingest as the action timeline populates these. Each version has direct links to the XML / HTML / PDF at govinfo.gov.
Bill text
Printer's No. 0368 · 15,012 characters · source document
PRINTER'S NO. 368
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No. 415
Session of
2025
INTRODUCED BY PHILLIPS-HILL, FONTANA, LAUGHLIN, STEFANO, VOGEL,
DUSH AND MASTRIANO, MARCH 10, 2025
REFERRED TO JUDICIARY, MARCH 10, 2025
AN ACT
1 Amending Title 18 (Crimes and Offenses) of the Pennsylvania
2 Consolidated Statutes, in computer offenses, providing for
3 the offense of ransomware; and imposing duties on the Office
4 of Administration.
5 The General Assembly of the Commonwealth of Pennsylvania
6 hereby enacts as follows:
7 Section 1. Chapter 76 of Title 18 of the Pennsylvania
8 Consolidated Statutes is amended by adding a subchapter to read:
9 SUBCHAPTER F
10 RANSOMWARE
11 Sec.
12 7671. Purposes of subchapter.
13 7672. Definitions.
14 7673. Prohibited actions.
15 7674. (Reserved).
16 7675. Forfeiture.
17 7676. Limitation of time.
18 7677. Notification.
19 7678. Payments.
1 7679. Civil actions.
2 7680. Remedies not exclusive.
3 7681. Office of Administration.
4 § 7671. Purposes of subchapter.
5 This subchapter is intended to ensure that Commonwealth
6 agencies have strong capabilities in place to:
7 (1) Prohibit persons from engaging in ransomware attacks
8 and from extorting payments to resolve or prevent ransomware
9 attacks.
10 (2) Prevent and detect ransomware attacks.
11 (3) Restore systems and captured information quickly
12 that were disrupted or obtained through ransomware attacks.
13 (4) Provide timely public notification of ransomware
14 attacks.
15 (5) Pursue and prosecute perpetrators of ransomware
16 attacks.
17 § 7672. Definitions.
18 The following words and phrases when used in this subchapter
19 shall have the meanings given to them in this section unless the
20 context clearly indicates otherwise:
21 "Commonwealth agency." Any of the following:
22 (1) The Governor's Office.
23 (2) A department, board, commission, authority or other
24 agency of the Commonwealth that is subject to the policy
25 supervision and control of the Governor.
26 (3) The office of Lieutenant Governor.
27 (4) An independent department.
28 (5) An independent agency.
29 (6) The General Assembly or an agency of the General
30 Assembly.
20250SB0415PN0368 - 2 -
1 "Computer contaminant." A set of computer instructions that
2 is designed to modify, damage, destroy, record or transmit data
3 held by a computer, computer system or computer network without
4 the intent or permission of the owner of the data.
5 "Independent agency." A board, commission, authority or
6 other agency of the Commonwealth that is not subject to the
7 policy supervision and control of the Governor.
8 "Independent department." Any of the following:
9 (1) The Department of the Auditor General.
10 (2) The Treasury Department.
11 (3) The Office of Attorney General.
12 (4) A board or commission of an entity under paragraph
13 (1), (2) or (3).
14 "Managed service provider." A third-party company that
15 remotely manages a customer's information technology
16 infrastructure and end-user systems.
17 "Ransomware." As follows:
18 (1) A computer contaminant or lock placed or introduced
19 without authorization into a computer, computer system or
20 computer network that does any of the following:
21 (i) Restricts access by an authorized person to the
22 computer, computer system or computer network or to any
23 data held by the computer, computer system or computer
24 network, under circumstances in which the person
25 responsible for the placement or introduction of the
26 computer contaminant or lock demands payment of money or
27 other consideration to:
28 (A) remove the computer contaminant or lock;
29 (B) restore access to the computer, computer
30 system, computer network or data; or
1 (C) otherwise remediate the impact of the
2 computer contaminant or lock.
3 (ii) Transforms data held by the computer, computer
4 system or computer network into a form in which the data
5 is rendered unreadable or unusable without the use of a
6 confidential process or key.
7 (2) The term does not include authentication required to
8 upgrade or access purchased content or the blocking of access
9 to subscription content in the case of nonpayment for the
10 access.
11 § 7673. Prohibited actions.
12 (a) Prohibition.--Except as provided in subsection (b), a
13 person may not, with the intent to extort money or other thing
14 of value from another person or a Commonwealth agency for the
15 purpose of removing a computer contaminant or lock, restoring
16 access to a computer, computer system, computer network or data
17 or otherwise remediating the impact of a computer contaminant or
18 lock:
19 (1) Knowingly possess ransomware.
20 (2) Use ransomware without the authorization of the
21 owner of the computer, computer system or computer network.
22 (3) Sell, transfer or develop ransomware.
23 (4) Threaten to use ransomware against another person or
24 a Commonwealth agency if the threat is:
25 (i) made in an express or implied manner; and
26 (ii) transmitted in person, by mail or through
27 facsimile, email, the Internet, a telecommunication
28 device or other electronic means.
29 (5) Induce another person to commit an act described in
30 paragraph (1), (2), (3) or (4).
1 (b) Exception.--Subsection (a) does not apply to the use of
2 ransomware for research purposes by an authorized agent of the
3 Commonwealth or the Federal Government.
4 (c) Grading.--
5 (1) Except as provided in paragraph (2), the following
6 apply:
7 (i) An offense under this section constitutes a
8 misdemeanor of the second degree.
9 (ii) If the aggregate amount of money or other thing
10 of value involved is less than $10,000, the offense
11 constitutes a misdemeanor of the first degree.
12 (iii) If the aggregate amount of money or other
13 thing of value involved is $10,000 or more but less than
14 $100,000, the offense constitutes a felony of the third
15 degree.
16 (iv) If the aggregate amount of money or other thing
17 of value involved is $100,000 or more but less than
18 $500,000, the offense constitutes a felony of the second
19 degree.
20 (v) If the aggregate amount of money or other thing
21 of value involved is at least $500,000, the offense
22 constitutes a felony of the first degree.
23 (2) The grading of an offense under subsection (a)(1),
24 (2) or (3) shall be increased one degree if the commission of
25 the offense:
26 (i) is a second or subsequent offense;
27 (ii) involves the infliction of a physical injury;
28 or
29 (iii) involves a computer, computer system or
30 computer network, or any data held by the computer,
1 computer system or computer network, of a court or agency
2 of the unified judicial system.
3 § 7674. (Reserved).
4 § 7675. Forfeiture.
5 (a) Authorization.--Any computer, computer system, computer
6 network, software or data that is used during the commission of
7 an offense under this subchapter or used as a repository for the
8 storage of software or data illegally obtained in violation of
9 this subchapter shall be subject to forfeiture.
10 (b) Procedures.--The forfeiture under this section shall be
11 conducted in accordance with 42 Pa.C.S. §§ 5803 (relating to
12 asset forfeiture), 5805 (relating to forfeiture procedure), 5806
13 (relating to motion for return of property), 5807 (relating to
14 restrictions on use), 5807.1 (relating to prohibition on
15 adoptive seizures) and 5808 (relating to exceptions).
16 § 7676. Limitation of time.
17 An action to prosecute an offense under this subchapter must
18 be commenced within three years from the date of discovery of
19 the commission of the offense.
20 § 7677. Notification.
21 (a) Managed service providers.--A managed service provider
22 of information technology in the service of a Commonwealth
23 agency shall notify an appropriate official of the Commonwealth
24 agency of the discovery of ransomware or receipt of a ransomware
25 demand within one hour of the discovery of ransomware or receipt
26 of the ransomware demand.
27 (b) Commonwealth agencies.--
28 (1) Within two hours of a Commonwealth agency's
29 discovery of ransomware or receipt of a ransomware demand,
30 the Commonwealth agency shall, as necessary and appropriate,
1 notify the Pennsylvania State Police and the head of the
2 impacted agency of the discovery of ransomware or receipt of
3 a ransomware demand.
4 (2) If a Commonwealth agency or managed service provider
5 is in receipt of a ransomware demand, the Pennsylvania State
6 Police shall, within 24 hours of the notification by the
7 Commonwealth agency of the ransomware demand, notify an
8 appropriate official of the Federal Bureau of Investigation
9 of the ransomware demand.
10 § 7678. Payments.
11 (a) Public money.--After December 31, 2025, State and local
12 taxpayer money or other public money may not be used to pay an
13 extortion attempt involving ransomware.
14 (b) Insurance coverage.--Nothing in this section shall
15 prohibit a Commonwealth agency from expending public money for
16 the purposes of purchasing or maintaining insurance coverage for
17 ransomware attacks, including the payment of any deductible or
18 coinsurance by the Commonwealth agency that is required under
19 the terms of the insurance policy. The following apply:
20 (1) The Commonwealth agency may not use public money
21 designated for insurance coverage to pay an extortion attempt
22 involving ransomware.
23 (2) Subject to paragraph (1), public money designated
24 for insurance coverage may be used to pay costs associated
25 with:
26 (i) the recovery and restoration of systems and
27 captured information as a result of a ransomware attack;
28 (ii) public notification regarding a ransomware
29 attack;
30 (iii) identity theft protection for persons affected
1 by a ransomware attack; and
2 (iv) other related expenses involving a ransomware
3 attack.
4 § 7679. Civil actions.
5 A person or Commonwealth agency that is a victim of an
6 offense under this subchapter may bring an action against a
7 person violating this subchapter to recover any one or more of
8 the following:
9 (1) Actual damages.
10 (2) Punitive damages.
11 (3) Reasonable attorney fees and other litigation costs
12 reasonably incurred.
13 § 7680. Remedies not exclusive.
14 The commencement of a criminal prosecution or civil action
15 under this subchapter shall not prohibit or limit the
16 commencement of a criminal prosecution or civil action under any
17 other law.
18 § 7681. Office of Administration.
19 (a) Study.--The Office of Administration shall study the
20 susceptibility, preparedness and ability to respond on the part
21 of Commonwealth agencies to ransomware attacks. In conducting
22 the study, the Office of Administration shall:
23 (1) Develop guidelines and best practices to prevent a
24 ransomware attack.
25 (2) Evaluate current data encryption and backup
26 strategies.
27 (3) Evaluate the availability of tools to monitor
28 unusual access requests, computer viruses and computer
29 network traffic.
30 (4) Develop guidelines for Commonwealth agencies on
1 responding to a ransomware attack.
2 (5) Develop a coordinated law enforcement response
3 strategy that uses forensic investigative techniques to
4 identify the source of a ransomware attack.
5 (6) Provide recommendations on legislative or regulatory
6 action to protect Commonwealth agencies from a ransomware
7 attack.
8 (b) Reports.--The Office of Administration shall prepare and
9 transmit to the General Assembly a report by July 1 of each
10 year, which must include the following:
11 (1) The information specified under subsection (a),
12 including any updates on policies and procedures regarding
13 ransomware.
14 (2) The number of ransomware attacks against
15 Commonwealth agencies during the period covered by the
16 report, including:
17 (i) The nature and extent of the ransomware and
18 extortion attempts involving ransomware.
19 (ii) The effect of the ransomware attacks.
20 (3) Any other information that the Office of
21 Administration deems necessary or proper.
22 (c) Cooperation.--A Commonwealth agency shall cooperate with
23 the Office of Administration in providing information necessary
24 for the preparation of a report under this section.
25 Section 2. This act shall take effect in 60 days.
Connected on the graph
Outbound (1)
| date | type | to | amount | role | source |
|---|---|---|---|---|---|
| — | referred_to_committee | Pennsylvania Senate Judiciary Committee | — | — | pa-leg |
The full graph
Every typed relationship touching this entity — 1 edge across 1 category. Grouped by what the connection is; the heaviest few are shown, with a link to the full list.
Committees
→ Referred to committee 1 edge
Who matters
Members ranked by combined influence on this bill: role (sponsor 5 / cosponsor 1), capped speech count from the Congressional Record, and recorded-vote engagement.
| # | Member | Role | Speeches | Voted | Score |
|---|---|---|---|---|---|
| 1 | Kristin Phillips-Hill (R, state_upper PA-28) | sponsor | 0 | — | 5 |
| 2 | Cris Dush (R, state_upper PA-25) | cosponsor | 0 | — | 1 |
| 3 | Daniel Laughlin (R, state_upper PA-49) | cosponsor | 0 | — | 1 |
| 4 | Doug Mastriano (R, state_upper PA-33) | cosponsor | 0 | — | 1 |
| 5 | Elder A. Vogel (R, state_upper PA-47) | cosponsor | 0 | — | 1 |
| 6 | Patrick J. Stefano (R, state_upper PA-32) | cosponsor | 0 | — | 1 |
| 7 | Wayne D. Fontana (D, state_upper PA-42) | cosponsor | 0 | — | 1 |
Predicted vote
Aggregated from: actual roll-call votes (when present) → sponsor → cosponsor → party median (predicts YES when ≥25% of the caucus sponsored/cosponsored). Each row labels its confidence tier so you can see why a position was predicted.
0 predicted yes (0%) · 543 predicted no (100%) · 0 unknown (0%)
By party: · R: 0 yes / 277 no · D: 0 yes / 263 no · I: 0 yes / 3 no
Activity
Every typed-graph event involving this entity, newest first. Each row is one edge in the influence graph; click the date to jump to its provenance.
- 2026-05-20 · was referred to Pennsylvania Senate Judiciary Committee · pa-leg