Georgia Senate Passes Bill That Penalizes Unauthorized Pen-Tests


A bill was passed yesterday by the state of Georgia that causes any unauthorized access to a computer to be considered “Unauthorized Computer Access” and “shall be punished for a misdemeanor of a high and aggravated nature”. This bill amends the Georgia code, which originally only considered unauthorized access with malicious intent to be a crime, an information security training analyst said.


The new bill, titled SB-315, was a Republican-sponsored bill that passed with 42 Yea votes, 7 Nay votes, 6 senators not voting, and 1 excused. Of the Yea votes, 11 came from Democratic senators. Only one Republican, Blake Tillery, voted against this bill.

This bill changes the original language of the Georgia code shown below, to language that states that any unauthorized access to a computer, regardless of intent, is considered a crime.

(b) Computer Trespass. Any person who uses a computer or computer network with knowledge that such use is without authority and with the intention of:

  • Deleting or in any way removing, either temporarily or permanently, any computer program or data from a computer or computer network;
  • Obstructing, interrupting, or in any way interfering with the use of a computer program or data; or
  • Altering, damaging, or in any way causing the malfunction of a computer, computer network, or computer program, regardless of how long the alteration, damage, or malfunction persists

shall be guilty of the crime of computer trespass.

The new language has raised a lot of concern among information security training researchers who feel that it could put Georgia businesses at greater risk of insecure servers and web sites. This is because information security training researchers would not be able to responsibly disclose problems to a Georgia-based company without fear of legal repercussions.


To take it further, sites that perform automated analysis of servers could land themselves in trouble. For example, Shodan.io, a search engine for connected devices, could potentially face legal consequences when it scans servers located in Georgia.


These issues could have been resolved by adding language that protects information security training professionals when they responsibly disclose vulnerabilities. Unfortunately, this heavy-handed approach may only lead to worse problems for Georgia business owners.