Section 715.9 - Ransomware prohibition1. A person shall not intentionally, willfully, and without authorization do any of the following:a. Access, attempt to access, cause to be accessed, or exceed the person's authorized access to all or a part of a computer network, computer control language, computer, computer software, computer system, or computer database.b. Copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed in violation of paragraph "a".2. A person shall not commit an act prohibited in subsection 1 with the intent to do any of the following: a. Cause the malfunction or interruption of the operation of all or any part of a computer, computer network, computer control language, computer software, computer system, computer service, or computer data.b. Alter, damage, or destroy all or any part of data or a computer program stored, maintained, or produced by a computer, computer network, computer software, computer system, computer service, or computer database.3. A person shall not intentionally, willfully, and without authorization do any of the following: a. Possess, identify, or attempt to identify a valid computer access code.b. Publicize or distribute a valid computer access code to an unauthorized person.4. A person shall not commit an act prohibited under this section with the intent to interrupt or impair the functioning of any of the following: b. A service, device, or system related to the production, transmission, delivery, or storage of electricity or natural gas in the state that is owned, operated, or controlled by a person other than a public utility as defined in chapter 476.c. A service provided in the state by a public utility as defined in section 476.1, subsection 2.d. A hospital or health care facility as defined in section 135C.1.e. A public elementary or secondary school, community college, or area education agency under the supervision of the department of education.f. A city, city utility, or city service.g. An authority as defined in section 330A.2.5. This section shall not apply to the use of ransomware for research purposes by a person who has a bona fide scientific, educational, governmental, testing, news, or other similar justification for possessing ransomware. However, a person shall not knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into the computer, computer network, or computer system of another person without the authorization of the other person.6. A person who has suffered a specific and direct injury because of a violation of this section may bring a civil action in a court of competent jurisdiction. a. In an action under this subsection, the court may award actual damages, reasonable attorney fees, and court costs.b. A conviction for an offense under this section is not a prerequisite for the filing of a civil action.Added by 2023 Iowa, ch 77, s 7, eff. 7/1/2023.