| |
| |
| |
|
|
AN ACT
|
|
|
relating to the use of a computer for an unauthorized purpose; |
|
|
providing a civil penalty. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 324.002, Business & Commerce Code, as |
|
|
effective April 1, 2009, is amended by adding Subdivisions (1-a) |
|
|
and (9) to read as follows: |
|
|
(1-a) "Botnet" means a collection of two or more |
|
|
zombies. |
|
|
(9) "Zombie" means a computer that, without the |
|
|
knowledge and consent of the computer's owner or operator, has been |
|
|
compromised to give access or control to a program or person other |
|
|
than the computer's owner or operator. |
|
|
SECTION 2. Subsection (a), Section 324.003, Business & |
|
|
Commerce Code, as effective April 1, 2009, is amended to read as |
|
|
follows: |
|
|
(a) Section 324.052, other than Subdivision (1) of that |
|
|
section, and Sections 324.053(4), [and] 324.054, and 324.055 do not |
|
|
apply to a telecommunications carrier, cable operator, computer |
|
|
hardware or software provider, or provider of information service |
|
|
or interactive computer service that monitors or has interaction |
|
|
with a subscriber's Internet or other network connection or service |
|
|
or a protected computer for: |
|
|
(1) a network or computer security purpose; |
|
|
(2) diagnostics, technical support, or a repair |
|
|
purpose; |
|
|
(3) an authorized update of computer software or |
|
|
system firmware; |
|
|
(4) authorized remote system management; or |
|
|
(5) detection or prevention of unauthorized use of or |
|
|
fraudulent or other illegal activity in connection with a network, |
|
|
service, or computer software, including scanning for and removing |
|
|
software proscribed under this chapter. |
|
|
SECTION 3. Section 324.005, Business & Commerce Code, as |
|
|
effective April 1, 2009, is amended to read as follows: |
|
|
Sec. 324.005. KNOWING VIOLATION. A person knowingly |
|
|
violates Section 324.051, 324.052, [or] 324.053, or 324.055 if the |
|
|
person: |
|
|
(1) acts with actual knowledge of the facts that |
|
|
constitute the violation; or |
|
|
(2) consciously avoids information that would |
|
|
establish actual knowledge of those facts. |
|
|
SECTION 4. Subchapter B, Chapter 324, Business & Commerce |
|
|
Code, as effective April 1, 2009, is amended by adding Section |
|
|
324.055 to read as follows: |
|
|
Sec. 324.055. UNAUTHORIZED CREATION OF, ACCESS TO, OR USE |
|
|
OF ZOMBIES OR BOTNETS; PRIVATE ACTION. (a) In this section: |
|
|
(1) "Internet service provider" means a person |
|
|
providing connectivity to the Internet or another wide area |
|
|
network. |
|
|
(2) "Person" has the meaning assigned by Section |
|
|
311.005, Government Code. |
|
|
(b) A person who is not the owner or operator of the computer |
|
|
may not knowingly cause or offer to cause a computer to become a |
|
|
zombie or part of a botnet. |
|
|
(c) A person may not knowingly create, have created, use, or |
|
|
offer to use a zombie or botnet to: |
|
|
(1) send an unsolicited commercial electronic mail |
|
|
message, as defined by Section 321.001; |
|
|
(2) send a signal to a computer system or network that |
|
|
causes a loss of service to users; |
|
|
(3) send data from a computer without authorization by |
|
|
the owner or operator of the computer; |
|
|
(4) forward computer software designed to damage or |
|
|
disrupt another computer or system; |
|
|
(5) collect personally identifiable information; or |
|
|
(6) perform an act for another purpose not authorized |
|
|
by the owner or operator of the computer. |
|
|
(d) A person may not: |
|
|
(1) purchase, rent, or otherwise gain control of a |
|
|
zombie or botnet created by another person; or |
|
|
(2) sell, lease, offer for sale or lease, or otherwise |
|
|
provide to another person access to or use of a zombie or botnet. |
|
|
(e) The following persons may bring a civil action against a |
|
|
person who violates this section: |
|
|
(1) a person who is acting as an Internet service |
|
|
provider and whose network is used to commit a violation under this |
|
|
section; or |
|
|
(2) a person who has incurred a loss or disruption of |
|
|
the conduct of the person's business, including for-profit or |
|
|
not-for-profit activities, as a result of the violation. |
|
|
(f) A person bringing an action under this section may, for |
|
|
each violation: |
|
|
(1) seek injunctive relief to restrain a violator from |
|
|
continuing the violation; |
|
|
(2) subject to Subsection (g), recover damages in an |
|
|
amount equal to the greater of: |
|
|
(A) actual damages arising from the violation; or |
|
|
(B) $100,000 for each zombie used to commit the |
|
|
violation; or |
|
|
(3) obtain both injunctive relief and damages. |
|
|
(g) The court may increase an award of damages, statutory or |
|
|
otherwise, in an action brought under this section to an amount not |
|
|
to exceed three times the applicable damages if the court finds that |
|
|
the violations have occurred with such a frequency as to constitute |
|
|
a pattern or practice. |
|
|
(h) A plaintiff who prevails in an action brought under this |
|
|
section is entitled to recover court costs and reasonable |
|
|
attorney's fees, reasonable fees of experts, and other reasonable |
|
|
costs of litigation. |
|
|
(i) A remedy authorized by this section is not exclusive but |
|
|
is in addition to any other procedure or remedy provided for by |
|
|
other statutory or common law. |
|
|
(j) Nothing in this section may be construed to impose |
|
|
liability on the following persons with respect to a violation of |
|
|
this section committed by another person: |
|
|
(1) an Internet service provider; |
|
|
(2) a provider of interactive computer service, as |
|
|
defined by Section 230, Communications Act of 1934 (47 U.S.C. |
|
|
Section 230); |
|
|
(3) a telecommunications provider, as defined by |
|
|
Section 51.002, Utilities Code; or |
|
|
(4) a video service provider or cable service |
|
|
provider, as defined by Section 66.002, Utilities Code. |
|
|
SECTION 5. Subsection (a), Section 324.101, Business & |
|
|
Commerce Code, as effective April 1, 2009, is amended to read as |
|
|
follows: |
|
|
(a) Any of the following persons, if adversely affected by |
|
|
the violation, may bring a civil action against a person who |
|
|
violates Section 324.051, 324.052, 324.053, or 324.054 [this
|
|
|
chapter]: |
|
|
(1) a provider of computer software; |
|
|
(2) an owner of a web page or trademark; |
|
|
(3) a telecommunications carrier; |
|
|
(4) a cable operator; or |
|
|
(5) an Internet service provider. |
|
|
SECTION 6. The changes in law made by this Act apply only to |
|
|
conduct that occurs on or after the effective date of this Act. |
|
|
Conduct that occurs before the effective date of this Act is |
|
|
governed by the law in effect at the time the conduct occurred, and |
|
|
that law is continued in effect for that purpose. |
|
|
SECTION 7. This Act takes effect September 1, 2009. |
|
|
|
|
|
|
| |
| |
| |
| |
______________________________ |
______________________________ |
| |
President of the Senate |
Speaker of the House |
| |
|
|
I hereby certify that S.B. No. 28 passed the Senate on |
|
|
April 14, 2009, by the following vote: Yeas 30, Nays 0; and that |
|
|
the Senate concurred in House amendments on May 28, 2009, by the |
|
|
following vote: Yeas 31, Nays 0. |
|
|
|
| |
| |
______________________________ |
| |
Secretary of the Senate |
| |
|
|
I hereby certify that S.B. No. 28 passed the House, with |
|
|
amendments, on May 19, 2009, by the following vote: Yeas 143, |
|
|
Nays 0, two present not voting. |
|
|
|
| |
| |
______________________________ |
| |
Chief Clerk of the House |
| |
|
|
|
| |
|
|
Approved: |
|
|
|
|
|
______________________________ |
|
|
Date |
|
|
|
|
|
|
|
|
______________________________ |
|
|
Governor |