BILL ANALYSIS C.S.H.B. 3373 By: Deshotel Technology, Economic Development & Workforce Committee Report (Substituted) BACKGROUND AND PURPOSE Under current law, computers are not prohibited from being used in a botnet. A botnet is a collection of compromised computers used to perpetuate cybercrime. Botnets are increasingly used by cybercriminals to send messages or software without a computer user's knowledge in order to make a computer resource unavailable to its intended users or to steal personally identifiable information. Electronic commerce is quickly becoming the next frontier of international business and is being threatened by the use of botnets. Symantec, a computer security company, reported observing an average of 57,000 bots (individually compromised machines also known as zombies) per day during the first half of 2006. During this period, Symantec discovered a total of 4.7 million computers actively being used in botnets. C.S.H.B. 3373 prohibits a person who is not the owner or operator of a computer from knowingly causing the computer to become a zombie or part of a botnet. The bill also prohibits a person from using a zombie or botnet for certain purposes. RULEMAKING AUTHORITY It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution. ANALYSIS C.S.H.B. 3373 amends the Business & Commerce Code to add provisions relating to botnets and zombies. The bill defines a "botnet" as a collection of two or more zombies and a "zombie" as a computer that, without the knowledge and consent of the computer's owner or operator, has been compromised to give access or control to a program or person other than the computer's owner or operator. The bill also defines "Internet service provider" and "person" for purposes of the bill's provisions. C.S.H.B. 3373 prohibits a person who is not the owner or operator of a computer from knowingly causing or offering to cause the computer to become a zombie or part of a botnet. The bill prohibits a person from knowingly creating, having created, using, or offering to use a zombie or botnet to: send an unsolicited commercial electronic mail message, as defined by law; send a signal to a computer system or network that causes a loss of service to users; send data from a computer without authorization by the owner or operator of the computer; forward computer software designed to damage or disrupt another computer or system; collect personally identifiable information; or perform an act for another purpose not authorized by the owner or operator of the computer. C.S.H.B. 3373 prohibits a person from purchasing, renting, or otherwise gaining control of a zombie or botnet created by another person or selling, leasing, offering for sale or lease, or otherwise providing to another person access to or use of a zombie or botnet. C.S.H.B. 3373 permits a civil action to be brought against a person who violates the bill's provisions by a person who is acting as an Internet service provider and whose network is used to commit a violation; a person who has incurred a loss or disruption of the conduct of the person's business, including for-profit and not-for-profit activities, as a result of the violation; or the attorney general. The bill specifies that the attorney general may seek only injunctive relief and actual damages, except in those instances in which the attorney general represents a governmental entity. C.S.H.B. 3373 entitles a person bringing an action, for each violation, to obtain injunctive relief, damages, or both injunctive relief and damages. The bill prescribes the amount of damages as an amount equal to the greater of actual damages arising from the violation or $100,000 for each zombie used to commit the violation. The bill authorizes the court to increase an award of damages, statutory or otherwise, in an action to an amount not to exceed three times the applicable damages if the court finds that the violation has reoccurred with sufficient frequency to constitute a pattern or practice. The bill entitles a plaintiff who prevails in an action to recover court costs and reasonable attorney's fees, reasonable fees of experts, and other reasonable costs of litigation. The bill declares that a remedy authorized by the bill's provisions is not exclusive but is in addition to any other procedure or remedy provided for by other statutory or common law. C.S.H.B. 3373 excludes the bill's provisions from the authority of certain persons to bring a civil action against a person who violates a provision of the law relating to consumer protection against computer spyware. The bill makes its provisions inapplicable to a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service that monitors or has interaction with a subscriber's Internet or other network connection or service or a protected computer for certain purposes. The bill provides that a person knowingly violates the bill's provisions if the person acts with actual knowledge of the facts that constitute the violation or consciously avoids information that would establish actual knowledge of those facts. C.S.H.B. 3373 establishes that its provisions may not be construed to impose liability on an Internet service provider, a provider of interactive computer service, as defined by federal law, a telecommunications provider, as defined by the Utilities Code, or a video service provider or cable service provider, as defined by that code, with respect to a violation of these provisions by another person. EFFECTIVE DATE September 1, 2009. COMPARISON OF ORIGINAL AND SUBSTITUTE C.S.H.B. 3373 defines "botnet" as a collection of two or more zombies, rather than a collection of zombies as in the original. The substitute adds provisions not in the original to define "Internet service provider" and "person." The substitute prohibits a person from using a zombie or botnet to send a signal to a computer system or network that causes a loss of service to users, rather than using a zombie or botnet for an attack on a computer system or network as in the original. The substitute removes provisions from the original prohibiting a person from using a zombie or botnet to artificially add increments to a click counter by automatically clicking on an advertisement on an Internet website or to manipulate online polls or games. The substitute adds a provision not in the original to prohibit a person from using a zombie or botnet to send data from a computer without authorization by the owner or operator of the computer. C.S.H.B. 3373 removes a provision from the original prohibiting a person from providing substantial assistance or support to another person knowing that the other person is engaged in an act or practice that is a violation. The substitute authorizes a person who is acting as an Internet service provider and whose network is used to commit a violation to bring a civil action, whereas the original authorizes a person in business as an Internet service provider that is adversely affected by the violation to bring a civil action. The substitute authorizes a person who has incurred a loss or disruption of the conduct of the person's business, including for-profit or not-for-profit activities, to bring a civil action, whereas the original authorizes a business organization that has incurred a loss or disruption of its business activities to bring a civil action. The substitute removes a provision from the original authorizing a person bringing an action to obtain $100,000 for each violation consisting of the same course of conduct or action, regardless of the number of times the conduct or act occurred. The substitute adds a provision not in the original to specify that, in bringing an action, the attorney general may seek only injunctive relief and actual damages, except in those instances in which the attorney general represents a governmental entity. C.S.H.B. 3373 adds a provision not in the original to specify that nothing in the substitute may be construed to impose liability on an Internet service provider, a provider of interactive computer service, a telecommunications provider, or a video service provider or cable service provider as defined by law.
BILL ANALYSIS
# BILL ANALYSIS
C.S.H.B. 3373
By: Deshotel
Technology, Economic Development & Workforce
Committee Report (Substituted)
C.S.H.B. 3373
By: Deshotel
Technology, Economic Development & Workforce
Committee Report (Substituted)
BACKGROUND AND PURPOSE Under current law, computers are not prohibited from being used in a botnet. A botnet is a collection of compromised computers used to perpetuate cybercrime. Botnets are increasingly used by cybercriminals to send messages or software without a computer user's knowledge in order to make a computer resource unavailable to its intended users or to steal personally identifiable information. Electronic commerce is quickly becoming the next frontier of international business and is being threatened by the use of botnets. Symantec, a computer security company, reported observing an average of 57,000 bots (individually compromised machines also known as zombies) per day during the first half of 2006. During this period, Symantec discovered a total of 4.7 million computers actively being used in botnets. C.S.H.B. 3373 prohibits a person who is not the owner or operator of a computer from knowingly causing the computer to become a zombie or part of a botnet. The bill also prohibits a person from using a zombie or botnet for certain purposes.
RULEMAKING AUTHORITY It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.
ANALYSIS C.S.H.B. 3373 amends the Business & Commerce Code to add provisions relating to botnets and zombies. The bill defines a "botnet" as a collection of two or more zombies and a "zombie" as a computer that, without the knowledge and consent of the computer's owner or operator, has been compromised to give access or control to a program or person other than the computer's owner or operator. The bill also defines "Internet service provider" and "person" for purposes of the bill's provisions. C.S.H.B. 3373 prohibits a person who is not the owner or operator of a computer from knowingly causing or offering to cause the computer to become a zombie or part of a botnet. The bill prohibits a person from knowingly creating, having created, using, or offering to use a zombie or botnet to: send an unsolicited commercial electronic mail message, as defined by law; send a signal to a computer system or network that causes a loss of service to users; send data from a computer without authorization by the owner or operator of the computer; forward computer software designed to damage or disrupt another computer or system; collect personally identifiable information; or perform an act for another purpose not authorized by the owner or operator of the computer. C.S.H.B. 3373 prohibits a person from purchasing, renting, or otherwise gaining control of a zombie or botnet created by another person or selling, leasing, offering for sale or lease, or otherwise providing to another person access to or use of a zombie or botnet. C.S.H.B. 3373 permits a civil action to be brought against a person who violates the bill's provisions by a person who is acting as an Internet service provider and whose network is used to commit a violation; a person who has incurred a loss or disruption of the conduct of the person's business, including for-profit and not-for-profit activities, as a result of the violation; or the attorney general. The bill specifies that the attorney general may seek only injunctive relief and actual damages, except in those instances in which the attorney general represents a governmental entity. C.S.H.B. 3373 entitles a person bringing an action, for each violation, to obtain injunctive relief, damages, or both injunctive relief and damages. The bill prescribes the amount of damages as an amount equal to the greater of actual damages arising from the violation or $100,000 for each zombie used to commit the violation. The bill authorizes the court to increase an award of damages, statutory or otherwise, in an action to an amount not to exceed three times the applicable damages if the court finds that the violation has reoccurred with sufficient frequency to constitute a pattern or practice. The bill entitles a plaintiff who prevails in an action to recover court costs and reasonable attorney's fees, reasonable fees of experts, and other reasonable costs of litigation. The bill declares that a remedy authorized by the bill's provisions is not exclusive but is in addition to any other procedure or remedy provided for by other statutory or common law. C.S.H.B. 3373 excludes the bill's provisions from the authority of certain persons to bring a civil action against a person who violates a provision of the law relating to consumer protection against computer spyware. The bill makes its provisions inapplicable to a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service that monitors or has interaction with a subscriber's Internet or other network connection or service or a protected computer for certain purposes. The bill provides that a person knowingly violates the bill's provisions if the person acts with actual knowledge of the facts that constitute the violation or consciously avoids information that would establish actual knowledge of those facts. C.S.H.B. 3373 establishes that its provisions may not be construed to impose liability on an Internet service provider, a provider of interactive computer service, as defined by federal law, a telecommunications provider, as defined by the Utilities Code, or a video service provider or cable service provider, as defined by that code, with respect to a violation of these provisions by another person.
EFFECTIVE DATE September 1, 2009.
COMPARISON OF ORIGINAL AND SUBSTITUTE
C.S.H.B. 3373 defines "botnet" as a collection of two or more zombies, rather than a collection of zombies as in the original. The substitute adds provisions not in the original to define "Internet service provider" and "person." The substitute prohibits a person from using a zombie or botnet to send a signal to a computer system or network that causes a loss of service to users, rather than using a zombie or botnet for an attack on a computer system or network as in the original. The substitute removes provisions from the original prohibiting a person from using a zombie or botnet to artificially add increments to a click counter by automatically clicking on an advertisement on an Internet website or to manipulate online polls or games. The substitute adds a provision not in the original to prohibit a person from using a zombie or botnet to send data from a computer without authorization by the owner or operator of the computer. C.S.H.B. 3373 removes a provision from the original prohibiting a person from providing substantial assistance or support to another person knowing that the other person is engaged in an act or practice that is a violation. The substitute authorizes a person who is acting as an Internet service provider and whose network is used to commit a violation to bring a civil action, whereas the original authorizes a person in business as an Internet service provider that is adversely affected by the violation to bring a civil action. The substitute authorizes a person who has incurred a loss or disruption of the conduct of the person's business, including for-profit or not-for-profit activities, to bring a civil action, whereas the original authorizes a business organization that has incurred a loss or disruption of its business activities to bring a civil action. The substitute removes a provision from the original authorizing a person bringing an action to obtain $100,000 for each violation consisting of the same course of conduct or action, regardless of the number of times the conduct or act occurred. The substitute adds a provision not in the original to specify that, in bringing an action, the attorney general may seek only injunctive relief and actual damages, except in those instances in which the attorney general represents a governmental entity. C.S.H.B. 3373 adds a provision not in the original to specify that nothing in the substitute may be construed to impose liability on an Internet service provider, a provider of interactive computer service, a telecommunications provider, or a video service provider or cable service provider as defined by law.
BACKGROUND AND PURPOSE
Under current law, computers are not prohibited from being used in a botnet. A botnet is a collection of compromised computers used to perpetuate cybercrime. Botnets are increasingly used by cybercriminals to send messages or software without a computer user's knowledge in order to make a computer resource unavailable to its intended users or to steal personally identifiable information. Electronic commerce is quickly becoming the next frontier of international business and is being threatened by the use of botnets. Symantec, a computer security company, reported observing an average of 57,000 bots (individually compromised machines also known as zombies) per day during the first half of 2006. During this period, Symantec discovered a total of 4.7 million computers actively being used in botnets.
C.S.H.B. 3373 prohibits a person who is not the owner or operator of a computer from knowingly causing the computer to become a zombie or part of a botnet. The bill also prohibits a person from using a zombie or botnet for certain purposes.
RULEMAKING AUTHORITY
It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.
ANALYSIS
C.S.H.B. 3373 amends the Business & Commerce Code to add provisions relating to botnets and zombies. The bill defines a "botnet" as a collection of two or more zombies and a "zombie" as a computer that, without the knowledge and consent of the computer's owner or operator, has been compromised to give access or control to a program or person other than the computer's owner or operator. The bill also defines "Internet service provider" and "person" for purposes of the bill's provisions.
C.S.H.B. 3373 prohibits a person who is not the owner or operator of a computer from knowingly causing or offering to cause the computer to become a zombie or part of a botnet. The bill prohibits a person from knowingly creating, having created, using, or offering to use a zombie or botnet to:
C.S.H.B. 3373 prohibits a person from purchasing, renting, or otherwise gaining control of a zombie or botnet created by another person or selling, leasing, offering for sale or lease, or otherwise providing to another person access to or use of a zombie or botnet.
C.S.H.B. 3373 permits a civil action to be brought against a person who violates the bill's provisions by a person who is acting as an Internet service provider and whose network is used to commit a violation; a person who has incurred a loss or disruption of the conduct of the person's business, including for-profit and not-for-profit activities, as a result of the violation; or the attorney general. The bill specifies that the attorney general may seek only injunctive relief and actual damages, except in those instances in which the attorney general represents a governmental entity.
C.S.H.B. 3373 entitles a person bringing an action, for each violation, to obtain injunctive relief, damages, or both injunctive relief and damages. The bill prescribes the amount of damages as an amount equal to the greater of actual damages arising from the violation or $100,000 for each zombie used to commit the violation. The bill authorizes the court to increase an award of damages, statutory or otherwise, in an action to an amount not to exceed three times the applicable damages if the court finds that the violation has reoccurred with sufficient frequency to constitute a pattern or practice. The bill entitles a plaintiff who prevails in an action to recover court costs and reasonable attorney's fees, reasonable fees of experts, and other reasonable costs of litigation. The bill declares that a remedy authorized by the bill's provisions is not exclusive but is in addition to any other procedure or remedy provided for by other statutory or common law.
C.S.H.B. 3373 excludes the bill's provisions from the authority of certain persons to bring a civil action against a person who violates a provision of the law relating to consumer protection against computer spyware. The bill makes its provisions inapplicable to a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service that monitors or has interaction with a subscriber's Internet or other network connection or service or a protected computer for certain purposes. The bill provides that a person knowingly violates the bill's provisions if the person acts with actual knowledge of the facts that constitute the violation or consciously avoids information that would establish actual knowledge of those facts.
C.S.H.B. 3373 establishes that its provisions may not be construed to impose liability on an Internet service provider, a provider of interactive computer service, as defined by federal law, a telecommunications provider, as defined by the Utilities Code, or a video service provider or cable service provider, as defined by that code, with respect to a violation of these provisions by another person.
EFFECTIVE DATE
September 1, 2009.
COMPARISON OF ORIGINAL AND SUBSTITUTE
C.S.H.B. 3373 defines "botnet" as a collection of two or more zombies, rather than a collection of zombies as in the original. The substitute adds provisions not in the original to define "Internet service provider" and "person." The substitute prohibits a person from using a zombie or botnet to send a signal to a computer system or network that causes a loss of service to users, rather than using a zombie or botnet for an attack on a computer system or network as in the original. The substitute removes provisions from the original prohibiting a person from using a zombie or botnet to artificially add increments to a click counter by automatically clicking on an advertisement on an Internet website or to manipulate online polls or games. The substitute adds a provision not in the original to prohibit a person from using a zombie or botnet to send data from a computer without authorization by the owner or operator of the computer.
C.S.H.B. 3373 removes a provision from the original prohibiting a person from providing substantial assistance or support to another person knowing that the other person is engaged in an act or practice that is a violation. The substitute authorizes a person who is acting as an Internet service provider and whose network is used to commit a violation to bring a civil action, whereas the original authorizes a person in business as an Internet service provider that is adversely affected by the violation to bring a civil action. The substitute authorizes a person who has incurred a loss or disruption of the conduct of the person's business, including for-profit or not-for-profit activities, to bring a civil action, whereas the original authorizes a business organization that has incurred a loss or disruption of its business activities to bring a civil action. The substitute removes a provision from the original authorizing a person bringing an action to obtain $100,000 for each violation consisting of the same course of conduct or action, regardless of the number of times the conduct or act occurred. The substitute adds a provision not in the original to specify that, in bringing an action, the attorney general may seek only injunctive relief and actual damages, except in those instances in which the attorney general represents a governmental entity.
C.S.H.B. 3373 adds a provision not in the original to specify that nothing in the substitute may be construed to impose liability on an Internet service provider, a provider of interactive computer service, a telecommunications provider, or a video service provider or cable service provider as defined by law.