By: Zaffirini S.B. No. 28
A BILL TO BE ENTITLED
AN ACT
relating to the use of a computer for an unauthorized purpose;
providing a civil penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 324.002, Business & Commerce Code, as
effective April 1, 2009, is amended by adding Subdivisions (1-a)
and (9) to read as follows:
(1-a) "Botnet" means a collection of zombies.
(9) "Zombie" means a computer that, without the
knowledge and consent of the computer's owner or operator, has been
compromised to give access or control to a program or person other
than the computer's owner or operator.
SECTION 2. Subsection (a), Section 324.003, Business &
Commerce Code, as effective April 1, 2009, is amended to read as
follows:
(a) Section 324.052, other than Subdivision (1) of that
section, and Sections 324.053(4), [and] 324.054, and 324.055 do not
apply to a telecommunications carrier, cable operator, computer
hardware or software provider, or provider of information service
or interactive computer service that monitors or has interaction
with a subscriber's Internet or other network connection or service
or a protected computer for:
(1) a network or computer security purpose;
(2) diagnostics, technical support, or a repair
purpose;
(3) an authorized update of computer software or
system firmware;
(4) authorized remote system management; or
(5) detection or prevention of unauthorized use of or
fraudulent or other illegal activity in connection with a network,
service, or computer software, including scanning for and removing
software proscribed under this chapter.
SECTION 3. Section 324.005, Business & Commerce Code, as
effective April 1, 2009, is amended to read as follows:
Sec. 324.005. KNOWING VIOLATION. A person knowingly
violates Section 324.051, 324.052, [or] 324.053, or 324.055 if the
person:
(1) acts with actual knowledge of the facts that
constitute the violation; or
(2) consciously avoids information that would
establish actual knowledge of those facts.
SECTION 4. Subchapter B, Chapter 324, Business & Commerce
Code, as effective April 1, 2009, is amended by adding Section
324.055 to read as follows:
Sec. 324.055. UNAUTHORIZED CREATION, ACCESS TO, OR USE OF
ZOMBIES OR BOTNETS; PRIVATE ACTION. (a) A person other than the
owner or operator of the computer may not knowingly cause or offer
to cause a computer to become a zombie or part of a botnet.
(b) A person may not knowingly create, have created, use, or
offer to use a zombie or botnet:
(1) to send an unsolicited commercial electronic mail
message, as defined by Section 321.001;
(2) for an attack on a computer system or network that
causes a loss of service to users;
(3) to artificially add increments to a click counter
by automatically clicking on an advertisement on an Internet
website;
(4) to forward computer software designed to damage or
disrupt another computer or system;
(5) to collect personally identifiable information;
(6) to manipulate online polls or games; or
(7) for another purpose not authorized by the owner or
operator of the computer.
(c) A person may not:
(1) purchase, rent, or otherwise gain control of a
zombie or botnet created by another person; or
(2) sell, lease, offer for sale or lease, or otherwise
provide to another person access to or use of a zombie or botnet.
(d) A person may not provide substantial assistance or
support to another person knowing that the other person is engaged
in an act or practice that violates this section.
(e) Any of the following persons may bring a civil action
against a person who violates this section:
(1) a person in business as an Internet service
provider that is adversely affected by the violation;
(2) a business organization that has incurred a loss
or disruption of its business activities as a result of the
violation; or
(3) the attorney general.
(f) A person bringing an action under this section may
obtain:
(1) injunctive relief that restrains the violator from
continuing the violation;
(2) subject to Subsection (g), damages in an amount
equal to the greater of:
(A) actual damages arising from the violation;
(B) $100,000 for each violation consisting of the
same course of conduct or action, regardless of the number of times
the conduct or act occurred; or
(C) $100,000 for each zombie used to commit the
violation; or
(3) both injunctive relief and damages.
(g) The court may increase an award of damages, statutory or
otherwise, in an action brought under this section to an amount not
to exceed three times the applicable damages if the court finds that
the violation has reoccurred with sufficient frequency to
constitute a pattern or practice.
(h) A plaintiff who prevails in an action brought under this
section is entitled to recover court costs and reasonable
attorney's fees, reasonable fees of experts, and other reasonable
costs of litigation.
(i) A remedy authorized by this section is not exclusive but
is in addition to any other procedure or remedy provided for by
other statutory or common law.
(j) Nothing in this section may be construed to impose
liability on the following persons with respect to a violation of
this section committed by another person:
(1) an Internet service provider;
(2) a provider of interactive computer service, as
defined by Section 230, Communications Act of 1934 (47 U.S.C.
Section 230);
(3) a telecommunications provider, as defined by
Section 51.002, Utilities Code; or
(4) a video service provider or cable service
provider, as defined by Section 66.002, Utilities Code.
SECTION 5. Subsection (a), Section 324.101, Business &
Commerce Code, as effective April 1, 2009, is amended to read as
follows:
(a) Any of the following persons, if adversely affected by
the violation, may bring a civil action against a person who
violates a provision of this chapter other than Section 324.055:
(1) a provider of computer software;
(2) an owner of a web page or trademark;
(3) a telecommunications carrier;
(4) a cable operator; or
(5) an Internet service provider.
SECTION 6. The changes in law made by this Act apply only to
conduct that occurs on or after the effective date of this Act.
Conduct that occurs before the effective date of this Act is
governed by the law in effect at the time the conduct occurred, and
that law is continued in effect for that purpose.
SECTION 7. This Act takes effect September 1, 2009.