Texas 2009 81st Regular

Texas Senate Bill SB28 House Committee Report / Analysis

Filed 02/01/2025

BILL ANALYSIS

C.S.S.B. 28
By: Zaffirini
Technology, Economic Development & Workforce
Committee Report (Substituted)

BACKGROUND AND PURPOSE

Currently, the use of botnets is not prohibited under law. A bot is computer software that operates as an agent for a user or another computer program or that simulates a human activity. A botnet is a collection of compromised computers used to perpetuate cybercrime.

S.B. 327, 79th Legislature, Regular Session, 2005, prohibited a person or entity from knowingly installing spyware, which allows a third party to read keystrokes, or providing computer software containing spyware to any computer in Texas, and provided civil penalties for knowingly installing spyware, as well as a cause of action for victims.

C.S.S.B. 28 adds the use of botnets to the list of prohibited actions using a computer. The bill authorizes civil penalties for using a botnet, including a cause of action for a victim, and authorizes the attorney general to seek injunctive relief and actual damages with respect to a violation of the bill's provisions.

RULEMAKING AUTHORITY

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

ANALYSIS

C.S.S.B. 28 amends the Business & Commerce Code to add provisions relating to botnets and zombies. The bill defines a "botnet" as a collection of two or more zombies and a "zombie" as a computer that, without the knowledge and consent of the computer's owner or operator, has been compromised to give access or control to a program or person other than the computer's owner or operator. The bill also defines "Internet service provider" and "person" for purposes of the bill's provisions.

C.S.S.B. 28 prohibits a person who is not the owner or operator of a computer from knowingly causing or offering to cause the computer to become a zombie or part of a botnet. The bill prohibits a person from knowingly creating, having created, using, or offering to use a zombie or botnet to:

- send an unsolicited commercial electronic mail message, as defined by law;
- send a signal to a computer system or network that causes a loss of service to users;
- send data from a computer without authorization by the owner or operator of the computer;
- forward computer software designed to damage or disrupt another computer or system;
- collect personally identifiable information; or
- perform an act for another purpose not authorized by the owner or operator of the computer.

C.S.S.B. 28 prohibits a person from purchasing, renting, or otherwise gaining control of a zombie or botnet created by another person or selling, leasing, offering for sale or lease, or otherwise providing to another person access to or use of a zombie or botnet.

C.S.S.B. 28 permits a civil action to be brought against a person who violates the bill's provisions by a person who is acting as an Internet service provider and whose network is used to commit a violation; a person who has incurred a loss or disruption of the conduct of the person's business, including for-profit and not-for-profit activities, as a result of the violation; or the attorney general. The bill specifies that the attorney general may seek only injunctive relief and actual damages, except in those instances in which the attorney general represents a governmental entity.

C.S.S.B. 28 entitles a person bringing an action, for each violation, to obtain injunctive relief, damages, or both injunctive relief and damages. The bill prescribes the amount of damages as an amount equal to the greater of actual damages arising from the violation or $100,000 for each zombie used to commit the violation. The bill authorizes the court to increase an award of damages, statutory or otherwise, in an action to an amount not to exceed three times the applicable damages if the court finds that the violations have occurred with such a frequency as to constitute a pattern or practice. The bill entitles a plaintiff who prevails in an action to recover court costs and reasonable attorney's fees, reasonable fees of experts, and other reasonable costs of litigation. The bill declares that a remedy authorized by the bill's provisions is not exclusive but is in addition to any other procedure or remedy provided for by other statutory or common law.

C.S.S.B. 28 establishes that its provisions may not be construed to impose liability on an Internet service provider, a provider of interactive computer service, as defined by federal law, a telecommunications provider, as defined by the Utilities Code, or a video service provider or cable service provider, as defined by that code, with respect to a violation of these provisions by another person.

C.S.S.B. 28 authorizes a provider of computer software, an owner of a web page or trademark, a telecommunications carrier, a cable operator, or an Internet service provider to bring a civil suit against a person who violates certain provisions of the Consumer Protection Against Computer Spyware Act excluding a person who violates the bill's provisions, and makes conforming changes. The bill adds the bill's provisions to the law establishing exceptions to the applicability of that act. The bill adds the bill's provisions to the law establishing the criteria to engage in a knowing violation under that act.

EFFECTIVE DATE

September 1, 2009.

COMPARISON OF ORIGINAL AND SUBSTITUTE

C.S.S.B. 28 defines "botnet" as a collection of two or more zombies, rather than a collection of zombies as in the original. The substitute adds provisions not in the original to define "Internet service provider" and "person." The substitute prohibits a person from using a zombie or botnet to send a signal to a computer system or network that causes a loss of service to users, rather than using a zombie or botnet for an attack on a computer system or network as in the original. The substitute removes provisions included in the original prohibiting a person from using a zombie or botnet to artificially add increments to a click counter by automatically clicking on an advertisement on an Internet website or to manipulate online polls or games. The substitute adds a provision not in the original to prohibit a person from using a zombie or botnet to send data from a computer without authorization by the owner or operator of the computer.

C.S.S.B. 28 removes a provision included in the original prohibiting a person from providing substantial assistance or support to another person knowing that the other person is engaged in an act or practice that is a violation. The substitute authorizes a person who is acting as an Internet service provider and whose network is used to commit a violation to bring a civil action, whereas the original authorizes a person in business as an Internet service provider that is adversely affected by the violation to bring a civil action. The substitute authorizes a person who has incurred a loss or disruption of the conduct of the person's business, including for-profit or not-for-profit activities, to bring a civil action, whereas the original authorizes a business organization that has incurred a loss or disruption of its business activities to bring a civil action.

C.S.S.B. 28 removes a provision included in the original authorizing a person bringing an action to obtain $100,000 for each violation consisting of the same course of conduct or action, regardless of the number of times the conduct or act occurred. The substitute differs from the original by authorizing a person to obtain injunctive relief and damages for each violation. The substitute adds a provision not in the original to specify that, in bringing an action, the attorney general may seek only injunctive relief and actual damages, except in those instances in which the attorney general represents a governmental entity.
