S.B. No. 28
AN ACT
relating to the use of a computer for an unauthorized purpose;
providing a civil penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 324.002, Business & Commerce Code, as
effective April 1, 2009, is amended by adding Subdivisions (1-a)
and (9) to read as follows:
(1-a) "Botnet" means a collection of two or more
zombies.
(9) "Zombie" means a computer that, without the
knowledge and consent of the computer's owner or operator, has been
compromised to give access or control to a program or person other
than the computer's owner or operator.
SECTION 2. Subsection (a), Section 324.003, Business &
Commerce Code, as effective April 1, 2009, is amended to read as
follows:
(a) Section 324.052, other than Subdivision (1) of that
section, and Sections 324.053(4), [and] 324.054, and 324.055 do not
apply to a telecommunications carrier, cable operator, computer
hardware or software provider, or provider of information service
or interactive computer service that monitors or has interaction
with a subscriber's Internet or other network connection or service
or a protected computer for:
(1) a network or computer security purpose;
(2) diagnostics, technical support, or a repair
purpose;
(3) an authorized update of computer software or
system firmware;
(4) authorized remote system management; or
(5) detection or prevention of unauthorized use of or
fraudulent or other illegal activity in connection with a network,
service, or computer software, including scanning for and removing
software proscribed under this chapter.
SECTION 3. Section 324.005, Business & Commerce Code, as
effective April 1, 2009, is amended to read as follows:
Sec. 324.005. KNOWING VIOLATION. A person knowingly
violates Section 324.051, 324.052, [or] 324.053, or 324.055 if the
person:
(1) acts with actual knowledge of the facts that
constitute the violation; or
(2) consciously avoids information that would
establish actual knowledge of those facts.
SECTION 4. Subchapter B, Chapter 324, Business & Commerce
Code, as effective April 1, 2009, is amended by adding Section
324.055 to read as follows:
Sec. 324.055. UNAUTHORIZED CREATION OF, ACCESS TO, OR USE
OF ZOMBIES OR BOTNETS; PRIVATE ACTION. (a) In this section:
(1) "Internet service provider" means a person
providing connectivity to the Internet or another wide area
network.
(2) "Person" has the meaning assigned by Section
311.005, Government Code.
(b) A person who is not the owner or operator of the computer
may not knowingly cause or offer to cause a computer to become a
zombie or part of a botnet.
(c) A person may not knowingly create, have created, use, or
offer to use a zombie or botnet to:
(1) send an unsolicited commercial electronic mail
message, as defined by Section 321.001;
(2) send a signal to a computer system or network that
causes a loss of service to users;
(3) send data from a computer without authorization by
the owner or operator of the computer;
(4) forward computer software designed to damage or
disrupt another computer or system;
(5) collect personally identifiable information; or
(6) perform an act for another purpose not authorized
by the owner or operator of the computer.
(d) A person may not:
(1) purchase, rent, or otherwise gain control of a
zombie or botnet created by another person; or
(2) sell, lease, offer for sale or lease, or otherwise
provide to another person access to or use of a zombie or botnet.
(e) The following persons may bring a civil action against a
person who violates this section:
(1) a person who is acting as an Internet service
provider and whose network is used to commit a violation under this
section; or
(2) a person who has incurred a loss or disruption of
the conduct of the person's business, including for-profit or
not-for-profit activities, as a result of the violation.
(f) A person bringing an action under this section may, for
each violation:
(1) seek injunctive relief to restrain a violator from
continuing the violation;
(2) subject to Subsection (g), recover damages in an
amount equal to the greater of:
(A) actual damages arising from the violation; or
(B) $100,000 for each zombie used to commit the
violation; or
(3) obtain both injunctive relief and damages.
(g) The court may increase an award of damages, statutory or
otherwise, in an action brought under this section to an amount not
to exceed three times the applicable damages if the court finds that
the violations have occurred with such a frequency as to constitute
a pattern or practice.
(h) A plaintiff who prevails in an action brought under this
section is entitled to recover court costs and reasonable
attorney's fees, reasonable fees of experts, and other reasonable
costs of litigation.
(i) A remedy authorized by this section is not exclusive but
is in addition to any other procedure or remedy provided for by
other statutory or common law.
(j) Nothing in this section may be construed to impose
liability on the following persons with respect to a violation of
this section committed by another person:
(1) an Internet service provider;
(2) a provider of interactive computer service, as
defined by Section 230, Communications Act of 1934 (47 U.S.C.
Section 230);
(3) a telecommunications provider, as defined by
Section 51.002, Utilities Code; or
(4) a video service provider or cable service
provider, as defined by Section 66.002, Utilities Code.
SECTION 5. Subsection (a), Section 324.101, Business &
Commerce Code, as effective April 1, 2009, is amended to read as
follows:
(a) Any of the following persons, if adversely affected by
the violation, may bring a civil action against a person who
violates Section 324.051, 324.052, 324.053, or 324.054 [this
chapter]:
(1) a provider of computer software;
(2) an owner of a web page or trademark;
(3) a telecommunications carrier;
(4) a cable operator; or
(5) an Internet service provider.
SECTION 6. The changes in law made by this Act apply only to
conduct that occurs on or after the effective date of this Act.
Conduct that occurs before the effective date of this Act is
governed by the law in effect at the time the conduct occurred, and
that law is continued in effect for that purpose.
SECTION 7. This Act takes effect September 1, 2009.
______________________________ ______________________________
President of the Senate Speaker of the House
I hereby certify that S.B. No. 28 passed the Senate on
April 14, 2009, by the following vote: Yeas 30, Nays 0; and that
the Senate concurred in House amendments on May 28, 2009, by the
following vote: Yeas 31, Nays 0.
______________________________
Secretary of the Senate
I hereby certify that S.B. No. 28 passed the House, with
amendments, on May 19, 2009, by the following vote: Yeas 143,
Nays 0, two present not voting.
______________________________
Chief Clerk of the House
Approved:
______________________________
Date
______________________________
Governor