05 LC 28 2132
Senate Bill 127
By: Senators Staton of the 18th, Shafer of the 48th, Rogers of the 21st, Williams of the 19th, Douglas of the 17th and others
A BILL TO BE ENTITLED
AN ACT
To amend Chapter 9 of Title 16 of the Official Code of Georgia Annotated, relating
to forgery and fraudulent practices, so as to enact the "Georgia Computer
Security Act of 2005"; to provide a short title; to provide definitions; to
prohibit certain deceptive acts and practices with regard to computers; to
require certain notices be given prior to certain software or programs being
loaded onto certain computers; to require certain functions be available in
certain software; to provide for certain exceptions; to provide for civil and
criminal penalties; to provide for recovery of certain damages; to provide for
applicability; to provide for related matters; to amend Code Section 16-14-3 of
the Official Code of Georgia Annotated, relating to the "Georgia RICO (Racketeer
Influenced and Corrupt Organizations) Act," so as to add violations concerning
deceptive acts or practices to the list of predicate acts; to provide for
related matters; to repeal conflicting laws; and for other
purposes.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
SECTION 1.
Chapter 9 of Title 16 of the Official Code of Georgia Annotated, relating to forgery and
fraudulent practices, is amended by adding a new Article 9 to read as
follows:
"ARTICLE 9
16-9-150.
This chapter shall be known and may be cited as the 'Georgia Computer Security Act of
2005.'
16-9-151.
As used in this chapter, the term:
(1)
'Computer' means an electronic, magnetic, optical, electrochemical, or other
high speed data processing device performing logical, arithmetic, or storage
functions, and includes any data storage facility or communications facility
directly related to or operating in conjunction with such device, but such term
does not include an automated typewriter or typesetter, a portable hand-held
calculator, or other similar device.
(2)
'Disable' means, with respect to an information collection program, to
permanently prevent such program from executing any of the functions described
in paragraph (3) of this Code section that such program is otherwise capable of
executing by removing, deleting, or disabling the program unless the owner of a
protected computer takes a subsequent affirmative action to enable the execution
of such functions.
(3)
'Information collection program' means computer software that:
(A)
Collects personally identifiable information and sends such information to a
person other than the owner or authorized user of the computer or uses such
information to deliver advertising to or display advertising on the computer;
or
(B)
Collects information regarding the webpages accessed using the computer and uses
such information to deliver advertising to or display advertising on the
computer.
(4)
'Internet' means collectively the myriad of computer and telecommunications
facilities, including equipment and operating software, which comprise the
interconnected world-wide network of networks that employ the Transmission
Control Protocol/Internet Protocol, or any predecessor or successor protocols to
such protocol, to communicate information of all kinds by wire or
radio.
(5)
'Personally identifiable information' means the following information, to the
extent only that such information allows a living individual to be identified
from that information:
(A)
First and last name of an individual;
(B)
A home or other physical address of an individual, including street name, name
of a city or town, and ZIP Code;
(C)
An electronic mail address;
(D)
A telephone number;
(E)
A social security number, tax identification number, passport number,
driver's license number, or any other government issued identification
number;
(F)
A credit card number;
(G)
Any access code, password, or account number, other than an access code or
password transmitted by an owner or authorized user of a protected computer to
the intended recipient to register for, or log onto, a webpage or other Internet
service or a network connection or service of a subscriber that is protected by
an access code or password; and
(H)
Date of birth, birth certificate number, or place of birth of an individual,
except in the case of a date of birth transmitted or collected for the purpose
of compliance with the law.
(6)
'Protected computer' means a computer which, at the time of an alleged
violation of this article involving that computer, is located within the
geographic boundaries of this state.
(7)
'Webpage' means a location, with respect to the World Wide Web, that has a
single uniform resource locator or another single location with respect to the
Internet.
16-9-152.
(a)
It shall be an unlawful deceptive act or practice for any person who is not the
owner or authorized user of a protected computer to engage in any of the
following acts or practices with respect to a protected computer:
(1)
Taking control of the computer by:
(A)
Utilizing such computer to send unsolicited information or material from the
protected computer to others;
(B)
Diverting the Internet browser of the computer, or similar program of the
computer used to access and navigate the Internet:
(i)
Without authorization of the owner or authorized user of the computer;
and
(ii)
Away from the site the user intended to view, to one or more other webpages,
such that the user is prevented from viewing the content at the intended
webpage, unless such diverting is otherwise authorized;
(C)
Accessing or using the modem or Internet connection or service for the computer
and thereby causing damage to the computer or causing the owner or authorized
user to incur unauthorized financial charges;
(D)
Using the computer as part of an activity performed by a group of computers that
causes damage to another computer; or
(E)
Delivering advertisements that a user of the computer cannot close without
turning off the computer or closing all sessions of the Internet browser for the
computer;
(2)
Modifying settings related to use of the computer or to the computer's
access to or use of the Internet by altering:
(A)
The webpage that appears when the owner or authorized user launches an Internet
browser or similar program used to access and navigate the
Internet;
(B)
The default provider used to access or search the Internet, or other existing
Internet connections settings;
(C)
A list of bookmarks used by the computer to access webpages; or
(D)
Security or other settings of the computer that protect information about the
owner or authorized user for the purposes of causing damage or harm to the
computer or owner or user;
(3)
Collecting personally identifiable information through the use of a keystroke
logging function;
(4)
Inducing the owner or authorized user to install a computer software component
onto the computer, or preventing reasonable efforts to block the installation or
execution of, or to disable, a computer software component by:
(A)
Presenting the owner or authorized user with an option to decline installation
of a software component such that, when the option is selected by the owner or
authorized user, the installation nevertheless proceeds; or
(B)
Causing a computer software component that the owner or authorized user has
properly removed or disabled to reinstall or reactivate automatically on the
computer;
(5)
Misrepresenting that installing a separate software component or providing
log-in and password information is necessary for security or privacy reasons, or
that installing a separate software component is necessary to open, view, or
play a particular type of content;
(6)
Inducing the owner or authorized user to install or execute computer software by
misrepresenting the identity or authority of the person or entity providing the
computer software to the owner or user;
(7)
Inducing the owner or authorized user to provide personally identifiable,
password, or account information to another person:
(A)
By misrepresenting the identity of the person seeking the information;
or
(B)
Without the authority of the intended recipient of the information;
(8)
Removing, disabling, or rendering inoperative a security, antispyware, or
antivirus technology installed on the computer; or
(9)
Installing or executing on the computer one or more additional computer software
components with the intent of causing a person to use such components in a way
that violates any other provision of this chapter.
(b)
Except as otherwise provided in this Code section, it shall be unlawful for any
person:
(1)
To transmit to a protected computer, which is not owned by such person and for
which such person is not an authorized user, any information collection program,
unless:
(A)
Such information collection program provides notice in accordance with
subsection (c) of this Code section before execution of any of the information
collection functions of the program; and
(B)
Such information collection program includes the functions required under
subsection (d) of this Code section; or
(2)
To execute any information collection program installed on such a protected
computer unless:
(A)
Before execution of any of the information collection functions of the program,
the owner or an authorized user of the protected computer has consented to such
execution pursuant to notice in accordance with subsection (c) of this Code
section; and
(B)
Such information collection program includes the functions required under
subsection (d) of this Code section.
(c)(1)
Notice in accordance with this subsection with respect to an information
collection program is clear and conspicuous notice in plain language that meets
all of the following requirements:
(A)
The notice clearly distinguishes such notice from any other information visually
presented contemporaneously on the protected computer;
(B)
The notice contains one of the following statements, as applicable, or a
substantially similar statement:
(i)
With respect to an information collection program described in subparagraph (A)
of paragraph (3) of Code Section 16-9-151: 'This program will collect and
transmit information about you. Do you accept?';
(ii)
With respect to an information collection program described in subparagraph (B)
of paragraph (3) of Code Section 16-9-151: 'This program will collect
information about webpages you access and will use that information to display
advertising on your computer. Do you accept?'; or
(iii)
With respect to an information collection program that performs the actions
described in both subparagraphs (A) and (B) of paragraph (3) of Code Section
16-9-151: 'This program will collect and transmit information about you and your
computer use and will collect information about webpages you access and use that
information to display advertising on your computer. Do you
accept?';
(C)
The notice provides for the user:
(i)
To grant or deny consent referred to in subsection (b) of this Code section by
selecting an option to grant or deny such consent; and
(ii)
To abandon or cancel the transmission or execution referred to in subsection (b)
of this Code section without granting or denying such consent;
(D)
The notice provides an option for the user to select to display on the computer,
before granting or denying consent using the option required under subparagraph
(C) of this paragraph, a clear description of:
(i)
The types of information to be collected and sent, if any, by the information
collection program;
(ii)
The purpose for which such information is to be collected and sent;
and
(iii)
In the case of an information collection program that first executes any of the
information collection functions of the program together with the first
execution of other computer software, the identity of any such software that is
an information collection program; and
(E)
The notice provides for concurrent display of the information required under
subparagraphs (B) and (C) of this paragraph and the option required under
subparagraph (D) of this paragraph until the user:
(i)
Grants or denies consent using the option required under division (i) of
subparagraph (C) of this paragraph;
(ii)
Abandons or cancels the transmission or execution pursuant to division (ii) of
subparagraph (C) of this paragraph; or
(ii)
Selects the option required under subparagraph (D) of this
paragraph.
(2)
In the case in which multiple information collection programs are provided to
the protected computer together, or as part of a suite of functionally related
software, the notice requirements of subparagraphs (1) and (2) of subsection (b)
of this Code section may be met by providing, before execution of any of the
information collection functions of the programs, clear and conspicuous notice
in plain language in accordance with paragraph (1) of this subsection by
means of a single notice that applies to all such information collection
programs, except that such notice shall provide the option under subparagraph
(D) of paragraph (1) of this subsection with respect to each such information
collection program.
(3)
If an owner or authorized user has granted consent to execution of an
information collection program pursuant to a notice in accordance with this Code
section:
(A)
No subsequent such notice is required, except as provided in subparagraph (B) of
this paragraph; and
(B)
The person who transmitted the program shall provide another notice in
accordance with this subsection and obtain consent before such program may be
used to collect or send information of a type or for a purpose that is
materially different from, and outside the scope of, the type or purpose set
forth in the initial or any previous notice.
(d)
The functions required under this Code section to be included in an information
collection program that executes any information collection functions with
respect to a protected computer are as follows:
(1)
Disabling function. With respect to any information collection program, a
function of the program that allows a user of the program to remove the program
or disable operation of the program with respect to such protected computer by a
function that:
(A)
Is easily identifiable to a user of the computer; and
(B)
Can be performed without undue effort or knowledge by the user of the protected
computer; and
(2)
Identity function. With respect only to an information collection program that
uses information collected in the manner described in subparagraph (A) or (B) of
paragraph (3) of Code Section 16-9-151, a function of the program that provides
that each display of an advertisement directed or displayed using such
information when the owner or authorized user is accessing a webpage or online
location other than that of the provider of the software is accompanied by the
name of the information collection program, a logogram or trademark used for the
exclusive purpose of identifying the program, or a statement or other
information sufficient to clearly identify the program.
(e)
A telecommunications carrier, a provider of information service or interactive
computer service, a cable operator, or a provider of transmission capability
shall not be liable, criminally or civilly, under this Code section to the
extent that the carrier, operator, or provider:
(1)
Transmits, routes, hosts, stores, or provides connections for an information
collection program through a system or network controlled or operated by or for
the carrier, operator, or provider; or
(2)
Provides an information location tool, such as a directory, index, reference,
pointer, or hypertext link, through which the owner or user of a protected
computer locates an information collection program.
(f)
This Code section shall not apply to:
(1)
Any act taken by a law enforcement agent in the performance of official duties;
or
(2)
The transmission or execution of an information collection program in compliance
with a law enforcement, investigatory, national security, or regulatory agency
or department of the United States or any state in response to a request or
demand made under authority granted to that agency or department, including a
warrant issued under the Federal Rules of Criminal Procedure, an equivalent
state warrant, a court order, or other lawful process.
(g)
This Code section shall not apply to:
(1)
Any monitoring of or interaction with a subscriber's Internet or other
network connection or service, or a protected computer, by a telecommunications
carrier, cable operator, computer hardware or software provider, or provider of
information service or interactive computer service, to the extent that such
monitoring or interaction is for network or computer security purposes,
diagnostics, technical support, or repair, or for the detection or prevention of
fraudulent activities; or
(2)
A discrete interaction with a protected computer by a provider of computer
software solely to determine whether the user of the computer is authorized to
use such software that occurs upon:
(A)
Initialization of the software; or
(B)
An affirmative request by the owner or authorized user for an update of,
addition to, or technical service for the software.
(h)
No provider of computer software or of interactive computer service may be held
liable, criminally or civilly, under this Code section on account of any action
voluntarily taken, or service provided, in good faith to remove or disable a
program used to violate this Code section that is installed on a computer of a
customer of such provider, if such provider notifies the customer and obtains
the consent of the customer before undertaking such action or providing such
service.
(i)
A manufacturer or retailer of computer equipment shall not be liable under this
Code section, criminally or civilly, to the extent that the manufacturer or
retailer is providing third-party branded software that is installed on the
equipment the manufacturer or retailer is manufacturing or selling.
16-9-153.
Any person that violates the provisions of Code Section 16-9-152 shall be guilty of
a felony and, upon conviction thereof, shall be sentenced to imprisonment for
not less than one nor more than ten years or a fine of not more than $3 million,
or both.
16-9-154.
Any person who suffers personal, property, or economic damages by reason of a
violation of Code Section 16-9-152 may initiate a civil action for and recover
the greater of:
(1)
Five thousand dollars plus expenses of litigation and reasonable attorney's
fees;
(2)
Liquidated damages of $1,000.00 for each violation of Code Section 16-9-152 up
to a limit of $2 million per incident, plus expenses of litigation and
reasonable attorney's fees; or
(3)
Actual damages, plus expenses of litigation and reasonable attorney's
fees.
16-9-155.
The provisions of this article shall not be construed to limit or preclude the
applicability of any other provision of criminal or civil law of this state
which presently applies or may in the future apply to any transaction or course
of conduct which violates Code Section 16-9-152 unless such provision is clearly
and irresolvably in conflict with the terms of this
article."
SECTION 2.
Code Section 16-14-3 of the Official Code of Georgia Annotated, relating to
definitions relating to the "Georgia RICO (Racketeer Influenced and Corrupt
Organizations) Act," by striking the word "or" at the end of division
(9)(A)(xxxvii), by striking the period at the end of division (9)(A)(xxxviii)
and inserting in lieu thereof "; or", and by adding a new division (9)(A)(xxxix)
to read as follows:
"(xxxix)
Code Section 16-9-152, relating to deceptive acts or practices with regard to
protected computers."
SECTION 3.
All laws and parts of laws in conflict with this Act are repealed.
