05 LC 28 2483S
The House Committee on Science and Technology offers the following substitute
to SB 127:
A BILL TO BE ENTITLED
AN ACT
To amend Chapter 9 of Title 16 of the Official Code of Georgia Annotated, relating
to forgery and fraudulent practices, so as to provide a short title; to provide
definitions; to prohibit certain conduct with regard to computers and computer
software; to provide for penalties for violations; to provide exceptions; to
provide for certain civil remedies for violations; to provide for preemption; to
provide for related matters; to provide an effective date; to repeal conflicting
laws; and for other purposes.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
SECTION 1.
Chapter 9 of Title 16 of the Official Code of Georgia Annotated, relating to forgery and
fraudulent practices, is amended by adding a new Article 9 to read as
follows:
"ARTICLE 9
16-9-150.
This article shall be known and may be cited as the 'Georgia Computer Security Act of
2005.'
16-9-151.
As used in this chapter, the term:
(1)
'Advertisement' means a communication, the primary purpose of which is the
commercial promotion of a commercial product or service, including content on an
Internet website operated for a commercial purpose.
(2)
'Authorized user,' with respect to a computer, means a person who owns or is
authorized by the owner or lessee to use the computer.
(3)
'Cause to be copied' means to distribute or transfer computer software or any
component thereof. Such term shall not include providing:
(A)
Transmission, routing, provision of intermediate temporary storage, or caching
of software;
(B)
A storage medium, such as a compact disk, website, or computer server, through
which the software was distributed by a third party; or
(C)
An information location tool, such as a directory, index, reference, pointer, or
hypertext link, through which the user of the computer located the
software.
(4)
'Computer software' means a sequence of instructions written in any programming
language that is executed on a computer. Such term shall not include a text or
data file, a web page, or a data component of a web page that is not executable
independently of the web page.
(5)
'Computer virus' means a computer program or other set of instructions that is
designed to degrade the performance of or disable a computer or computer network
and is designed to have the ability to replicate itself on other computers or
computer networks without the authorization of the owners of those computers or
computer networks.
(6)
'Consumer' means an individual who resides in this state and who uses the
computer in question primarily for personal, family, or household
purposes.
(7)
'Damage' means any significant impairment to the integrity or availability of
data, software, a system, or information.
(8)
'Execute,' when used with respect to computer software, means the performance of
the functions or the carrying out of the instructions of the computer
software.
(9)
'Intentionally deceptive' means any of the following:
(A)
By means of an intentionally and materially false or fraudulent
statement;
(B)
By means of a statement or description that intentionally omits or misrepresents
material information in order to deceive the consumer; or
(C)
By means of an intentional and material failure to provide any notice to an
authorized user regarding the download or installation of software in order to
deceive the consumer.
(10)
'Internet' means the global information system that is logically linked together
by a globally unique address space based on the Internet Protocol or its
subsequent extensions; that is able to support communications using the
Transmission Control Protocol/Internet Protocol suite, its subsequent
extensions, or other Internet Protocol compatible protocols; and that provides,
uses, or makes accessible, either publicly or privately, high level services
layered on the communications and related infrastructure described in this
paragraph.
(11)
'Person' means any individual, partnership, corporation, limited liability
company, or other organization, or any combination thereof.
(12)
'Personally identifiable information' means any of the following:
(A)
A first name or first initial in combination with a last name;
(B)
Credit or debit card numbers or other financial account numbers;
(C)
A password or personal identification number required to access an identified
financial account;
(D)
A social security number; or
(E)
Any of the following information in a form that personally identifies an
authorized user:
(i)
Account balances;
(ii)
Overdraft history;
(iii)
Payment history;
(iv)
A history of websites visited;
(v)
A home address;
(vi)
A work address; or
(vii)
A record of a purchase or purchases.
16-9-152.
(a)
It shall be illegal for a person or entity that is not an authorized user, as
defined in Code Section 16-9-151, of a computer in this state to knowingly,
willfully, or with conscious indifference or disregard cause computer software
to be copied onto such computer and use the software to do any of the
following:
(1)
Modify, through intentionally deceptive means, any of the following settings
related to the computer's access to, or use of, the Internet:
(A)
The page that appears when an authorized user launches an Internet browser or
similar software program used to access and navigate the Internet;
(B)
The default provider or web proxy the authorized user uses to access or search
the Internet; or
(C)
The authorized user's list of bookmarks used to access web pages;
(2)
Collect, through intentionally deceptive means, personally identifiable
information that meets any of the following criteria:
(A)
It is collected through the use of a keystroke-logging function that records all
keystrokes made by an authorized user who uses the computer and transfers that
information from the computer to another person;
(B)
It includes all or substantially all of the websites visited by an authorized
user, other than websites of the provider of the software, if the computer
software was installed in a manner designed to conceal from all authorized users
of the computer the fact that the software is being installed; or
(C)
It is a data element described in subparagraph (B), (C), or (D) of paragraph
(12) of Code Section 16-9-151, or in division (i) or (ii) of subparagraph (E) of
paragraph (12) of Code Section 16-9-151, that is extracted from the
consumer's or business entity's computer hard drive for a purpose wholly
unrelated to any of the purposes of the
software or service described to an authorized user;
(3)
Prevent, without the authorization of an authorized user, through intentionally
deceptive means, an authorized user's reasonable efforts to block the
installation of, or to disable, software, by
causing software that the authorized user has properly removed or disabled to
automatically reinstall or reactivate on the computer without the authorization
of an authorized user;
(4)
Intentionally misrepresent that software will be uninstalled or disabled by an
authorized user's action, with knowledge that the software will not be so
uninstalled or disabled;
or
(5)
Through intentionally deceptive means, remove, disable, or render inoperative
security, antispyware, or antivirus software installed on the
computer.
(b)
Nothing in this Code section shall apply to any monitoring of, or interaction
with, a user's Internet or other network connection or service, or a protected
computer, by a
telecommunications carrier, cable operator, computer hardware or software
provider, or provider of information service or interactive computer service for
network or computer security purposes, diagnostics, technical support, repair,
network management, network maintenance, authorized updates of software or
system firmware, authorized remote system management, or detection or prevention
of the unauthorized use of or fraudulent or other illegal activities in
connection with a network, service, or computer software, including scanning for
and removing software proscribed under this article.
16-9-153.
(a)
It shall be illegal for a person or entity that is not an authorized user, as
defined in Code Section 16-9-151, of a computer in this state to knowingly,
willfully, or with conscious indifference or disregard cause computer software
to be copied onto such computer and use the software to do any of the
following:
(1)
Take control of the consumer's or business entity's computer by doing any of the
following:
(A)
Transmitting or relaying commercial electronic mail or a computer virus from the
consumer's or business entity's computer, where the transmission or relaying is
initiated by a person other than
the authorized user and without the authorization of an authorized
user;
(B)
Accessing or using the consumer's or business entity's modem or Internet service
for the purpose of causing damage to the consumer's or business entity's
computer or of causing an authorized user or a third party affected by such
conduct to incur financial charges for a service that is not authorized by an
authorized user;
(C)
Using the consumer's or business entity's computer as part of an activity
performed by a group of computers for the
purpose of causing damage to another computer, including, but not limited to,
launching a denial of service attack; or
(D)
Opening multiple, sequential, stand-alone advertisements in the consumer's or
business entity's Internet browser without the authorization of an authorized
user and with knowledge that a reasonable computer user cannot close the
advertisements without turning off the computer or closing the consumer's or
business entity's Internet browser;
(2)
Modify any of the following settings related to the computer's access to, or use
of, the Internet:
(A)
An authorized user's security or other settings that protect information about
the authorized user for the purpose of stealing personal information of an
authorized user; or
(B)
The security settings of the computer for the purpose of causing damage to one
or more computers; or
(3)
Prevent, without the authorization of an authorized user, an authorized user's
reasonable efforts to block the installation of, or to disable, software, by
doing any of the following:
(A)
Presenting the authorized user with an option to decline installation of
software with knowledge that, when the option is selected by the authorized
user, the installation nevertheless proceeds; or
(B)
Falsely representing that software has been disabled.
(b)
Nothing in this Code section shall apply to any monitoring of, or interaction
with, a user's Internet or other network connection or service, or a protected
computer, by a
telecommunications carrier, cable operator, computer hardware or software
provider, or provider of information service or interactive computer service for
network or computer security purposes, diagnostics, technical support, repair,
network management, network maintenance, authorized updates of software or
system firmware, authorized remote system management, or detection or prevention
of the unauthorized use of or fraudulent or other illegal activities in
connection with a network, service, or computer software, including scanning for
and removing software proscribed under this article.
16-9-154.
(a)
It shall be illegal for a person or entity that is not an authorized user, as
defined in Code Section 16-9-151, of a computer in this state to do any of the
following with regard to such computer:
(1)
Induce an authorized user to install a software component onto the computer by
intentionally misrepresenting that installing software is necessary for security
or privacy reasons or in order to open, view, or play a particular type of
content; or
(2)
Deceptively causing the copying and execution on the computer of a computer
software component with the intent of causing an authorized user to use the
component in a way that violates any other provision of this Code
section.
(b)
Nothing in this Code section shall apply to any monitoring of, or interaction
with, a user's Internet or other network connection or service, or a protected
computer, by a
telecommunications carrier, cable operator, computer hardware or software
provider, or provider of information service or interactive computer service for
network or computer security purposes, diagnostics, technical support, repair,
network management, network maintenance, authorized updates of software or
system firmware, authorized remote system management, or detection or prevention
of the unauthorized use of or fraudulent or other illegal activities in
connection with a network, service, or computer software, including scanning for
and removing software proscribed under this article.
16-9-155.
(a)
Any person who violates the provisions of paragraph (2) of Code Section
16-9-152, subparagraph (A), (B), or (C) of paragraph (1) of subsection (a) of
Code Section 16-9-153, or paragraph (2) of subsection (a) of Code Section
16-9-153 shall be guilty of a felony and, upon conviction thereof, shall be
sentenced to imprisonment for not less than one nor more than ten years or a
fine of not more than $3 million, or both.
(b)
The Attorney General may bring a civil action against any person violating this
article to enforce the penalties for the violation and may recover any or all of
the following:
(1)
A civil penalty of up to $100.00 per violation of this article, or up to
$100,000.00 for a pattern or practice of such violations;
(2)
Costs and reasonable attorney's fees; and
(3)
An order to enjoin the violation.
(c)
In the case of a violation of subparagraph (B) of paragraph (1) of subsection
(a) of Code Section 16-9-153 that causes a telecommunications carrier to incur
costs for the origination, transport, or termination of a call triggered using
the modem of a customer of such telecommunications carrier as a result of such
violation, the telecommunications carrier may bring a civil action against the
violator to recover any or all of the following:
(1)
The charges such carrier is obligated to pay to another carrier or to an
information service provider as a result of the violation, including, but not
limited to, charges for the origination, transport or termination of the
call;
(2)
Costs of handling customer inquiries or complaints with respect to amounts
billed for such calls;
(3)
Costs and reasonable attorney's fees; and
(4)
An order to enjoin the violation.
(d)
An Internet service provider or software company that expends resources in good
faith assisting consumers or business entities harmed by a violation of this
chapter, or a trademark owner whose mark is used to deceive consumers or
business entities in violation of this chapter, may enforce the violation and
may recover any or all of the following:
(1)(A)
Statutory damages of not more than $100.00 per violation of this article, or up
to $1 million for a pattern or practice of such violations;
(2)
Costs and reasonable attorney's fees; and
(3)
An order to enjoin the violation.
16-9-156.
(a)
For the purposes of this Code section, the term 'employer' includes a business
entity's officers, directors, parent corporation, subsidiaries, affiliates, and other
corporate entities under common ownership or control within a business
enterprise. No employer may be held criminally or civilly liable under this
article as a result of any actions taken:
(1)
With respect to computer equipment used by its employees, contractors,
subcontractors, agents, leased employees, or other staff which the employer
owns, leases, or otherwise makes available or allows to be connected to the
employer's network or other computer facilities; or
(2)
By employees, contractors, subcontractors, agents, leased employees, or other
staff who misuse an employer's computer equipment for an illegal purpose without
the employer's knowledge, consent, or approval.
(b)
No person shall be held criminally or civilly liable under this article when its
protected computers have been used by unauthorized users to violate this article
or other laws without such person's knowledge, consent, or approval.
(c)
A manufacturer or retailer of computer equipment shall not be liable under this
Code section, criminally or civilly, to the extent that the manufacturer or
retailer is providing third-party branded software that is installed on the
computer equipment that the manufacturer or retailer is manufacturing or
selling.
16-9-157.
The General Assembly finds that this article is a matter of state-wide concern.
This article supersedes and preempts all rules, regulations, codes, ordinances,
and other laws adopted by any county, municipality, consolidated government, or
other local governmental agency regarding spyware and notices to consumers from
computer software providers regarding information collection."
SECTION 2.
This Act shall become effective upon its approval by the Governor or upon its
becoming law without such approval.
SECTION 3.
All laws and parts of laws in conflict with this Act are repealed.
