sb425_Committee_sub_LC_21_8711S

sb425_Committee_sub_LC_21_8711S_4.html

06 LC 21 8711S

The Senate Science and Technology Committee offered the following substitute to SB 425:

A BILL TO BE ENTITLED
AN ACT

To amend Article 9 of Chapter 9 of Title 16 of the Official Code of Georgia Annotated, the "Georgia Computer Security Act of 2005," so as to enact "The Georgia Child, Family, and School Communications Protection Act"; to provide a short title; to provide for definitions; to create a service to protect child, family, and school communications; to provide conditions for registration; to provide for a fee; to provide for procedures; to provide for verification from the contents of the service; to prohibit the transmission of certain messages; to provide for exceptions; to prohibit the release of certain information; to shield certain information from public inspection; to provide for a penalty; to provide for civil actions; to provide for related matters; to provide for an effective date; to repeal conflicting laws; and for other purposes.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:

SECTION 1.

Article 9 of Chapter 9 of Title 16 of the Official Code of Georgia Annotated, the "Georgia Computer Security Act of 2005," is amended by designating the existing portion of such article as Part 1 and by inserting at the end of such article the following:

∀Part 2

16-9-170.

This part shall be known and may be cited as the 'The Georgia Child, Family, and School Communications Protection Act.'

16-9-171.

As used in this part, the term:

(1) 'Contact point' means any electronic identification to which messages can be sent, including any of the following:

(A) An instant message identity;

(B) A wireless telephone, a personal digital assistant, a pager number, or any other similar wireless communication device;

(D) An electronic mail address; or

(E) Other electronic addresses subject to rules promulgated under this part by the department.

(2) 'Division' means the Division of Family and Children Services of the Department of Human Resources.

(3) 'Internet domain name' means a globally unique, hierarchical reference to an Internet host or service, assigned through centralized Internet authorities, comprising a series of character strings separated by periods, with the right-most string specifying the top of the hierarchy.

(4) 'Minor' means an individual under the age of 18 years.

(5) 'Person' means an individual, corporation, association, partnership, or any other legal entity.

(6) 'Service' means the Georgia Child, Family, and School Communications Protection Service created under Code Section 16-9-172.

16-9-172.

(a) The division shall establish and operate, or contract with a qualified third party to establish and operate, the Georgia Child, Family, and School Communications Protection Service. The division or a third party administrator shall establish procedures to prevent the use or disclosure of protected contact points as required under Code Section 16-9-174.

(b) A parent, guardian, individual, or an entity under subsection (d) of this Code section who is responsible for a contact point to which a minor may have access or which is used by a household in which a minor is present may register that contact point with the department under rules promulgated by the division. The division shall establish procedures to ensure that a registrant meets the requirements of this subsection.

(c) A registration under this Code section shall be for not more than three years. If the contact point is established for a specific minor, the registration expires when the minor reaches 18 years of age. A registration can be revoked or renewed by the registrant upon notification to the division.

(d) Schools and other institutions or entities primarily serving minor children may register one or more contact points with the division. An entity under this subsection may make one registration for all contact points of the entity, and the registration may include the entitýs Internet domain name under rules promulgated by the division.

(e) No fee or charge shall be assessed or incurred by a person registering a contact point under this part.

(f) The division shall establish a mechanism for senders to verify compliance with the service.

(g) A person desiring to send a message described in Code Section 16-9-173 shall pay the division a fee for access to the mechanism required under subsection (f) of this Code section. The fee required under this subsection shall be set by the division. The fee shall not exceed 1¢ per contact point. The mechanism to verify compliance under subsection (f) of this Code section and the fee required under this subsection shall be established under rules promulgated by the division.

(h) The service shall be fully operational not later than December 1, 2006.

16-9-173.

(a) Except as otherwise provided in this Code section, a person shall not send, cause to be sent, or conspire with a third party to send a message to a contact point that has been registered with the service for at least 30 calendar days if the primary purpose of the message is to advertise or induce the sale of a product or service that a minor is prohibited by law from purchasing, viewing, possessing, participating in, or otherwise receiving.

(b) A person desiring to send a message described in subsection (a) of this Code section shall use the mechanism created under subsection (f) of Code Section 16-9-172 to ensure compliance with this part.

(c) Senders that, in good faith, use the mechanism created under subsection (f) of Code Section 16-9-172 to remove all registered contact points at least every 30 days from their sending lists shall receive a safe harbor from criminal prosecution and civil actions under this part for inadvertent violations of this part during the period in which the mechanism was used.

(d) Except as otherwise provided in subsection (h) of this Code section, the consent to receive the message is not a defense to a violation of this Code section.

(e) A person does not violate this part because the person is an intermediary between the sender and recipient in the transmission of an electronic message that violates this part or unknowingly provides transmission of electronic messages over the persońs computer network or facilities that violate this part.

(f) The sending of a message described in subsection (a) of this Code section is prohibited only if it is otherwise a crime for the minor to purchase, view, possess, participate in, or otherwise receive the product or service.

(g) Senders shall be considered on notice of jurisdiction over contact points that have been registered for at least 30 days with the service. Sending a message to an address registered for at least 30 calendar days with the child, family, and school communication protection service shall subject the sender to the statés long arm jurisdiction.

(h) The sending of a message described in subsection (a) of this Code section shall not be prohibited if, prior to sending the message, the sender has obtained from an adult whose age the sender has verified a statement consenting to receive the message at a contact point which such adult has verified as being such adult́s contact point. To comply with this subsection, the sender shall:

(1) Verify that the person making the affirmative statement is of legal age by inspecting in a face-to-face meeting a valid photo identification issued by a governmental agency;

(2) Obtain a written consent form signed by the recipient stating that the recipient has consented to receive the type of message described in subsection (a) of this Code section. The sender shall retain the consent form on record and shall make it available as provided in paragraph (4) of this subsection;

(3) Include in all messages sent pursuant to this subsection a statement that the recipient may rescind his or her consent and provide an opportunity for the recipient to opt not to receive future messages; and

(4) Notify the division that the sender intends to send messages as provided in this subsection. The division may implement procedures to audit the sendeŕs records to verify that the sender is in compliance with this subsection.

16-9-174.

(a) A person shall not release to another person information concerning persons or provide access to contact points or other information contained on the service except as provided by this part.

(b) A person shall not sell or use the contents of the service for any reason other than to meet the requirements of this part.

(d) Records and documents of the service created under this part are not subject to public inspection pursuant to Article 4 of Chapter 18 of Title 50.

16-9-175.

A violation of this part shall be a computer crime and a felony punishable by incarceration up to five years or a fine not to exceed $200,000.00, or both. Each violation of this part shall constitute a separate offense.

16-9-176.

(a) A civil action based on a violation of this part may be brought:

(1) By an authorized individual or the registrant of the contact point on behalf of a minor who has received a message in violation of this part;

(2) By a person through whose facilities the message was transmitted in violation of this part; or

(3) By the Attorney General against a person who has violated this part.

(b) In each action brought under this Code section, the prevailing party may be awarded reasonable attorney fees.

(1) Actual damages, including reasonable attorney fees; or

(2) In lieu of actual damages, the lesser of $5,000.00 per each message received by a recipient or transmitted or $250,000.00 for each day that the violation occurs.

(d) It shall be an affirmative defense to a civil action based on a violation of this part brought by an individual who registered a contact point if the sender proves that the individual affirmatively, expressly, and directly consented, and did not subsequently revoke such consent, to receive messages from the particular sender to the registered contact point. Such consent shall not be a defense to a criminal or civil action brought by the Attorney General or by a person through whose facilities the message was transmitted in violation of this part.

(e) If the Attorney General has reason to believe that a person has violated this part, the Attorney General may investigate the business transactions of that person. The Attorney General may require that person to appear, at a reasonable time and place, to give information under oath and to produce such documents and evidence necessary to determine whether the person is in compliance with the requirements of this part.∀

SECTION 2.

Said article is further amended by striking in its entirety Code Section 16-9-150, relating to a short title, and inserting in lieu thereof the following:

∀16-9-150.

This article part shall be known and may be cited as the 'Georgia Computer Security Act of 2005.'∀

SECTION 3.

Said article is further amended by striking in its entirety Code Section 16-9-151, relating to definitions, and inserting in lieu thereof the following:

∀16-9-151.

As used in this chapter part, the term:

(1) 'Advertisement' means a communication, the primary purpose of which is the commercial promotion of a commercial product or service, including content on an Internet website operated for a commercial purpose.

(2) 'Authorized user' with respect to a computer, means a person who owns or is authorized by the owner or lessee to use the computer.

(3) 'Cause to be copied' means to distribute or transfer computer software or any component thereof. Such term shall not include providing:

(A) Transmission, routing, provision of intermediate temporary storage, or caching of software;

(B) A storage medium, such as a compact disk, website, or computer server, through which the software was distributed by a third party; or

(C) An information location tool, such as a directory, index, reference, pointer, or hypertext link, through which the user of the computer located the software.

(4) 'Computer software' means a sequence of instructions written in any programming language that is executed on a computer. Such term shall not include a text or data file, a web page, or a data component of a web page that is not executable independently of the web page.

(5) 'Computer virus' means a computer program or other set of instructions that is designed to degrade the performance of or disable a computer or computer network and is designed to have the ability to replicate itself on other computers or computer networks without the authorization of the owners of those computers or computer networks.

(6) 'Consumer' means an individual who resides in this state and who uses the computer in question primarily for personal, family, or household purposes.

(7) 'Damage' means any significant impairment to the integrity or availability of data, software, a system, or information.

(8) 'Execute,' when used with respect to computer software, means the performance of the functions or the carrying out of the instructions of the computer software.

(9) 'Intentionally deceptive' means any of the following:

(A) By means of an intentionally and materially false or fraudulent statement;

(B) By means of a statement or description that intentionally omits or misrepresents material information in order to deceive the consumer; or

(C) By means of an intentional and material failure to provide any notice to an authorized user regarding the download or installation of software in order to deceive the consumer.

(10) 'Internet' means the global information system that is logically linked together by a globally unique address space based on the Internet Protocol or its subsequent extensions; that is able to support communications using the Transmission Control Protocol/Internet Protocol suite, its subsequent extensions, or other Internet Protocol compatible protocols; and that provides, uses, or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described in this paragraph.

(11) 'Person' means any individual, partnership, corporation, limited liability company, or other organization, or any combination thereof.

(12) 'Personally identifiable information' means any of the following:

(A) A first name or first initial in combination with a last name;

(B) Credit or debit card numbers or other financial account numbers;

(D) A social security number; or

(E) Any of the following information in a form that personally identifies an authorized user:

(i) Account balances;

(ii) Overdraft history;

(iii) Payment history;

(iv) A history of websites visited;

(v) A home address;

(vi) A work address; or

(vii) A record of a purchase or purchases.∀

SECTION 4.

Said article is further amended by striking in its entirety subsection (b) of Code Section 16-9-152, relating to spyware, browsers, hijacks, and other software prohibited, and inserting in lieu thereof the following:

∀(b) Nothing in this Code section shall apply to any monitoring of, or interaction with, a useŕs Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, network management, network maintenance, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this article part.∀

SECTION 5.

Said article is further amended by striking in its entirety subsection (b) of Code Section 16-9-153, relating to e-mail virus distribution, denial of service attacks, and other conduct prohibited, and inserting in lieu thereof the following:

SECTION 6.

Said article is further amended by striking in its entirety subsection (b) of Code Section 16-9-154, relating to inducement to install, copy, or execute software through misrepresentation prohibited, and inserting in lieu thereof the following:

SECTION 7.

Said article is further amended by striking in its entirety Code Section 16-9-155, relating to penalties, and inserting in lieu thereof the following:

∀16-9-155.

(a) Any person who violates the provisions of paragraph (2) of Code Section 16-9-152, subparagraph (A), (B), or (C) of paragraph (1) of subsection (a) (a)(1)(A), (a)(1)(B), or (a)(1)(C) of Code Section 16-9-153, or paragraph (2) of subsection (a) of Code Section 16-9-153 shall be guilty of a felony and, upon conviction thereof, shall be sentenced to imprisonment for not less than one nor more than ten years or a fine of not more than $3 million, or both.

(b) The Attorney General may bring a civil action against any person violating this article part to enforce the penalties for the violation and may recover any or all of the following:

(1) A civil penalty of up to $100.00 per violation of this article part, or up to $100,000.00 for a pattern or practice of such violations;

(2) Costs and reasonable attorneýs fees; and

(3) An order to enjoin the violation.

(c) In the case of a violation of subparagraph (B) of paragraph (1) of subsection (a) (a)(1)(B) of Code Section 16-9-153 that causes a telecommunications carrier to incur costs for the origination, transport, or termination of a call triggered using the modem of a customer of such telecommunications carrier as a result of such violation, the telecommunications carrier may bring a civil action against the violator to recover any or all of the following:

(1) The charges such carrier is obligated to pay to another carrier or to an information service provider as a result of the violation, including, but not limited to, charges for the origination, transport, or termination of the call;

(2) Costs of handling customer inquiries or complaints with respect to amounts billed for such calls;

(3) Costs and reasonable attorneýs fees; and

(4) An order to enjoin the violation.

(d) An Internet service provider or software company that expends resources in good faith assisting consumers or business entities harmed by a violation of this chapter, or a trademark owner whose mark is used to deceive consumers or business entities in violation of this chapter, may enforce the violation and may recover any or all of the following:

(1)(A) Statutory damages of not more than $100.00 per violation of this article part, or up to $1 million for a pattern or practice of such violations;

(2) Costs and reasonable attorneýs fees; and

(3) An order to enjoin the violation.∀

SECTION 8.

Said article is further amended by striking in its entirety Code Section 16-9-156, relating to exceptions, and inserting in lieu thereof the following:

∀(a) For the purposes of this Code section, the term 'employer' includes a business entitýs officers, directors, parent corporation, subsidiaries, affiliates, and other corporate entities under common ownership or control within a business enterprise. No employer may be held criminally or civilly liable under this article part as a result of any actions taken:

(1) With respect to computer equipment used by its employees, contractors, subcontractors, agents, leased employees, or other staff which the employer owns, leases, or otherwise makes available or allows to be connected to the employeŕs network or other computer facilities; or

(2) By employees, contractors, subcontractors, agents, leased employees, or other staff who misuse an employeŕs computer equipment for an illegal purpose without the employeŕs knowledge, consent, or approval.

(b) No person shall be held criminally or civilly liable under this article part when its protected computers have been used by unauthorized users to violate this article part or other laws without such persońs knowledge, consent, or approval.

(c) A manufacturer or retailer of computer equipment shall not be liable under this Code section, criminally or civilly, to the extent that the manufacturer or retailer is providing third-party branded software that is installed on the computer equipment that the manufacturer or retailer is manufacturing or selling.∀

SECTION 9.

Said article is further amended by striking in its entirety Code Section 16-9-157, relating to legislative findings and preemption, and inserting in lieu thereof the following:

∀16-9-157.

The General Assembly finds that this article part is a matter of state-wide concern. This article part supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by any county, municipality, consolidated government, or other local governmental agency regarding spyware and notices to consumers from computer software providers regarding information collection.∀

SECTION 10.

This Act shall become effective upon its approval by the Governor or upon its becoming law without such approval.

SECTION 11.

All laws and parts of laws in conflict with this Act are repealed.