                                                      PRINTER'S NO. 1431

THE GENERAL ASSEMBLY OF PENNSYLVANIA


SENATE BILL

No. 1036 Session of 2006


        INTRODUCED BY CONTI, WONDERLING, CORMAN, ERICKSON, RAFFERTY,
           GORDNER, BROWNE, COSTA, TARTAGLIONE, KITCHEN, EARLL, WOZNIAK,
           ORIE, O'PAKE, REGOLA, LEMMOND, WAUGH, WENGER, STACK, ROBBINS
           AND KASUNIC, JANUARY 3, 2006

        REFERRED TO COMMUNICATIONS AND TECHNOLOGY, JANUARY 3, 2006

                                     AN ACT

     1  Amending Title 18 (Crimes and Offenses) of the Pennsylvania
     2     Consolidated Statutes, providing for the offense of phishing.

     3     The General Assembly of the Commonwealth of Pennsylvania
     4  hereby enacts as follows:
     5     Section 1.  Chapter 76 of Title 18 of the Pennsylvania
     6  Consolidated Statutes is amended by adding a subchapter to read:
     7                            SUBCHAPTER F
     8                              PHISHING
     9  Sec.
    10  7671.  Scope of subchapter.
    11  7672.  Definitions.
    12  7673.  Phishing and pharming prohibitions.
    13  7674.  Nonapplicability.
    14  7675.  Criminal enforcement.
    15  7676.  Penalty.
    16  7677.  Civil relief.
    17  § 7671.  Scope of subchapter.

     1     This subchapter deals with consumer protection against
     2  phishing.
     3  § 7672.  Definitions.
     4     The following words and phrases when used in this subchapter
     5  shall have the meanings given to them in this section unless the
     6  context clearly indicates otherwise:
     7     "Electronic mail address."  A destination, commonly expressed
     8  as a string of characters, consisting of a unique user name or
     9  mailbox, commonly referred to as the local part, and a reference
    10  to an Internet domain, commonly referred to as the domain part,
    11  whether or not displayed, to which an electronic mail message
    12  can be sent or delivered.
    13     "Electronic mail message."  A message sent to a unique
    14  electronic mail address.
    15     "Initiate."  To originate or transmit a message or to procure
    16  the origination or transmission of a message. The term shall not
    17  include actions that constitute routine conveyance of a message.
    18  For purposes of this subchapter, more than one person may be
    19  considered to have initiated a message.
    20     "Internet."  The combination of computer facilities and
    21  electromagnetic transmission media and related equipment and
    22  software, comprising the interconnected worldwide network of
    23  computer networks that employ the Transmission Control
    24  Protocol/Internet Protocol or any successor protocol to transmit
    25  information.
    26     "Internet information location tool."  A service that refers
    27  or links users to an online location. The term includes
    28  directories, indices, references, pointers and hypertext links.
    29     "Legitimate business."  A business that is registered to do
    30  business under the laws of any jurisdiction.
    20060S1036B1431                  - 2 -     

     1     "Procure."  To intentionally pay or provide consideration to
     2  or to induce another person to create an Internet website or
     3  domain name.
     4     "Recipient."  An authorized user of the electronic mail
     5  address to which a message was sent or delivered. If a recipient
     6  of a commercial electronic mail message has one or more
     7  electronic mail addresses in addition to the address to which
     8  the message was sent or delivered, the recipient shall be
     9  treated as a separate recipient with respect to each address. If
    10  an electronic mail address is reassigned to a new user, the new
    11  user shall not be treated as a recipient of any commercial
    12  electronic mail message sent or delivered to that address before
    13  it was reassigned.
    14     "Sensitive personal information."  Any of the following:
    15         (1)  A Social Security number.
    16         (2)  A driver's license number or state identification
    17     card number.
    18         (3)  A financial account number, credit or debit card
    19     number, in combination with any required security code,
    20     access code or password that would permit access to an
    21     individual's financial account.
    22  § 7673.  Phishing and pharming prohibitions.
    23     (a)  Communications.--It shall be unlawful for any person
    24  with actual knowledge, with conscious avoidance of actual
    25  knowledge or willfully to:
    26         (1)  make any communication presenting such communication
    27     under false pretenses as being made by or on behalf of a
    28     legitimate business without the authority or approval of the
    29     legitimate business; and
    30         (2)  use that communication to induce, request or solicit
     1     any person to provide a password or account number issued by
     2     the legitimate business or sensitive personal information.
     3     (b)  Electronic message.--A person or entity shall not, with
     4  actual knowledge, with conscious avoidance of actual knowledge
     5  or willfully, transmit an electronic mail message with the
     6  intent to defraud or obtain a thing of value that:
     7         (1)  deceptively misrepresents itself as being sent by a
     8     legitimate online business;
     9         (2)  includes an Internet information location tool that
    10     refers or links users to an online location that falsely
    11     purports to belong to or be associated with the legitimate
    12     online business; and
    13         (3)  induces, requests or solicits a recipient of the
    14     electronic mail message directly or indirectly to provide a
    15     password or account number issued by the legitimate online
    16     business or sensitive personal information with the intent to
    17     defraud or obtain a thing of value.
    18     (c)  Software.--A person or entity shall not, with actual
    19  knowledge, with conscious avoidance of actual knowledge or
    20  willfully possess, sell or distribute any software program for
    21  the purpose of facilitating any violation of subsection (a) or
    22  (b).
    23     (d)  Information.--A person or entity shall not, with actual
    24  knowledge, with conscious avoidance of actual knowledge or
    25  willfully possess with intent to use in a fraudulent manner,
    26  sell or distribute any account number, password or sensitive
    27  personal information obtained in violation of subsection (a) or
    28  (b).
    29     (e)  Conspiracy.--A person or entity shall not conspire with
    30  any other person or attempt to engage in any act that violates
     1  any provision of this section.
     2  § 7674.  Nonapplicability.
     3     No provider of an interactive computer service may be held
     4  liable under any law of this Commonwealth or of one of its
     5  political subdivisions for removing or disabling access to
     6  content that resides on an Internet website or other online
     7  location controlled or operated by the provider and that the
     8  provider believes in good faith is used to engage in a violation
     9  of this subchapter.
    10  § 7675.  Criminal enforcement.
    11     (a)  District attorneys.--A district attorney shall have
    12  authority to investigate and to institute criminal proceedings
    13  for any violations of this subchapter.
    14     (b)  Attorney General.--In addition to the authority
    15  conferred upon the Attorney General under the act of October 15,
    16  1980 (P.L.950, No.164), known as the Commonwealth Attorneys Act,
    17  the Attorney General shall have the authority to investigate and
    18  institute criminal proceedings for any violation of this
    19  subchapter. A person charged with a violation of this subchapter
    20  by the Attorney General shall not have standing to challenge the
    21  authority of the Attorney General to investigate or prosecute
    22  the case, and, if a challenge is made, the challenge shall be
    23  dismissed and no relief shall be available in the courts of this
    24  Commonwealth to the person making the challenge.
    25     (c)  Proceedings against persons outside this Commonwealth.--
    26  In addition to powers conferred upon district attorneys and the
    27  Attorney General in subsections (a) and (b), district attorneys
    28  and the Attorney General shall have the authority to investigate
    29  and initiate criminal proceedings against persons for violations
    30  of this subchapter in accordance with 42 Pa.C.S. § 5322
     1  (relating to bases of personal jurisdiction over persons outside
     2  this Commonwealth).
     3  § 7676.  Penalty.
     4     Any person who violates any provision of this subchapter
     5  commits a felony of the second degree and shall, upon
     6  conviction, be sentenced to pay a fine of not more than $25,000
     7  or to imprisonment for not less than one year nor more than ten
     8  years, or both.
     9  § 7677.  Civil relief.
    10     (a)  Action.--Subject to the limitations prescribed in
    11  subsection (f), the following permitted persons may bring a
    12  civil action against a person who violates this subchapter:
    13         (1)  a person engaged in the business of providing
    14     Internet access service to the public who is adversely
    15     affected by the violation;
    16         (2)  an owner of a web page or trademark that is used
    17     without authorization in the violation; or
    18         (3)  the Attorney General.
    19     (b)  Relief.--A permitted person bringing an action under
    20  this section may:
    21         (1)  seek injunctive relief to restrain the violator from
    22     continuing the violation;
    23         (2)  recover damages in an amount equal to the greater
    24     of:
    25             (i)  actual damages arising from the violation;
    26             (ii)  $100,000 for each violation of the same nature;
    27         or
    28             (iii)  both seek injunctive relief and recover
    29         damages as provided by this subsection.
    30     (c)  Increase in damages.--The court may increase an award of
     1  actual damages in an action brought under this section to an
     2  amount not to exceed three times the actual damages sustained if
     3  the court finds that the violations have occurred with a
     4  frequency as to constitute a pattern or practice.
     5     (d)  Attorney fees.--A permitted person who prevails in an
     6  action filed under this section is entitled to recover
     7  reasonable attorney fees and court costs.
     8     (e)  Nature of violations.--For purposes of this section,
     9  violations are of the same nature if the violations consist of
    10  the same course of conduct or action, regardless of the number
    11  of times the conduct or act occurred.
    12     (f)  Unfair or deceptive trade practice.--A violation of this
    13  subchapter shall be deemed to be an unfair or deceptive act or
    14  practice in violation of the act of December 17, 1968 (P.L.1224,
    15  No.387), known as the Unfair Trade Practices and Consumer
    16  Protection Law. The Attorney General shall have exclusive
    17  authority to bring an action under the Unfair Trade Practices
    18  and Consumer Protection Law for a violation of this subchapter.
    19     Section 2.  This act shall take effect in 60 days.








    K17L18MSP/20060S1036B1431        - 7 -