PRINTER'S NO. 1431
No. 1036 Session of 2006
INTRODUCED BY CONTI, WONDERLING, CORMAN, ERICKSON, RAFFERTY, GORDNER, BROWNE, COSTA, TARTAGLIONE, KITCHEN, EARLL, WOZNIAK, ORIE, O'PAKE, REGOLA, LEMMOND, WAUGH, WENGER, STACK, ROBBINS AND KASUNIC, JANUARY 3, 2006
REFERRED TO COMMUNICATIONS AND TECHNOLOGY, JANUARY 3, 2006
AN ACT

Amending Title 18 (Crimes and Offenses) of the Pennsylvania Consolidated Statutes, providing for the offense of phishing.

The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:

Section 1. Chapter 76 of Title 18 of the Pennsylvania Consolidated Statutes is amended by adding a subchapter to read:

SUBCHAPTER F
PHISHING

Sec.
7671. Scope of subchapter.
7672. Definitions.
7673. Phishing and pharming prohibitions.
7674. Nonapplicability.
7675. Criminal enforcement.
7676. Penalty.
7677. Civil relief.

§ 7671. Scope of subchapter.
This subchapter deals with consumer protection against phishing.

§ 7672. Definitions.

The following words and phrases when used in this subchapter shall have the meanings given to them in this section unless the context clearly indicates otherwise:

"Electronic mail address." A destination, commonly expressed as a string of characters, consisting of a unique user name or mailbox, commonly referred to as the local part, and a reference to an Internet domain, commonly referred to as the domain part, whether or not displayed, to which an electronic mail message can be sent or delivered.

"Electronic mail message." A message sent to a unique electronic mail address.

"Initiate." To originate or transmit a message or to procure the origination or transmission of a message. The term shall not include actions that constitute routine conveyance of a message. For purposes of this subchapter, more than one person may be considered to have initiated a message.

"Internet." The combination of computer facilities and electromagnetic transmission media and related equipment and software, compromising the interconnected worldwide network of computer networks that employ the Transmission Control Protocol/Internet Protocol or any successor protocol to transmit information.

"Internet information location tool." A service that refers or links users to an online location. The term includes directories, indices, references, pointers and hypertext links.

"Legitimate business." A business that is registered to do business under the laws of any jurisdiction.

20060S1036B1431 - 2 -
"Procure." To intentionally pay or provide consideration to or to induce another person to create an Internet website or domain name.

"Recipient." An authorized user of the electronic mail address to which a message was sent or delivered. If a recipient of a commercial electronic mail message has one or more electronic mail addresses in addition to the address to which the message was sent or delivered, the recipient shall be treated as a separate recipient with respect to each address. If an electronic mail address is reassigned to a new user, the new user shall not be treated as a recipient of any commercial electronic mail message sent or delivered to that address before it was reassigned.

"Sensitive personal information." Any of the following:

    (1) A Social Security number.

    (2) A driver's license number or state identification card number.

    (3) A financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.

§ 7673. Phishing and pharming prohibitions.

(a) Communications.--It shall be unlawful for any person with actual knowledge, with conscious avoidance of actual knowledge or willfully to:

    (1) make any communication presenting such communication under false pretenses as being made by or on behalf of a legitimate business without the authority or approval of the legitimate business; and

    (2) use that communication to induce, request or solicit any person to provide a password or account number issued by the legitimate business or sensitive personal information.

(b) Electronic message.--A person or entity shall not, with actual knowledge, with conscious avoidance of actual knowledge or willfully, transmit an electronic mail message with the intent to defraud or obtain a thing of value that:

    (1) deceptively misrepresents itself as being sent by a legitimate online business;

    (2) includes an Internet information location tool that refers or links users to an online location that falsely purports to belong to or be associated with the legitimate online business; and

    (3) induces, requests or solicits a recipient of the electronic mail message directly or indirectly to provide a password or account number issued by the legitimate online business or sensitive personal information with the intent to defraud or obtain a thing of value.

(c) Software.--A person or entity shall not, with actual knowledge, with conscious avoidance of actual knowledge or willfully possess, sell or distribute any software program for the purpose of facilitating any violation of subsection (a) or (b).

(d) Information.--A person or entity shall not, with actual knowledge, with conscious avoidance of actual knowledge or willfully possess with intent to use in a fraudulent manner, sell or distribute any account number, password or sensitive personal information obtained in violation of subsection (a) or (b).

(e) Conspiracy.--A person or entity shall not conspire with any other person or attempt to engage in any act that violates any provision of this section.

§ 7674. Nonapplicability.

No provider of an interactive computer service may be held liable under any law of this Commonwealth or of one of its political subdivisions for removing or disabling access to content that resides on an Internet website or other online location controlled or operated by the provider and that the provider believes in good faith is used to engage in a violation of this subchapter.

§ 7675. Criminal enforcement.

(a) District attorneys.--A district attorney shall have authority to investigate and to institute criminal proceedings for any violations of this subchapter.

(b) Attorney General.--In addition to the authority conferred upon the Attorney General under the act of October 15, 1980 (P.L.950, No.164), known as the Commonwealth Attorneys Act, the Attorney General shall have the authority to investigate and institute criminal proceedings for any violation of this subchapter. A person charged with a violation of this subchapter by the Attorney General shall not have standing to challenge the authority of the Attorney General to investigate or prosecute the case, and, if a challenge is made, the challenge shall be dismissed and no relief shall be available in the courts of this Commonwealth to the person making the challenge.

(c) Proceedings against persons outside this Commonwealth.--In addition to powers conferred upon district attorneys and the Attorney General in subsections (a) and (b), district attorneys and the Attorney General shall have the authority to investigate and initiate criminal proceedings against persons for violations of this subchapter in accordance with 42 Pa.C.S. § 5322 (relating to bases of personal jurisdiction over persons outside this Commonwealth).

§ 7676. Penalty.

Any person who violates any provision of this subchapter commits a felony of the second degree and shall, upon conviction, be sentenced to pay a fine of not more than $25,000 or to imprisonment for not less than one year nor more than ten years, or both.

§ 7677. Civil relief.

(a) Action.--Subject to the limitations prescribed in subsection (f), the following permitted persons may bring a civil action against a person who violates this subchapter:

    (1) a person engaged in the business of providing Internet access service to the public who is adversely affected by the violation;

    (2) an owner of a web page or trademark that is used without authorization in the violation; or

    (3) the Attorney General.

(b) Relief.--A permitted person bringing an action under this section may:

    (1) seek injunctive relief to restrain the violator from continuing the violation;

    (2) recover damages in an amount equal to the greater of:

        (i) actual damages arising from the violation;

        (ii) $100,000 for each violation of the same nature; or

        (iii) both seek injunctive relief and recover damages as provided by this subsection.

(c) Increase in damages.--The court may increase an award of actual damages in an action brought under this section to an amount not to exceed three times the actual damages sustained if the court finds that the violations have occurred with a frequency as to constitute a pattern or practice.

(d) Attorney fees.--A permitted person who prevails in an action filed under this section is entitled to recover reasonable attorney fees and court costs.

(e) Nature of violations.--For purposes of this section, violations are of the same nature if the violations consist of the same course of conduct or action, regardless of the number of times the conduct or act occurred.

(f) Unfair or deceptive trade practice.--A violation of this subchapter shall be deemed to be an unfair or deceptive act or practice in violation of the act of December 17, 1968 (P.L.1224, No.387), known as the Unfair Trade Practices and Consumer Protection Law. The Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of this subchapter.

Section 2. This act shall take effect in 60 days.