The Governator: Hasta La Vista, Phishers
Posted by Lance Koonce
On Friday, Governor Arnold Schwarzenegger signed California Senate Bill 355, the Anti-Phishing Act of 2005, which makes phishing schemes illegal in California. The legislation states that "[i]t shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business."
Of great interest to corporations is a provision of the law that allows an entity that is "engaged in the business of providing Internet access service to the public, owns a Web page, or owns a trademark" to bring an action when the entity is "adversely affected" by a violation of the law. Presumably this means an indirect effect on a business, such as phishing attacks directed at its customers, may trigger liability. Notably, the entity can elect to seek either actual damages or $500,000, whichever is greater. Also, plaintiffs can ask a court for treble damages "in cases in which the defendant has engaged in a pattern and practice of violating" this law, and can seek prevailing-party attorneys' fees.
Contrast this with the law's provision allowing civil suit by an individual who does not have an internet business or a trademark (i.e., a consumer), under which the consumer can only bring an action against a person who has directly violated the law. Individuals may seek the greater of three times actual damages or $5000 per violation. The new law also permits an action by the Attorney General against phishers.
It will be interesting to see whether the availability of statutory damages will result in aggressive action by victims of phishing attacks: since virtually everyone with an email account has received phishing attempts, will the lure of $5000 turn average citizens (especially those skilled at tracking perpetrators online) into bounty hunters, as some have suggested? Certainly businesses whose customers are targeted will find the $500,000 statutory amount a strong incentive for taking action.
Unlike many anti-spam acts that failed to bring things like comment spam within their ambit, the new California law appears to apply more broadly to types of phishing attacks that are not initiated through email: the "through use of the Internet" language would appear to encompass activities such as pharming, DNS poisoning, and MMORPG phishing (mmorphishing?) as well.
Update: Commentary by Bruce Schneier on the new law here and here.