BUSINESS AND COMMERCE CODE


TITLE 10. USE OF TELECOMMUNICATIONS


SUBTITLE B. ELECTRONIC COMMUNICATIONS


CHAPTER 324. CONSUMER PROTECTION AGAINST COMPUTER SPYWARE


SUBCHAPTER A. GENERAL PROVISIONS


Sec. 324.001. SHORT TITLE. This chapter may be cited as the Consumer Protection Against Computer Spyware Act.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Sec. 324.002. DEFINITIONS. In this chapter:

(1) "Advertisement" means a communication that includes the promotion of a commercial product or service, including communication on an Internet website operated for a commercial purpose.

(1-a) "Botnet" means a collection of two or more zombies.

(2) "Computer software" means a sequence of instructions written in a programming language that is executed on a computer. The term does not include:

(A) a web page; or

(B) a data component of a web page that cannot be executed independently of that page.

(3) "Damage," with respect to a computer, means significant impairment to the integrity or availability of data, computer software, a system, or information.

(4) "Execute," with respect to computer software, means to perform a function or carry out instructions.

(5) "Keystroke-logging function" means a function of a computer software program that:

(A) records all keystrokes made by a person using a computer; and

(B) transfers that information from the computer to another person.

(6) "Owner or operator of a computer" means the owner or lessee of a computer or an individual using a computer with the authorization of the owner or lessee of the computer. The phrase "owner of a computer," with respect to a computer sold at retail, does not include a person who owned the computer before the date on which the computer was sold.

(7) "Person" means an individual, partnership, corporation, limited liability company, or other organization, or a combination of those organizations.

(8) "Personally identifiable information," with respect to an individual who is the owner or operator of a computer, means:

(A) a first name or first initial in combination with a last name;

(B) a home or other physical address, including street name;

(C) an electronic mail address;

(D) a credit or debit card number;

(E) a bank account number;

(F) a password or access code associated with a credit or debit card or bank account;

(G) a social security number, tax identification number, driver's license number, passport number, or other government-issued identification number; or

(H) any of the following information if the information alone or in combination with other information personally identifies the individual:

(i) account balances;

(ii) overdraft history; or

(iii) payment history.

(9) "Zombie" means a computer that, without the knowledge and consent of the computer's owner or operator, has been compromised to give access or control to a program or person other than the computer's owner or operator.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Amended by:

Acts 2009, 81st Leg., R.S., Ch. 718 (S.B. 28), Sec. 1, eff. September 1, 2009.

Sec. 324.003. EXCEPTIONS TO APPLICABILITY OF CHAPTER. (a) Section 324.052, other than Subdivision (1) of that section, and Sections 324.053(4), 324.054, and 324.055 do not apply to a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service that monitors or has interaction with a subscriber's Internet or other network connection or service or a protected computer for:

(1) a network or computer security purpose;

(2) diagnostics, technical support, or a repair purpose;

(3) an authorized update of computer software or system firmware;

(4) authorized remote system management; or

(5) detection or prevention of unauthorized use of or fraudulent or other illegal activity in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter.

(b) This chapter does not apply to:

(1) the use of a navigation device, any interaction with a navigation device, or the installation or use of computer software on a navigation device by a multichannel video programming distributor, as defined by 47 U.S.C. Section 522(13), or video programmer in connection with the provision of multichannel video programming or other services offered over a multichannel video programming system if the provision of the programming or other service is subject to 47 U.S.C. Section 338(i) or 551; or

(2) the collection or disclosure of subscriber information by a multichannel video programming distributor, as defined by 47 U.S.C. Section 522(13), or video programmer in connection with the provision of multichannel video programming or other services offered over a multichannel video programming system if the collection or disclosure of the information is subject to 47 U.S.C. Section 338(i) or 551.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Amended by:

Acts 2009, 81st Leg., R.S., Ch. 718 (S.B. 28), Sec. 2, eff. September 1, 2009.

Sec. 324.004. CAUSING COMPUTER SOFTWARE TO BE COPIED. For purposes of this chapter, a person causes computer software to be copied if the person distributes or transfers computer software or a component of computer software. Causing computer software to be copied does not include:

(1) transmitting or routing computer software or a component of the software;

(2) providing intermediate temporary storage or caching of software;

(3) providing a storage medium such as a compact disk;

(4) a website;

(5) the distribution of computer software by a third party through a computer server; or

(6) providing an information location tool, such as a directory, index, reference, pointer, or hypertext link, through which the user of a computer is able to locate computer software.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Sec. 324.005. KNOWING VIOLATION. A person knowingly violates Section 324.051, 324.052, 324.053, or 324.055 if the person:

(1) acts with actual knowledge of the facts that constitute the violation; or

(2) consciously avoids information that would establish actual knowledge of those facts.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Amended by:

Acts 2009, 81st Leg., R.S., Ch. 718 (S.B. 28), Sec. 3, eff. September 1, 2009.

Sec. 324.006. INTENTIONALLY DECEPTIVE MEANS. For purposes of this chapter, a person is considered to have acted through intentionally deceptive means if the person, with the intent to deceive the owner or operator of a computer:

(1) intentionally makes a materially false or fraudulent statement;

(2) intentionally makes a statement or uses a description that omits or misrepresents material information; or

(3) intentionally and materially fails to provide to the owner or operator any notice regarding the installation or execution of computer software.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

SUBCHAPTER B. PROHIBITED CONDUCT OR ACTIVITIES


Sec. 324.051. UNAUTHORIZED COLLECTION OR CULLING OF PERSONALLY IDENTIFIABLE INFORMATION. A person other than the owner or operator of the computer may not knowingly cause computer software to be copied to a computer in this state and use the software to:

(1) collect personally identifiable information through intentionally deceptive means:

(A) by using a keystroke-logging function; or

(B) in a manner that correlates that information with information regarding all or substantially all of the websites visited by the owner or operator of the computer, other than websites operated by the person collecting the information; or

(2) cull, through intentionally deceptive means, the following kinds of personally identifiable information from the consumer's computer hard drive for a purpose wholly unrelated to any of the purposes of the software or service described to an owner or operator of the computer:

(A) a credit or debit card number;

(B) a bank account number;

(C) a password or access code associated with a credit or debit card number or a bank account;

(D) a social security number;

(E) account balances; or

(F) overdraft history.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Sec. 324.052. UNAUTHORIZED ACCESS TO OR MODIFICATIONS OF COMPUTER SETTINGS; COMPUTER DAMAGE. A person other than the owner or operator of the computer may not knowingly cause computer software to be copied to a computer in this state and use the software to:

(1) modify, through intentionally deceptive means, a setting that controls:

(A) the page that appears when an Internet browser or a similar software program is launched to access and navigate the Internet;

(B) the default provider or web proxy used to access or search the Internet; or

(C) a list of bookmarks used to access web pages;

(2) take control of the computer by:

(A) accessing or using the computer's modem or Internet service to:

(i) cause damage to the computer;

(ii) cause the owner or operator of the computer to incur financial charges for a service the owner or operator did not previously authorize; or

(iii) cause a third party affected by the conduct to incur financial charges for a service the third party did not previously authorize; or

(B) opening, without the consent of the owner or operator of the computer, an advertisement that:

(i) is in the owner's or operator's Internet browser in a multiple, sequential, or stand-alone form; and

(ii) cannot be closed by an ordinarily reasonable person using the computer without closing the browser or shutting down the computer;

(3) modify settings on the computer that relate to access to or use of the Internet and protection of information for purposes of stealing personally identifiable information of the owner or operator of the computer; or

(4) modify security settings on the computer relating to access to or use of the Internet for purposes of causing damage to one or more computers.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Sec. 324.053. UNAUTHORIZED INTERFERENCE WITH INSTALLATION OR DISABLING OF COMPUTER SOFTWARE. A person other than the owner or operator of the computer may not knowingly cause computer software to be copied to a computer in this state and use the software to:

(1) prevent, through intentionally deceptive means, reasonable efforts of the owner or operator of the computer to block the installation or execution of or to disable computer software by causing computer software that the owner or operator has properly removed or disabled to automatically reinstall or reactivate on the computer;

(2) intentionally misrepresent to another that computer software will be uninstalled or disabled by the actions of the owner or operator of the computer;

(3) remove, disable, or render inoperative, through intentionally deceptive means, security, antispyware, or antivirus computer software installed on the computer;

(4) prevent reasonable efforts of the owner or operator to block the installation of or to disable computer software by:

(A) presenting the owner or operator with an option to decline the installation of software knowing that, when the option is selected, the installation process will continue to proceed; or

(B) misrepresenting that software has been disabled;

(5) change the name, location, or other designation of computer software to prevent the owner from locating and removing the software; or

(6) create randomized or intentionally deceptive file names or random or intentionally deceptive directory folders, formats, or registry entries to avoid detection and prevent the owner from removing computer software.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Sec. 324.054. OTHER PROHIBITED CONDUCT. A person other than the owner or operator of the computer may not:

(1) induce the owner or operator of a computer in this state to install a computer software component to the computer by intentionally misrepresenting the extent to which the installation is necessary:

(A) for security or privacy reasons;

(B) to open or view text; or

(C) to play a particular type of musical or other content; or

(2) copy and execute or cause the copying and execution of a computer software component to a computer in this state in a deceptive manner with the intent to cause the owner or operator of the computer to use the component in a manner that violates this chapter.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Sec. 324.055. UNAUTHORIZED CREATION OF, ACCESS TO, OR USE OF ZOMBIES OR BOTNETS; PRIVATE ACTION. (a) In this section:

(1) "Internet service provider" means a person providing connectivity to the Internet or another wide area network.

(2) "Person" has the meaning assigned by Section 311.005, Government Code.

(b) A person who is not the owner or operator of the computer may not knowingly cause or offer to cause a computer to become a zombie or part of a botnet.

(c) A person may not knowingly create, have created, use, or offer to use a zombie or botnet to:

(1) send an unsolicited commercial electronic mail message, as defined by Section 321.001;

(2) send a signal to a computer system or network that causes a loss of service to users;

(3) send data from a computer without authorization by the owner or operator of the computer;

(4) forward computer software designed to damage or disrupt another computer or system;

(5) collect personally identifiable information; or

(6) perform an act for another purpose not authorized by the owner or operator of the computer.

(d) A person may not:

(1) purchase, rent, or otherwise gain control of a zombie or botnet created by another person; or

(2) sell, lease, offer for sale or lease, or otherwise provide to another person access to or use of a zombie or botnet.

(e) The following persons may bring a civil action against a person who violates this section:

(1) a person who is acting as an Internet service provider and whose network is used to commit a violation under this section; or

(2) a person who has incurred a loss or disruption of the conduct of the person's business, including for-profit or not-for-profit activities, as a result of the violation.

(f) A person bringing an action under this section may, for each violation:

(1) seek injunctive relief to restrain a violator from continuing the violation;

(2) subject to Subsection (g), recover damages in an amount equal to the greater of:

(A) actual damages arising from the violation; or

(B) $100,000 for each zombie used to commit the violation; or

(3) obtain both injunctive relief and damages.

(g) The court may increase an award of damages, statutory or otherwise, in an action brought under this section to an amount not to exceed three times the applicable damages if the court finds that the violations have occurred with such a frequency as to constitute a pattern or practice.

(h) A plaintiff who prevails in an action brought under this section is entitled to recover court costs and reasonable attorney's fees, reasonable fees of experts, and other reasonable costs of litigation.

(i) A remedy authorized by this section is not exclusive but is in addition to any other procedure or remedy provided for by other statutory or common law.

(j) Nothing in this section may be construed to impose liability on the following persons with respect to a violation of this section committed by another person:

(1) an Internet service provider;

(2) a provider of interactive computer service, as defined by Section 230, Communications Act of 1934 (47 U.S.C. Section 230);

(3) a telecommunications provider, as defined by Section 51.002, Utilities Code; or

(4) a video service provider or cable service provider, as defined by Section 66.002, Utilities Code.

Added by Acts 2009, 81st Leg., R.S., Ch. 718 (S.B. 28), Sec. 4, eff. September 1, 2009.

SUBCHAPTER C. CIVIL REMEDIES


Sec. 324.101. PRIVATE ACTION. (a) Any of the following persons, if adversely affected by the violation, may bring a civil action against a person who violates Section 324.051, 324.052, 324.053, or 324.054:

(1) a provider of computer software;

(2) an owner of a web page or trademark;

(3) a telecommunications carrier;

(4) a cable operator; or

(5) an Internet service provider.

(b) Each separate violation of this chapter is an actionable violation.

(c) In addition to any other remedy provided by law and except as provided by Subsection (g), a person who brings an action under this section may obtain:

(1) injunctive relief that restrains the violator from continuing the violation;

(2) subject to Subsection (d), damages in an amount equal to the greater of:

(A) actual damages arising from the violation; or

(B) $100,000 for each violation of the same nature; or

(3) both injunctive relief and damages.

(d) The court may increase the amount of an award of actual damages in an action brought under Subsection (c) to an amount not to exceed three times the amount of actual damages sustained if the court finds that the violation has reoccurred with sufficient frequency to constitute a pattern or practice.

(e) A plaintiff who prevails in an action brought under Subsection (c) is entitled to recover reasonable attorney's fees and court costs.

(f) For purposes of Subsection (c), violations are of the same nature if the violations consist of the same course of conduct or action, regardless of the number of times the conduct or act occurred.

(g) If a violation of Section 324.052 causes a telecommunications carrier or cable operator to incur costs for the origination, transport, or termination of a call triggered using the modem of a customer of the telecommunications carrier or cable operator as a result of the violation, the telecommunications carrier or cable operator may in addition to any other remedy provided by law:

(1) apply to a court for an order to enjoin the violation;

(2) recover the charges the telecommunications carrier or cable operator is obligated to pay to a telecommunications carrier, a cable operator, another provider of transmission capability, or an information service provider as a result of the violation, including charges for the origination, transport, or termination of the call;

(3) recover the costs of handling customer inquiries or complaints with respect to amounts billed for calls as a result of the violation;

(4) recover other costs, including court costs, and reasonable attorney's fees; or

(5) both apply for injunctive relief and recover charges and other costs as provided by this subsection.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Amended by:

Acts 2009, 81st Leg., R.S., Ch. 718 (S.B. 28), Sec. 5, eff. September 1, 2009.

Sec. 324.102. CIVIL PENALTY; INJUNCTIVE RELIEF. (a) A person who violates this chapter is liable to this state for a civil penalty in an amount not to exceed $100,000 for each violation. The attorney general may bring an action to recover the civil penalty imposed by this subsection.

(b) If it appears to the attorney general that a person is engaging in, has engaged in, or is about to engage in conduct that violates this chapter, the attorney general may bring an action in the name of the state against the person to restrain the violation by a temporary restraining order or by a permanent or temporary injunction.

(c) The attorney general is entitled to recover reasonable expenses incurred in obtaining civil penalties or injunctive relief, or both, under this section, including reasonable attorney's fees and court costs.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.