Search OpenLegislation Statutes

This entry was published on 2014-09-22
The selection dates indicate all change milestones for the entire volume, not just the location being viewed. Specifying a milestone date will retrieve the most recent version of the location before that date.
Anti-phishing act of 2006
General Business (GBS) CHAPTER 20, ARTICLE 26
§ 390-b. Anti-phishing act of 2006. 1. This section shall be known as
and may be cited as the "anti-phishing act of 2006".

2. For purposes of this section, the following terms shall have the
following meanings:

(a) The term "electronic message" means a message sent or posted to a
unique destination, commonly expressed as a string of characters,
consisting of a unique user name or mailbox (commonly referred to as the
"local part") and a reference to an internet domain (commonly referred
to as the "domain part"), whether or not displayed, to which an
electronic message can be sent, delivered or posted.

(b) The term "identifying information" means an individual's (1)
social security number; (2) driver's license number; (3) bank account
number; (4) credit or debit card number; (5) personal identification
number (PIN); (6) automated or electronic signature; (7) unique
biometric data; (8) account passwords; or (9) any other piece of
information that can be used to access an individual's financial
accounts or to obtain goods or services.

(c) The term "internet" means collectively the myriad of computer and
telecommunications facilities, including equipment and operating
software, which comprise the interconnected world-wide network of
networks that employ the transmission control protocol/internet
protocol, or any predecessor or successor protocols to such protocol, to
communicate information of all kinds by wire or radio.

(d) The term "web page" means a location, with respect to the world
wide web, that has a single uniform resource locator or other single
location with respect to the internet.

3. It is unlawful for any person, by means of a web page, electronic
message, or other use of the internet to solicit, request or collect
identifying information by deceptively representing himself or herself,
either directly or by implication, to be a business or a governmental
entity and doing so without the authority or approval of such business
or such governmental entity.

4. (a) The attorney general, or any person who either is engaged in
the business of providing internet access service to the public or owns
a web page or trademark and who is adversely affected by reason of a
violation of the provisions of subdivision three of this section, may
bring an action against a person who violates the provisions of
subdivision three of this section:

(1) to enjoin further violation of the provisions of subdivision three
of this section; and

(2) to recover the greater of:

(A) actual damages; or

(B) one thousand dollars for each instance in which identifying
information is solicited, requested or collected from a person in
violation of the provisions of subdivision three of this section.

(b) In an action under paragraph (a) of this subdivision, a court may:

(1) increase the damages up to three times the damages allowed by
paragraph (a) of this subdivision where the defendant has been found to
have engaged in a pattern and practice of violating the provisions of
subdivision three of this section; and

(2) award costs and reasonable attorney's fees to a prevailing party.

5. Nothing in this section shall in any way limit rights or remedies
which are otherwise available under law to the attorney general or any
other person authorized to bring an action under subdivision four of
this section.