CHAPTER 324. CONSUMER PROTECTION AGAINST COMPUTER SPYWARE

BUSINESS AND COMMERCE CODE

TITLE 10. USE OF TELECOMMUNICATIONS

SUBTITLE B. ELECTRONIC COMMUNICATIONS

CHAPTER 324. CONSUMER PROTECTION AGAINST COMPUTER SPYWARE

SUBCHAPTER A. GENERAL PROVISIONS

Sec. 324.001. SHORT TITLE. This chapter may be cited as the

Consumer Protection Against Computer Spyware Act.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.

Sec. 324.002. DEFINITIONS. In this chapter:

(1) "Advertisement" means a communication that includes the

promotion of a commercial product or service, including

communication on an Internet website operated for a commercial

purpose.

(1-a) "Botnet" means a collection of two or more zombies.

(2) "Computer software" means a sequence of instructions written

in a programming language that is executed on a computer. The

term does not include:

(A) a web page; or

(B) a data component of a web page that cannot be executed

independently of that page.

(3) "Damage," with respect to a computer, means significant

impairment to the integrity or availability of data, computer

software, a system, or information.

(4) "Execute," with respect to computer software, means to

perform a function or carry out instructions.

(5) "Keystroke-logging function" means a function of a computer

software program that:

(A) records all keystrokes made by a person using a computer;

and

(B) transfers that information from the computer to another

person.

(6) "Owner or operator of a computer" means the owner or lessee

of a computer or an individual using a computer with the

authorization of the owner or lessee of the computer. The phrase

"owner of a computer," with respect to a computer sold at retail,

does not include a person who owned the computer before the date

on which the computer was sold.

(7) "Person" means an individual, partnership, corporation,

limited liability company, or other organization, or a

combination of those organizations.

(8) "Personally identifiable information," with respect to an

individual who is the owner or operator of a computer, means:

(A) a first name or first initial in combination with a last

name;

(B) a home or other physical address, including street name;

(C) an electronic mail address;

(D) a credit or debit card number;

(E) a bank account number;

(F) a password or access code associated with a credit or debit

card or bank account;

(G) a social security number, tax identification number,

driver's license number, passport number, or other

government-issued identification number; or

(H) any of the following information if the information alone or

in combination with other information personally identifies the

individual:

(i) account balances;

(ii) overdraft history; or

(iii) payment history.

(9) "Zombie" means a computer that, without the knowledge and

consent of the computer's owner or operator, has been compromised

to give access or control to a program or person other than the

computer's owner or operator.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.

Amended by:

Acts 2009, 81st Leg., R.S., Ch.

718, Sec. 1, eff. September 1, 2009.

Sec. 324.003. EXCEPTIONS TO APPLICABILITY OF CHAPTER. (a)

Section 324.052, other than Subdivision (1) of that section, and

Sections 324.053(4), 324.054, and 324.055 do not apply to a

telecommunications carrier, cable operator, computer hardware or

software provider, or provider of information service or

interactive computer service that monitors or has interaction

with a subscriber's Internet or other network connection or

service or a protected computer for:

(1) a network or computer security purpose;

(2) diagnostics, technical support, or a repair purpose;

(3) an authorized update of computer software or system

firmware;

(4) authorized remote system management; or

(5) detection or prevention of unauthorized use of or fraudulent

or other illegal activity in connection with a network, service,

or computer software, including scanning for and removing

software proscribed under this chapter.

(b) This chapter does not apply to:

(1) the use of a navigation device, any interaction with a

navigation device, or the installation or use of computer

software on a navigation device by a multichannel video

programming distributor, as defined by 47 U.S.C. Section 522(13),

or video programmer in connection with the provision of

multichannel video programming or other services offered over a

multichannel video programming system if the provision of the

programming or other service is subject to 47 U.S.C. Section

338(i) or 551; or

(2) the collection or disclosure of subscriber information by a

multichannel video programming distributor, as defined by 47

U.S.C. Section 522(13), or video programmer in connection with

the provision of multichannel video programming or other services

offered over a multichannel video programming system if the

collection or disclosure of the information is subject to 47

U.S.C. Section 338(i) or 551.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.

Amended by:

Acts 2009, 81st Leg., R.S., Ch.

718, Sec. 2, eff. September 1, 2009.

Sec. 324.004. CAUSING COMPUTER SOFTWARE TO BE COPIED. For

purposes of this chapter, a person causes computer software to be

copied if the person distributes or transfers computer software

or a component of computer software. Causing computer software

to be copied does not include:

(1) transmitting or routing computer software or a component of

the software;

(2) providing intermediate temporary storage or caching of

software;

(3) providing a storage medium such as a compact disk;

(4) a website;

(5) the distribution of computer software by a third party

through a computer server; or

(6) providing an information location tool, such as a directory,

index, reference, pointer, or hypertext link, through which the

user of a computer is able to locate computer software.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.

Sec. 324.005. KNOWING VIOLATION. A person knowingly violates

Section 324.051, 324.052, 324.053, or 324.055 if the person:

(1) acts with actual knowledge of the facts that constitute the

violation; or

(2) consciously avoids information that would establish actual

knowledge of those facts.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.

Amended by:

Acts 2009, 81st Leg., R.S., Ch.

718, Sec. 3, eff. September 1, 2009.

Sec. 324.006. INTENTIONALLY DECEPTIVE MEANS. For purposes of

this chapter, a person is considered to have acted through

intentionally deceptive means if the person, with the intent to

deceive the owner or operator of a computer:

(1) intentionally makes a materially false or fraudulent

statement;

(2) intentionally makes a statement or uses a description that

omits or misrepresents material information; or

(3) intentionally and materially fails to provide to the owner

or operator any notice regarding the installation or execution of

computer software.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.

SUBCHAPTER B. PROHIBITED CONDUCT OR ACTIVITIES

Sec. 324.051. UNAUTHORIZED COLLECTION OR CULLING OF PERSONALLY

IDENTIFIABLE INFORMATION. A person other than the owner or

operator of the computer may not knowingly cause computer

software to be copied to a computer in this state and use the

software to:

(1) collect personally identifiable information through

intentionally deceptive means:

(A) by using a keystroke-logging function; or

(B) in a manner that correlates that information with

information regarding all or substantially all of the websites

visited by the owner or operator of the computer, other than

websites operated by the person collecting the information; or

(2) cull, through intentionally deceptive means, the following

kinds of personally identifiable information from the consumer's

computer hard drive for a purpose wholly unrelated to any of the

purposes of the software or service described to an owner or

operator of the computer:

(A) a credit or debit card number;

(B) a bank account number;

(C) a password or access code associated with a credit or debit

card number or a bank account;

(D) a social security number;

(E) account balances; or

(F) overdraft history.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.

Sec. 324.052. UNAUTHORIZED ACCESS TO OR MODIFICATIONS OF

COMPUTER SETTINGS; COMPUTER DAMAGE. A person other than the

owner or operator of the computer may not knowingly cause

computer software to be copied to a computer in this state and

use the software to:

(1) modify, through intentionally deceptive means, a setting

that controls:

(A) the page that appears when an Internet browser or a similar

software program is launched to access and navigate the Internet;

(B) the default provider or web proxy used to access or search

the Internet; or

(C) a list of bookmarks used to access web pages;

(2) take control of the computer by:

(A) accessing or using the computer's modem or Internet service

to:

(i) cause damage to the computer;

(ii) cause the owner or operator of the computer to incur

financial charges for a service the owner or operator did not

previously authorize; or

(iii) cause a third party affected by the conduct to incur

financial charges for a service the third party did not

previously authorize; or

(B) opening, without the consent of the owner or operator of the

computer, an advertisement that:

(i) is in the owner's or operator's Internet browser in a

multiple, sequential, or stand-alone form; and

(ii) cannot be closed by an ordinarily reasonable person using

the computer without closing the browser or shutting down the

computer;

(3) modify settings on the computer that relate to access to or

use of the Internet and protection of information for purposes of

stealing personally identifiable information of the owner or

operator of the computer; or

(4) modify security settings on the computer relating to access

to or use of the Internet for purposes of causing damage to one

or more computers.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.

Sec. 324.053. UNAUTHORIZED INTERFERENCE WITH INSTALLATION OR

DISABLING OF COMPUTER SOFTWARE. A person other than the owner or

operator of the computer may not knowingly cause computer

software to be copied to a computer in this state and use the

software to:

(1) prevent, through intentionally deceptive means, reasonable

efforts of the owner or operator of the computer to block the

installation or execution of or to disable computer software by

causing computer software that the owner or operator has properly

removed or disabled to automatically reinstall or reactivate on

the computer;

(2) intentionally misrepresent to another that computer software

will be uninstalled or disabled by the actions of the owner or

operator of the computer;

(3) remove, disable, or render inoperative, through

intentionally deceptive means, security, antispyware, or

antivirus computer software installed on the computer;

(4) prevent reasonable efforts of the owner or operator to block

the installation of or to disable computer software by:

(A) presenting the owner or operator with an option to decline

the installation of software knowing that, when the option is

selected, the installation process will continue to proceed; or

(B) misrepresenting that software has been disabled;

(5) change the name, location, or other designation of computer

software to prevent the owner from locating and removing the

software; or

(6) create randomized or intentionally deceptive file names or

random or intentionally deceptive directory folders, formats, or

registry entries to avoid detection and prevent the owner from

removing computer software.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.

Sec. 324.054. OTHER PROHIBITED CONDUCT. A person other than the

owner or operator of the computer may not:

(1) induce the owner or operator of a computer in this state to

install a computer software component to the computer by

intentionally misrepresenting the extent to which the

installation is necessary:

(A) for security or privacy reasons;

(B) to open or view text; or

(C) to play a particular type of musical or other content; or

(2) copy and execute or cause the copying and execution of a

computer software component to a computer in this state in a

deceptive manner with the intent to cause the owner or operator

of the computer to use the component in a manner that violates

this chapter.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.

Sec. 324.055. UNAUTHORIZED CREATION OF, ACCESS TO, OR USE OF

ZOMBIES OR BOTNETS; PRIVATE ACTION. (a) In this section:

(1) "Internet service provider" means a person providing

connectivity to the Internet or another wide area network.

(2) "Person" has the meaning assigned by Section 311.005,

Government Code.

(b) A person who is not the owner or operator of the computer

may not knowingly cause or offer to cause a computer to become a

zombie or part of a botnet.

(c) A person may not knowingly create, have created, use, or

offer to use a zombie or botnet to:

(1) send an unsolicited commercial electronic mail message, as

defined by Section 321.001;

(2) send a signal to a computer system or network that causes a

loss of service to users;

(3) send data from a computer without authorization by the owner

or operator of the computer;

(4) forward computer software designed to damage or disrupt

another computer or system;

(5) collect personally identifiable information; or

(6) perform an act for another purpose not authorized by the

owner or operator of the computer.

(d) A person may not:

(1) purchase, rent, or otherwise gain control of a zombie or

botnet created by another person; or

(2) sell, lease, offer for sale or lease, or otherwise provide

to another person access to or use of a zombie or botnet.

(e) The following persons may bring a civil action against a

person who violates this section:

(1) a person who is acting as an Internet service provider and

whose network is used to commit a violation under this section;

or

(2) a person who has incurred a loss or disruption of the

conduct of the person's business, including for-profit or

not-for-profit activities, as a result of the violation.

(f) A person bringing an action under this section may, for each

violation:

(1) seek injunctive relief to restrain a violator from

continuing the violation;

(2) subject to Subsection (g), recover damages in an amount

equal to the greater of:

(A) actual damages arising from the violation; or

(B) $100,000 for each zombie used to commit the violation; or

(3) obtain both injunctive relief and damages.

(g) The court may increase an award of damages, statutory or

otherwise, in an action brought under this section to an amount

not to exceed three times the applicable damages if the court

finds that the violations have occurred with such a frequency as

to constitute a pattern or practice.

(h) A plaintiff who prevails in an action brought under this

section is entitled to recover court costs and reasonable

attorney's fees, reasonable fees of experts, and other reasonable

costs of litigation.

(i) A remedy authorized by this section is not exclusive but is

in addition to any other procedure or remedy provided for by

other statutory or common law.

(j) Nothing in this section may be construed to impose liability

on the following persons with respect to a violation of this

section committed by another person:

(1) an Internet service provider;

(2) a provider of interactive computer service, as defined by

Section 230, Communications Act of 1934 (47 U.S.C. Section 230);

(3) a telecommunications provider, as defined by Section 51.002,

Utilities Code; or

(4) a video service provider or cable service provider, as

defined by Section 66.002, Utilities Code.

Added by Acts 2009, 81st Leg., R.S., Ch.

718, Sec. 4, eff. September 1, 2009.

SUBCHAPTER C. CIVIL REMEDIES

Sec. 324.101. PRIVATE ACTION. (a) Any of the following

persons, if adversely affected by the violation, may bring a

civil action against a person who violates Section 324.051,

324.052, 324.053, or 324.054:

(1) a provider of computer software;

(2) an owner of a web page or trademark;

(3) a telecommunications carrier;

(4) a cable operator; or

(5) an Internet service provider.

(b) Each separate violation of this chapter is an actionable

violation.

(c) In addition to any other remedy provided by law and except

as provided by Subsection (g), a person who brings an action

under this section may obtain:

(1) injunctive relief that restrains the violator from

continuing the violation;

(2) subject to Subsection (d), damages in an amount equal to the

greater of:

(A) actual damages arising from the violation; or

(B) $100,000 for each violation of the same nature; or

(3) both injunctive relief and damages.

(d) The court may increase the amount of an award of actual

damages in an action brought under Subsection (c) to an amount

not to exceed three times the amount of actual damages sustained

if the court finds that the violation has reoccurred with

sufficient frequency to constitute a pattern or practice.

(e) A plaintiff who prevails in an action brought under

Subsection (c) is entitled to recover reasonable attorney's fees

and court costs.

(f) For purposes of Subsection (c), violations are of the same

nature if the violations consist of the same course of conduct or

action, regardless of the number of times the conduct or act

occurred.

(g) If a violation of Section 324.052 causes a

telecommunications carrier or cable operator to incur costs for

the origination, transport, or termination of a call triggered

using the modem of a customer of the telecommunications carrier

or cable operator as a result of the violation, the

telecommunications carrier or cable operator may in addition to

any other remedy provided by law:

(1) apply to a court for an order to enjoin the violation;

(2) recover the charges the telecommunications carrier or cable

operator is obligated to pay to a telecommunications carrier, a

cable operator, another provider of transmission capability, or

an information service provider as a result of the violation,

including charges for the origination, transport, or termination

of the call;

(3) recover the costs of handling customer inquiries or

complaints with respect to amounts billed for calls as a result

of the violation;

(4) recover other costs, including court costs, and reasonable

attorney's fees; or

(5) both apply for injunctive relief and recover charges and

other costs as provided by this subsection.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.

Amended by:

Acts 2009, 81st Leg., R.S., Ch.

718, Sec. 5, eff. September 1, 2009.

Sec. 324.102. CIVIL PENALTY; INJUNCTIVE RELIEF. (a) A person

who violates this chapter is liable to this state for a civil

penalty in an amount not to exceed $100,000 for each violation.

The attorney general may bring an action to recover the civil

penalty imposed by this subsection.

(b) If it appears to the attorney general that a person is

engaging in, has engaged in, or is about to engage in conduct

that violates this chapter, the attorney general may bring an

action in the name of the state against the person to restrain

the violation by a temporary restraining order or by a permanent

or temporary injunction.

(c) The attorney general is entitled to recover reasonable

expenses incurred in obtaining civil penalties or injunctive

relief, or both, under this section, including reasonable

attorney's fees and court costs.

Added by Acts 2007, 80th Leg., R.S., Ch.

885, Sec. 2.01, eff. April 1, 2009.