CHAPTER 324. CONSUMER PROTECTION AGAINST COMPUTER SPYWARE
BUSINESS AND COMMERCE CODE
TITLE 10. USE OF TELECOMMUNICATIONS
SUBTITLE B. ELECTRONIC COMMUNICATIONS
CHAPTER 324. CONSUMER PROTECTION AGAINST COMPUTER SPYWARE
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 324.001. SHORT TITLE. This chapter may be cited as the
Consumer Protection Against Computer Spyware Act.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 324.002. DEFINITIONS. In this chapter:
(1) "Advertisement" means a communication that includes the
promotion of a commercial product or service, including
communication on an Internet website operated for a commercial
purpose.
(1-a) "Botnet" means a collection of two or more zombies.
(2) "Computer software" means a sequence of instructions written
in a programming language that is executed on a computer. The
term does not include:
(A) a web page; or
(B) a data component of a web page that cannot be executed
independently of that page.
(3) "Damage," with respect to a computer, means significant
impairment to the integrity or availability of data, computer
software, a system, or information.
(4) "Execute," with respect to computer software, means to
perform a function or carry out instructions.
(5) "Keystroke-logging function" means a function of a computer
software program that:
(A) records all keystrokes made by a person using a computer;
and
(B) transfers that information from the computer to another
person.
(6) "Owner or operator of a computer" means the owner or lessee
of a computer or an individual using a computer with the
authorization of the owner or lessee of the computer. The phrase
"owner of a computer," with respect to a computer sold at retail,
does not include a person who owned the computer before the date
on which the computer was sold.
(7) "Person" means an individual, partnership, corporation,
limited liability company, or other organization, or a
combination of those organizations.
(8) "Personally identifiable information," with respect to an
individual who is the owner or operator of a computer, means:
(A) a first name or first initial in combination with a last
name;
(B) a home or other physical address, including street name;
(C) an electronic mail address;
(D) a credit or debit card number;
(E) a bank account number;
(F) a password or access code associated with a credit or debit
card or bank account;
(G) a social security number, tax identification number,
driver's license number, passport number, or other
government-issued identification number; or
(H) any of the following information if the information alone or
in combination with other information personally identifies the
individual:
(i) account balances;
(ii) overdraft history; or
(iii) payment history.
(9) "Zombie" means a computer that, without the knowledge and
consent of the computer's owner or operator, has been compromised
to give access or control to a program or person other than the
computer's owner or operator.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Amended by:
Acts 2009, 81st Leg., R.S., Ch.
718, Sec. 1, eff. September 1, 2009.
Sec. 324.003. EXCEPTIONS TO APPLICABILITY OF CHAPTER. (a)
Section 324.052, other than Subdivision (1) of that section, and
Sections 324.053(4), 324.054, and 324.055 do not apply to a
telecommunications carrier, cable operator, computer hardware or
software provider, or provider of information service or
interactive computer service that monitors or has interaction
with a subscriber's Internet or other network connection or
service or a protected computer for:
(1) a network or computer security purpose;
(2) diagnostics, technical support, or a repair purpose;
(3) an authorized update of computer software or system
firmware;
(4) authorized remote system management; or
(5) detection or prevention of unauthorized use of or fraudulent
or other illegal activity in connection with a network, service,
or computer software, including scanning for and removing
software proscribed under this chapter.
(b) This chapter does not apply to:
(1) the use of a navigation device, any interaction with a
navigation device, or the installation or use of computer
software on a navigation device by a multichannel video
programming distributor, as defined by 47 U.S.C. Section 522(13),
or video programmer in connection with the provision of
multichannel video programming or other services offered over a
multichannel video programming system if the provision of the
programming or other service is subject to 47 U.S.C. Section
338(i) or 551; or
(2) the collection or disclosure of subscriber information by a
multichannel video programming distributor, as defined by 47
U.S.C. Section 522(13), or video programmer in connection with
the provision of multichannel video programming or other services
offered over a multichannel video programming system if the
collection or disclosure of the information is subject to 47
U.S.C. Section 338(i) or 551.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Amended by:
Acts 2009, 81st Leg., R.S., Ch.
718, Sec. 2, eff. September 1, 2009.
Sec. 324.004. CAUSING COMPUTER SOFTWARE TO BE COPIED. For
purposes of this chapter, a person causes computer software to be
copied if the person distributes or transfers computer software
or a component of computer software. Causing computer software
to be copied does not include:
(1) transmitting or routing computer software or a component of
the software;
(2) providing intermediate temporary storage or caching of
software;
(3) providing a storage medium such as a compact disk;
(4) a website;
(5) the distribution of computer software by a third party
through a computer server; or
(6) providing an information location tool, such as a directory,
index, reference, pointer, or hypertext link, through which the
user of a computer is able to locate computer software.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 324.005. KNOWING VIOLATION. A person knowingly violates
Section 324.051, 324.052, 324.053, or 324.055 if the person:
(1) acts with actual knowledge of the facts that constitute the
violation; or
(2) consciously avoids information that would establish actual
knowledge of those facts.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Amended by:
Acts 2009, 81st Leg., R.S., Ch.
718, Sec. 3, eff. September 1, 2009.
Sec. 324.006. INTENTIONALLY DECEPTIVE MEANS. For purposes of
this chapter, a person is considered to have acted through
intentionally deceptive means if the person, with the intent to
deceive the owner or operator of a computer:
(1) intentionally makes a materially false or fraudulent
statement;
(2) intentionally makes a statement or uses a description that
omits or misrepresents material information; or
(3) intentionally and materially fails to provide to the owner
or operator any notice regarding the installation or execution of
computer software.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
SUBCHAPTER B. PROHIBITED CONDUCT OR ACTIVITIES
Sec. 324.051. UNAUTHORIZED COLLECTION OR CULLING OF PERSONALLY
IDENTIFIABLE INFORMATION. A person other than the owner or
operator of the computer may not knowingly cause computer
software to be copied to a computer in this state and use the
software to:
(1) collect personally identifiable information through
intentionally deceptive means:
(A) by using a keystroke-logging function; or
(B) in a manner that correlates that information with
information regarding all or substantially all of the websites
visited by the owner or operator of the computer, other than
websites operated by the person collecting the information; or
(2) cull, through intentionally deceptive means, the following
kinds of personally identifiable information from the consumer's
computer hard drive for a purpose wholly unrelated to any of the
purposes of the software or service described to an owner or
operator of the computer:
(A) a credit or debit card number;
(B) a bank account number;
(C) a password or access code associated with a credit or debit
card number or a bank account;
(D) a social security number;
(E) account balances; or
(F) overdraft history.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 324.052. UNAUTHORIZED ACCESS TO OR MODIFICATIONS OF
COMPUTER SETTINGS; COMPUTER DAMAGE. A person other than the
owner or operator of the computer may not knowingly cause
computer software to be copied to a computer in this state and
use the software to:
(1) modify, through intentionally deceptive means, a setting
that controls:
(A) the page that appears when an Internet browser or a similar
software program is launched to access and navigate the Internet;
(B) the default provider or web proxy used to access or search
the Internet; or
(C) a list of bookmarks used to access web pages;
(2) take control of the computer by:
(A) accessing or using the computer's modem or Internet service
to:
(i) cause damage to the computer;
(ii) cause the owner or operator of the computer to incur
financial charges for a service the owner or operator did not
previously authorize; or
(iii) cause a third party affected by the conduct to incur
financial charges for a service the third party did not
previously authorize; or
(B) opening, without the consent of the owner or operator of the
computer, an advertisement that:
(i) is in the owner's or operator's Internet browser in a
multiple, sequential, or stand-alone form; and
(ii) cannot be closed by an ordinarily reasonable person using
the computer without closing the browser or shutting down the
computer;
(3) modify settings on the computer that relate to access to or
use of the Internet and protection of information for purposes of
stealing personally identifiable information of the owner or
operator of the computer; or
(4) modify security settings on the computer relating to access
to or use of the Internet for purposes of causing damage to one
or more computers.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 324.053. UNAUTHORIZED INTERFERENCE WITH INSTALLATION OR
DISABLING OF COMPUTER SOFTWARE. A person other than the owner or
operator of the computer may not knowingly cause computer
software to be copied to a computer in this state and use the
software to:
(1) prevent, through intentionally deceptive means, reasonable
efforts of the owner or operator of the computer to block the
installation or execution of or to disable computer software by
causing computer software that the owner or operator has properly
removed or disabled to automatically reinstall or reactivate on
the computer;
(2) intentionally misrepresent to another that computer software
will be uninstalled or disabled by the actions of the owner or
operator of the computer;
(3) remove, disable, or render inoperative, through
intentionally deceptive means, security, antispyware, or
antivirus computer software installed on the computer;
(4) prevent reasonable efforts of the owner or operator to block
the installation of or to disable computer software by:
(A) presenting the owner or operator with an option to decline
the installation of software knowing that, when the option is
selected, the installation process will continue to proceed; or
(B) misrepresenting that software has been disabled;
(5) change the name, location, or other designation of computer
software to prevent the owner from locating and removing the
software; or
(6) create randomized or intentionally deceptive file names or
random or intentionally deceptive directory folders, formats, or
registry entries to avoid detection and prevent the owner from
removing computer software.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 324.054. OTHER PROHIBITED CONDUCT. A person other than the
owner or operator of the computer may not:
(1) induce the owner or operator of a computer in this state to
install a computer software component to the computer by
intentionally misrepresenting the extent to which the
installation is necessary:
(A) for security or privacy reasons;
(B) to open or view text; or
(C) to play a particular type of musical or other content; or
(2) copy and execute or cause the copying and execution of a
computer software component to a computer in this state in a
deceptive manner with the intent to cause the owner or operator
of the computer to use the component in a manner that violates
this chapter.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 324.055. UNAUTHORIZED CREATION OF, ACCESS TO, OR USE OF
ZOMBIES OR BOTNETS; PRIVATE ACTION. (a) In this section:
(1) "Internet service provider" means a person providing
connectivity to the Internet or another wide area network.
(2) "Person" has the meaning assigned by Section 311.005,
Government Code.
(b) A person who is not the owner or operator of the computer
may not knowingly cause or offer to cause a computer to become a
zombie or part of a botnet.
(c) A person may not knowingly create, have created, use, or
offer to use a zombie or botnet to:
(1) send an unsolicited commercial electronic mail message, as
defined by Section 321.001;
(2) send a signal to a computer system or network that causes a
loss of service to users;
(3) send data from a computer without authorization by the owner
or operator of the computer;
(4) forward computer software designed to damage or disrupt
another computer or system;
(5) collect personally identifiable information; or
(6) perform an act for another purpose not authorized by the
owner or operator of the computer.
(d) A person may not:
(1) purchase, rent, or otherwise gain control of a zombie or
botnet created by another person; or
(2) sell, lease, offer for sale or lease, or otherwise provide
to another person access to or use of a zombie or botnet.
(e) The following persons may bring a civil action against a
person who violates this section:
(1) a person who is acting as an Internet service provider and
whose network is used to commit a violation under this section;
or
(2) a person who has incurred a loss or disruption of the
conduct of the person's business, including for-profit or
not-for-profit activities, as a result of the violation.
(f) A person bringing an action under this section may, for each
violation:
(1) seek injunctive relief to restrain a violator from
continuing the violation;
(2) subject to Subsection (g), recover damages in an amount
equal to the greater of:
(A) actual damages arising from the violation; or
(B) $100,000 for each zombie used to commit the violation; or
(3) obtain both injunctive relief and damages.
(g) The court may increase an award of damages, statutory or
otherwise, in an action brought under this section to an amount
not to exceed three times the applicable damages if the court
finds that the violations have occurred with such a frequency as
to constitute a pattern or practice.
(h) A plaintiff who prevails in an action brought under this
section is entitled to recover court costs and reasonable
attorney's fees, reasonable fees of experts, and other reasonable
costs of litigation.
(i) A remedy authorized by this section is not exclusive but is
in addition to any other procedure or remedy provided for by
other statutory or common law.
(j) Nothing in this section may be construed to impose liability
on the following persons with respect to a violation of this
section committed by another person:
(1) an Internet service provider;
(2) a provider of interactive computer service, as defined by
Section 230, Communications Act of 1934 (47 U.S.C. Section 230);
(3) a telecommunications provider, as defined by Section 51.002,
Utilities Code; or
(4) a video service provider or cable service provider, as
defined by Section 66.002, Utilities Code.
Added by Acts 2009, 81st Leg., R.S., Ch.
718, Sec. 4, eff. September 1, 2009.
SUBCHAPTER C. CIVIL REMEDIES
Sec. 324.101. PRIVATE ACTION. (a) Any of the following
persons, if adversely affected by the violation, may bring a
civil action against a person who violates Section 324.051,
324.052, 324.053, or 324.054:
(1) a provider of computer software;
(2) an owner of a web page or trademark;
(3) a telecommunications carrier;
(4) a cable operator; or
(5) an Internet service provider.
(b) Each separate violation of this chapter is an actionable
violation.
(c) In addition to any other remedy provided by law and except
as provided by Subsection (g), a person who brings an action
under this section may obtain:
(1) injunctive relief that restrains the violator from
continuing the violation;
(2) subject to Subsection (d), damages in an amount equal to the
greater of:
(A) actual damages arising from the violation; or
(B) $100,000 for each violation of the same nature; or
(3) both injunctive relief and damages.
(d) The court may increase the amount of an award of actual
damages in an action brought under Subsection (c) to an amount
not to exceed three times the amount of actual damages sustained
if the court finds that the violation has reoccurred with
sufficient frequency to constitute a pattern or practice.
(e) A plaintiff who prevails in an action brought under
Subsection (c) is entitled to recover reasonable attorney's fees
and court costs.
(f) For purposes of Subsection (c), violations are of the same
nature if the violations consist of the same course of conduct or
action, regardless of the number of times the conduct or act
occurred.
(g) If a violation of Section 324.052 causes a
telecommunications carrier or cable operator to incur costs for
the origination, transport, or termination of a call triggered
using the modem of a customer of the telecommunications carrier
or cable operator as a result of the violation, the
telecommunications carrier or cable operator may in addition to
any other remedy provided by law:
(1) apply to a court for an order to enjoin the violation;
(2) recover the charges the telecommunications carrier or cable
operator is obligated to pay to a telecommunications carrier, a
cable operator, another provider of transmission capability, or
an information service provider as a result of the violation,
including charges for the origination, transport, or termination
of the call;
(3) recover the costs of handling customer inquiries or
complaints with respect to amounts billed for calls as a result
of the violation;
(4) recover other costs, including court costs, and reasonable
attorney's fees; or
(5) both apply for injunctive relief and recover charges and
other costs as provided by this subsection.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Amended by:
Acts 2009, 81st Leg., R.S., Ch.
718, Sec. 5, eff. September 1, 2009.
Sec. 324.102. CIVIL PENALTY; INJUNCTIVE RELIEF. (a) A person
who violates this chapter is liable to this state for a civil
penalty in an amount not to exceed $100,000 for each violation.
The attorney general may bring an action to recover the civil
penalty imposed by this subsection.
(b) If it appears to the attorney general that a person is
engaging in, has engaged in, or is about to engage in conduct
that violates this chapter, the attorney general may bring an
action in the name of the state against the person to restrain
the violation by a temporary restraining order or by a permanent
or temporary injunction.
(c) The attorney general is entitled to recover reasonable
expenses incurred in obtaining civil penalties or injunctive
relief, or both, under this section, including reasonable
attorney's fees and court costs.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.