By: Zaffirini  S.B. No. 28
         (In the Senate - Filed November 10, 2008; February 10, 2009,
  read first time and referred to Committee on Business and Commerce;
  April 2, 2009, reported adversely, with favorable Committee
  Substitute by the following vote:  Yeas 9, Nays 0; April 2, 2009,
  sent to printer.)
 
  COMMITTEE SUBSTITUTE FOR S.B. No. 28 By:  Watson
 
 
A BILL TO BE ENTITLED
 
AN ACT
 
  relating to the use of a computer for an unauthorized purpose;
  providing a civil penalty.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 324.002, Business & Commerce Code, as
  effective April 1, 2009, is amended by adding Subdivisions (1-a)
  and (9) to read as follows:
               (1-a)  "Botnet" means a collection of zombies.
               (9)  "Zombie" means a computer that, without the
  knowledge and consent of the computer's owner or operator, has been
  compromised to give access or control to a program or person other
  than the computer's owner or operator.
         SECTION 2.  Subsection (a), Section 324.003, Business &
  Commerce Code, as effective April 1, 2009, is amended to read as
  follows:
         (a)  Section 324.052, other than Subdivision (1) of that
  section, and Sections 324.053(4), [and] 324.054, and 324.055 do not
  apply to a telecommunications carrier, cable operator, computer
  hardware or software provider, or provider of information service
  or interactive computer service that monitors or has interaction
  with a subscriber's Internet or other network connection or service
  or a protected computer for:
               (1)  a network or computer security purpose;
               (2)  diagnostics, technical support, or a repair
  purpose;
               (3)  an authorized update of computer software or
  system firmware;
               (4)  authorized remote system management; or
               (5)  detection or prevention of unauthorized use of or
  fraudulent or other illegal activity in connection with a network,
  service, or computer software, including scanning for and removing
  software proscribed under this chapter.
         SECTION 3.  Section 324.005, Business & Commerce Code, as
  effective April 1, 2009, is amended to read as follows:
         Sec. 324.005.  KNOWING VIOLATION.  A person knowingly
  violates Section 324.051, 324.052, [or] 324.053, or 324.055 if the
  person:
               (1)  acts with actual knowledge of the facts that
  constitute the violation; or
               (2)  consciously avoids information that would
  establish actual knowledge of those facts.
         SECTION 4.  Subchapter B, Chapter 324, Business & Commerce
  Code, as effective April 1, 2009, is amended by adding Section
  324.055 to read as follows:
         Sec. 324.055.  UNAUTHORIZED CREATION, ACCESS TO, OR USE OF
  ZOMBIES OR BOTNETS; PRIVATE ACTION. (a)  A person other than the
  owner or operator of the computer may not knowingly cause or offer
  to cause a computer to become a zombie or part of a botnet.
         (b)  A person may not knowingly create, have created, use, or
  offer to use a zombie or botnet:
               (1)  to send an unsolicited commercial electronic mail
  message, as defined by Section 321.001;
               (2)  for an attack on a computer system or network that
  causes a loss of service to users;
               (3)  to artificially add increments to a click counter
  by automatically clicking on an advertisement on an Internet
  website;
               (4)  to forward computer software designed to damage or
  disrupt another computer or system;
               (5)  to collect personally identifiable information;
               (6)  to manipulate online polls or games; or
               (7)  for another purpose not authorized by the owner or
  operator of the computer.
         (c)  A person may not:
               (1)  purchase, rent, or otherwise gain control of a
  zombie or botnet created by another person; or
               (2)  sell, lease, offer for sale or lease, or otherwise
  provide to another person access to or use of a zombie or botnet.
         (d)  A person may not provide substantial assistance or
  support to another person knowing that the other person is engaged
  in an act or practice that violates this section.
         (e)  Any of the following persons may bring a civil action
  against a person who violates this section:
               (1)  a person in business as an Internet service
  provider that is adversely affected by the violation;
               (2)  a business organization that has incurred a loss
  or disruption of its business activities as a result of the
  violation; or
               (3)  the attorney general.
         (f)  A person bringing an action under this section may
  obtain:
               (1)  injunctive relief that restrains the violator from
  continuing the violation;
               (2)  subject to Subsection (g), damages in an amount
  equal to the greater of:
                     (A)  actual damages arising from the violation;
                     (B)  $100,000 for each violation consisting of the
  same course of conduct or action, regardless of the number of times
  the conduct or act occurred; or
                     (C)  $100,000 for each zombie used to commit the
  violation; or
               (3)  both injunctive relief and damages.
         (g)  The court may increase an award of damages, statutory or
  otherwise, in an action brought under this section to an amount not
  to exceed three times the applicable damages if the court finds that
  the violation has reoccurred with sufficient frequency to
  constitute a pattern or practice.
         (h)  A plaintiff who prevails in an action brought under this
  section is entitled to recover court costs and reasonable
  attorney's fees, reasonable fees of experts, and other reasonable
  costs of litigation.
         (i)  A remedy authorized by this section is not exclusive but
  is in addition to any other procedure or remedy provided for by
  other statutory or common law.
         (j)  Nothing in this section may be construed to impose
  liability on the following persons with respect to a violation of
  this section committed by another person:
               (1)  an Internet service provider;
               (2)  a provider of interactive computer service, as
  defined by Section 230, Communications Act of 1934 (47 U.S.C.
  Section 230);
               (3)  a telecommunications provider, as defined by
  Section 51.002, Utilities Code; or
               (4)  a video service provider or cable service
  provider, as defined by Section 66.002, Utilities Code.
         SECTION 5.  Subsection (a), Section 324.101, Business &
  Commerce Code, as effective April 1, 2009, is amended to read as
  follows:
         (a)  Any of the following persons, if adversely affected by
  the violation, may bring a civil action against a person who
  violates a provision of this chapter other than Section 324.055:
               (1)  a provider of computer software;
               (2)  an owner of a web page or trademark;
               (3)  a telecommunications carrier;
               (4)  a cable operator; or
               (5)  an Internet service provider.
         SECTION 6.  The changes in law made by this Act apply only to
  conduct that occurs on or after the effective date of this Act.
  Conduct that occurs before the effective date of this Act is
  governed by the law in effect at the time the conduct occurred, and
  that law is continued in effect for that purpose.
         SECTION 7.  This Act takes effect September 1, 2009.
 
  * * * * *