08 Oct 2005
Last week the governor signed into law SB 355, the Anti-Phishing Act of 2005. First, it specifically makes phishing illegal:
It shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business.
Then it creates some new civil actions. A business that gets phished can sue for $500,000, and an individual who falls for a phish (or more specifically, is adversely affected by a violation of the section quoted above) can sue for the greater of $5,000 or three times his losses, with either of those tripled if the defendant has engaged in a pattern of phishing. The state Attorney General and district attorneys can get injunctions and modest $2,500 penalties. Oddly, individual victims can also get injunctions but businesses can't.
Comment in the press has all been quite negative: it won't make any difference, and it may even make things worse as fraudsters try to get people to sign up for a non-existent state Do Not Phish list. I'm not sure I agree.
While it's true that phishing is already totally illegal, this law does two useful things. The first is to make phishing per se illegal. To convict someone of fraud, the state has to show that the perpetrator successfully defrauded someone, with actual losses. Under this law, if someone pretends to be, say, Wells Fargo, and tries to get people to send him account info, it's illegal whether or not anyone falls for it.
The other is that it allows civil as well as criminal action. Civil suits are vastly easier to bring than criminal ones. You can file one yourself rather than having to persuade the D.A. to put you on the list along with the murderers and rapists. The line to get a civil court trial is usually much shorter, and once you're there, the standard of proof for the judge or jury is preponderance of evidence, i.e., more likely than not, rather than the much stricter reasonable doubt. For individual suits, the $5,000 limit is in California the magic number that lets you sue in small claims court, where the fees are lower and no lawyer is needed (but you do have to sue where the defendant is). There are some weaknesses in the law, like a business having to prove that it was adversely affected by a phish if it can't identify people who lost money, but nothing a decent lawyer couldn't handle.
What this all says is that if a California business is phished, or a California resident falls for a phish, and they can identify the crook (which is possible more often than one might think, particularly if the crook gets to the point of taking money out of someone's account), it's now cheap enough to take the crook to court that people might actually do it.
© 2005-2018 John R. Levine.