Florida Senate - 2009 CS for CS for SB 164
By the Committees on Judiciary; and Commerce; and Senator Ring
590-02987-09 2009164c2
1 A bill to be entitled
2 An act relating to offenses against computer users;
3 amending s. 815.03, F.S.; defining terms for purposes
4 of the Florida Computer Crimes Act; creating s.
5 815.051, F.S.; prohibiting a person who is not an
6 owner or operator of a computer from causing computer
7 software to be copied on a computer knowingly, with
8 conscious avoidance of actual knowledge, or willfully
9 and without authorization taking specified actions
10 with respect to a computer; creating s. 815.053, F.S.;
11 prohibiting a person who is not an owner or operator
12 of a computer from inducing an owner or operator to
13 install a computer software component onto the owner’s
14 or operator’s computer by deceptively misrepresenting
15 that installing computer software is necessary for
16 security or privacy reasons or by using deceptive
17 means to cause the execution of a computer software
18 component with the intent of causing the computer to
19 use the component in a harmful manner; creating s.
20 815.055, F.S.; providing exceptions; amending s.
21 815.06, F.S.; providing that a violation of the act is
22 a felony of the third degree; providing criminal
23 penalties; providing enhanced criminal penalties under
24 certain circumstances; authorizing the Department of
25 Legal Affairs or a state attorney to file a civil
26 action for injunctive relief against any person or
27 group to restrain prohibited activities; authorizing a
28 court to award court costs and attorney’s fees to the
29 prevailing party; permitting a court to impose a civil
30 penalty not to exceed a stated amount for each offense
31 against computer users; providing an effective date.
32
33 Be It Enacted by the Legislature of the State of Florida:
34
35 Section 1. Section 815.03, Florida Statutes, is amended to
36 read:
37 815.03 Definitions.—As used in this chapter, unless the
38 context clearly indicates otherwise:
39 (1) “Access” means to approach, instruct, communicate with,
40 store data in, retrieve data from, or otherwise make use of any
41 resources of a computer, computer system, or computer network.
42 (2) “Cause to be copied” means to distribute or transfer
43 computer software or any component thereof. The term does not
44 include:
45 (a) Transmission, routing, provision of intermediate
46 temporary storage, or caching of software;
47 (b) A storage or hosting medium, such as a compact disk,
48 website, or computer server through which the software was
49 distributed by a third party; or
50 (c) An information-location tool, such as a directory,
51 index, reference, pointer, or hypertext link, through which the
52 user of the computer locates software.
53 (3)(2) “Computer” means an internally programmed, automatic
54 device that performs data processing.
55 (4)(3) “Computer contaminant” means any set of computer
56 instructions designed to modify, damage, destroy, record, or
57 transmit information within a computer, computer system, or
58 computer network without the intent or permission of the owner
59 of the information. The term includes, but is not limited to, a
60 group of computer instructions commonly called viruses or worms
61 which are self-replicating or self-propagating and which are
62 designed to contaminate other computer programs or computer
63 data; consume computer resources; modify, destroy, record, or
64 transmit data; or in some other fashion usurp the normal
65 operation of the computer, computer system, or computer network.
66 (5)(4) “Computer network” means any system that provides
67 communications between one or more computer systems and its
68 input or output devices, including, but not limited to, display
69 terminals and printers that are connected by telecommunication
70 facilities.
71 (6)(5) “Computer program or computer software” means a set
72 of instructions or statements and related data which, when
73 executed in actual or modified form, cause a computer, computer
74 system, or computer network to perform specified functions.
75 “Computer software” means a sequence of instructions written in
76 any programming language that is executed on a computer.
77 “Computer software” does not include a data component of a web
78 page that is not executable independently of the web page.
79 (7)(6) “Computer services” include, but are not limited to,
80 computer time; data processing or storage functions; or other
81 uses of a computer, computer system, or computer network.
82 (8)(7) “Computer system” means a device or collection of
83 devices, including support devices, one or more of which contain
84 computer programs, electronic instructions, or input data and
85 output data, and which perform functions, including, but not
86 limited to, logic, arithmetic, data storage, retrieval,
87 communication, or control. The term does not include calculators
88 that are not programmable and that are not capable of being used
89 in conjunction with external files.
90 (9) “Computer virus” means a computer program or other set
91 of instructions designed to degrade the performance of or
92 disable a computer or computer network and designed to have the
93 ability to replicate itself on other computers or computer
94 networks without the authorization of the owners of those
95 computers or computer networks.
96 (10) “Damage” means any significant impairment to the
97 integrity or availability of data, software, a system, or
98 information.
99 (11)(8) “Data” means a representation of information,
100 knowledge, facts, concepts, computer software, computer
101 programs, or instructions. Data may be in any form, in storage
102 media or stored in the memory of the computer, or in transit or
103 presented on a display device.
104 (12) “Deceptive” means any of the following:
105 (a) A materially false or fraudulent statement.
106 (b) A statement or description that intentionally omits or
107 misrepresents material information in order to deceive an owner
108 or operator of a computer.
109 (c) A material failure to provide a notice to an owner or
110 operator regarding the installation or execution of computer
111 software for the purpose of deceiving the owner or operator.
112 (13) “Execute,” when used with respect to computer
113 software, means the performance of the functions or the carrying
114 out of the instructions of the computer software.
115 (14)(9) “Financial instrument” means any check, draft,
116 money order, certificate of deposit, letter of credit, bill of
117 exchange, credit card, or marketable security.
118 (15)(10) “Intellectual property” means data, including
119 programs.
120 (16) “Internet” means the global information system that is
121 logically linked together by a globally unique address space
122 based on the Internet protocol (IP), or its subsequent
123 extensions, that is able to support communications using the
124 transmission control protocol/Internet protocol (TCP/IP) suite,
125 or its subsequent extensions, or other IP-compatible protocols,
126 and that provides, uses, or makes accessible, publicly or
127 privately, high-level services layered on the communications and
128 related infrastructure described in this chapter.
129 (17) “Owner or operator” means the owner or lessee of a
130 computer, or a person using such computer with the owner or
131 lessee’s authorization, but does not include a person who owned
132 a computer before the first retail sale of the computer.
133 (18) “Message” means a graphical, text, voice, or audible
134 communication presented to an authorized user of a computer.
135 (19) “Person” means any individual, partnership,
136 corporation, limited liability company, or other organization,
137 or any combination thereof.
138 (20) “Personally identifiable information” means any of the
139 following information if it allows the entity holding the
140 information to identify the owner or operator of a computer:
141 (a) The first name or first initial in combination with the
142 last name.
143 (b) A home or other physical address including street name.
144 (c) Personal identification code in conjunction with a
145 password required to access an identified account, other than a
146 password, personal identification number, or other
147 identification number transmitted by an authorized user to the
148 issuer of the account or its agent.
149 (d) Social security number, tax identification number,
150 driver’s license number, passport number, or any other
151 government-issued identification number.
152 (e) Account balance, bank account number, or credit card
153 numbers, overdraft history, or payment history that personally
154 identifies an owner or operator of a computer.
155 (21)(11) “Property” means anything of value as defined in
156 s. 812.011 and includes, but is not limited to, financial
157 instruments, information, including electronically produced data
158 and computer software and programs in either machine-readable or
159 human-readable form, and any other tangible or intangible item
160 of value.
161 Section 2. Section 815.051, Florida Statutes, is created to
162 read:
163 815.051 Prohibitions; use of software.—A person who is not
164 an owner or operator of a computer may not cause computer
165 software to be copied on a computer knowingly, with conscious
166 avoidance of actual knowledge, or willfully, and without
167 authorization, or to use such software to do any of the
168 following:
169 (1) Modify, through deceptive means, settings of a computer
170 which control any of the following:
171 (a) The webpage that appears when an owner or operator
172 launches an Internet browser or similar computer software used
173 to access and navigate the Internet.
174 (b) The default provider or web proxy that an owner or
175 operator uses to access or search the Internet.
176 (c) An owner’s or an operator’s list of bookmarks used to
177 access web pages.
178 (2) Collect, through deceptive means, personally
179 identifiable information through any of the following means:
180 (a) The use of a keystroke-logging function that records
181 all or substantially all keystrokes made by an owner or operator
182 of a computer and transfers that information from the computer
183 to another person.
184 (b) In a manner that correlates personally identifiable
185 information with data regarding all or substantially all of the
186 websites visited by an owner or operator, other than websites
187 operated by the person providing the software, if the computer
188 software was installed in a manner designed to conceal from all
189 authorized users of the computer the fact that the software is
190 being installed.
191 (c) By extracting from the hard drive of an owner’s or an
192 operator’s computer, an owner’s or an operator’s personally
193 identifiable information for a purpose unrelated to any of the
194 purposes of the software or service described to an authorized
195 user.
196 (3) Prevent, through deceptive means, an owner’s or an
197 operator’s reasonable efforts to block the installation of or
198 execution of, or to disable, computer software by causing
199 computer software that the owner or operator has properly
200 removed or disabled to automatically reinstall or reactivate on
201 the computer without the authorization of an authorized user.
202 (4) Deceptively misrepresent that computer software will be
203 uninstalled or disabled by an owner’s or an operator’s action.
204 (5) Through deceptive means, remove, disable, or render
205 inoperative security, antispyware, or antivirus computer
206 software installed on an owner’s or an operator’s computer.
207 (6) Enable the use of an owner’s or an operator’s computer
208 to do any of the following:
209 (a) Access or use a modem or Internet service for the
210 purpose of causing damage to an owner’s or an operator’s
211 computer or causing an owner or operator, or a third party
212 affected by such conduct, to incur financial charges for a
213 service that the owner or operator did not authorize.
214 (b) Open multiple, sequential, or stand-alone messages in
215 an owner’s or an operator’s computer without the authorization
216 of an owner or operator and with knowledge that a reasonable
217 computer user could not close the messages without turning off
218 the computer or closing the software application in which the
219 messages appear; however, this paragraph does not apply to
220 communications originated by the computer’s operating system,
221 originated by a software application that the user chooses to
222 activate, originated by a service provider that the user chooses
223 to use, or presented for any of the purposes described in s.
224 815.06(7).
225 (c) Transmit or relay commercial electronic mail or a
226 computer virus from the computer, if the transmission or
227 relaying is initiated by a person other than the authorized user
228 and without the authorization of an authorized user.
229 (7) Use deceptive means to modify any of the following
230 settings related the computer’s access to, or use of, the
231 Internet:
232 (a) Settings that protect information about an owner or
233 operator for the purpose of obtaining personally identifiable
234 information of the owner or operator.
235 (b) Security settings for the purpose of causing damage to
236 a computer.
237 (c) Settings that protect the computer from the uses
238 identified in subsection (6).
239 (8) Use deceptive means to prevent, without the
240 authorization of an owner or operator, an owner’s or an
241 operator’s reasonable efforts to block the installation of, or
242 to disable, computer software by doing any of the following:
243 (a) Presenting the owner or operator with an option to
244 decline installation of computer software with knowledge that,
245 when the option is selected by the authorized user, the
246 installation nevertheless proceeds.
247 (b) Falsely representing that computer software has been
248 disabled.
249 (c) Requiring in a deceptive manner the user to access the
250 Internet to remove the software with knowledge or reckless
251 disregard of the fact that the software frequently operates in a
252 manner that prevents the user from accessing the Internet.
253 (d) Changing the name, location, or other designation
254 information of the software for the purpose of preventing an
255 authorized user from locating the software in order to remove
256 it.
257 (e) Using randomized or deceptive filenames, directory
258 folders, formats, or registry entries for the purpose of
259 avoiding detection and removal of the software by an authorized
260 user.
261 (f) Causing the installation of software in a particular
262 computer directory or computer memory for the purpose of evading
263 authorized users’ attempts to remove the software from the
264 computer.
265 (g) Requiring, without the authority of the owner of the
266 computer, that an authorized user obtain a special code or
267 download software from a third party in order to uninstall the
268 software.
269 Section 3. Section 815.053, Florida Statutes, is created to
270 read:
271 815.053 Other prohibitions.—A person who is not an owner or
272 operator of a computer may not do any of the following with
273 regard to the computer:
274 (1) Induce an owner or operator to install a computer
275 software component onto the owner’s or operator’s computer by
276 deceptively misrepresenting that installing computer software is
277 necessary for security or privacy reasons or in order to open,
278 view, or play a particular type of content.
279 (2) Using deceptive means to cause the execution of a
280 computer software component with the intent of causing the
281 computer to use such component in a manner that violates any
282 other provision of this chapter.
283 Section 4. Section 815.055, Florida Statutes, is created to
284 read:
285 815.055 Exceptions.—Sections 815.051 and 815.053 do not:
286 (1) Apply to the monitoring of, or interaction with, an
287 owner’s or an operator’s Internet or other network connection,
288 service, or computer by a telecommunications carrier, cable
289 operator, computer hardware or software provider, or provider of
290 information service or interactive computer service for purposes
291 of network or computer security, diagnostics, technical support,
292 maintenance, repair, network management, authorized updates of
293 computer software or system firmware, authorized remote system
294 management, or detection or prevention of the unauthorized use
295 of, or fraudulent or other illegal activities in connection
296 with, a network, service, or computer software, including
297 scanning for and removing computer software proscribed under
298 this chapter.
299 (2) Impose liability on any communications service
300 providers as defined in s. 202.11(2), commercial mobile service
301 providers, or providers of information services, including, but
302 not limited to, Internet access service providers and hosting
303 service providers, if they provide the transmission, storage, or
304 caching of electronic communications or messages of others or
305 provide other related telecommunications, commercial mobile
306 radio service, or information services used by others in
307 violation of this chapter. This exemption from liability is
308 consistent with and in addition to any liability exemption
309 provided under 47 U.S.C. s. 230.
310 (3) Prohibit or criminalize the use of software by parents
311 or guardians to monitor Internet or computer usage of their
312 minor children.
313
314 This section does not provide a defense to liability under the
315 common law or any other state or federal law, and may not be
316 construed to be an affirmative grant of authority to engage in
317 any of the activities listed in this section.
318 Section 5. Section 815.06, Florida Statutes, is amended to
319 read:
320 815.06 Offenses against computer users.—
321 (1) Whoever willfully, knowingly, and without
322 authorization:
323 (a) Accesses or causes to be accessed any computer,
324 computer system, or computer network;
325 (b) Disrupts or denies or causes the denial of computer
326 system services to an authorized user of such computer system
327 services, which, in whole or part, is owned by, under contract
328 to, or operated for, on behalf of, or in conjunction with
329 another;
330 (c) Destroys, takes, injures, or damages equipment or
331 supplies used or intended to be used in a computer, computer
332 system, or computer network;
333 (d) Destroys, injures, or damages any computer, computer
334 system, or computer network; or
335 (e) Violates s. 815.051 or s. 815.053; or
336 (f)(e) Introduces any computer contaminant into any
337 computer, computer system, or computer network,
338
339 commits an offense against computer users.
340 (2)(a) Except as provided in paragraphs (b) and (c),
341 whoever violates subsection (1) commits a felony of the third
342 degree, punishable as provided in s. 775.082, s. 775.083, or s.
343 775.084.
344 (b) Whoever violates subsection (1) and:
345 1. Damages a computer, computer equipment, computer
346 supplies, a computer system, or a computer network, and the
347 monetary damage or loss incurred as a result of the violation is
348 $5,000 or greater;
349 2. Commits the offense for the purpose of devising or
350 executing any scheme or artifice to defraud or obtain property;
351 or
352 3. Interrupts or impairs a governmental operation or public
353 communication, transportation, or supply of water, gas, or other
354 public service,
355
356 commits a felony of the second degree, punishable as provided in
357 s. 775.082, s. 775.083, or s. 775.084.
358 (c) Whoever violates subsection (1) and the violation
359 endangers human life commits a felony of the first degree,
360 punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
361 (3) Whoever willfully, knowingly, and without authorization
362 modifies equipment or supplies used or intended to be used in a
363 computer, computer system, or computer network commits a
364 misdemeanor of the first degree, punishable as provided in s.
365 775.082 or s. 775.083.
366 (4) The Department of Legal Affairs or a state attorney may
367 file a civil action on behalf of the people of this state for
368 injunctive relief against any person or group violating
369 subsection (1) to restrain the prohibited activity. The court
370 may award court costs and reasonable attorney’s fees to the
371 prevailing party. The court may also impose a civil penalty that
372 may not exceed $10,000 for each violation of subsection (1), and
373 the total penalties may not exceed $1 million per defendant.
374 (5)(4)(a) In addition to any other civil remedy available,
375 the owner or lessee of the computer, computer system, computer
376 network, computer program, computer equipment, computer
377 supplies, or computer data may bring a civil action against any
378 person convicted under this section for compensatory damages.
379 (b) In any action brought under this subsection, the court
380 may award reasonable attorney’s fees to the prevailing party.
381 (6)(5) Any computer, computer system, computer network,
382 computer software, or computer data owned by a defendant which
383 is used during the commission of any violation of this section
384 or any computer owned by the defendant which is used as a
385 repository for the storage of software or data obtained in
386 violation of this section is subject to forfeiture as provided
387 under ss. 932.701-932.704.
388 (7)(6) This section does not apply to any person who
389 accesses his or her employer’s computer system, computer
390 network, computer program, or computer data when acting within
391 the scope of his or her lawful employment.
392 (8)(7) For purposes of bringing a civil or criminal action
393 under this section, a person who causes, by any means, the
394 access to a computer, computer system, or computer network in
395 one jurisdiction from another jurisdiction is deemed to have
396 personally accessed the computer, computer system, or computer
397 network in both jurisdictions.
398 Section 6. This act shall take effect July 1, 2009.