SB3036 Engrossed LRB094 18891 LJB 54335 b

1     AN ACT concerning business.
 
2     Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
 
4     Section 1. Short title. This Act may be cited as the
5 Consumer Protection Against Computer Spyware Act.
 
6     Section 5. Definitions. In this Act:
7     "Advertisement" means a communication that includes the
8 promotion of a commercial product or service, including
9 communication on an Internet website operated for a commercial
10 purpose.
11     "Cause computer software to be copied" means to distribute
12 or transfer computer software or a component of computer
13 software. The term does not include:
14         (1) the transmission or routing of computer software or
15     a component of the software;
16         (2) the provision of intermediate temporary storage or
17     caching of software;
18         (3) the provision of a storage medium, such as a
19     compact disk;
20         (4) a website;
21         (5) the distribution of computer software by a third
22     party through a computer server; or
23         (6) the provision of an information location tool, such
24     as a directory, index, reference, pointer, or hypertext
25     link, through which the user of a computer is able to
26     locate computer software.
27     "Computer software" means a sequence of instructions
28 written in a programming language that is executed on a
29 computer. The term does not include:
30         (1) a web page; or
31         (2) a data component of a web page that cannot be
32     executed independently of that page.
1     "Damage" means, with respect to a computer, significant
2 impairment to the integrity or availability of data, computer
3 software, a system, or information.
4     "Execute" means, with respect to computer software, to
5 perform a function or carry out instructions.
6     "Keystroke-logging function" means a function of a
7 computer software program that records all keystrokes made by a
8 person using a computer and transfers that information from the
9 computer to another person.
10     "Owner or operator of a computer" means the owner or lessee
11 of a computer or an individual using a computer with the
12 authorization of the owner or lessee of the computer. "Owner or
13 operator of a computer" does not include the person who owned
14 the computer before the date on which the computer was sold if
15 a computer was sold at retail.
16     "Person" means any individual, partnership, corporation,
17 limited liability company, or other organization or a
18 combination of those organizations.
19     "Personally identifiable information", with respect to an
20 individual who is the owner or operator of a computer, means:
21         (1) the first name or first initial in combination with
22     the last name;
23         (2) a home or other physical address, including street
24     name;
25         (3) an electronic mail address;
26         (4) a credit or debit card number;
27         (5) a bank account number;
28         (6) a password or access code associated with a credit
29     or debit card or bank account;
30         (7) a social security number, tax identification
31     number, driver's license number, passport number, or other
32     government-issued identification number; or
33         (8) any of the following information if the information
34     alone or in combination with other information personally
35     identifies the individual:
36             (A) account balances;
1             (B) overdraft history; or
2             (C) payment history.
 
3     Section 10. Applicability of Act.
4     (a) Section 20, other than subdivision (1) of that Section,
5 and Sections 25 and 35 do not apply to a telecommunications
6 carrier, cable operator, computer hardware or software
7 provider, or provider of information service or interactive
8 computer service that monitors or has interaction with a
9 subscriber's Internet or other network connection or service or
10 a protected computer for the following:
11         (1) network or computer security purposes;
12         (2) diagnostics, technical support, or repair
13     purposes;
14         (3) authorized updates of computer software or system
15     firmware;
16         (4) authorized remote system management; or
17         (5) detection or prevention of unauthorized use of or
18     fraudulent or other illegal activities in connection with a
19     network, service, or computer software, including scanning
20     for and removing software proscribed under this Act.
21     (b) This Act does not apply to the following:
22         (1) the use of a navigation device, any interaction
23     with a navigation device, or the installation or use of
24     computer software on a navigation device by a multichannel
25     video programming distributor or video programmer in
26     connection with the provision of multichannel video
27     programming or other services offered over a multichannel
28     video programming system if the provision of the
29     programming or other service is subject to 47 U.S.C.
30     Section 338(i) or 551; or
31         (2) the collection or disclosure of subscriber
32     information by a multichannel video programming
33     distributor or video programmer in connection with the
34     provision of multichannel video programming or other
35     services offered over a multichannel video programming
1     system if the collection or disclosure of the information
2     is subject to 47 U.S.C. Section 338(i) or 551.
3     (c) In this Section, "multichannel video programming
4 distributor" has the meaning assigned by 47 U.S.C. Section
5 522(13).
6     (d) A manufacturer or retailer of computer equipment shall
7 not be liable under this Act to the extent that the
8 manufacturer or retailer is providing third-party branded
9 software loaded on the equipment they are manufacturing or
10 selling.
 
11     Section 15. Unauthorized collection or culling of
12 personally identifiable information. If a person is not the
13 owner or operator of the computer, the person may not knowingly
14 cause computer software to be copied to a computer in this
15 State and use the software to do any of the following:
16         (1) collect, through intentionally deceptive means:
17             (A) personally identifiable information by using a
18         keystroke-logging function; or
19             (B) personally identifiable information in a
20         manner that correlates that information with
21         information regarding all or substantially all of the
22         websites visited by the owner or operator of the
23         computer, other than websites operated by the person
24         collecting the information; or
25         (2) gather, through intentionally deceptive means, the
26     following kinds of personally identifiable information
27     from the consumer's computer hard drive for a purpose
28     wholly unrelated to any of the purposes of the software or
29     service described to an owner or operator of the computer:
30             (A) a credit or debit card number;
31             (B) a bank account number;
32             (C) a password or access code associated with a
33         credit or debit card number or a bank account;
34             (D) a social security number;
35             (E) account balances; or
1             (F) overdraft history.
 
2     Section 20. Unauthorized access to or modifications of
3 computer settings; computer damage. If a person is not the
4 owner or operator of the computer, the person may not knowingly
5 cause computer software to be copied to a computer in this
6 State and use the software to do any of the following:
7         (1) Modify, through intentionally deceptive means, a
8     setting that controls:
9             (A) the page that appears when an Internet browser
10         or a similar software program is launched to access and
11         navigate the Internet;
12             (B) the default provider or web proxy used to
13         access or search the Internet; or
14             (C) a list of bookmarks used to access web pages.
15         (2) Take control of the computer by:
16             (A) accessing or using the computer's modem or
17         Internet service to:
18                 (i) cause damage to the computer;
19                 (ii) cause the owner or operator of the
20             computer to incur financial charges for a service
21             not previously authorized by the owner or
22             operator; or
23                 (iii) cause a third party affected by the
24             conduct to incur financial charges for a service
25             not previously authorized by the third party; or
26             (B) opening, without the consent of the owner or
27         operator of the computer, an advertisement that:
28                 (i) is in the owner's or operator's Internet
29             browser in a multiple, sequential, or stand-alone
30             form; and
31                 (ii) cannot be closed by an ordinarily
32             reasonable person using the computer without
33             closing the browser or shutting down the computer.
34         (3) Modify settings on the computer that relate to
35     access to or use of the Internet and protection of
1     information for purposes of stealing personally
2     identifiable information of the owner or operator of the
3     computer.
4         (4) Modify security settings on the computer relating
5     to access to or use of the Internet for purposes of causing
6     damage to one or more computers.
 
7     Section 25. Unauthorized interference with installation or
8 disabling of computer software. If a person is not the owner or
9 operator of the computer, the person may not knowingly cause
10 computer software to be copied to a computer in this State and
11 use the software to do any of the following:
12         (1) Prevent, through intentionally deceptive means,
13     reasonable efforts of the owner or operator of the computer
14     to block the installation or execution of or to disable
15     computer software by causing computer software that the
16     owner or operator has properly removed or disabled to
17     automatically reinstall or reactivate on the computer.
18         (2) Intentionally misrepresent to another that
19     computer software will be uninstalled or disabled by the
20     actions of the owner or operator of the computer.
21         (3) Remove, disable, or render inoperative, through
22     intentionally deceptive means, security, antispyware, or
23     antivirus computer software installed on the computer.
24         (4) Prevent the owner's or operator's reasonable
25     efforts to block the installation of or to disable computer
26     software by:
27             (A) presenting the owner or operator with an option
28         to decline the installation of software knowing that,
29         when the option is selected, the installation process
30         will continue to proceed; or
31             (B) misrepresenting that software has been
32         disabled.
33         (5) Change the name, location, or other designation of
34     computer software to prevent the owner from locating and
35     removing the software.
1         (6) Create randomized or intentionally deceptive file
2     names or random or intentionally deceptive directory
3     folders, formats, or registry entries to avoid detection
4     and prevent the owner from removing computer software.
 
5     Section 30. Knowing violation. A person knowingly violates
6 Section 15, 20, or 25 if the person does either of the
7 following:
8         (1) acts with actual knowledge of the facts that
9     constitute the violation; or
10         (2) consciously avoids information that would
11     establish actual knowledge of those facts.
 
12     Section 35. Other prohibited conduct. If a person is not
13 the owner or operator of the computer, the person may not do
14 any of the following:
15         (1) induce the owner or operator of a computer in this
16     State to install a computer software component to the
17     computer by intentionally misrepresenting the extent to
18     which the installation is necessary for security or privacy
19     reasons, to open or view text, or to play a particular type
20     of musical or other content; or
21         (2) copy and execute or cause the copying and execution
22     of a computer software component to a computer in this
23     State in a deceptive manner with the intent of causing the
24     owner or operator of the computer to use the component in a
25     manner that violates this Act.
 
26     Section 40. Deceptive act or omission. For purposes of this
27 Act, a person is considered to have acted through intentionally
28 deceptive means if the person, with the intent to deceive an
29 owner or operator of a computer does any of the following:
30         (1) intentionally makes a materially false or
31     fraudulent statement;
32         (2) intentionally makes a statement or uses a
33     description that omits or misrepresents material
1     information; or
2         (3) intentionally and materially fails to provide to
3     the owner or operator any notice regarding the installation
4     or execution of computer software.
 
5     Section 45. Civil remedy.
6     (a) The following persons, if adversely affected by the
7 violation, may bring a civil action against a person who
8 violates this Act:
9         (1) a provider of computer hardware or software;
10         (2) an owner of a web page or trademark;
11         (3) a telecommunications carrier;
12         (4) a cable operator; or
13         (5) an Internet service provider.
14     (b) In addition to any other remedy provided by law and
15 except as provided by subsection (g) of this Section, a person
16 bringing an action under this Section may:
17         (1) seek injunctive relief to restrain the violator
18     from continuing the violation;
19         (2) recover damages in an amount equal to the greater
20     of:
21             (A) actual damages arising from the violation; or
22             (B) $100,000 for each violation of the same nature;
23         or
24         (3) both seek injunctive relief and recover damages as
25     provided by this subsection (b).
26     (c) The circuit court may increase an award of actual
27 damages in an action brought under subsection (b) to an amount
28 not to exceed 3 times the actual damages sustained if the court
29 finds that the violations have occurred with a frequency as to
30 constitute a pattern or practice.
31     (d) A plaintiff who prevails in an action filed under
32 subsection (b) is entitled to recover reasonable attorney's
33 fees and court costs.
34     (e) Each separate violation of this Act is an actionable
35 violation.
1     (f) For purposes of subsection (b), violations are of the
2 same nature if the violations consist of the same course of
3 conduct or action, regardless of the number of times the
4 conduct or act occurred.
5     (g) In the case of a violation of Section 20 that causes a
6 telecommunications carrier or cable operator to incur costs for
7 the origination, transportation, or termination of a call
8 triggered using the modem of a customer of the
9 telecommunications carrier or cable operator as a result of the
10 violation and in addition to any other remedy provided by law,
11 a telecommunications carrier or cable operator bringing an
12 action under this Section may:
13         (1) apply to a court for an order to enjoin the
14     violation;
15         (2) recover the charges the telecommunications carrier
16     or cable operator is obligated to pay to a
17     telecommunications carrier, a cable operator, an other
18     provider of transmission capability, or an information
19     service provider as a result of the violation, including
20     charges for the origination, transportation, or
21     termination of the call;
22         (3) recover the costs of handling customer inquiries or
23     complaints with respect to amounts billed for calls as a
24     result of the violation;
25         (4) recover other costs, including court costs, and
26     reasonable attorney's fees; or
27         (5) both apply for injunctive relief and recover
28     charges and other costs as provided by this subsection (g).
 
29     Section 50. Civil penalty; injunction.
30     (a) A person who violates this Act is liable to the State
31 for a civil penalty in an amount not to exceed $100,000 for
32 each violation. The Attorney General may bring suit to recover
33 the civil penalty imposed by this subsection (a).
34     (b) If it appears to the Attorney General that a person is
35 engaging in, has engaged in, or is about to engage in conduct
1 that violates this Act, the Attorney General may bring an
2 action in the name of this State against the person to restrain
3 the violation by a temporary restraining order or a permanent
4 or temporary injunction.
5     (c) The Attorney General is entitled to recover reasonable
6 expenses incurred in obtaining injunctive relief, civil
7 penalties, or both under this Section, including reasonable
8 attorney's fees and court costs.