NCSLnet: ASI/AFI Meeting / Del. Plum's Remarks

Spamming: State Legislative Update
Sponsored by the Communications and Information Policy Committee
The National Conference of State Legislatures
Assembly on State Issues, Spring Meeting
Jacksonville, Florida
Saturday, April 10, 1999 / 3:15 p.m-4:15 p.m.
Omni Jacksonville - Florida Ballroom, Salon C

Kenneth R. Plum
Virginia House of Delegates, 36^th District
Chairman, Joint Commission on Technology and Science
Co-chairman, House Committee on Science and Technology
kenplum@aol.com
Virginia General Assembly
Joint Commission on Technology and Science

Virginia's New Anti-Spamming Law-House Bill 1668

House Bill 1668 was signed by the Governor on March 29, 1999, as Chapter 904 of the 1999 Acts of Assembly. The purpose of the bill is to curb a practice known as "spamming," which is broadly defined as sending false, misleading, or unsolicited electronic mail to unsuspecting recipients. Over the past few years, the frustration of consumers and electronic mail service providers has grown proportionately to the intensity and quantity of spam. In July 1998, the Federal Trade Commission released the list of "Dirty Dozen Spam Scams." Culled from a sampling of 250,000 junk e-mail messages forwarded by consumers to the FTC, the list included business opportunity scams, making money by sending spam, chain letters, work-at-home schemes, health and diet scams, easy money promises, getting something free offers, investment opportunities, cable descrambler kits, guaranteed loans or credit on easy terms, credit repair scams, and vacation prize promotions. In an August 1998 press release, America Online reported that 30 percent of the estimated 30 million electronic mail messages that go through AOL daily are spam. House Bill 1668 is designed to relieve consumers and electronic mail service providers from bearing the burden of advertising costs which have been unfairly shifted to them by unscrupulous spammers.

As recommended by the Joint Commission on Technology and Science, introduced House Bill 1668, which I patroned, did not criminalize spam. The original bill created two new statutory causes of civil action: (1) for persons who receive false or misleading commercial electronic mail and (2) for persons who receive unsolicited commercial electronic mail. In the case of false or misleading electronic mail, the original bill would have permitted recipients to sue to enjoin further violations and to recover the greater of (i) actual damages sustained, together with costs and reasonable attorneys' fees, or (ii) $500 per occurrence not to exceed one million dollars. Internet service providers would have been permitted to sue for injunctive relief and to recover the greater of (i) actual damages sustained, together with costs and reasonable attorneys' fees, or (ii) $1,000 per occurrence not to exceed two million dollars. In the case of unsolicited electronic mail, the original bill would have permitted recipients to sue to enjoin further violations and to recover the greater of (i) actual damages sustained, together with costs and reasonable attorneys' fees, or (ii) $500 per occurrence not to exceed one million dollars. If the unsolicited electronic mail was received after the recipient had declined to receive further electronic mail, the original bill would have permitted him to recover $1,000 per occurrence not to exceed two million dollars. The original bill relieved persons who "transmit or cause the transmission" of unsolicited electronic mail from liability if the recipient consented to the receipt of the electronic mail or the electronic mail was readily identifiable as promotional, and other procedures outlined in the bill were followed.

Two other anti-spam bills-House Bill 1714 (Chapter 905 of the 1999 Acts of Assembly) and Senate Bill 881 (Chapter 886 of the 1999 Acts of Assembly)-were introduced during the 1999 Session. The genesis of these identical measures was a recommendation of the Governor's Blue Ribbon Commission on Information Technology made in early December 1998. As introduced, these bills implemented the Administration's view that spam should be criminalized. The legislation would have redefined "computer services" for the purposes of the Virginia Computer Crimes Act to include Internet service providers' networks and facilities located in Virginia. The bills also would have added the following to the list of those acts constituting use "without authority" or "computer trespass" under the Virginia Computer Crimes Act: (i) using an Internet service e-mail system offered by a Virginia-based Internet service provider in contravention of the authority granted by or in violation of the policies set by the Internet service provider; (ii) falsifying e-mail header information in connection with, or becoming a subscriber of an Internet service provider in order to obtain e-mail addresses for the purpose of, the transmission of unsolicited bulk e-mail; and (iii) selling or distributing software which makes possible the transmission of false e-mail with the intent to facilitate the transmission of false e-mail. House Bills 1714 and Senate Bill 881 would have provided for statutory damages of at least $500 per violation or actual damages, whichever is greater, for civil actions brought pursuant to the Virginia Computer Crimes Act, which that act has always provided for.

The legislative process being what it is, none of these three bills as passed by the General Assembly looks very much like it did in its introduced version. House Bill 1668, House Bill 1714, and Senate Bill 881 are now identical to each other. There has been much ballyhoo in the press and elsewhere that the measures outlaw spam in Virginia. I'm here to tell you that is only partly true. The bills outlaw SOME spam-now defined as "unsolicited bulk electronic mail"-but not all of it. If you'll permit me, I'd like to walk you through how Virginia's new anti-spam law works.

PLEASE REFER TO ENROLLED HOUSE BILL 1668 ATTACHED.

Page 1, Lines 46-48: This new language amends Virginia's long-arm statute to provide that using a computer or computer network located in Virginia constitutes an act in Virginia for purposes of obtaining personal jurisdiction over an out-of-state spammer. The definitions of the terms "use" and "computer network" in the long-arm statute are tied to those provided in the Virginia Computer Crimes Act.

Page 2, Lines 28-29: These amendments expand the definition of "computer services" in the Virginia Computer Crimes Act.

Page 2, Lines 34-36: This new language provides a definition for "electronic mail service provider" in the Virginia Computer Crimes Act.

Page 3, Lines 7-11: This new language expands the definition of "without authority" in the Virginia Computer Crimes Act to include uses in contravention of an electronic mail service provider's policies. Electronic mail sent by an organization to its members is specifically excluded from consideration as unsolicited bulk electronic mail in this section.

Page 3, Lines 24-26: This new language adds the seventh method by which a person can commit the crime of computer trespass in Virginia, i.e., by falsifying or forging electronic mail transmission information in connection with unsolicited bulk electronic mail. Like the other six methods of committing a computer trespass, this method is punishable as a Class 3 misdemeanor, which is a fine up to $500.

Page 3, Lines 27-34: This new language also makes it the crime of computer trespass in Virginia to knowingly sell, give, distribute, or possess software whose principal purpose is to facilitate unsolicited bulk electronic mail.

Page 3, Lines 43-46: Within the Virginia Computer Crimes Act, this new language is intended to relieve electronic mail service providers from liability for actions they take to prevent unsolicited bulk email.

Page 3, Lines 51-54 and continuing on Page 4, Lines 1-2: This new language in the civil relief section of the Virginia Computer Crimes Act provides civil relief to an injured person, other than an electronic mail service provider, for actual damages or the lesser of $10 for each unsolicited bulk electronic mail message or $25,000 per day. The section provides that the injured person shall not have a cause of action against an electronic mail service provider which merely transmits the electronic mail message. This is the section under which an injured consumer make seek civil relief.

Page 4, Lines 3-6: This new language in the civil relief section of the Virginia Computer Crimes Act provides civil relief to an injured electronic mail service provider for actual damages or the greater of $10 for each unsolicited bulk electronic mail message or $25,000 per day.

Page 4, Lines 15-16: This new language in the civil relief section of the Virginia Computer Crimes Act cross-references Virginia's long-arm statute to help ensure the establishment of personal jurisdiction over spammers in Virginia's courts.

If you are contemplating anti-spamming legislation in your state, let me suggest a few issues for your consideration:

Should spamming be criminalized? Should only civil relief be provided? Or, should a combination of both civil and criminal relief be provided, as Virginia has done?
Should spammers be held strictly liable for spam in civil actions? In Virginia, we chose to require that the erstwhile plaintiff-be it a consumer or an electronic mail service provider-must sustain an injury arising from the transmission of unsolicited bulk electronic mail to proceed with his case. In other words, if there is no injury, there is no civil case.
Where should anti-spamming legislation be housed in your state's code? In Virginia, our Computer Crimes Act provided a convenient structure and organization. In other states, your consumer protection laws may provide the best placement for anti-spamming measures.
How does an anti-spamming law effectively establish jurisdiction over an out-of-state spammer? Despite our best efforts to draft Virginia's statute as tightly as we could on that issue, I expect jurisdictional challenges to be raised by out-of-state spammers in both civil and criminal cases.
Is it better to purposefully leave "bulk" as an undefined term in an anti-spamming statute or to set some arbitrary number that establishes a bright line for the courts? There are three reasons why we chose to leave "bulk" undefined:

"Bulk" for a large electronic mail service provider like America Online may be a much larger number of electronic mail messages than for Joe's Internet Service. For all practical purposes, "bulk" is probably reached at the point when injury occurs-e.g., servers crash or service is interrupted or stopped. Theoretically, the number of electronic mail messages that define that point is different for every electronic mail service provider and becomes a question of fact for the court.
Once a number-like 10,000-is inserted into the statute, spammers will send out 9,999 messages.
"Bulk" appears as an undefined term throughout the Code of Virginia, especially in the commercial code provisions.

What is the best way to deal with damages? Damages must be set high enough to deter spammers and not be just another cost of doing business, yet not be so high that collection is impractical. To strike a balance between these competing policies, Virginia's innovative approach is to cap damages at $25,000 per day or $10 per message. Injured plaintiffs who are not electronic mail service providers-like individual consumers-can recover the lesser of those sums or actual damages, whichever is greater. Injured electronic mail service providers can recover the greater of those sums, or actual damages.

I'd be happy to answer any questions. Thank you.

Information Policy, Technology, and Communications
ASI Communications and Information Policy Committee
Y2K Home

Visits to this page.