• Mission & Governance
• Services Overview
• How to Get Involved
• Standing Committees
• NCSL Foundation

• Issue Areas: A-Z
• State-Federal Relations
• NCSL Standing Committees
• News from D.C. and the States

• About State Legislatures
• Elections, Campaigns & Redistricting
• NCSL's StateConnect Directory
• Web Sites

• Online Guide to NCSL Services
• Staff Sections and Networks
• Meetings & Professional Development
• Staff Directories

• Meetings Calendar
• Online Registration
• Meetings Home Page
• Legislative Summit

• Bookstore
• State Legislatures Magazine
• NCSL's StateConnect Directory

2005 State Legislation Relating to "Phishing*"

As of December 27, 2005

Phishing is a scam where fraudsters send spam or popup messages to lure personal or financial information from unsuspecting victims.  (See OnGuardOnline.gov for practical tips from the federal government and private industry to help guard against Internet fraud).

Summary: Bills were introduced in at least 15 states in 2005; enacted in at least 10 states.

ARIZONA
S.B. 1447
04/18/05 Signed by Governor, Chapter 114
Prohibits the solicitation of an individual’s identifying information via a web page or e-mail by a person representing they are an on-line business who has not been approved to do so by the business they are representing and establishes civil penalties and damages.

ARKANSAS
H.B. 2904
04/15/05 Signed by Governor, Act 2255
Prohibits specified uses of computer spyware; prohibits phishing, brand spoofing or carding. 

CALIFORNIA
S.B. 355
09/30/05 Signed by Governor, Chapter 437
Makes it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be an online business without the approval or authority of the online business. The bill would enact certain civil remedies.

COLORADO
H.B. 1347
06/01/05 Signed by Governor
Concerns criminal penalties for the use of electronic devices for the purpose of identity theft.

FLORIDA
S.B. 2162
05/06/05 Senate. Died in Committee on Commerce and Consumer Services; 05/06/05 Legislature adjourned
Prohibits a person or business entity from using Internet to solicit, request, or take any action to induce computer user to provide personal identification  information by fraudulently representing that person or business is  on-line business; prohibits business entity or person who is not authorized user of computer from committing certain specified deceptive acts or practices that involve computer.

HAWAII
S.B. 1170
05/19/2005 Signed by Governor, Act 65
Establishes a Hawaii anti-phishing task force to curtail electronic commerce-based criminal activities. Requires the task force to submit a report and make recommendations prior to the 2006 regular session.

MASSACHUSETTS
S.B. 192
01/26/05 S Referred to the committee on Consumer Protection and Professional Licensure
Amends the identity theft law to include attempts to solicit or obtain from another person personal identifying information by false pretense; trick, scheme or artifice to intentionally deceive or mislead another person in a material manner; or by willfully making a materially false, fictitious or deceptive statement or communication, whether by oral, written, electronic mail, internet site or any other means, with the intent to defraud.

MINNESOTA
H.F. 1
06/02/05, Signed by Governor, Chapter 136
Prohibits a person, with intent to obtain another's identity, from using false pretense in an e-mail, Web page, or any other Internet communication. This offense is punishable by five years imprisonment and/or a $10,000 fine. In prosecution under this section, it is not a defense that the person did not obtain or use another's identity, nor is it a defense that the crime did not result in a loss to any person.

H.F. 243
01/13/05 Referred to House Committee Public Safety Policy and Finance; 05/23/05 Legislature adjourned
Prohibits using a false pretense in an e-mail to obtain the identity of another. Imposes penalties.

S.F. 336
03/03/05 Referred to House Committee on Public Safety; 05/23/05 Legislature adjourned
Prohibits using a false pretense in an e-mail to obtain the identity of another. Imposes penalties.

S.F. 2273
05/04/05 Substituted as H.F. 1
Relates to criminal justice; appropriates money for the courts, public defenders, public safety, corrections, and other criminal justice agencies; establishes funding, modifying, and regulating public safety, criminal justice, judiciary, law enforcement, corrections, crime victims, and CriMNet policies, programs, duties, activities, or practices.

NEW MEXICO
S.B. 720
04/07/05 Signed by Governor, Chapter 296
Amends the existing identity theft statute to include the new crime of obtaining identity by electronic fraud. Obtaining information by electronic fraud (commonly known as phishing) is defined as using an e-mail web site or other means of electronic communication to obtain personal information by false pretenses. This new crime is a fourth degree felony. This act also adds a section giving a civil remedy for victims of ID theft or fraud.

NEW YORK
A.B. 8025 / S.B. 5370
06/21/05 Passed Assembly; 06/24/2005 Recommitted to Rules
Enacts the Anti-Phishing Act of 2005, prohibiting the misuse of the internet to obtain identifying information by misrepresenting oneself as an online business; authorizes the Attorney General, internet service providers, and those owning a web page or trademark, who are adversely affected by such conduct to bring an action for injunctive relief and damages.

PENNSYLVANIA
H.B. 2292
12/05/05 Referred to Commerce
Provides for the protection of consumers from phishing and for criminal and civil enforcement.

RHODE ISLAND
H.B. 6232
05/12/05 Passed House; 05/18/2005 Referred to Senate Judiciary; 07/01/05 Legislature adjourned
Provides protection to consumers from electronic mail fraud.

TEXAS
H.B. 1098
06/17/2005 Signed by Governor, Chapter 544
Relating to using the Internet to obtain identifying information of another person for a fraudulent purpose; providing penalties.

VIRGINIA
H.B. 2471
03/26/05 Signed by Governor, Chapter 827
Adds as a new Class 6 felony using a computer to fraudulently gather identifying information of another (phishing), unless the information is sold or distributed to another or the information is used in the commission of another crime, in which case it is a Class 5 felony.

H.B. 2304
01/31/05 House: Incorporated by C. J. (H.B. 2631-Bell—Tabled)
Legislature's regular session adjourned
Computer crimes; phishing; penalty.  Makes it a Class 6 felony to fraudulently obtain, record, or access from a computer the following identifying information of another: (i) social security number; (ii) driver's license number; (iii) bank account numbers; (iv) credit or debit card numbers; (v) personal identification numbers (PIN); (vi) electronic identification codes; (vii) automated or electronic signatures; (viii) biometric data; (ix) fingerprints; (x) passwords; or (xi) any other numbers or information that can be used to access a person's financial resources, obtain identification, act as identification, or obtain goods or services. Any person who sells or distributes such information or uses it to commit another crime is guilty of a Class 5 felony.

H.B. 2631
04/04/05 Signed by Governor, Chapter 837
Revises provisions in the Virginia Computer Crimes Act relating to computer fraud and redefines computer invasion of privacy by including the unauthorized gathering of identifying information and punishes subsequent offenses and transferring the information to another or use of the information in the commission of another crime as a Class 6 felony. Currently, the offense is punishable as a Class 1 misdemeanor. Additionally, the fraudulent gathering of such information is punished as a Class 6 felony, a new crime, and transferring the information to another or use of the information in the commission of another crime is a Class 5 felony.

S.B. 1147
03/26/05 Signed by Governor, Chapter 760
Computer crimes; phishing; penalty.  Makes it a Class 6 felony to fraudulently obtain, record, or access from a computer the following identifying information of another: (i) social security number; (ii) driver's license number; (iii) bank account numbers; (iv) credit or debit card numbers; (v) personal identification numbers (PIN); (vi) electronic identification codes; (vii) automated or electronic signatures; (viii) biometric data; (ix) fingerprints; (x) passwords; or (xi) any other numbers or information that can be used to access a person's financial resources, obtain identification, act as identification, or obtain goods or services. Any person who sells or distributes such information or uses it to commit another crime is guilty of a Class 5 felony.

S.B. 1163
3/26/05 Signed by Governor, Chapter 761
Updates the Virginia Computer Crimes Act to include recommendations made by the 2004 joint study on Computer Crimes by the Joint Commission on Technology and Science and Virginia State Crime Commission.  Modernizes definitions of "computer", "using a computer" and "without authority" to comport with changing technology.  Revises provisions regarding computer trespass, a Class 1 misdemeanor, unless the damage to the property of another is $1,000 ($2,500 under current law) or more, in which case it is a Class 6 felony.  Provisions regarding computer invasion of privacy are rewritten to include unauthorized gathering of identifying information and Class 6 penalties added for persons with previous convictions, selling or distributing the information to another or using the information in the commission of another crime.  Adds as a new Class 6 felony using a computer to fraudulently gather identifying information of another (phishing), unless the information is sold or distributed to another or the information is used in the commission of another crime, in which case it is a Class 5 felony. Statute of limitation and venue provisions are relocated in the Code.

WASHINGTON
HB 1888
5/10/05 Signed by Governor, Chapter 378
Provides that no person may solicit, request, or take any action to induce another person to provide personally identifying information by means of a web page, electronic mail message, or otherwise using the internet by representing oneself, either directly or by implication, to be a business or individual without the authority or approval of such business or individual.  Provides that damages to a consumer resulting from the practices prohibited by this act are up to five hundred dollars per violation, or actual damages, whichever is greater.

* Represents only legislation that specifically addresses "phishing."  Additional states may be considering legislation that addresses fraudulent or deceptive actions involving the Internet and e-mail or identity theft legislation that could apply to phishing schemes. 

 Return to Electronic/Internet Privacy: State Actions