N.Y.
General Business Law Section 390-B
Anti-phishing act of 2006
1.
This section shall be known as and may be cited as the “anti-phishing act of 2006”.2.
For purposes of this section, the following terms shall have the following meanings:(a)
The term “electronic message” means a message sent or posted to a unique destination, commonly expressed as a string of characters, consisting of a unique user name or mailbox (commonly referred to as the “local part”) and a reference to an internet domain (commonly referred to as the “domain part”), whether or not displayed, to which an electronic message can be sent, delivered or posted.(b)
The term “identifying information” means an individual’s (1) social security number;(2)
driver’s license number;(3)
bank account number;(4)
credit or debit card number;(5)
personal identification number (PIN);(6)
automated or electronic signature;(7)
unique biometric data;(8)
account passwords; or(9)
any other piece of information that can be used to access an individual’s financial accounts or to obtain goods or services.(c)
The term “internet” means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the transmission control protocol/internet protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.(d)
The term “web page” means a location, with respect to the world wide web, that has a single uniform resource locator or other single location with respect to the internet.3.
It is unlawful for any person, by means of a web page, electronic message, or other use of the internet to solicit, request or collect identifying information by deceptively representing himself or herself, either directly or by implication, to be a business or a governmental entity and doing so without the authority or approval of such business or such governmental entity.4.
(a) The attorney general, or any person who either is engaged in the business of providing internet access service to the public or owns a web page or trademark and who is adversely affected by reason of a violation of the provisions of subdivision three of this section, may bring an action against a person who violates the provisions of subdivision three of this section:(1)
to enjoin further violation of the provisions of subdivision three of this section; and(2)
to recover the greater of: (A) actual damages; or (B) one thousand dollars for each instance in which identifying information is solicited, requested or collected from a person in violation of the provisions of subdivision three of this section.(b)
In an action under paragraph (a) of this subdivision, a court may:(1)
increase the damages up to three times the damages allowed by paragraph (a) of this subdivision where the defendant has been found to have engaged in a pattern and practice of violating the provisions of subdivision three of this section; and(2)
award costs and reasonable attorney’s fees to a prevailing party.5.
Nothing in this section shall in any way limit rights or remedies which are otherwise available under law to the attorney general or any other person authorized to bring an action under subdivision four of this section.
Source:
Section 390-B — Anti-phishing act of 2006, https://www.nysenate.gov/legislation/laws/GBS/390-B
(updated Sep. 22, 2014; accessed Oct. 26, 2024).