Internet crime laws have not kept up with the technological advances. However, according to the Infosec Institute, California led the way in 2005 by being the first state to pass an anti-phishing law.

Now, 22 other states and Guam have similar laws, although as yet, there is no federal law addressing this specific online activity.

What is phishing?

According to California penal code, it refers to specific activities on the internet using targeting emails or webpages. The activity refers to contacting a person and inducing him or her to give identifying information to another who presents the request as if from a business, although without actually having any authority from the company to request the information. If a single action targets many people, it is still considered just one violation.

What is considered identifying information?

A person’s Social Security number is naturally at the top of this list. It could also include unique biometric information such as fingerprints and other physical characteristics. Other information that may be gathered by phishing includes:

  • Bank account, credit card or debit card numbers
  • Account passwords or personal identification numbers
  • Electronic or automated signatures
  • Driver’s license numbers

What are the penalties for a phishing offense?

If a person who provides internet service, or owns a trademark or webpage, presses charges against someone for a violation of the state’s phishing law, he or she may either seek $500,000 or actual damages, whichever is more. An individual may recover up to $5,000. The attorney general or district attorney may also file a lawsuit, and the result could be a civil penalty of as much as $2,500. However, a judge may decide that a person has demonstrated a pattern of this activity and could increase the damages to three times the original recovery amount. The defendant could also be required to pay the plaintiff’s attorney and court fees.