California’s Anti-Phishing Law of 2005

Citation: California’s Anti-Phishing Law of 2005, Cal. Bus. & Prof. Code §§22948-22948.3.

The State of California enacted the first U.S. law making Internet phishing a criminal offense. Under California’s Anti-Phishing Law of 2005, victims of such schemes can seek recovery of their actual damages or $500,000 for each violation, whichever is greater. The law targets any attempt to “solicit, request, or take any action to induce another person” to divulge via “a Web page, electronic mail message or any other electronic means” any personal information, “by representing itself to be a business without the approval or authority of the business.”

The law protects such sensitive data as bank account numbers, driver’s license records, and Social Security numbers. It covers a broad range of electronic means of communication including electronic signatures, account passwords, unique biometric data and “any other piece of information that can be used to access an individual’s financial accounts or to obtain goods or services.”

One of the early criticisms of the law was that since the perpetrators are often outside of California, or even outside the United States, it may prove ineffective in deterring the phishing, which tends to be far more global in nature.