California’s governor signed a new anti-phishing bill into law on September 30, 2005. The law “makes it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business” (quoted from Information Week). This law establishes a general rule for penalties in phishing cases: the government can fine convicted phishers up to $2,500 per violation, while victims can pursue either actual damages or up to $500,000 per violation (whichever is greater).
Phishing is still a growing problem, according to an earlier PC World article and groups such as the Anti-Phishing Working Group. Gartner research indicates that “between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million” (quoted from a CSO Online discussion). Clearly the problem is real and growing, but it remains to be seen whether legislative efforts like the new California law will have any substantial effect. A PC World article notes that the new law may have a symbolic effect in raising awareness of the issue, and could have real impact starting with the first few phishers who are actually convicted and fined under the law’s provisions.