California has passed the country's first antiphishing law, making this form of identity theft punishable by thousands of dollars in fines.
The law, entitled the Anti-Phishing Act of 2005, was proposed by state Senator Kevin Murray, and was signed into law on Friday. It is the first such antiphishing legislation to be enacted in the U.S., according to backers of the bill.
"It's something that adds another tool in the quiver for consumers and businesses to reduce this kind of really bad behavior," said Michael Wendy, a spokesman for the Computing Technology Industry Association, an IT trade association that has supported the law.
Phishing victims are typically sent fraudulent e-mail designed to trick them into revealing personal information, like bank account numbers, user names and passwords.
Under the Anti-Phishing Act, these victims may seek to recover either the cost of the damages they have suffered or US$500,000, whichever is greater; government prosecutors can also seek penalties of up to $2,500 per phishing violation.
While it already may have been possible to prosecute phishers under antifraud laws, the new legislation will make it easier for victims and government to go after phishers, Wendy said.
It may also serve to inspire other legislation, perhaps even at the federal level, he said. "You can't discourage the symbolic purpose of this," he added. "It's a statement to these guys that this is not acceptable behavior."
The new law is unlikely to cut down on phishing, however, at least in the short term, according to Jordan Ritter, chief technology officer with antispam software vendor Cloudmark Inc. However, if the law holds up in court and actually serves to help victims recover damages, phishers may take note, he said.
Ritter agreed that the Anti-Phishing Act also may serve a symbolic purpose. "Anything that raises people's awareness and improves people's education on the extent of the problem... is going to improve things," he said.
Phishing attacks have been on the rise. Research firm Gartner Inc. estimates that 73 million U.S. Internet users received phishing e-mails during the 12 months ended May 2005, up 28 percent from the previous year.