Online “Phishing” Scams and Identity Theft

(A version of this article appears in Bright Ideas, Spring, 2005, a publication of the Intellectual Property Law Section of the New York State Bar Association as the “Message From The Chair”)

by: Richard L. Ravin, Esq.*

We must all be on guard for “phishers” who will assume the identity of a trusted or a legitimate entity and then ask the victim to divulge personal identifiable information. The term “phisher” applies to a cyber con artist who casts a wide “fishing net” in the form of spam, in the hopes of catching a small percentage of victims (not to be confused with the term “pisher”, which is a Yiddish word meaning “a young squirt” or someone of no consequence).

In a typical phishing scam, an e-mail directs the recipient to visit a Web site where he or she is urged to update personal information due to some fictitious problem. The recipient is asked to provide various personal information such as user names, passwords, credit card account numbers, bank account numbers, or Social Security numbers that the legitimate organization would already have. These bogus Web sites have the “look and feel” of the authentic Web site. The bogus Web site is created and designed exclusively for the purpose of stealing the personal identifiable information of its victims. In order to pull off the scam, the phisher uses the trademarks of legitimate organizations to fool its victims. Phishing is also known as brand or trademark “spoofing”.

Phishers often make the links in their e-mails appear to be pointing to legitimate URLs, but the actual URL (appearing in the Web browser after clicking on the link) may in fact be slightly different from the legitimate URL, such as “www.msnbilling.com” in a phishing scam against MSN, or “www.paypalsys.com” in a spoof against PayPal. eBay, one of the more popular phishing targets, has recently announced that it is working to fix a software bug that permits phishers to use an eBay URL to trick people into visiting a fraudulent Web site. Apart from the use of e-mail, phishers can also cast their “phishing nets” via viruses and worms, which cause pop-up ads asking for personal data.
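As an added illustration (not part of the original article), the following Python script takes a defender's view of the two tell-tale signs described above: link text that displays one host while the href actually points to another, and a host that merely embeds a trusted brand name (as in the “msnbilling.com” and “paypalsys.com” examples) without being the brand's own domain. The brand-to-domain table, the sample e-mail body and the regex-based anchor extraction are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed for illustration: brand keyword -> domains the brand actually uses.
TRUSTED_DOMAINS = {"paypal": {"paypal.com"}, "msn": {"msn.com"}, "ebay": {"ebay.com"}}

# Simplified anchor extraction (assumes double-quoted href; a real filter would use an HTML parser).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text):
    """Host of a URL, or of bare 'www.example.com' link text; '' if none."""
    text = text.strip()
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def registrable_domain(host):
    """Last two labels, e.g. www.paypalsys.com -> paypalsys.com (no public-suffix list offline)."""
    return ".".join(host.split(".")[-2:])

def suspicious_links(html):
    """Return [(href, reason)] for anchors showing either phishing indicator."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        actual = host_of(href)
        if not actual:
            continue
        # Indicator 1: the visible link text is itself a URL but names a different host.
        shown = host_of(text) if text.strip().lower().startswith(("http://", "https://", "www.")) else ""
        if shown and registrable_domain(shown) != registrable_domain(actual):
            findings.append((href, f"displayed host {shown} differs from actual host {actual}"))
            continue
        # Indicator 2: the host embeds a brand name yet is not one of that brand's own domains.
        for brand, domains in TRUSTED_DOMAINS.items():
            if brand in actual and registrable_domain(actual) not in domains:
                findings.append((href, f"lookalike of {brand}: {actual}"))
                break
    return findings

# Constructed sample e-mail body for illustration.
SAMPLE_EMAIL = (
    '<p>Please visit <a href="http://www.paypalsys.com/update">https://www.paypal.com/</a> '
    'to confirm your account.</p>'
    '<p><a href="http://www.msnbilling.com/">Update your billing information</a></p>'
    '<p><a href="https://www.paypal.com/help">PayPal Help</a></p>'
)

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", reason)
```

The third anchor points at the brand's own domain and is left alone, which is the check a mail filter needs so that legitimate notices are not flagged.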

Besides the obvious Lanham Act violations which may be associated with such conduct, such as false designation of origin (§43(a)), infringement of a registered mark (§32(1)), and anticybersquatting (§43(d)), [1] or equivalent state law unfair competition claims, other causes of action may also be available. These claims could arise under the Computer Fraud and Abuse Act (CFAA) [2] and the CAN-SPAM Act. [3] The CFAA, however, requires jumping through hoops when used in this context, as its focus is on the unauthorized access to a “protected computer”, not the obtaining and using of personal identifiable information. A “protected computer” is one used in interstate or foreign commerce or communication, such as a computer connected to the Internet. [4] The CFAA also requires $5,000 in loss of use or damages as to each “protected computer”. [5]

The CAN-SPAM Act, while prohibiting false and misleading use of e-mail header information (in the “from” field, [6] for instance), limits the right of civil private enforcement to only an “Internet access service”. [7] Otherwise, enforcement is left to a multitude of federal and state agencies and authorities, such as the Federal Trade Commission, which have the right to bring civil and criminal actions against violators. [8]

Depending on the facts and circumstances involved, other claims, such as copyright infringement, may be applicable, if content is copied and is otherwise protectable under copyright law. Contributory or vicarious copyright liability against the Web hosting entity may also be available. The Gramm Leach Bliley Act (GLBA) would apply to any “pretexting”, the practice of obtaining personal financial information through false pretenses. [9] Various other causes of action may apply, including common law fraud, state consumer fraud or unfair business practices laws, and, in certain circumstances, perhaps trespass to chattels.

The Federal Trade Commission estimates that 3.2 million Americans fall victim to identity theft every year: people who are financially defrauded or even charged with crimes as a result of someone else’s assuming their identities. Recently, ChoicePoint, a Georgia-based information service that compiles data on millions of citizens, was duped into reportedly giving as many as 140,000 personal and financial records of consumers to individuals posing as legitimate ChoicePoint customers; at least one defendant sent ChoicePoint applications from fax machines at Kinko’s. LexisNexis was recently victimized when one of its databases was hacked, resulting in the theft of digital dossiers containing the names, addresses, Social Security, and driver’s license numbers of up to 32,000 individuals.

Congress has not yet passed legislation expressly dealing with the theft of personal identifiable information, although there is a federal penal statute making it a crime to knowingly transfer or use, without lawful authority, “a means of identification of another person” with the intent to commit or aid or abet a felony. [10] There is no federal law which addresses the obligation of companies, generally, to prohibit the unauthorized disclosure of digital records containing personal identifiable information. Some U.S. Senators have vowed to push for such legislation in the current session. Such laws may require notifications to customers when their records have been compromised and prohibit the sale or display of Social Security numbers without the holder’s consent.

It remains to be seen if such legislation would create any private right of action against companies who lawfully maintain the personal identifiable information of others, and what standards would apply in the event of a breach of security or the unauthorized accessing of these databases. It should be noted that neither the GLBA (with respect to “Personal Identifiable Information” maintained by banks, securities firms, and insurance companies [11]), nor the Health Insurance Portability and Accountability Act (HIPAA) (with respect to “Individually Identifiable Health Information” maintained by health care providers [12]) permits any private right of action against such organizations for unauthorized or wrongful disclosure under these statutes. Thus, based on the track record of Congress in this area, it would not be surprising if any resulting anti-identity theft legislation were to foreclose the injured consumer from bringing an action against a company for a violation of its statutory duty to prevent the unauthorized or wrongful disclosure of personal identifiable information.

*Richard L. Ravin is a member of Hartman & Winnicki, P.C., and head of the firm’s Internet and Intellectual Property Law Group, with offices in Paramus, New Jersey and New York City. He is Chair of the New York State Bar Association’s Intellectual Property Section, and past (founding) Co-Chair of the Internet Law Committee of the Section. His Web site is www.ravin.com, and his e-mail address is rick@ravin.com.
__________________________

1. Lanham Act, 15 U.S.C. §1125(a), §1114(1), and §1125(d)
2. Computer Fraud and Abuse Act, 18 U.S.C. §1030.
3. CAN-SPAM Act, 15 U.S.C. §7701 et seq.
4. Computer Fraud and Abuse Act, 18 U.S.C. §1030(e)(2)(B).
5. Computer Fraud and Abuse Act, 18 U.S.C. §1030(a)(4) and (5).
6. CAN-SPAM Act, 15 U.S.C. §7704(a)(1).
7. CAN-SPAM Act, 15 U.S.C. §7706(g).
8. CAN-SPAM Act, 15 U.S.C. §7706(a) through (f).
9. Gramm Leach Bliley Act, 15 U.S.C. §§ 6821 through 6827.
10. 18 U.S.C. §1028(a)(7).
11. Gramm Leach Bliley Act, 15 U.S.C. §6805.
12. Health Insurance Portability and Accountability Act, 42 U.S.C. §1320d-6; University of Colorado Hospital v. Denver Publishing Co. 320 F.Supp. 2d 1142 (D. Col. 2004).

© 2005 Richard L. Ravin. All Rights Reserved.

DISCLAIMER: http://ravin.com/disclaimer/.