[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5318 Introduced in House (IH)]








109th CONGRESS
  2d Session
                                H. R. 5318

To amend title 18, United States Code, to better assure cyber-security, 
                        and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              May 9, 2006

  Mr. Sensenbrenner (for himself, Mr. Coble, Mr. Smith of Texas, Mr. 
  Feeney, Mr. Schiff, and Ms. Pryce of Ohio) introduced the following 
       bill; which was referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
To amend title 18, United States Code, to better assure cyber-security, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber-Security Enhancement and 
Consumer Data Protection Act of 2006''.

SEC. 2. PERSONAL ELECTRONIC RECORDS.

    Section 1030(a)(2) of title 18, United States Code, is amended--
            (1) by striking``or'' at the end of subparagraph (B); and
            (2) by adding at the end the following:
                    ``(D) a means of identification (as defined in 
                section 1028(d)) from a protected computer; or
                    ``(E) the capability to gain access to or remotely 
                control without authorization, a protected computer.''.

SEC. 3. USE OF FULL INTERSTATE AND FOREIGN COMMERCE POWER FOR CRIMINAL 
              PENALTIES.

    (a) Broadening of Scope.--Section 1030(e)(2)(B) of title 18, United 
States Code, is amended by inserting ``or affecting'' after ``which is 
used in''.
    (b) Elimination of Requirement of an Interstate or Foreign 
Communication for Certain Offenses Involving Protected Computers.--
Section 1030(a)(2)(C) of title 18, United States Code, is amended by 
striking ``if the conduct involved an interstate or foreign 
communication''.

SEC. 4. RICO PREDICATES.

    Section 1961(1)(B) of title 18, United States Code, is amended by 
inserting ``section 1030 (relating to fraud and related activity in 
connection with computers),'' before ``section 1084''.

SEC. 5. CYBER-EXTORTION.

    Section 1030(a)(7) of title 18, United States Code, is amended by 
inserting ``, or to access without authorization or exceed authorized 
access to a protected computer'' after ``cause damage to a protected 
computer''.

SEC. 6. CONSPIRACY TO COMMIT CYBER-CRIMES.

    Section 1030(b) of title 18, United States Code, is amended by 
inserting ``or conspires'' after ``attempts''.

SEC. 7. NOTICE TO LAW ENFORCEMENT.

    (a) Criminal Penalty for Failure to Notify Law Enforcement.--
Chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:
``Sec. 1039. Concealment of security breaches involving personal 
              information
    ``(a) Offense.--Whoever owns or possesses data in electronic form 
containing a means of identification (as defined in section 1028), 
having knowledge of a major security breach of the system containing 
such data maintained by such person, and knowingly fails to provide 
notice of such breach to the United States Secret Service or Federal 
Bureau of Investigation, with the intent to prevent, obstruct, or 
impede a lawful investigation of such breach, and if such breach causes 
a significant risk of identity theft, shall be fined under this title, 
imprisoned not more than 5 years, or both.
    ``(b) Definition.--As used in this section, the term `major 
security breach' means any security breach--
            ``(1) whereby personal information pertaining to 10,000 or 
        more individuals is, or is resonably believed to have been 
        acquired;
            ``(2) involving databases owned by the Federal Government; 
        or
            ``(3) involving primarily data in electronic form 
        containing personal information of employees or contractors of 
        the Federal Government involved in National security matters or 
        law enforcement.''.
    (b) Rulemaking.--Within 180 days after the date of enactment of 
this act, the Attorney General and Secretary of Homeland Security shall 
jointly promulgate rules and regulations, after adequate notice and an 
opportunity for comment, as are reasonably necessary, governing the 
form, content, and timing of the notices required pursuant to section 
1039 of title 18, U.S.C. Such rules and regulations shall require 
that--
            (1) such notice be provided to the United States Secret 
        Service or Federal Bureau of Investigation before any notice of 
        a breach is made to consumers under State or Federal law, and 
        within 14 days of discovery of the breach;
            (2) if the United States Secret Service or Federal Bureau 
        of Investigation determines that any notice required to be made 
        to consumers under State or Federal law would impede or 
        compromise a criminal investigation or national security, the 
        United States Secret Service or Federal Bureau of Investigation 
        shall direct in writing within 7 days that such notice shall be 
        delayed for 30 days, or until the United States Secret Service 
        or Federal Bureau of Investigation determines that such notice 
        will not impede or compromise a criminal investigation or 
        national security; and
            (3) the United States Secret Service shall notify the 
        Federal Bureau of Investigation, if the United States Secret 
        Service determines that such breach may involve espionage, 
        foreign counterintelligence, information protected against 
        unauthorized disclosure for reasons of national defense or 
        foreign relations, or Restricted Data (as that term is defined 
        in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 
        2014(y))), except for offenses affecting the duties of the 
        United States Secret Service under section 3056(a) of title 18, 
        United States Code.
    (c) Immunity From Lawsuit.--No cause of action shall lie in any 
court against any law enforcement entity or any person who notifies law 
enforcement of a security breach pursuant to this section for any 
penalty, prohibition, or damages relating to the delay of notification 
for law enforcement purposes under this Act.
    (d) Civil Penalty for Failure to Notify.--Whoever knowingly fails 
to give a notice required under section 1039 of title 18, United States 
Code, shall be subject to a civil penalty of not more than $50,000 for 
each day of such failure, but not more than $1,000,000.
    (e) Clerical Amendment.--The table of sections at the beginning of 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following new item:

``1039.  Concealment of security breaches involving personal 
                            information.''.

SEC. 8. PENALTIES FOR SECTION 1030 VIOLATIONS.

    Subsection (c) of section 1030 of title 18, United States Code, is 
amended to read as follows:
    ``(c)(1) The punishment for an offense under subsection (a) or (b) 
is a fine under this title or imprisonment for not more than 30 years, 
or both.
    ``(2) The court, in imposing sentence for an offense under 
subsection (a) or (b), shall, in addition to any other sentence imposed 
and irrespective of any provision of State law, order that the person 
forfeit to the United States--
            ``(A) the person's interest in any personal property that 
        was used or intended to be used to commit or to facilitate the 
        commission of such violation; and
            ``(B) any property, real or personal, constituting or 
        derived from, any proceeds the person obtained, directly or 
        indirectly, as a result of such violation.''.

SEC. 9. DIRECTIVE TO SENTENCING COMMISSION.

    (a) Directive.--Pursuant to its authority under section 994(p) of 
title 28, United States Code, and in accordance with this section, the 
United States Sentencing Commission shall forthwith review its 
guidelines and policy statements applicable to persons convicted of 
offenses under sections 1028, 1028A, 1030, 1030A, 2511 and 2701 of 
title 18, United States Code and any other relevant provisions of law, 
in order to reflect the intent of Congress that such penalties be 
increased in comparison to those currently provided by such guidelines 
and policy statements.
    (b) Requirements.--In determining its guidelines and policy 
statements on the appropriate sentence for the crimes enumerated in 
paragraph (a), the Commission shall consider the extent to which the 
guidelines and policy statements may or may not account for the 
following factors in order to create an effective deterrent to computer 
crime and the theft or misuse of personally identifiable data--
            (1) the level of sophistication and planning involved in 
        such offense;
            (2) whether such offense was committed for purpose of 
        commercial advantage or private financial benefit;
            (3) the potential and actual loss resulting from the 
        offense;
            (4) whether the defendant acted with intent to cause either 
        physical or property harm in committing the offense;
            (5) the extent to which the offense violated the privacy 
        rights of individuals;
            (6) the effect of the offense upon the operations of a 
        government agency of the United States, or of a State or local 
        government;
            (7) whether the offense involved a computer used by the 
        government in furtherance of national defense, national 
        security or the administration of justice;
            (8) whether the offense was intended to, or had the effect 
        of significantly interfering with or disrupting a critical 
        infrastructure;
            (9) whether the offense was intended to, or had the effect 
        of creating a threat to public health or safety, injury to any 
        person, or death; and
            (10) whether the defendant purposefully involved a juvenile 
        in the commission of the offense to avoid punishment.
    (c) Additional Requirements.--In carrying out this section, the 
Commission shall--
            (1) assure reasonable consistency with other relevant 
        directives and with other sentencing guidelines;
            (2) account for any additional aggravating or mitigating 
        circumstances that might justify exceptions to the generally 
        applicable sentencing ranges;
            (3) make any conforming changes to the sentencing 
        guidelines; and
            (4) assure that the guidelines adequately meet the purposes 
        of sentencing as set forth in section 3553(a)(2) of title 18, 
        United States Code.

SEC. 10. ADDITIONAL FUNDING FOR RESOURCES TO INVESTIGATE AND PROSECUTE 
              CRIMINAL ACTIVITY INVOLVING COMPUTERS.

    (a) Additional Funding for Resources.--
            (1) Authorization.--In addition to amounts otherwise 
        authorized for resources to investigate and prosecute criminal 
        activity involving computers, there are authorized to be 
        appropriated for each of the fiscal years 2007 through 2011--
                    (A) $10,000,000 to the Director of the United 
                States Secret Service;
                    (B) $10,000,000 to the Attorney General for the 
                Criminal Division of the Department of Justice; and
                    (C) $10,000,000 to the Director of the Federal 
                Bureau of Investigation.
            (2) Availability.--Any amounts appropriated under paragraph 
        (1) shall remain available until expended.
    (b) Use of Additional Funding.--Funds made available under 
subsection (a) shall be used by the director of the United States 
Secret Service, the Director of the Federal Bureau of Investigation, 
and the Attorney General, for the United States Secret Service, the 
Federal Bureau of Investigation, and the criminal division of the 
Department of Justice, respectively, to--
            (1) hire and train law enforcement officers to--
                    (A) investigate crimes committed through the use of 
                computers and other information technology, including 
                through the use of the Internet; and
                    (B) assist in the prosecution of such crimes; and
            (2) procure advanced tools of forensic science to 
        investigate, prosecute, and study such crimes.
                                 <all>