[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4175 Introduced in House (IH)]

110th CONGRESS
  1st Session
                                H. R. 4175

To amend title 18, United States Code, with respect to data privacy and 
                   security, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           November 14, 2007

 Mr. Conyers (for himself, Mr. Smith of Texas, Mr. Scott of Virginia, 
 Mr. Forbes, Ms. Linda T. Sanchez of California, Mr. Davis of Alabama, 
and Ms. Jackson-Lee of Texas) introduced the following bill; which was 
               referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
To amend title 18, United States Code, with respect to data privacy and 
                   security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    (a) Short Title.--This Act may be cited as the ``Privacy and 
Cybercrime Enforcement Act of 2007''.
    (b) Table of Contents.--The title of contents for this Act is as 
follows:

Sec. 1. Short title.
 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Organized criminal activity.
Sec. 102. Failure to provide notice of security breaches involving 
                            sensitive personally identifiable 
                            information.
Sec. 103. Use of full interstate and foreign commerce power for 
                            criminal penalties.
Sec. 104. Cyber-extortion.
Sec. 105. Conspiracy to commit cyber-crimes.
Sec. 106. Penalties for section 1030 violations.
Sec. 107. Additional funding for resources to investigate and prosecute 
                            criminal activity involving computers.
Sec. 108. Criminal restitution.
Sec. 109. Review and amendment of Federal sentencing guidelines related 
                            to fraudulent access to or misuse of 
                            digitized or electronic personally 
                            identifiable information.
     TITLE II--NON-CRIMINAL PRIVACY ENFORCEMENT AND PRIVACY IMPACT 
                               STATEMENTS

Sec. 201. Enforcement by Attorney General and State authorities.
Sec. 202. Coordination of State and Federal efforts.
Sec. 203. Requirement that agency rulemaking take into consideration 
                            impacts on individual privacy.
  TITLE III--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT TO COMBAT 
     FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF PERSONALLY 
                        IDENTIFIABLE INFORMATION

Sec. 301. Grants for State and local law enforcement.
Sec. 302. Authorization of appropriations.
          TITLE IV--NATIONAL WHITE COLLAR CRIME CENTER GRANTS

Sec. 401. Authorization and Expansion of National White Collar Crime 
                            Center.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

SEC. 101. ORGANIZED CRIMINAL ACTIVITY.

    Section 1961(1) of title 18, United States Code, is amended by 
inserting ``section 1030 (relating to certain frauds and related 
activities in connection with computers)''.

SEC. 102. FAILURE TO PROVIDE NOTICE OF SECURITY BREACHES INVOLVING 
              SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by adding at the end the following:
``Sec. 1040. Failure to provide notice of security breaches involving 
              sensitive personally identifiable information
    ``(a) Whoever, having a covered obligation to provide notice of a 
security breach involving sensitive personally identifiable 
information, knowingly fails to do so, shall be fined under this title 
or imprisoned not more than 5 years, or both.
    ``(b) As used in this section--
            ``(1) the term `covered obligation', with respect to 
        providing notice of a security breach, means an obligation 
        under Federal law or, if the breach is in or affects interstate 
        or foreign commerce, under State law;
            ``(2) the term `sensitive personally identifiable 
        information' means any electronic or digital information that 
        includes--
                    ``(A) an individual's first and last name, or first 
                initial and last name, or address or phone number in 
                combination with any 1 of the following data elements 
                where the data elements are not protected by a 
                technology protection measure that renders the data 
                element indecipherable--
                            ``(i) a nontruncated social security 
                        number, driver's license number, state resident 
                        identification number, passport number, or 
                        alien registration number;
                            ``(ii) both of the following--
                                    ``(I) mother's maiden name, if 
                                identified as such; and
                                    ``(II) month, day, and year of 
                                birth; and
                            ``(iii) unique biometric data such as a 
                        finger print, voice print, a retina or iris 
                        image; or
                    ``(B) a financial account number or credit or debit 
                card number in combination with any security code, 
                access code or password that is required for an 
                individual to obtain credit, withdraw funds, or engage 
                in a financial transaction by means of such number;
            ``(3) the term `security breach' means a compromise of the 
        security, confidentiality, or integrity of computerized data 
        that there is reason to believe has resulted in improper access 
        to sensitive personally identifiable information; and
            ``(4) the term `improper access' means access without 
        authorization or in excess of authorization.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:

``1040. Concealment of security breaches involving personally 
                            identifiable information.''.
    (c) Obligation To Report.--
            (1) In general.--A person who owns or possesses data in 
        electronic form containing a means of identification and has 
        knowledge of a major security breach of the system containing 
        such data maintained by such person, must provide prompt notice 
        of such breach to the United States Secret Service or Federal 
        Bureau of Investigation.
            (2) Publication of list of notifications.--The Secret 
        Service and the Federal Bureau of Investigation shall annually 
        publish in the Federal Register a list of all notifications 
        submitted the previous calendar year and the identity of each 
        entity with respect to which the major security breach 
        occurred.
            (3) Definition.--In this subsection--
                    (A) the term ``major security breach'' means any 
                security breach involving--
                            (i) means of identification pertaining to 
                        10,000 or more individuals is, or is reasonably 
                        believed to have been acquired;
                            (ii) databases owned by the Federal 
                        Government; or
                            (iii) means of identification of Federal 
                        Government employees or contractors involved in 
                        national security matters or law enforcement; 
                        and
                    (B) the term ``means of identification'' has the 
                meaning given that term in section 1028 of title 18, 
                United States Code.

SEC. 103. USE OF FULL INTERSTATE AND FOREIGN COMMERCE POWER FOR 
              CRIMINAL PENALTIES.

    (a) Broadening of Scope.--Section 1030(e)(2)(B) of title 18, United 
States Code, is amended by inserting ``or affecting'' after ``which is 
used in''.
    (b) Elimination of Requirement of an Interstate or Foreign 
Communication for Certain Offenses Involving Protected Computers.--
Section 1030(a)(2)(C) of title 18, United States Code, is amended by 
striking ``if the conduct involved an interstate or foreign 
communication''.

SEC. 104. CYBER-EXTORTION.

    Section 1030(a)(7) of title 18, United States Code, is amended by 
inserting ``, or to access without authorization or exceed authorized 
access to a protected computer'' after ``cause damage to a protected 
computer''.

SEC. 105. CONSPIRACY TO COMMIT CYBER-CRIMES.

    Section 1030(b) of title 18, United States Code, is amended by 
inserting ``or conspires'' after ``attempts''.

SEC. 106. PENALTIES FOR SECTION 1030 VIOLATIONS.

    Subsection (c) of section 1030 of title 18, United States Code, is 
amended to read as follows:
    ``(c)(1) The punishment for an offense under subsection (a) or (b) 
is a fine under this title or imprisonment for not more than 20 years, 
or both, but if the offender in the course of a violation of subsection 
(a)(5)(A)(i) knowingly or recklessly causes or attempts to cause death, 
such offender shall be fined under this title or imprisoned for any 
term of years or for life, or both.
    ``(2) The court, in imposing sentence for an offense under 
subsection (a) or (b), may, in addition to any other sentence imposed 
and irrespective of any provision of State law, order that the person 
forfeit to the United States--
            ``(A) the person's interest in any personal property that 
        was used or intended to be used to commit or to facilitate the 
        commission of the offense; and
            ``(B) any property, real or personal, constituting or 
        derived from, any proceeds the person obtained, directly or 
        indirectly, as a result of the offense.''.

SEC. 107. ADDITIONAL FUNDING FOR RESOURCES TO INVESTIGATE AND PROSECUTE 
              CRIMINAL ACTIVITY INVOLVING COMPUTERS.

    (a) Additional Funding for Resources.--
            (1) Authorization.--In addition to amounts otherwise 
        authorized for resources to investigate and prosecute criminal 
        activity involving computers, there are authorized to be 
        appropriated for each of the fiscal years 2008 through 2012--
                    (A) $10,000,000 to the Director of the United 
                States Secret Service;
                    (B) $10,000,000 to the Attorney General for the 
                Criminal Division of the Department of Justice; and
                    (C) $10,000,000 to the Director of the Federal 
                Bureau of Investigation.
            (2) Availability.--Any amounts appropriated under paragraph 
        (1) shall remain available until expended.
    (b) Use of Additional Funding.--Funds made available under 
subsection (a) shall be used by the Director of the United States 
Secret Service, the Director of the Federal Bureau of Investigation, 
and the Attorney General, for the United States Secret Service, the 
Federal Bureau of Investigation, and the criminal division of the 
Department of Justice, respectively, to--
            (1) hire and train law enforcement officers to--
                    (A) investigate crimes committed through the use of 
                computers and other information technology, including 
                through the use of the Internet; and
                    (B) assist in the prosecution of such crimes; and
            (2) procure advanced tools of forensic science to 
        investigate, prosecute, and study such crimes.

SEC. 108. CRIMINAL RESTITUTION.

    Section 3663(b) of title 18, United States Code, is amended--
            (1) by striking ``and'' at the end of paragraph (4);
            (2) by striking the period at the end of paragraph (5) and 
        inserting ``; and'' and
            (3) by adding at the end the following:
            ``(6) in the case of an offense under section 1028(a)(7), 
        1028A(a), or 1030(a)(2), pay an amount equal to the value of 
        the victim's time reasonably spent to remediate actual harm 
        resulting from the offense.''.

SEC. 109. REVIEW AND AMENDMENT OF FEDERAL SENTENCING GUIDELINES RELATED 
              TO FRAUDULENT ACCESS TO OR MISUSE OF DIGITIZED OR 
              ELECTRONIC PERSONALLY IDENTIFIABLE INFORMATION.

    The United States Sentencing Commission, pursuant to its authority 
under section 994 of title 28, United States Code, and in accordance 
with this section, shall review and, if appropriate, amend the Federal 
sentencing guidelines (including its policy statements) applicable to 
persons convicted of using fraud to access, or misuse of, digitized or 
electronic personally identifiable information, including identity 
theft or any offense under--
            (1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of 
        title 18, United States Code; and
            (2) any other relevant provision.

     TITLE II--NON-CRIMINAL PRIVACY ENFORCEMENT AND PRIVACY IMPACT 
                               STATEMENTS

SEC. 201. ENFORCEMENT BY ATTORNEY GENERAL AND STATE AUTHORITIES.

    (a) Definition of ``Authorized Entity''.--As used in this section, 
the term ``authorized entity'' means the Attorney General, with respect 
to any conduct constituting a violation of a Federal law enacted after 
the date of the enactment of this Act relating to data security and 
engaged in by a business entity, and a State Attorney General with 
respect to that conduct to the extent the conduct adversely affects an 
interest of the residents of a State.
    (b) Civil Penalty.--
            (1) Generally.--An authorized entity may in a civil action 
        obtain a civil penalty of not more than $500,000 from any 
        business entity that engages in conduct constituting a 
        violation of a Federal law enacted after the date of the 
        enactment of this Act relating to data security.
            (2) Special rule for intentional violation.--If the 
        violation described in subsection (a) is intentional, the 
        maximum civil penalty is $1,000,000.
    (c) Injunctive Relief.--An authorized entity may, in a civil action 
against a business entity that has engaged, or is engaged, in any 
conduct constituting a violation of a Federal law enacted after the 
date of the enactment of this Act relating data security, obtain an 
order--
            (1) enjoining such act or practice; or
            (2) enforcing compliance with that law.
    (d) Other Rights and Remedies.--The rights and remedies available 
under this section do not affect any other rights and remedies 
available under Federal or State law.

SEC. 202. COORDINATION OF STATE AND FEDERAL EFFORTS.

    (a) Notice.--
            (1) In general.--A State consumer protection attorney may 
        not bring an action under section 201, until the attorney 
        general of the State involved provides to the Attorney General 
        of the United States--
                    (A) written notice of the action; and
                    (B) a copy of the complaint for the action.
            (2) Exception.--Paragraph (1) does not apply with respect 
        to the filing of an action by an attorney general of a State 
        under this section if the State attorney general determines 
        that it is not feasible to provide the notice described in such 
        subparagraph before the filing of the action, in such a case 
        the State attorney general shall provide notice and a copy of 
        the complaint to the Attorney General at the time the State 
        attorney general files the action.
    (b) Federal Proceedings.--The Attorney General may--
            (1) move to stay any non Federal action under section 201, 
        pending the final disposition of a pending Federal action under 
        that section;
            (2) initiate an action in an appropriate United States 
        district court and move to consolidate all pending actions 
        under section 201, including State actions, in that court; and
            (3) intervene in a State action under section 201.
    (c) Pending Proceedings.--If the Attorney General institutes a 
proceeding or action for a violation of a Federal law enacted after the 
date of the enactment of this Act relating data security, no authority 
of a State may, during the pendency of such proceeding or action, bring 
an action under this section against any defendant named in such 
criminal proceeding or a civil action against any defendant for any 
violation that is alleged in that proceeding or action.
    (d) Definition.--As used in this section, the term ``State consumer 
protection attorney'' means the attorney general of a State or any 
State or local law enforcement agency authorized by the State attorney 
general or by State statute to prosecute violations of consumer 
protection law.

SEC. 203. REQUIREMENT THAT AGENCY RULEMAKING TAKE INTO CONSIDERATION 
              IMPACTS ON INDIVIDUAL PRIVACY.

    (a) In General.--Title 5, United States Code, is amended by adding 
after section 553 the following new section:
``Sec. 553a. Privacy impact assessment in rulemaking
    ``(a) Initial Privacy Impact Assessment.--
            ``(1) In general.--Whenever an agency is required by 
        section 553 of this title, or any other law, to publish a 
        general notice of proposed rulemaking for a proposed rule, or 
        publishes a notice of proposed rulemaking for an interpretative 
        rule involving the internal revenue laws of the United States, 
        and such rule or proposed rulemaking pertains to the 
        collection, maintenance, use, or disclosure of personally 
        identifiable information from 10 or more individuals, other 
        than agencies, instrumentalities, or employees of the Federal 
        government, the agency shall prepare and make available for 
        public comment an initial privacy impact assessment that 
        describes the impact of the proposed rule on the privacy of 
        individuals. Such assessment or a summary thereof shall be 
        signed by the senior agency official with primary 
        responsibility for privacy policy and be published in the 
        Federal Register at the time of the publication of a general 
        notice of proposed rulemaking for the rule.
            ``(2) Contents.--Each initial privacy impact assessment 
        required under this subsection shall contain the following:
                    ``(A) A description and analysis of the extent to 
                which the proposed rule will impact the privacy 
                interests of individuals, including the extent to which 
                the proposed rule--
                            ``(i) provides notice of the collection of 
                        personally identifiable information, and 
                        specifies what personally identifiable 
                        information is to be collected and how it is to 
                        be collected, maintained, used, and disclosed;
                            ``(ii) allows access to such information by 
                        the person to whom the personally identifiable 
                        information pertains and provides an 
                        opportunity to correct inaccuracies;
                            ``(iii) prevents such information, which is 
                        collected for one purpose, from being used for 
                        another purpose; and
                            ``(iv) provides security for such 
                        information, including the provision of written 
                        notice to any individual, within 14 days of the 
                        date of compromise, whose privacy interests are 
                        compromised by the unauthorized release of 
                        personally identifiable information as a result 
                        of a breach of security at or by the agency.
                    ``(B) A description of any significant alternatives 
                to the proposed rule which accomplish the stated 
                objectives of applicable statutes and which minimize 
                any significant privacy impact of the proposed rule on 
                individuals.
    ``(b) Final Privacy Impact Assessment.--
            ``(1) In general.--Whenever an agency promulgates a final 
        rule under section 553 of this title, after being required by 
        that section or any other law to publish a general notice of 
        proposed rulemaking, or promulgates a final interpretative rule 
        involving the internal revenue laws of the United States, and 
        such rule or proposed rulemaking pertains to the collection, 
        maintenance, use, or disclosure of personally identifiable 
        information from 10 or more individuals, other than agencies, 
        instrumentalities, or employees of the Federal government, the 
        agency shall prepare a final privacy impact assessment, signed 
        by the senior agency official with primary responsibility for 
        privacy policy.
            ``(2) Contents.--Each final privacy impact assessment 
        required under this subsection shall contain the following:
                    ``(A) A description and analysis of the extent to 
                which the final rule will impact the privacy interests 
                of individuals, including the extent to which such 
                rule--
                            ``(i) provides notice of the collection of 
                        personally identifiable information, and 
                        specifies what personally identifiable 
                        information is to be collected and how it is to 
                        be collected, maintained, used, and disclosed;
                            ``(ii) allows access to such information by 
                        the person to whom the personally identifiable 
                        information pertains and provides an 
                        opportunity to correct inaccuracies;
                            ``(iii) prevents such information, which is 
                        collected for one purpose, from being used for 
                        another purpose; and
                            ``(iv) provides security for such 
                        information, including the provision of written 
                        notice to any individual, within 14 days of the 
                        date of compromise, whose privacy interests are 
                        compromised by the unauthorized release of 
                        personally identifiable information as a result 
                        of a breach of security at or by the agency.
                    ``(B) A summary of any significant issues raised by 
                the public comments in response to the initial privacy 
                impact assessment, a summary of the analysis of the 
                agency of such issues, and a statement of any changes 
                made in such rule as a result of such issues.
                    ``(C) A description of the steps the agency has 
                taken to minimize the significant privacy impact on 
                individuals consistent with the stated objectives of 
                applicable statutes, including a statement of the 
                factual, policy, and legal reasons for selecting the 
                alternative adopted in the final rule and why each one 
                of the other significant alternatives to the rule 
                considered by the agency which affect the privacy 
                interests of individuals was rejected.
            ``(3) Availability to public.--The agency shall make copies 
        of the final privacy impact assessment available to members of 
        the public and shall publish in the Federal Register such 
        assessment or a summary thereof.
    ``(c) Waivers.--
            ``(1) Emergencies.--An agency head may waive or delay the 
        completion of some or all of the requirements of subsections 
        (a) and (b) to the same extent as the agency head may, under 
        section 608, waive or delay the completion of some or all of 
        the requirements of sections 603 and 604, respectively.
            ``(2) National security.--An agency head may, for national 
        security reasons, or to protect from disclosure classified 
        information, confidential commercial information, or 
        information the disclosure of which may adversely affect a law 
        enforcement effort, waive or delay the completion of some or 
        all of the following requirements:
                    ``(A) The requirement of subsection (a)(1) to make 
                an assessment available for public comment, provided 
                that such assessment is made available, in classified 
                form, to the Committees on the Judiciary of the House 
                of Representatives and the Senate, in lieu of making 
                such assessment available to the public.
                    ``(B) The requirement of subsection (a)(1) to have 
                an assessment or summary thereof published in the 
                Federal Register, provided that such assessment or 
                summary is made available, in classified form, to the 
                Committees on the Judiciary of the House of 
                Representatives and the Senate, in lieu of publishing 
                such assessment or summary in the Federal Register.
                    ``(C) The requirements of subsection (b)(3), 
                provided that the final privacy impact assessment is 
                made available, in classified form, to the Committees 
                on the Judiciary of the House of Representatives and 
                the Senate, in lieu of making such assessment available 
                to the public and publishing such assessment in the 
                Federal Register.
    ``(d) Procedures for Gathering Comments.--When any rule is 
promulgated which may have a significant privacy impact on individuals, 
or a privacy impact on a substantial number of individuals, the head of 
the agency promulgating the rule or the official of the agency with 
statutory responsibility for the promulgation of the rule shall assure 
that individuals have been given an opportunity to participate in the 
rulemaking for the rule through techniques such as--
            ``(1) the inclusion in an advance notice of proposed 
        rulemaking, if issued, of a statement that the proposed rule 
        may have a significant privacy impact on individuals, or a 
        privacy impact on a substantial number of individuals;
            ``(2) the publication of a general notice of proposed 
        rulemaking in publications of national circulation likely to be 
        obtained by individuals;
            ``(3) the direct notification of interested individuals;
            ``(4) the conduct of open conferences or public hearings 
        concerning the rule for individuals, including soliciting and 
        receiving comments over computer networks; and
            ``(5) the adoption or modification of agency procedural 
        rules to reduce the cost or complexity of participation in the 
        rulemaking by individuals.
    ``(e) Periodic Review of Rules.--
            ``(1) In general.--Each agency shall carry out a periodic 
        review of the rules promulgated by the agency that have a 
        significant privacy impact on individuals, or a privacy impact 
        on a substantial number of individuals. Under such periodic 
        review, the agency shall determine, for each such rule, whether 
        the rule can be amended or rescinded in a manner that minimizes 
        any such impact while remaining in accordance with applicable 
        statutes. For each such determination, the agency shall 
        consider the following factors:
                    ``(A) The continued need for the rule.
                    ``(B) The nature of complaints or comments received 
                from the public concerning the rule.
                    ``(C) The complexity of the rule.
                    ``(D) The extent to which the rule overlaps, 
                duplicates, or conflicts with other Federal rules, and, 
                to the extent feasible, with State and local 
                governmental rules.
                    ``(E) The length of time since the rule was last 
                reviewed under this subsection.
                    ``(F) The degree to which technology, economic 
                conditions, or other factors have changed in the area 
                affected by the rule since the rule was last reviewed 
                under this subsection.
            ``(2) Plan required.--Each agency shall carry out the 
        periodic review required by paragraph (1) in accordance with a 
        plan published by such agency in the Federal Register. Each 
        such plan shall provide for the review under this subsection of 
        each rule promulgated by the agency not later than 10 years 
        after the date on which such rule was published as the final 
        rule and, thereafter, not later than 10 years after the date on 
        which such rule was last reviewed under this subsection. The 
        agency may amend such plan at any time by publishing the 
        revision in the Federal Register.
            ``(3) Annual publication.--Each year, each agency shall 
        publish in the Federal Register a list of the rules to be 
        reviewed by such agency under this subsection during the 
        following year. The list shall include a brief description of 
        each such rule and the need for and legal basis of such rule 
        and shall invite public comment upon the determination to be 
        made under this subsection with respect to such rule.
    ``(f) Judicial Review.--
            ``(1) In general.--For any rule subject to this section, an 
        individual who is adversely affected or aggrieved by final 
        agency action is entitled to judicial review of agency 
        compliance with the requirements of subsections (b) and (c) in 
        accordance with chapter 7. Agency compliance with subsection 
        (d) shall be judicially reviewable in connection with judicial 
        review of subsection (b).
            ``(2) Jurisdiction.--Each court having jurisdiction to 
        review such rule for compliance with section 553, or under any 
        other provision of law, shall have jurisdiction to review any 
        claims of noncompliance with subsections (b) and (c) in 
        accordance with chapter 7. Agency compliance with subsection 
        (d) shall be judicially reviewable in connection with judicial 
        review of subsection (b).
            ``(3) Limitations.--
                    ``(A) An individual may seek such review during the 
                period beginning on the date of final agency action and 
                ending 1 year later, except that where a provision of 
                law requires that an action challenging a final agency 
                action be commenced before the expiration of 1 year, 
                such lesser period shall apply to an action for 
                judicial review under this subsection.
                    ``(B) In the case where an agency delays the 
                issuance of a final privacy impact assessment pursuant 
                to subsection (c), an action for judicial review under 
                this section shall be filed not later than--
                            ``(i) 1 year after the date the assessment 
                        is made available to the public; or
                            ``(ii) where a provision of law requires 
                        that an action challenging a final agency 
                        regulation be commenced before the expiration 
                        of the 1-year period, the number of days 
                        specified in such provision of law that is 
                        after the date the assessment is made available 
                        to the public.
            ``(4) Relief.--In granting any relief in an action under 
        this subsection, the court shall order the agency to take 
        corrective action consistent with this section and chapter 7, 
        and may--
                    ``(A) remand the rule to the agency; and
                    ``(B) defer the enforcement of the rule against 
                individuals, unless the court finds that continued 
                enforcement of the rule is in the public interest.
            ``(5) Rule of construction.--Nothing in this subsection 
        limits the authority of any court to stay the effective date of 
        any rule or provision thereof under any other provision of law 
        or to grant any other relief in addition to the requirements of 
        this subsection.
            ``(6) Record of agency action.--In an action for the 
        judicial review of a rule, the privacy impact assessment for 
        such rule, including an assessment prepared or corrected 
        pursuant to paragraph (4), shall constitute part of the entire 
        record of agency action in connection with such review.
            ``(7) Exclusivity.--Compliance or noncompliance by an 
        agency with the provisions of this section shall be subject to 
        judicial review only in accordance with this subsection.
            ``(8) Savings clause.--Nothing in this subsection bars 
        judicial review of any other impact statement or similar 
        assessment required by any other law if judicial review of such 
        statement or assessment is otherwise permitted by law.
    ``(g) Definition.--For purposes of this section, the term 
`personally identifiable information' means information that can be 
used to identify an individual, including such individual's name, 
address, telephone number, photograph, social security number or other 
identifying information. It includes information about such 
individual's medical or financial condition.''.
    (b) Periodic Review Transition Provisions.--
            (1) Initial plan.--For each agency, the plan required by 
        subsection (e) of section 553a of title 5, United States Code 
        (as added by subsection (a)), shall be published not later than 
        180 days after the date of the enactment of this Act.
            (2) Review period.--In the case of a rule promulgated by an 
        agency before the date of the enactment of this Act, such plan 
        shall provide for the periodic review of such rule before the 
        expiration of the 10-year period beginning on the date of the 
        enactment of this Act. For any such rule, the head of the 
        agency may provide for a 1-year extension of such period if the 
        head of the agency, before the expiration of the period, 
        certifies in a statement published in the Federal Register that 
        reviewing such rule before the expiration of the period is not 
        feasible. The head of the agency may provide for additional 1-
        year extensions of the period pursuant to the preceding 
        sentence, but in no event may the period exceed 15 years.
    (c) Congressional Review.--Section 801(a)(1)(B) of title 5, United 
States Code, is amended--
            (1) by redesignating clauses (iii) and (iv) as clauses (iv) 
        and (v), respectively; and
            (2) by inserting after clause (ii) the following new 
        clause:
            ``(iii) the agency's actions relevant to section 553a;''.
    (d) Clerical Amendment.--The table of sections at the beginning of 
chapter 5 of title 5, United States Code, is amended by adding after 
the item relating to section 553 the following new item:

``553a. Privacy impact assessment in rulemaking.''.

  TITLE III--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT TO COMBAT 
     FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF PERSONALLY 
                        IDENTIFIABLE INFORMATION

SEC. 301. GRANTS FOR STATE AND LOCAL LAW ENFORCEMENT.

    (a) In General.--Subject to the availability of amounts provided in 
advance in appropriations Acts, the Assistant Attorney General for the 
Office of Justice Programs of the Department of Justice may award 
grants to States to establish and develop programs to increase and 
enhance enforcement against crimes related to fraudulent, unauthorized, 
or other criminal use of personally identifiable information.
    (b) Application.--To be eligible for a grant under subsection (a), 
a State shall submit an application to the Assistant Attorney General 
for the Office of Justice Programs of the Department of Justice at such 
time, in such manner, and containing such information, including as 
described in subsection (d), as the Assistant Attorney General may 
require.
    (c) Use of Grant Amounts.--A grant awarded to a State under 
subsection (a) shall be used by a State, in conjunction with units of 
local government within that State, State and local courts, other 
States, or combinations thereof, to establish and develop programs to--
            (1) assist State and local law enforcement agencies in 
        enforcing State and local criminal laws relating to crimes 
        involving the fraudulent, unauthorized, or other criminal use 
        of personally identifiable information;
            (2) assist State and local law enforcement agencies in 
        educating the public to prevent and identify crimes involving 
        the fraudulent, unauthorized, or other criminal use of 
        personally identifiable information;
            (3) educate and train State and local law enforcement 
        officers and prosecutors to conduct investigations and forensic 
        analyses of evidence and prosecutions of crimes involving the 
        fraudulent, unauthorized, or other criminal use of personally 
        identifiable information;
            (4) assist State and local law enforcement officers and 
        prosecutors in acquiring computer and other equipment to 
        conduct investigations and forensic analysis of evidence of 
        crimes involving the fraudulent, unauthorized, or other 
        criminal use of personally identifiable information; and
            (5) facilitate and promote the sharing of Federal law 
        enforcement expertise and information about the investigation, 
        analysis, and prosecution of crimes involving the fraudulent, 
        unauthorized, or other criminal use of personally identifiable 
        information with State and local law enforcement officers and 
        prosecutors, including the use of multi-jurisdictional task 
        forces.
    (d) Assurances and Eligibility.--To be eligible to receive a grant 
under subsection (a), a State shall provide assurances to the Attorney 
General that the State--
            (1) has in effect laws that penalize crimes involving the 
        fraudulent, unauthorized, or other criminal use of personally 
        identifiable information, such as penal laws prohibiting--
                    (A) fraudulent schemes executed to obtain 
                personally identifiable information;
                    (B) schemes executed to sell or use fraudulently 
                obtained personally identifiable information; and
                    (C) online sales of personally identifiable 
                information obtained fraudulently or by other illegal 
                means;
            (2) will provide an assessment of the resource needs of the 
        State and units of local government within that State, 
        including criminal justice resources being devoted to the 
        investigation and enforcement of laws related to crimes 
        involving the fraudulent, unauthorized, or other criminal use 
        of personally identifiable information;
            (3) will develop a plan for coordinating the programs 
        funded under this section with other federally funded technical 
        assistance and training programs, including directly funded 
        local programs such as the Local Law Enforcement Block Grant 
        program (described under the heading ``Violent Crime Reduction 
        Programs, State and Local Law Enforcement Assistance'' of the 
        Departments of Commerce, Justice, and State, the Judiciary, and 
        Related Agencies Appropriations Act, 1998 (Public Law 105-
        119)); and
            (4) will submit to the Assistant Attorney General for the 
        Office of Justice Programs of the Department of Justice 
        applicable reports in accordance with subsection (f).
    (e) Matching Funds.--The Federal share of a grant received under 
this section may not exceed 90 percent of the total cost of a program 
or proposal funded under this section unless the Attorney General 
waives, wholly or in part, the requirements of this subsection.
    (f) Reports.--For each year that a State receives a grant under 
subsection (a) for a program, the State shall submit to the Assistant 
Attorney General for the Office of Justice Programs of the Department 
of Justice a report on the results, including the effectiveness, of 
such program during such year.

SEC. 302. AUTHORIZATION OF APPROPRIATIONS.

    (a) In General.--There is authorized to be appropriated to carry 
out this title $25,000,000 for each of fiscal years 2008 through 2010.
    (b) Limitations.--Of the amount made available to carry out this 
title in any fiscal year not more than 3 percent may be used by the 
Attorney General for salaries and administrative expenses.
    (c) Minimum Amount.--Unless all eligible applications submitted by 
a State or units of local government within a State for a grant under 
this title have been funded, the State, together with grantees within 
the State (other than Indian tribes), shall be allocated in each fiscal 
year under this title not less than 0.75 percent of the total amount 
appropriated in the fiscal year for grants pursuant to this title, 
except that the United States Virgin Islands, American Samoa, Guam, and 
the Northern Mariana Islands each shall be allocated 0.25 percent.
    (d) Grants to Indian Tribes.--Notwithstanding any other provision 
of this title, the Attorney General may use amounts made available 
under this title to make grants to Indian tribes for use in accordance 
with this title.

          TITLE IV--NATIONAL WHITE COLLAR CRIME CENTER GRANTS

SEC. 401. AUTHORIZATION AND EXPANSION OF NATIONAL WHITE COLLAR CRIME 
              CENTER.

    (a) In General.--Title I of the Omnibus Crime Control and Safe 
Streets Act of 1968 (42 U.S.C. 3711 et seq.) is amended--
            (1) by redesignating part X, as added by section 623 of 
        Public Law 109-248, as part JJ; and
            (2) by adding at the end the following new part:

          ``PART KK--NATIONAL WHITE COLLAR CRIME CENTER GRANTS

``SEC. 3021. ESTABLISHMENT OF GRANTS PROGRAM.

    ``(a) Authorization.--The Director of the Bureau of Justice 
Assistance is authorized to make grants and enter into contracts with 
State and local criminal justice agencies and nonprofit organizations 
for the purpose of improving the identification, investigation, and 
prosecution of certain criminal activities.
    ``(b) Certain Criminal Activities Defined.--For purposes of this 
part, the term `certain criminal activity' means a criminal conspiracy 
or activity or a terrorist conspiracy or activity that spans 
jurisdictional boundaries, including the following:
            ``(1) Terrorism.
            ``(2) Economic crime.
            ``(3) High-tech crime, also known as cyber crime or 
        computer crime, including internet-based crime against children 
        and child pornography.
    ``(c) Criminal Justice Agency Defined.--For purposes of this part, 
the term `criminal justice agency', with respect to a State or a unit 
of local government within such State, includes a law enforcement 
agency, a State regulatory body with criminal investigative authority, 
and a State or local prosecution office to the extent that such agency, 
body, or office, respectively, is involved in the prevention, 
investigation, and prosecution of certain criminal activities.

``SEC. 3022. AUTHORIZED PROGRAMS.

    ``Grants and contracts awarded under this part may be made only for 
the following programs, with respect to the prevention, investigation, 
and prosecution of certain criminal activities:
            ``(1) Programs to provide a nationwide support system for 
        State and local criminal justice agencies.
            ``(2) Programs to assist State and local criminal justice 
        agencies to develop, establish, and maintain intelligence-
        focused policing strategies and related information sharing.
            ``(3) Programs to provide training and investigative 
        support services to State and local criminal justice agencies 
        to provide such agencies with skills and resources needed to 
        investigate and prosecute such criminal activities and related 
        criminal activities.
            ``(4) Programs to provide research support, to establish 
        partnerships, and to provide other resources to aid State and 
        local criminal justice agencies to prevent, investigate, and 
        prosecute such criminal activities and related problems.
            ``(5) Programs to provide information and research to the 
        general public to facilitate the prevention of such criminal 
        activities.
            ``(6) Programs to establish National training and research 
        centers regionally, including within Virginia, Texas, and 
        Michigan, to provide training and research services for State 
        and local criminal justice agencies.
            ``(7) Any other programs specified by the Attorney General 
        as furthering the purposes of this part.

``SEC. 3023. APPLICATION.

    ``To be eligible for an award of a grant or contract under this 
part, an entity shall submit to the Director of the Bureau of Justice 
Assistance an application in such form and manner, and containing such 
information, as required by the Director.

``SEC. 3024. RULES AND REGULATIONS.

    ``Not later than 180 days after the date of the enactment of this 
part, the Director of the Bureau of Justice Assistance shall promulgate 
such rules and regulations as are necessary to carry out this part, 
including rules and regulations for submitting and reviewing 
applications under section 3023.''.
    (b) Authorization of Appropriation.--Section 1001(a) of such Act 
(42 U.S.C. 3793) is amended by adding at the end the following new 
paragraph:
            ``(26) There is authorized to be appropriated to carry out 
        part KK--
                    ``(A) $25,000,000 for fiscal year 2008;
                    ``(B) $28,000,000 for fiscal year 2009;
                    ``(C) $31,000,000 for fiscal year 2010;
                    ``(D) $34,000,000 for fiscal year 2011;
                    ``(E) $37,000,000 for fiscal year 2012; and
                    ``(F) $40,000,000 for fiscal year 2013.''.