[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[H.R. 836 Introduced in House (IH)]

110th CONGRESS
  1st Session
                                H. R. 836

To amend title 18, United States Code, to better assure cyber-security, 
                        and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            February 6, 2007

Mr. Smith of Texas (for himself, Mr. Forbes, Mr. Gallegly, Mr. Chabot, 
    Mr. Coble, Mr. Franks of Arizona, Mr. Goodlatte, and Mr. Pence) 
 introduced the following bill; which was referred to the Committee on 
                             the Judiciary

_______________________________________________________________________

                                 A BILL


 
To amend title 18, United States Code, to better assure cyber-security, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber-Security Enhancement and 
Consumer Data Protection Act of 2007''.

SEC. 2. PERSONAL ELECTRONIC RECORDS.

    Section 1030(a)(2) of title 18, United States Code, is amended--
            (1) by striking ``or'' at the end of subparagraph (B); and
            (2) by adding at the end the following:
                    ``(D) a means of identification (as defined in 
                section 1028(d)) from a protected computer; or
                    ``(E) the capability to gain access to or remotely 
                control a protected computer.''.

SEC. 3. USE OF FULL INTERSTATE AND FOREIGN COMMERCE POWER FOR CRIMINAL 
              PENALTIES.

    (a) Broadening of Scope.--Section 1030(e)(2)(B) of title 18, United 
States Code, is amended by inserting ``or affecting'' after ``which is 
used in''.
    (b) Elimination of Requirement of an Interstate or Foreign 
Communication for Certain Offenses Involving Protected Computers.--
Section 1030(a)(2)(C) of title 18, United States Code, is amended by 
striking ``if the conduct involved an interstate or foreign 
communication''.

SEC. 4. RICO PREDICATES.

    Section 1961(1)(B) of title 18, United States Code, is amended by 
inserting ``section 1030 (relating to fraud and related activity in 
connection with computers),'' before ``section 1084''.

SEC. 5. CYBER-EXTORTION.

    Section 1030(a)(7) of title 18, United States Code, is amended by 
inserting ``, or to access without authorization or exceed authorized 
access to a protected computer'' after ``cause damage to a protected 
computer''.

SEC. 6. CONSPIRACY TO COMMIT CYBER-CRIMES.

    Section 1030(b) of title 18, United States Code, is amended by 
inserting ``or conspires'' after ``attempts''.

SEC. 7. NOTICE TO LAW ENFORCEMENT.

    (a) Criminal Penalty for Failure To Notify Law Enforcement.--
Chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:
``Sec. 1039. Concealment of security breaches involving personal 
              information
    ``(a) Offense.--Whoever owns or possesses data in electronic form 
containing a means of identification (as defined in section 1028), 
having knowledge of a major security breach of the system containing 
such data maintained by such person, and knowingly fails to provide 
notice of such breach to the United States Secret Service or Federal 
Bureau of Investigation, with the intent to prevent, obstruct, or 
impede a lawful investigation of such breach, shall be fined under this 
title, imprisoned not more than 5 years, or both.
    ``(b) Definitions.--As used in this section--
            ``(1) Major security breach.--The term `major security 
        breach' means any security breach--
                    ``(A) whereby means of identification pertaining to 
                10,000 or more individuals is, or is reasonably 
                believed to have been acquired, and such acquisition 
                causes a significant risk of identity theft;
                    ``(B) involving databases owned by the Federal 
                Government; or
                    ``(C) involving primarily data in electronic form 
                containing means of identification of Federal 
                Government employees or contractors involved in 
                national security matters or law enforcement.
            ``(2) Significant risk of identity theft.--
                    ``(A) In general.--The term `significant risk of 
                identity theft' means such risk that a reasonable 
                person would conclude, after a reasonable opportunity 
                to investigate, that it is more probable than not that 
                identity theft has occurred or will occur as a result 
                of the breach.
                    ``(B) Presumption.--If the data in electronic form 
                containing a means of identification involved in a 
                suspected breach has been encrypted, redacted, requires 
                technology to use or access the data that is not 
                commercially available, or has otherwise been rendered 
                unusable, then there shall be a presumption that the 
                breach has not caused a significant risk of identity 
                theft. Such presumption may be rebutted by facts 
                demonstrating that the encryption code has been or is 
                reasonably likely to be compromised, that the entity 
                that acquired the data is believed to possess the 
                technology to access it, or the owner or possessor of 
                the data is or reasonably should be aware of an unusual 
                pattern of misuse of the data that indicates fraud or 
                identity theft.''.
    (b) Rulemaking.--Within 180 days after the date of enactment of 
this Act, the Attorney General and Secretary of Homeland Security shall 
jointly promulgate rules and regulations, after adequate notice and an 
opportunity for comment, as are reasonably necessary, governing the 
form, content, and timing of the notices required pursuant to section 
1039 of title 18, United States Code. Such rules and regulations shall 
not require the deployment or use of specific products or technologies, 
including any specific computer hardware or software, to protect 
against a security breach. Such rules and regulations shall require 
that--
            (1) such notice be provided to the United States Secret 
        Service or Federal Bureau of Investigation before any notice of 
        a breach is made to consumers under State or Federal law, and 
        within 14 days of discovery of the breach;
            (2) if the United States Secret Service or Federal Bureau 
        of Investigation determines that any notice required to be made 
        to consumers under State or Federal law would impede or 
        compromise a criminal investigation or national security, the 
        United States Secret Service or Federal Bureau of Investigation 
        shall direct in writing within 7 days that such notice shall be 
        delayed for 30 days, or until the United States Secret Service 
        or Federal Bureau of Investigation determines that such notice 
        will not impede or compromise a criminal investigation or 
        national security;
            (3) the United States Secret Service shall notify the 
        Federal Bureau of Investigation, if the United States Secret 
        Service determines that such breach may involve espionage, 
        foreign counterintelligence, information protected against 
        unauthorized disclosure for reasons of national defense or 
        foreign relations, or Restricted Data (as that term is defined 
        in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 
        2014(y))), except for offenses affecting the duties of the 
        United States Secret Service under section 3056(a) of title 18, 
        United States Code; and
            (4) the United States Secret Service or Federal Bureau of 
        Investigation notify the Attorney General in each State 
        affected by the breach, if the United States Secret Service or 
        Federal Bureau of Investigation declines to pursue a criminal 
        investigation, or as deemed necessary and appropriate.
    (c) Immunity From Lawsuit.--No cause of action shall lie in any 
court against any law enforcement entity or any person who notifies law 
enforcement of a security breach pursuant to this section for any 
penalty, prohibition, or damages relating to the delay of notification 
for law enforcement purposes under this Act.
    (d) Civil Penalty for Failure To Notify.--Whoever knowingly fails 
to give a notice required under section 1039 of title 18, United States 
Code, shall be subject to a civil penalty of not more than $50,000 for 
each day of such failure, but not more than $1,000,000.
    (e) Relation to State Laws.--
            (1) In general.--The requirement to notify law enforcement 
        under this section shall supersede any other notice to law 
        enforcement required under State law.
            (2) Exception for state consumer notice laws.--The notice 
        required to law enforcement under this section shall be in 
        addition to any notice to consumers required under State or 
        Federal law following the discovery of a security breach. 
        Nothing in this section annuls, alters, affects or exempts any 
        person from complying with the laws of any State with respect 
        to notice to consumers of a security breach, except as provided 
        by subsections (b) and (c).
    (f) Duty of Federal Agencies and Departments.--An agency or 
department of the Federal Government which would be required to give 
notice of a major security breach under section 1039 of title 18, 
United States Code, if that agency or department were a person, shall 
notify the United States Secret Service or Federal Bureau of 
Investigation of the breach in the same time and manner as a person 
subject to that section. The rulemaking authority under subsection (b) 
shall include the authority to make rules for notice under this 
subsection of a major security breach.
    (g) Clerical Amendment.--The table of sections at the beginning of 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following new item:

``1039. Concealment of security breaches involving personal 
                            information.''.

SEC. 8. PENALTIES FOR SECTION 1030 VIOLATIONS.

    Subsection (c) of section 1030 of title 18, United States Code, is 
amended to read as follows:
    ``(c)(1) The punishment for an offense under subsection (a) or (b) 
is a fine under this title or imprisonment for not more than 30 years, 
or both.
    ``(2) The court, in imposing sentence for an offense under 
subsection (a) or (b), shall, in addition to any other sentence imposed 
and irrespective of any provision of State law, order that the person 
forfeit to the United States--
            ``(A) the person's interest in any personal property that 
        was used or intended to be used to commit or to facilitate the 
        commission of such violation; and
            ``(B) any property, real or personal, constituting or 
        derived from, any proceeds the person obtained, directly or 
        indirectly, as a result of such violation.''.

SEC. 9. DIRECTIVE TO SENTENCING COMMISSION.

    (a) Directive.--Pursuant to its authority under section 994(p) of 
title 28, United States Code, and in accordance with this section, the 
United States Sentencing Commission shall forthwith review its 
guidelines and policy statements applicable to persons convicted of 
offenses under sections 1028, 1028A, 1030, 1030A, 2511 and 2701 of 
title 18, United States Code and any other relevant provisions of law, 
in order to reflect the intent of Congress that such penalties be 
increased in comparison to those currently provided by such guidelines 
and policy statements.
    (b) Requirements.--In determining its guidelines and policy 
statements on the appropriate sentence for the crimes enumerated in 
paragraph (a), the Commission shall consider the extent to which the 
guidelines and policy statements may or may not account for the 
following factors in order to create an effective deterrent to computer 
crime and the theft or misuse of personally identifiable data--
            (1) the level of sophistication and planning involved in 
        such offense;
            (2) whether such offense was committed for purpose of 
        commercial advantage or private financial benefit;
            (3) the potential and actual loss resulting from the 
        offense;
            (4) whether the defendant acted with intent to cause either 
        physical or property harm in committing the offense;
            (5) the extent to which the offense violated the privacy 
        rights of individuals;
            (6) the effect of the offense upon the operations of a 
        government agency of the United States, or of a State or local 
        government;
            (7) whether the offense involved a computer used by the 
        government in furtherance of national defense, national 
        security or the administration of justice;
            (8) whether the offense was intended to, or had the effect 
        of significantly interfering with or disrupting a critical 
        infrastructure;
            (9) whether the offense was intended to, or had the effect 
        of creating a threat to public health or safety, injury to any 
        person, or death; and
            (10) whether the defendant purposefully involved a juvenile 
        in the commission of the offense to avoid punishment.
    (c) Additional Requirements.--In carrying out this section, the 
Commission shall--
            (1) assure reasonable consistency with other relevant 
        directives and with other sentencing guidelines;
            (2) account for any additional aggravating or mitigating 
        circumstances that might justify exceptions to the generally 
        applicable sentencing ranges;
            (3) make any conforming changes to the sentencing 
        guidelines; and
            (4) assure that the guidelines adequately meet the purposes 
        of sentencing as set forth in section 3553(a)(2) of title 18, 
        United States Code.

SEC. 10. DAMAGE TO PROTECTED COMPUTERS.

    (a) Section 1030(a)(5)(B) of title 18, United States Code, is 
amended--
            (1) by striking ``or'' at the end of clause (iv);
            (2) by inserting ``or'' at the end of clause (v); and
            (3) by adding at the end the following:
                            ``(vi) damage affecting ten or more 
                        protected computers during any 1-year 
                        period.''.
    (b) Section 1030(g) of title 18, United States Code, is amended by 
striking ``or'' after ``(iv),'' and inserting ``, or (vi)'' after 
``(v)''.
    (c) Section 2332b(g)(5)(B)(i) of title 18, United States Code, is 
amended by striking ``(v) (relating to protection of computers)'' and 
inserting ``(vi) (relating to the protection of computers)''.

SEC. 11. ADDITIONAL FUNDING FOR RESOURCES TO INVESTIGATE AND PROSECUTE 
              CRIMINAL ACTIVITY INVOLVING COMPUTERS.

    (a) Additional Funding for Resources.--
            (1) Authorization.--In addition to amounts otherwise 
        authorized for resources to investigate and prosecute criminal 
        activity involving computers, there are authorized to be 
        appropriated for each of the fiscal years 2007 through 2011--
                    (A) $10,000,000 to the Director of the United 
                States Secret Service;
                    (B) $10,000,000 to the Attorney General for the 
                Criminal Division of the Department of Justice; and
                    (C) $10,000,000 to the Director of the Federal 
                Bureau of Investigation.
            (2) Availability.--Any amounts appropriated under paragraph 
        (1) shall remain available until expended.
    (b) Use of Additional Funding.--Funds made available under 
subsection (a) shall be used by the Director of the United States 
Secret Service, the Director of the Federal Bureau of Investigation, 
and the Attorney General, for the United States Secret Service, the 
Federal Bureau of Investigation, and the criminal division of the 
Department of Justice, respectively, to--
            (1) hire and train law enforcement officers to--
                    (A) investigate crimes committed through the use of 
                computers and other information technology, including 
                through the use of the Internet; and
                    (B) assist in the prosecution of such crimes; and
            (2) procure advanced tools of forensic science to 
        investigate, prosecute, and study such crimes.