


110 HR 836 IH: To amend title 18, United States Code, to better assure

U.S. House of Representatives
2007-02-06
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.


	
		I
		110th CONGRESS
		1st Session
		H. R. 836
		IN THE HOUSE OF REPRESENTATIVES
		
			February 6, 2007
			Mr. Smith of Texas (for himself, Mr. Forbes, Mr. Gallegly, Mr. Chabot, Mr. Coble, Mr. Franks of Arizona, Mr. Goodlatte, and Mr. Pence) introduced the following bill; which was referred to the Committee on the Judiciary
		
		A BILL
		To amend title 18, United States Code, to better assure cyber-security, and for other purposes.
	
	
		1. Short title. This Act may be cited as the “Cyber-Security Enhancement and Consumer Data Protection Act of 2007”.
		2. Personal electronic records. Section 1030(a)(2) of title 18, United States Code, is amended—
			(1) by striking “or” at the end of subparagraph (B); and
			(2) by adding at the end the following:
				“(D) a means of identification (as defined in section 1028(d)) from a protected computer; or
				(E) the capability to gain access to or remotely control a protected computer.”.
		3. Use of full interstate and foreign commerce power for criminal penalties
			(a) Broadening of Scope. Section 1030(e)(2)(B) of title 18, United States Code, is amended by inserting “or affecting” after “which is used in”.
			(b) Elimination of Requirement of an Interstate or Foreign Communication for Certain Offenses Involving Protected Computers. Section 1030(a)(2)(C) of title 18, United States Code, is amended by striking “if the conduct involved an interstate or foreign communication”.
		4. RICO predicates. Section 1961(1)(B) of title 18, United States Code, is amended by inserting “section 1030 (relating to fraud and related activity in connection with computers),” before “section 1084”.
		5. Cyber-extortion. Section 1030(a)(7) of title 18, United States Code, is amended by inserting “, or to access without authorization or exceed authorized access to a protected computer” after “cause damage to a protected computer”.
		6. Conspiracy to commit cyber-crimes. Section 1030(b) of title 18, United States Code, is amended by inserting “or conspires” after “attempts”.
		7. Notice to law enforcement
			(a) Criminal Penalty for Failure To Notify Law Enforcement. Chapter 47 of title 18, United States Code, is amended by adding at the end the following:
				“1039. Concealment of security breaches involving personal information
					(a) Offense. Whoever owns or possesses data in electronic form containing a means of identification (as defined in section 1028), having knowledge of a major security breach of the system containing such data maintained by such person, and knowingly fails to provide notice of such breach to the United States Secret Service or Federal Bureau of Investigation, with the intent to prevent, obstruct, or impede a lawful investigation of such breach, shall be fined under this title, imprisoned not more than 5 years, or both.
					(b) Definitions. As used in this section—
						(1) Major security breach. The term “major security breach” means any security breach—
							(A) whereby means of identification pertaining to 10,000 or more individuals is, or is reasonably believed to have been acquired, and such acquisition causes a significant risk of identity theft;
							(B) involving databases owned by the Federal Government; or
							(C) involving primarily data in electronic form containing means of identification of Federal Government employees or contractors involved in national security matters or law enforcement.
						(2) Significant risk of identity theft
							(A) In general. The term “significant risk of identity theft” means such risk that a reasonable person would conclude, after a reasonable opportunity to investigate, that it is more probable than not that identity theft has occurred or will occur as a result of the breach.
							(B) Presumption. If the data in electronic form containing a means of identification involved in a suspected breach has been encrypted, redacted, requires technology to use or access the data that is not commercially available, or has otherwise been rendered unusable, then there shall be a presumption that the breach has not caused a significant risk of identity theft. Such presumption may be rebutted by facts demonstrating that the encryption code has been or is reasonably likely to be compromised, that the entity that acquired the data is believed to possess the technology to access it, or the owner or possessor of the data is or reasonably should be aware of an unusual pattern of misuse of the data that indicates fraud or identity theft.”.
			(b) Rulemaking. Within 180 days after the date of enactment of this Act, the Attorney General and Secretary of Homeland Security shall jointly promulgate rules and regulations, after adequate notice and an opportunity for comment, as are reasonably necessary, governing the form, content, and timing of the notices required pursuant to section 1039 of title 18, United States Code. Such rules and regulations shall not require the deployment or use of specific products or technologies, including any specific computer hardware or software, to protect against a security breach. Such rules and regulations shall require that—
				(1) such notice be provided to the United States Secret Service or Federal Bureau of Investigation before any notice of a breach is made to consumers under State or Federal law, and within 14 days of discovery of the breach;
				(2) if the United States Secret Service or Federal Bureau of Investigation determines that any notice required to be made to consumers under State or Federal law would impede or compromise a criminal investigation or national security, the United States Secret Service or Federal Bureau of Investigation shall direct in writing within 7 days that such notice shall be delayed for 30 days, or until the United States Secret Service or Federal Bureau of Investigation determines that such notice will not impede or compromise a criminal investigation or national security;
				(3) the United States Secret Service shall notify the Federal Bureau of Investigation, if the United States Secret Service determines that such breach may involve espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y))), except for offenses affecting the duties of the United States Secret Service under section 3056(a) of title 18, United States Code; and
				(4) the United States Secret Service or Federal Bureau of Investigation notify the Attorney General in each State affected by the breach, if the United States Secret Service or Federal Bureau of Investigation declines to pursue a criminal investigation, or as deemed necessary and appropriate.
			(c) Immunity From Lawsuit. No cause of action shall lie in any court against any law enforcement entity or any person who notifies law enforcement of a security breach pursuant to this section for any penalty, prohibition, or damages relating to the delay of notification for law enforcement purposes under this Act.
			(d) Civil Penalty for Failure To Notify. Whoever knowingly fails to give a notice required under section 1039 of title 18, United States Code, shall be subject to a civil penalty of not more than $50,000 for each day of such failure, but not more than $1,000,000.
			(e) Relation to State Laws
				(1) In general. The requirement to notify law enforcement under this section shall supersede any other notice to law enforcement required under State law.
				(2) Exception for state consumer notice laws. The notice required to law enforcement under this section shall be in addition to any notice to consumers required under State or Federal law following the discovery of a security breach. Nothing in this section annuls, alters, affects or exempts any person from complying with the laws of any State with respect to notice to consumers of a security breach, except as provided by subsections (b) and (c).
			(f) Duty of Federal Agencies and Departments. An agency or department of the Federal Government which would be required to give notice of a major security breach under section 1039 of title 18, United States Code, if that agency or department were a person, shall notify the United States Secret Service or Federal Bureau of Investigation of the breach in the same time and manner as a person subject to that section. The rulemaking authority under subsection (b) shall include the authority to make rules for notice under this subsection of a major security breach.
			(g) Clerical Amendment. The table of sections at the beginning of chapter 47 of title 18, United States Code, is amended by adding at the end the following new item:
				“1039. Concealment of security breaches involving personal information.”.
		8. Penalties for section 1030 violations. Subsection (c) of section 1030 of title 18, United States Code, is amended to read as follows:
				“(c)(1) The punishment for an offense under subsection (a) or (b) is a fine under this title or imprisonment for not more than 30 years, or both.
					(2) The court, in imposing sentence for an offense under subsection (a) or (b), shall, in addition to any other sentence imposed and irrespective of any provision of State law, order that the person forfeit to the United States—
						(A) the person’s interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation; and
						(B) any property, real or personal, constituting or derived from, any proceeds the person obtained, directly or indirectly, as a result of such violation.”.
		9. Directive to Sentencing Commission
			(a) Directive. Pursuant to its authority under section 994(p) of title 28, United States Code, and in accordance with this section, the United States Sentencing Commission shall forthwith review its guidelines and policy statements applicable to persons convicted of offenses under sections 1028, 1028A, 1030, 1030A, 2511 and 2701 of title 18, United States Code and any other relevant provisions of law, in order to reflect the intent of Congress that such penalties be increased in comparison to those currently provided by such guidelines and policy statements.
			(b) Requirements. In determining its guidelines and policy statements on the appropriate sentence for the crimes enumerated in paragraph (a), the Commission shall consider the extent to which the guidelines and policy statements may or may not account for the following factors in order to create an effective deterrent to computer crime and the theft or misuse of personally identifiable data—
				(1) the level of sophistication and planning involved in such offense;
				(2) whether such offense was committed for purpose of commercial advantage or private financial benefit;
				(3) the potential and actual loss resulting from the offense;
				(4) whether the defendant acted with intent to cause either physical or property harm in committing the offense;
				(5) the extent to which the offense violated the privacy rights of individuals;
				(6) the effect of the offense upon the operations of a government agency of the United States, or of a State or local government;
				(7) whether the offense involved a computer used by the government in furtherance of national defense, national security or the administration of justice;
				(8) whether the offense was intended to, or had the effect of significantly interfering with or disrupting a critical infrastructure;
				(9) whether the offense was intended to, or had the effect of creating a threat to public health or safety, injury to any person, or death; and
				(10) whether the defendant purposefully involved a juvenile in the commission of the offense to avoid punishment.
			(c) Additional Requirements. In carrying out this section, the Commission shall—
				(1) assure reasonable consistency with other relevant directives and with other sentencing guidelines;
				(2) account for any additional aggravating or mitigating circumstances that might justify exceptions to the generally applicable sentencing ranges;
				(3) make any conforming changes to the sentencing guidelines; and
				(4) assure that the guidelines adequately meet the purposes of sentencing as set forth in section 3553(a)(2) of title 18, United States Code.
		10. Damage to protected computers
			(a) Section 1030(a)(5)(B) of title 18, United States Code, is amended—
				(1) by striking “or” at the end of clause (iv);
				(2) by inserting “or” at the end of clause (v); and
				(3) by adding at the end the following:
					“(vi) damage affecting ten or more protected computers during any 1-year period.”.
			(b) Section 1030(g) of title 18, United States Code, is amended by striking “or” after “(iv),” and inserting “, or (vi)” after “(v)”.
			(c) Section 2332b(g)(5)(B)(i) of title 18, United States Code, is amended by striking “(v) (relating to protection of computers)” and inserting “(vi) (relating to the protection of computers)”.
		11. Additional funding for resources to investigate and prosecute criminal activity involving computers
			(a) Additional Funding for Resources
				(1) Authorization. In addition to amounts otherwise authorized for resources to investigate and prosecute criminal activity involving computers, there are authorized to be appropriated for each of the fiscal years 2007 through 2011—
					(A) $10,000,000 to the Director of the United States Secret Service;
					(B) $10,000,000 to the Attorney General for the Criminal Division of the Department of Justice; and
					(C) $10,000,000 to the Director of the Federal Bureau of Investigation.
				(2) Availability. Any amounts appropriated under paragraph (1) shall remain available until expended.
			(b) Use of Additional Funding. Funds made available under subsection (a) shall be used by the Director of the United States Secret Service, the Director of the Federal Bureau of Investigation, and the Attorney General, for the United States Secret Service, the Federal Bureau of Investigation, and the criminal division of the Department of Justice, respectively, to—
				(1) hire and train law enforcement officers to—
					(A) investigate crimes committed through the use of computers and other information technology, including through the use of the Internet; and
					(B) assist in the prosecution of such crimes; and
				(2) procure advanced tools of forensic science to investigate, prosecute, and study such crimes.
				
