
	
		II
		Calendar No. 324
		112th CONGRESS
		2d Session
		S. 2111
		IN THE SENATE OF THE UNITED STATES
		
			February 15, 2012
			Mr. Leahy introduced the
			 following bill; which was read the first time
		
		
			February 16, 2012
			Read the second time and placed on the
			 calendar
		
		A BILL
		To enhance punishment for identity theft and other
		  violations of data privacy and security.
	
	
		1.Short titleThis Act may be cited as the
			 Cyber Crime Protection Security
			 Act.
		2.Organized
			 criminal activity in connection with unauthorized access to personally
			 identifiable informationSection 1961(1) of title 18, United States
			 Code, is amended by inserting section 1030 (relating to fraud and
			 related activity in connection with computers) if the act is a felony,
			 before section 1084.
		3.Penalties for
			 fraud and related activity in connection with computersSection 1030(c) of title 18, United States
			 Code, is amended to read as follows:
			
				(c)The punishment
				for an offense under subsection (a) or (b) of this section is—
					(1)a fine under this
				title or imprisonment for not more than 20 years, or both, in the case of an
				offense under subsection (a)(1) of this section;
					(2)(A)except as provided in
				subparagraph (B), a fine under this title or imprisonment for not more than 3
				years, or both, in the case of an offense under subsection (a)(2); or
						(B)a fine under this title or
				imprisonment for not more than ten years, or both, in the case of an offense
				under paragraph (a)(2) of this section, if—
							(i)the offense was committed for
				purposes of commercial advantage or private financial gain;
							(ii)the offense was committed in the
				furtherance of any criminal or tortious act in violation of the Constitution or
				laws of the United States, or of any State; or
							(iii)the value of the information
				obtained, or that would have been obtained if the offense was completed,
				exceeds $5,000;
							(3)a fine under this
				title or imprisonment for not more than 1 year, or both, in the case of an
				offense under subsection (a)(3) of this section;
					(4)a fine under this
				title or imprisonment of not more than 20 years, or both, in the case of an
				offense under subsection (a)(4) of this section;
					(5)(A)except as provided in
				subparagraph (D), a fine under this title, imprisonment for not more than 20
				years, or both, in the case of an offense under subsection (a)(5)(A) of this
				section, if the offense caused—
							(i)loss to 1 or more persons during
				any 1-year period (and, for purposes of an investigation, prosecution, or other
				proceeding brought by the United States only, loss resulting from a related
				course of conduct affecting 1 or more other protected computers) aggregating at
				least $5,000 in value;
							(ii)the modification or impairment, or
				potential modification or impairment, of the medical examination, diagnosis,
				treatment, or care of 1 or more individuals;
							(iii)physical injury to any
				person;
							(iv)a threat to public health or
				safety;
							(v)damage affecting a computer used
				by, or on behalf of, an entity of the United States Government in furtherance
				of the administration of justice, national defense, or national security;
				or
							(vi)damage affecting 10 or more
				protected computers during any 1-year period;
							(B)a fine under this title, imprisonment
				for not more than 10 years, or both, in the case of an offense under subsection
				(a)(5)(B), if the offense caused a harm provided in clause (i) through (vi) of
				subparagraph (A) of this subsection;
						(C)if the offender attempts to cause or
				knowingly or recklessly causes death from conduct in violation of subsection
				(a)(5)(A), a fine under this title, imprisonment for any term of years or for
				life, or both; or
						(D)a fine under this title, imprisonment
				for not more than 1 year, or both, for any other offense under subsection
				(a)(5);
						(6)a fine under this
				title or imprisonment for not more than 10 years, or both, in the case of an
				offense under subsection (a)(6) of this section; or
					(7)a fine under this
				title or imprisonment for not more than 10 years, or both, in the case of an
				offense under subsection (a)(7) of this
				section..
					.
		4.Trafficking in
			 passwordsSection 1030(a) of
			 title 18, United States Code, is amended by striking paragraph (6) and
			 inserting the following:
			
				(6)knowingly and
				with intent to defraud traffics (as defined in section 1029) in—
					(A)any password or
				similar information or means of access through which a protected computer as
				defined in subparagraphs (A) and (B) of subsection (e)(2) may be accessed
				without authorization; or
					(B)any means of
				access through which a protected computer as defined in subsection (e)(2)(A)
				may be accessed without
				authorization.
					.
		5.Conspiracy and
			 attempted computer fraud offensesSection 1030(b) of title 18, United States
			 Code, is amended by inserting for the completed offense after
			 punished as provided.
		6.Criminal and
			 civil forfeiture for fraud and related activity in connection with
			 computersSection 1030 of
			 title 18, United States Code, is amended by striking subsections (i) and (j)
			 and inserting the following:
			
				(i)Criminal
				forfeiture
					(1)The court, in
				imposing sentence on any person convicted of a violation of this section, or
				convicted of conspiracy to violate this section, shall order, in addition to
				any other sentence imposed and irrespective of any provision of State law, that
				such person forfeit to the United States—
						(A)such person's
				interest in any property, real or personal, that was used, or intended to be
				used, to commit or facilitate the commission of such violation; and
						(B)any property,
				real or personal, constituting or derived from any gross proceeds, or any
				property traceable to such property, that such person obtained, directly or
				indirectly, as a result of such violation.
						(2)The criminal
				forfeiture of property under this subsection, including any seizure and
				disposition of the property, and any related judicial or administrative
				proceeding, shall be governed by the provisions of section 413 of the
				Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853),
				except subsection (d) of that section.
					(j)Civil
				forfeiture
					(1)The following
				shall be subject to forfeiture to the United States and no property right, real
				or personal, shall exist in them:
						(A)Any property,
				real or personal, that was used, or intended to be used, to commit or
				facilitate the commission of any violation of this section, or a conspiracy to
				violate this section.
						(B)Any property,
				real or personal, constituting or derived from any gross proceeds obtained
				directly or indirectly, or any property traceable to such property, as a result
				of the commission of any violation of this section, or a conspiracy to violate
				this section.
						(2)Seizures and
				forfeitures under this subsection shall be governed by the provisions in
				chapter 46 of title 18, United States Code, relating to civil forfeitures,
				except that such duties as are imposed on the Secretary of the Treasury under
				the customs laws described in section 981(d) of title 18, United States Code,
				shall be performed by such officers, agents and other persons as may be
				designated for that purpose by the Secretary of Homeland Security or the
				Attorney
				General.
					.
		7.Damage to
			 critical infrastructure computers
			(a)In
			 generalChapter 47 of title 18, United States Code, is amended by
			 inserting after section 1030 the following:
				
					1030A.Aggravated
				damage to a critical infrastructure computer
						(a)DefinitionsIn
				this section—
							(1)the terms
				computer and damage have the meanings given such
				terms in section 1030; and
							(2)the term
				critical infrastructure computer means a computer that manages or
				controls systems or assets vital to national defense, national security,
				national economic security, public health or safety, or any combination of
				those matters, whether publicly or privately owned or operated,
				including—
								(A)gas and oil
				production, storage, and delivery systems;
								(B)water supply
				systems;
								(C)telecommunication
				networks;
								(D)electrical power
				delivery systems;
								(E)finance and
				banking systems;
								(F)emergency
				services;
								(G)transportation
				systems and services; and
								(H)government
				operations that provide essential services to the public.
								(b)OffenseIt
				shall be unlawful to, during and in relation to a felony violation of section
				1030, intentionally cause or attempt to cause damage to a critical
				infrastructure computer, and such damage results in (or, in the case of an
				attempt, would, if completed have resulted in) the substantial
				impairment—
							(1)of the operation
				of the critical infrastructure computer; or
							(2)of the critical
				infrastructure associated with the computer.
							(c)PenaltyAny
				person who violates subsection (b) shall be fined under this title, imprisoned
				for not less than 3 years nor more than 20 years, or both.
						(d)Consecutive
				sentenceNotwithstanding any other provision of law—
							(1)a court shall not
				place on probation any person convicted of a violation of this section;
							(2)except as
				provided in paragraph (4), no term of imprisonment imposed on a person under
				this section shall run concurrently with any other term of imprisonment,
				including any term of imprisonment imposed on the person under any other
				provision of law, including any term of imprisonment imposed for the felony
				violation section 1030;
							(3)in determining
				any term of imprisonment to be imposed for a felony violation of section 1030,
				a court shall not in any way reduce the term to be imposed for such crime so as
				to compensate for, or otherwise take into account, any separate term of
				imprisonment imposed or to be imposed for a violation of this section;
				and
							(4)a term of
				imprisonment imposed on a person for a violation of this section may, in the
				discretion of the court, run concurrently, in whole or in part, only with
				another term of imprisonment that is imposed by the court at the same time on
				that person for an additional violation of this section, provided that such
				discretion shall be exercised in accordance with any applicable guidelines and
				policy statements issued by the United States Sentencing Commission pursuant to
				section 994 of title
				28.
							.
			(b)Technical and
			 conforming amendmentThe table of sections for chapter 47 of
			 title 18, United States Code, is amended by inserting after the item relating
			 to section 1030 the following:
				
					
						Sec. 1030A. Aggravated damage to a critical infrastructure
				computer.
					
					.
			8.Limitation on
			 actions involving unauthorized useSection 1030(e)(6) of title 18, United
			 States Code, is amended by striking alter; and inserting
			 alter, but does not include access in violation of a contractual
			 obligation or agreement, such as an acceptable use policy or terms of service
			 agreement, with an Internet service provider, Internet website, or
			 non-government employer, if such violation constitutes the sole basis for
			 determining that access to a protected computer is
			 unauthorized;.
		
	
		February 16, 2012
		Read the second time and placed on the
		  calendar
	
