[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]


 
             PRIVACY AND CYBERCRIME ENFORCEMENT ACT OF 2007

=======================================================================

                                HEARING

                               BEFORE THE

                   SUBCOMMITTEE ON CRIME, TERRORISM,
                         AND HOMELAND SECURITY

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                                   ON

                               H.R. 4175

                               __________

                           DECEMBER 18, 2007

                               __________

                           Serial No. 110-128

                               __________

         Printed for the use of the Committee on the Judiciary


      Available via the World Wide Web: http://judiciary.house.gov


                     U.S. GOVERNMENT PRINTING OFFICE
39-708 PDF                 WASHINGTON DC:  2008
---------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001

                       COMMITTEE ON THE JUDICIARY

                 JOHN CONYERS, Jr., Michigan, Chairman
HOWARD L. BERMAN, California         LAMAR SMITH, Texas
RICK BOUCHER, Virginia               F. JAMES SENSENBRENNER, Jr., 
JERROLD NADLER, New York                 Wisconsin
ROBERT C. ``BOBBY'' SCOTT, Virginia  HOWARD COBLE, North Carolina
MELVIN L. WATT, North Carolina       ELTON GALLEGLY, California
ZOE LOFGREN, California              BOB GOODLATTE, Virginia
SHEILA JACKSON LEE, Texas            STEVE CHABOT, Ohio
MAXINE WATERS, California            DANIEL E. LUNGREN, California
WILLIAM D. DELAHUNT, Massachusetts   CHRIS CANNON, Utah
ROBERT WEXLER, Florida               RIC KELLER, Florida
LINDA T. SANCHEZ, California         DARRELL ISSA, California
STEVE COHEN, Tennessee               MIKE PENCE, Indiana
HANK JOHNSON, Georgia                J. RANDY FORBES, Virginia
BETTY SUTTON, Ohio                   STEVE KING, Iowa
LUIS V. GUTIERREZ, Illinois          TOM FEENEY, Florida
BRAD SHERMAN, California             TRENT FRANKS, Arizona
TAMMY BALDWIN, Wisconsin             LOUIE GOHMERT, Texas
ANTHONY D. WEINER, New York          JIM JORDAN, Ohio
ADAM B. SCHIFF, California
ARTUR DAVIS, Alabama
DEBBIE WASSERMAN SCHULTZ, Florida
KEITH ELLISON, Minnesota

            Perry Apelbaum, Staff Director and Chief Counsel
                 Joseph Gibson, Minority Chief Counsel
                                 ------                                

        Subcommittee on Crime, Terrorism, and Homeland Security

             ROBERT C. ``BOBBY'' SCOTT, Virginia, Chairman

MAXINE WATERS, California            LOUIE GOHMERT, Texas
WILLIAM D. DELAHUNT, Massachusetts   J. RANDY FORBES, Virginia
JERROLD NADLER, New York             F. JAMES SENSENBRENNER, Jr., 
HANK JOHNSON, Georgia                Wisconsin
ANTHONY D. WEINER, New York          HOWARD COBLE, North Carolina
SHEILA JACKSON LEE, Texas            STEVE CHABOT, Ohio
ARTUR DAVIS, Alabama                 DANIEL E. LUNGREN, California
TAMMY BALDWIN, Wisconsin
BETTY SUTTON, Ohio

                      Bobby Vassar, Chief Counsel

                    Michael Volkov, Minority Counsel


                            C O N T E N T S

                              ----------                              

                           DECEMBER 18, 2007

                                                                   Page

                            TEXT OF THE BILL

H.R. 4175, the ``Privacy and Cybercrime Enforcement Act of 2007''     3

                           OPENING STATEMENT

The Honorable Robert C. ``Bobby'' Scott, a Representative in 
  Congress from the State of Virginia, and Chairman, Subcommittee 
  on Crime, Terrorism, and Homeland Security.....................     1
The Honorable Louie Gohmert, a Representative in Congress from 
  the State of Texas, and Ranking Member, Subcommittee on Crime, 
  Terrorism, and Homeland Security...............................    13

                               WITNESSES

Mr. Andrew Lourie, acting Principal Deputy Assistant Attorney 
  General and Chief of Staff to the Criminal Division, U.S. 
  Department of Justice, Washington, DC
  Oral Testimony.................................................    20
  Prepared Statement.............................................    22
Mr. Craig Magaw, Special Agent, Criminal Investigative Division, 
  U.S. Secret Service, U.S. Department of Homeland Security, 
  Washington, DC
  Oral Testimony.................................................    43
  Prepared Statement.............................................    44
Mr. Joel Winston, Associate Director, Division of Privacy and 
  Identity Protection, Bureau of Consumer Protection, Federal 
  Trade Commission, Washington, DC
  Oral Testimony.................................................    48
  Prepared Statement.............................................    50
Ms. Jaimee Napp, Executive Director, Identity Theft Action 
  Council of Nebraska, Omaha, NE
  Oral Testimony.................................................    71
  Prepared Statement.............................................    72
Mr. Robert W. Holleyman, II, President and CEO, Business Software 
  Alliance, Washington, DC
  Oral Testimony.................................................    76
  Prepared Statement.............................................    79
Ms. Lillie Coney, Associate Director, Electronic Privacy 
  Information Center, Washington, DC
  Oral Testimony.................................................    85
  Prepared Statement.............................................    87

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Prepared Statement of the Honorable Louie Gohmert, a 
  Representative in Congress from the State of Texas, and Ranking 
  Member, Subcommittee on Crime, Terrorism, and Homeland Security    14
Prepared Statement of the Honorable John Conyers, Jr., a 
  Representative in Congress from the State of Michigan, and 
  Chairman, Committee on the Judiciary...........................    16

                                APPENDIX

Material Submitted for the Hearing Record........................   113


             PRIVACY AND CYBERCRIME ENFORCEMENT ACT OF 2007

                              ----------                              


                       TUESDAY, DECEMBER 18, 2007

              House of Representatives,    
              Subcommittee on Crime, Terrorism,    
                              and Homeland Security
                                Committee on the Judiciary,
                                                    Washington, DC.

    The Subcommittee met, pursuant to notice, at 3 p.m., in 
room 2141, Rayburn House Office Building, the Honorable Robert 
C. ``Bobby'' Scott (Chairman of the Subcommittee) presiding.
    Present: Representatives Scott, Jackson Lee, Gohmert, 
Coble, Chabot, Lungren and Conyers (ex officio).
    Staff Present: Bobby Vassar, Subcommittee Chief Counsel; 
Ameer Gopalani, Majority Counsel; Michael Volkov, Minority 
Counsel; and Veronica Eligan, Majority Professional Staff 
Member.
    Mr. Scott. I am pleased to welcome you to the hearing of 
the Subcommittee on Crime, Terrorism, and Homeland Security on 
H.R. 4175, the ``Privacy and Cybercrime Enforcement Act of 
2007.''
    I would like to thank the Chairman of the full Committee, 
Mr. Conyers, for introducing the bill with bipartisan support. 
The bill was introduced at the time by the Chairman and Ranking 
Member of the Committee and the Subcommittee, and I am pleased 
to have been working with Mr. Conyers in drafting it to provide 
effective tools for Federal prosecutors and State and local law 
enforcement agencies to combat identity theft and other 
cybercrimes.
    The Act takes several important steps to protect American 
consumers from the dangers of identity theft. First, our bill 
provides for the victims of identity theft, provides them with 
the ability to seek restitution in Federal court for the loss 
of time and money spent restoring their credit. Under current 
law, restitution to the victims is only available to recover 
the direct financial cost of identity theft offenses, such as 
recovering funds from unauthorized credit card charges.
    But many identity theft victims incur other indirect costs, 
such as loss of wages due to time taken off from work to 
resolve credit disputes. Our bill amends the present law to 
make it clear that restitution orders may include an amount 
equal to the value of the victim's time spent addressing the 
actual or intended harm of the identity theft.
    Second, the bill addresses urgent needs for agencies and 
companies to provide appropriate notification when they 
experience major breaches. The problem of data breaches remains 
a persistent and dangerous threat to Americans' privacy. For 
example, in 2006, there was a disclosure that a company had 
suffered a major computer breach involving up to 45 million 
credit and debit card records. While the company knew about the 
breach, none of its customers were told about it until a month 
later. And we are all aware of the identity theft from 26 
million of our veterans and active duty personnel from the 
Department of Veterans' Affairs last year.
    Although up to 39 States have laws pertaining to data 
breaches, there is no Federal standard or regulation to provide 
notice. Our bill would require rapid notice of breaches to the 
FBI and Secret Service, and this notice is critical to the 
successful investigation and prosecution of any criminal 
activity associated with the breach. The FBI and Secret Service 
would then publish the list of reported breaches in the Federal 
Register so the public would be aware of where and to what 
extent major data breaches are occurring.
    Finally, the bill makes it a crime punishable by up to 5 
years in prison for knowingly failing to report major breaches 
to the appropriate authorities.
    Lastly, this bill provides much needed tools to Federal and 
State law enforcement agents. The bill adds Section 1030 to the 
Computer Fraud and Abuse Act to the RICO statute which will 
provide the Department of Justice with a much-needed tool to 
investigate and prosecute organized crime syndicates which use 
sophisticated cyber schemes to commit criminal acts.
    The bill also authorizes $25 million for each of the fiscal 
years from 2008 to 2010 to establish State grant programs with 
enforcement of cybercrimes. State and local law enforcement 
resources need to be strengthened to attack the low lying 
identity theft that Federal prosecutors fail to go after.
    We heard the last Congress had a Subcommittee hearing about 
the incident involving Senator Domenici where some $800 in 
merchandise was charged to a stolen credit card. We found that 
the crime was not being prosecuted.
    So thieves are left with the knowledge that if they don't 
steal too much, they can do so with impunity. The credit card 
company will cancel the debt, write off the loss, and there 
will be no criminal investigation, and so the thieves can keep 
the bounty of their crimes without worrying about prosecution.
    I believe that the Secret Service working in partnership 
with State law enforcement could quickly reverse this 
expectation that thieves have in this front. H.R. 4175 is a 
comprehensive bill. It not only deals with the need to provide 
law enforcement notice to law enforcement when innocent 
consumers have their data breached, it also deals with the 
underlying problems of lack of accountability to deter crimes 
from occurring in the first place.
    Our privacy in cybercrimes lag behind both capabilities of 
our technology and the sophistication of identity thieves, and 
this legislation will close that gap.
    [The text of the bill, H.R. 4175, follows:]

HR 4175 IH  ___________________________________________________

                                                                      I
110th CONGRESS
    1st Session

                                H. R. 4175

To amend title 18, United States Code, with respect to data privacy and 
    security, and for other purposes.
                               __________

                    IN THE HOUSE OF REPRESENTATIVES
                           November 14, 2007
Mr. Conyers (for himself, Mr. Smith of Texas, Mr. Scott of Virginia, 
    Mr. Forbes, Ms. Linda T. Sanchez of California, Mr. Davis of 
    Alabama, and Ms. Jackson-Lee of Texas) introduced the following 
    bill; which was referred to the Committee on the Judiciary
                               __________

                                 A BILL

To amend title 18, United States Code, with respect to data privacy and 
    security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    (a) Short Title.--This Act may be cited as the ``Privacy and 
Cybercrime Enforcement Act of 2007''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

    Sec. 1. Short title.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

    Sec. 101. Organized criminal activity.
    Sec. 102. Failure to provide notice of security breaches involving 
sensitive personally identifiable information.
    Sec. 103. Use of full interstate and foreign commerce power for 
criminal penalties.
    Sec. 104. Cyber-extortion.
    Sec. 105. Conspiracy to commit cyber-crimes.
    Sec. 106. Penalties for section 1030 violations.
    Sec. 107. Additional funding for resources to investigate and 
prosecute criminal activity involving computers.
    Sec. 108. Criminal restitution.
    Sec. 109. Review and amendment of Federal sentencing guidelines 
related to fraudulent access to or misuse of digitized or electronic 
personally identifiable information.

     TITLE II--NON-CRIMINAL PRIVACY ENFORCEMENT AND PRIVACY IMPACT 
                               STATEMENTS

    Sec. 201. Enforcement by Attorney General and State authorities.
    Sec. 202. Coordination of State and Federal efforts.
    Sec. 203. Requirement that agency rulemaking take into 
consideration impacts on individual privacy.

  TITLE III--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT TO COMBAT 
     FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF PERSONALLY 
                        IDENTIFIABLE INFORMATION

    Sec. 301. Grants for State and local law enforcement.
    Sec. 302. Authorization of appropriations.

          TITLE IV--NATIONAL WHITE COLLAR CRIME CENTER GRANTS

    Sec. 401. Authorization and Expansion of National White Collar 
Crime Center.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

SEC. 101. ORGANIZED CRIMINAL ACTIVITY.

    Section 1961(1) of title 18, United States Code, is amended by 
inserting ``section 1030 (relating to certain frauds and related 
activities in connection with computers)''.

SEC. 102. FAILURE TO PROVIDE NOTICE OF SECURITY BREACHES INVOLVING 
                    SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by adding at the end the following:

``Sec. 1040. Failure to provide notice of security breaches involving 
                    sensitive personally identifiable information

    ``(a) Whoever, having a covered obligation to provide notice of a 
security breach involving sensitive personally identifiable 
information, knowingly fails to do so, shall be fined under this title 
or imprisoned not more than 5 years, or both.
    ``(b) As used in this section--
            ``(1) the term `covered obligation', with respect to 
        providing notice of a security breach, means an obligation 
        under Federal law or, if the breach is in or affects interstate 
        or foreign commerce, under State law;
            ``(2) the term `sensitive personally identifiable 
        information' means any electronic or digital information that 
        includes--
                    ``(A) an individual's first and last name, or first 
                initial and last name, or address or phone number in 
                combination with any 1 of the following data elements 
                where the data elements are not protected by a 
                technology protection measure that renders the data 
                element indecipherable--
                            ``(i) a nontruncated social security 
                        number, driver's license number, state resident 
                        identification number, passport number, or 
                        alien registration number;
                            ``(ii) both of the following--
                                    ``(I) mother's maiden name, if 
                                identified as such; and
                                    ``(II) month, day, and year of 
                                birth; and
                            ``(iii) unique biometric data such as a 
                        finger print, voice print, a retina or iris 
                        image; or
                    ``(B) a financial account number or credit or debit 
                card number in combination with any security code, 
                access code or password that is required for an 
                individual to obtain credit, withdraw funds, or engage 
                in a financial transaction by means of such number;
            ``(3) the term `security breach' means a compromise of the 
        security, confidentiality, or integrity of computerized data 
        that there is reason to believe has resulted in improper access 
        to sensitive personally identifiable information; and
            ``(4) the term `improper access' means access without 
        authorization or in excess of authorization.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:

    ``1040. Concealment of security breaches involving personally 
identifiable information.''.
    (c) Obligation To Report.--
            (1) In general.--A person who owns or possesses data in 
        electronic form containing a means of identification and has 
        knowledge of a major security breach of the system containing 
        such data maintained by such person, must provide prompt notice 
        of such breach to the United States Secret Service or Federal 
        Bureau of Investigation.
            (2) Publication of list of notifications.--The Secret 
        Service and the Federal Bureau of Investigation shall annually 
        publish in the Federal Register a list of all notifications 
        submitted the previous calendar year and the identity of each 
        entity with respect to which the major security breach 
        occurred.
            (3) Definition.--In this subsection--
                    (A) the term ``major security breach'' means any 
                security breach involving--
                            (i) means of identification pertaining to 
                        10,000 or more individuals is, or is reasonably 
                        believed to have been acquired;
                            (ii) databases owned by the Federal 
                        Government; or
                            (iii) means of identification of Federal 
                        Government employees or contractors involved in 
                        national security matters or law enforcement; 
                        and
                    (B) the term ``means of identification'' has the 
                meaning given that term in section 1028 of title 18, 
                United States Code.

SEC. 103. USE OF FULL INTERSTATE AND FOREIGN COMMERCE POWER FOR 
                    CRIMINAL PENALTIES.

    (a) Broadening of Scope.--Section 1030(e)(2)(B) of title 18, United 
States Code, is amended by inserting ``or affecting'' after ``which is 
used in''.
    (b) Elimination of Requirement of an Interstate or Foreign 
Communication for Certain Offenses Involving Protected Computers.--
Section 1030(a)(2)(C) of title 18, United States Code, is amended by 
striking ``if the conduct involved an interstate or foreign 
communication''.

SEC. 104. CYBER-EXTORTION.

    Section 1030(a)(7) of title 18, United States Code, is amended by 
inserting ``, or to access without authorization or exceed authorized 
access to a protected computer'' after ``cause damage to a protected 
computer''.

SEC. 105. CONSPIRACY TO COMMIT CYBER-CRIMES.

    Section 1030(b) of title 18, United States Code, is amended by 
inserting ``or conspires'' after ``attempts''.

SEC. 106. PENALTIES FOR SECTION 1030 VIOLATIONS.

    Subsection (c) of section 1030 of title 18, United States Code, is 
amended to read as follows:
    ``(c)(1) The punishment for an offense under subsection (a) or (b) 
is a fine under this title or imprisonment for not more than 20 years, 
or both, but if the offender in the course of a violation of subsection 
(a)(5)(A)(i) knowingly or recklessly causes or attempts to cause death, 
such offender shall be fined under this title or imprisoned for any 
term of years or for life, or both.
    ``(2) The court, in imposing sentence for an offense under 
subsection (a) or (b), may, in addition to any other sentence imposed 
and irrespective of any provision of State law, order that the person 
forfeit to the United States--
            ``(A) the person's interest in any personal property that 
        was used or intended to be used to commit or to facilitate the 
        commission of the offense; and
            ``(B) any property, real or personal, constituting or 
        derived from, any proceeds the person obtained, directly or 
        indirectly, as a result of the offense.''.

SEC. 107. ADDITIONAL FUNDING FOR RESOURCES TO INVESTIGATE AND PROSECUTE 
                    CRIMINAL ACTIVITY INVOLVING COMPUTERS.

    (a) Additional Funding for Resources.--
            (1) Authorization.--In addition to amounts otherwise 
        authorized for resources to investigate and prosecute criminal 
        activity involving computers, there are authorized to be 
        appropriated for each of the fiscal years 2008 through 2012--
                    (A) $10,000,000 to the Director of the United 
                States Secret Service;
                    (B) $10,000,000 to the Attorney General for the 
                Criminal Division of the Department of Justice; and
                    (C) $10,000,000 to the Director of the Federal 
                Bureau of Investigation.
            (2) Availability.--Any amounts appropriated under paragraph 
        (1) shall remain available until expended.
    (b) Use of Additional Funding.--Funds made available under 
subsection (a) shall be used by the Director of the United States 
Secret Service, the Director of the Federal Bureau of Investigation, 
and the Attorney General, for the United States Secret Service, the 
Federal Bureau of Investigation, and the criminal division of the 
Department of Justice, respectively, to--
            (1) hire and train law enforcement officers to--
                    (A) investigate crimes committed through the use of 
                computers and other information technology, including 
                through the use of the Internet; and
                    (B) assist in the prosecution of such crimes; and
            (2) procure advanced tools of forensic science to 
        investigate, prosecute, and study such crimes.

SEC. 108. CRIMINAL RESTITUTION.

    Section 3663(b) of title 18, United States Code, is amended--
            (1) by striking ``and'' at the end of paragraph (4);
            (2) by striking the period at the end of paragraph (5) and 
        inserting ``; and''; and
            (3) by adding at the end the following:
            ``(6) in the case of an offense under section 1028(a)(7), 
        1028A(a), or 1030(a)(2), pay an amount equal to the value of 
        the victim's time reasonably spent to remediate actual harm 
        resulting from the offense.''.

SEC. 109. REVIEW AND AMENDMENT OF FEDERAL SENTENCING GUIDELINES RELATED 
                    TO FRAUDULENT ACCESS TO OR MISUSE OF DIGITIZED OR 
                    ELECTRONIC PERSONALLY IDENTIFIABLE INFORMATION.

    The United States Sentencing Commission, pursuant to its authority 
under section 994 of title 28, United States Code, and in accordance 
with this section, shall review and, if appropriate, amend the Federal 
sentencing guidelines (including its policy statements) applicable to 
persons convicted of using fraud to access, or misuse of, digitized or 
electronic personally identifiable information, including identity 
theft or any offense under--
            (1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of 
        title 18, United States Code; and
            (2) any other relevant provision.

     TITLE II--NON-CRIMINAL PRIVACY ENFORCEMENT AND PRIVACY IMPACT 
                               STATEMENTS

SEC. 201. ENFORCEMENT BY ATTORNEY GENERAL AND STATE AUTHORITIES.

    (a) Definition of ``Authorized Entity''.--As used in this section, 
the term ``authorized entity'' means the Attorney General, with respect 
to any conduct constituting a violation of a Federal law enacted after 
the date of the enactment of this Act relating to data security and 
engaged in by a business entity, and a State Attorney General with 
respect to that conduct to the extent the conduct adversely affects an 
interest of the residents of a State.
    (b) Civil Penalty.--
            (1) Generally.--An authorized entity may in a civil action 
        obtain a civil penalty of not more than $500,000 from any 
        business entity that engages in conduct constituting a 
        violation of a Federal law enacted after the date of the 
        enactment of this Act relating to data security.
            (2) Special rule for intentional violation.--If the 
        violation described in subsection (a) is intentional, the 
        maximum civil penalty is $1,000,000.
    (c) Injunctive Relief.--An authorized entity may, in a civil action 
against a business entity that has engaged, or is engaged, in any 
conduct constituting a violation of a Federal law enacted after the 
date of the enactment of this Act relating to data security, obtain an 
order--
            (1) enjoining such act or practice; or
            (2) enforcing compliance with that law.
    (d) Other Rights and Remedies.--The rights and remedies available 
under this section do not affect any other rights and remedies 
available under Federal or State law.

SEC. 202. COORDINATION OF STATE AND FEDERAL EFFORTS.

    (a) Notice.--
            (1) In general.--A State consumer protection attorney may 
        not bring an action under section 201, until the attorney 
        general of the State involved provides to the Attorney General 
        of the United States--
                    (A) written notice of the action; and
                    (B) a copy of the complaint for the action.
            (2) Exception.--Paragraph (1) does not apply with respect 
        to the filing of an action by an attorney general of a State 
        under this section if the State attorney general determines 
        that it is not feasible to provide the notice described in such 
        subparagraph before the filing of the action; in such a case 
        the State attorney general shall provide notice and a copy of 
        the complaint to the Attorney General at the time the State 
        attorney general files the action.
    (b) Federal Proceedings.--The Attorney General may--
            (1) move to stay any non-Federal action under section 201, 
        pending the final disposition of a pending Federal action under 
        that section;
            (2) initiate an action in an appropriate United States 
        district court and move to consolidate all pending actions 
        under section 201, including State actions, in that court; and
            (3) intervene in a State action under section 201.
    (c) Pending Proceedings.--If the Attorney General institutes a 
proceeding or action for a violation of a Federal law enacted after the 
date of the enactment of this Act relating to data security, no authority 
of a State may, during the pendency of such proceeding or action, bring 
an action under this section against any defendant named in such 
criminal proceeding or a civil action against any defendant for any 
violation that is alleged in that proceeding or action.
    (d) Definition.--As used in this section, the term ``State consumer 
protection attorney'' means the attorney general of a State or any 
State or local law enforcement agency authorized by the State attorney 
general or by State statute to prosecute violations of consumer 
protection law.

SEC. 203. REQUIREMENT THAT AGENCY RULEMAKING TAKE INTO CONSIDERATION 
                    IMPACTS ON INDIVIDUAL PRIVACY.

    (a) In General.--Title 5, United States Code, is amended by adding 
after section 553 the following new section:

``Sec. 553a. Privacy impact assessment in rulemaking

    ``(a) Initial Privacy Impact Assessment.--
            ``(1) In general.--Whenever an agency is required by 
        section 553 of this title, or any other law, to publish a 
        general notice of proposed rulemaking for a proposed rule, or 
        publishes a notice of proposed rulemaking for an interpretative 
        rule involving the internal revenue laws of the United States, 
        and such rule or proposed rulemaking pertains to the 
        collection, maintenance, use, or disclosure of personally 
        identifiable information from 10 or more individuals, other 
        than agencies, instrumentalities, or employees of the Federal 
        government, the agency shall prepare and make available for 
        public comment an initial privacy impact assessment that 
        describes the impact of the proposed rule on the privacy of 
        individuals. Such assessment or a summary thereof shall be 
        signed by the senior agency official with primary 
        responsibility for privacy policy and be published in the 
        Federal Register at the time of the publication of a general 
        notice of proposed rulemaking for the rule.
            ``(2) Contents.--Each initial privacy impact assessment 
        required under this subsection shall contain the following:
                    ``(A) A description and analysis of the extent to 
                which the proposed rule will impact the privacy 
                interests of individuals, including the extent to which 
                the proposed rule--
                            ``(i) provides notice of the collection of 
                        personally identifiable information, and 
                        specifies what personally identifiable 
                        information is to be collected and how it is to 
                        be collected, maintained, used, and disclosed;
                            ``(ii) allows access to such information by 
                        the person to whom the personally identifiable 
                        information pertains and provides an 
                        opportunity to correct inaccuracies;
                            ``(iii) prevents such information, which is 
                        collected for one purpose, from being used for 
                        another purpose; and
                            ``(iv) provides security for such 
                        information, including the provision of written 
                        notice to any individual, within 14 days of the 
                        date of compromise, whose privacy interests are 
                        compromised by the unauthorized release of 
                        personally identifiable information as a result 
                        of a breach of security at or by the agency.
                    ``(B) A description of any significant alternatives 
                to the proposed rule which accomplish the stated 
                objectives of applicable statutes and which minimize 
                any significant privacy impact of the proposed rule on 
                individuals.
    ``(b) Final Privacy Impact Assessment.--
            ``(1) In general.--Whenever an agency promulgates a final 
        rule under section 553 of this title, after being required by 
        that section or any other law to publish a general notice of 
        proposed rulemaking, or promulgates a final interpretative rule 
        involving the internal revenue laws of the United States, and 
        such rule or proposed rulemaking pertains to the collection, 
        maintenance, use, or disclosure of personally identifiable 
        information from 10 or more individuals, other than agencies, 
        instrumentalities, or employees of the Federal government, the 
        agency shall prepare a final privacy impact assessment, signed 
        by the senior agency official with primary responsibility for 
        privacy policy.
            ``(2) Contents.--Each final privacy impact assessment 
        required under this subsection shall contain the following:
                    ``(A) A description and analysis of the extent to 
                which the final rule will impact the privacy interests 
                of individuals, including the extent to which such 
                rule--
                            ``(i) provides notice of the collection of 
                        personally identifiable information, and 
                        specifies what personally identifiable 
                        information is to be collected and how it is to 
                        be collected, maintained, used, and disclosed;
                            ``(ii) allows access to such information by 
                        the person to whom the personally identifiable 
                        information pertains and provides an 
                        opportunity to correct inaccuracies;
                            ``(iii) prevents such information, which is 
                        collected for one purpose, from being used for 
                        another purpose; and
                            ``(iv) provides security for such 
                        information, including the provision of written 
                        notice to any individual, within 14 days of the 
                        date of compromise, whose privacy interests are 
                        compromised by the unauthorized release of 
                        personally identifiable information as a result 
                        of a breach of security at or by the agency.
                    ``(B) A summary of any significant issues raised by 
                the public comments in response to the initial privacy 
                impact assessment, a summary of the analysis of the 
                agency of such issues, and a statement of any changes 
                made in such rule as a result of such issues.
                    ``(C) A description of the steps the agency has 
                taken to minimize the significant privacy impact on 
                individuals consistent with the stated objectives of 
                applicable statutes, including a statement of the 
                factual, policy, and legal reasons for selecting the 
                alternative adopted in the final rule and why each one 
                of the other significant alternatives to the rule 
                considered by the agency which affect the privacy 
                interests of individuals was rejected.
            ``(3) Availability to public.--The agency shall make copies 
        of the final privacy impact assessment available to members of 
        the public and shall publish in the Federal Register such 
        assessment or a summary thereof.
    ``(c) Waivers.--
            ``(1) Emergencies.--An agency head may waive or delay the 
        completion of some or all of the requirements of subsections 
        (a) and (b) to the same extent as the agency head may, under 
        section 608, waive or delay the completion of some or all of 
        the requirements of sections 603 and 604, respectively.
            ``(2) National security.--An agency head may, for national 
        security reasons, or to protect from disclosure classified 
        information, confidential commercial information, or 
        information the disclosure of which may adversely affect a law 
        enforcement effort, waive or delay the completion of some or 
        all of the following requirements:
                    ``(A) The requirement of subsection (a)(1) to make 
                an assessment available for public comment, provided 
                that such assessment is made available, in classified 
                form, to the Committees on the Judiciary of the House 
                of Representatives and the Senate, in lieu of making 
                such assessment available to the public.
                    ``(B) The requirement of subsection (a)(1) to have 
                an assessment or summary thereof published in the 
                Federal Register, provided that such assessment or 
                summary is made available, in classified form, to the 
                Committees on the Judiciary of the House of 
                Representatives and the Senate, in lieu of publishing 
                such assessment or summary in the Federal Register.
                    ``(C) The requirements of subsection (b)(3), 
                provided that the final privacy impact assessment is 
                made available, in classified form, to the Committees 
                on the Judiciary of the House of Representatives and 
                the Senate, in lieu of making such assessment available 
                to the public and publishing such assessment in the 
                Federal Register.
    ``(d) Procedures for Gathering Comments.--When any rule is 
promulgated which may have a significant privacy impact on individuals, 
or a privacy impact on a substantial number of individuals, the head of 
the agency promulgating the rule or the official of the agency with 
statutory responsibility for the promulgation of the rule shall assure 
that individuals have been given an opportunity to participate in the 
rulemaking for the rule through techniques such as--
            ``(1) the inclusion in an advance notice of proposed 
        rulemaking, if issued, of a statement that the proposed rule 
        may have a significant privacy impact on individuals, or a 
        privacy impact on a substantial number of individuals;
            ``(2) the publication of a general notice of proposed 
        rulemaking in publications of national circulation likely to be 
        obtained by individuals;
            ``(3) the direct notification of interested individuals;
            ``(4) the conduct of open conferences or public hearings 
        concerning the rule for individuals, including soliciting and 
        receiving comments over computer networks; and
            ``(5) the adoption or modification of agency procedural 
        rules to reduce the cost or complexity of participation in the 
        rulemaking by individuals.
    ``(e) Periodic Review of Rules.--
            ``(1) In general.--Each agency shall carry out a periodic 
        review of the rules promulgated by the agency that have a 
        significant privacy impact on individuals, or a privacy impact 
        on a substantial number of individuals. Under such periodic 
        review, the agency shall determine, for each such rule, whether 
        the rule can be amended or rescinded in a manner that minimizes 
        any such impact while remaining in accordance with applicable 
        statutes. For each such determination, the agency shall 
        consider the following factors:
                    ``(A) The continued need for the rule.
                    ``(B) The nature of complaints or comments received 
                from the public concerning the rule.
                    ``(C) The complexity of the rule.
                    ``(D) The extent to which the rule overlaps, 
                duplicates, or conflicts with other Federal rules, and, 
                to the extent feasible, with State and local 
                governmental rules.
                    ``(E) The length of time since the rule was last 
                reviewed under this subsection.
                    ``(F) The degree to which technology, economic 
                conditions, or other factors have changed in the area 
                affected by the rule since the rule was last reviewed 
                under this subsection.
            ``(2) Plan required.--Each agency shall carry out the 
        periodic review required by paragraph (1) in accordance with a 
        plan published by such agency in the Federal Register. Each 
        such plan shall provide for the review under this subsection of 
        each rule promulgated by the agency not later than 10 years 
        after the date on which such rule was published as the final 
        rule and, thereafter, not later than 10 years after the date on 
        which such rule was last reviewed under this subsection. The 
        agency may amend such plan at any time by publishing the 
        revision in the Federal Register.
            ``(3) Annual publication.--Each year, each agency shall 
        publish in the Federal Register a list of the rules to be 
        reviewed by such agency under this subsection during the 
        following year. The list shall include a brief description of 
        each such rule and the need for and legal basis of such rule 
        and shall invite public comment upon the determination to be 
        made under this subsection with respect to such rule.
    ``(f) Judicial Review.--
            ``(1) In general.--For any rule subject to this section, an 
        individual who is adversely affected or aggrieved by final 
        agency action is entitled to judicial review of agency 
        compliance with the requirements of subsections (b) and (c) in 
        accordance with chapter 7. Agency compliance with subsection 
        (d) shall be judicially reviewable in connection with judicial 
        review of subsection (b).
            ``(2) Jurisdiction.--Each court having jurisdiction to 
        review such rule for compliance with section 553, or under any 
        other provision of law, shall have jurisdiction to review any 
        claims of noncompliance with subsections (b) and (c) in 
        accordance with chapter 7. Agency compliance with subsection 
        (d) shall be judicially reviewable in connection with judicial 
        review of subsection (b).
            ``(3) Limitations.--
                    ``(A) An individual may seek such review during the 
                period beginning on the date of final agency action and 
                ending 1 year later, except that where a provision of 
                law requires that an action challenging a final agency 
                action be commenced before the expiration of 1 year, 
                such lesser period shall apply to an action for 
                judicial review under this subsection.
                    ``(B) In the case where an agency delays the 
                issuance of a final privacy impact assessment pursuant 
                to subsection (c), an action for judicial review under 
                this section shall be filed not later than--
                            ``(i) 1 year after the date the assessment 
                        is made available to the public; or
                            ``(ii) where a provision of law requires 
                        that an action challenging a final agency 
                        regulation be commenced before the expiration 
                        of the 1-year period, the number of days 
                        specified in such provision of law that is 
                        after the date the assessment is made available 
                        to the public.
            ``(4) Relief.--In granting any relief in an action under 
        this subsection, the court shall order the agency to take 
        corrective action consistent with this section and chapter 7, 
        and may--
                    ``(A) remand the rule to the agency; and
                    ``(B) defer the enforcement of the rule against 
                individuals, unless the court finds that continued 
                enforcement of the rule is in the public interest.
            ``(5) Rule of construction.--Nothing in this subsection 
        limits the authority of any court to stay the effective date of 
        any rule or provision thereof under any other provision of law 
        or to grant any other relief in addition to the requirements of 
        this subsection.
            ``(6) Record of agency action.--In an action for the 
        judicial review of a rule, the privacy impact assessment for 
        such rule, including an assessment prepared or corrected 
        pursuant to paragraph (4), shall constitute part of the entire 
        record of agency action in connection with such review.
            ``(7) Exclusivity.--Compliance or noncompliance by an 
        agency with the provisions of this section shall be subject to 
        judicial review only in accordance with this subsection.
            ``(8) Savings clause.--Nothing in this subsection bars 
        judicial review of any other impact statement or similar 
        assessment required by any other law if judicial review of such 
        statement or assessment is otherwise permitted by law.
    ``(g) Definition.--For purposes of this section, the term 
`personally identifiable information' means information that can be 
used to identify an individual, including such individual's name, 
address, telephone number, photograph, social security number or other 
identifying information. It includes information about such 
individual's medical or financial condition.''.
    (b) Periodic Review Transition Provisions.--
            (1) Initial plan.--For each agency, the plan required by 
        subsection (e) of section 553a of title 5, United States Code 
        (as added by subsection (a)), shall be published not later than 
        180 days after the date of the enactment of this Act.
            (2) Review period.--In the case of a rule promulgated by an 
        agency before the date of the enactment of this Act, such plan 
        shall provide for the periodic review of such rule before the 
        expiration of the 10-year period beginning on the date of the 
        enactment of this Act. For any such rule, the head of the 
        agency may provide for a 1-year extension of such period if the 
        head of the agency, before the expiration of the period, 
        certifies in a statement published in the Federal Register that 
        reviewing such rule before the expiration of the period is not 
        feasible. The head of the agency may provide for additional 1-
        year extensions of the period pursuant to the preceding 
        sentence, but in no event may the period exceed 15 years.
    (c) Congressional Review.--Section 801(a)(1)(B) of title 5, United 
States Code, is amended--
            (1) by redesignating clauses (iii) and (iv) as clauses (iv) 
        and (v), respectively; and
            (2) by inserting after clause (ii) the following new 
        clause:
            ``(iii) the agency's actions relevant to section 553a;''.
    (d) Clerical Amendment.--The table of sections at the beginning of 
chapter 5 of title 5, United States Code, is amended by adding after 
the item relating to section 553 the following new item:

    ``553a. Privacy impact assessment in rulemaking.''.

  TITLE III--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT TO COMBAT 
     FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF PERSONALLY 
                        IDENTIFIABLE INFORMATION

SEC. 301. GRANTS FOR STATE AND LOCAL LAW ENFORCEMENT.

    (a) In General.--Subject to the availability of amounts provided in 
advance in appropriations Acts, the Assistant Attorney General for the 
Office of Justice Programs of the Department of Justice may award 
grants to States to establish and develop programs to increase and 
enhance enforcement against crimes related to fraudulent, unauthorized, 
or other criminal use of personally identifiable information.
    (b) Application.--To be eligible for a grant under subsection (a), 
a State shall submit an application to the Assistant Attorney General 
for the Office of Justice Programs of the Department of Justice at such 
time, in such manner, and containing such information, including as 
described in subsection (d), as the Assistant Attorney General may 
require.
    (c) Use of Grant Amounts.--A grant awarded to a State under 
subsection (a) shall be used by a State, in conjunction with units of 
local government within that State, State and local courts, other 
States, or combinations thereof, to establish and develop programs to--
            (1) assist State and local law enforcement agencies in 
        enforcing State and local criminal laws relating to crimes 
        involving the fraudulent, unauthorized, or other criminal use 
        of personally identifiable information;
            (2) assist State and local law enforcement agencies in 
        educating the public to prevent and identify crimes involving 
        the fraudulent, unauthorized, or other criminal use of 
        personally identifiable information;
            (3) educate and train State and local law enforcement 
        officers and prosecutors to conduct investigations and forensic 
        analyses of evidence and prosecutions of crimes involving the 
        fraudulent, unauthorized, or other criminal use of personally 
        identifiable information;
            (4) assist State and local law enforcement officers and 
        prosecutors in acquiring computer and other equipment to 
        conduct investigations and forensic analysis of evidence of 
        crimes involving the fraudulent, unauthorized, or other 
        criminal use of personally identifiable information; and
            (5) facilitate and promote the sharing of Federal law 
        enforcement expertise and information about the investigation, 
        analysis, and prosecution of crimes involving the fraudulent, 
        unauthorized, or other criminal use of personally identifiable 
        information with State and local law enforcement officers and 
        prosecutors, including the use of multi-jurisdictional task 
        forces.
    (d) Assurances and Eligibility.--To be eligible to receive a grant 
under subsection (a), a State shall provide assurances to the Attorney 
General that the State--
            (1) has in effect laws that penalize crimes involving the 
        fraudulent, unauthorized, or other criminal use of personally 
        identifiable information, such as penal laws prohibiting--
                    (A) fraudulent schemes executed to obtain 
                personally identifiable information;
                    (B) schemes executed to sell or use fraudulently 
                obtained personally identifiable information; and
                    (C) online sales of personally identifiable 
                information obtained fraudulently or by other illegal 
                means;
            (2) will provide an assessment of the resource needs of the 
        State and units of local government within that State, 
        including criminal justice resources being devoted to the 
        investigation and enforcement of laws related to crimes 
        involving the fraudulent, unauthorized, or other criminal use 
        of personally identifiable information;
            (3) will develop a plan for coordinating the programs 
        funded under this section with other federally funded technical 
        assistance and training programs, including directly funded 
        local programs such as the Local Law Enforcement Block Grant 
        program (described under the heading ``Violent Crime Reduction 
        Programs, State and Local Law Enforcement Assistance'' of the 
        Departments of Commerce, Justice, and State, the Judiciary, and 
        Related Agencies Appropriations Act, 1998 (Public Law 105-
        119)); and
            (4) will submit to the Assistant Attorney General for the 
        Office of Justice Programs of the Department of Justice 
        applicable reports in accordance with subsection (f).
    (e) Matching Funds.--The Federal share of a grant received under 
this section may not exceed 90 percent of the total cost of a program 
or proposal funded under this section unless the Attorney General 
waives, wholly or in part, the requirements of this subsection.
    (f) Reports.--For each year that a State receives a grant under 
subsection (a) for a program, the State shall submit to the Assistant 
Attorney General for the Office of Justice Programs of the Department 
of Justice a report on the results, including the effectiveness, of 
such program during such year.

SEC. 302. AUTHORIZATION OF APPROPRIATIONS.

    (a) In General.--There is authorized to be appropriated to carry 
out this title $25,000,000 for each of fiscal years 2008 through 2010.
    (b) Limitations.--Of the amount made available to carry out this 
title in any fiscal year not more than 3 percent may be used by the 
Attorney General for salaries and administrative expenses.
    (c) Minimum Amount.--Unless all eligible applications submitted by 
a State or units of local government within a State for a grant under 
this title have been funded, the State, together with grantees within 
the State (other than Indian tribes), shall be allocated in each fiscal 
year under this title not less than 0.75 percent of the total amount 
appropriated in the fiscal year for grants pursuant to this title, 
except that the United States Virgin Islands, American Samoa, Guam, and 
the Northern Mariana Islands each shall be allocated 0.25 percent.
    (d) Grants to Indian Tribes.--Notwithstanding any other provision 
of this title, the Attorney General may use amounts made available 
under this title to make grants to Indian tribes for use in accordance 
with this title.

          TITLE IV--NATIONAL WHITE COLLAR CRIME CENTER GRANTS

SEC. 401. AUTHORIZATION AND EXPANSION OF NATIONAL WHITE COLLAR CRIME 
                    CENTER.

    (a) In General.--Title I of the Omnibus Crime Control and Safe 
Streets Act of 1968 (42 U.S.C. 3711 et seq.) is amended--
            (1) by redesignating part X, as added by section 623 of 
        Public Law 109-248, as part JJ; and
            (2) by adding at the end the following new part:

          ``PART KK--NATIONAL WHITE COLLAR CRIME CENTER GRANTS

``SEC. 3021. ESTABLISHMENT OF GRANTS PROGRAM.

    ``(a) Authorization.--The Director of the Bureau of Justice 
Assistance is authorized to make grants and enter into contracts with 
State and local criminal justice agencies and nonprofit organizations 
for the purpose of improving the identification, investigation, and 
prosecution of certain criminal activities.
    ``(b) Certain Criminal Activities Defined.--For purposes of this 
part, the term `certain criminal activity' means a criminal conspiracy 
or activity or a terrorist conspiracy or activity that spans 
jurisdictional boundaries, including the following:
            ``(1) Terrorism.
            ``(2) Economic crime.
            ``(3) High-tech crime, also known as cyber crime or 
        computer crime, including internet-based crime against children 
        and child pornography.
    ``(c) Criminal Justice Agency Defined.--For purposes of this part, 
the term `criminal justice agency', with respect to a State or a unit 
of local government within such State, includes a law enforcement 
agency, a State regulatory body with criminal investigative authority, 
and a State or local prosecution office to the extent that such agency, 
body, or office, respectively, is involved in the prevention, 
investigation, and prosecution of certain criminal activities.

``SEC. 3022. AUTHORIZED PROGRAMS.

    ``Grants and contracts awarded under this part may be made only for 
the following programs, with respect to the prevention, investigation, 
and prosecution of certain criminal activities:
            ``(1) Programs to provide a nationwide support system for 
        State and local criminal justice agencies.
            ``(2) Programs to assist State and local criminal justice 
        agencies to develop, establish, and maintain intelligence-
        focused policing strategies and related information sharing.
            ``(3) Programs to provide training and investigative 
        support services to State and local criminal justice agencies 
        to provide such agencies with skills and resources needed to 
        investigate and prosecute such criminal activities and related 
        criminal activities.
            ``(4) Programs to provide research support, to establish 
        partnerships, and to provide other resources to aid State and 
        local criminal justice agencies to prevent, investigate, and 
        prosecute such criminal activities and related problems.
            ``(5) Programs to provide information and research to the 
        general public to facilitate the prevention of such criminal 
        activities.
            ``(6) Programs to establish National training and research 
        centers regionally, including within Virginia, Texas, and 
        Michigan, to provide training and research services for State 
        and local criminal justice agencies.
            ``(7) Any other programs specified by the Attorney General 
        as furthering the purposes of this part.

``SEC. 3023. APPLICATION.

    ``To be eligible for an award of a grant or contract under this 
part, an entity shall submit to the Director of the Bureau of Justice 
Assistance an application in such form and manner, and containing such 
information, as required by the Director.

``SEC. 3024. RULES AND REGULATIONS.

    ``Not later than 180 days after the date of the enactment of this 
part, the Director of the Bureau of Justice Assistance shall promulgate 
such rules and regulations as are necessary to carry out this part, 
including rules and regulations for submitting and reviewing 
applications under section 3023.''.
    (b) Authorization of Appropriation.--Section 1001(a) of such Act 
(42 U.S.C. 3793) is amended by adding at the end the following new 
paragraph:
            ``(26) There is authorized to be appropriated to carry out 
        part KK--
                    ``(A) $25,000,000 for fiscal year 2008;
                    ``(B) $28,000,000 for fiscal year 2009;
                    ``(C) $31,000,000 for fiscal year 2010;
                    ``(D) $34,000,000 for fiscal year 2011;
                    ``(E) $37,000,000 for fiscal year 2012; and
                    ``(F) $40,000,000 for fiscal year 2013.''.

    Mr. Scott. It is now my pleasure to recognize our new 
Ranking Member of the Subcommittee, the gentleman from Texas, 
Judge Gohmert.
    Mr. Gohmert. Thank you, Chairman Scott. Thank you to the 
witnesses. I stayed until 1:30, when it was apparent we were 
going to be a while, and I ran over to the Capitol, but because 
the hour is so much later, I have an opening statement, but I 
would ask unanimous consent simply to submit it for the record. 
Unless you all want me to read my opening statement, I will. 
But otherwise, we will submit that.
    H.R. 4175 was introduced by Chairman Conyers, Ranking 
Member Smith, Subcommittee Member Scott and then-Ranking Member 
Forbes. A bipartisan proposal, I think, represents a good first 
step in tackling the difficult problem of identity theft and 
cybercrime.
    And so I will look forward to hearing the witnesses and 
working with my colleagues on this important piece of 
legislation.
    And with that, I guess hearing no objection----
    Mr. Scott. Without objection, the statement is entered into 
the record.
    [The prepared statement of Mr. Gohmert follows:]
Prepared Statement of the Honorable Louie Gohmert, a Representative in 
 Congress from the State of Texas, and Ranking Member, Subcommittee on 
                Crime, Terrorism, and Homeland Security

    Mr. Scott. The gentleman from Michigan.
    Mr. Conyers. Thank you. And as the one that is guilty for 
holding you up so long, I won't--I will not give you my 
statement, and I will put it in the record and add that the 
Privacy and Cybercrime Enforcement Act is a strong 
bipartisan measure that I believe will help combat the growing 
threat of identity theft and other cybercrimes. This balanced 
bill protects the privacy rights of consumers, the interest of 
businesses and the legitimate needs of law enforcement.
    And I would like to emphasize that I look forward to the 
passage of a crime law but not at the expense of the 
substantive issues involved, including requiring much needed 
notices for security breaches.
    I am aware of the passage of S. 2168 in the Senate, but our 
bill is more comprehensive, and we need to examine it before 
making hasty decisions that impact consumers for years to come.
    Thank you very much, Mr. Chairman, for your patience and 
forbearance.
    [The prepared statement of Chairman Conyers follows:]

Prepared Statement of the Honorable John Conyers, Jr., a Representative 
in Congress from the State of Michigan, and Chairman, Committee on the 
                               Judiciary

    Mr. Scott. Thank you, Mr. Chairman.
    The gentleman from North Carolina.
    Mr. Coble. In view of the belated hour, I waive my opening 
statement and join you in welcoming our panel.
    Mr. Scott. And without objection, other Members will be 
allowed to include opening statements in the record at this 
point.
    I want to thank the witnesses for your patience. Sometimes 
because of votes and things, the schedule just goes awry, and 
we appreciate your patience in remaining with us.
    We have a distinguished panel of witnesses here today to 
help us consider important issues that are here before us.
    The first witness is Andrew Lourie, who was the acting 
Principal Deputy Assistant Attorney General and chief of staff 
of the Criminal Division at the Department of Justice. He is 
currently serving a detail from the U.S. Attorney's Office from 
the Southern District of Florida where, for the past 5 years, 
he has served as Managing Assistant U.S. Attorney in the West 
Palm Beach office. He served two prior details at the 
Department, both as chief of the Public Integrity Section.
    The next witness is Craig Magaw, a special agent in charge 
of the United States Secret Service. He provides guidance in 
determining the investigative focus of the division which 
provides direction to all Secret Service field offices. He is a 
20-year veteran of the Secret Service, native of Columbus, 
Ohio. He received his Bachelor of Arts degree from the 
University of Maryland and masters degree in the field of 
management from Johns Hopkins.
    Next will be Joel Winston, the associate director of the 
Division of Privacy and Identity Protection at the Federal 
Trade Commission's Bureau of Consumer Protection. That division 
has responsibility over consumer privacy and data security 
issues, identity theft and credit reporting matters. Mr. 
Winston is currently serving on the Federal Government's 
Identity Theft Task Force, which was created by the President 
in March 2006. Mr. Winston received his undergraduate and law 
degrees from the University of Michigan.
    Next will be Jaimee Napp, executive director of the 
Identity Theft Action Council of Nebraska. He founded the 
council in 2006--excuse me, she founded the council in 2006 to 
use her journey as an identity theft victim to help others. The 
council is the first nonprofit organization dedicated solely to 
identity theft issues assisting victims in Nebraska. She 
received her bachelors of journalism from the University of 
Nebraska at Lincoln.
    Next will be Robert Holleyman, president, CEO, of the 
Business Software Alliance. Mr. Holleyman has headed the 
alliance since 1990, overseeing operations in more than 85 
countries. He is widely known for his work on policy related 
issues affecting the technology industry, including 
intellectual property laws, cyber security, international trade 
and electronic commerce. He earned his bachelor of arts degree 
in Political Science at Trinity University in Texas and his 
juris doctorate from Louisiana State University in Baton Rouge.
    Finally, we have Lillie Coney, associate director of the 
Electronic Privacy Information Center in Washington, D.C. She 
serves as the coordinator for the Privacy Coalition. The 
Privacy Coalition has over 40 organizations and affiliates who 
share a commitment to freedom and privacy rights. She has 
testified before the Department of Homeland Security, the 
Department of Homeland Security's Data Privacy and Integrity 
Advisory Committee, on domestic surveillance.
    Now each of our witnesses' written statements will be made 
part of the record and all of those statements in their 
entirety. I would ask each witness to summarize his or her 
testimony in 5 minutes or less. And to help you stay within 
that time, there is a timing device on your table that will 
start green and go to yellow when you have 1 minute left and 
then finally to red when your time has expired.
    We will begin with--and unfortunately, we are expecting a 
vote any minute now so we will go as far as we can, break for a 
vote and then come right back.
    Mr. Lourie.

 TESTIMONY OF ANDREW LOURIE, ACTING PRINCIPAL DEPUTY ASSISTANT 
 ATTORNEY GENERAL AND CHIEF OF STAFF TO THE CRIMINAL DIVISION, 
           U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC

    Mr. Lourie. Thank you. Good afternoon, Chairman Scott, 
Ranking Member Gohmert and Members of the Subcommittee.
    It is a pleasure to appear before you today to testify 
about the Department of Justice's commitment to combatting 
computer crime and identity theft, and about the important 
legislation this Subcommittee is considering to address these 
threats.
    As information technology increasingly pervades every 
aspect of our society, the opportunity for criminals to take 
advantage of it has also increased.
    One result has been the rise of identity theft. The 
Department of Justice is dedicated to aggressively pursuing all 
forms of cybercrime and identity theft. However, shortcomings 
in existing law have, at times, inhibited its ability to do so. 
The Privacy and Cyber Crime Act of 2007 would address several 
of these shortcomings and provide important tools to promote 
law enforcement's efforts.
    The act includes many provisions also recommended in the 
strategic plan released earlier this year by the President's 
Identity Theft Task Force. The Department is pleased to see the 
depth of the common ground that we share in these key issues. 
In particular, the Department applauds the amendments in the 
act that would ensure that victims receive fair restitution for 
the time spent to remediate the harm resulting from identity 
theft offenses.
    Similarly, the Department supports the provisions of the 
act that enhance our ability to prosecute the theft of 
sensitive information from computers, close loopholes in the 
cyber extortion statute and enable us to bring computer crime 
charges against criminal conspiracies and organized criminal 
groups.
    In addition to these many positive aspects, the Department 
would like to provide some suggestions that would strengthen 
the bill.
    First, we strongly encourage the Committee to consider 
amending 18 USC, section 1030(a)(5), to close a loophole and 
appropriately penalize the use of malicious spyware, botnets 
and keyloggers. Current law criminalizes actions that cause 
damage to computers by impairing the integrity or availability 
of data or computer systems. Absent special circumstances, 
however, the conduct must cause loss exceeding $5,000 to 
constitute a Federal crime. Many identity thieves obtain 
personal information by installing malicious software on 
numerous individual computers. Whether or not the programs 
succeed in stealing information, they harm the integrity of the 
computer and data. However, it is often difficult or impossible 
to measure the loss to each computer owner or to prove that the 
many small losses together exceed $5,000.
    Two amendments could remedy this situation. First, Congress 
could amend section 1030(a)(5) to make it a misdemeanor offense 
to damage a protected computer and cause less than $5,000 in 
loss. Whether or not the Committee considers that amendment, we 
strongly recommend adding a provision to the act that would 
make it a Federal felony to damage 10 or more protected 
computers regardless of loss.
    Let me turn now to Section 102 of the bill, the provision 
that requires victims of major security breaches to provide 
notice to law enforcement. The bill defines a major security 
breach as a breach that involves the means of identification 
pertaining to 10,000 or more individuals. This threshold is too 
high. To give the numbers some context, the theft of as few as 
1,000 credit card numbers is, under the current sentencing 
guidelines, presumed to involve a minimum loss of $500,000. We 
therefore recommend that the threshold for major security 
breach be reduced.
    The definition should also be amended to include any breach 
where there may be a threat to national security or risk of 
significant monetary loss without regard to the number of 
records affected.
    I would also like to mention Section 106, which contains a 
useful provision on the forfeiture of the instrumentalities and 
proceeds of cybercrime. We support the addition of a forfeiture 
provision. We suggest, however, that the act explicitly allow 
for both civil and criminal forfeiture and spell out the 
appropriate procedures. Language to accomplish these changes 
and other technical suggestions to improve the forfeiture 
procedures is included with the written testimony I have 
submitted to the Subcommittee.
    In conclusion, the Department would like to emphasize that 
law enforcement can continue to fulfill its role in addressing 
the growing threats of computer crime and identity theft if we 
have the appropriate laws and appropriate resources. The 
Privacy and Cyber Crime Act of 2007 addresses many of those 
needs by closing loopholes in existing cybercrime statutes, 
improving our ability to prosecute criminal groups and 
providing much needed resources. We believe the act will be an 
important tool in the fight against cybercrime.
    Mr. Chairman, this concludes my remarks.
    [The prepared statement of Mr. Lourie follows:]

                  Prepared Statement of Andrew Lourie

    Mr. Scott. Thank you.
    Mr. Magaw.

TESTIMONY OF CRAIG MAGAW, SPECIAL AGENT, CRIMINAL INVESTIGATIVE 
  DIVISION, U.S. SECRET SERVICE, U.S. DEPARTMENT OF HOMELAND 
                    SECURITY, WASHINGTON, DC

    Mr. Magaw. Good afternoon, Chairman Scott and distinguished 
Members of the Subcommittee. I would like to thank you for the 
opportunity to address the Subcommittee on the subject of 
identity crime and the role of the Secret Service in these 
investigations.
    While the Secret Service perhaps is best known for 
protecting our Nation's leaders, we also investigate a wide 
array of financial crimes and work to safeguard our Nation's 
critical financial infrastructure.
    With the passage of legislation in 1984 and 1986, the 
Secret Service was authorized to investigate access device 
fraud, and we were given parallel authority with other law 
enforcement agencies in identity crimes and computer fraud 
cases. Through our financial and electronic crime 
investigations, the Secret Service has developed a particular 
expertise in the area of identity theft, false identification 
fraud, access device fraud, bank fraud and computer fraud.
    In fiscal year 2007, agents of the Secret Service arrested 
over 4,300 suspects for identity theft crimes. These suspects 
were responsible for approximately $690 million in actual fraud 
loss to American consumers and American institutions.
    The Secret Service has observed a marked increase in 
identity theft and cybercrime. Criminals continue to seek new 
methods to compromise victims' personal financial information. 
The recent trend observed by law enforcement is the use of 
computers and the Internet to launch cyber attacks targeting 
citizens and financial institutions.
    Cyber criminals have become proficient at stealing victims' 
personal information through the use of phishing e-mails, 
account takeovers, malicious software, hacking attacks and 
network intrusions resulting in data breach.
    This stolen information is often sold in bulk quantities 
through illicit Web sites on the Internet. Criminal groups 
involved in identity theft and cybercrimes routinely operate in 
a multi-jurisdictional environment. By working closely with 
Federal, State, and local law enforcement representatives, as 
well as international police agencies, we are able to provide a 
comprehensive network of intelligence sharing, resource sharing 
and technical expertise that bridge jurisdictional boundaries. 
This partnership approach to law enforcement is vital to our 
criminal investigative mission.
    The Secret Service has established a national network of 
financial crimes task forces and electronic crime task forces 
in cities across the United States. These task forces leverage 
the combined resources of local, State, and Federal law 
enforcement partners as well as technical experts from the 
academic community and private industry in an organized effort 
to combat threats to our financial payment system and critical 
infrastructure.
    Collaboration between law enforcement and private sector is 
critical to our preventative approach to identity theft and 
cybercrime.
    We also build partnerships with the academic community to 
ensure that law enforcement is on the cutting edge of 
technology by leveraging research and development capabilities 
of teaching institutions and technical colleges. The Secret 
Service appreciates the Subcommittee's work to enhance the 
penalties and broaden investigative jurisdictions associated 
with identity theft and cybercrime.
    H.R. 4175 addresses many of the issues I have discussed 
today concerning these offenses. H.R. 4175 expands the 
definition of cybercrime; requires data brokers to notify 
law enforcement authorities of major security breaches; and 
increases penalties for identity theft and other violations of 
data privacy and security. The Secret Service looks forward to 
working closely with Congress as they address identity crime 
legislation.
    As I have highlighted in my written statement, the Secret 
Service has implemented a number of initiatives pertaining to 
identity crimes. We have dedicated enormous resources to 
increase public awareness, provide training to law enforcement 
partners and improve investigative techniques. We will continue 
to aggressively investigate identity theft offenders to protect 
consumers. The Secret Service is committed to our mission to 
safeguard the Nation's critical and financial infrastructure.
    This concludes my prepared remarks. Thank you again for the 
opportunity to testify on behalf of the Secret Service.
    [The prepared statement of Mr. Magaw follows:]

                   Prepared Statement of Craig Magaw

    Good afternoon, Chairman Scott, Ranking Member Gohmert and 
distinguished members of the subcommittee. I would like to thank you 
for the opportunity to address this subcommittee on the subject of 
identity crime and the role of the U.S. Secret Service in these 
investigations.
    While the Secret Service is perhaps best known for protecting our 
nation's leaders, we also investigate a wide variety of financial 
crimes. In our role of protecting the nation's critical infrastructure 
and financial payment systems, the Secret Service has a long history of 
protecting American consumers and the financial industry from fraud. 
With the passage of legislation in 1984, the Secret Service was 
provided authority for the investigation of access device fraud, 
including credit and debit card fraud, and parallel authority with 
other law enforcement agencies in identity crime cases. In recent 
years, the combination of the information revolution and the effects of 
globalization have caused the investigative mission of the Secret 
Service to evolve.
    Through our work in the areas of financial and electronic crime, 
the Secret Service has developed particular expertise in the 
investigation of identity theft, false identification fraud, credit 
card fraud, debit card fraud, check fraud, bank fraud, cyber crime, and 
computer intrusions. In Fiscal Year 2007, agents assigned to Secret 
Service offices across the United States arrested over 4,300 suspects 
for identity theft crimes. These suspects were responsible for 
approximately $690 million in actual fraud loss to individuals and 
financial institutions.
    These criminals seek the personal identifiers generally required to 
obtain goods and services on credit, such as Social Security numbers, 
names, and dates of birth. Identity crimes also involve the theft or 
misuse of an individual's financial identifiers such as credit card 
numbers, bank account numbers, and personal identification numbers.
    The Secret Service has observed a marked increase in identity theft 
and access device fraud. Criminals continue to seek new methods of 
compromising victims' personal and financial information. In the 1980's 
and 1990's, criminals obtained stolen personal and financial 
information through traditional means such as, theft of mail, theft of 
trash from businesses or victims, home and vehicle burglaries, and 
theft of a victim's wallet or purse. While these low-tech methods of 
theft remain popular, criminal activity has evolved to new methods of 
obtaining large quantities of stolen information.
    The recent trend observed by law enforcement is the use of 
computers and the Internet to launch cyber attacks targeting citizens 
and financial institutions. Cyber criminals have become adept at 
stealing victims' personal information through the use of phishing 
emails, account takeovers, malicious software, hacking attacks, and 
network intrusions resulting in data breaches.
    The Secret Service continues to see a considerable volume of access 
device fraud, usually in the form of criminal exploitation of stolen 
credit card data. Of particular concern are those incidents in which 
large quantities of credit card and related personal data are stolen 
through electronic intrusions into the networked systems of major 
retailers or the systems of credit card processors. A considerable 
portion of this type of electronic theft appears to be attributable to 
organized groups, many of them based abroad, who pursue both the 
intrusions, as well as the subsequent exploitation of the stolen data. 
Stolen credit card data is often trafficked in units that include more 
than just the card number and expiration date. ``Full-info cards'' 
include such additional information as complete name and address 
information of the cardholder, mother's maiden name, date of birth, 
Social Security number, PIN, and other personal information that allows 
additional criminal exploitation of the account. Another marked trend 
observed in 2007, has been the rise in volume of trafficking in card 
track data together with PINs; this data allows a criminal to 
manufacture a fully functional counterfeit card and execute ATM 
withdrawals or other PIN-enabled transactions against the account.
    This stolen information is often sold in bulk quantities on various 
illicit Internet carding portals. These portals, or ``carding 
websites,'' can be likened to online bazaars where the criminal element 
converges to conduct their business. The websites vary in size, from a 
few dozen members, to some of the more popular sites which boast 
memberships of approximately 8,000 users. Within these portals, there 
are separate forums which are moderated by notorious members of the 
carding community. Members can meet online and discuss specific topics 
of interest. Criminal purveyors buy, sell, and trade malicious 
software, spamming services, credit, debit, and ATM card data, personal 
identification data, bank account information, hacking services and 
other contraband.
    In addition to the exploitation of credit and debit card accounts, 
many of the more sophisticated online criminal networks are now 
actively exploiting compromised online financial accounts. Criminals 
who gain access to victim accounts using online systems then execute 
fraudulent electronic banking transfers or sell the information to 
other criminals. The desire to exploit online bank accounts has led to 
the explosive growth of phishing, as well as the recent wave of 
``malware'' or ``crimeware,'' malicious software designed specifically 
to harvest account login information from the computers of infected 
victims. The technical sophistication of the illicit services readily 
available continues to grow. For example, the online fraud networks are 
increasingly leveraging the technical capabilities of ``botnets'' (i.e. 
networks of thousands of infected computers which can be controlled by 
a criminal from a central location) for financial attacks ranging in 
nature from the hosting of phishing and other malicious websites to the 
launching of widespread attacks against the online authentication 
systems of U.S. financial institutions.
    The information revolution of the 1990's has turned our personal 
and financial information into a valuable commodity, whether it is 
being collected and brokered by a legitimate company or stolen by an 
identity thief. This information is no longer only an instrument used 
to facilitate a financial crime; it is now the primary target of 
criminals. Consequently, private citizens as well as corporations and 
financial institutions must take appropriate measures to secure 
sensitive personally identifiable information. This information is 
particularly vulnerable when it is stored on personal computers or 
disclosed over Internet and email connections. Consumers must adhere to 
comprehensive computer security practices.
    Today, hundreds of companies specialize in data mining, data 
warehousing, and information brokerage. This wealth of available 
personal information creates a target-rich environment for today's 
sophisticated criminals. However, businesses can provide a first line 
of defense against identity crime by safeguarding the information they 
collect. Such efforts can significantly limit the opportunities for 
identity crime. Furthermore, the prompt reporting by data brokers of 
major security breaches involving sensitive personally identifiable 
information to the proper authorities would ensure a thorough 
investigation is conducted.
    Globalization has made commerce easy and convenient for 
corporations and consumers. Financial institutions and systems are 
accessible worldwide. Today's cyber criminals have adapted to this new 
means of global trade and exploit our dependence on information 
technology. With the explosion of Internet accessibility world-wide, 
the criminal element has modified their fraudulent schemes to a new, 
more anonymous and constantly evolving cyber arena. Having been the 
target of many of these crimes, the financial sector has some of the 
most sophisticated security and authentication mechanisms and is 
constantly evolving its practices to counter this criminal activity. 
Likewise, the Secret Service has modified its investigative techniques 
to keep pace with emerging technologies.
    Criminal groups involved in identity crimes routinely operate in a 
multi-jurisdictional environment. This creates problems for local law 
enforcement agencies that generally act as the first responders. By 
working closely with other federal, state, and local law enforcement 
representatives, as well as international police agencies, the Secret 
Service is able to provide a comprehensive network of intelligence 
sharing, resource sharing, and technical expertise that bridges 
jurisdictional boundaries. This partnership approach to law enforcement 
is vital to our criminal investigative mission.
    The Secret Service's expertise is enhanced through partnerships and 
identity theft task forces to assist in the national effort to 
safeguard personal and financial information. These partnerships with 
other law enforcement agencies and industry representatives perform a 
crucial role in protecting the financial infrastructure and economic 
stability of the United States by leveraging the technical expertise 
and investigative experience of partner agencies.
    The Secret Service has established unique partnerships with state, 
local, and other federal law enforcement agencies through years of 
collaboration on our investigative and protective endeavors. These 
partnerships enabled the Secret Service to establish a national network 
of Financial Crimes Task Forces (FCTFs) to combine the resources of the 
private sector and other law enforcement agencies in an organized 
effort to combat threats to our financial payment systems and critical 
infrastructures. The Secret Service currently maintains 29 FCTFs 
located in metropolitan regions across the country. While our FCTFs do 
not focus exclusively on identity crime, we recognize that stolen 
identifiers are often a central component of other financial crimes. 
Consequently, our task forces devote considerable time and resources to 
the issue of identity crime.
    The Secret Service has always employed a proactive, rather than 
reactive, approach to combating crime. In 1996, the Secret Service 
established the New York Electronic Crimes Task Force (ECTF) to combine 
the resources of academia, the private sector, and local, state, and 
federal law enforcement agencies to combat computer-based threats to 
our financial payment systems and critical infrastructures. The USA 
PATRIOT Act of 2001, P.L. 107-56, recognized the effectiveness of the 
New York ECTF and mandated that the Secret Service establish a 
nationwide network of ECTFs to prevent, detect, and investigate various 
forms of electronic crimes, including potential terrorist attacks 
against critical infrastructure and financial payment systems.
    ECTFs leverage combined resources in an organized effort to combat 
threats to our financial payment systems and critical infrastructures. 
Partnerships between law enforcement and the private sector are 
critical to the success of the ECTF's ``focus on prevention'' approach. 
Our ECTFs collaborate with private sector technical experts in an 
effort to protect their system networks and critical information by 
encouraging the development of business continuity plans and routine 
risk management assessments of their electronic infrastructure. Greater 
ECTF liaison with the business community provides rapid access to law 
enforcement and vital technical expertise during incidents of malicious 
cyber crimes. The ECTFs also focus on partnerships with academia to 
ensure that law enforcement is on the cutting edge of technology by 
leveraging the research and development capabilities of teaching 
institutions and technical colleges.
    These resources allow ECTFs to identify and address potential cyber 
vulnerabilities before the criminal element exploits them. This 
proactive approach has successfully prevented cyber attacks that 
otherwise would have resulted in large-scale financial losses to U.S. 
based companies or disruptions of critical infrastructures.
    The Secret Service task force models open the lines of 
communication and encourage the unlimited exchange of information 
between federal, state, and local law enforcement. Currently, the 
Secret Service maintains 24 ECTFs in major metropolitan regions across 
the United States.
    Another important goal of the Secret Service is to raise awareness 
of issues related to identity theft and financial crimes, both in the 
law enforcement community and the general public. The Secret Service 
has worked to educate consumers and provide training to law enforcement 
personnel through a variety of programs and initiatives. Agents from 
local field offices routinely provide community outreach seminars and 
public awareness training on the subjects of identity theft and 
computer fraud. Agents often address these topics when speaking to 
school groups, civic organizations, and staff meetings involving 
businesses or financial institutions.
    Additionally, the Secret Service provides recurring identity theft 
training to state and local police departments. This training includes 
formal and informal classes which occur at police roll calls, field 
office sponsored seminars, police academies, and other various 
settings. Currently, the Secret Service provides formal computer 
training to state and local police departments to allow officers to act 
as ``first responders'' in cyber crimes investigations. Officers are 
trained in basic electronic crimes investigations, network intrusion 
investigations, and computer forensics.
    The Secret Service currently participates in a joint effort with 
the Department of Justice, the U.S. Postal Inspection Service, the 
Federal Trade Commission (FTC), the International Association of Chiefs 
of Police (IACP), and the American Association of Motor Vehicle 
Administrators to host identity crime training for law enforcement 
officers. In the last three years, Identity Crime Training Seminars 
have been held in approximately 20 cities nationwide. These training 
seminars are focused on providing local and state law enforcement 
officers with tools and resources that they can immediately put into 
use in their investigations of identity crime.
    The Secret Service has also assigned a special agent to the FTC as 
a liaison to support all aspects of the Commission's program to 
encourage the use of the Identity Theft Data Clearinghouse as a law 
enforcement tool. The FTC has done an excellent job of providing people 
with the information and assistance they need in order to take the 
steps necessary to correct their credit records, as well as undertaking 
a variety of consumer awareness initiatives regarding identity theft.
    Additionally, the Secret Service is committed to providing our law 
enforcement partners with publications and guides to assist them in 
combating identity theft and cyber crime. As criminals increasingly use 
computers and electronic storage devices, these items become important 
pieces of evidence. To ensure proper investigation and successful 
prosecution, officers need specific instructions pertaining to the 
seizure and analysis of electronic evidence. To provide this essential 
knowledge, the Secret Service published the ``Best Practices Guide for 
Seizing Electronic Evidence'' which is designed as a pocket guide for 
the police officers and detectives acting as first responders. This 
guide assists law enforcement officers in recognizing, protecting, 
seizing, and searching electronic devices in accordance with applicable 
statutes and policies. This guide has been updated as appropriate, and 
it is currently issued in its third edition.
    The Secret Service also cooperated with several of our task force 
partners to produce the interactive, computer-based training program 
known as ``Forward Edge.'' Forward Edge is a CD-ROM that provides law 
enforcement and corporate investigative personnel with practical 
training in the recognition and seizure of electronic storage items. 
This year we completed an updated version of this training tool and 
just released ``Forward Edge II.''
    In addition, the Secret Service produced an Identity Crime Video/
CD-ROM which contains over 50 investigative and victim assistance 
resources that local and state law enforcement officers can use when 
combating identity crime. This CD-ROM also contains a short identity 
crime video that can be shown to police officers at their roll call 
meetings which discusses why identity crime is important, what other 
departments are doing to combat identity crime, and what tools and 
resources are available to officers. The Identity Crime CD-ROM is an 
interactive resource guide that was made in collaboration with the U.S. 
Postal Inspection Service, the FTC and the IACP.
    To date, approximately 50,000 Identity Crime CD-ROMs have been 
distributed to law enforcement departments and agencies across the 
United States. We have distributed over 400,000 Best Practices Guides 
and over 50,000 Forward Edge training CD-ROMs to local and federal law 
enforcement officers nationwide.
    In conclusion, I would like to reiterate that identity theft is an 
evolving threat. Law enforcement agencies must be able to adapt to 
emerging technologies and criminal methods. The Secret Service is 
pleased that Congress is considering legislation that recognizes the 
magnitude of these issues and the constantly changing nature of these 
crimes. To effectively fight this crime, our criminal statutes must be 
amended to safeguard sensitive personally identifiable information and 
to afford law enforcement the appropriate resources to investigate data 
breaches.
    The Secret Service appreciates the Subcommittee's work to enhance 
penalties and broaden investigative jurisdictions associated with 
identity theft and cyber crime. H.R. 4175 addresses many of the issues 
I have discussed in this statement concerning these offenses. H.R. 4175 
expands the definition of cyber crime, requires data brokers to notify 
law enforcement authorities of major security breaches, and increases 
penalties for identity theft and other violations of data privacy and 
security. The Secret Service looks forward to working closely with 
Congress as they address identity crime legislation.
    As I have highlighted in my statement, the Secret Service has 
implemented a number of initiatives pertaining to identity crimes. We 
have dedicated enormous resources to increase awareness, educate the 
public, provide training for law enforcement partners, and improve 
investigative techniques. We will continue to aggressively investigate 
identity theft offenders to protect consumers. The Secret Service is 
committed to our mission of safeguarding the nation's critical 
infrastructure and financial payment systems.
    Chairman Scott, Ranking Member Gohmert, this concludes my prepared 
statement. Thank you again for this opportunity to testify on behalf of 
the Secret Service. I will be pleased to answer any questions at this 
time.

    Mr. Scott. Thank you.
    Mr. Winston.

  TESTIMONY OF JOEL WINSTON, ASSOCIATE DIRECTOR, DIVISION OF 
PRIVACY AND IDENTITY PROTECTION, BUREAU OF CONSUMER PROTECTION, 
            FEDERAL TRADE COMMISSION, WASHINGTON, DC

    Mr. Winston. Thank you, Chairman Scott, Ranking Member 
Gohmert and Members of the Subcommittee. I appreciate the 
opportunity to testify today about these critical issues of 
privacy and identity theft.
    As the Federal Trade Commission's recently issued national 
survey shows, identity theft continues to afflict millions of 
Americans every year with losses in the billions of dollars. 
But beyond these real and substantial direct costs, this crime 
harms our economic system by threatening consumer confidence. 
Many polls show that the level of consumer anxiety about 
identity theft is extremely high.
    The FTC plays a lead role in the battle against identity 
theft through its law enforcement efforts; its work on the 
President's task force; its extensive consumer and business 
education; and its assistance to criminal law enforcement 
partners.
    One way to stop identity theft is to keep sensitive 
information out of the hands of thieves by ensuring that 
businesses protect the information they collect. Reports of the 
latest data breaches appear almost daily and continue to shake 
consumer confidence. Of course, not all data breaches lead to 
identity theft, but some do, causing real damage to affected 
consumers.
    The Commission uses its authority under several Federal 
laws to take action against businesses that fail to reasonably 
protect sensitive consumer information. Since 2001, the FTC has 
brought 15 data security cases, including our most recent case 
announced this morning against a mortgage company that threw 
sensitive consumer loan files into publicly accessible 
dumpsters.
    In addition to its enforcement efforts, the Commission has 
played a lead role in the President's Identity Theft Task 
Force. The task force's strategic plan recommended 31 
initiatives to reduce the incidence and impact of identity 
theft. The recommendations focus on, first, prevention, making 
it more difficult for criminals to steal data or to misuse data 
they do manage to steal. Second, victim assistance, helping 
consumers recover from identity theft. And, third, deterrence: 
Strengthening the tools that we have to catch and punish the 
criminals. Most of these 31 recommendations have been or are in 
the process of being implemented.
    With respect to prevention, the FTC has developed and 
distributed highly successful business and consumer guidance on 
data security. Materials include a very popular data security 
guide for businesses, which now comes with an online tutorial. 
And the Commission staff will be holding a series of regional 
data security seminars across the country beginning next year.
    On the consumer side, the Commission launched last year a 
multimedia campaign titled, Deter, Detect, Defend. Here is a 
copy of the package. It includes brochures and training kits. 
And the Commission sponsors a multimedia Web site, OnGuard 
Online, which has information for consumers on basic computer 
security. Since its launch, this Web site has attracted over 
4.3 million visits.
    Despite our best efforts to improve data security, however, 
there is no foolproof way to stop data theft. For that reason, 
it is critical that we do whatever we can to make the data less 
useful for thieves.
    As recommended by the task force, the Commission conducted 
two public workshops this year relating to the issue of 
consumer authentication. By creating better ways to verify 
consumers' identities when they open new accounts or when they 
access existing accounts, we can make it more difficult for 
criminals to use stolen data.
    Regulations recently issued by the FTC and the Federal bank 
regulatory agencies, under the FACT Act, provide another tool 
in the battle to prevent identity theft. These rules require 
all businesses that hold consumer accounts to establish an 
identity theft prevention program.
    With regard to victim assistance, the Commission has 
continued its role as a central repository for identity theft 
information. Between 15,000 and 20,000 consumers contact us 
each week for information on how to guard against identity 
theft, or to obtain help on recovery from it. Consumers who 
contact us receive step-by-step advice. At the same time, the 
information these consumers give us is entered into our 
clearinghouse and is made available to over 1,700 law 
enforcement agencies for use in law enforcement.
    We are also partnering with other agencies to provide 
training for local law enforcement across the country. And we 
have developed and posted a universal police report identity 
theft victims can complete online, print and take to law 
enforcement for verification. With this report, victims have 
access to a number of rights, including the right to place a 7-
year fraud alert on their credit file.
    To summarize, identity theft is one of the most important 
consumer protection issues of our time and must be attacked 
from every angle. The Commission will continue to place a high 
priority on preventing this crime and helping victims to 
recover.
    We look forward to continuing our work with Congress in 
this effort. I would be happy to answer any questions you may 
have.
    [The prepared statement of Mr. Winston follows:]

                   Prepared Statement of Joel Winston


    Mr. Scott. Thank you.
    We have about 10 minutes before we have to be on the floor. 
So we will take your testimony, and then we will come back as 
soon as we can.
    Ms. Napp.

 TESTIMONY OF JAIMEE NAPP, EXECUTIVE DIRECTOR, IDENTITY THEFT 
             ACTION COUNCIL OF NEBRASKA, OMAHA, NE

    Ms. Napp. Thank you, Chairman Scott and Members of the 
Subcommittee.
    Thank you for this opportunity to share my story today and 
for your leadership and interest in this issue.
    My name is Jaimee Napp, and I am the executive director of 
the Identity Theft Action Council of Nebraska, a proud mother 
of a 7-year-old, and I am also an identity theft victim. Today 
I will speak about my own personal experience and offer support 
for the Privacy and Cybercrime Enforcement Act of 2007 but also 
will provide some additional suggestions on what can be done.
    I have regrets in my life, and one of them was taking a 
particular part-time job and handing over my Social Security 
number to my employer.
    In May 2005, my personal information, including my name, 
birth date and Social Security number were stolen and used to 
apply for four credit cards.
    The perpetrator turned out to be a manager at my former 
employer who stole my information from employee records. She 
was arrested in October of 2005 and charged with criminal 
impersonation, a felony, for stealing my identity. She served 5 
months in county jail only because she couldn't make bail, and 
then she was ordered to undergo drug treatment for 
methamphetamine addiction.
    My perpetrator pleaded guilty on the felony charge in 
October of 2007 and was ordered to drug court, which is a 
program for nonviolent offenders with substance abuse problems. 
At drug court graduation in January 2008, a total of four 
felonies will be wiped clean from her criminal record like they 
never existed after only a year and a half of drug treatment.
    I have lost more than a nine-digit number from a piece of 
paper. This number happens to be the key to my financial past, 
present and future, even though no one assigns monetary value 
to a Social Security number.
    When I became a victim of identity theft, I was not 
prepared for the overwhelming feeling of helplessness. And I 
was stunned at how quickly destruction came and how easy it was 
for my perpetrator to open credit cards.
    What I experienced was a deep sense of loss, including the 
sense of who I am, my entire core belief system, friends who 
didn't understand what I was going through and a sense of 
safety.
    The worry and uncertainty caused me to change my physical 
appearance and intensely watch for strange people or cars 
following me.
    In April 2006, the trauma started to affect my personal 
life working for a different employer. Because the original 
theft happened in the workplace, I started to become very 
uncomfortable and wasn't able to function at a normal level 
with my coworkers nor did I feel like I could trust management 
or my employer.
    Shortly thereafter, the stress became too much to hide or 
control. It started showing itself physically through my 
inability to sleep and increased paranoia, cloudy vision and 
forgetfulness. In May 2006, I sought counseling and was 
officially diagnosed with post-traumatic stress disorder. I am 
not a victim of a violent physical crime, but I certainly feel 
like someone who is.
    My reality is that I will never be in total control of how 
and when my Social Security will be used for the rest of my 
life. I must always have my guard up.
    My story does not end with heartache. It ends with hope. I 
had a choice to make. I could either forget, let this crime 
ruin my life, or create change. And the choice was easy.
    I founded a nonprofit organization in 2006 called the 
Identity Theft Action Council of Nebraska, and we educate 
consumers about identity theft and provide victim resources.
    I support tougher penalties and greater victim restitution 
included in this bill but would also like to offer a few 
suggestions.
    Criminal penalties and tools for law enforcement are only 
part of the solution. To more fully address the problem, 
Congress should require mandatory notification when personal 
information is breached and require mandatory data security 
requirements for business and government, and also provide 
consumers with affordable, easy-to-use security freeze rights.
    This is the first time I have spoken publicly about the 
depths of my pain with my crime, and I thank you for this 
opportunity. But my story only represents one person out of the 
millions of Americans who become victims each year.
    I would like to thank you again for this opportunity, and I 
would be happy to answer any questions.
    [The prepared statement of Ms. Napp follows:]

                   Prepared Statement of Jaimee Napp

    Chairman Conyers and members of the Subcommittee, thank you for 
this opportunity to share my story today and for your leadership and 
interest in this important issue. Today I will speak about my own 
personal experience with identity theft, offer support for the Privacy 
and Cybercrime Enforcement Act of 2007 and provide additional 
suggestions on what can be done to prevent identity theft. I hope my 
words will give you a glimpse into what real people--real victims of 
identity theft--are facing today and the depth of their suffering.
    No one actively seeks out opportunities to tell the world about the 
most vulnerable time in his or her life, but I speak today out of 
necessity. It is time for change--for new protections for victims and 
new tools to prevent ID theft--and time for identity theft victims to 
become visible to make that happen.

                        HOW I BECAME VICTIMIZED:

    I have regrets in my life as many people do. One of them was taking 
a part-time job in 2004 and handing over my social security number to 
my employer. It is an experience no one ever dreams could change your 
life in such a drastic way. Unfortunately for my family and me, this 
choice came with consequences for which I will pay for the rest of my 
life. Because of this one innocent exchange of information with my 
employer, I became a victim of identity theft.
    In May 2005 my personal information, including my name, birth date 
and social security number, was stolen and used to apply for four 
credit cards over the Internet. The perpetrator was a manager at my 
former employer who stole my information from employee records. I 
trusted my employer to keep these pieces of information safe and my 
employer had failed me.
    The perpetrator was not working in a position that should have had 
access to employees' personal information. But the file cabinet where 
my information and that of twenty-three other employees was stored was 
not kept locked as corporate security policy stated it should be. My employer 
also failed to complete a background check on the perpetrator, 
something also required by corporate policy. A background check would 
have shown my manager's criminal record contained forgery and theft-by-
deception felony arrests.

    HOW I DISCOVERED THE THEFT AND WHAT HAPPENED TO THE PERPETRATOR:

    I am considered lucky because I was alerted to the crime soon after 
it occurred. One of the credit card companies called me to verify 
information on the application I had submitted. There was just one 
problem. I never submitted an application. After many hours digging for 
clues on my credit reports, I found three other credit cards that had 
been applied for in my name.
    I'm a member of a very small group of identity theft victims who 
have experienced the arrest and prosecution of their perpetrator. My 
perpetrator was arrested in October 2005 and charged with criminal 
impersonation--a felony--for stealing my identity. But the journey from 
investigation, arrest and charges was not an easy road. I had to fight 
every day for seven months for someone to listen to me, pay attention to 
me and to acknowledge me.
    There wasn't a day that I didn't want to give up and let the 
perpetrator win, but something kept me going. I believe the arrest and 
prosecution of my perpetrator only happened because of my sheer 
determination. Most victims give up because the feeling of helplessness 
is overwhelming. Identity theft victims are largely invisible to law 
enforcement and the judicial system. We are seen as victims of property 
crime and many times not seen as victims at all.
    My imposter served five months in county jail before going to court 
and being ordered to undergo drug treatment for Methamphetamine 
addiction. Then for over a year and a half, I waited.
    Finally in October 2007 the plea hearing for the case was held. My 
perpetrator pleaded guilty to felony criminal impersonation for 
stealing my identity and was ordered to drug court. For the past year 
and a half, my perpetrator was participating in the drug court program 
for three additional felony charges.
    In January 2008, my perpetrator will graduate from drug court and 
all four felonies will be wiped clean from her criminal record, like 
they never existed. As I watch this happen, I stand before the court 
invisible.

                      IMPACT ON ME AND MY FAMILY:

    On that day over two years ago I lost more than a nine-digit number 
from a piece of paper. No one assigns monetary value to a social 
security number even though it is the key to my financial past, present 
and future.
    Identity theft feels a lot like having your home being robbed. A 
burglar goes through all your possessions and belongings and takes 
items you cannot replace. But before they leave, they steal the front 
door. Now what? Do you get a new door, change your locks, increase 
security around your home or move if you don't feel safe? As an 
identity theft victim none of these are options. You are helpless. 
Imagine what it would be like to try to sleep at night without a front 
door protecting your family from the night. It's a scary proposition. 
Your choices would be to either stand guard twenty-four hours a day or 
give up. Most identity theft victims give up.
    I consider myself an educated woman and capable of handling a lot 
of what life throws at me. When I became a victim of identity theft, I 
was not prepared for the overwhelming feeling of helplessness. There 
was literally nothing I could do but watch as my strong credit score, 
the result of years of hard work and sacrifice for my family's future 
hopes and dreams, was destroyed in a matter of moments. I am a young 
person and what flashed before my eyes was my dream house which I 
didn't live in yet, trips of a lifetime I dreamed of taking with my 
family and my eventual retirement. I was stunned at how quickly 
destruction came and how easy it was for my perpetrator to execute.
    What I experienced was a deep sense of loss of:

          A sense of who I am

          How I am portrayed to society

          My core belief system

          My internal intuition

          My love of hobbies

          My ability to express feelings and emotion

          Friends who didn't understand what I was going 
        through

          My safety and security

    I had no idea how much information my perpetrator and their friends 
knew about me, but had to assume it was everything contained in my 
initial job application--name, address, social security number, 
education, references, phone numbers, previous work experience, birth 
date and email. The worry and uncertainty caused me to change my 
physical appearance, watch for strange cars around my home, watch for 
people or cars following me. I even went to my local police department 
to request mug shots of my perpetrator's friends so I could identify 
them if I was attacked.
    In April 2006, this trauma started to affect my professional life 
while I was working for a different employer. Because the original 
theft happened at work, I started to become very uncomfortable in the 
workplace. I was not able to function at a normal level with co-workers 
nor could I trust management and my employer.
    Shortly thereafter, the stress became too much to hide or control. 
It started showing itself physically. The symptoms included cloudy vision, 
forgetfulness, increased heart rate, increasing paranoia, agitation, 
and inability to sleep.
    In May 2006, I sought counseling and was officially diagnosed with 
Posttraumatic Stress Disorder--a definition adapted from the DSM-IV 
(American Psychiatric Association) as being exposed to a traumatic 
event, re-experiencing the event, persistently avoiding things or 
events, called triggers, associated with the trauma, persistent 
symptoms of physical arousal, symptoms that last more than a month. 
Because of these symptoms, there is significant impairment and distress 
in social, occupational or other important areas of functioning.
    I understand this may be difficult to comprehend. I fought the 
diagnosis, too. I'm not a soldier returning home from war; I'm not an 
assault victim; and I'm not a battered woman. I'm not a victim of 
violent physical crime, but I feel like someone who is. What I've 
learned is that no one can determine how a crime victim responds to the 
trauma of any type of crime.
    For a year I could not sleep through the night. I was awakened by 
every car door I heard in the street, every gust of wind and every 
sound of the night. I had increasing nightmares and became isolated. I 
numbed emotions and was paralyzed with irrational fear.
    My counselor, in collaboration with another psychologist, 
determined that my trauma triggers and crime scene were associated with 
the workplace. Even though my current work place was different, certain 
elements were constant. I was subjected to my trauma every day, all day, 
and it became clear I needed a break.
    My doctors determined I needed to be removed from the situation in 
order to learn how to cope, grieve for what I have lost, and respond to 
feelings in order to return as a productive worker. Their official 
diagnosis stated I needed three months away from work to complete this 
task. Because this time off could not be arranged with my employer, I 
left the job. Since then I have not been employed full-time by any 
company and my family continues to suffer from my lost wages.
    Identity theft is a cycle of victimization that can last for years. 
I do believe I will be victimized again in my lifetime. There's nothing 
stopping my perpetrator from harming me again. There is no protection 
order I can request from law enforcement that will keep me safe. My 
reality is that I will never be in total control over how or when my 
social security number is used for the rest of my life.
    For me, the damage was increased by the deliberateness of the 
perpetrator, whom I knew from a six-month working relationship and the 
indifference of law enforcement, the judicial system, my former 
employer, my current employer, the credit bureaus, and creditors. To be 
clear, I do not place blame on these entities. They appear uneducated 
about the harms they subject consumers to by either using lax security 
or by simply doing nothing at all. As I note below, more must be done 
to ensure that those who hold our financial futures in their hands are 
held accountable for their failure to meet their responsibilities.

                    HOW I TRANSFORMED MY EXPERIENCE:

    My story does not end with heartache. It ends with hope. Early in 
my journey I asked myself a lot of questions. Why isn't someone helping 
me? Why is this so difficult? Why am I constantly being asked to step 
aside, given no answers or hope? I had a choice to make; either forget, 
let this crime ruin my life or create change. The choice was easy and 
actually felt as though it chose me. As I asked myself those questions, 
I quickly realized I couldn't wait for someone else to do something. I 
had to do it myself.
    I founded a nonprofit organization in 2006 called the Identity 
Theft Action Council of Nebraska. Our mission is to educate about 
identity theft, provide victim resources and help shape legislation 
that empowers consumers. Our goals are to create a national model on 
how to tackle identity theft issues and reduce its impact on victims' 
lives.
    On this journey I have done things I have never imagined possible: 
traveled, met with leaders in the field and seen the difference courage 
to speak out can make. I have spoken to local, state and national media 
about identity theft.
    I have testified before the Nebraska legislature and played an 
integral part in the passage of the first consumer-led identity theft 
legislation in the state that gave consumers the right to place a 
security freeze on their credit files--a tool that prevents creditors 
from checking credit files, thus preventing ID thieves from opening new 
accounts.
    In 2007 our organization has educated over 2,000 Nebraskans about 
identity theft.
    We have built relationships with the Nebraska Attorney General, 
Nebraska AARP, Consumers Union and other community groups. Our 
organization will continue to bring to the table groups and entities 
that can contribute and facilitate discussions across the state on how 
we can best help consumers and victims.

                 WHAT SHOULD BE DONE ABOUT THE PROBLEM:

    First, provide tougher penalties and greater victim restitution.
    The Privacy and Cybercrime Enforcement Act addresses that aspect of 
the problem by enhancing penalties and making it easier for victims to 
receive restitution for out-of-pocket costs and the value of the time 
spent resolving the problems of ID theft. Because one of the long-term 
impacts of ID theft is credit score damage--the cost of which may only 
later be realized--I'd recommend that the Committee make clear that the 
time spent resolving the problems of ID theft includes time spent 
repairing one's credit score--a process that goes beyond just wiping 
errors off one's credit file. In addition, I urge the committee to 
ensure that the actual and potential higher cost of credit to a victim 
of ID theft is explicitly covered as an out of pocket cost for which 
restitution is available.
    But criminal penalties alone cannot solve the problem of ID theft. 
Identity theft has been a federal crime for many years, but those 
penalties didn't deter my perpetrator. Thus, criminal penalties and 
tools for law enforcement are only part of the solution. To more fully 
address the problem, Congress should:

          Require business and government to notify consumers 
        when they are at risk. Congress should require mandatory 
        consumer notification when the security of sensitive personal 
        information held by businesses about their customers and their 
        employees is compromised. We need to know when we are at 
        heightened risk so we can take steps to protect ourselves. But 
        without requirements that we be notified, businesses have every 
        incentive to sweep any security breach incident under the 
        carpet. Tough penalties for failure to notify should also be 
        imposed. Your bill, while not providing for mandatory 
        notification, at least imposes penalties on those who do not 
        meet existing, albeit largely weak, notification requirements 
        under state and federal law.

          Impose duties upon business and government to 
        safeguard our data. Congress should couple mandatory 
        notification with mandatory requirements that private 
        businesses and government agencies adopt new data security 
        procedures and technologies. Doing so creates both strong 
        incentives and real obligations for businesses to protect 
        sensitive information to prevent any breach from occurring in 
        the first place. Tough penalties should be imposed for failure 
        to comply. More than likely, I wouldn't be here before you as a 
        victim of identity theft if my employer had simply locked a 
        file cabinet containing my social security number. Data 
        security can be achieved through both common-sense low-tech and 
        high-tech means, just as identity thieves use both low-tech and 
        high-tech means to perpetrate their crimes.

          Provide consumers with security freeze rights. 
        Congress should also provide consumers with affordable, easy to 
        use security freeze rights. Right now, though the rights exist 
        in many states, the freeze is still expensive and cumbersome 
        (consumers must submit freeze requests via mail and most states 
        don't provide for quick thaw allowing consumers to quickly and 
        securely lift the freeze when they want to access credit). And 
        the voluntary freeze the credit bureaus are making available is 
        too expensive, and it is a tool that they could withdraw at any 
        time. Plus, they have little incentive to promote its 
        availability because, with the freeze in place, it makes their 
        for-profit tools, like credit monitoring, irrelevant. Yet the 
        security freeze is the only tool we have to stop the cycle of 
        victimization of new account theft. It is not a luxury item and 
        shouldn't be priced as one.

                              CONCLUSION:

    Even though I have spoken many times about my victimization over 
the past two years, this is the first time I have spoken about the 
depth of my pain publicly. It was not easy to do. And because ID theft 
is a crime that rarely leaves physical marks, beyond tarnished credit 
records, it is not easy for those who haven't been victims to 
understand how deeply identity theft affects us. So I thank you for 
this opportunity.
    My story represents just one of the approximately ten million 
stories of Americans who were victimized by identity theft in 2005. I 
join a group of roughly fifty million Americans who have become victims 
of this crime since 2003. Each victim has his or her own unique story 
of loss.
    I applaud the committee again for your interest in the issue and 
urge you to move forward with your legislation. But I also urge 
Congress to do more. Congress must adopt tools that prevent these 
crimes from occurring in the first place by imposing new duties on 
those businesses and government agencies that hold the key to our 
identities in their databases and filing cabinets. Congress should go 
beyond criminal penalties and adopt strong protections without 
interfering with existing state laws regarding notice of breach, 
affordable, easy to use security freeze rights for all Americans and 
obligations for all businesses and government entities to protect 
sensitive data.
    Thank you again for this opportunity to testify.

    Mr. Scott. Thank you very much for your very moving 
testimony.
    We will vote. There are three votes pending, and we will be 
back as soon as we can. It will probably be about 15 minutes.
    [Recess.]
    Mr. Scott. The Subcommittee will come to order.
    The gentleman from California has approved starting off 
without the Ranking Member. So if the Ranking Member comes, he 
can blame it on the gentleman from California.
    Thank you.
    Mr. Holleyman.

   TESTIMONY OF ROBERT W. HOLLEYMAN, II, PRESIDENT AND CEO, 
           BUSINESS SOFTWARE ALLIANCE, WASHINGTON, DC

    Mr. Holleyman. Mr. Chairman, Mr. Lungren, Mr. Coble, 
Members of the Subcommittee, I want to thank you for the 
opportunity to testify today. There is an urgent need to update 
our Federal criminal laws. And law enforcement needs new tools 
to find and prosecute cyber criminals.
    Why does the Business Software Alliance care about this 
issue? Several reasons. First, it hurts our member companies' 
businesses. Second, it hurts the development of electronic 
commerce. And third, because it hurts the economy as a whole.
    I want to thank you, Mr. Chairman, for calling this hearing 
and for the leadership you have shown in sponsoring the pending 
legislation, H.R. 4175. I also want to commend Congressmen 
Schiff, Chabot, Mr. Lungren and others for their leadership in 
introducing H.R. 2290 earlier this year.
    Today's hearing could not come at a better time. We are in 
the midst of the holiday season, and Americans will spend 
nearly $30 billion in online shopping activity. They will be 
able to shop at thousands of sites, compare products, services 
and get prices that would have been unavailable just a few 
years ago because of the advances related to geography and 
comparative shopping that are brought about by the Internet.
    At the same time, we know--studies show that many 
individuals are concerned about their safety when doing 
business online, about the risk of criminals who might be 
lurking in cyberspace who want to steal their identity, their 
financial records or more. Unfortunately, these concerns are 
fully justified.
    The reality is that we use our computers at home and the 
office in ways today that were unimaginable the last time there 
were major revisions in the Federal criminal laws. This has led 
to an evolution of cybercrime, and it has changed the type of 
criminals.
    Two big changes have occurred in computing. First is the 
sheer growth of the number of people using computers. The 
second is the fact that computers are now almost always on and 
connected to the Internet. This has given criminals the 
opportunity to create malicious code that can be sent out 
surreptitiously and can compromise thousands or hundreds of 
thousands of computers. This results in the creation of zombie 
computers that the criminal can then remotely control to carry 
out the attacks. The zombies may not themselves suffer monetary 
damage, but they may become an unwitting accomplice in 
attacking other victims of financial crimes or identity theft 
or denial of service.
    We also see that cybercrime today is overwhelmingly fueled 
by profit. Criminals used to write malicious code for the 
bragging rights. Today they do it for the money. And that is a 
change.
    What can Congress do about it? We believe that there is an 
urgent need to update our criminal laws to get law enforcement 
the tools they need to respond to the changing nature of the 
threat and the changing nature of cybercrime. We would suggest 
doing this in five ways.
    First, target botnets in ways that have been identified 
today by criminalizing cyber attacks on 10 or more computers 
even if they don't suffer more than $5,000 worth of damages.
    Two, address new forms of cyber extortion.
    Three, broaden the coverage of cybercrime laws to include 
computers affecting interstate and foreign commerce.
    Fourth, attack organized cybercrime by creating an explicit 
conspiracy to commit cybercrime as an offense.
    And fifth, strengthen penalties by calling for the 
forfeiture of computers and other equipment that are used to 
conduct crime and by adopting tougher sentencing guidelines.
    Fortunately, there is broad congressional, law enforcement 
and industry support for such legislation. There are a number 
of pending bills, including H.R. 2290, that address these 
issues. Last month, the Senate adopted S. 2168, and finally, 
Mr. Chairman, your bill does that with the exception of the 
provision to target botnets, which we hope will be added to any 
final measure.
    Of course H.R. 4175 has many other provisions, including 
data breach notification and privacy. BSA understands the 
seriousness of the problems data breaches represent. We are 
committed to working with this Committee and with the six other 
Committees who have jurisdiction over this legislation in data 
breach to develop a comprehensive Federal legislation. But we 
are very concerned that the inclusion of data breach or privacy 
in cybercrime legislation will delay or prevent enactment.
    In conclusion, we are eager to work with this Committee. We 
believe the time is now, and we encourage moving forward and 
addressing and closing the loopholes that exist under today's 
cybercrime laws.
    Thank you.
    [The prepared statement of Mr. Holleyman follows:]

               Prepared Statement of Robert W. Holleyman

    Mr. Scott. Thank you very much.
    Ms. Coney.

   TESTIMONY OF LILLIE CONEY, ASSOCIATE DIRECTOR, ELECTRONIC 
           PRIVACY INFORMATION CENTER, WASHINGTON, DC

    Ms. Coney. Thank you, Chairman Scott, Ranking Member 
Gohmert and Members of the Subcommittee for this opportunity to 
testify on the bill H.R. 4175, the ``Privacy and Cybercrime 
Enforcement Act of 2007.''
    My name is Lillie Coney. I am associate director at the 
Electronic Privacy Information Center. EPIC is a nonprofit 
research center based here in Washington, D.C. We focus on 
privacy, civil liberties and constitutional values.
    With me this afternoon is Jonathan David, a student at 
Northeastern Law School who assisted with the preparation of 
our statement. Our thanks go to the sponsor of the bill.
    To a great degree, the lack of transparency on data 
breaches, computer system breaches, anomalies and software 
failures inhibits the ability of the government to proactively 
address computer network vulnerabilities and enforce privacy 
laws. The old saying that what you don't know won't hurt you 
has rarely held true, and when it relates to data breaches, it 
is never true.
    According to the Federal Trade Commission, for the seventh 
year in a row, identity theft is the number one concern of 
American consumers. We also know that 260 million Americans 
have had data breaches impact them. The failings of private 
actors to manage the personally identifiable information 
entrusted to their care justify the passage of H.R. 4175.
    Further, a report from the Samuelson Clinic confirms that 
the private sector is willing and able to act in putting in 
place security measures to protect computer networks that house 
personally identifiable information when that data--when data 
breaches require, under statute, notification to consumers.
    We appreciate that this bill will do what the Privacy Act 
should have done: Include private data networks under the 
requirements to protect personally identifiable information. 
This is a key component for privacy protection afforded by fair 
information practices that are outlined in the Privacy Act.
    The provisions of the bill do not preempt State law but 
rather create an important Federal baseline. As we have 
learned, the States can respond more quickly than the Federal 
Government can to emerging privacy challenges, and it is very 
important that the Federal Government not limit the important 
work of the States in this area.
    The bill creates a great start on defining personally 
identifiable information, but more needs to be done.
    We are now seeing a tremendous increase in the collection 
of personal information in the form of biometrics, behavioral 
targeting and associational information, all of which is 
completely unregulated.
    The challenge for the Committee is to create a definition 
that recognizes the ever-evolving risk data collection poses to 
privacy.
    EPIC endorses the bill language that requires technology 
protection measures that render the data elements 
indecipherable. We note that significant data breaches have 
occurred because of poor security practices or circumvention of 
security measures, such as removal of large quantities of data 
records from office locations on personal portable computer 
devices that were subsequently lost or stolen.
    Regarding the promulgation of the final privacy impact 
assessment, electronic records are elusive things. It may be 
very difficult to enforce the intent of the provisions of this 
statute.
    For example, EPIC recently discovered in the midst of our 
involvement in an agency proceeding before the Federal Trade 
Commission regarding the proposed merger of Google and 
DoubleClick that the chair of the FTC's spouse's law firm, 
Jones Day, represents one of the parties to the merger. Upon 
our making a complaint requesting the recusal of the chair from 
participation in the commission's decision-making role on the 
merger request, the electronic document disappeared from the 
Jones Day Web site.
    This phenomenon of disappearing electronic documents 
is not limited to non-government Internet communications. It 
has also been observed by EPIC in the actions taken by Federal 
Government agencies when publishing documents online.
    In closing, I would like to thank the Subcommittee for this 
opportunity to speak on the record regarding the important 
measures set forth in H.R. 4175 and strongly endorse the 
efforts to address the issue of data breaches involving 
personally identifiable information, and the efforts of the 
sponsors of the bill and the Subcommittee to make more 
transparent the rule-making process related to privacy impact 
assessments.
    Thank you.
    [The prepared statement of Ms. Coney follows:]

                   Prepared Statement of Lillie Coney

    Mr. Scott. Thank you very much.
    We will now have questions from the Members, and I will 
recognize myself for 5 minutes at this time.
    Mr. Lourie, Mr. Magaw, the Identity Theft Penalty 
Enhancement Act included $10 million authorized to track down 
identity thieves. What have you done with the money?
    Mr. Lourie. We have been actively pursuing identity theft 
cases around the country, Chairman Scott. In the last--between 
2005 and 2006, identity theft cases alone increased about 22 or 
23 percent from 1,500 and change to 1,900 and change.
    Many of those were under the aggravated identity fraud 
statute. Those numbers increased from 226 in 2005 to 507 in 
2006.
    In addition, there are--the Secret Service and the FBI have 
been establishing task forces all over the country joining 
together with their Federal colleagues as well as local law 
enforcement and State law enforcement to attack identity crime 
at a local level and to ensure that as few of these cases as 
possible slip through the cracks.
    Mr. Scott. So you are putting the $10 million to good use?
    Mr. Lourie. Yes.
    Mr. Scott. Did you run out of money?
    Mr. Lourie. I don't know if we did, but I can get back to 
you.
    Mr. Scott. Well, if you are tracking down cases with the 
money, do you have enough? When one of the bills, the $10 
million came out of, the original bill had $100 million, and we 
were told by the Administration they didn't need any money so 
we just left it $10 million; $10 million we got left. It seems 
to me that this ought to be a high priority, and I think the 
Committee--maybe, I can't speak for the Committee--but I would 
be willing to put some more authority so that you could track 
down more thieves so that people will get the idea that they 
might get caught.
    Have you used up all of the $10 million so we might 
consider increasing the authorization?
    Mr. Lourie. As I sit here today, I can't tell you whether 
or not we have used up all of the $10 million, and I would be 
happy to work with the Committee and get back to you on that.
    Mr. Scott. If you have limited funds, you have to make 
decisions. You have the $5,000 threshold. Anybody stealing less 
than $5,000 is pretty much home free. What would it--how much 
would it take to get cases under $5,000 also on your target 
list?
    Mr. Lourie. Well, I can't tell you how much it would take 
with respect to money, if that is your question, for 
prosecution offices, U.S. Attorneys' Offices around the country 
to lower their thresholds or if the Department would support 
that.
    I can tell you that we have used the money that we have had 
to create these regional task forces to work together closely 
with the State prosecutors' offices and State law enforcement, 
and train them in the investigation and prosecution of these 
types of crimes.
    Mr. Scott. The problem with these cases, they are, in fact, 
labor intensive because there is a lot of work that needs to be 
done. And the information is there, but some of it might 
include, when you find out that somebody with a stolen credit 
card has it delivered to a post office box, you may have to 
have somebody sit out there until they come and pick it up. You 
have to pay for that. That is an hourly rate.
    So that many of these cases can be solved if you just had 
the resources, and so we will work together to find out what 
resources you may need to lower the threshold, so if somebody 
gets the information, they may feel they have--they are at risk 
of actually getting caught.
    Now if a database is breached, is the mere possession of 
the database a crime?
    Mr. Lourie. It depends if it is knowing. If a database is 
breached and somebody extracts the information, then, yes. If 
it is unauthorized extraction, it is a crime.
    Mr. Scott. Is buying a Social Security number from somebody 
a crime before you actually--without using it----
    Mr. Lourie. I don't have the statutes in front of me, but I 
believe under title 42, the Social Security statute, that that 
possession, if it is with intent to commit fraud, would be a 
crime.
    Mr. Scott. But mere possession, if you buy a Social Security 
number and that is all you have got, you don't know what they 
are going to do with it?
    Mr. Lourie. Well, it is fairly easy to prove that somebody 
who buys somebody else's Social Security number intends to 
commit fraud with it.
    But the answer to your question is, yes; if you could not 
prove that element, then you would not be able to satisfy the 
statute.
    Mr. Scott. Is phishing a crime?
    Mr. Lourie. Phishing is a crime if it violates one of the 
statutes set forth in 1030, the elements.
    Mr. Scott. Do we need to make it clear that phishing is in 
fact a crime?
    Mr. Lourie. No, Chairman Scott. I don't think it is 
necessary--it is necessary to change the language of the bill 
the way you have it now to indicate that phishing itself is a 
crime. The language set forth in the bill is adequate to 
capture those types of scams with the suggestions that we have 
set forth here today.
    Mr. Scott. Several people have mentioned whether or not 
just putting a cookie on somebody's computer where you can 
extract information without so-called damaging the computer, is 
that not trespassing or some crime, unauthorized placing of one 
of those cookies in somebody's computer so that you can get 
information? Isn't that some kind of crime?
    Mr. Lourie. Well, what I would like to do is go back and 
get back to the Committee on that question.
    Certainly it sounds like a variation of a botnet the way 
you asked that question. But there are, depending on the way 
you analyzed the statute and the various elements of the 
statute, the intent of the person who puts it there is 
significant.
    Mr. Scott. I have heard the suggestion that it ought to be 
a crime if you do it to 10 computers. Is there any reason why 
if you do it to one computer, why that shouldn't be a crime?
    Mr. Lourie. It may very well be a crime under various State 
statutes. What we are attempting to do is bring more crimes 
within the purview of the Federal statute, not less.
    Mr. Scott. So we will be working together on that.
    The gentleman from Texas.
    Mr. Gohmert. Thank you, Mr. Chairman.
    Appreciate your testimony and appreciate your patience.
    Just so I am clear on the BSA's position, does BSA support 
a new Federal law that would require businesses to report or 
to notify consumers every time a security breach occurs?
    Mr. Holleyman. We support the concept of a comprehensive 
Federal data breach bill that would address the issue of 
businesses notifying consumers when there is a significant or 
major breach that occurs.
    Mr. Gohmert. My question is not whether we should have a 
comprehensive bill that addresses that but whether you support 
actually requiring businesses to notify consumers when the 
breaches occur.
    Mr. Holleyman. We support notification to consumers under a 
properly crafted definition of what a significant breach is 
with other key components. For example, as one of my colleagues 
on the panel spoke of, if information is encrypted or redacted 
or otherwise stored in such a fashion that it is not accessible 
when it is breached, there shouldn't be an obligation to 
notify.
    We also believe that there are a number of other important 
provisions in an overall data security bill. That is simply one 
element of a number of provisions we would like to see.
    Mr. Gohmert. Ms. Napp, we appreciate your coming forward. 
Apparently, we may not even know how many people have actually 
been adversely harmed as you have. And you mentioned that the 
perpetrator against you was going to have their record wiped 
clean after a year and a half of drug treatment apparently.
    So let me ask. I know there have been laws, like in Texas 
where people have become so outraged about driving while 
intoxicated or driving under the influence, depending on what 
your State calls it, or negligent infliction of harm through 
driving while intoxicated, and people became outraged enough 
they said, okay, let us have a law. No more deferred 
adjudication. If you commit this, it ought to be on your record 
for good and you can't come out from under it.
    By bringing that up, are you actually urging the 
possibility, at least in the Federal realm as far as we can, 
end deferred adjudication where it has to be on someone's 
record?
    Ms. Napp. I was referring to my case as it stands and what 
is happening to me.
    Mr. Gohmert. But I am asking. You were adversely affected. 
What do you think?
    Ms. Napp. I personally don't think, you know, something 
like this--I think it has to do with identity theft victims in 
general. A lot of the time in the judicial system, we are not 
seen as victims of a crime a lot of times. And in my case, I 
don't believe that I was seen as a victim when the judge at the 
plea hearing--he felt like a restitution hearing wouldn't be 
needed because, how could I possibly have any type of out-of-
pocket costs, and that comment to me says, I don't see you.
    Mr. Gohmert. Obviously the judge didn't understand the 
crime. But it seems to me that as we contemplate this crime, 
what is a crime, that it brings to mind some of the lessons we 
learned in law school about crimes of moral turpitude, and in 
society, we think those are more serious crimes because they 
involved a mens rea. They involved an intent.
    You brought up intent a lot of times. It seems to me that 
this ought to be one of those crimes that if you break into 
somebody's computer, if you get their private information, then 
regardless of what the intent is, you know, the res ipsa 
loquitur ought to apply; the thing speaks for itself. You have 
the intent and take that intentional aspect out of the proof 
that you have to put on.
    So think about it. It involves lying. It involves fraud. It 
involves theft. In some cases, like when recently a week or so 
ago, it involved burglary to break in and put stuff on a 
computer so you could track what they were doing.
    So I think this hearing is a great thing, and I do think we 
need to make this bill as tough as possible so that America 
understands how serious this crime is.
    I would like to ask. I note, Ms. Napp, you recommended 
requiring mandatory notification when data is breached.
    Let me ask you all. Who among the witnesses has actually 
read this bill that we are here about today? Anybody? Wow. All 
of you.
    Well, I see my red light is on.
    I would like to ask specifically if you could quickly say 
if you have any specific provisions that you would like to see 
changed so we could make note of them and try to improve the 
legislation.
    Mr. Lourie, starting with you. If you have got a long list 
there, I would like to hear the list.
    Mr. Lourie. Thank you, Congressman.
    Our recommendation and request would be to modify Section 
1030(a)(5) regarding damage to computers, as we spoke about 
before, to add language that would make it a felony if the 
conduct affected 10 or more computers, and also to make it a 
misdemeanor for damage under $5,000.
    We would recommend modifications to Section 1028 and 
1028A to define persons to include corporations so that the 
stealing of identity of a corporation often used in phishing 
schemes would also be a crime under 1028.
    We would also add certain crimes to the list that would be 
predicates for the aggravated felony under 1028A, and we 
provided those in our papers.
    We would ask for a modification to 1030(a)(7), which is the 
extortion statute, to enable that statute to reach threats to 
do--to release--for example, to release information that had 
already been stolen.
    The way that the statute is drafted now, it covers threats 
to do damage but not necessarily threats related to damage 
already done.
    So we believe that the statute needs a little bit of 
tweaking there.
    We have some suggestions for the forfeiture section to 
include real property and to change the language in one of the 
prongs from proceeds to gross proceeds.
    And, finally, and perhaps most significantly, we request 
changes or directives to the sentencing commission to focus not 
just on the sentences in general but certain specifics which 
would include defining a victim as not just somebody who 
suffers monetary loss but somebody who suffers an invasion of 
privacy. And that relates to some of the topics that have 
already been discussed in this hearing today. And in any event, 
it is hard to value information stolen.
    Finally, with respect to the sentencing commission, we 
would request that they be directed to look into the 
aggravating factors that are already there or the enhancements 
that are already in the statute, that they be accumulated 
instead of now, applying whether they are the greatest of, is 
the language that is now used.
    We would also suggest an enhancement that the sentencing 
commission look at whether there should be an enhancement for 
disclosure of information stolen, because it is a separate harm 
and in some senses maybe even a more significant harm once 
information is stolen to disclose it, depending on how many 
people it is disclosed to.
    Thank you for that opportunity.
    Mr. Gohmert. We have got five more, and I don't want to 
exceed my time that much. If I could ask the witnesses if you 
could submit in writing any suggestions for changes to the 
legislation, that would be greatly appreciated. And that would 
include all of you, including, Mr. Lourie, if you think of 
anything else. But thank you so much.
    Mr. Scott. The gentleman from North Carolina.
    Mr. Coble. We appreciate you all being here.
    Mr. Holleyman, you responded to Mr. Gohmert's question 
regarding notifying consumers under a properly crafted statute. 
Would you also require--support the requirement that business 
notify law enforcement?
    Mr. Holleyman. Mr. Coble, I appreciate your follow-up 
question on that.
    The answer is yes. We would support the requirement that 
businesses notify law enforcement when there is a breach, and I 
think there is probably great clarity in terms of our support 
for that.
    Again, it is with the caveat that the requirement needs 
to define what a significant breach is. It needs to ensure that 
there is not notification if it is unnecessary, but the 
principle is worthwhile. We would hope that is addressed as 
part of a comprehensive breach bill.
    Mr. Coble. Thank you, sir.
    Mr. Winston, what steps does the FTC take to make sure that 
businesses adequately protect personal information from 
identity thefts?
    Mr. Winston. We go about this in several ways, beginning 
with law enforcement. As I mentioned in my testimony, we have 
brought 15 law enforcement cases now against companies that 
failed to reasonably protect consumer data, in most cases 
leading to a data breach.
    And in addition to law enforcement, we also do a lot of 
consumer and business education and outreach. We have published 
educational materials. We are going to be holding regional 
seminars for businesses so that they understand what their 
obligations are and they understand what the consequences are 
if they don't meet their obligations.
    Mr. Coble. Thank you, sir.
    Are laws, Mr. Winston, requiring protection of personal 
information limited to certain industries or certain sectors, 
such as banking or other financial industries?
    Mr. Winston. Yes, that is correct. There are a number of 
data security laws that apply to different kinds of data or 
different kinds of industries. The financial services industry 
is one; the health care industry is another.
    As part of the Identity Theft Task Force recommendations, 
we have supported a national data security law that would apply 
across the board to any business that maintains personal 
information. We think that there should be one rule.
    Mr. Coble. Thank you, sir.
    Ms. Napp, how can we assist in improving restitution for 
identity theft victims?
    Ms. Napp. Thank you, sir, for that question.
    I think what you are doing with allowing victims to count 
their time is very important. I think this is the first time 
that we have actually seen some of that, because time is so 
much of what we deal with.
    Mr. Coble. Now, fortunately I have never been a victim. How 
does one fairly and, if possible, easily restore one's credit 
record after having been a victim?
    Ms. Napp. That one is--each----
    Mr. Coble. It probably can't be done easily.
    Ms. Napp. In my opinion, it is difficult. There are 
barriers and things. And each person's victimization is 
different, but the journey is not an easy one, I can tell you 
that.
    Mr. Coble. Well, again, thank you all for being here.
    Mr. Chairman, note that I am yielding back before the red 
light illuminates.
    Mr. Scott. That is very kind of you, Mr. Coble.
    The gentleman from California, Mr. Lungren.
    Mr. Lungren. Thank you very much, Mr. Chairman. I didn't 
know whether the Ranking Member needed more time for his 
questions.
    Mr. Scott. That is between you and the Ranking Member.
    Mr. Gohmert. Thank you for yielding.
    Mr. Lungren. Well, it must be a Texas thing.
    Representative of the Justice Department and also the 
gentleman representing the FTC, I am concerned about this whole 
area, particularly, of identity theft. And if we enact 
legislation, I would like to ensure that it actually works.
    And one of the things that strikes me on the bill that we 
have before us is that it acts a little differently than some 
other laws that I am aware of, which is that when the Congress 
preempts State law, it then gives the State AGs the authority 
to assist in the enforcement of Federal statutes.
    This bill as drafted, as I understand it, allows that, but 
does no preemption at all. Is that unusual in law, in your 
experience, or is that something that we see somewhere else?
    Mr. Lourie. Well, with respect to our experience, I would 
be happy to get back to the Committee on other areas where we 
have seen this.
    I will note that in the Task Force's strategic report, 
which is cochaired by the Department, they did recommend that 
type of preemption.
    Mr. Lungren. See, my concern is we are creating a lot of 
criminalization of activity on a Federal level, and yet I 
wonder whether we have the resources to follow through with it 
truly. And, therefore, is this really an attempt to create a 
Federal statute of criminal sanctions, but with the expectation 
that it will truly be enforced by the States instead of the 
Feds? And if we are going to do that, we ought to know about 
that.
    But it seems to me a little different than we've done 
before. And maybe I am wrong. Maybe there are other areas of 
the law. Maybe the gentleman from the FTC can help me on this.
    Mr. Winston. As Mr. Lourie said, the Identity Theft Task 
Force, in some of its recommendations, particularly with regard 
to----
    Mr. Lungren. Look, I understand they may have suggestions. 
I am asking, is this a precedent or is this something that we 
have found in other areas of the law? That is what I am trying 
to figure out.
    Mr. Winston. I think there are a number of laws that 
provide for Federal preemption but allow for State attorney 
general enforcement. The Fair Credit Reporting Act is one. So 
that model is, I think, not uncommon.
    Mr. Lungren. Where we have no preemption here, but still 
extending that.
    Mr. Winston. Well, that I am not sure about. I know there 
are----
    Mr. Lungren. Okay. That is what I am trying to figure out. 
If you can help me in looking at that and submitting that for 
the record.
    Title 2 of the legislation authorizes a civil action with 
civil penalties up to $500,000 or a million dollars if it is 
intentional from any business entity that--it says, ``from any 
business entity that engages in conduct that constitutes a 
violation of Federal law relating to data security.''
    If you have had a chance to look at the bill, do you think 
that limits it to for-profit entities only, or would that be 
not-for-profit as well? And how would you look at it from the 
Justice Department standpoint?
    Mr. Lourie. I am appearing here as a member of the Criminal 
Division, so I did not scrub the civil sections of the bill. 
But we would be happy to review that and get back to you on our 
opinions about whether or not it would cover both those types 
of entities.
    Mr. Lungren. Okay. I am trying to sort of figure out where 
we are here. Because I want a statute that works, but I also 
want one that doesn't just sit on the books and we think it is 
going to work. Or, frankly, if we pass Federal laws that are 
primarily being enforced by Federal authorities, to me that is 
extremely important, but it is more difficult for us to have 
oversight if what we are doing is passing Federal laws that are 
going to be absolutely, if not exclusively--or primarily, if 
not exclusively, prosecuted at the State level. And I wonder if 
there are implications with respect to constitutional authority 
in that.
    The way I read the bill--I would ask you if this seems to 
make sense, because we can certainly change it--it looks like 
it provides an across-the-board maximum penalty of 20 years for 
all violations of Section 1030 of title 18.
    Now, unless I missed something, that could be interpreted 
as meaning that failure to notify breaches would carry a 
harsher penalty for the businesses than for the ID thieves 
themselves. To me, that doesn't sound like a proper priority. 
Would you agree with that, or is that something that you think 
makes sense?
    Mr. Lourie. I believe the way the bill was drafted, it 
provides for a 5-year penalty, maximum penalty, for the failure 
to notify.
    Mr. Lungren. So your answer is, that is what you would 
want, rather than the way I thought it was written.
    I have a lot more questions, but I would like to respect my 
time limits and would yield back.
    Mr. Scott. That is a novel concept on this Subcommittee, 
but thank you.
    The gentleman from Ohio.
    Mr. Chabot. I thank the gentleman for yielding.
    Mr. Holleyman, news reports indicate that crimes committed 
via computers are becoming increasingly prevalent, and I know 
that is what we have been discussing today, with as many as 10 
million computers falling victim to hackers. FBI Director 
Mueller is quoted as saying that, quote, ``Botnets are the 
weapon of choice for cyber criminals,'' unquote.
    How urgent is it that we pass cybercrime legislation? And 
can we afford to wait on cybercrime legislation while we 
address other problems with Internet security?
    Mr. Holleyman. Mr. Chabot, thank you for that question.
    I think that it is imperative and urgent to pass cybercrime 
legislation. I think there is broad agreement in both houses of 
Congress and across the aisle in terms of what loopholes need 
to be closed.
    Your question is correct, the growth in botnets is an 
enormous problem. And that is bringing law-abiding citizens 
unwittingly into a process in which their computers are being 
hijacked and used to perpetrate crimes. It may slow down their 
computer, it may be a nuisance for them, but they don't 
otherwise know what is happening. And we should not insist that 
law enforcement be required to show that there is $5,000 worth 
of damage to take action in that case.
    So we believe the problem is immediate, and is growing. 
There is a solution, and we hope the Congress moves quickly on 
this.
    Mr. Chabot. Thank you.
    And are legislative efforts enough? And what can consumers 
and businesses do to protect themselves to minimize the threat 
of cybercrime?
    Mr. Holleyman. Legislation is a key part, but it is not, by 
itself, the sole solution. There are public awareness 
activities that are under way through the FTC and other 
agencies to build awareness of cybercrime. There are private-
sector efforts to provide checklists to business owners of the 
type of security products they need to deploy and security 
procedures.
    And finally, there are joint partnerships between industry 
and law enforcement. The National Cyber Forensic Training 
Alliance in Pittsburgh is just such an organization. BSA 
supports it, as do many in the industry. They collect data on 
cybercrime, share that information with law enforcement, and 
assist with investigations.
    So it takes a combined effort, of which legislation is only 
one component, but it is an essential component.
    Mr. Chabot. Thank you very much.
    And, Mr. Chairman, as my colleague from North Carolina did, 
I would be happy to yield back my time at this time in the 
interest of the rest of the Committee. I could divide it 
between the gentleman from Texas and the gentleman from 
California here, but I think I will just yield back.
    Mr. Scott. Well, we will see.
    The gentlelady from Texas.
    Ms. Jackson Lee. Thank you very much, Mr. Chairman.
    Let me thank you, Mr. Conyers, and the other cosponsors for 
moving forward on what will continue to grow to be, maybe in 
some eyes, an insurmountable problem as we become more 
technological and the sophistication of the technology that we 
use becomes more finite, certainly, and more broadly utilized.
    It seems that privacy in the midst of innovation is a 
stepchild. And I think that the Congress has a duty to ensure, 
as the ninth amendment instructed us to do, to not forget 
privacy but also the abuse of too much information, identity 
theft and otherwise. With the good comes the bad; with the 
benefit comes the burden.
    And so, Mr. Magaw, as it relates to the potential crime 
that may come about through the misuse of this technology, 
cyber security, my question would be the ability and the need, 
if you will, to ensure coordination between all levels of law 
enforcement, even if you are speaking of, for example, in 
Houston, Texas, what we call layered police work.
    We have, like, a constable that has a jurisdiction, maybe, 
of 750,000 or 800,000. Those are individuals that are closer to 
the constituents. They are the ones who do the eviction work 
and otherwise. But, again, they are right there on the ground. 
And we have sheriffs, we have police officers, of course we 
have the FBI, and of course the U.S. Secret Service, and just a 
number of layers.
    So I would be interested in that.
    I would be interested for Ms. Coney--and welcome--to again 
establish for us how significant a problem is this whole issue 
of the invasion of our privacy. Give us, if you will, the 
broadness of the problem and the depth of the problem, if you 
will.
    And I have another question, but let me yield to Mr. Magaw.
    Mr. Magaw. Thank you very much.
    We partner very well with State and local law enforcement, 
as well as Federal agencies. And we realize the importance of 
sharing information on different cases that we are working.
    Quite frankly, across the country we have 29 different 
financial crimes task forces and 24 electronic crime task 
forces. Those task forces are built on sharing of information, 
not only with law enforcement, but with the private sector, as 
well as the academic community. I feel the sharing of the 
information with Federal, State and local law enforcement 
addresses those concerns that you have.
    Ms. Jackson Lee. And let me just expand a little bit more. 
Are you in constant communication with local law enforcement? 
Maybe I have missed it. Are there task forces that are 
addressing this question?
    Mr. Magaw. Yes. On all of our task forces, financial crimes 
task forces, as well as electronic task forces, State and local 
law enforcement are key partners in those task forces. 
Information is disseminated through them back to their 
department, so that we are coordinating our efforts to address 
identity theft.
    Ms. Jackson Lee. Ms. Coney?
    Ms. Coney. Thank you, Congresswoman Jackson Lee.
    This is probably the most significant part of why data 
breach is even being considered by this Committee. Millions of 
records of individuals are online or available through 
electronic transfer. The question is whether it is the victim's 
responsibility or whether it is the data holder's 
responsibility to manage control of that information.
    You have to remember, victims are in damage-control mode. 
They have no idea that they have been attacked until they get 
notice. When they get notice, they can react. Unfortunately, 
the notice is usually coming because they have gotten some 
communication through the mail or looked at their credit report 
and that is when they know that someone has appropriated their 
identity and literally stolen their names.
    It takes hundreds of hours sometimes just to correct that 
information. And the mental anxiety and the stress that comes 
with that is very difficult for people who have not been 
victimized to even understand.
    Those who are in possession of the data have an obligation, 
a moral obligation--and it should be a legal obligation--to 
inform people when these things occur.
    Now, the jurisdiction of this Committee limits what you can 
do in that regard. You can hold data managers--because the data 
owners are really the people whose information they are 
controlling--make them responsible for reporting to a 
Government agency. That agency, in turn, will report through 
the Federal Register a list of those entities who have had 
their data compromised.
    I think this is a reasonable approach. The numbers of 
victims--216 million Americans have been impacted by loss of 
data. It is appropriate and definitely----
    Ms. Jackson Lee. Is that in this legislation, what you have 
just recommended?
    Ms. Coney. Yes, it is. The part that requires those 
entities that suspect that their data has been compromised must 
report to the Secret Service the compromise. And the Secret 
Service, in turn, once a year, will publish in the Federal 
Register a list of those entities.
    Ms. Jackson Lee. Thank you, Mr. Chairman.
    Let me just comment and highlight Section 102 that provides 
criminal penalties for those who don't provide the notice of 
the security breach.
    And, finally, might I say, what we don't have yet, which we 
expect to have in the next couple of years, is electronic 
reporting of medical records. Once we add that large component 
required to the system, putting all medical facilities and 
physicians online, we have an enhanced opportunity for abuse. 
And so I hope this legislation will move through this Committee 
and move to the floor and have the President's signature.
    I yield back.
    Mr. Scott. Thank you.
    And I want to thank all of our witnesses for their 
testimony.
    Members may have additional questions to ask, and we will 
submit those to you in writing, and we would appreciate it if 
you could respond as soon as possible so the answers can be 
part of the record.
    Without objection, the hearing record will remain open for 
1 week for the submission of additional materials.
    The Chairwoman of the Commercial and Administrative Law 
Subcommittee has offered a statement. She has reminded us that 
some of the parts of the bill come under the jurisdiction of 
her Subcommittee, as well as most of it in this Committee, and 
so she has an interest in this legislation.
    The gentleman from Texas.
    Mr. Gohmert. Thank you, Mr. Chairman.
    I was made aware that there may have been a study that 
actually deals with how often businesses notify consumers of 
breach or loss of data. And is that right, Mr. Lourie?
    Mr. Lourie. It is not a Government study, but there has 
been a study done.
    Mr. Gohmert. Okay. Could you direct us to that and the 
information to follow?
    Mr. Lourie. Yes, I will provide that information.
    [The information referred to is available in the Appendix.]
    Mr. Scott. And does that study indicate how often criminal 
activity takes place after a breach?
    Mr. Lourie. I don't know if it does. The only thing I know 
about this study is that--and, again, this is not a Government 
study, and we cannot say with any degree of certainty whether 
it is accurate. But the only thing I know about the study as I 
sit here--and we will provide it to you--is that they estimate 
that approximately 30 percent of breaches are reported by 
victims.
    Mr. Scott. Thank you.
    Without objection, the Committee stands adjourned.
    [Whereupon, at 4:55 p.m., the Subcommittee was adjourned.]

                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

       Prepared Statement of the Honorable Sheila Jackson Lee, a 
           Representative in Congress from the State of Texas

Prepared Statement of the Honorable Linda T. Sanchez, a Representative 
in Congress from the State of California, and Chairwoman, Subcommittee 
                  on Commercial and Administrative Law

 Prepared Statement of the Honorable Lamar Smith, a Representative in 
Congress from the State of Texas, and Ranking Member, Committee on the 
                               Judiciary
