b"<html>\n<title> - PRIVACY AND CYBERCRIME ENFORCEMENT ACT OF 2007</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n \n             PRIVACY AND CYBERCRIME ENFORCEMENT ACT OF 2007\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                   SUBCOMMITTEE ON CRIME, TERRORISM,\n                         AND HOMELAND SECURITY\n\n                                 OF THE\n\n                       COMMITTEE ON THE JUDICIARY\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                                   ON\n\n                               H.R. 4175\n\n                               __________\n\n                           DECEMBER 18, 2007\n\n                               __________\n\n                           Serial No. 110-128\n\n                               __________\n\n         Printed for the use of the Committee on the Judiciary\n\n\n      Available via the World Wide Web: http://judiciary.house.gov\n\n\n                     U.S. GOVERNMENT PRINTING OFFICE\n39-708 PDF                 WASHINGTON DC:  2008\n---------------------------------------------------------------------\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001\n\n                       COMMITTEE ON THE JUDICIARY\n\n                 JOHN CONYERS, Jr., Michigan, Chairman\nHOWARD L. BERMAN, California         LAMAR SMITH, Texas\nRICK BOUCHER, Virginia               F. JAMES SENSENBRENNER, Jr., \nJERROLD NADLER, New York                 Wisconsin\nROBERT C. 
``BOBBY'' SCOTT, Virginia  HOWARD COBLE, North Carolina\nMELVIN L. WATT, North Carolina       ELTON GALLEGLY, California\nZOE LOFGREN, California              BOB GOODLATTE, Virginia\nSHEILA JACKSON LEE, Texas            STEVE CHABOT, Ohio\nMAXINE WATERS, California            DANIEL E. LUNGREN, California\nWILLIAM D. DELAHUNT, Massachusetts   CHRIS CANNON, Utah\nROBERT WEXLER, Florida               RIC KELLER, Florida\nLINDA T. SANCHEZ, California         DARRELL ISSA, California\nSTEVE COHEN, Tennessee               MIKE PENCE, Indiana\nHANK JOHNSON, Georgia                J. RANDY FORBES, Virginia\nBETTY SUTTON, Ohio                   STEVE KING, Iowa\nLUIS V. GUTIERREZ, Illinois          TOM FEENEY, Florida\nBRAD SHERMAN, California             TRENT FRANKS, Arizona\nTAMMY BALDWIN, Wisconsin             LOUIE GOHMERT, Texas\nANTHONY D. WEINER, New York          JIM JORDAN, Ohio\nADAM B. SCHIFF, California\nARTUR DAVIS, Alabama\nDEBBIE WASSERMAN SCHULTZ, Florida\nKEITH ELLISON, Minnesota\n\n            Perry Apelbaum, Staff Director and Chief Counsel\n                 Joseph Gibson, Minority Chief Counsel\n                                 ------                                \n\n        Subcommittee on Crime, Terrorism, and Homeland Security\n\n             ROBERT C. ``BOBBY'' SCOTT, Virginia, Chairman\n\nMAXINE WATERS, California            LOUIE GOHMERT, Texas\nWILLIAM D. DELAHUNT, Massachusetts   J. RANDY FORBES, Virginia\nJERROLD NADLER, New York             F. JAMES SENSENBRENNER, Jr., \nHANK JOHNSON, Georgia                Wisconsin\nANTHONY D. WEINER, New York          HOWARD COBLE, North Carolina\nSHEILA JACKSON LEE, Texas            STEVE CHABOT, Ohio\nARTUR DAVIS, Alabama                 DANIEL E. 
LUNGREN, California\nTAMMY BALDWIN, Wisconsin\nBETTY SUTTON, Ohio\n\n                      Bobby Vassar, Chief Counsel\n\n                    Michael Volkov, Minority Counsel\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                           DECEMBER 18, 2007\n\n                            TEXT OF THE BILL\n\nH.R. 4175, the ``Privacy and Cybercrime Enforcement Act of 2007''\n\n                           OPENING STATEMENT\n\nThe Honorable Robert C. ``Bobby'' Scott, a Representative in \n  Congress from the State of Virginia, and Chairman, Subcommittee \n  on Crime, Terrorism, and Homeland Security\nThe Honorable Louie Gohmert, a Representative in Congress from \n  the State of Texas, and Ranking Member, Subcommittee on Crime, \n  Terrorism, and Homeland Security\n\n                               WITNESSES\n\nMr. Andrew Lourie, acting Principal Deputy Assistant Attorney \n  General and Chief of Staff to the Criminal Division, U.S. \n  Department of Justice, Washington, DC\n  Oral Testimony\n  Prepared Statement\nMr. Craig Magaw, Special Agent, Criminal Investigative Division, \n  U.S. Secret Service, U.S. Department of Homeland Security, \n  Washington, DC\n  Oral Testimony\n  Prepared Statement\nMr. Joel Winston, Associate Director, Division of Privacy and \n  Identity Protection, Bureau of Consumer Protection, Federal \n  Trade Commission, Washington, DC\n  Oral Testimony\n  Prepared Statement\nMs. 
Jaimee Napp, Executive Director, Identity Theft Action \n  Council of Nebraska, OMAHA, NE\n  Oral Testimony\n  Prepared Statement\nMr. Robert W. Holleyman, II, President and CEO, Business Software \n  Alliance, Washington, DC\n  Oral Testimony\n  Prepared Statement\nMs. Lillie Coney, Associate Director, Electronic Privacy \n  Information Center, Washington, DC\n  Oral Testimony\n  Prepared Statement\n\n          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING\n\nPrepared Statement of the Honorable Louie Gohmert, a \n  Representative in Congress from the State of Texas, and Ranking \n  Member, Subcommittee on Crime, Terrorism, and Homeland Security\nPrepared Statement of the Honorable John Conyers, Jr., a \n  Representative in Congress from the State of Michigan, and \n  Chairman, Committee on the Judiciary\n\n                                APPENDIX\n\nMaterial Submitted for the Hearing Record\n\n\n             PRIVACY AND CYBERCRIME ENFORCEMENT ACT OF 2007\n\n                              ----------                              \n\n\n                       TUESDAY, DECEMBER 18, 2007\n\n              House of Representatives,    \n              Subcommittee on Crime, Terrorism,    \n                              and Homeland Security\n                                Committee on the Judiciary,\n                                                    Washington, DC.\n\n    The Subcommittee met, pursuant to notice, at 3 p.m., in \nroom 2141, Rayburn House Office Building, the Honorable Robert \nC. 
``Bobby'' Scott (Chairman of the Subcommittee) presiding.\n    Present: Representatives Scott, Jackson Lee, Gohmert, \nCoble, Chabot, Lungren and Conyers (ex officio).\n    Staff Present: Bobby Vassar, Subcommittee Chief Counsel; \nAmeer Gopalani, Majority Counsel; Michael Volkov, Minority \nCounsel; and Veronica Eligan, Majority Professional Staff \nMember.\n    Mr. Scott. I am pleased to welcome you to the hearing of \nthe Subcommittee on Crime, Terrorism, and Homeland Security on \nH.R. 4175, the ``Privacy and Cybercrime Enforcement Act of \n2007.''\n    I would like to thank the Chairman of the full Committee, \nMr. Conyers, for introducing the bill with bipartisan support. \nThe bill was introduced at the time by the Chairman and Ranking \nMember of the Committee and the Subcommittee, and I am pleased \nto have been working with Mr. Conyers in drafting it to provide \neffective tools for Federal prosecutors and State and local law \nenforcement agencies to combat identity theft and other \ncybercrimes.\n    The Act takes several important steps to protect American \nconsumers from the dangers of identity theft. First, our bill \nprovides for the victims of identity theft, provides them with \nthe ability to seek restitution in Federal court for the loss \nof time and money spent restoring their credit. Under current \nlaw, restitution to the victims is only available to recover \nthe direct financial cost of identity theft offenses, such as \nrecovering funds from unauthorized credit card charges.\n    But many identity theft victims incur other indirect costs, \nsuch as loss of wages due to time taken off from work to \nresolve credit disputes. 
Our bill amends the present law to \nmake it clear that restitution orders may include an amount \nequal to the value of the victim's time spent addressing the \nactual or intended harm of the identity theft.\n    Second, the bill addresses urgent needs for agencies and \ncompanies to provide appropriate notification when they \nexperience major breaches. The problem of data breaches remains \na persistent and dangerous threat to Americans' privacy. For \nexample, in 2006, there was a disclosure that a company had \nsuffered a major computer breach involving up to 45 million \ncredit and debit card records. While the company knew about the \nbreach, none of its customers were told about it until a month \nlater. And we are all aware of the identity theft from 26 \nmillion of our veterans and active duty personnel from the \nDepartment of Veterans' Affairs last year.\n    Although up to 39 States have laws pertaining to data \nbreaches, there is no Federal standard or regulation to provide \nnotice. Our bill would require rapid notice of breaches to the \nFBI and Secret Service, and this notice is critical to the \nsuccessful investigation and prosecution of any criminal \nactivity associated with the breach. The FBI and Secret Service \nwould then publish the list of reported breaches in the Federal \nRegister so the public would be aware of where and to what \nextent major data breaches are occurring.\n    Finally, the bill makes it a crime punishable by up to 5 \nyears in prison for knowingly failing to report major breaches \nto the appropriate authorities.\n    Lastly, this bill provides much needed tools to Federal and \nState law enforcement agents. 
The bill adds Section 1030 to the \nComputer Fraud and Abuse Act to the RICO statute which will \nprovide the Department of Justice with a much-needed tool to \ninvestigate and prosecute organized crime syndicates which use \nsophisticated cyber schemes to commit criminal acts.\n    The bill also authorizes $25 million for each of the fiscal \nyears from 2008 to 2010 to establish State grant programs with \nenforcement of cybercrimes. State and local law enforcement \nresources need to be strengthened to attack the low lying \nidentity theft that Federal prosecutors fail to go after.\n    We heard the last Congress had a Subcommittee hearing about \nthe incident involving Senator Domenici where some $800 in \nmerchandise was charged to a stolen credit card. We found that \nthe crime was not being prosecuted.\n    So thieves are left with the knowledge that if they don't \nsteal too much, they can do so with impunity. The credit card \ncompany will cancel the debt, write off the loss, and there \nwill be no criminal investigation, and so the thieves can keep \nthe bounty of their crimes without worrying about prosecution.\n    I believe that the Secret Service working in partnership \nwith State law enforcement could quickly reverse this \nexpectation that thieves have in this front. H.R. 4175 is a \ncomprehensive bill. It not only deals with the need to provide \nlaw enforcement notice to law enforcement when innocent \nconsumers have their data briefed, it also deals with the \nunderlying problems of lack of accountability to deter crimes \nfrom occurring in the first place.\n    Our privacy in cybercrimes lag behind both capabilities of \nour technology and the sophistication of identity thieves, and \nthis legislation will close that gap.\n    [The text of the bill, H.R. 
4175, follows:]\n\nHR 4175 IH  ___________________________________________________\n\n                                                                      I\n110th CONGRESS\n    1st Session\n\n                                H. R. 4175\n\nTo amend title 18, United States Code, with respect to data privacy and \n    security, and for other purposes.\n                               __________\n\n                    IN THE HOUSE OF REPRESENTATIVES\n                           November 14, 2007\nMr. Conyers (for himself, Mr. Smith of Texas, Mr. Scott of Virginia, \n    Mr. Forbes, Ms. Linda T. Sanchez of California, Mr. Davis of \n    Alabama, and Ms. Jackson-Lee of Texas) introduced the following \n    bill; which was referred to the Committee on the Judiciary\n                               __________\n\n                                 A BILL\n\nTo amend title 18, United States Code, with respect to data privacy and \n    security, and for other purposes.\n\n    Be it enacted by the Senate and House of Representatives of the \nUnited States of America in Congress assembled,\n\nSECTION 1. SHORT TITLE.\n\n    (a) Short Title.--This Act may be cited as the ``Privacy and \nCybercrime Enforcement Act of 2007''.\n    (b) Table of Contents.--The title of contents for this Act is as \nfollows:\n\n    Sec. 1. Short title.\n\n TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS \n                      OF DATA PRIVACY AND SECURITY\n\n    Sec. 101. Organized criminal activity.\n    Sec. 102. Failure to provide notice of security breaches involving \nsensitive personally identifiable information.\n    Sec. 103. Use of full interstate and foreign commerce power for \ncriminal penalties.\n    Sec. 104. Cyber-extortion.\n    Sec. 105. Conspiracy to commit cyber-crimes.\n    Sec. 106. Penalties for section 1030 violations.\n    Sec. 107. Additional funding for resources to investigate and \nprosecute criminal activity involving computers.\n    Sec. 108. 
Criminal restitution.\n    Sec. 109. Review and amendment of Federal sentencing guidelines \nrelated to fraudulent access to or misuse of digitized or electronic \npersonally identifiable information.\n\n     TITLE II--NON-CRIMINAL PRIVACY ENFORCEMENT AND PRIVACY IMPACT \n                               STATEMENTS\n\n    Sec. 201. Enforcement by Attorney General and State authorities.\n    Sec. 202. Coordination of State and Federal efforts.\n    Sec. 203. Requirement that agency rulemaking take into \nconsideration impacts on individual privacy.\n\n  TITLE III--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT TO COMBAT \n     FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF PERSONALLY \n                        IDENTIFIABLE INFORMATION\n\n    Sec. 301. Grants for State and local law enforcement.\n    Sec. 302. Authorization of appropriations.\n\n          TITLE IV--NATIONAL WHITE COLLAR CRIME CENTER GRANTS\n\n    Sec. 401. Authorization and Expansion of National White Collar \nCrime Center.\n\n TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS \n                      OF DATA PRIVACY AND SECURITY\n\nSEC. 101. ORGANIZED CRIMINAL ACTIVITY.\n\n    Section 1961(1) of title 18, United States Code, is amended by \ninserting ``section 1030 (relating to certain frauds and related \nactivities in connection with computers)''.\n\nSEC. 102. FAILURE TO PROVIDE NOTICE OF SECURITY BREACHES INVOLVING \n                    SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.\n\n    (a) In General.--Chapter 47 of title 18, United States Code, is \namended by adding at the end the following:\n\n``Sec. 1040. 
Failure to provide notice of security breaches involving \n                    sensitive personally identifiable information\n\n    ``(a) Whoever, having a covered obligation to provide notice of a \nsecurity breach involving sensitive personally identifiable \ninformation, knowingly fails to do so, shall be fined under this title \nor imprisoned not more than 5 years, or both.\n    ``(b) As used in this section--\n            ``(1) the term `covered obligation', with respect to \n        providing notice of a security breach, means an obligation \n        under Federal law or, if the breach is in or affects interstate \n        or foreign commerce, under State law;\n            ``(2) the term `sensitive personally identifiable \n        information' means any electronic or digital information that \n        includes--\n                    ``(A) an individual's first and last name, or first \n                initial and last name, or address or phone number in \n                combination with any 1 of the following data elements \n                where the data elements are not protected by a \n                technology protection measure that renders the data \n                element indecipherable--\n                            ``(i) a nontruncated social security \n                        number, driver's license number, state resident \n                        identification number, passport number, or \n                        alien registration number;\n                            ``(ii) both of the following--\n                                    ``(I) mother's maiden name, if \n                                identified as such; and\n                                    ``(II) month, day, and year of \n                                birth; and\n                            ``(iii) unique biometric data such as a \n                        finger print, voice print, a retina or iris \n                        image; or\n                    ``(B) a financial 
account number or credit or debit \n                card number in combination with any security code, \n                access code or password that is required for an \n                individual to obtain credit, withdraw funds, or engage \n                in a financial transaction by means of such number;\n            ``(3) the term `security breach' means a compromise of the \n        security, confidentiality, or integrity of computerized data \n        that there is reason to believe has resulted in improper access \n        to sensitive personally identifiable information; and\n            ``(4) the term `improper access' means access without \n        authorization or in excess of authorization.''.\n    (b) Clerical Amendment.--The table of sections at the beginning of \nchapter 47 of title 18, United States Code, is amended by adding at the \nend the following:\n\n    ``1040. Concealment of security breaches involving personally \nidentifiable information.''.\n    (c) Obligation To Report.--\n            (1) In general.--A person who owns or possesses data in \n        electronic form containing a means of identification and has \n        knowledge of a major security breach of the system containing \n        such data maintained by such person, must provide prompt notice \n        of such breach to the United States Secret Service or Federal \n        Bureau of Investigation.\n            (2) Publication of list of notifications.--The Secret \n        Service and the Federal Bureau of Investigation shall annually \n        publish in the Federal Register a list of all notifications \n        submitted the previous calendar year and the identity of each \n        entity with respect to which the major security breach \n        occurred.\n            (3) Definition.--In this subsection--\n                    (A) the term ``major security breach'' means any \n                security breach involving--\n                            (i) means of 
identification pertaining to \n                        10,000 or more individuals is, or is reasonably \n                        believed to have been acquired;\n                            (ii) databases owned by the Federal \n                        Government; or\n                            (iii) means of identification of Federal \n                        Government employees or contractors involved in \n                        national security matters or law enforcement; \n                        and\n                    (B) the term ``means of identification'' has the \n                meaning given that term in section 1028 of title 18, \n                United States Code.\n\nSEC. 103. USE OF FULL INTERSTATE AND FOREIGN COMMERCE POWER FOR \n                    CRIMINAL PENALTIES.\n\n    (a) Broadening of Scope.--Section 1030(e)(2)(B) of title 18, United \nStates Code, is amended by inserting ``or affecting'' after ``which is \nused in''.\n    (b) Elimination of Requirement of an Interstate or Foreign \nCommunication for Certain Offenses Involving Protected Computers.--\nSection 1030(a)(2)(C) of title 18, United States Code, is amended by \nstriking ``if the conduct involved an interstate or foreign \ncommunication''.\n\nSEC. 104. CYBER-EXTORTION.\n\n    Section 1030(a)(7) of title 18, United States Code, is amended by \ninserting ``, or to access without authorization or exceed authorized \naccess to a protected computer'' after ``cause damage to a protected \ncomputer''.\n\nSEC. 105. CONSPIRACY TO COMMIT CYBER-CRIMES.\n\n    Section 1030(b) of title 18, United States Code, is amended by \ninserting ``or conspires'' after ``attempts''.\n\nSEC. 106. 
PENALTIES FOR SECTION 1030 VIOLATIONS.\n\n    Subsection (c) of section 1030 of title 18, United States Code, is \namended to read as follows:\n    ``(c)(1) The punishment for an offense under subsection (a) or (b) \nis a fine under this title or imprisonment for not more than 20 years, \nor both, but if the offender in the course of a violation of subsection \n(a)(5)(A)(i) knowingly or recklessly causes or attempts to cause death, \nsuch offender shall be fined under this title or imprisoned for any \nterm of years or for life, or both.\n    ``(2) The court, in imposing sentence for an offense under \nsubsection (a) or (b), may, in addition to any other sentence imposed \nand irrespective of any provision of State law, order that the person \nforfeit to the United States--\n            ``(A) the person's interest in any personal property that \n        was used or intended to be used to commit or to facilitate the \n        commission of the offense; and\n            ``(B) any property, real or personal, constituting or \n        derived from, any proceeds the person obtained, directly or \n        indirectly, as a result of the offense.''.\n\nSEC. 107. 
ADDITIONAL FUNDING FOR RESOURCES TO INVESTIGATE AND PROSECUTE \n                    CRIMINAL ACTIVITY INVOLVING COMPUTERS.\n\n    (a) Additional Funding for Resources.--\n            (1) Authorization.--In addition to amounts otherwise \n        authorized for resources to investigate and prosecute criminal \n        activity involving computers, there are authorized to be \n        appropriated for each of the fiscal years 2008 through 2012--\n                    (A) $10,000,000 to the Director of the United \n                States Secret Service;\n                    (B) $10,000,000 to the Attorney General for the \n                Criminal Division of the Department of Justice; and\n                    (C) $10,000,000 to the Director of the Federal \n                Bureau of Investigation.\n            (2) Availability.--Any amounts appropriated under paragraph \n        (1) shall remain available until expended.\n    (b) Use of Additional Funding.--Funds made available under \nsubsection (a) shall be used by the Director of the United States \nSecret Service, the Director of the Federal Bureau of Investigation, \nand the Attorney General, for the United States Secret Service, the \nFederal Bureau of Investigation, and the criminal division of the \nDepartment of Justice, respectively, to--\n            (1) hire and train law enforcement officers to--\n                    (A) investigate crimes committed through the use of \n                computers and other information technology, including \n                through the use of the Internet; and\n                    (B) assist in the prosecution of such crimes; and\n            (2) procure advanced tools of forensic science to \n        investigate, prosecute, and study such crimes.\n\nSEC. 108. 
CRIMINAL RESTITUTION.\n\n    Section 3663(b) of title 18, United States Code, is amended--\n            (1) by striking ``and'' at the end of paragraph (4);\n            (2) by striking the period at the end of paragraph (5) and \n        inserting ``; and'' and\n            (3) by adding at the end the following:\n            ``(6) in the case of an offense under section 1028(a)(7), \n        1028A(a), or 1030(a)(2), pay an amount equal to the value of \n        the victim's time reasonably spent to remediate actual harm \n        resulting from the offense.''.\n\nSEC. 109. REVIEW AND AMENDMENT OF FEDERAL SENTENCING GUIDELINES RELATED \n                    TO FRAUDULENT ACCESS TO OR MISUSE OF DIGITIZED OR \n                    ELECTRONIC PERSONALLY IDENTIFIABLE INFORMATION.\n\n    The United States Sentencing Commission, pursuant to its authority \nunder section 994 of title 28, United States Code, and in accordance \nwith this section, shall review and, if appropriate, amend the Federal \nsentencing guidelines (including its policy statements) applicable to \npersons convicted of using fraud to access, or misuse of, digitized or \nelectronic personally identifiable information, including identity \ntheft or any offense under--\n            (1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of \n        title 18, United States Code; and\n            (2) any other relevant provision.\n\n     TITLE II--NON-CRIMINAL PRIVACY ENFORCEMENT AND PRIVACY IMPACT \n                               STATEMENTS\n\nSEC. 201. 
ENFORCEMENT BY ATTORNEY GENERAL AND STATE AUTHORITIES.\n\n    (a) Definition of ``Authorized Entity''.--As used in this section, \nthe term ``authorized entity'' means the Attorney General, with respect \nto any conduct constituting a violation of a Federal law enacted after \nthe date of the enactment of this Act relating to data security and \nengaged in by a business entity, and a State Attorney General with \nrespect to that conduct to the extent the conduct adversely affects an \ninterest of the residents of a State.\n    (b) Civil Penalty.--\n            (1) Generally.--An authorized entity may in a civil action \n        obtain a civil penalty of not more than $500,000 from any \n        business entity that engages in conduct constituting a \n        violation of a Federal law enacted after the date of the \n        enactment of this Act relating to data security.\n            (2) Special rule for intentional violation.--If the \n        violation described in subsection (a) is intentional, the \n        maximum civil penalty is $1,000,000.\n    (c) Injunctive Relief.--An authorized entity may, in a civil action \nagainst a business entity that has engaged, or is engaged, in any \nconduct constituting a violation of a Federal law enacted after the \ndate of the enactment of this Act relating data security, obtain an \norder--\n            (1) enjoining such act or practice; or\n            (2) enforcing compliance with that law.\n    (d) Other Rights and Remedies.--The rights and remedies available \nunder this section do not affect any other rights and remedies \navailable under Federal or State law.\n\nSEC. 202. 
COORDINATION OF STATE AND FEDERAL EFFORTS.\n\n    (a) Notice.--\n            (1) In general.--A State consumer protection attorney may \n        not bring an action under section 201, until the attorney \n        general of the State involved provides to the Attorney General \n        of the United States--\n                    (A) written notice of the action; and\n                    (B) a copy of the complaint for the action.\n            (2) Exception.--Paragraph (1) does not apply with respect \n        to the filing of an action by an attorney general of a State \n        under this section if the State attorney general determines \n        that it is not feasible to provide the notice described in such \n        subparagraph before the filing of the action, in such a case \n        the State attorney general shall provide notice and a copy of \n        the complaint to the Attorney General at the time the State \n        attorney general files the action.\n    (b) Federal Proceedings.--The Attorney General may--\n            (1) move to stay any non Federal action under section 201, \n        pending the final disposition of a pending Federal action under \n        that section;\n            (2) initiate an action in an appropriate United States \n        district court and move to consolidate all pending actions \n        under section 201, including State actions, in that court; and\n            (3) intervene in a State action under section 201.\n    (c) Pending Proceedings.--If the Attorney General institutes a \nproceeding or action for a violation of a Federal law enacted after the \ndate of the enactment of this Act relating data security, no authority \nof a State may, during the pendency of such proceeding or action, bring \nan action under this section against any defendant named in such \ncriminal proceeding or a civil action against any defendant for any \nviolation that is alleged in that proceeding or action.\n    (d) Definition.--As used in 
this section, the term ``State consumer \nprotection attorney'' means the attorney general of a State or any \nState or local law enforcement agency authorized by the State attorney \ngeneral or by State statute to prosecute violations of consumer \nprotection law.\n\nSEC. 203. REQUIREMENT THAT AGENCY RULEMAKING TAKE INTO CONSIDERATION \n                    IMPACTS ON INDIVIDUAL PRIVACY.\n\n    (a) In General.--Title 5, United States Code, is amended by adding \nafter section 553 the following new section:\n\n``Sec. 553a. Privacy impact assessment in rulemaking\n\n    ``(a) Initial Privacy Impact Assessment.--\n            ``(1) In general.--Whenever an agency is required by \n        section 553 of this title, or any other law, to publish a \n        general notice of proposed rulemaking for a proposed rule, or \n        publishes a notice of proposed rulemaking for an interpretative \n        rule involving the internal revenue laws of the United States, \n        and such rule or proposed rulemaking pertains to the \n        collection, maintenance, use, or disclosure of personally \n        identifiable information from 10 or more individuals, other \n        than agencies, instrumentalities, or employees of the Federal \n        government, the agency shall prepare and make available for \n        public comment an initial privacy impact assessment that \n        describes the impact of the proposed rule on the privacy of \n        individuals. 
Such assessment or a summary thereof shall be \n        signed by the senior agency official with primary \n        responsibility for privacy policy and be published in the \n        Federal Register at the time of the publication of a general \n        notice of proposed rulemaking for the rule.\n            ``(2) Contents.--Each initial privacy impact assessment \n        required under this subsection shall contain the following:\n                    ``(A) A description and analysis of the extent to \n                which the proposed rule will impact the privacy \n                interests of individuals, including the extent to which \n                the proposed rule--\n                            ``(i) provides notice of the collection of \n                        personally identifiable information, and \n                        specifies what personally identifiable \n                        information is to be collected and how it is to \n                        be collected, maintained, used, and disclosed;\n                            ``(ii) allows access to such information by \n                        the person to whom the personally identifiable \n                        information pertains and provides an \n                        opportunity to correct inaccuracies;\n                            ``(iii) prevents such information, which is \n                        collected for one purpose, from being used for \n                        another purpose; and\n                            ``(iv) provides security for such \n                        information, including the provision of written \n                        notice to any individual, within 14 days of the \n                        date of compromise, whose privacy interests are \n                        compromised by the unauthorized release of \n                        personally identifiable information as a result \n                        of a breach of security at or by the 
agency.\n                    ``(B) A description of any significant alternatives \n                to the proposed rule which accomplish the stated \n                objectives of applicable statutes and which minimize \n                any significant privacy impact of the proposed rule on \n                individuals.\n    ``(b) Final Privacy Impact Assessment.--\n            ``(1) In general.--Whenever an agency promulgates a final \n        rule under section 553 of this title, after being required by \n        that section or any other law to publish a general notice of \n        proposed rulemaking, or promulgates a final interpretative rule \n        involving the internal revenue laws of the United States, and \n        such rule or proposed rulemaking pertains to the collection, \n        maintenance, use, or disclosure of personally identifiable \n        information from 10 or more individuals, other than agencies, \n        instrumentalities, or employees of the Federal government, the \n        agency shall prepare a final privacy impact assessment, signed \n        by the senior agency official with primary responsibility for \n        privacy policy.\n            ``(2) Contents.--Each final privacy impact assessment \n        required under this subsection shall contain the following:\n                    ``(A) A description and analysis of the extent to \n                which the final rule will impact the privacy interests \n                of individuals, including the extent to which such \n                rule--\n                            ``(i) provides notice of the collection of \n                        personally identifiable information, and \n                        specifies what personally identifiable \n                        information is to be collected and how it is to \n                        be collected, maintained, used, and disclosed;\n                            ``(ii) allows access to such information by \n              
          the person to whom the personally identifiable \n                        information pertains and provides an \n                        opportunity to correct inaccuracies;\n                            ``(iii) prevents such information, which is \n                        collected for one purpose, from being used for \n                        another purpose; and\n                            ``(iv) provides security for such \n                        information, including the provision of written \n                        notice to any individual, within 14 days of the \n                        date of compromise, whose privacy interests are \n                        compromised by the unauthorized release of \n                        personally identifiable information as a result \n                        of a breach of security at or by the agency.\n                    ``(B) A summary of any significant issues raised by \n                the public comments in response to the initial privacy \n                impact assessment, a summary of the analysis of the \n                agency of such issues, and a statement of any changes \n                made in such rule as a result of such issues.\n                    ``(C) A description of the steps the agency has \n                taken to minimize the significant privacy impact on \n                individuals consistent with the stated objectives of \n                applicable statutes, including a statement of the \n                factual, policy, and legal reasons for selecting the \n                alternative adopted in the final rule and why each one \n                of the other significant alternatives to the rule \n                considered by the agency which affect the privacy \n                interests of individuals was rejected.\n            ``(3) Availability to public.--The agency shall make copies \n        of the final privacy impact assessment available to members of \n        
the public and shall publish in the Federal Register such \n        assessment or a summary thereof.\n    ``(c) Waivers.--\n            ``(1) Emergencies.--An agency head may waive or delay the \n        completion of some or all of the requirements of subsections \n        (a) and (b) to the same extent as the agency head may, under \n        section 608, waive or delay the completion of some or all of \n        the requirements of sections 603 and 604, respectively.\n            ``(2) National security.--An agency head may, for national \n        security reasons, or to protect from disclosure classified \n        information, confidential commercial information, or \n        information the disclosure of which may adversely affect a law \n        enforcement effort, waive or delay the completion of some or \n        all of the following requirements:\n                    ``(A) The requirement of subsection (a)(1) to make \n                an assessment available for public comment, provided \n                that such assessment is made available, in classified \n                form, to the Committees on the Judiciary of the House \n                of Representatives and the Senate, in lieu of making \n                such assessment available to the public.\n                    ``(B) The requirement of subsection (a)(1) to have \n                an assessment or summary thereof published in the \n                Federal Register, provided that such assessment or \n                summary is made available, in classified form, to the \n                Committees on the Judiciary of the House of \n                Representatives and the Senate, in lieu of publishing \n                such assessment or summary in the Federal Register.\n                    ``(C) The requirements of subsection (b)(3), \n                provided that the final privacy impact assessment is \n                made available, in classified form, to the Committees \n                on 
the Judiciary of the House of Representatives and \n                the Senate, in lieu of making such assessment available \n                to the public and publishing such assessment in the \n                Federal Register.\n    ``(d) Procedures for Gathering Comments.--When any rule is \npromulgated which may have a significant privacy impact on individuals, \nor a privacy impact on a substantial number of individuals, the head of \nthe agency promulgating the rule or the official of the agency with \nstatutory responsibility for the promulgation of the rule shall assure \nthat individuals have been given an opportunity to participate in the \nrulemaking for the rule through techniques such as--\n            ``(1) the inclusion in an advance notice of proposed \n        rulemaking, if issued, of a statement that the proposed rule \n        may have a significant privacy impact on individuals, or a \n        privacy impact on a substantial number of individuals;\n            ``(2) the publication of a general notice of proposed \n        rulemaking in publications of national circulation likely to be \n        obtained by individuals;\n            ``(3) the direct notification of interested individuals;\n            ``(4) the conduct of open conferences or public hearings \n        concerning the rule for individuals, including soliciting and \n        receiving comments over computer networks; and\n            ``(5) the adoption or modification of agency procedural \n        rules to reduce the cost or complexity of participation in the \n        rulemaking by individuals.\n    ``(e) Periodic Review of Rules.--\n            ``(1) In general.--Each agency shall carry out a periodic \n        review of the rules promulgated by the agency that have a \n        significant privacy impact on individuals, or a privacy impact \n        on a substantial number of individuals. 
Under such periodic \n        review, the agency shall determine, for each such rule, whether \n        the rule can be amended or rescinded in a manner that minimizes \n        any such impact while remaining in accordance with applicable \n        statutes. For each such determination, the agency shall \n        consider the following factors:\n                    ``(A) The continued need for the rule.\n                    ``(B) The nature of complaints or comments received \n                from the public concerning the rule.\n                    ``(C) The complexity of the rule.\n                    ``(D) The extent to which the rule overlaps, \n                duplicates, or conflicts with other Federal rules, and, \n                to the extent feasible, with State and local \n                governmental rules.\n                    ``(E) The length of time since the rule was last \n                reviewed under this subsection.\n                    ``(F) The degree to which technology, economic \n                conditions, or other factors have changed in the area \n                affected by the rule since the rule was last reviewed \n                under this subsection.\n            ``(2) Plan required.--Each agency shall carry out the \n        periodic review required by paragraph (1) in accordance with a \n        plan published by such agency in the Federal Register. Each \n        such plan shall provide for the review under this subsection of \n        each rule promulgated by the agency not later than 10 years \n        after the date on which such rule was published as the final \n        rule and, thereafter, not later than 10 years after the date on \n        which such rule was last reviewed under this subsection. 
The \n        agency may amend such plan at any time by publishing the \n        revision in the Federal Register.\n            ``(3) Annual publication.--Each year, each agency shall \n        publish in the Federal Register a list of the rules to be \n        reviewed by such agency under this subsection during the \n        following year. The list shall include a brief description of \n        each such rule and the need for and legal basis of such rule \n        and shall invite public comment upon the determination to be \n        made under this subsection with respect to such rule.\n    ``(f) Judicial Review.--\n            ``(1) In general.--For any rule subject to this section, an \n        individual who is adversely affected or aggrieved by final \n        agency action is entitled to judicial review of agency \n        compliance with the requirements of subsections (b) and (c) in \n        accordance with chapter 7. Agency compliance with subsection \n        (d) shall be judicially reviewable in connection with judicial \n        review of subsection (b).\n            ``(2) Jurisdiction.--Each court having jurisdiction to \n        review such rule for compliance with section 553, or under any \n        other provision of law, shall have jurisdiction to review any \n        claims of noncompliance with subsections (b) and (c) in \n        accordance with chapter 7. 
Agency compliance with subsection \n        (d) shall be judicially reviewable in connection with judicial \n        review of subsection (b).\n            ``(3) Limitations.--\n                    ``(A) An individual may seek such review during the \n                period beginning on the date of final agency action and \n                ending 1 year later, except that where a provision of \n                law requires that an action challenging a final agency \n                action be commenced before the expiration of 1 year, \n                such lesser period shall apply to an action for \n                judicial review under this subsection.\n                    ``(B) In the case where an agency delays the \n                issuance of a final privacy impact assessment pursuant \n                to subsection (c), an action for judicial review under \n                this section shall be filed not later than--\n                            ``(i) 1 year after the date the assessment \n                        is made available to the public; or\n                            ``(ii) where a provision of law requires \n                        that an action challenging a final agency \n                        regulation be commenced before the expiration \n                        of the 1-year period, the number of days \n                        specified in such provision of law that is \n                        after the date the assessment is made available \n                        to the public.\n            ``(4) Relief.--In granting any relief in an action under \n        this subsection, the court shall order the agency to take \n        corrective action consistent with this section and chapter 7, \n        and may--\n                    ``(A) remand the rule to the agency; and\n                    ``(B) defer the enforcement of the rule against \n                individuals, unless the court finds that continued \n                enforcement of the 
rule is in the public interest.\n            ``(5) Rule of construction.--Nothing in this subsection \n        limits the authority of any court to stay the effective date of \n        any rule or provision thereof under any other provision of law \n        or to grant any other relief in addition to the requirements of \n        this subsection.\n            ``(6) Record of agency action.--In an action for the \n        judicial review of a rule, the privacy impact assessment for \n        such rule, including an assessment prepared or corrected \n        pursuant to paragraph (4), shall constitute part of the entire \n        record of agency action in connection with such review.\n            ``(7) Exclusivity.--Compliance or noncompliance by an \n        agency with the provisions of this section shall be subject to \n        judicial review only in accordance with this subsection.\n            ``(8) Savings clause.--Nothing in this subsection bars \n        judicial review of any other impact statement or similar \n        assessment required by any other law if judicial review of such \n        statement or assessment is otherwise permitted by law.\n    ``(g) Definition.--For purposes of this section, the term \n`personally identifiable information' means information that can be \nused to identify an individual, including such individual's name, \naddress, telephone number, photograph, social security number or other \nidentifying information. 
It includes information about such \nindividual's medical or financial condition.''.\n    (b) Periodic Review Transition Provisions.--\n            (1) Initial plan.--For each agency, the plan required by \n        subsection (e) of section 553a of title 5, United States Code \n        (as added by subsection (a)), shall be published not later than \n        180 days after the date of the enactment of this Act.\n            (2) Review period.--In the case of a rule promulgated by an \n        agency before the date of the enactment of this Act, such plan \n        shall provide for the periodic review of such rule before the \n        expiration of the 10-year period beginning on the date of the \n        enactment of this Act. For any such rule, the head of the \n        agency may provide for a 1-year extension of such period if the \n        head of the agency, before the expiration of the period, \n        certifies in a statement published in the Federal Register that \n        reviewing such rule before the expiration of the period is not \n        feasible. The head of the agency may provide for additional 1-\n        year extensions of the period pursuant to the preceding \n        sentence, but in no event may the period exceed 15 years.\n    (c) Congressional Review.--Section 801(a)(1)(B) of title 5, United \nStates Code, is amended--\n            (1) by redesignating clauses (iii) and (iv) as clauses (iv) \n        and (v), respectively; and\n            (2) by inserting after clause (ii) the following new \n        clause:\n            ``(iii) the agency's actions relevant to section 553a;''.\n    (d) Clerical Amendment.--The table of sections at the beginning of \nchapter 5 of title 5, United States Code, is amended by adding after \nthe item relating to section 553 the following new item:\n\n    ``553a. 
Privacy impact assessment in rulemaking.''.\n\n  TITLE III--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT TO COMBAT \n     FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF PERSONALLY \n                        IDENTIFIABLE INFORMATION\n\nSEC. 301. GRANTS FOR STATE AND LOCAL LAW ENFORCEMENT.\n\n    (a) In General.--Subject to the availability of amounts provided in \nadvance in appropriations Acts, the Assistant Attorney General for the \nOffice of Justice Programs of the Department of Justice may award \ngrants to States to establish and develop programs to increase and \nenhance enforcement against crimes related to fraudulent, unauthorized, \nor other criminal use of personally identifiable information.\n    (b) Application.--To be eligible for a grant under subsection (a), \na State shall submit an application to the Assistant Attorney General \nfor the Office of Justice Programs of the Department of Justice at such \ntime, in such manner, and containing such information, including as \ndescribed in subsection (d), as the Assistant Attorney General may \nrequire.\n    (c) Use of Grant Amounts.--A grant awarded to a State under \nsubsection (a) shall be used by a State, in conjunction with units of \nlocal government within that State, State and local courts, other \nStates, or combinations thereof, to establish and develop programs to--\n            (1) assist State and local law enforcement agencies in \n        enforcing State and local criminal laws relating to crimes \n        involving the fraudulent, unauthorized, or other criminal use \n        of personally identifiable information;\n            (2) assist State and local law enforcement agencies in \n        educating the public to prevent and identify crimes involving \n        the fraudulent, unauthorized, or other criminal use of \n        personally identifiable information;\n            (3) educate and train State and local law enforcement \n        officers and prosecutors to conduct 
investigations and forensic \n        analyses of evidence and prosecutions of crimes involving the \n        fraudulent, unauthorized, or other criminal use of personally \n        identifiable information;\n            (4) assist State and local law enforcement officers and \n        prosecutors in acquiring computer and other equipment to \n        conduct investigations and forensic analysis of evidence of \n        crimes involving the fraudulent, unauthorized, or other \n        criminal use of personally identifiable information; and\n            (5) facilitate and promote the sharing of Federal law \n        enforcement expertise and information about the investigation, \n        analysis, and prosecution of crimes involving the fraudulent, \n        unauthorized, or other criminal use of personally identifiable \n        information with State and local law enforcement officers and \n        prosecutors, including the use of multi-jurisdictional task \n        forces.\n    (d) Assurances and Eligibility.--To be eligible to receive a grant \nunder subsection (a), a State shall provide assurances to the Attorney \nGeneral that the State--\n            (1) has in effect laws that penalize crimes involving the \n        fraudulent, unauthorized, or other criminal use of personally \n        identifiable information, such as penal laws prohibiting--\n                    (A) fraudulent schemes executed to obtain \n                personally identifiable information;\n                    (B) schemes executed to sell or use fraudulently \n                obtained personally identifiable information; and\n                    (C) online sales of personally identifiable \n                information obtained fraudulently or by other illegal \n                means;\n            (2) will provide an assessment of the resource needs of the \n        State and units of local government within that State, \n        including criminal justice resources being devoted to the 
\n        investigation and enforcement of laws related to crimes \n        involving the fraudulent, unauthorized, or other criminal use \n        of personally identifiable information;\n            (3) will develop a plan for coordinating the programs \n        funded under this section with other federally funded technical \n        assistant and training programs, including directly funded \n        local programs such as the Local Law Enforcement Block Grant \n        program (described under the heading ``Violent Crime Reduction \n        Programs, State and Local Law Enforcement Assistance'' of the \n        Departments of Commerce, Justice, and State, the Judiciary, and \n        Related Agencies Appropriations Act, 1998 (Public Law 105-\n        119)); and\n            (4) will submit to the Assistant Attorney General for the \n        Office of Justice Programs of the Department of Justice \n        applicable reports in accordance with subsection (f).\n    (e) Matching Funds.--The Federal share of a grant received under \nthis section may not exceed 90 percent of the total cost of a program \nor proposal funded under this section unless the Attorney General \nwaives, wholly or in part, the requirements of this subsection.\n    (f) Reports.--For each year that a State receives a grant under \nsubsection (a) for a program, the State shall submit to the Assistant \nAttorney General for the Office of Justice Programs of the Department \nof Justice a report on the results, including the effectiveness, of \nsuch program during such year.\n\nSEC. 302. 
AUTHORIZATION OF APPROPRIATIONS.\n\n    (a) In General.--There is authorized to be appropriated to carry \nout this title $25,000,000 for each of fiscal years 2008 through 2010.\n    (b) Limitations.--Of the amount made available to carry out this \ntitle in any fiscal year not more than 3 percent may be used by the \nAttorney General for salaries and administrative expenses.\n    (c) Minimum Amount.--Unless all eligible applications submitted by \na State or units of local government within a State for a grant under \nthis title have been funded, the State, together with grantees within \nthe State (other than Indian tribes), shall be allocated in each fiscal \nyear under this title not less than 0.75 percent of the total amount \nappropriated in the fiscal year for grants pursuant to this title, \nexcept that the United States Virgin Islands, American Samoa, Guam, and \nthe Northern Mariana Islands each shall be allocated 0.25 percent.\n    (d) Grants to Indian Tribes.--Notwithstanding any other provision \nof this title, the Attorney General may use amounts made available \nunder this title to make grants to Indian tribes for use in accordance \nwith this title.\n\n          TITLE IV--NATIONAL WHITE COLLAR CRIME CENTER GRANTS\n\nSEC. 401. AUTHORIZATION AND EXPANSION OF NATIONAL WHITE COLLAR CRIME \n                    CENTER.\n\n    (a) In General.--Title I of the Omnibus Crime Control and Safe \nStreets Act of 1968 (42 U.S.C. 3711 et seq.) is amended--\n            (1) by redesignating part X, as added by section 623 of \n        Public Law 109-248, as part JJ; and\n            (2) by adding at the end the following new part:\n\n          ``PART KK--NATIONAL WHITE COLLAR CRIME CENTER GRANTS\n\n``SEC. 3021. 
ESTABLISHMENT OF GRANTS PROGRAM.\n\n    ``(a) Authorization.--The Director of the Bureau of Justice \nAssistance is authorized to make grants and enter into contracts with \nState and local criminal justice agencies and nonprofit organizations \nfor the purpose of improving the identification, investigation, and \nprosecution of certain criminal activities.\n    ``(b) Certain Criminal Activities Defined.--For purposes of this \npart, the term `certain criminal activity' means a criminal conspiracy \nor activity or a terrorist conspiracy or activity that spans \njurisdictional boundaries, including the following:\n            ``(1) Terrorism.\n            ``(2) Economic crime.\n            ``(3) High-tech crime, also known as cyber crime or \n        computer crime, including internet-based crime against children \n        and child pornography.\n    ``(c) Criminal Justice Agency Defined.--For purposes of this part, \nthe term `criminal justice agency', with respect to a State or a unit \nof local government within such State, includes a law enforcement \nagency, a State regulatory body with criminal investigative authority, \nand a State or local prosecution office to the extent that such agency, \nbody, or office, respectively, is involved in the prevention, \ninvestigation, and prosecution of certain criminal activities.\n\n``SEC. 3022. 
AUTHORIZED PROGRAMS.\n\n    ``Grants and contracts awarded under this part may be made only for \nthe following programs, with respect to the prevention, investigation, \nand prosecution of certain criminal activities:\n            ``(1) Programs to provide a nationwide support system for \n        State and local criminal justice agencies.\n            ``(2) Programs to assist State and local criminal justice \n        agencies to develop, establish, and maintain intelligence-\n        focused policing strategies and related information sharing.\n            ``(3) Programs to provide training and investigative \n        support services to State and local criminal justice agencies \n        to provide such agencies with skills and resources needed to \n        investigate and prosecute such criminal activities and related \n        criminal activities.\n            ``(4) Programs to provide research support, to establish \n        partnerships, and to provide other resources to aid State and \n        local criminal justice agencies to prevent, investigate, and \n        prosecute such criminal activities and related problems.\n            ``(5) Programs to provide information and research to the \n        general public to facilitate the prevention of such criminal \n        activities.\n            ``(6) Programs to establish National training and research \n        centers regionally, including within Virginia, Texas, and \n        Michigan, to provide training and research services for State \n        and local criminal justice agencies.\n            ``(7) Any other programs specified by the Attorney General \n        as furthering the purposes of this part.\n\n``SEC. 3023. APPLICATION.\n\n    ``To be eligible for an award of a grant or contract under this \npart, an entity shall submit to the Director of the Bureau of Justice \nAssistance an application in such form and manner, and containing such \ninformation, as required by the Director.\n\n``SEC. 3024. 
RULES AND REGULATIONS.\n\n    ``Not later than 180 days after the date of the enactment of this \npart, the Director of the Bureau of Justice Assistance shall promulgate \nsuch rules and regulations as are necessary to carry out the this part, \nincluding rules and regulations for submitting and reviewing \napplications under section 3023.''.\n    (b) Authorization of Appropriation.--Section 1001(a) of such Act \n(42 U.S.C. 3793) is amended by adding at the end the following new \nparagraph:\n            ``(26) There is authorized to be appropriated to carry out \n        part KK--\n                    ``(A) $25,000,000 for fiscal year 2008;\n                    ``(B) $28,000,000 for fiscal year 2009;\n                    ``(C) $31,000,000 for fiscal year 2010;\n                    ``(D) $34,000,000 for fiscal year 2011;\n                    ``(E) $37,000,000 for fiscal year 2012; and\n                    ``(F) $40,000,000 for fiscal year 2013.''.\n                                 <all>\n\n\n\n    Mr. Scott. It is now my pleasure to recognize our new \nRanking Member of the Subcommittee, the gentleman from Texas, \nJudge Gohmert.\n    Mr. Gohmert. Thank you, Chairman Scott. Thank you to the \nwitnesses. I stayed until 1:30, when it was apparent we were \ngoing to be a while, and I ran over to the Capitol, but because \nthe hour is so much later, I have an opening statement, but I \nwould ask unanimous consent simply to submit it for the record. \nUnless you all want me to read my opening statement, I will. \nBut otherwise, we will submit that.\n    H.R. 4175 was introduced by Chairman Conyers, Ranking \nMember Smith, Subcommittee Member Scott and then-Ranking Member \nForbes. 
A bipartisan proposal, I think, represents a good first \nstep in tackling the difficult problem of identity theft and \ncybercrime.\n    And so I will look forward to hearing the witnesses and \nworking with my colleagues on this important piece of \nlegislation.\n    And with that, I guess hearing no objection----\n    Mr. Scott. Without objection, the statement is entered into \nthe record.\n    [The prepared statement of Mr. Gohmert follows:]\nPrepared Statement of the Honorable Louie Gohmert, a Representative in \n Congress from the State of Texas, and Ranking Member, Subcommittee on \n                Crime, Terrorism, and Homeland Security\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mr. Scott. The gentleman from Michigan.\n    Mr. Conyers. Thank you. And as the one that is guilty for \nholding you up so long, I won't--I will not give you my \nstatement, and I will put it in the record and add that the \nPrivacy and Cybercrime Enforcement Act is a strong \nbipartisan measure that I believe will help combat the growing \nthreat of identity theft and other cybercrimes. This balanced \nbill protects the privacy rights of consumers, the interest of \nbusinesses and the legitimate needs of law enforcement.\n    And I would like to emphasize that I look forward to the \npassage of a crime law but not at the expense of the \nsubstantive issues involved, including requiring much needed \nnotices for security breaches.\n    I am aware of the passage of S. 2168 in the Senate, but our \nbill is more comprehensive, and we need to examine it before \nmaking hasty decisions that impact consumers for years to come.\n    Thank you very much, Mr. 
Chairman, for your patience and \nforbearance.\n    [The prepared statement of Chairman Conyers follows:]\n\nPrepared Statement of the Honorable John Conyers, Jr., a Representative \nin Congress from the State of Michigan, and Chairman, Committee on the \n                               Judiciary\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mr. Scott. Thank you, Mr. Chairman.\n    The gentleman from North Carolina.\n    Mr. Coble. In view of the belated hour, I waive my opening \nstatement and join you in welcoming our panel.\n    Mr. Scott. And without objection, other Members will be \nallowed to include opening statements in the record at this \npoint.\n    I want to thank the witnesses for your patience. Sometimes \nbecause of votes and things, the schedule just goes awry, and \nwe appreciate your patience in remaining with us.\n    We have a distinguished panel of witnesses here today to \nhelp us consider important issues that are here before us.\n    The first witness is Andrew Lourie, who was the acting \nPrincipal Deputy Assistant Attorney General and chief of staff \nof the Criminal Division at the Department of Justice. He is \ncurrently serving a detail from the U.S. Attorney's Office from \nthe Southern District of Florida where, for the past 5 years, \nhe has served as Managing Assistant U.S. Attorney in the West \nPalm Beach office. He served two prior details at the \nDepartment, both as chief of the Public Integrity Section.\n    The next witness is Greg Magaw, a special agent in charge \nof the United States Secret Service. He provides guidance in \ndetermining the investigative focus of the division which \nprovides direction to all Secret Service field offices. He is a \n20-year veteran of the Secret Service, native of Columbus, \nOhio. 
He received his Bachelor of Arts degree from the \nUniversity of Maryland and master's degree in the field of \nmanagement from Johns Hopkins.\n    Next will be Joel Winston, the associate director of the \nDivision of Privacy and Identity Protection at the Federal \nTrade Commission's Bureau of Consumer Protection. That division \nhas responsibility over consumer privacy and data security \nissues, identity theft and credit reporting matters. Mr. \nWinston is currently serving on the Federal Government's \nIdentity Theft Task Force, which was created by the President \nin March 2006. Mr. Winston received his undergraduate and law \ndegrees from the University of Michigan.\n    Next will be Jaimee Napp, executive director of the \nIdentity Theft Action Council of Nebraska. He founded the \ncouncil in 2006--excuse me, she founded the council in 2006 to \nuse her journey as an identity theft victim to help others. The \ncouncil is the first nonprofit organization dedicated solely to \nidentity theft issues assisting victims in Nebraska. She \nreceived her bachelors of journalism from the University of \nNebraska at Lincoln.\n    Next will be Robert Holleyman, president, CEO, of the \nBusiness Software Alliance. Mr. Holleyman has headed the \nalliance since 1990, overseeing operations in more than 85 \ncountries. He is widely known for his work on policy related \nissues affecting the technology industry, including \nintellectual property laws, cyber security, international trade \nand electronic commerce. He earned his bachelor of arts degree \nin Political Science at Trinity University in Texas and his \njuris doctorate from Louisiana State University in Baton Rouge.\n    Finally, we have Lillie Coney, associate director of the \nElectronic Privacy Information Center in Washington, D.C. She \nserves as the coordinator for the Privacy Coalition. The \nPrivacy Coalition has over 40 organizations and affiliates who \nshare a commitment to freedom and privacy rights. 
She has \ntestified before the Department of Homeland Security, the \nDepartment of Homeland Security's Data Privacy and Integrity \nAdvisory Committee, on domestic surveillance.\n    Now each of our witnesses' written statements will be made \npart of the record and all of those statements in their \nentirety. I would ask each witness to summarize his or her \ntestimony in 5 minutes or less. And to help you stay within \nthat time, there is a timing device on your table that will \nstart green and go to yellow when you have 1 minute left and \nthen finally to red when your time has expired.\n    We will begin with--and unfortunately, we are expecting a \nvote any minute now so we will go as far as we can, break for a \nvote and then come right back.\n    Mr. Lourie.\n\n TESTIMONY OF ANDREW LOURIE, ACTING PRINCIPAL DEPUTY ASSISTANT \n ATTORNEY GENERAL AND CHIEF OF STAFF TO THE CRIMINAL DIVISION, \n           U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC\n\n    Mr. Lourie. Thank you. Good afternoon, Chairman Scott, \nRanking Member Gohmert and Members of the Subcommittee.\n    It is a pleasure to appear before you today to testify \nabout the Department of Justice's commitment to combatting \ncomputer crime and identity theft, and about the important \nlegislation this Subcommittee is considering to address these \nthreats.\n    As information technology increasingly pervades every \naspect of our society, the opportunity for criminals to take \nadvantage of it has also increased.\n    One result has been the rise of identity theft. The \nDepartment of Justice is dedicated to aggressively pursuing all \nforms of cybercrime and identity theft. However, shortcomings \nin existing law have, at times, inhibited its ability to do so. 
\nThe Privacy and Cyber Crime Act of 2007 would address several \nof these shortcomings and provide important tools to promote \nlaw enforcement's efforts.\n    The act includes many provisions also recommended in the \nstrategic plan released earlier this year by the President's \nIdentity Theft Task Force. The Department is pleased to see the \ndepth of the common ground that we share in these key issues. \nIn particular, the Department applauds the amendments in the \nact that would ensure that victims receive fair restitution for \nthe time spent to remediate the harm resulting from identity \ntheft offenses.\n    Similarly, the Department supports the provisions of the \nact that enhance our ability to prosecute the theft of \nsensitive information from computers, close loopholes in the \ncyber extortion statute and enable us to bring computer crime \ncharges against criminal conspiracies and organized criminal \ngroups.\n    In addition to these many positive aspects, the Department \nwould like to provide some suggestions that would strengthen \nthe bill.\n    First, we strongly encourage the Committee to consider \namending 18 USC, section 1030(a)(5), to close a loophole and \nappropriately penalize the use of malicious spyware, botnets \nand keyloggers. Current law criminalizes actions that cause \ndamage to computers by impairing the integrity or ability of \ndata or computer systems. Absent special circumstances, \nhowever, the conduct must cause loss exceeding $5,000 to \nconstitute a Federal crime. Many identity thieves obtain \npersonal information by installing malicious software on \nnumerous individual computers. Whether or not the programs \nsucceed in stealing information, they harm the integrity of the \ncomputer and data. However, it is often difficult or impossible \nto measure the loss to each computer owner or to prove that the \nmany small losses together exceed $5,000.\n    Two amendments could remedy this situation. 
First, Congress \ncould amend section 1030(a)(5) to make it a misdemeanor offense \nto damage a protected computer and cause less than $5,000 in \nloss. Whether or not the Committee considers that amendment, we \nstrongly recommend adding a provision to the act that would \nmake it a Federal felony to damage 10 or more protected \ncomputers regardless of loss.\n    Let me turn now to Section 102 of the bill, the provision \nthat requires victims of major executive breaches to provide \nnotice to law enforcement. The bill defines a major security \nbreach as a breach that involves the means of identification \npertaining to 10,000 or more individuals. This threshold is too \nhigh. To give the numbers some context, the theft of as few as \n1,000 credit card numbers is, under the current sentencing \nguidelines, presumed to involve a minimum loss of $500,000. We \ntherefore recommend that the threshold for major security \nbreach be reduced.\n    The definition should also be amended to include any breach \nwhere there may be a threat to national security or risk of \nsignificant monetary loss without regard to the number of \nrecords affected.\n    I would also like to mention Section 106, which contains a \nuseful provision on the forfeiture of the instrumentalities and \nproceeds of cybercrime. We support the addition of a forfeiture \nprovision. We suggest, however, that the act explicitly allow \nfor both civil and criminal forfeiture and spell out the \nappropriate procedures. Language to accomplish these changes \nand other technical suggestions to improve the forfeiture \nprocedures is included with the written testimony I have \nsubmitted to the Subcommittee.\n    In conclusion, the Department would like to emphasize that \nlaw enforcement can continue to fulfill its role in addressing \nthe growing threats of computer crime and identity theft if we \nhave the appropriate laws and appropriate resources. 
The \nPrivacy in Cyber Crime Act of 2007 addresses many of those \nneeds by closing loopholes in existing cybercrime statutes, \nimproving our ability to prosecute criminal groups and \nproviding much needed resources. We believe the act will be an \nimportant tool in the fight against cybercrime.\n    Mr. Chairman, this concludes my remarks.\n    [The prepared statement of Mr. Lourie follows:]\n\n                  Prepared Statement of Andrew Lourie\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mr. Scott. Thank you.\n    Mr. Magaw.\n\nTESTIMONY OF CRAIG MAGAW, SPECIAL AGENT, CRIMINAL INVESTIGATIVE \n  DIVISION, U.S. SECRET SERVICE, U.S. DEPARTMENT OF HOMELAND \n                    SECURITY, WASHINGTON, DC\n\n    Mr. Magaw. Good afternoon, Chairman Scott and distinguished \nMembers of the Subcommittee. 
I would like to thank you for the \nopportunity to address the Subcommittee on the subject of \nidentity crime and the role of the Secret Service in these \ninvestigations.\n    While the Secret Service perhaps is best known for \nprotecting our Nation's leaders, we also investigate a wide \narray of financial crimes and work to safeguard our Nation's \ncritical financial infrastructure.\n    With the passage of legislation in 1984 and 1986, the \nSecret Service was authorized to investigate access device \nfraud, and we were given parallel authority with other law \nenforcement agencies in identity crimes and computer fraud \ncases. Through our financial and electronic crime \ninvestigations, the Secret Service has developed a particular \nexpertise in the area of identity theft, false identification \nfraud, access device fraud, bank fraud and computer fraud.\n    In fiscal year 2007, agents of the Secret Service arrested \nover 4,300 suspects for identity theft crimes. These suspects \nwere responsible for approximately $690 million in actual fraud \nloss to American consumers and American institutions.\n    The Secret Service has observed a marked increase in \nidentity theft and cybercrime. Criminals continue to seek new \nmethods to compromise victims' personal financial information. \nThe recent trend observed by law enforcement is the use of \ncomputers and the Internet to launch cyber attacks targeting \ncitizens and financial institutions.\n    Cyber criminals have become proficient at stealing victims' \npersonal information through the use of phishing e-mails, \naccount takeovers, malicious software, hacking attack and \nnetwork intrusions resulting in data breach.\n    This stolen information is often sold in bulk quantities \nthrough illicit Web sites on the Internet. Criminal groups \ninvolved in identity theft and cybercrimes routinely operate in \na multi-jurisdictional environment. 
By working closely with \nFederal, State, and local law enforcement representatives, as \nwell as international police agencies, we are able to provide a \ncomprehensive network of intelligence sharing, resource sharing \nand technical expertise that bridge jurisdictional boundaries. \nThis partnership approach to law enforcement is vital to our \ncriminal investigative mission.\n    The Secret Service has established a national network of \nfinancial crimes task forces and electronic crime task forces \nin cities across the United States. These task forces leverage \nthe combined resources of local, State, and Federal law \nenforcement partners as well as technical experts from the \nacademic community and private industry in an organized effort \nto combat threats to our financial payment system and critical \ninfrastructure.\n    Collaboration between law enforcement and private sector is \ncritical to our preventative approach to identity theft and \ncybercrime.\n    We also build partners with the academic community to \nensure that law enforcement is on the cutting edge of \ntechnology by leveraging research and development capabilities \nof teaching institutions and technical colleges. The Secret \nService appreciates the Subcommittee's work to enhance the \npenalties and broaden investigative jurisdictions associated \nwith identity theft and cybercrime.\n    H.R. 4175 addresses many of the issues I have discussed \ntoday concerning these offenses. H.R. 4175 expands the \ndefinition of cybercrime; requires data or brokers to notify \nlaw enforcement authorities of major security breaches; and \nincreases penalties for identity theft and other violations of \ndata privacy and security. The Secret Service looks forward to \nworking closely with Congress as they address identity crime \nlegislation.\n    As I have highlighted in my written statement, the Secret \nService has implemented a number of initiatives pertaining to \nidentity crimes. 
We have dedicated enormous resources to \nincrease public awareness, provide training to law enforcement \npartners and improve investigative techniques. We will continue \nto aggressively investigate identity theft offenders to protect \nconsumers. The Secret Service is committed to our mission to \nsafeguard the Nation's critical and financial infrastructure.\n    This concludes my prepared remarks. Thank you again for the \nopportunity to testify on behalf of the Secret Service.\n    [The prepared statement of Mr. Magaw follows:]\n\n                   Prepared Statement of Craig Magaw\n\n    Good afternoon, Chairman Scott, Ranking Member Gohmert and \ndistinguished members of the subcommittee. I would like to thank you \nfor the opportunity to address this subcommittee on the subject of \nidentity crime and the role of the U.S. Secret Service in these \ninvestigations.\n    While the Secret Service is perhaps best known for protecting our \nnation's leaders, we also investigate a wide variety of financial \ncrimes. In our role of protecting the nation's critical infrastructure \nand financial payment systems, the Secret Service has a long history of \nprotecting American consumers and the financial industry from fraud. \nWith the passage of legislation in 1984, the Secret Service was \nprovided authority for the investigation of access device fraud, \nincluding credit and debit card fraud, and parallel authority with \nother law enforcement agencies in identity crime cases. In recent \nyears, the combination of the information revolution and the effects of \nglobalization have caused the investigative mission of the Secret \nService to evolve.\n    Through our work in the areas of financial and electronic crime, \nthe Secret Service has developed particular expertise in the \ninvestigation of identity theft, false identification fraud, credit \ncard fraud, debit card fraud, check fraud, bank fraud, cyber crime, and \ncomputer intrusions. 
In Fiscal Year 2007, agents assigned to Secret \nService offices across the United States arrested over 4,300 suspects \nfor identity theft crimes. These suspects were responsible for \napproximately $690 million in actual fraud loss to individuals and \nfinancial institutions.\n    These criminals seek the personal identifiers generally required to \nobtain goods and services on credit, such as Social Security numbers, \nnames, and dates of birth. Identity crimes also involve the theft or \nmisuse of an individual's financial identifiers such as credit card \nnumbers, bank account numbers, and personal identification numbers.\n    The Secret Service has observed a marked increase in identity theft \nand access device fraud. Criminals continue to seek new methods of \ncompromising victims' personal and financial information. In the 1980's \nand 1990's, criminals obtained stolen personal and financial \ninformation through traditional means such as, theft of mail, theft of \ntrash from businesses or victims, home and vehicle burglaries, and \ntheft of a victim's wallet or purse. While these low-tech methods of \ntheft remain popular, criminal activity has evolved to new methods of \nobtaining large quantities of stolen information.\n    The recent trend observed by law enforcement is the use of \ncomputers and the Internet to launch cyber attacks targeting citizens \nand financial institutions. Cyber criminals have become adept at \nstealing victims' personal information through the use of phishing \nemails, account takeovers, malicious software, hacking attacks, and \nnetwork intrusions resulting in data breaches.\n    The Secret Service continues to see a considerable volume of access \ndevice fraud, usually in the form of criminal exploitation of stolen \ncredit card data. 
Of particular concern are those incidents in which \nlarge quantities of credit card and related personal data are stolen \nthrough electronic intrusions into the networked systems of major \nretailers or the systems of credit card processors. A considerable \nportion of this type of electronic theft appears to be attributable to \norganized groups, many of them based abroad, who pursue both the \nintrusions, as well as the subsequent exploitation of the stolen data. \nStolen credit card data is often trafficked in units that include more \nthan just the card number and expiration date. ``Full-info cards'' \ninclude such additional information as complete name and address \ninformation of the cardholder, mother's maiden name, date of birth, \nSocial Security number, PIN, and other personal information that allows \nadditional criminal exploitation of the account. Another marked trend \nobserved in 2007, has been the rise in volume of trafficking in card \ntrack data together with PINs; this data allows a criminal to \nmanufacture a fully functional counterfeit card and execute ATM \nwithdrawals or other PIN-enabled transactions against the account.\n    This stolen information is often sold in bulk quantities on various \nillicit Internet carding portals. These portals, or ``carding \nwebsites,'' can be likened to online bazaars where the criminal element \nconverges to conduct their business. The websites vary in size, from a \nfew dozen members, to some of the more popular sites which boast \nmemberships of approximately 8,000 users. Within these portals, there \nare separate forums which are moderated by notorious members of the \ncarding community. Members can meet online and discuss specific topics \nof interest. 
Criminal purveyors buy, sell, and trade malicious \nsoftware, spamming services, credit, debit, and ATM card data, personal \nidentification data, bank account information, hacking services and \nother contraband.\n    In addition to the exploitation of credit and debit card accounts, \nmany of the more sophisticated online criminal networks are now \nactively exploiting compromised online financial accounts. Criminals \nwho gain access to victim accounts using online systems then execute \nfraudulent electronic banking transfers or sell the information to \nother criminals. The desire to exploit online bank accounts has led to \nthe explosive growth of phishing, as well as the recent wave of \n``malware'' or ``crimeware,'' malicious software designed specifically \nto harvest account login information from the computers of infected \nvictims. The technical sophistication of the illicit services readily \navailable continues to grow. For example, the online fraud networks are \nincreasingly leveraging the technical capabilities of ``botnets'' (i.e. \nnetworks of thousands of infected computers which can be controlled by \na criminal from a central location) for financial attacks ranging in \nnature from the hosting of phishing and other malicious websites to the \nlaunching of widespread attacks against the online authentication \nsystems of U.S. financial institutions.\n    The information revolution of the 1990's has turned our personal \nand financial information into a valuable commodity, whether it is \nbeing collected and brokered by a legitimate company or stolen by an \nidentity thief. This information is no longer only an instrument used \nto facilitate a financial crime; it is now the primary target of \ncriminals. Consequently, private citizens as well as corporations and \nfinancial institutions must take appropriate measures to secure \nsensitive personally identifiable information. 
This information is \nparticularly vulnerable when it is stored on personal computers or \ndisclosed over Internet and email connections. Consumers must adhere to \ncomprehensive computer security practices.\n    Today, hundreds of companies specialize in data mining, data \nwarehousing, and information brokerage. This wealth of available \npersonal information creates a target-rich environment for today's \nsophisticated criminals. However, businesses can provide a first line \nof defense against identity crime by safeguarding the information they \ncollect. Such efforts can significantly limit the opportunities for \nidentity crime. Furthermore, the prompt reporting by data brokers of \nmajor security breaches involving sensitive personally identifiable \ninformation to the proper authorities would ensure a thorough \ninvestigation is conducted.\n    Globalization has made commerce easy and convenient for \ncorporations and consumers. Financial institutions and systems are \naccessible worldwide. Today's cyber criminals have adapted to this new \nmeans of global trade and exploit our dependence on information \ntechnology. With the explosion of Internet accessibility world-wide, \nthe criminal element has modified their fraudulent schemes to a new, \nmore anonymous and constantly evolving cyber arena. Having been the \ntarget of many of these crimes, the financial sector has some of the \nmost sophisticated security and authentication mechanisms and are \nconstantly evolving their practices to counter this criminal activity. \nLikewise, the Secret Service has modified its investigative techniques \nto keep pace with emerging technologies.\n    Criminal groups involved in identity crimes routinely operate in a \nmulti-jurisdictional environment. This creates problems for local law \nenforcement agencies that generally act as the first responders. 
By \nworking closely with other federal, state, and local law enforcement \nrepresentatives, as well as international police agencies, the Secret \nService is able to provide a comprehensive network of intelligence \nsharing, resource sharing, and technical expertise that bridges \njurisdictional boundaries. This partnership approach to law enforcement \nis vital to our criminal investigative mission.\n    The Secret Service's expertise is enhanced through partnerships and \nidentity theft task forces to assist in the national effort to \nsafeguard personal and financial information. These partnerships with \nother law enforcement agencies and industry representatives perform a \ncrucial role in protecting the financial infrastructure and economic \nstability of the United States by leveraging the technical expertise \nand investigative experience of partner agencies.\n    The Secret Service has established unique partnerships with state, \nlocal, and other federal law enforcement agencies through years of \ncollaboration on our investigative and protective endeavors. These \npartnerships enabled the Secret Service to establish a national network \nof Financial Crimes Task Forces (FCTFs) to combine the resources of the \nprivate sector and other law enforcement agencies in an organized \neffort to combat threats to our financial payment systems and critical \ninfrastructures. The Secret Service currently maintains 29 FCTFs \nlocated in metropolitan regions across the country. While our FCTFs do \nnot focus exclusively on identity crime, we recognize that stolen \nidentifiers are often a central component of other financial crimes. \nConsequently, our task forces devote considerable time and resources to \nthe issue of identity crime.\n    The Secret Service has always employed a proactive, rather than \nreactive, approach to combating crime. 
In 1996, the Secret Service \nestablished the New York Electronic Crimes Task Force (ECTF) to combine \nthe resources of academia, the private sector, and local, state, and \nfederal law enforcement agencies to combat computer-based threats to \nour financial payment systems and critical infrastructures. The USA \nPATRIOT Act of 2001, P.L. 107-56, recognized the effectiveness of the \nNew York ECTF and mandated that the Secret Service establish a \nnationwide network of ECTFs to prevent, detect, and investigate various \nforms of electronic crimes, including potential terrorist attacks \nagainst critical infrastructure and financial payment systems.\n    ECTFs leverage combined resources in an organized effort to combat \nthreats to our financial payment systems and critical infrastructures. \nPartnerships between law enforcement and the private sector are \ncritical to the success of the ECTF's ``focus on prevention'' approach. \nOur ECTFs collaborate with private sector technical experts in an \neffort to protect their system networks and critical information by \nencouraging the development of business continuity plans and routine \nrisk management assessments of their electronic infrastructure. Greater \nECTF liaison with the business community provides rapid access to law \nenforcement and vital technical expertise during incidents of malicious \ncyber crimes. The ECTFs also focus on partnerships with academia to \nensure that law enforcement is on the cutting edge of technology by \nleveraging the research and development capabilities of teaching \ninstitutions and technical colleges.\n    These resources allow ECTFs to identify and address potential cyber \nvulnerabilities before the criminal element exploits them. This \nproactive approach has successfully prevented cyber attacks that \notherwise would have resulted in large-scale financial losses to U.S. 
\nbased companies or disruptions of critical infrastructures.\n    The Secret Service task force models open the lines of \ncommunication and encourage the unlimited exchange of information \nbetween federal, state, and local law enforcement. Currently, the \nSecret Service maintains 24 ECTFs in major metropolitan regions across \nthe United States.\n    Another important goal of the Secret Service is to raise awareness \nof issues related to identity theft and financial crimes, both in the \nlaw enforcement community and the general public. The Secret Service \nhas worked to educate consumers and provide training to law enforcement \npersonnel through a variety of programs and initiatives. Agents from \nlocal field offices routinely provide community outreach seminars and \npublic awareness training on the subjects of identity theft and \ncomputer fraud. Agents often address these topics when speaking to \nschool groups, civic organizations, and staff meetings involving \nbusinesses or financial institutions.\n    Additionally, the Secret Service provides recurring identity theft \ntraining to state and local police departments. This training includes \nformal and informal classes which occur at police roll calls, field \noffice sponsored seminars, police academies, and other various \nsettings. Currently, the Secret Service provides formal computer \ntraining to state and local police departments to allow officers to act \nas ``first responders'' in cyber crimes investigations. Officers are \ntrained in basic electronic crimes investigations, network intrusion \ninvestigations, and computer forensics.\n    The Secret Service currently participates in a joint effort with \nthe Department of Justice, the U.S. Postal Inspection Service, the \nFederal Trade Commission (FTC), the International Association of Chiefs \nof Police (IACP), and the American Association of Motor Vehicle \nAdministrators to host identity crime training for law enforcement \nofficers. 
In the last three years, Identity Crime Training Seminars \nhave been held in approximately 20 cities nationwide. These training \nseminars are focused on providing local and state law enforcement \nofficers with tools and resources that they can immediately put into \nuse in their investigations of identity crime.\n    The Secret Service has also assigned a special agent to the FTC as \na liaison to support all aspects of the Commission's program to \nencourage the use of the Identity Theft Data Clearinghouse as a law \nenforcement tool. The FTC has done an excellent job of providing people \nwith the information and assistance they need in order to take the \nsteps necessary to correct their credit records, as well as undertaking \na variety of consumer awareness initiatives regarding identity theft.\n    Additionally, the Secret Service is committed to providing our law \nenforcement partners with publications and guides to assist them in \ncombating identity theft and cyber crime. As criminals increasingly use \ncomputers and electronic storage devices, these items become important \npieces of evidence. To ensure proper investigation and successful \nprosecution, officers need specific instructions pertaining to the \nseizure and analysis of electronic evidence. To provide this essential \nknowledge, the Secret Service published the ``Best Practices Guide for \nSeizing Electronic Evidence'' which is designed as a pocket guide for \nthe police officers and detectives acting as first responders. This \nguide assists law enforcement officers in recognizing, protecting, \nseizing, and searching electronic devices in accordance with applicable \nstatutes and policies. 
This guide has been updated as appropriate, and \nit is currently issued in its third edition.\n    The Secret Service also cooperated with several of our task force \npartners to produce the interactive, computer-based training program \nknown as ``Forward Edge.'' Forward Edge is a CD-ROM that provides law \nenforcement and corporate investigative personnel with practical \ntraining in the recognition and seizure of electronic storage items. \nThis year we completed an updated version of this training tool and \njust released ``Forward Edge II.''\n    In addition, the Secret Service produced an Identity Crime Video/\nCD-ROM which contains over 50 investigative and victim assistance \nresources that local and state law enforcement officers can use when \ncombating identity crime. This CD-ROM also contains a short identity \ncrime video that can be shown to police officers at their roll call \nmeetings which discusses why identity crime is important, what other \ndepartments are doing to combat identity crime, and what tools and \nresources are available to officers. The Identity Crime CD-ROM is an \ninteractive resource guide that was made in collaboration with the U.S. \nPostal Inspection Service, the FTC and the IACP.\n    To date, approximately 50,000 Identity Crime CD-ROMs have been \ndistributed to law enforcement departments and agencies across the \nUnited States. We have distributed over 400,000 Best Practices Guides \nand over 50,000 Forward Edge training CD-ROMs to local and federal law \nenforcement officers nationwide.\n    In conclusion, I would like to reiterate that identity theft is an \nevolving threat. Law enforcement agencies must be able to adapt to \nemerging technologies and criminal methods. The Secret Service is \npleased that Congress is considering legislation that recognizes the \nmagnitude of these issues and the constantly changing nature of these \ncrimes. 
To effectively fight this crime, our criminal statutes must be \namended to safeguard sensitive personally identifiable information and \nto afford law enforcement the appropriate resources to investigate data \nbreaches.\n    The Secret Service appreciates the Subcommittee's work to enhance \npenalties and broaden investigative jurisdictions associated with \nidentity theft and cyber crime. H.R. 4175 addresses many of the issues \nI have discussed in this statement concerning these offenses. H.R. 4175 \nexpands the definition of cyber crime, requires data brokers to notify \nlaw enforcement authorities of major security breaches, and increases \npenalties for identity theft and other violations of data privacy and \nsecurity. The Secret Service looks forward to working closely with \nCongress as they address identity crime legislation.\n    As I have highlighted in my statement, the Secret Service has \nimplemented a number of initiatives pertaining to identity crimes. We \nhave dedicated enormous resources to increase awareness, educate the \npublic, provide training for law enforcement partners, and improve \ninvestigative techniques. We will continue to aggressively investigate \nidentity theft offenders to protect consumers. The Secret Service is \ncommitted to our mission of safeguarding the nation's critical \ninfrastructure and financial payment systems.\n    Chairman Scott, Ranking Member Gohmert, this concludes my prepared \nstatement. Thank you again for this opportunity to testify on behalf of \nthe Secret Service. I will be pleased to answer any questions at this \ntime.\n\n    Mr. Scott. Thank you.\n    Mr. Winston.\n\n  TESTIMONY OF JOEL WINSTON, ASSOCIATE DIRECTOR, DIVISION OF \nPRIVACY AND IDENTITY PROTECTION, BUREAU OF CONSUMER PROTECTION, \n            FEDERAL TRADE COMMISSION, WASHINGTON, DC\n\n    Mr. Winston. Thank you, Chairman Scott, Ranking Member \nGohmert and Members of the Subcommittee. 
I appreciate the \nopportunity to testify today about these critical issues of \nprivacy and identity theft.\n    As the Federal Trade Commission's recently issued national \nsurvey shows, identity theft continues to afflict millions of \nAmericans every year with losses in the billions of dollars. \nBut beyond these real and substantial direct costs, this crime \nharms our economic system by threatening consumer confidence. \nMany polls show that the level of consumer anxiety about \nidentity theft is extremely high.\n    The FTC plays a lead role in the battle against identity \ntheft through its law enforcement efforts; its work on the \nPresident's task force; its extensive consumer and business \neducation; and its assistance to criminal law enforcement \npartners.\n    One way to stop identity theft is to keep sensitive \ninformation out of the hands of thieves by ensuring that \nbusinesses protect the information they collect. Reports of the \nlatest data breaches appear almost daily and continue to shake \nconsumer confidence. Of course, not all data breaches lead to \nidentity theft, but some do, causing real damage to affected \nconsumers.\n    The Commission uses its authority under several Federal \nlaws to take action against businesses that fail to reasonably \nprotect sensitive consumer information. Since 2001, the FTC has \nbrought 15 data security cases, including our most recent case \nannounced this morning against a mortgage company that threw \nsensitive consumer loan files into publicly accessible \ndumpsters.\n    In addition to its enforcement efforts, the Commission has \nplayed a lead role in the President's Identity Theft Task \nForce. The task force's strategic plan recommended 31 \ninitiatives to reduce the incidence and impact of identity \ntheft. The recommendations focus on, first, prevention, making \nit more difficult for criminals to steal data or to misuse data \nthey do manage to steal. 
Second, victim assistance, helping \nconsumers recover from identity theft. And, third, deterrence: \nStrengthening the tools that we have to catch and punish the \ncriminals. Most of these 31 recommendations have been or are in \nthe process of being implemented.\n    With respect to prevention, the FTC has developed and \ndistributed highly successful business and consumer guidance on \ndata security. Materials include a very popular data security \nguide for businesses, which now comes with an online tutorial. \nAnd the Commission staff will be holding a series of regional \ndata security seminars across the country beginning next year.\n    On the consumer side, the Commission launched last year a \nmultimedia campaign titled, Deter, Detect, Defend. Here is a \ncopy of the package. It includes brochures and training kits. \nAnd the Commission sponsors a multimedia Web site, OnGuard \nOnline, which has information for consumers on basic computer \nsecurity. Since its launch, this Web site has attracted over \n4.3 million visits.\n    Despite our best efforts to improve data security, however, \nthere is no foolproof way to stop data theft. For that reason, \nit is critical that we do whatever we can to make the data less \nuseful for thieves.\n    As recommended by the task force, the Commission conducted \ntwo public workshops this year relating to the issue of \nconsumer authentication. By creating better ways to verify \nconsumers' identities when they open new accounts or when they \naccess existing accounts, we can make it more difficult for \ncriminals to use stolen data.\n    Regulations recently issued by the FTC and the Federal bank \nregulatory agencies, under the FACT Act, provide another tool \nin the battle to prevent identity theft. 
These rules require \nall businesses that hold consumer accounts to establish an \nidentity theft prevention program.\n    With regard to victim assistance, the Commission has \ncontinued its role as a central repository for identity theft \ninformation. Between 15,000 and 20,000 consumers contact us \neach week for information on how to guard against identity \ntheft, or to obtain help on recovery from it. Consumers who \ncontact us receive step-by-step advice. At the same time, the \ninformation these consumers give us is entered into our \nclearinghouse and is made available to over 1,700 law \nenforcement agencies for use in law enforcement.\n    We are also partnering with other agencies to provide \ntraining for local law enforcement across the country. And we \nhave developed and posted a universal police report identity \ntheft victims can complete online, print and take to law \nenforcement for verification. With this report, victims have \naccess to a number of rights, including the right to place a 7-\nyear fraud alert on their credit file.\n    To summarize, identity theft is one of the most important \nconsumer protection issues of our time and must be attacked \nfrom every angle. The Commission will continue to place a high \npriority on preventing this crime and helping victims to \nrecover.\n    We look forward to continuing our work with Congress in \nthis effort. I would be happy to answer any questions you may \nhave.\n    [The prepared statement of Mr. 
Winston follows:]\n\n                   Prepared Statement of Joel Winston\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mr. Scott. Thank you.\n    We have about 10 minutes before we have to be on the floor. \nSo we will take your testimony, and then we will come back as \nsoon as we can.\n    Ms. Napp.\n\n TESTIMONY OF JAIMEE NAPP, EXECUTIVE DIRECTOR, IDENTITY THEFT \n             ACTION COUNCIL OF NEBRASKA, OMAHA, NE\n\n    Ms. Napp. Thank you, Chairman Scott and Members of the \nSubcommittee.\n    Thank you for this opportunity to share my story today and \nfor your leadership and interest in this issue.\n    My name is Jaimee Napp, and I am the executive director of \nthe Identity Theft Action Council of Nebraska, a proud mother \nof a 7-year-old, and I am also an identity theft victim. 
Today \nI will speak about my own personal experience and offer support \nfor the Privacy and Cybercrime Enforcement Act of 2007 but also \nwill provide some additional suggestions on what can be done.\n    I have regrets in my life, and one of them was taking a \nparticular part-time job and handing over my Social Security \nnumber to my employer.\n    In May 2005, my personal information, including my name, \nbirth date and Social Security number, was stolen and used to \napply for four credit cards.\n    The perpetrator turned out to be a manager at my former \nemployer who stole my information from employee records. She \nwas arrested in October of 2005 and charged with criminal \nimpersonation, a felony, for stealing my identity. She served 5 \nmonths in county jail only because she couldn't make bail, and \nthen she was ordered to undergo drug treatment for \nmethamphetamine addiction.\n    My perpetrator pleaded guilty on the felony charge in \nOctober of 2007 and was ordered to drug court, which is a \nprogram for nonviolent offenders with substance abuse problems. \nAt drug court graduation in January 2008, a total of four \nfelonies will be wiped clean from her criminal record like they \nnever existed after only a year and a half of drug treatment.\n    I have lost more than a nine-digit number from a piece of \npaper. This number happens to be the key to my financial past, \npresent and future, even though no one assigns monetary value \nto a Social Security number.\n    When I became a victim of identity theft, I was not \nprepared for the overwhelming feeling of helplessness. 
And I \nwas stunned at how quickly destruction came and how easy it was \nfor my perpetrator to open credit cards.\n    What I experienced was a deep sense of loss, including the \nsense of who I am, my entire core belief system, friends who \ndidn't understand what I was going through and a sense of \nsafety.\n    The worry and uncertainty caused me to change my physical \nappearance and intensely watch for strange people or cars \nfollowing me.\n    In April 2006, the trauma started to affect my personal \nlife working for a different employer. Because the original \ntheft happened in the workplace, I started to become very \nuncomfortable and wasn't able to function at a normal level \nwith my coworkers nor did I feel like I could trust management \nor my employer.\n    Shortly thereafter, the stress became too much to hide or \ncontrol. It started showing itself physically through my \ninability to sleep and increased paranoia, cloudy vision and \nforgetfulness. In May 2006, I sought counseling and was \nofficially diagnosed with post-traumatic stress disorder. I am \nnot a victim of a violent physical crime, but I certainly feel \nlike someone who is.\n    My reality is that I will never be in total control of how \nand when my Social Security will be used for the rest of my \nlife. I must always have my guard up.\n    My story does not end with heartache. It ends with hope. I \nhad a choice to make. I could either forget, let this crime \nruin my life, or create change. And the choice was easy.\n    I founded a nonprofit organization in 2006 called the \nIdentity Theft Action Council of Nebraska, and we educate \nconsumers about identity theft and provide victim resources.\n    I support tougher penalties and greater victim restitution \nincluded in this bill but would also like to offer a few \nsuggestions.\n    Criminal penalties and tools for law enforcement are only \npart of the solution. 
To more fully address the problem, \nCongress should require mandatory notification when personal \ninformation is breached and require mandatory data security \nrequirements for business and government, and also provide \nconsumers with affordable, easy-to-use security freeze rights.\n    This is the first time I have spoken publicly about the \ndepths of my pain with my crime, and I thank you for this \nopportunity. But my story only represents one person out of the \nmillions of Americans who become victims each year.\n    I would like to thank you again for this opportunity, and I \nwould be happy to answer any questions.\n    [The prepared statement of Ms. Napp follows:]\n\n                   Prepared Statement of Jaimee Napp\n\n    Chairman Conyers and members of the Subcommittee, thank you for \nthis opportunity to share my story today and for your leadership and \ninterest in this important issue. Today I will speak about my own \npersonal experience with identity theft, offer support for the Privacy \nand Cybercrime Enforcement Act of 2007 and provide additional \nsuggestions on what can be done to prevent identity theft. I hope my \nwords will give you a glimpse into what real people--real victims of \nidentity theft--are facing today and the depth of their suffering.\n    No one actively seeks out opportunities to tell the world about the \nmost vulnerable time in his or her life, but I speak today out of \nnecessity. It is time for change--for new protections for victims and \nnew tools to prevent ID theft--and time for identity theft victims to \nbecome visible to make that happen.\n\n                        HOW I BECAME VICTIMIZED:\n\n    I have regrets in my life as many people do. One of them was taking \na part-time job in 2004 and handing over my social security number to \nmy employer. It is an experience no one ever dreams could change your \nlife in such a drastic way. 
Unfortunately for my family and me, this \nchoice came with consequences for which I will pay for the rest of my \nlife. Because of this one innocent exchange of information with my \nemployer, I became a victim of identity theft.\n    In May 2005 my personal information, including my name, birth date \nand social security number, was stolen and used to apply for four \ncredit cards over the Internet. The perpetrator was a manager at my \nformer employer who stole my information from employee records. I \ntrusted my employer to keep these pieces of information safe and my \nemployer had failed me.\n    The perpetrator was not working in a position that should have had \naccess to employees' personal information. But the file cabinet holding \nmy information and that of twenty-three other employees was not kept \nlocked as corporate security policy stated it should be. My employer \nalso failed to complete a background check on the perpetrator, \nsomething also required by corporate policy. A background check would \nhave shown my manager's criminal record contained forgery and theft-by-\ndeception felony arrests.\n\n    HOW I DISCOVERED THE THEFT AND WHAT HAPPENED TO THE PERPETRATOR:\n\n    I am considered lucky because I was alerted to the crime soon after \nit occurred. One of the credit card companies called me to verify \ninformation on the application I had submitted. There was just one \nproblem. I never submitted an application. After many hours digging for \nclues on my credit reports, I found three other credit cards that had \nbeen applied for in my name.\n    I'm a member of a very small group of identity theft victims who \nhave experienced the arrest and prosecution of their perpetrator. My \nperpetrator was arrested in October 2005 and charged with criminal \nimpersonation--a felony--for stealing my identity. But the journey from \ninvestigation, arrest and charges was not an easy road. 
I had to fight \nevery day for seven months for someone to listen to me, pay attention to \nme and to acknowledge me.\n    There wasn't a day that I didn't want to give up and let the \nperpetrator win, but something kept me going. I believe the arrest and \nprosecution of my perpetrator only happened because of my sheer \ndetermination. Most victims give up because the feeling of helplessness \nis overwhelming. Identity theft victims are largely invisible to law \nenforcement and the judicial system. We are seen as victims of property \ncrime and many times not seen as victims at all.\n    My imposter served five months in county jail before going to court \nand being ordered to undergo drug treatment for methamphetamine \naddiction. Then for over a year and a half, I waited.\n    Finally in October 2007 the plea hearing for the case was held. My \nperpetrator pleaded guilty to felony criminal impersonation for \nstealing my identity and was ordered to drug court. For the past year \nand a half, my perpetrator was participating in the drug court program \nfor three additional felony charges.\n    In January 2008, my perpetrator will graduate from drug court and \nall four felonies will be wiped clean from her criminal record, like \nthey never existed. As I watch this happen, I stand before the court \ninvisible.\n\n                      IMPACT ON ME AND MY FAMILY:\n\n    On that day over two years ago I lost more than a nine-digit number \nfrom a piece of paper. No one assigns monetary value to a social \nsecurity number even though it is the key to my financial past, present \nand future.\n    Identity theft feels a lot like having your home being robbed. A \nburglar goes through all your possessions and belongings and takes \nitems you cannot replace. But before they leave, they steal the front \ndoor. Now what? Do you get a new door, change your locks, increase \nsecurity around your home or move if you don't feel safe? 
As an \nidentity theft victim none of these are options. You are helpless. \nImagine what it would be like to try to sleep at night without a front \ndoor protecting your family from the night. It's a scary proposition. \nYour choices would be to either stand guard twenty-four hours a day or \ngive up. Most identity theft victims give up.\n    I consider myself an educated woman and capable of handling a lot \nof what life throws at me. When I became a victim of identity theft, I \nwas not prepared for the overwhelming feeling of helplessness. There \nwas literally nothing I could do but watch as my strong credit score, \nthe result of years of hard work and sacrifice for my family's future \nhopes and dreams, was destroyed in a matter of moments. I am a young \nperson and what flashed before my eyes was my dream house which I \ndidn't live in yet, trips of a lifetime I dreamed of taking with my \nfamily and my eventual retirement. I was stunned at how quickly \ndestruction came and how easy it was for my perpetrator to execute.\n    What I experienced was a deep sense of loss of:\n\n        <bullet>  A sense of who I am\n\n        <bullet>  How I am portrayed to society\n\n        <bullet>  My core belief system\n\n        <bullet>  My internal intuition\n\n        <bullet>  My love of hobbies\n\n        <bullet>  My ability to express feelings and emotion\n\n        <bullet>  Friends who didn't understand what I was going \n        through\n\n        <bullet>  My safety and security\n\n    I had no idea how much information my perpetrator and their friends \nknew about me, but had to assume it was everything contained in my \ninitial job application--name, address, social security number, \neducation, references, phone numbers, previous work experience, birth \ndate and email. The worry and uncertainty caused me to change my \nphysical appearance, watch for strange cars around my home, watch for \npeople or cars following me. 
I even went to my local police department \nto request mug shots of my perpetrator's friends so I could identify \nthem if I was attacked.\n    In April 2006, this trauma started to affect my professional life \nwhile I was working for a different employer. Because the original \ntheft happened at work, I started to become very uncomfortable in the \nworkplace. I was not able to function at a normal level with co-workers \nnor could I trust management and my employer.\n    Shortly thereafter, the stress became too much to hide or control. \nIt started showing itself physically. They included cloudy vision; \nforgetfulness; increased heart rate; increasing paranoia; agitation; \nand inability to sleep.\n    In May 2006, I sought counseling and was officially diagnosed with \nPosttraumatic Stress Disorder--a definition adapted from the DSM-IV \n(American Psychiatric Association) as being exposed to a traumatic \nevent, re-experiencing the event, persistently avoiding things or \nevents, called triggers, associated with the trauma, persistent \nsymptoms of physical arousal, symptoms that last more than a month. \nBecause of these symptoms, there is significant impairment and distress \nin social, occupational or other important areas of functioning.\n    I understand this may be difficult to comprehend. I fought the \ndiagnosis, too. I'm not a soldier returning home from war; I'm not an \nassault victim; and I'm not a battered woman. I'm not a victim of \nviolent physical crime, but I feel like someone who is. What I've \nlearned is that no one can determine how a crime victim responds to the \ntrauma of any type of crime.\n    For a year I could not sleep through the night. I was awakened by \nevery car door I heard in the street, every gust of wind and every \nsound of the night. I had increasing nightmares and became isolated. 
I \nnumbed emotions and was paralyzed with irrational fear.\n    My counselor, in collaboration with another psychologist, \ndetermined that my trauma triggers and crime scene were associated with \nthe workplace. Even though my current work place was different, certain \nelements were constant. I was subjected to my trauma every day, all day \nand it became clear I needed a break.\n    My doctors determined I needed to be removed from the situation in \norder to learn how to cope, grieve for what I have lost, and respond to \nfeelings in order to return as a productive worker. Their official \ndiagnosis stated I needed three months away from work to complete this \ntask. Because this time off could not be arranged with my employer, I \nleft the job. Since then I have not been employed full-time by any \ncompany and my family continues to suffer from my lost wages.\n    Identity theft is a cycle of victimization that can last for years. \nI do believe I will be victimized again in my lifetime. There's nothing \nstopping my perpetrator from harming me again. There is no protection \norder I can request from law enforcement that will keep me safe. My \nreality is that I will never be in total control over how or when my \nsocial security number is used for the rest of my life.\n    For me, the damage was increased by the deliberateness of the \nperpetrator, whom I knew from a six-month working relationship and the \nindifference of law enforcement, the judicial system, my former \nemployer, my current employer, the credit bureaus, and creditors. To be \nclear, I do not place blame on these entities. They appear uneducated \nabout the harms they subject consumers to by either using lax security \nor by simply doing nothing at all. 
As I note below, more must be done \nto ensure that those who hold our financial futures in their hands are \nheld accountable for their failure to meet their responsibilities.\n\n                    HOW I TRANSFORMED MY EXPERIENCE:\n\n    My story does not end with heartache. It ends with hope. Early in \nmy journey I asked myself a lot of questions. Why isn't someone helping \nme? Why is this so difficult? Why am I constantly being asked to step \naside, given no answers or hope? I had a choice to make; either forget, \nlet this crime ruin my life or create change. The choice was easy and \nactually felt as though it chose me. As I asked myself those questions, \nI quickly realized I couldn't wait for someone else to do something. I \nhad to do it myself.\n    I founded a nonprofit organization in 2006 called the Identity \nTheft Action Council of Nebraska. Our mission is to educate about \nidentity theft, provide victim resources and help shape legislation \nthat empowers consumers. Our goals are to create a national model on \nhow to tackle identity theft issues and reduce its impact on victims' \nlives.\n    On this journey I have done things I have never imagined possible: \ntraveled, met with leaders in the field and seen the difference courage \nto speak out can make. I have spoken to local, state and national media \nabout identity theft.\n    I have testified before the Nebraska legislature and played an \nintegral part in the passage of the first consumer-led identity theft \nlegislation in the state that gave consumers the right to place a \nsecurity freeze on their credit files--a tool that prevents creditors \nfrom checking credit files, thus preventing ID thieves from opening new \naccounts.\n    In 2007 our organization has educated over 2,000 Nebraskans about \nidentity theft.\n    We have built relationships with Nebraska Attorney General, \nNebraska AARP, Consumers Union and other community groups. 
Our \norganization will continue to bring to the table groups and entities \nthat can contribute and facilitate discussions across the state on how \nwe can best help consumers and victims.\n\n                 WHAT SHOULD BE DONE ABOUT THE PROBLEM:\n\n    First, provide tougher penalties and greater victim restitution.\n    The Privacy and Cybercrime Enforcement Act addresses that aspect of \nthe problem by enhancing penalties and making it easier for victims to \nreceive restitution for out-of-pocket costs and the value of the time \nspent resolving the problems of ID theft. Because one of the long-term \nimpacts of ID theft is credit score damage--the cost of which may only \nlater be realized--I'd recommend that the Committee make clear that the \ntime spent resolving the problems of ID theft includes time spent \nrepairing one's credit score--a process that goes beyond just wiping \nerrors off one's credit file. In addition, I urge the committee to \nensure that the actual and potential higher cost of credit to a victim \nof ID theft is explicitly covered as an out of pocket cost for which \nrestitution is available.\n    But criminal penalties alone cannot solve the problem of ID theft.* \nIdentity theft has been a federal crime for many years, but those \npenalties didn't deter my perpetrator. Thus, criminal penalties and \ntools for law enforcement are only part of the solution. To more fully \naddress the problem, Congress should:\n\n        <bullet>  Require business and government to notify consumers \n        when they are at risk.* Congress should require mandatory \n        consumer notification when the security of sensitive personal \n        information held by businesses about their customers and their \n        employees is compromised. We need to know when we are at \n        heightened risk so we can take steps to protect ourselves. 
But \n        without requirements that we be notified, businesses have every \n        incentive to sweep any security breach incident under the \n        carpet. Tough penalties for failure to notify should also be \n        imposed. Your bill, while not providing for mandatory \n        notification, at least imposes penalties on those who do not \n        meet existing, albeit largely weak, notification requirements \n        under state and federal law.\n\n        <bullet>  Impose duties upon business and government to \n        safeguard our data.* Congress should couple mandatory \n        notification with mandatory requirements that private \n        businesses and government agencies adopt new data security \n        procedures and technologies. Doing so creates both strong \n        incentives and real obligations for businesses to protect \n        sensitive information to prevent any breach from occurring in \n        the first place. Tough penalties should be imposed for failure \n        to comply. More than likely, I wouldn't be here before you as a \n        victim of identity theft if my employer had simply locked a \n        file cabinet containing my social security number. Data \n        security can be achieved through both common-sense low-tech and \n        high-tech means, just as identity thieves use both low-tech and \n        high-tech means to perpetrate their crimes.\n\n        <bullet>  Provide consumers with security freeze rights.* \n        Congress should also provide consumers with affordable, easy to \n        use security freeze rights. Right now, though the rights exist \n        in many states, the freeze is still expensive and cumbersome \n        (consumers must submit freeze requests via mail and most states \n        don't provide for quick thaw allowing consumers to quickly and \n        securely lift the freeze when they want to access credit). 
And \n        the voluntary freeze the credit bureaus are making available is \n        too expensive, and it is a tool that they could withdraw at any \n        time. Plus, they have little incentive to promote its \n        availability because, with the freeze in place, it makes their \n        for-profit tools, like credit monitoring, irrelevant. Yet the \n        security freeze is the only tool we have to stop the cycle of \n        victimization of new account theft. It is not a luxury item and \n        shouldn't be priced as one.\n\n                              CONCLUSION:\n\n    Even though I have spoken many times about my victimization over \nthe past two years, this is the first time I have spoken about the \ndepth of my pain publicly. It was not easy to do. And because ID theft \nis a crime that rarely leaves physical marks, beyond tarnished credit \nrecords, it is not easy for those who haven't been victims to \nunderstand how deeply identity theft affects us. So I thank you for \nthis opportunity.\n    My story represents just one of the approximately ten million \nstories of Americans who were victimized by identity theft in 2005. I \njoin a group of roughly fifty million Americans who have become victims \nof this crime since 2003. Each victim has his or her own unique story \nof loss.\n    I applaud the committee again for your interest in the issue and \nurge you to move forward with your legislation. But I also urge \nCongress to do more. Congress must adopt tools that prevent these \ncrimes from occurring in the first place by imposing new duties on \nthose businesses and government agencies that hold the key to our \nidentities in their databases and filing cabinets. 
Congress should go \nbeyond criminal penalties and adopt strong protections without \ninterfering with existing state laws regarding notice of breach, \naffordable, easy to use security freeze rights for all Americans and \nobligations for all businesses and government entities to protect \nsensitive data.\n    Thank you again for this opportunity to testify.\n\n    Mr. Scott. Thank you very much for your very moving \ntestimony.\n    We will vote. There are three votes pending, and we will be \nback as soon as we can. It will probably be about 15 minutes.\n    [Recess.]\n    Mr. Scott. The Subcommittee will come to order.\n    The gentleman from California has approved starting off \nwithout the Ranking Member. So if the Ranking Member comes, he \ncan blame it on the gentleman from California.\n    Thank you.\n    Mr. Holleyman.\n\n   TESTIMONY OF ROBERT W. HOLLEYMAN, II, PRESIDENT AND CEO, \n           BUSINESS SOFTWARE ALLIANCE, WASHINGTON, DC\n\n    Mr. Holleyman. Mr. Chairman, Mr. Lungren, Mr. Coble, \nMembers of the Subcommittee, I want to thank you for the \nopportunity to testify today. There is an urgent need to update \nour Federal criminal laws. And law enforcement needs new tools \nto find and prosecute cyber criminals.\n    Why does the Business Software Alliance care about this \nissue? Several reasons. First, it hurts our member companies' \nbusinesses. Second, it hurts the development of electronic \ncommerce. And third, because it hurts the economy as a whole.\n    I want to thank you, Mr. Chairman, for calling this hearing \nand for the leadership you have shown in sponsoring the pending \nlegislation, H.R. 4175. I also want to commend Congressmen \nSchiff, Chabot, Mr. Lungren and others for their leadership in \nintroducing H.R. 2290 earlier this year.\n    Today's hearing could not come at a better time. We are in \nthe midst of the holiday season, and Americans will spend \nnearly $30 billion in online shopping activity. 
They will be \nable to shop at thousands of sites, compare products, services \nand get prices that would have been unavailable just a few \nyears ago because of the advances related to geography and \ncomparative shopping that are brought about by the Internet.\n    At the same time, we know--studies show that many \nindividuals are concerned about their safety when doing \nbusiness online, about the risk of criminals who might be \nlurking in cyberspace who want to steal their identity, their \nfinancial records or more. Unfortunately, these concerns are \nfully justified.\n    The reality is that we use our computers at home and the \noffice in ways today that were unimaginable the last time there \nwere major revisions in the Federal criminal laws. This has led \nto an evolution of cybercrime, and it has changed the type of \ncriminals.\n    Two big changes have occurred in computing. First is the \nsheer growth of the number of people using computers. The \nsecond is the fact that computers are now almost always on and \nconnected to the Internet. This has given criminals the \nopportunity to create malicious code that can be sent out \nsurreptitiously and can compromise thousands or hundreds of \nthousands of computers. This results in the creation of zombie \ncomputers that the criminal can then remotely control to carry \nout the attacks. The zombies may not themselves suffer monetary \ndamage, but they may become an unwitting accomplice in \nattacking other victims of financial crimes or identity theft \nor denial of service.\n    We also see that cybercrime today is overwhelmingly fueled \nby profit. Criminals used to write malicious code for the \nbragging rights. Today they do it for the money. And that is a \nchange.\n    What can Congress do about it? We believe that there is an \nurgent need to update our criminal laws to get law enforcement \nthe tools they need to respond to the changing nature of the \nthreat and the changing nature of cybercrime. 
We would suggest \ndoing this in five ways.\n    First, target botnets in ways that have been identified \ntoday by criminalizing cyber attacks on 10 or more computers \neven if they don't suffer more than $5,000 worth of damages.\n    Two, address new forms of cyber extortion.\n    Three, broaden the coverage of cybercrime laws to include \ncomputers affecting interstate and foreign commerce.\n    Fourth, attack organized cybercrime by creating an explicit \nconspiracy to commit cybercrime as an offense.\n    And fifth, strengthen penalties by calling for the \nforfeiture of computers and other equipment that are used to \nconduct crime and by adopting tougher sentencing guidelines.\n    Fortunately, there is broad congressional, law enforcement \nand industry support for such legislation. There are a number \nof pending bills, including H.R. 2290, that address these \nissues. Last month, the Senate adopted S. 2168, and finally, \nMr. Chairman, your bill does that with the exception of the \nprovision to target botnets, which we hope will be added to any \nfinal measure.\n    Of course H.R. 4175 has many other provisions, including \ndata breach notification and privacy. BSA understands the \nseriousness of the problems data breaches represent. We are \ncommitted to working with this Committee and with the six other \nCommittees who have jurisdiction over this legislation in data \nbreach to develop a comprehensive Federal legislation. But we \nare very concerned that the inclusion of data breach or privacy \nin cybercrime legislation will delay or prevent enactment.\n    In conclusion, we are eager to work with this Committee. We \nbelieve the time is now, and we encourage moving forward and \naddressing and closing the loopholes that exist under today's \ncybercrime laws.\n    Thank you.\n    [The prepared statement of Mr. Holleyman follows:]\n\n               Prepared Statement of Robert W. 
Holleyman\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mr. Scott. Thank you very much.\n    Ms. Coney.\n\n   TESTIMONY OF LILLIE CONEY, ASSOCIATE DIRECTOR, ELECTRONIC \n           PRIVACY INFORMATION CENTER, WASHINGTON, DC\n\n    Ms. Coney. Thank you, Chairman Scott, Ranking Member \nGohmert and Members of the Subcommittee for this opportunity to \ntestify on the bill H.R. 4175, the ``Privacy and Cybercrime \nEnforcement Act of 2007.''\n    My name is Lillie Coney. I am associate director at the \nElectronic Privacy Information Center. EPIC is a nonprofit \nresearch center based here in Washington, D.C. We focus on \nprivacy, civil liberties and constitutional values.\n    With me this afternoon is Jonathan David, a student at \nNortheastern Law School who assisted with the preparation of \nour statement. Our thanks go to the sponsor of the bill.\n    To a great degree, the lack of transparency on data \nbreaches, computer system breaches, anomalies and software \nfailures inhibits the ability of the government to proactively \naddress computer network vulnerabilities and enforce privacy \nlaws. The old saying that what you don't know won't hurt you \nhas rarely held true, and when it relates to data breaches, it \nis never true.\n    According to the Federal Trade Commission, for the seventh \nyear in a row, identity theft is the number one concern of \nAmerican consumers. We also know that 260 million Americans \nhave had data breaches impact them. The failings of private \nactors to manage the personally identifiable information \nentrusted to their care justify the passage of H.R. 
4175.\n    Further, a report from the Samuelson Clinic confirms that \nthe private sector is willing and able to act in putting in \nplace security measures to protect computer networks that house \npersonally identifiable information when that data--when data \nbreaches require, under statute, notification to consumers.\n    We appreciate that this bill will do what the Privacy Act \nshould have done: Include private data networks under the \nrequirements to protect personally identifiable information. \nThis is a key component for privacy protection afforded by fair \ninformation practices that are outlined in the Privacy Act.\n    The provisions of the bill do not preempt State law but \nrather create an important Federal baseline. As we have \nlearned, the States can respond more quickly than the Federal \nGovernment can to emerging privacy challenges, and it is very \nimportant that the Federal Government not limit the important \nwork of the States in this area.\n    The bill creates a great start on defining personally \nidentifiable information, but more needs to be done.\n    We are now seeing a tremendous increase in the collection \nof personal information in the form of biometrics, behavioral \ntargeting and associational information, all of which is \ncompletely unregulated.\n    The challenge for the Committee is to create a definition \nthat recognizes the ever-evolving risk data collection poses to \nprivacy.\n    EPIC endorses the bill language that requires technology \nprotection measures that render the data elements \nindecipherable. We note that significant data breaches have \noccurred because of poor security practices or circumvention of \nsecurity measures, such as removal of large quantities of data \nrecords from office locations on personal portable computer \ndevices that were subsequently lost or stolen.\n    Regarding the promulgation of the final privacy impact \nassessment, electronic records are illusive things. 
It may be \nvery difficult to enforce the intent of the provisions of this \nstatute.\n    For example, EPIC recently discovered in the midst of our \ninvolvement in an agency proceeding before the Federal Trade \nCommission regarding the proposed merger of Google and \nDoubleClick that the chair of the FTC's spouse's law firm, \nJones Day, represents one of the parties to the merger. Upon \nour making a complaint requesting the recusal of the chair from \nparticipation in the commission's decision-making role on the \nmerger request, the electronic document disappeared from the \nJones Day Web site.\n    This phenomenon of the disappearing of electronic documents \nis not limited to non-government Internet communications. It \nhas also been observed by EPIC and the actions taken by Federal \nGovernment agencies when publishing documents online.\n    In closing, I would like to thank the Subcommittee for this \nopportunity to speak on the record regarding the important \nmeasures set forth in H.R. 4175 and strongly endorse the \nefforts to address the issue of data breaches involving \npersonally identifiable information, and the efforts of the \nsponsors of the bill and the Subcommittee to make more \ntransparent the rule-making process related to privacy impact \nassessments.\n    Thank you.\n    [The prepared statement of Ms. 
Coney follows:]\n\n                   Prepared Statement of Lillie Coney\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mr. Scott. Thank you very much.\n    We will now have questions from the Members, and I will \nrecognize myself for 5 minutes at this time.\n    Mr. Lourie, Mr. Magaw, the Identity Theft Penalty \nEnhancement Act included $10 million authorized to track down \nidentity thieves. What have you done with the money?\n    Mr. Lourie. We have been actively pursuing identity theft \ncases around the country, Chairman Scott. In the last--between \n2005 and 2006, identity theft cases alone increased about 22 or \n23 percent from 1,500 and change to 1,900 and change.\n    Many of those were under the aggravated identity fraud \nstatute. Those numbers increased from 226 in 2005 to 507 in \n2006.\n    In addition, there are--the Secret Service and the FBI have \nbeen establishing task forces all over the country joining \ntogether with their Federal colleagues as well as local law \nenforcement and State law enforcement to attack identity crime \nat a local level and to ensure that as few of these cases as \npossible slip through the cracks.\n    Mr. Scott. So you are putting the $10 million to good use?\n    Mr. Lourie. Yes.\n    Mr. Scott. Did you run out of money?\n    Mr. Lourie. 
I don't know if we did, but I can get back to \nyou.\n    Mr. Scott. Well, if you are tracking down cases with the \nmoney, do you have enough? When one of the bills, the $10 \nmillion came out of, the original bill had $100 million, and we \nwere told by the Administration they didn't need any money so \nwe just left it $10 million; $10 million we got left. It seems \nto me that this ought to be a high priority, and I think the \nCommittee--maybe, I can't speak for the Committee--but I would \nbe willing to put some more authority so that you could track \ndown more thieves so that people will get the idea that they \nmight get caught.\n    Have you used up all of the $10 million so we might \nconsider increasing the authorization?\n    Mr. Lourie. As I sit here today, I can't tell you whether \nor not we have used up all of the $10 million, and I would be \nhappy to work with the Committee and get back to you on that.\n    Mr. Scott. If you have limited funds, you have to make \ndecisions. You have the $5,000 threshold. Anybody stealing less \nthan $5,000 is pretty much home free. What would it--how much \nwould it take to get cases under $5,000 also on your target \nlist?\n    Mr. Lourie. Well, I can't tell you how much it would take \nwith respect to money, if that is your question, for \nprosecution offices, U.S. Attorneys' Offices around the country \nto lower their thresholds or if the Department would support \nthat.\n    I can tell you that we have used the money that we have had \nto create these regional task forces to work together closely \nwith the State prosecutors' offices and State law enforcement, \nand train them in the investigation and prosecution of these \ntypes of crimes.\n    Mr. Scott. The problem with these cases, they are, in fact, \nlabor intensive because there is a lot of work that needs to be \ndone. 
And the information is there, but some of it might \ninclude, when you find out that somebody with a stolen credit \ncard has it delivered to a post office box, you may have to \nhave somebody sit out there until they come and pick it up. You \nhave to pay for that. That is an hourly rate.\n    So that many of these cases can be solved if you just had \nthe resources, and so we will work together to find out what \nresources you may need to lower the threshold, so if somebody \ngets the information, they may feel they have--they are at risk \nof actually getting caught.\n    Now if a database is breached, is the mere possession of \nthe database a crime?\n    Mr. Lourie. It depends if it is knowing. If a database is \nbreached and somebody extracts the information, then, yes. If \nit is unauthorized extraction, it is a crime.\n    Mr. Scott. Is buying a Social Security number from somebody \na crime before you actually--without using it----\n    Mr. Lourie. I don't have the statutes in front of me, but I \nbelieve under title 42, the Social Security statute, that that \npossession, if it is with intent to commit fraud, would be a \ncrime.\n    Mr. Scott. But mere possession, if you buy a Social Security \nnumber and that is all you have got, you don't know what they \nare going to do with it?\n    Mr. Lourie. Well, it is fairly easy to prove that somebody \nwho buys somebody else's Social Security number intends to \ncommit fraud with it.\n    But the answer to your question is, yes; if you could not \nprove that element, then you would not be able to satisfy the \nstatute.\n    Mr. Scott. Is phishing a crime?\n    Mr. Lourie. Phishing is a crime if it violates one of the \nstatutes set forth in 1030, the elements.\n    Mr. Scott. Do we need to make it clear that phishing is in \nfact a crime?\n    Mr. Lourie. No, Chairman Scott. 
I don't think it is \nnecessary--it is necessary to change the language of the bill \nthe way you have it now to indicate that phishing itself is a \ncrime. The language set forth in the bill is adequate to \ncapture those types of scams with the suggestions that we have \nset forth here today.\n    Mr. Scott. Several people have mentioned whether or not \njust putting a cookie on somebody's computer where you can \nextract information without so-called damaging the computer, is \nthat not trespassing or some crime, unauthorized placing of one \nof those cookies in somebody's computer so that you can get \ninformation? Isn't that some kind of crime?\n    Mr. Lourie. Well, what I would like to do is go back and \nget back to the Committee on that question.\n    Certainly it sounds like a variation of a botnet the way \nyou asked that question. But there are, depending on the way \nyou analyzed the statute and the various elements of the \nstatute, the intent of the person who puts it there is \nsignificant.\n    Mr. Scott. I have heard the suggestion that it ought to be \na crime if you do it to 10 computers. Is there any reason why \nif you do it to one computer, why that shouldn't be a crime?\n    Mr. Lourie. It may very well be a crime under various State \nstatutes. What we are attempting to do is bring more crimes \nwithin the purview of the Federal statute, not less.\n    Mr. Scott. So we will be working together on that.\n    The gentleman from Texas.\n    Mr. Gohmert. Thank you, Mr. Chairman.\n    Appreciate your testimony and appreciate your patience.\n    Just so I am clear on the BSA's position, does BSA support \na new Federal law that would require businesses to report or \nto notify consumers every time a security breach occurs?\n    Mr. Holleyman. We support the concept of a comprehensive \nFederal data breach bill that would address the issue of \nbusinesses notifying consumers when there is a significant or \nmajor breach that occurs.\n    Mr. 
Gohmert. My question is not whether we should have a \ncomprehensive bill that addresses that but whether you support \nactually requiring businesses to notify consumers when the \nbreaches occur.\n    Mr. Holleyman. We support notification to consumers under a \nproperly crafted definition of what a significant breach is \nwith other key components. For example, as one of my colleagues \non the panel spoke of, if information is encrypted or redacted \nor otherwise stored in such a fashion that it is not accessible \nwhen it is breached, there shouldn't be an obligation to \nnotify.\n    We also believe that there are a number of other important \nprovisions in an overall data security bill. That is simply one \nelement of a number of provisions we would like to see.\n    Mr. Gohmert. Ms. Napp, we appreciate your coming forward. \nApparently, we may not even know how many people have actually \nbeen adversely harmed as you have. And you mentioned that the \nperpetrator against you was going to have their record wiped \nclean after a year and a half of drug treatment apparently.\n    So let me ask. I know there have been laws, like in Texas \nwhere people have become so outraged about driving while \nintoxicated or driving under the influence, depending on what \nyour State calls it, or negligent infliction of harm through \ndriving while intoxicated, and people became outraged enough \nthey said, okay, let us have a law. No more deferred \nadjudication. If you commit this, it ought to be on your record \nfor good and you can't come out from under it.\n    By bringing that up, are you actually urging the \npossibility, at least in the Federal realm as far as we can, \nend deferred adjudication where it has to be on someone's \nrecord?\n    Ms. Napp. I was referring to my case as it stands and what \nis happening to me.\n    Mr. Gohmert. But I am asking. You were adversely affected. \nWhat do you think?\n    Ms. Napp. 
I personally don't think, you know, something \nlike this--I think it has to do with identity theft victims in \ngeneral. A lot of the time in the judicial system, we are not \nseen as victims of a crime a lot of times. And in my case, I \ndon't believe that I was seen as a victim when the judge at the \nplea hearing--he felt like a restitution hearing wouldn't be \nneeded because, how could I possibly have any type of out-of-\npocket costs, and that comment to me says, I don't see you.\n    Mr. Gohmert. Obviously the judge didn't understand the \ncrime. But it seems to me that as we contemplate this crime, \nwhat is a crime, that it brings to mind some of the lessons we \nlearned in law school about crimes of moral turpitude, and in \nsociety, we think those are more serious crimes because they \ninvolved a mens rea. They involved an intent.\n    You brought up intent a lot of times. It seems to me that \nthis ought to be one of those crimes that if you break into \nsomebody's computer, if you get their private information, then \nregardless of what the intent is, you know, the res ipsa \nloquitur ought to apply; the thing speaks for itself. You have \nthe intent and take that intentional aspect out of the proof \nthat you have to put on.\n    So think about it. It involves lying. It involves fraud. It \ninvolves theft. In some cases, like when recently a week or so \nago, it involved burglary to break in and put stuff on a \ncomputer so you could track what they were doing.\n    So I think this hearing is a great thing, and I do think we \nneed to make this bill as tough as possible so that America \nunderstands how serious this crime is.\n    I would like to ask. I note, Ms. Napp, you recommended \nrequiring mandatory notification when data is breached.\n    Let me ask you all. Who among the witnesses has actually \nread this bill that we are here about today? Anybody? Wow. 
All \nof you.\n    Well, I see my red light is on.\n    I would like to ask specifically if you could quickly say \nif you have any specific provisions that you would like to see \nchanged so we could make note of them and try to improve the \nlegislation.\n    Mr. Lourie, starting with you. If you have got a long list \nthere, I would like to hear the list.\n    Mr. Lourie. Thank you, Congressman.\n    Our recommendation and request would be to modify Section \n1030(a)5 regarding damage to computers, as we spoke about \nbefore, to add language that would make it a felony if the \nconduct affected 10 or more computers, and also to make it a \nmisdemeanor for damage under $5,000.\n    We would recommend modifications to Section 1028 and \n1028(a) to define persons to include corporations so that the \nstealing of identity of a corporation often used in phishing \nschemes would also be a crime under 1028.\n    We would also add certain crimes to the list that would be \npredicates for the aggravated felony under 1028(a), and we \nprovided those in our papers.\n    We would ask for a modification to 1030(a)7, which is the \nextortion statute, to enable that statute to reach threats to \ndo--to release--for example, to release information that had \nalready been stolen.\n    The way that the statute is drafted now, it covers threats \nto do damage but not necessarily threats related to damage \nalready done.\n    So we believe that the statute needs a little bit of \ntweaking there.\n    We have some suggestions for the forfeiture section to \ninclude real property and to change the language in one of the \nprongs from proceeds to gross proceeds.\n    And, finally, and perhaps most significantly, we request \nchanges or directives to the sentencing commission to focus not \njust on the sentences in general but certain specifics which \nwould include defining a victim as not just somebody who \nsuffers monetary loss but somebody who suffers an invasion of \nprivacy. 
And that relates to some of the topics that have \nalready been discussed in this hearing today. And in any event, \nit is hard to value information stolen.\n    Finally, with respect to the sentencing commission, we \nwould request that they be directed to look into the \naggravating factors that are already there or the enhancements \nthat are already in the statute, that they be accumulated \ninstead of now, applying whether they are the greatest of, is \nthe language that is now used.\n    We would also suggest an enhancement that the sentencing \ncommission look at whether there should be an enhancement for \ndisclosure of information stolen, because it is a separate harm \nand in some senses maybe even a more significant harm once \ninformation is stolen to disclose it, depending on how many \npeople it is disclosed to.\n    Thank you for that opportunity.\n    Mr. Gohmert. We have got five more, and I don't want to \nexceed my time that much. If I could ask the witnesses if you \ncould submit in writing any suggestions for changes to the \nlegislation, that would be greatly appreciated. And that would \ninclude all of you, including, Mr. Lourie, if you think of \nanything else. But thank you so much.\n    Mr. Scott. The gentleman from North Carolina.\n    Mr. Coble. We appreciate you all being here.\n    Mr. Holleyman, you responded to Mr. Gohmert's question \nregarding notifying consumers under a properly crafted statute. \nWould you also require--support the requirement that business \nnotify law enforcement?\n    Mr. Holleyman. Mr. Coble, I appreciate your follow-up \nquestion on that.\n    The answer is yes. We would support the requirement that \nbusinesses notify law enforcement when there is a breach, and I \nthink there is probably great clarity in terms of our support \nfor that.\n    Again, it is with the caveat that the requirement it needs \nto define what a significant breach is. 
It needs to ensure that \nthere is not notification if it is unnecessary, but the \nprinciple is worthwhile. We would hope that is addressed as \npart of a comprehensive breach bill.\n    Mr. Coble. Thank you, sir.\n    Mr. Winston, what steps does the FTC take to make sure that \nbusinesses adequately protect personal information from \nidentity thefts?\n    Mr. Winston. We go about this in several ways, beginning \nwith law enforcement. As I mentioned in my testimony, we have \nbrought 15 law enforcement cases now against companies that \nfailed to reasonably protect consumer data, in most cases \nleading to a data breach.\n    And in addition to law enforcement, we also do a lot of \nconsumer and business education and outreach. We have published \neducational materials. We are going to be holding regional \nseminars for businesses so that they understand what their \nobligations are and they understand what the consequences are \nif they don't meet their obligations.\n    Mr. Coble. Thank you, sir.\n    Are laws, Mr. Winston, requiring protection of personal \ninformation limited to certain industries or certain sectors, \nsuch as banking or other financial industries?\n    Mr. Winston. Yes, that is correct. There are a number of \ndata security laws that apply to different kinds of data or \ndifferent kinds of industries. The financial services industry \nis one; the health care industry is another.\n    As part of the Identity Theft Task Force recommendations, \nwe have supported a national data security law that would apply \nacross the board to any business that maintains personal \ninformation. We think that there should be one rule.\n    Mr. Coble. Thank you, sir.\n    Ms. Napp, how can we assist in improving restitution for \nidentity theft victims?\n    Ms. Napp. Thank you, sir, for that question.\n    I think what you are doing with allowing victims to count \ntheir time is very important. 
I think this is the first time \nthat we have actually seen some of that, because time is so \nmuch of what we deal with.\n    Mr. Coble. Now, fortunately I have never been a victim. How \ndoes one fairly and, if possible, easily restore one's credit \nrecord after having been a victim?\n    Ms. Napp. That one is--each----\n    Mr. Coble. It probably can't be done easily.\n    Ms. Napp. In my opinion, it is difficult. There are \nbarriers and things. And each person's victimization is \ndifferent, but the journey is not an easy one, I can tell you \nthat.\n    Mr. Coble. Well, again, thank you all for being here.\n    Mr. Chairman, note that I am yielding back before the red \nlight illuminates.\n    Mr. Scott. That is very kind of you, Mr. Coble.\n    The gentleman from California, Mr. Lungren.\n    Mr. Lungren. Thank you very much, Mr. Chairman. I didn't \nknow whether the Ranking Member needed more time for his \nquestions.\n    Mr. Scott. That is between you and the Ranking Member.\n    Mr. Gohmert. Thank you for yielding.\n    Mr. Lungren. Well, it must be a Texas thing.\n    Representative of the Justice Department and also the \ngentleman representing the FTC, I am concerned about this whole \narea, particularly, of identity theft. And if we enact \nlegislation, I would like to ensure that it actually works.\n    And one of the things that strikes me on the bill that we \nhave before us is that it acts a little differently than some \nother laws that I am aware of, which is that when the Congress \npreempts State law, it then gives the State AGs the authority \nto assist in the enforcement of Federal statutes.\n    This bill as drafted, as I understand it, allows that, but \ndoes no preemption at all. Is that unusual in law, in your \nexperience, or is that something that we see somewhere else?\n    Mr. Lourie. 
Well, with respect to our experience, I would \nbe happy to get back to the Committee on other areas where we \nhave seen this.\n    I will note that in the Task Force's strategic report, \nwhich is cochaired by the Department, they did recommend that \ntype of preemption.\n    Mr. Lungren. See, my concern is we are creating a lot of \ncriminalization of activity on a Federal level, and yet I \nwonder whether we have the resources to follow through with it \ntruly. And, therefore, is this really an attempt to create a \nFederal statute of criminal sanctions, but with the expectation \nthat it will truly be enforced by the States instead of the \nFeds? And if we are going to do that, we ought to know about \nthat.\n    But it seems to me a little different than we've done \nbefore. And maybe I am wrong. Maybe there are other areas of \nthe law. Maybe the gentleman from the FTC can help me on this.\n    Mr. Winston. As Mr. Lourie said, the Identity Theft Task \nForce, in some of its recommendations, particularly with regard \nto----\n    Mr. Lungren. Look, I understand they may have suggestions. \nI am asking, is this a precedent or is this something that we \nhave found in other areas of the law? That is what I am trying \nto figure out.\n    Mr. Winston. I think there are a number of laws that \nprovide for Federal preemption but allow for State attorney \ngeneral enforcement. The Fair Credit Reporting Act is one. So \nthat model is, I think, not uncommon.\n    Mr. Lungren. Where we have no preemption here, but still \nextending that.\n    Mr. Winston. Well, that I am not sure about. I know there \nare----\n    Mr. Lungren. Okay. That is what I am trying to figure out. 
\nIf you can help me in looking at that and submitting that for \nthe record.\n    Title 2 of the legislation authorizes a civil action with \ncivil penalties up to $500,000 or a million dollars if it is \nintentional from any business entity that--it says, ``from any \nbusiness entity that engages in conduct that constitutes a \nviolation of Federal law relating to data security.''\n    If you have had a chance to look at the bill, do you think \nthat limits it to for-profit entities only, or would that be \nnot-for-profit as well? And how would you look at it from the \nJustice Department standpoint?\n    Mr. Lourie. I am appearing here as a member of the Criminal \nDivision, so I did not scrub the civil sections of the bill. \nBut we would be happy to review that and get back to you on our \nopinions about whether or not it would cover both those types \nof entities.\n    Mr. Lungren. Okay. I am trying to sort of figure out where \nwe are here. Because I want a statute that works, but I also \nwant one that doesn't just sit on the books and we think it is \ngoing to work. Or, frankly, if we pass Federal laws that are \nprimarily being enforced by Federal authorities, to me that is \nextremely important, but it is more difficult for us to have \noversight if what we are doing is passing Federal laws that are \ngoing to be absolutely, if not exclusively--or primarily, if \nnot exclusively, prosecuted at the State level. And I wonder if \nthere are implications with respect to constitutional authority \nin that.\n    The way I read the bill--I would ask you if this seems to \nmake sense, because we can certainly change it--it looks like \nit provides an across-the-board maximum penalty of 20 years for \nall violations of Section 1030 of title 18.\n    Now, unless I missed something, that could be interpreted \nas meaning that failure to notify breaches would carry a \nharsher penalty for the businesses than for the ID thieves \nthemselves. 
To me, that doesn't sound like a proper priority. \nWould you agree with that, or is that something that you think \nmakes sense?\n    Mr. Lourie. I believe the way the bill was drafted, it \nprovides for a 5-year penalty, maximum penalty, for the failure \nto notify.\n    Mr. Lungren. So your answer is, that is what you would \nwant, rather than the way I thought it was written.\n    I have a lot more questions, but I would like to respect my \ntime limits and would yield back.\n    Mr. Scott. That is a novel concept on this Subcommittee, \nbut thank you.\n    The gentleman from Ohio.\n    Mr. Chabot. I thank the gentleman for yielding.\n    Mr. Holleyman, news reports indicate that crimes committed \nvia computers are becoming increasingly prevalent, and I know \nthat is what we have been discussing today, with as many as 10 \nmillion computers falling victim to hackers. FBI Director \nMueller is quoted as saying that, quote, ``Botnets are the \nweapon of choice for cyber criminals,'' unquote.\n    How urgent is it that we pass cybercrime legislation? And \ncan we afford to wait on cybercrime legislation while we \naddress other problems with Internet security?\n    Mr. Holleyman. Mr. Chabot, thank you for that question.\n    I think that it is imperative and urgent to pass cybercrime \nlegislation. I think there is broad agreement in both houses of \nCongress and across the aisle in terms of what loopholes need \nto be closed.\n    Your question is correct, the growth in botnets is an \nenormous problem. And that is bringing law-abiding citizens \nunwittingly into a process in which their computers are being \nhijacked and used to perpetrate crimes. It may slow down their \ncomputer, it may be a nuisance for them, but they don't \notherwise know what is happening. And we should not insist that \nlaw enforcement be required to show that there is $5,000 worth \nof damage to take action in that case.\n    So we believe the problem is immediate, and is growing. 
\nThere is a solution, and we hope the Congress moves quickly on \nthis.\n    Mr. Chabot. Thank you.\n    And are legislative efforts enough? And what can consumers \nand businesses do to protect themselves to minimize the threat \nof cybercrime?\n    Mr. Holleyman. Legislation is a key part, but it is not, by \nitself, the sole solution. There are public awareness \nactivities that are under way through the FTC and other \nagencies to build awareness of cybercrime. There are private-\nsector efforts to provide checklists to business owners of the \ntype of security products they need to deploy and security \nprocedures.\n    And finally, there are joint partnerships between industry \nand law enforcement. The National Cyber Forensic Training \nAlliance in Pittsburgh is just such an organization. BSA \nsupports it, as do many in the industry. They collect data on \ncybercrime, share that information with law enforcement, and \nassist with investigations.\n    So it takes a combined effort, of which legislation is only \none component, but it is an essential component.\n    Mr. Chabot. Thank you very much.\n    And, Mr. Chairman, as my colleague from North Carolina did, \nI would be happy to yield back my time at this time in the \ninterest of the rest of the Committee. I could divide it \nbetween the gentleman from Texas and the gentleman from \nCalifornia here, but I think I will just yield back.\n    Mr. Scott. Well, we will see.\n    The gentlelady from Texas.\n    Ms. Jackson Lee. Thank you very much, Mr. Chairman.\n    Let me thank you, Mr. Conyers, and the other cosponsors for \nmoving forward on what will continue to grow to be, maybe in \nsome eyes, an insurmountable problem as we become more \ntechnological and the sophistication of the technology that we \nuse becomes more finite, certainly, and more broadly utilized.\n    It seems that privacy in the midst of innovation is a \nstepchild. 
And I think that the Congress has a duty to ensure, \nas the ninth amendment instructed us to do, to not forget \nprivacy but also the abuse of too much information, identity \ntheft and otherwise. With the good comes the bad; with the \nbenefit comes the burden.\n    And so, Mr. Magaw, as it relates to the potential crime \nthat may come about through the misuse of this technology, \ncyber security, my question would be the ability and the need, \nif you will, to ensure coordination between all levels of law \nenforcement, even if you are speaking of, for example, in \nHouston, Texas, what we call layered police work.\n    We have, like, a constable that has a jurisdiction, maybe, \nof 750,000 or 800,000. Those are individuals that are closer to \nthe constituents. They are the ones who do the eviction work \nand otherwise. But, again, they are right there on the ground. \nAnd we have sheriffs, we have police officers, of course we \nhave the FBI, and of course the U.S. Secret Service, and just a \nnumber of layers.\n    So I would be interested in that.\n    I would be interested for Ms. Coney--and welcome--to again \nestablish for us how significant a problem is this whole issue \nof the invasion of our privacy. Give us, if you will, the \nbroadness of the problem and the depth of the problem, if you \nwill.\n    And I have another question, but let me yield to Mr. Magaw.\n    Mr. Magaw. Thank you very much.\n    We partner very well with State and local law enforcement, \nas well as Federal agencies. And we realize the importance of \nsharing information on different cases that we are working.\n    Quite frankly, across the country we have 29 different \nfinancial crimes task forces and 24 electronic crime task \nforces. Those task forces are built on sharing of information, \nnot only with law enforcement, with the private sector, as well \nas the academic community. 
I feel the sharing of the \ninformation with Federal, State and local law enforcement \naddresses those concerns that you have.\n    Ms. Jackson Lee. And let me just expand a little bit more. \nAre you in constant communication with local law enforcement? \nMaybe I have missed it. Are there task forces that are \naddressing this question?\n    Mr. Magaw. Yes. On all of our task forces, financial crimes \ntask forces, as well as electronic task forces, State and local \nlaw enforcements are key partners in those task forces. \nInformation is disseminated through them back to their \ndepartment, so that we are coordinating our efforts to address \nidentity theft.\n    Ms. Jackson Lee. Ms. Coney?\n    Ms. Coney. Thank you, Congresswoman Jackson Lee.\n    This is probably the most significant part of why data \nbreach is even being considered by this Committee. Millions of \nrecords of individuals are online or available through \nelectronic transfer. The question is whether it is the victim's \nresponsibility or whether it is the data holder's \nresponsibility to manage control of that information.\n    You have to remember, victims are in damage-control mode. \nThey have no idea that they have been attacked until they get \nnotice. When they get notice, they can react. Unfortunately, \nthe notice is usually coming because they have gotten some \ncommunication through the mail or looked at their credit report \nand that is when they know that someone has appropriated their \nidentity and literally stolen their names.\n    It takes hundreds of hours sometimes just to correct that \ninformation. 
And the mental anxiety and the stress that comes \nwith that is very difficult for people who have not been \nvictimized to even understand.\n    Those who are in possession of the data have an obligation, \na moral obligation--and it should be a legal obligation--to \ninform people when these things occur.\n    Now, the jurisdiction of this Committee limits what you can \ndo in that regard. You can hold data managers--because the data \nowners are really the people whose information they are \ncontrolling--make them responsible for reporting to a \nGovernment agency. That agency, in turn, will report through \nthe Federal Register a list of those entities who have had \ntheir data compromised.\n    I think this is a reasonable approach. The numbers of \nvictims--216 million Americans have been impacted by loss of \ndata. It is appropriate and definitely----\n    Ms. Jackson Lee. Is that in this legislation, what you have \njust recommended?\n    Ms. Coney. Yes, it is. The part that requires those \nentities that suspect that their data has been compromised must \nreport to the Secret Service the compromise. And the Secret \nService, in turn, once a year, will publish in the Federal \nRegister a list of those entities.\n    Ms. Jackson Lee. Thank you, Mr. Chairman.\n    Let me just comment and highlight Section 102 that provides \ncriminal penalties for those who don't provide the notice of \nthe security breach.\n    And, finally, might I say, what we don't have yet, which we \nexpect to have in the next couple of years, is electronic \nreporting of medical records. Once we add that large component \nrequired to the system, putting all medical facilities and \nphysicians online, we have an enhanced opportunity for abuse. \nAnd so I hope this legislation will move through this Committee \nand move to the floor and have the President's signature.\n    I yield back.\n    Mr. Scott. 
Thank you.\n    And I want to thank all of our witnesses for their \ntestimony.\n    Members may have additional questions to ask, and we will \nsubmit those to you in writing, and we would appreciate it if \nyou could respond as soon as possible so the answers can be \npart of the record.\n    Without objection, the hearing record will remain open for \n1 week for the submission of additional materials.\n    The Chairwoman of the Commercial and Administrative Law \nSubcommittee has offered a statement. She has reminded us that \nsome of the parts of the bill come under the jurisdiction of \nher Subcommittee, as well as most of it in this Committee, and \nso she has an interest in this legislation.\n    The gentleman from Texas.\n    Mr. Gohmert. Thank you, Mr. Chairman.\n    I was made aware that there may have been a study that \nactually deals with how often businesses notify consumers of \nbreach or loss of data. And is that right, Mr. Lourie?\n    Mr. Lourie. It is not a Government study, but there has \nbeen a study done.\n    Mr. Gohmert. Okay. Could you direct us to that and the \ninformation to follow?\n    Mr. Lourie. Yes, I will provide that information.\n    [The information referred to is available in the Appendix.]\n    Mr. Scott. And does that study indicate how often criminal \nactivity takes place after a breach?\n    Mr. Lourie. I don't know if it does. The only thing I know \nabout this study is that--and, again, this is not a Government \nstudy, and we cannot say with any degree of certainty whether \nit is accurate. But the only thing I know about the study as I \nsit here--and we will provide it to you--is that they estimate \nthat approximately 30 percent of breaches are reported by \nvictims.\n    Mr. Scott. 
 Thank you.\n    Without objection, the Committee stands adjourned.\n    [Whereupon, at 4:55 p.m., the Subcommittee was adjourned.]\n\n                            A P P E N D I X\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n\n       Prepared Statement of the Honorable Sheila Jackson Lee, a \n           Representative in Congress from the State of Texas\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n                                 ------                                \n\nPrepared Statement of the Honorable Linda T. Sanchez, a Representative \nin Congress from the State of California, and Chairwoman, Subcommittee \n                  on Commercial and Administrative Law\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n                                 ------                                \n\n Prepared Statement of the Honorable Lamar Smith, a Representative in \nCongress from the State of Texas, and Ranking Member, Committee on the \n                               Judiciary\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n                                 ------                                \n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n                                 ------                                \n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n                                 ------                                \n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n</pre></body></html>\n"