[Congressional Record Volume 153, Number 156 (Tuesday, October 16, 2007)]
[Senate]
[Pages S12938-S12940]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY (for himself, Mr. Specter, Mr. Grassley, Mr. Nelson 
        of Florida, and Mr. Durbin):
  S. 2168. A bill to amend title 18, United States Code, to enable 
increased federal prosecution of identity theft crimes and to allow for 
restitution to victims of identity theft; to the Committee on the 
Judiciary.
  Mr. LEAHY. Mr. President, this month the Nation is observing National 
Cyber Security Awareness Month and, today, I am pleased to have Senator 
Specter join me in introducing our Identity Theft Enforcement and 
Restitution Act of 2007. This bipartisan criminal bill will provide new 
tools to federal prosecutors to combat identity theft and other cyber 
crimes.
  Senator Specter has been a valuable partner in addressing the growing 
problem of identity theft for many years. When he served as Chairman of 
the Judiciary Committee, we worked closely together on comprehensive 
data privacy legislation to combat identity theft. During my tenure as 
Chairman, we have continued our efforts to enact comprehensive data 
privacy legislation. I appreciate Senator Specter's willingness to work 
with me once again on this important privacy issue and I look forward 
to our close partnership yielding results in this Congress.
  When Senator Specter and I first introduced our comprehensive data 
privacy bill in 2005, we both knew that there was an urgent need to 
bring data privacy reforms to the American people. The Judiciary 
Committee has twice favorably reported the Leahy-Specter Personal Data 
Privacy and Security Act, most recently in May 2007, and that important 
privacy bill is now

[[Page S12939]]

awaiting consideration by the full Senate as S.495. The privacy reforms 
in that bill are long overdue and I sincerely hope that the Senate will 
fulfill its obligation to bring meaningful privacy protections to the 
American people.
  The bipartisan Identity Theft Enforcement and Restitution Act that we 
are introducing today takes several important steps to build upon our 
past efforts to protect Americans from the dangers of identity theft. 
First, our bill provides the victims of identity theft with the ability 
to seek restitution in Federal court for the loss of time and money 
spent restoring their credit and remedying the harms of identity theft. 
Unfortunately, under current law, restitution for identity theft 
victims is only available to recover the direct financial costs 
incurred by victims, such as recovering funds for unauthorized credit 
card charges. But, many identity theft victims incur other, indirect 
costs, such as lost wages due to time taken off from work to resolve 
credit disputes. Our bill amends the Federal criminal code to clarify 
that restitution orders in identity theft cases may include a recovery 
of these kinds of indirect costs, so that identity theft victims can be 
made whole.
  Second, to address the more sophisticated and complex identity theft 
crimes committed in today's digital era, our bill also expands the 
scope of the Federal identity theft statutes so that the law keeps up 
with the ingenuity of today's identity thieves. The bill expands the 
definition of ``aggravated identity theft'' under existing law, to 
include the crime of ``conspiracy'' to commit any of the crimes defined 
as aggravated identity theft in the criminal code. The bill also adds 
three new crimes--passing counterfeit securities, mail theft, and tax 
fraud--to the list of predicate offenses for aggravated identity theft. 
In order to better deter this kind of criminal activity, the bill 
significantly increases the criminal penalties for these crimes.
  In addition, our bill addresses several growing and disturbing trends 
in the area of cyber crime. To address the increasing number of 
computer hacking crimes that involve computers located within the same 
state, the bill eliminates the jurisdictional requirement that a 
computer's information must be stolen through an interstate or foreign 
communication in order to federally prosecute this crime. Our bill also 
addresses the growing problem of the malicious use of spyware to steal 
sensitive personal information, by amending the criminal code to 
eliminate the requirement that the loss resulting from the damage to a 
victim's computer must exceed $5,000 in order to federally prosecute 
this offense.
  Our bill also addresses the increasing number of cyber attacks on 
multiple computers, by making it a felony to employ spyware or 
keyloggers to damage ten or more computers, regardless of the aggregate 
amount of damage caused. By making this crime a felony, the bill 
ensures that the most egregious identity thieves will not escape with 
minimal punishment under Federal cyber crime laws.
  Lastly, our bill strengthens the protections for American businesses 
which are more and more becoming the focus of identity thieves. Because 
in today's digital economy, cyber-criminals often seek to extort money 
from American businesses without explicitly threatening to shut down or 
otherwise cause damage to a company computer, our bill amends the 
Federal criminal code to expressly cover extortion plots that do not 
involve a specific threat to damage a computer. The current law does 
not reach this kind of bad conduct; but, our bill corrects this 
shortcoming by adding two new causes of action under the cyber 
extortion statute, threatening to obtain or release information from a 
protected computer and demanding money in relation to a protected 
computer, so that this bad conduct can be federally prosecuted. In 
addition, because a business as well as an individual can be a prime 
target for identity theft, our bill also closes several gaps in the 
federal identity theft and the aggravated identity theft statutes, so 
that identity thieves who steal sensitive information belonging to a 
small business or a corporation may also be prosecuted under these 
laws.
  Senator Specter and I have worked closely with the Department of 
Justice in crafting this criminal legislation and the Leahy-Specter 
Identity Theft Enforcement and Restitution Act has the strong support 
of the Department of Justice, the Secret Service and the Federal 
prosecutors and investigators who are on the front lines of the battle 
against identity theft and other cyber crimes. The bill is also 
supported by the business community and consumer groups.
  Enacting good, bipartisan legislation to combat identity theft and to 
protect American consumers should be one of the Senate's top 
legislative priorities. Senator Specter and I are deeply committed to 
bringing long overdue data privacy protections to the American people. 
I hope that all Members of the Senate will join with us in supporting 
this important privacy legislation.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                S. 2168

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Identity Theft Enforcement 
     and Restitution Act of 2007''.

     SEC. 2. CRIMINAL RESTITUTION.

       Section 3663(b) of title 18, United States Code, is 
     amended--
       (1) in paragraph (4), by striking ``; and'' and inserting a 
     semicolon;
       (2) in paragraph (5), by striking the period at the end and 
     inserting ``; and''; and
       (3) by adding at the end the following:
       ``(6) in the case of an offense under sections 1028(a)(7) 
     or 1028A(a) of this title, pay an amount equal to the value 
     of the time reasonably spent by the victim in an attempt to 
     remediate the intended or actual harm incurred by the victim 
     from the offense.''.

     SEC. 3. PREDICATE OFFENSES FOR AGGRAVATED IDENTITY THEFT AND 
                   MISUSE OF IDENTIFYING INFORMATION OF 
                   ORGANIZATIONS.

       (a) Identity Theft.--Section 1028 of title 18, United 
     States Code, is amended--
       (1) in subsection (a)(7), by inserting ``(including an 
     organization as defined in section 18 of this title)'' after 
     ``person''; and
       (2) in subsection (d)(7), by inserting ``or other person'' 
     after ``specific individual''.
       (b) Aggravated Identity Theft.--Section 1028A of title 18, 
     United States Code, is amended--
       (1) in subsection (a)(1), by inserting ``(including an 
     organization as defined in section 18 of this title)'' after 
     ``person''; and
       (2) in subsection (c)--
       (A) in the matter preceding paragraph (1), by inserting ``, 
     or a conspiracy to commit such a felony violation,'' after 
     ``any offense that is a felony violation'';
       (B) by redesignating--
       (i) paragraph (11) as paragraph (14);
       (ii) paragraphs (8) through (10) as paragraphs (10) through 
     (12), respectively; and
       (iii) paragraphs (1) through (7) as paragraphs (2) through 
     (8), respectively;
       (C) by inserting prior to paragraph (2), as so 
     redesignated, the following:
       ``(1) section 513 (relating to making, uttering, or 
     possessing counterfeited securities);'';
       (D) by inserting after paragraph (8), as so redesignated, 
     the following:
       ``(9) section 1708 (relating to mail theft);'';
       (E) in paragraph (12), as so redesignated, by striking ``; 
     or'' and inserting a semicolon; and
       (F) by inserting after paragraph (12), as so redesignated, 
     the following:
       ``(13) section 7201, 7206, or 7207 of title 26 (relating to 
     tax fraud); or''.

     SEC. 4. ENSURING JURISDICTION OVER THE THEFT OF SENSITIVE 
                   IDENTITY INFORMATION.

       Section 1030(a)(2)(C) of title 18, United States Code, is 
     amended by striking ``if the conduct involved an interstate 
     or foreign communication''.

     SEC. 5. MALICIOUS SPYWARE, HACKING AND KEYLOGGERS.

       (a) In General.--Section 1030 of title 18, United States 
     Code, is amended--
       (1) in subsection (a)(5)--
       (A) by striking subparagraph (B); and
       (B) in subparagraph (A)--
       (i) by striking ``(A)(i) knowingly'' and inserting ``(A) 
     knowingly'';
       (ii) by redesignating clauses (ii) and (iii) as 
     subparagraphs (B) and (C), respectively; and
       (iii) in subparagraph (C), as so redesignated, by striking 
     ``; and'' and inserting a period;
       (2) in subsection (c)--
       (A) in paragraph (2)(A), by striking ``(a)(5)(A)(iii),'';
       (B) in paragraph (3)(B), by striking ``(a)(5)(A)(iii),'';
       (C) by amending paragraph (4) to read as follows:
       ``(4)(A) except as provided in subparagraphs (E) and (F), a 
     fine under this title, imprisonment for not more than 5 
     years, or both, in the case of--
       ``(i) an offense under subsection (a)(5)(B), which does not 
     occur after a conviction for another offense under this 
     section, if the offense caused (or, in the case of an 
     attempted offense, would, if completed, have caused)--
       ``(I) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding

[[Page S12940]]

     brought by the United States only, loss resulting from a 
     related course of conduct affecting 1 or more other protected 
     computers) aggregating at least $5,000 in value;
       ``(II) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(III) physical injury to any person;
       ``(IV) a threat to public health or safety;
       ``(V) damage affecting a computer used by or for an entity 
     of the United States Government in furtherance of the 
     administration of justice, national defense, or national 
     security; or
       ``(VI) damage affecting 10 or more protected computers 
     during any 1-year period; or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(B) except as provided in subparagraphs (E) and (F), a 
     fine under this title, imprisonment for not more than 10 
     years, or both, in the case of--
       ``(i) an offense under subsection (a)(5)(A), which does not 
     occur after a conviction for another offense under this 
     section, if the offense caused (or, in the case of an 
     attempted offense, would, if completed, have caused) a harm 
     provided in subclauses (I) through (VI) of subparagraph 
     (A)(i); or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(C) except as provided in subparagraphs (E) and (F), a 
     fine under this title, imprisonment for not more than 20 
     years, or both, in the case of--
       ``(i) an offense or an attempt to commit an offense under 
     subparagraphs (A) or (B) of subsection (a)(5) that occurs 
     after a conviction for another offense under this section; or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, in the case of--
       ``(i) an offense or an attempt to commit an offense under 
     subsection (a)(5)(C) that occurs after a conviction for 
     another offense under this section; or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(E) if the offender attempts to cause or knowingly or 
     recklessly causes serious bodily injury from conduct in 
     violation of subsection (a)(5)(A), a fine under this title, 
     imprisonment for not more than 20 years, or both;
       ``(F) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both; or
       ``(G) a fine under this title, imprisonment for not more 
     than 1 year, or both, for--
       ``(i) any other offense under subsection (a)(5); or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph.''; and
       (D) by striking paragraph (5); and
       (3) in subsection (g)--
       (A) in the second sentence, by striking ``in clauses (i), 
     (ii), (iii), (iv), or (v) of subsection (a)(5)(B)'' and 
     inserting ``in subclauses (I), (II), (III), (IV), (V), or 
     (VI) of subsection (c)(4)(A)(i)''; and
       (B) in the third sentence, by striking ``subsection 
     (a)(5)(B)(i)'' and inserting ``subsection (c)(4)(A)(i)(I)''.
       (b) Conforming Changes.--Section 2332b(g)(5)(B)(i) of title 
     18, United States Code, is amended by striking 
     ``1030(a)(5)(A)(i) resulting in damage as defined in 
     1030(a)(5)(B)(ii) through (v)'' and inserting ``1030(a)(5)(A) 
     resulting in damage as defined in 1030(c)(4)(A)(i)(II) 
     through (VI)''.

     SEC. 6. CYBER-EXTORTION.

       Section 1030(a)(7) of title 18, United States Code, is 
     amended to read as follows:
       ``(7) with intent to extort from any person any money or 
     other thing of value, transmits in interstate or foreign 
     commerce any communication containing any--
       ``(A) threat to cause damage to a protected computer;
       ``(B) threat to obtain information from a protected 
     computer without authorization or in excess of authorization 
     or to impair the confidentiality of information obtained from 
     a protected computer without authorization or by exceeding 
     authorized access; or
       ``(C) demand or request for money or other thing of value 
     in relation to damage to a protected computer, where such 
     damage was caused to facilitate the extortion;''.

  Mr. SPECTER. Mr. President, I seek recognition today to discuss the 
Identity Theft Enforcement and Restitution Act of 2007, which I am 
introducing with Senator Leahy.
  In 2006, some 8.4 million Americans became victims to identity theft. 
Victims are often left with a bad credit report and must spend months 
and even years regaining their financial health. In the meantime, 
victims have difficulty getting credit, obtaining loans, renting 
apartments, and even getting hired. On a national level, experts 
estimate that identity theft costs the U.S. economy $49.3 billion last 
year and costs each victim an average of $617.
  Identity thieves frequently acquire a person's existing credit 
account information and then purchase products and services using 
either the actual credit card or simply the account number and 
expiration date. They also use Social Security numbers and other 
identifying information to open new accounts in a person's name. 
Identity thieves frequently obtain both existing account information 
and the information needed to open new accounts electronically--either 
by gaining unauthorized access to a computer or by fraudulently 
inducing victims to provide such information.
  The Identity Theft Enforcement and Restitution Act will provide 
Federal prosecutors with new tools to combat identity theft.
  First, the bill will expand Federal computer fraud statutes to cover 
business organizations. Identity thieves frequently impersonate 
businesses in order to steal sensitive personal information from 
consumers. However, current law only provides for prosecution of 
identity theft perpetrated against an individual.
  Under the bill, prosecutors will be able to go after identity thieves 
even when the computer they use to steal information is located in the 
same State as the victim's computer. Under current law, Federal courts 
only have jurisdiction if the thief uses an interstate communication to 
access the victim's computer.
  The bill will make it a crime to threaten to steal or release 
information from a computer. Under current law, prosecutors can only 
bring extortion charges against those who threaten to shut down or 
damage a computer.
  The bill will make it a crime to use malicious ``spyware'' to damage 
a computer, regardless of the amount of damage. Under current law, 
damage to a victim's computer must exceed $5,000 before a prosecutor 
can bring charges.
  The bill will also increase the penalties Federal prosecutors can 
seek for identity theft.
  The bill will enable prosecutors to seek enhanced penalties where a 
violation of the Federal computer fraud statutes includes conspiracy.
  Prosecutors also will be able to seek enhanced penalties where a 
violation of the Federal computer fraud statutes involves passing 
counterfeit securities, mail theft, and tax fraud.
  Finally, and perhaps most importantly, the bill will enable Federal 
prosecutors to seek restitution for the time and money that victims 
spend restoring their credit. The impact of identity theft is not 
limited to direct financial loss. Victims frequently spend significant 
amounts of time fixing or monitoring credit reports and disputing 
charges with individual creditors. The Federal Trade Commission has 
reported that victims spend an average of 30 hours trying to resolve 
identity theft-related issues with banks, credit agencies, and other 
institutions. According to the FTC, a total of 297 million hours were 
expended in 1 year by victims trying to deal with the impact of 
identity theft.
  The Criminal Code currently allows prosecutors to seek restitution 
for the direct financial losses that victims experience. However, the 
code does not expressly permit prosecutors to obtain restitution for 
the time and money victims spend resolving the problems that arise as a 
result of identity theft. The Identity Theft Enforcement and 
Restitution Act of 2007 will allow prosecutors to seek restitution from 
a criminal defendant for the time and resources victims spend trying to 
repair their credit. The bill will require judges to determine the 
amount of time reasonably spent and the value of the victim's time.
  Many of these provisions were included in the recommendations of the 
President's Identity Theft Task Force. These changes were recommended 
by the agency responsible for prosecuting identity theft, the Justice 
Department. I expect broad bipartisan support for this bill, and I urge 
my colleagues to support it.
                                 ______