[Congressional Record Volume 158, Number 25 (Wednesday, February 15, 2012)]
[Senate]
[Pages S700-S702]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY:
  S. 2111. A bill to enhance punishment for identity theft and other 
violations of data privacy and security; read the first time.
  Mr. LEAHY. Mr. President, today, I am pleased to introduce the Cyber 
Crime Protection Security Act, a bill to strengthen our Nation's 
cybercrime laws. Developing a comprehensive strategy for cybersecurity 
is one of the most pressing challenges facing our Nation today, and an 
issue that the Senate will tackle in the coming weeks. A legislative 
response to the growing threat of cyber crime must be a part of that 
conversation.
  Protecting American consumers and businesses from cyber crime and 
other threats in cyberspace has long been a priority of the Senate 
Judiciary Committee. In September, the Committee favorably reported 
legislation which included a provision essentially identical to this 
bill as a part of the Personal Data Privacy and Security Act. Since 
then, I have worked closely with Senator Grassley to advance cyber 
crime legislation that will have strong bipartisan support.
  Cyber crime impacts all of us, regardless of political party or 
ideology. Recently, several Republican Senators stated the following in 
an opinion piece about the Senate's cybersecurity legislation: ``In 
addition, our nation's criminal laws must be updated to account for the 
growing number of cybercrimes. We support legislation to clarify and 
expand the Computer Fraud and Abuse Act--including increasing existing 
penalties, defining new offenses and clarifying the scope of current 
criminal conduct. These changes will ensure that our criminal laws keep 
pace with the ever-evolving threats posed by cybercriminals.'' I could 
not agree more. I hope that all Senators will support this bill and I 
urge the Senate to quickly pass this important legislation.
  We simply cannot afford to ignore the growing threat of cyber crime. 
A study released by Symantec Corp estimates that the cost of cybercrime 
globally is $114 billion a year. During the past year, we have 
witnessed major data breaches at Sony, Epsilon, RSA, the International 
Monetary Fund, and Lockheed Martin, just to name a few. In addition, 
our Government computer networks have not been spared, as evidenced by 
the hacking incidents involving the websites of the Senate and Central 
Intelligence Agency.
  The Cyber Crime Protection Security Act takes several important steps 
to combat cyber crime. First, the bill updates the Federal RICO statute 
to add violations of the Computer Fraud and

[[Page S701]]

Abuse Act to the definition of racketeering activity, so that the 
Government can better prosecute organized criminal activity involving 
computer fraud. Second, the bill streamlines and enhances the penalty 
structure under the Computer Fraud and Abuse Act. To address cyber 
crime involving the trafficking of consumers' passwords, the bill also 
expands the scope of the offense for trafficking in passwords under 
title 18, United States Code, section 1030(a)(6) to include passwords 
used to access a protected Government or non-government computer, and 
to include any other means of unauthorized access to a Government 
computer.
  In addition, the bill clarifies that both conspiracy and attempt to 
commit a computer hacking offense are subject to the same penalties as 
completed, substantive offenses, and the bill adds new forfeiture tools 
to help the Government recover the proceeds of illegal activity.
  This legislation also strengthens the legal tools available to law 
enforcement to protect our nation's critical infrastructure, by adding 
a new criminal offense that would make it a felony to damage a computer 
that manages or controls national defense, national security, 
transportation, public health and safety, or other critical 
infrastructure systems or information. Lastly, the bill clarifies that 
relatively innocuous conduct, such as violating a terms of use 
agreement, should not be prosecuted under the Computer Fraud and Abuse 
Act.
  The bill is strongly supported by the Department of Justice, which is 
on the front lines of the battle against cybercrime. In fact, the 
criminal law updates in this bill were a part of the cybersecurity 
proposal that President Obama delivered to Congress last May. We must 
give the dedicated prosecutors and investigators in our Government the 
tools that they need to address criminal activity in cyberspace.
  To build a secure future for our Nation and its citizens in 
cyberspace, Congress must work together, across party lines and 
ideology, to address the dangers of cybercrime and other cyber threats. 
It is in that cooperative spirit that I urge all Senators to support 
this important cybercrime legislation.
  There being no objection, the text of the bill was ordered to be 
printed in the Record as follows:

                                S. 2111

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Cyber Crime Protection 
     Security Act''.

     SEC. 2. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH 
                   UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE 
                   INFORMATION.

       Section 1961(1) of title 18, United States Code, is amended 
     by inserting ``section 1030 (relating to fraud and related 
     activity in connection with computers) if the act is a 
     felony,'' before ``section 1084''.

     SEC. 3. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     paragraph (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 1 year, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (D), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both; or
       ``(D) a fine under this title, imprisonment for not more 
     than 1 year, or both, for any other offense under subsection 
     (a)(5);
       ``(6) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(7) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section..''.

     SEC. 4. TRAFFICKING IN PASSWORDS.

       Section 1030(a) of title 18, United States Code, is amended 
     by striking paragraph (6) and inserting the following:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in--
       ``(A) any password or similar information or means of 
     access through which a protected computer as defined in 
     subparagraphs (A) and (B) of subsection (e)(2) may be 
     accessed without authorization; or
       ``(B) any means of access through which a protected 
     computer as defined in subsection (e)(2)(A) may be accessed 
     without authorization.''.

     SEC. 5. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``for the completed offense'' after ``punished 
     as provided''.

     SEC. 6. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such person's interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 of title 18, 
     United States Code, relating to civil forfeitures, except 
     that such duties as are imposed on the Secretary of the 
     Treasury under the customs laws described in section 981(d) 
     of title 18, United States Code, shall be performed by such 
     officers, agents and other persons as may be designated for 
     that purpose by the Secretary of Homeland Security or the 
     Attorney General.''.

     SEC. 7. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``SEC. 1030A. AGGRAVATED DAMAGE TO A CRITICAL INFRASTRUCTURE 
                   COMPUTER.

       ``(a) Definitions.--In this section--
       ``(1) the terms `computer' and `damage' have the meanings 
     given such terms in section 1030; and
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or

[[Page S702]]

     controls systems or assets vital to national defense, 
     national security, national economic security, public health 
     or safety, or any combination of those matters, whether 
     publicly or privately owned or operated, including--
       ``(A) gas and oil production, storage, and delivery 
     systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public.
       ``(b) Offense.--It shall be unlawful to, during and in 
     relation to a felony violation of section 1030, intentionally 
     cause or attempt to cause damage to a critical infrastructure 
     computer, and such damage results in (or, in the case of an 
     attempt, would, if completed have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be fined under this title, imprisoned for not less than 
     3 years nor more than 20 years, or both.
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for the felony violation section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The table of 
     sections for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``Sec. 1030A. Aggravated damage to a critical infrastructure 
              computer.''.

     SEC. 8. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.
                                 ______