[Congressional Record (Bound Edition), Volume 153 (2007), Part 23]
[Senate]
[Pages 31675-31679]
[From the U.S. Government Publishing Office, www.gpo.gov]




         IDENTITY THEFT ENFORCEMENT AND RESTITUTION ACT OF 2007

  Mr. SALAZAR. Mr. President, I ask unanimous consent that the Senate 
proceed to the immediate consideration of Calendar No. 459, S. 2168.
  The PRESIDING OFFICER. The clerk will report the bill by title.
  The assistant legislative clerk read as follows:

       A bill (S. 2168) to amend title 18 United States Code to 
     enable increased Federal prosecution of identity theft crimes 
     and to allow for restitution to victims of identity theft.

  There being no objection, the Senate proceeded to consider the bill, 
which had been reported from the committee on the Judiciary, with 
amendments, as follows:
  (The parts of the bill intended to be stricken are shown in boldface 
brackets and the parts of the bill intended to be inserted are shown in 
italics.)

                                S. 2168

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Identity Theft Enforcement 
     and Restitution Act of 2007''.

     SEC. 2. CRIMINAL RESTITUTION.

       Section 3663(b) of title 18, United States Code, is 
     amended--
       (1) in paragraph (4), by striking ``; and'' and inserting a 
     semicolon;
       (2) in paragraph (5), by striking the period at the end and 
     inserting ``; and''; and
       (3) by adding at the end the following:
       ``(6) in the case of an offense under sections 1028(a)(7) 
     or 1028A(a) of this title, pay an amount equal to the value 
     of the time reasonably spent by the victim in an attempt to 
     remediate the intended or actual harm incurred by the victim 
     from the offense.''.

     SEC. 3. PREDICATE OFFENSES FOR AGGRAVATED IDENTITY THEFT AND 
                   MISUSE OF IDENTIFYING INFORMATION OF 
                   ORGANIZATIONS.

       (a) Identity Theft.--Section 1028 of title 18, United 
     States Code, is amended--
       (1) in subsection (a)(7), by inserting ``(including an 
     organization as defined in section 18 of this title)'' after 
     ``person''; and
       (2) in subsection (d)(7), by inserting ``or other person'' 
     after ``specific individual''.
       (b) Aggravated Identity Theft.--Section 1028A of title 18, 
     United States Code, is amended--
       (1) in subsection (a)(1), by inserting ``(including an 
     organization as defined in section 18 of this title)'' after 
     ``person''; and
       (2) in subsection (c)--
       (A) in the matter preceding paragraph (1), by inserting ``, 
     or a conspiracy to commit such a felony violation,'' after 
     ``any offense that is a felony violation'';
       (B) by redesignating--
       (i) paragraph (11) as paragraph (14);
       (ii) paragraphs (8) through (10) as paragraphs (10) through 
     (12), respectively; and
       (iii) paragraphs (1) through (7) as paragraphs (2) through 
     (8), respectively;
       (C) by inserting prior to paragraph (2), as so 
     redesignated, the following:
       ``(1) section 513 (relating to making, uttering, or 
     possessing counterfeited securities);'';
       (D) by inserting after paragraph (8), as so redesignated, 
     the following:
       ``(9) section 1708 (relating to mail theft);'';
       (E) in paragraph (12), as so redesignated, by striking ``; 
     or'' and inserting a semicolon; and
       (F) by inserting after paragraph (12), as so redesignated, 
     the following:
       ``(13) section 7201, 7206, or 7207 of title 26 (relating to 
     tax fraud); or''.

     SEC. 4. ENSURING JURISDICTION OVER THE THEFT OF SENSITIVE 
                   IDENTITY INFORMATION.

       Section 1030(a)(2)(C) of title 18, United States Code, is 
     amended by striking ``if the conduct involved an interstate 
     or foreign communication''.

     SEC. 5. MALICIOUS SPYWARE, HACKING AND KEYLOGGERS.

       (a) In General.--Section 1030 of title 18, United States 
     Code, is amended--
       (1) in subsection (a)(5)--
       (A) by striking subparagraph (B); and
       (B) in subparagraph (A)--
       (i) by striking ``(A)(i) knowingly'' and inserting ``(A) 
     knowingly'';
       (ii) by redesignating clauses (ii) and (iii) as 
     subparagraphs (B) and (C), respectively; and
       [(iii) in subparagraph (C), as so redesignated, by striking 
     ``; and'' and inserting a period;]
       (iii) in subparagraph (C), as so redesignated--

       (I) by inserting ``and loss'' after ``damage''; and
       (II) by striking ``; and'' and inserting a period;

       (2) in subsection (c)--
       (A) in paragraph (2)(A), by striking ``(a)(5)(A)(iii),'';
       (B) in paragraph (3)(B), by striking ``(a)(5)(A)(iii),'';
       (C) by amending paragraph (4) to read as follows:
       ``(4)(A) except as provided in subparagraphs (E) and (F), a 
     fine under this title, imprisonment for not more than 5 
     years, or both, in the case of--
       ``(i) an offense under subsection (a)(5)(B), which does not 
     occur after a conviction for another offense under this 
     section, if the offense caused (or, in the case of an 
     attempted offense, would, if completed, have caused)--
       ``(I) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(II) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(III) physical injury to any person;
       ``(IV) a threat to public health or safety;
       ``(V) damage affecting a computer used by or for an entity 
     of the United States Government in furtherance of the 
     administration of justice, national defense, or national 
     security; or
       ``(VI) damage affecting 10 or more protected computers 
     during any 1-year period; or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(B) except as provided in subparagraphs (E) and (F), a 
     fine under this title, imprisonment for not more than 10 
     years, or both, in the case of--
       ``(i) an offense under subsection (a)(5)(A), which does not 
     occur after a conviction for another offense under this 
     section, if the offense caused (or, in the case of an 
     attempted offense, would, if completed, have caused) a harm 
     provided in subclauses (I) through (VI) of subparagraph 
     (A)(i); or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(C) except as provided in subparagraphs (E) and (F), a 
     fine under this title, imprisonment for not more than 20 
     years, or both, in the case of--
       ``(i) an offense or an attempt to commit an offense under 
     subparagraphs (A) or (B) of subsection (a)(5) that occurs 
     after a conviction for another offense under this section; or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, in the case of--
       ``(i) an offense or an attempt to commit an offense under 
     subsection (a)(5)(C) that occurs after a conviction for 
     another offense under this section; or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(E) if the offender attempts to cause or knowingly or 
     recklessly causes serious bodily injury from conduct in 
     violation of subsection (a)(5)(A), a fine under this title, 
     imprisonment for not more than 20 years, or both;
       ``(F) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both; or
       ``(G) a fine under this title, imprisonment for not more 
     than 1 year, or both, for--
       ``(i) any other offense under subsection (a)(5); or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph.''; and
       (D) by striking paragraph (5); and
       (3) in subsection (g)--
       (A) in the second sentence, by striking ``in clauses (i), 
     (ii), (iii), (iv), or (v) of subsection (a)(5)(B)'' and 
     inserting ``in subclauses (I), (II), (III), [(IV), (V), or 
     (VI)] (IV), or (V) of subsection (c)(4)(A)(i)''; and
       (B) in the third sentence, by striking ``subsection 
     (a)(5)(B)(i)'' and inserting ``subsection (c)(4)(A)(i)(I)''.
       (b) Conforming Changes.--Section 2332b(g)(5)(B)(i) of title 
     18, United States Code, is amended by striking 
     ``1030(a)(5)(A)(i) resulting in damage as defined in 
     1030(a)(5)(B)(ii) through (v)'' and inserting ``1030(a)(5)(A) 
     resulting in damage as defined in 1030(c)(4)(A)(i)(II) 
     through (VI)''.

     SEC. 6. CYBER-EXTORTION.

       Section 1030(a)(7) of title 18, United States Code, is 
     amended to read as follows:
       ``(7) with intent to extort from any person any money or 
     other thing of value, transmits in interstate or foreign 
     commerce any communication containing any--
       ``(A) threat to cause damage to a protected computer;

[[Page 31676]]

       ``(B) threat to obtain information from a protected 
     computer without authorization or in excess of authorization 
     or to impair the confidentiality of information obtained from 
     a protected computer without authorization or by exceeding 
     authorized access; or
       ``(C) demand or request for money or other thing of value 
     in relation to damage to a protected computer, where such 
     damage was caused to facilitate the extortion;''.

     SEC. 7. CONSPIRACY TO COMMIT CYBER-CRIMES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``conspires to commit or'' after ``Whoever''.

     SEC. 8. USE OF FULL INTERSTATE AND FOREIGN COMMERCE POWER FOR 
                   CRIMINAL PENALTIES.

       Section 1030(e)(2)(B) of title 18, United States Code, is 
     amended by inserting ``or affecting'' after ``which is used 
     in''.

     SEC. 9. FORFEITURE FOR SECTION 1030 VIOLATIONS.

       Section 1030 of title 18, United States Code, is amended by 
     adding at the end the following:
       ``(i)(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such person's interest in any personal property that 
     was used or intended to be used to commit or to facilitate 
     the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from, any proceeds that such person obtained, 
     directly or indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, any seizure and disposition thereof, and any 
     judicial proceeding in relation thereto, shall be governed by 
     the provisions of section 413 of the Comprehensive Drug Abuse 
     Prevention and Control Act of 1970 (21 U.S.C. 853), except 
     subsection (d) of that section.
       ``(j) For purposes of subsection (i), the following shall 
     be subject to forfeiture to the United States and no property 
     right shall exist in them:
       ``(1) Any personal property used or intended to be used to 
     commit or to facilitate the commission of any violation of 
     this section, or a conspiracy to violate this section.
       ``(2) Any property, real or personal, which constitutes or 
     is derived from proceeds traceable to any violation of this 
     section, or a conspiracy to violate this section''.

     SEC. 10. DIRECTIVE TO UNITED STATES SENTENCING COMMISSION.

       (a) Directive.--Pursuant to its authority under section 
     994(p) of title 28, United States Code, and in accordance 
     with this section, the United States Sentencing Commission 
     shall review its guidelines and policy statements applicable 
     to persons convicted of offenses under sections 1028, 1028A, 
     1030, 2511, and 2701 of title 18, United States Code, and any 
     other relevant provisions of law, in order to reflect the 
     intent of Congress that such penalties be increased in 
     comparison to those currently provided by such guidelines and 
     policy statements.
       (b) Requirements.--In determining its guidelines and policy 
     statements on the appropriate sentence for the crimes 
     enumerated in subsection (a), the United States Sentencing 
     Commission shall consider the extent to which the guidelines 
     and policy statements may or may not account for the 
     following factors in order to create an effective deterrent 
     to computer crime and the theft or misuse of personally 
     identifiable data:
       (1) The level of sophistication and planning involved in 
     such offense.
       (2) Whether such offense was committed for purpose of 
     commercial advantage or private financial benefit.
       (3) The potential and actual loss resulting from the 
     offense including--
       (A) the value of information obtained from a protected 
     computer, regardless of whether the owner was deprived of use 
     of the information; and
       (B) where the information obtained constitutes a trade 
     secret or other proprietary information, the cost the victim 
     incurred developing or compiling the information.
       (4) Whether the defendant acted with intent to cause either 
     physical or property harm in committing the offense.
       (5) The extent to which the offense violated the privacy 
     rights of individuals.
       (6) The effect of the offense upon the operations of an 
     agency of the United States Government, or of a State or 
     local government.
       (7) Whether the offense involved a computer used by the 
     United States Government, a State, or a local government in 
     furtherance of national defense, national security, or the 
     administration of justice.
       (8) Whether the offense was intended to, or had the effect 
     of, significantly interfering with or disrupting a critical 
     infrastructure.
       (9) Whether the offense was intended to, or had the effect 
     of, creating a threat to public health or safety, causing 
     injury to any person, or causing death.
       (10) Whether the defendant purposefully involved a juvenile 
     in the commission of the offense.
       (11) Whether the defendant's intent to cause damage or 
     intent to obtain personal information should be disaggregated 
     and considered separately from the other factors set forth in 
     USSG 2B1.1(b)(14).
       (12) Whether the term ``victim'' as used in USSG 2B1.1, 
     should include individuals whose privacy was violated as a 
     result of the offense in addition to individuals who suffered 
     monetary harm as a result of the offense.
       (13) Whether the defendant disclosed personal information 
     obtained during the commission of the offense.
       (c) Additional Requirements.--In carrying out this section, 
     the United States Sentencing Commission shall--
       (1) assure reasonable consistency with other relevant 
     directives and with other sentencing guidelines;
       (2) account for any additional aggravating or mitigating 
     circumstances that might justify exceptions to the generally 
     applicable sentencing ranges;
       (3) make any conforming changes to the sentencing 
     guidelines; and
       (4) assure that the guidelines adequately meet the purposes 
     of sentencing as set forth in section 3553(a)(2) of title 18, 
     United States Code.
  Mr. LEAHY. Mr. President, I am pleased that the Senate has taken an 
important step to combat identity theft and to protect the privacy 
rights of all Americans by passing the Leahy-Specter Identity Theft 
Enforcement and Restitution Act of 2007. This bipartisan cyber crime 
bill will provide new tools to Federal prosecutors to combat identity 
theft and other computer crimes. Today's prompt action by the Senate 
brings us one step closer to providing these much-needed tools to 
Federal prosecutors and investigators who are on the front lines of the 
battle against identity theft and other cyber crimes.
  I thank Senator Specter, who has been a valuable partner in combating 
the growing problem of identity theft for many years, for joining with 
me to introduce this important privacy bill. I also thank Senators 
Durbin, Grassley, Schumer, Bill Nelson, Inouye, Stevens and Feinstein 
for joining with us as cosponsors of this important legislation.
  I commend Senators Biden and Hatch for their important work in this 
area. I am pleased that several provisions that they have drafted to 
further strengthen this cyber crime legislation will be included in 
this bill, and that with those additions, they have also cosponsored 
it.
  Senator Specter and I have worked closely with the Department of 
Justice in crafting this bill and the Leahy-Specter Identity Theft 
Enforcement and Restitution Act has the strong support of the 
Department of Justice and the Secret Service. This bill is also 
supported by a broad coalition of business, high tech and consumer 
groups, including Microsoft, Consumers Union, the Cyber Security 
Industry Alliance, the Business Software Alliance, AARP and the Chamber 
of Commerce.
  The Identity Theft Enforcement and Restitution Act takes several 
important and long overdue steps to protect Americans from the growing 
and evolving threat of identity theft and other cyber crimes. First, to 
better protect American consumers, our bill provides the victims of 
identity theft with the ability to seek restitution in Federal court 
for the loss of time and money spent restoring their credit and 
remedying the harms of identity theft, so that identity theft victims 
can be made whole.
  Second, because identity theft schemes are much more sophisticated 
and cunning in today's digital era, our bill also expands the scope of 
the Federal identity theft statutes so that the law keeps up with the 
ingenuity of today's identity thieves. Our bill adds three new crimes--
passing counterfeit securities, mail theft, and tax fraud--to the list 
of predicate offenses for aggravated identity theft. And, in order to 
better deter this kind of criminal activity, our bill also 
significantly increases the criminal penalties for these crimes. To 
address the increasing number of computer hacking crimes that involve 
computers located within the same State, our bill also eliminates the 
jurisdictional requirement that a computer's information must be stolen 
through an interstate or foreign communication in order to federally 
prosecute this crime.
  Our bill also addresses the growing problem of the malicious use of 
spyware to steal sensitive personal information, by eliminating the 
requirement that the loss resulting from the damage to a victim's 
computer must exceed $5,000 in order to federally prosecute this 
offense. The bill also carefully balances this necessary change

[[Page 31677]]

with the legitimate need to protect innocent actors from frivolous 
prosecutions, and clarifies that the elimination of the $5,000 
threshold applies only to criminal cases. In addition, our bill 
addresses the increasing number of cyber attacks on multiple computers, 
by making it a felony to employ spyware or keyloggers to damage 10 or 
more computers, regardless of the aggregate amount of damage caused. By 
making this crime a felony, the bill ensures that the most egregious 
identity thieves will not escape with minimal punishment under Federal 
cyber crime laws.
  Lastly, our bill strengthens the protections for American businesses, 
which are more and more becoming the focus of identity thieves, by 
adding 2 new causes of action under the cyber extortion statute--
threatening to obtain or release information from a protected computer 
and demanding money in relation to a protected computer--so that this 
bad conduct can be federally prosecuted. In addition, because a 
business as well as an individual can be a prime target for identity 
theft, our bill closes several gaps in the federal identity theft and 
the aggravated identity theft statutes to ensure that identity thieves 
who target a small business or a corporation can be prosecuted under 
these laws. The bill also adds the remedy of civil and criminal 
forfeiture to the arsenal of tools to combat cyber crime and our bill 
directs the United States Sentencing Commission to review its 
guidelines for identity theft and cyber crime offenses.
  The Identity Theft Enforcement and Restitution Act is a good, 
bipartisan measure to help combat the growing threat of identity theft 
and other cyber crimes to all Americans. Just this week, FBI Director 
Robert Mueller reminded all Americans that cyber threats will continue 
to grow as our Nation becomes more dependent upon high technology. This 
carefully balanced bill protects the privacy rights of American 
consumers, the interests of business and the legitimate needs of law 
enforcement. This privacy bill also builds upon our prior efforts to 
enact comprehensive data privacy legislation. The Leahy-Specter 
Personal Data Privacy and Security Act, S. 495, which Senator Specter 
and I reintroduced earlier this year, would address the growing dangers 
of identity theft at its source--lax data security and inadequate 
breach notification. Protecting the privacy and security of American 
consumers should be one of the Senate's top legislative priorities and 
I urge the majority leader to take up that measure at the earliest 
opportunity.
  Again, I thank the bipartisan coalition of Senators who have joined 
Senator Specter and me in supporting this important privacy 
legislation, as well as the many consumer and business groups that 
support this bill. I ask unanimous consent that a copy of a support 
letter that I have received from the Chamber of Commerce regarding this 
bill be printed in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                                        Chamber of Commerce of the


                                     United States of America,

                                 Washington, DC, November 2, 2007.
     Hon. Patrick Leahy,
     Chairman, Committee on the Judiciary, U.S. Senate, 
         Washington, DC.
     Hon. Arlen Specter,
     Ranking Member, Committee on the Judiciary, U.S. Senate, 
         Washington, DC.
       Dear Chairman Leahy and Ranking Member Specter: The U.S. 
     Chamber of Commerce, the world's largest business federation 
     representing more than three million businesses and 
     organizations of every size, sector, and region, thank you 
     for your leadership on issues related to identity theft and 
     other types of cyber crime. The Chamber strongly supports S. 
     2168, the ``Identity Theft Enforcement and Restitution Act of 
     2007,'' and congratulates the Committee on the Judiciary for 
     reporting favorably this important legislation.
       The Internet today is a major engine of economic growth for 
     the United States. Unfortunately, accompanying this amazing 
     growth has been the continued rise of malicious cyber 
     activity by very coordinated and clever criminal networks. S. 
     2168 will go a long way to address this very serious issue by 
     giving law enforcement officials much needed tools and 
     resources to combat these criminals.
       Once again, the Chamber appreciates your leadership on 
     these issues, and looks forward to working with the Committee 
     to assure passage of S. 2168 by the full Senate.
           Sincerely,
                                                  R. Bruce Josten.

  Mr. SALAZAR. Mr. President, I ask unanimous consent that the 
committee amendments be agreed to, the bill as amended be read a third 
time and passed, the motions to reconsider be laid upon the table with 
no intervening action or debate, and any statements be printed in the 
Record.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The committee amendments were agreed to.
  The bill (S. 2168), as amended, was ordered to be engrossed for a 
third reading, was read the third time, and passed, as follows:

                                S. 2168

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Identity Theft Enforcement 
     and Restitution Act of 2007''.

     SEC. 2. CRIMINAL RESTITUTION.

       Section 3663(b) of title 18, United States Code, is 
     amended--
       (1) in paragraph (4), by striking ``; and'' and inserting a 
     semicolon;
       (2) in paragraph (5), by striking the period at the end and 
     inserting ``; and''; and
       (3) by adding at the end the following:
       ``(6) in the case of an offense under sections 1028(a)(7) 
     or 1028A(a) of this title, pay an amount equal to the value 
     of the time reasonably spent by the victim in an attempt to 
     remediate the intended or actual harm incurred by the victim 
     from the offense.''.

     SEC. 3. PREDICATE OFFENSES FOR AGGRAVATED IDENTITY THEFT AND 
                   MISUSE OF IDENTIFYING INFORMATION OF 
                   ORGANIZATIONS.

       (a) Identity Theft.--Section 1028 of title 18, United 
     States Code, is amended--
       (1) in subsection (a)(7), by inserting ``(including an 
     organization as defined in section 18 of this title)'' after 
     ``person''; and
       (2) in subsection (d)(7), by inserting ``or other person'' 
     after ``specific individual''.
       (b) Aggravated Identity Theft.--Section 1028A of title 18, 
     United States Code, is amended--
       (1) in subsection (a)(1), by inserting ``(including an 
     organization as defined in section 18 of this title)'' after 
     ``person''; and
       (2) in subsection (c)--
       (A) in the matter preceding paragraph (1), by inserting ``, 
     or a conspiracy to commit such a felony violation,'' after 
     ``any offense that is a felony violation'';
       (B) by redesignating--
       (i) paragraph (11) as paragraph (14);
       (ii) paragraphs (8) through (10) as paragraphs (10) through 
     (12), respectively; and
       (iii) paragraphs (1) through (7) as paragraphs (2) through 
     (8), respectively;
       (C) by inserting prior to paragraph (2), as so 
     redesignated, the following:
       ``(1) section 513 (relating to making, uttering, or 
     possessing counterfeited securities);'';
       (D) by inserting after paragraph (8), as so redesignated, 
     the following:
       ``(9) section 1708 (relating to mail theft);'';
       (E) in paragraph (12), as so redesignated, by striking ``; 
     or'' and inserting a semicolon; and
       (F) by inserting after paragraph (12), as so redesignated, 
     the following:
       ``(13) section 7201, 7206, or 7207 of title 26 (relating to 
     tax fraud); or''.

     SEC. 4. ENSURING JURISDICTION OVER THE THEFT OF SENSITIVE 
                   IDENTITY INFORMATION.

       Section 1030(a)(2)(C) of title 18, United States Code, is 
     amended by striking ``if the conduct involved an interstate 
     or foreign communication''.

     SEC. 5. MALICIOUS SPYWARE, HACKING AND KEYLOGGERS.

       (a) In General.--Section 1030 of title 18, United States 
     Code, is amended--
       (1) in subsection (a)(5)--
       (A) by striking subparagraph (B); and
       (B) in subparagraph (A)--
       (i) by striking ``(A)(i) knowingly'' and inserting ``(A) 
     knowingly'';
       (ii) by redesignating clauses (ii) and (iii) as 
     subparagraphs (B) and (C), respectively; and
       (iii) in subparagraph (C), as so redesignated--

       (I) by inserting ``and loss'' after ``damage''; and
       (II) by striking ``; and'' and inserting a period;

       (2) in subsection (c)--
       (A) in paragraph (2)(A), by striking ``(a)(5)(A)(iii),'';
       (B) in paragraph (3)(B), by striking ``(a)(5)(A)(iii),'';
       (C) by amending paragraph (4) to read as follows:
       ``(4)(A) except as provided in subparagraphs (E) and (F), a 
     fine under this title, imprisonment for not more than 5 
     years, or both, in the case of--
       ``(i) an offense under subsection (a)(5)(B), which does not 
     occur after a conviction for

[[Page 31678]]

     another offense under this section, if the offense caused 
     (or, in the case of an attempted offense, would, if 
     completed, have caused)--
       ``(I) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(II) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(III) physical injury to any person;
       ``(IV) a threat to public health or safety;
       ``(V) damage affecting a computer used by or for an entity 
     of the United States Government in furtherance of the 
     administration of justice, national defense, or national 
     security; or
       ``(VI) damage affecting 10 or more protected computers 
     during any 1-year period; or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(B) except as provided in subparagraphs (E) and (F), a 
     fine under this title, imprisonment for not more than 10 
     years, or both, in the case of--
       ``(i) an offense under subsection (a)(5)(A), which does not 
     occur after a conviction for another offense under this 
     section, if the offense caused (or, in the case of an 
     attempted offense, would, if completed, have caused) a harm 
     provided in subclauses (I) through (VI) of subparagraph 
     (A)(i); or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(C) except as provided in subparagraphs (E) and (F), a 
     fine under this title, imprisonment for not more than 20 
     years, or both, in the case of--
       ``(i) an offense or an attempt to commit an offense under 
     subparagraphs (A) or (B) of subsection (a)(5) that occurs 
     after a conviction for another offense under this section; or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, in the case of--
       ``(i) an offense or an attempt to commit an offense under 
     subsection (a)(5)(C) that occurs after a conviction for 
     another offense under this section; or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph;
       ``(E) if the offender attempts to cause or knowingly or 
     recklessly causes serious bodily injury from conduct in 
     violation of subsection (a)(5)(A), a fine under this title, 
     imprisonment for not more than 20 years, or both;
       ``(F) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both; or
       ``(G) a fine under this title, imprisonment for not more 
     than 1 year, or both, for--
       ``(i) any other offense under subsection (a)(5); or
       ``(ii) an attempt to commit an offense punishable under 
     this subparagraph.''; and
       (D) by striking paragraph (5); and
       (3) in subsection (g)--
       (A) in the second sentence, by striking ``in clauses (i), 
     (ii), (iii), (iv), or (v) of subsection (a)(5)(B)'' and 
     inserting ``in subclauses (I), (II), (III), (IV), or (V) of 
     subsection (c)(4)(A)(i)''; and
       (B) in the third sentence, by striking ``subsection 
     (a)(5)(B)(i)'' and inserting ``subsection (c)(4)(A)(i)(I)''.
       (b) Conforming Changes.--Section 2332b(g)(5)(B)(i) of title 
     18, United States Code, is amended by striking 
     ``1030(a)(5)(A)(i) resulting in damage as defined in 
     1030(a)(5)(B)(ii) through (v)'' and inserting ``1030(a)(5)(A) 
     resulting in damage as defined in 1030(c)(4)(A)(i)(II) 
     through (VI)''.

     SEC. 6. CYBER-EXTORTION.

       Section 1030(a)(7) of title 18, United States Code, is 
     amended to read as follows:
       ``(7) with intent to extort from any person any money or 
     other thing of value, transmits in interstate or foreign 
     commerce any communication containing any--
       ``(A) threat to cause damage to a protected computer;
       ``(B) threat to obtain information from a protected 
     computer without authorization or in excess of authorization 
     or to impair the confidentiality of information obtained from 
     a protected computer without authorization or by exceeding 
     authorized access; or
       ``(C) demand or request for money or other thing of value 
     in relation to damage to a protected computer, where such 
     damage was caused to facilitate the extortion;''.

     SEC. 7. CONSPIRACY TO COMMIT CYBER-CRIMES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``conspires to commit or'' after ``Whoever''.

     SEC. 8. USE OF FULL INTERSTATE AND FOREIGN COMMERCE POWER FOR 
                   CRIMINAL PENALTIES.

       Section 1030(e)(2)(B) of title 18, United States Code, is 
     amended by inserting ``or affecting'' after ``which is used 
     in''.

     SEC. 9. FORFEITURE FOR SECTION 1030 VIOLATIONS.

       Section 1030 of title 18, United States Code, is amended by 
     adding at the end the following:
       ``(i)(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such person's interest in any personal property that 
     was used or intended to be used to commit or to facilitate 
     the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from, any proceeds that such person obtained, 
     directly or indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, any seizure and disposition thereof, and any 
     judicial proceeding in relation thereto, shall be governed by 
     the provisions of section 413 of the Comprehensive Drug Abuse 
     Prevention and Control Act of 1970 (21 U.S.C. 853), except 
     subsection (d) of that section.
       ``(j) For purposes of subsection (i), the following shall 
     be subject to forfeiture to the United States and no property 
     right shall exist in them:
       ``(1) Any personal property used or intended to be used to 
     commit or to facilitate the commission of any violation of 
     this section, or a conspiracy to violate this section.
       ``(2) Any property, real or personal, which constitutes or 
     is derived from proceeds traceable to any violation of this 
     section, or a conspiracy to violate this section''.

     SEC. 10. DIRECTIVE TO UNITED STATES SENTENCING COMMISSION.

       (a) Directive.--Pursuant to its authority under section 
     994(p) of title 28, United States Code, and in accordance 
     with this section, the United States Sentencing Commission 
     shall review its guidelines and policy statements applicable 
     to persons convicted of offenses under sections 1028, 1028A, 
     1030, 2511, and 2701 of title 18, United States Code, and any 
     other relevant provisions of law, in order to reflect the 
     intent of Congress that such penalties be increased in 
     comparison to those currently provided by such guidelines and 
     policy statements.
       (b) Requirements.--In determining its guidelines and policy 
     statements on the appropriate sentence for the crimes 
     enumerated in subsection (a), the United States Sentencing 
     Commission shall consider the extent to which the guidelines 
     and policy statements may or may not account for the 
     following factors in order to create an effective deterrent 
     to computer crime and the theft or misuse of personally 
     identifiable data:
       (1) The level of sophistication and planning involved in 
     such offense.
       (2) Whether such offense was committed for purpose of 
     commercial advantage or private financial benefit.
       (3) The potential and actual loss resulting from the 
     offense including--
       (A) the value of information obtained from a protected 
     computer, regardless of whether the owner was deprived of use 
     of the information; and
       (B) where the information obtained constitutes a trade 
     secret or other proprietary information, the cost the victim 
     incurred developing or compiling the information.
       (4) Whether the defendant acted with intent to cause either 
     physical or property harm in committing the offense.
       (5) The extent to which the offense violated the privacy 
     rights of individuals.
       (6) The effect of the offense upon the operations of an 
     agency of the United States Government, or of a State or 
     local government.
       (7) Whether the offense involved a computer used by the 
     United States Government, a State, or a local government in 
     furtherance of national defense, national security, or the 
     administration of justice.
       (8) Whether the offense was intended to, or had the effect 
     of, significantly interfering with or disrupting a critical 
     infrastructure.
       (9) Whether the offense was intended to, or had the effect 
     of, creating a threat to public health or safety, causing 
     injury to any person, or causing death.
       (10) Whether the defendant purposefully involved a juvenile 
     in the commission of the offense.
       (11) Whether the defendant's intent to cause damage or 
     intent to obtain personal information should be disaggregated 
     and considered separately from the other factors set forth in 
     USSG 2B1.1(b)(14).
       (12) Whether the term ``victim'' as used in USSG 2B1.1, 
     should include individuals whose privacy was violated as a 
     result of the offense in addition to individuals who suffered 
     monetary harm as a result of the offense.
       (13) Whether the defendant disclosed personal information 
     obtained during the commission of the offense.
       (c) Additional Requirements.--In carrying out this section, 
     the United States Sentencing Commission shall--
       (1) assure reasonable consistency with other relevant 
     directives and with other sentencing guidelines;
       (2) account for any additional aggravating or mitigating 
     circumstances that might justify exceptions to the generally 
     applicable sentencing ranges;

[[Page 31679]]

       (3) make any conforming changes to the sentencing 
     guidelines; and
       (4) assure that the guidelines adequately meet the purposes 
     of sentencing as set forth in section 3553(a)(2) of title 18, 
     United States Code.

                          ____________________