[Congressional Record (Bound Edition), Volume 158 (2012), Part 9]
[Senate]
[Pages 12158-12168]
[From the U.S. Government Publishing Office, www.gpo.gov]




                           TEXT OF AMENDMENTS

  SA 2573. Mr. HATCH (for himself, Mr. McConnell, Mr. Johanns, Mr. 
Roberts, Mr. Burr, Mr. Thune, Mr. Cornyn, Mr. Kyl, Mr. Boozman, Mr. 
Blunt, Mr. Rubio, Mr. McCain, Mr. Grassley, Mr. Barrasso, Mr. Kirk, 
Mrs. Hutchison, Mr. Hoeven, Mr. Shelby, and Mr. Isakson) proposed an 
amendment to the bill S. 3412, to amend the Internal Revenue Code of 
1986 to provide tax relief to middle-class families; as follows:

       Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Tax Hike Prevention Act of 
     2012''.

     SEC. 2. TEMPORARY EXTENSION OF 2001 TAX RELIEF.

       (a) In General.--Section 901 of the Economic Growth and Tax 
     Relief Reconciliation Act of 2001 is amended by striking 
     ``December 31, 2012'' both places it appears and inserting 
     ``December 31, 2013''.
       (b) Effective Date.--The amendment made by this section 
     shall take effect as if included in the enactment of the 
     Economic Growth and Tax Relief Reconciliation Act of 2001.

     SEC. 3. TEMPORARY EXTENSION OF 2003 TAX RELIEF.

       (a) In General.--Section 303 of the Jobs and Growth Tax 
     Relief Reconciliation Act of 2003 is amended by striking 
     ``December 31, 2012'' and inserting ``December 31, 2013''.

[[Page 12159]]

       (b) Effective Date.--The amendment made by this section 
     shall take effect as if included in the enactment of the Jobs 
     and Growth Tax Relief Reconciliation Act of 2003.

     SEC. 4. ALTERNATIVE MINIMUM TAX RELIEF.

       (a) Temporary Extension of Increased Alternative Minimum 
     Tax Exemption Amount.--
       (1) In general.--Paragraph (1) of section 55(d) of the 
     Internal Revenue Code of 1986 is amended--
       (A) by striking ``$72,450'' and all that follows through 
     ``2011'' in subparagraph (A) and inserting ``$78,750 in the 
     case of taxable years beginning in 2012 and $79,850 in the 
     case of taxable years beginning in 2013'', and
       (B) by striking ``$47,450'' and all that follows through 
     ``2011'' in subparagraph (B) and inserting ``$50,600 in the 
     case of taxable years beginning in 2012 and $51,150 in the 
     case of taxable years beginning in 2013''.
       (b) Temporary Extension of Alternative Minimum Tax Relief 
     for Nonrefundable Personal Credits.--
       (1) In general.--Paragraph (2) of section 26(a) of the 
     Internal Revenue Code of 1986 is amended--
       (A) by striking ``or 2011'' and inserting ``2011, 2012, or 
     2013'', and
       (B) by striking ``2011'' in the heading thereof and 
     inserting ``2013''.
       (c)  Effective Date.--The amendments made by this section 
     shall apply to taxable years beginning after December 31, 
     2011.

     SEC. 5. EXTENSION OF INCREASED EXPENSING LIMITATIONS AND 
                   TREATMENT OF CERTAIN REAL PROPERTY AS SECTION 
                   179 PROPERTY.

       (a) In General.--
       (1) Dollar limitation.--Section 179(b)(1) of the Internal 
     Revenue Code of 1986 is amended--
       (A) by striking ``2010 or 2011,'' in subparagraph (B) and 
     inserting ``2010, 2011, 2012, or 2013, and'',
       (B) by striking subparagraph (C),
       (C) by redesignating subparagraph (D) as subparagraph (C), 
     and
       (D) in subparagraph (C), as so redesignated, by striking 
     ``2012'' and inserting ``2013''.
       (2) Reduction in limitation.--Section 179(b)(2) of such 
     Code is amended--
       (A) by striking ``2010 or 2011,'' in subparagraph (B) and 
     inserting ``2010, 2011, 2012, or 2013, and'',
       (B) by striking subparagraph (C),
       (C) by redesignating subparagraph (D) as subparagraph (C), 
     and
       (D) in subparagraph (C), as so redesignated, by striking 
     ``2012'' and inserting ``2013''.
       (3) Conforming amendment.--Subsection (b) of section 179 of 
     such Code is amended by striking paragraph (6).
       (b) Computer Software.--Section 179(d)(1)(A)(ii) of the 
     Internal Revenue Code of 1986 is amended by striking ``2013'' 
     and inserting ``2014''.
       (c) Election.--Section 179(c)(2) of the Internal Revenue 
     Code of 1986 is amended by striking ``2013'' and inserting 
     ``2014''.
       (d) Special Rules for Treatment of Qualified Real 
     Property.--
       (1) In general.--Section 179(f)(1) of the Internal Revenue 
     Code of 1986 is amended by striking ``2010 or 2011'' and 
     inserting ``2010, 2011, 2012, or 2013''.
       (2) Carryover limitation.--
       (A) In general.--Section 179(f)(4) of such Code is amended 
     by striking ``2011'' each place it appears and inserting 
     ``2013''.
       (B) Conforming amendment.--The heading for subparagraph (C) 
     of section 179(f)(4) of such Code is amended by striking 
     ``2010'' and inserting ``2010, 2011 and 2012''.
       (e) Effective Date.--The amendments made by this section 
     shall apply to taxable years beginning after December 31, 
     2011.

     SEC. 6. INSTRUCTIONS FOR TAX REFORM.

       (a) In General.--The Senate Committee on Finance shall 
     report legislation not later than 12 months after the date of 
     the enactment of this Act that consists of changes in laws 
     within its jurisdiction which meet the requirements of 
     subsection (b).
       (b) Requirements.--Legislation meets the requirements of 
     this subsection if the legislation--
       (1) simplifies the Internal Revenue Code of 1986 by 
     reducing the number of tax preferences and reducing 
     individual tax rates proportionally, with the highest 
     individual tax rate significantly below 35 percent;
       (2) permanently repeals the alternative minimum tax;
       (3) is projected, when compared to the current tax policy 
     baseline, to be revenue neutral or result in revenue losses;
       (4) has a dynamic effect which is projected to stimulate 
     economic growth and lead to increased revenue;
       (5) applies any increased revenue from stimulated economic 
     growth to additional rate reductions and does not permit any 
     such increased revenue to be used for additional Federal 
     spending;
       (6) retains a progressive tax code; and
       (7) provides for revenue-neutral reform of the taxation of 
     corporations and businesses by--
       (A) providing a top tax rate on corporations of no more 
     than 25 percent; and
       (B) implementing a competitive territorial tax system.
                                 ______
                                 
  SA 2574. Mrs. HUTCHISON submitted an amendment intended to be 
proposed by her to the bill S. 3414, to enhance the security and 
resiliency of the cyber and communications infrastructure of the United 
States; which was ordered to lie on the table; as follows:

       At the end of the bill, add the following:

                       TITLE VIII--MISCELLANEOUS

     SEC. 801. COMPLIANCE WITH OR VIOLATION OF ENVIRONMENTAL LAWS 
                   WHILE UNDER EMERGENCY ORDER.

       (a) In General.--Section 202(c) of the Federal Power Act 
     (16 U.S.C. 824a(c)) is amended--
       (1) by striking ``(c) During'' and inserting the following:
       ``(c) Temporary Connection and Exchange of Facilities 
     During Emergency.--
       ``(1) In general.--During''; and
       (2) by adding at the end the following:
       ``(2) Compliance with or violation of environmental laws 
     while under emergency order.--
       ``(A) In general.--If an order issued under this subsection 
     may result in a conflict with a requirement of any Federal, 
     State, or local environmental law or regulation, the 
     Commission shall ensure that the order--
       ``(i) requires generation, delivery, interchange, or 
     transmission of electric energy only during hours necessary 
     to meet the emergency and serve the public interest; and
       ``(ii) to the maximum extent practicable, is consistent 
     with any applicable Federal, State, or local environmental 
     law or regulation and minimizes any adverse environmental 
     impacts.
       ``(B) Effect of compliance with emergency orders.--To the 
     extent any omission or action taken by a party that is 
     necessary to comply with an order issued under this 
     subsection (including any omission or action taken to 
     voluntarily comply with the order) results in noncompliance 
     with, or causes the party to not comply with, any Federal, 
     State, or local environmental law or regulation, the omission 
     or action shall not be considered a violation of the 
     environmental law or regulation, or subject the party to any 
     requirement, civil or criminal liability, or a citizen suit 
     under the environmental law or regulation.
       ``(C) Term of emergency orders.--Subject to subparagraph 
     (D), an order issued under this subsection that may result in 
     a conflict with a requirement of any Federal, State, or local 
     environmental law or regulation shall expire not later than 
     90 days after the order is issued.
       ``(D) Renewal or reissuance of emergency orders.--
       ``(i) In general.--The Commission may renew or reissue the 
     order pursuant to this subsection for subsequent periods, not 
     to exceed 90 days for each period, as the Commission 
     determines necessary to meet the emergency and serve the 
     public interest.
       ``(ii) Administration.--In renewing or reissuing an order 
     under clause (i), the Commission shall--

       ``(I) consult with the primary Federal agency with 
     expertise in the environmental interest protected by the law 
     or regulation; and
       ``(II) include in the renewed or reissued order such 
     conditions as the Federal agency determines necessary to 
     minimize any adverse environmental impacts to the maximum 
     extent practicable.

       ``(iii) Public availability of conditions.--The conditions, 
     if any, submitted by the Federal agency shall be made 
     available to the public.
       ``(iv) Exclusion of conditions.--The Commission may exclude 
     a condition from the renewed or reissued order if the 
     Commission--

       ``(I) determines that the condition would prevent the order 
     from adequately addressing the emergency necessitating the 
     order; and
       ``(II) provides in the order, or otherwise makes publicly 
     available, an explanation of the determination.''.

       (b) Temporary Connection or Construction by 
     Municipalities.--Section 202(d) of the Federal Power Act (16 
     U.S.C. 824a(d)) is amended by inserting ``or municipality'' 
     before ``engaged in the transmission or sale of electric 
     energy''.
                                 ______
                                 
  SA 2575. Mr. LAUTENBERG (for himself, Mrs. Boxer, Mr. Reed, Mr. 
Menendez, Mrs. Gillibrand, Mr. Schumer, and Mrs. Feinstein) submitted 
an amendment intended to be proposed by him to the bill S. 3414, to 
enhance the security and resiliency of the cyber and communications 
infrastructure of the United States; which was ordered to lie on the 
table; as follows:

       At the appropriate place, insert the following

     SEC. __. PROHIBITION ON TRANSFER OR POSSESSION OF LARGE 
                   CAPACITY AMMUNITION FEEDING DEVICES.

       (a) Definition.--Section 921(a) of title 18, United States 
     Code, is amended by inserting after paragraph (29) the 
     following:
       ``(30) The term `large capacity ammunition feeding 
     device'--
       ``(A) means a magazine, belt, drum, feed strip, or similar 
     device that has a capacity of, or that can be readily 
     restored or converted to accept, more than 10 rounds of 
     ammunition; but

[[Page 12160]]

       ``(B) does not include an attached tubular device designed 
     to accept, and capable of operating only with, .22 caliber 
     rimfire ammunition.''.
       (b) Prohibitions.--Section 922 of such title is amended by 
     inserting after subsection (u) the following:
       ``(v)(1)(A)(i) Except as provided in clause (ii), it shall 
     be unlawful for a person to transfer or possess a large 
     capacity ammunition feeding device.
       ``(ii) Clause (i) shall not apply to the possession of a 
     large capacity ammunition feeding device otherwise lawfully 
     possessed within the United States on or before the date of 
     the enactment of this subsection.
       ``(B) It shall be unlawful for any person to import or 
     bring into the United States a large capacity ammunition 
     feeding device.
       ``(2) Paragraph (1) shall not apply to--
       ``(A) a manufacture for, transfer to, or possession by the 
     United States or a department or agency of the United States 
     or a State or a department, agency, or political subdivision 
     of a State, or a transfer to or possession by a law 
     enforcement officer employed by such an entity for purposes 
     of law enforcement (whether on or off duty);
       ``(B) a transfer to a licensee under title I of the Atomic 
     Energy Act of 1954 for purposes of establishing and 
     maintaining an on-site physical protection system and 
     security organization required by Federal law, or possession 
     by an employee or contractor of such a licensee on-site for 
     such purposes or off-site for purposes of licensee-authorized 
     training or transportation of nuclear materials;
       ``(C) the possession, by an individual who is retired from 
     service with a law enforcement agency and is not otherwise 
     prohibited from receiving ammunition, of a large capacity 
     ammunition feeding device transferred to the individual by 
     the agency upon that retirement; or
       ``(D) a manufacture, transfer, or possession of a large 
     capacity ammunition feeding device by a licensed manufacturer 
     or licensed importer for the purposes of testing or 
     experimentation authorized by the Attorney General.''.
       (c) Penalties.--Section 924(a) of such title is amended by 
     adding at the end the following:
       ``(8) Whoever knowingly violates section 922(v) shall be 
     fined under this title, imprisoned not more than 10 years, or 
     both.''.
       (d) Identification Markings.--Section 923(i) of such title 
     is amended by adding at the end the following: ``A large 
     capacity ammunition feeding device manufactured after the 
     date of the enactment of this sentence shall be identified by 
     a serial number that clearly shows that the device was 
     manufactured after such date of enactment, and such other 
     identification as the Attorney General may by regulation 
     prescribe.''.
                                 ______
                                 
  SA 2576. Mr. LEAHY submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       Beginning on page 109, strike line 4 and all that follows 
     through page 110, line 6, and insert the following:
       (d) Cybersecurity Modeling and Test Beds.--
       (1) Review.--Not later than 1 year after the date of 
     enactment of this Act, the Director shall conduct a review of 
     cybersecurity test beds in existence on the date of enactment 
     of this Act to inform the program established under paragraph 
     (2).
       (2) Establishment of program.--
       (A) In general.--The Director of the National Science 
     Foundation, the Secretary, and the Secretary of Commerce 
     shall establish a program for the appropriate Federal 
     agencies to award grants to institutions of higher education 
     or research and development non-profit institutions to 
     establish cybersecurity test beds capable of realistic 
     modeling of real-time cyber attacks and defenses. The test 
     beds shall work to enhance the security of public systems and 
     focus on enhancing the security of critical private sector 
     systems such as those in the finance, energy, and other 
     sectors.
       (B) Requirements.--
       (i) Size of test beds.--The test beds established under the 
     program established under subparagraph (A) shall be 
     sufficiently large in order to model the scale and complexity 
     of real world networks and environments.
       (ii) Use of existing test beds.--The test bed program 
     established under subparagraph (A) shall build upon and 
     expand test beds and cyber attack simulation, experiment, and 
     distributed gaming tools developed by the Under Secretary of 
     Homeland Security for Science and Technology prior to the 
     date of enactment of this Act.
       (3) Purposes.--The purposes of the program established 
     under paragraph (2) shall be to--
       (A) support the rapid development of new cybersecurity 
     defenses, techniques, and processes by improving 
     understanding and assessing the latest technologies in a 
     real-world environment; and
       (B) to improve understanding among private sector partners 
     of the risk, magnitude, and consequences of cyber attacks.
                                 ______
                                 
  SA 2577. Mr. LEAHY submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       At the end, add the following:

                       TITLE VIII--DATA SECURITY

     SEC. 801. DEFINITIONS.

       In this title, the following definitions shall apply:
       (1) Business entity.--The term ``business entity'' means 
     any organization, corporation, trust, partnership, sole 
     proprietorship, unincorporated association, or venture 
     established to make a profit, or nonprofit.
       (2) Personally identifiable information.--The term 
     ``personally identifiable information'' means any 
     information, or compilation of information, in electronic or 
     digital form that is a means of identification, as defined by 
     section 1028(d)(7) of title 18, United State Code.
       (3) Sensitive personally identifiable information.--The 
     term ``sensitive personally identifiable information'' means 
     any information or compilation of information, in electronic 
     or digital form that includes the following:
       (A) An individual's first and last name or first initial 
     and last name in combination with any 2 of the following data 
     elements:
       (i) Home address or telephone number.
       (ii) Mother's maiden name.
       (iii) Month, day, and year of birth.
       (B) A non-truncated social security number, driver's 
     license number, passport number, or alien registration number 
     or other government-issued unique identification number.
       (C) Unique biometric data such as a finger print, voice 
     print, a retina or iris image, or any other unique physical 
     representation.
       (D) A unique account identifier, including a financial 
     account number or credit or debit card number, electronic 
     identification number, user name, or routing code.
       (E) Any combination of the following data elements:
       (i) An individual's first and last name or first initial 
     and last name.
       (ii) A unique account identifier, including a financial 
     account number or credit or debit card number, electronic 
     identification number, user name, or routing code.
       (iii) Any security code, access code, or password, or 
     source code that could be used to generate such codes or 
     passwords.
       (4) Service provider.--The term ``service provider'' means 
     a business entity that provides electronic data transmission, 
     routing, intermediate and transient storage, or connections 
     to its system or network, where the business entity providing 
     such services does not select or modify the content of the 
     electronic data, is not the sender or the intended recipient 
     of the data, and the business entity transmits, routes, 
     stores, or provides connections for personal information in a 
     manner that personal information is undifferentiated from 
     other types of data that such business entity transmits, 
     routes, stores, or provides connections. Any such business 
     entity shall be treated as a service provider under this 
     title only to the extent that it is engaged in the provision 
     of such transmission, routing, intermediate and transient 
     storage or connections.

     SEC. 802. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND 
                   SECURITY PROGRAM.

       (a) Purpose.--The purpose of this title is to ensure 
     standards for developing and implementing administrative, 
     technical, and physical safeguards to protect the security of 
     sensitive personally identifiable information.
       (b) Applicability.--A business entity engaging in 
     interstate commerce that involves collecting, accessing, 
     transmitting, using, storing, or disposing of sensitive 
     personally identifiable information in electronic or digital 
     form on 10,000 or more United States persons is subject to 
     the requirements for a data privacy and security program 
     under section 803 for protecting sensitive personally 
     identifiable information.
       (c) Limitations.--Notwithstanding any other obligation 
     under this title, this title does not apply to the following:
       (1) Financial institutions.--Financial institutions--
       (A) subject to the data security requirements and standards 
     under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6801(b)); and
       (B) subject to the jurisdiction of an agency or authority 
     described in section 505(a) of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6805(a)).
       (2) HIPAA regulated entities.--
       (A) Covered entities.--Covered entities subject to the 
     Health Insurance Portability and Accountability Act of 1996 
     (42 U.S.C. 1301 et seq.), including the data security 
     requirements and implementing regulations of that Act.
       (B) Business entities.--A Business entity shall be deemed 
     in compliance with this title if the business entity--
       (i) is acting as a business associate, as that term is 
     defined under the Health Insurance Portability and 
     Accountability Act of 1996 (42 U.S.C. 1301 et seq.) and is in 
     compliance

[[Page 12161]]

     with the requirements imposed under that Act and implementing 
     regulations promulgated under that Act; and
       (ii) is subject to, and currently in compliance, with the 
     privacy and data security requirements under sections 13401 
     and 13404 of division A of the American Reinvestment and 
     Recovery Act of 2009 (42 U.S.C. 17931 and 17934) and 
     implementing regulations promulgated under such sections.
       (3) Service providers.--A service provider for any 
     electronic communication by a third-party, to the extent that 
     the service provider is exclusively engaged in the 
     transmission, routing, or temporary, intermediate, or 
     transient storage of that communication.
       (4) Public records.--Public records not otherwise subject 
     to a confidentiality or nondisclosure requirement, or 
     information obtained from a public record, including 
     information obtained from a news report or periodical.
       (d) Safe Harbors.--
       (1) In general.--A business entity shall be deemed in 
     compliance with the privacy and security program requirements 
     under section 803 if the business entity complies with or 
     provides protection equal to industry standards or standards 
     widely accepted as an effective industry practice, as 
     identified by the Federal Trade Commission, that are 
     applicable to the type of sensitive personally identifiable 
     information involved in the ordinary course of business of 
     such business entity.
       (2) Limitation.--Nothing in this subsection shall be 
     construed to permit, and nothing does permit, the Federal 
     Trade Commission to issue regulations requiring, or according 
     greater legal status to, the implementation of or application 
     of a specific technology or technological specifications for 
     meeting the requirements of this title.

     SEC. 803. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND 
                   SECURITY PROGRAM.

       (a) Personal Data Privacy and Security Program.--A business 
     entity subject to this title shall comply with the following 
     safeguards and any other administrative, technical, or 
     physical safeguards identified by the Federal Trade 
     Commission in a rulemaking process pursuant to section 553 of 
     title 5, United States Code, for the protection of sensitive 
     personally identifiable information:
       (1) Scope.--A business entity shall implement a 
     comprehensive personal data privacy and security program that 
     includes administrative, technical, and physical safeguards 
     appropriate to the size and complexity of the business entity 
     and the nature and scope of its activities.
       (2) Design.--The personal data privacy and security program 
     shall be designed to--
       (A) ensure the privacy, security, and confidentiality of 
     sensitive personally identifying information;
       (B) protect against any anticipated vulnerabilities to the 
     privacy, security, or integrity of sensitive personally 
     identifying information; and
       (C) protect against unauthorized access to use of sensitive 
     personally identifying information that could create a 
     significant risk of harm or fraud to any individual.
       (3) Risk assessment.--A business entity shall--
       (A) identify reasonably foreseeable internal and external 
     vulnerabilities that could result in unauthorized access, 
     disclosure, use, or alteration of sensitive personally 
     identifiable information or systems containing sensitive 
     personally identifiable information;
       (B) assess the likelihood of and potential damage from 
     unauthorized access, disclosure, use, or alteration of 
     sensitive personally identifiable information;
       (C) assess the sufficiency of its policies, technologies, 
     and safeguards in place to control and minimize risks from 
     unauthorized access, disclosure, use, or alteration of 
     sensitive personally identifiable information; and
       (D) assess the vulnerability of sensitive personally 
     identifiable information during destruction and disposal of 
     such information, including through the disposal or 
     retirement of hardware.
       (4) Risk management and control.--Each business entity 
     shall--
       (A) design its personal data privacy and security program 
     to control the risks identified under paragraph (3);
       (B) adopt measures commensurate with the sensitivity of the 
     data as well as the size, complexity, and scope of the 
     activities of the business entity that--
       (i) control access to systems and facilities containing 
     sensitive personally identifiable information, including 
     controls to authenticate and permit access only to authorized 
     individuals;
       (ii) detect, record, and preserve information relevant to 
     actual and attempted fraudulent, unlawful, or unauthorized 
     access, disclosure, use, or alteration of sensitive 
     personally identifiable information, including by employees 
     and other individuals otherwise authorized to have access;
       (iii) protect sensitive personally identifiable information 
     during use, transmission, storage, and disposal by 
     encryption, redaction, or access controls that are widely 
     accepted as an effective industry practice or industry 
     standard, or other reasonable means (including as directed 
     for disposal of records under section 628 of the Fair Credit 
     Reporting Act (15 U.S.C. 1681w) and the implementing 
     regulations of such Act as set forth in section 682 of title 
     16, Code of Federal Regulations);
       (iv) ensure that sensitive personally identifiable 
     information is properly destroyed and disposed of, including 
     during the destruction of computers, diskettes, and other 
     electronic media that contain sensitive personally 
     identifiable information;
       (v) trace access to records containing sensitive personally 
     identifiable information so that the business entity can 
     determine who accessed or acquired such sensitive personally 
     identifiable information pertaining to specific individuals; 
     and
       (vi) ensure that no third party or customer of the business 
     entity is authorized to access or acquire sensitive 
     personally identifiable information without the business 
     entity first performing sufficient due diligence to 
     ascertain, with reasonable certainty, that such information 
     is being sought for a valid legal purpose; and
       (C) establish a plan and procedures for minimizing the 
     amount of sensitive personally identifiable information 
     maintained by such business entity, which shall provide for 
     the retention of sensitive personally identifiable 
     information only as reasonably needed for the business 
     purposes of such business entity or as necessary to comply 
     with any legal obligation.
       (b) Training.--Each business entity subject to this title 
     shall take steps to ensure employee training and supervision 
     for implementation of the data security program of the 
     business entity.
       (c) Vulnerability Testing.--
       (1) In general.--Each business entity subject to this title 
     shall take steps to ensure regular testing of key controls, 
     systems, and procedures of the personal data privacy and 
     security program to detect, prevent, and respond to attacks 
     or intrusions, or other system failures.
       (2) Frequency.--The frequency and nature of the tests 
     required under paragraph (1) shall be determined by the risk 
     assessment of the business entity under subsection (a)(3).
       (d) Relationship to Certain Providers of Services.--In the 
     event a business entity subject to this title engages a 
     person or entity not subject to this title (other than a 
     service provider) to receive sensitive personally 
     identifiable information in performing services or functions 
     (other than the services or functions provided by a service 
     provider) on behalf of and under the instruction of such 
     business entity, such business entity shall--
       (1) exercise appropriate due diligence in selecting the 
     person or entity for responsibilities related to sensitive 
     personally identifiable information, and take reasonable 
     steps to select and retain a person or entity that is capable 
     of maintaining appropriate safeguards for the security, 
     privacy, and integrity of the sensitive personally 
     identifiable information at issue; and
       (2) require the person or entity by contract to implement 
     and maintain appropriate measures designed to meet the 
     objectives and requirements governing entities subject to 
     this section.
       (e) Periodic Assessment and Personal Data Privacy and 
     Security Modernization.--Each business entity subject to this 
     title shall on a regular basis monitor, evaluate, and adjust, 
     as appropriate its data privacy and security program in light 
     of any relevant changes in--
       (1) technology;
       (2) the sensitivity of personally identifiable information;
       (3) internal or external threats to personally identifiable 
     information; and
       (4) the changing business arrangements of the business 
     entity, such as--
       (A) mergers and acquisitions;
       (B) alliances and joint ventures;
       (C) outsourcing arrangements;
       (D) bankruptcy; and
       (E) changes to sensitive personally identifiable 
     information systems.
       (f) Implementation Timeline.--Not later than 1 year after 
     the date of enactment of this title, a business entity 
     subject to the provisions of this title shall implement a 
     data privacy and security program pursuant to this title.

     SEC. 804. ENFORCEMENT.

       (a) Civil Penalties.--
       (1) In general.--Any business entity that violates the 
     provisions of section 803 shall be subject to civil penalties 
     of not more than $5,000 per violation per day while such a 
     violation exists, with a maximum of $500,000 per violation.
       (2) Intentional or willful violation.--A business entity 
     that intentionally or willfully violates the provisions of 
     section 803 shall be subject to additional penalties in the 
     amount of $5,000 per violation per day while such a violation 
     exists, with a maximum of an additional $500,000 per 
     violation.
       (3) Penalty limits.--
       (A) In general.--Notwithstanding any other provision of 
     law, the total sum of civil penalties assessed against a 
     business entity for all violations of the provisions of this 
     title resulting from the same or related acts or omissions 
     shall not exceed $500,000, unless such conduct is found to be 
     willful or intentional.

[[Page 12162]]

       (B) Determinations.--The determination of whether a 
     violation of a provision of this title has occurred, and if 
     so, the amount of the penalty to be imposed, if any, shall be 
     made by the court sitting as the finder of fact. The 
     determination of whether a violation of a provision of this 
     title was willful or intentional, and if so, the amount of 
     the additional penalty to be imposed, if any, shall be made 
     by the court sitting as the finder of fact.
       (C) Additional penalty limit.--If a court determines under 
     subparagraph (B) that a violation of a provision of this 
     title was willful or intentional and imposes an additional 
     penalty, the court may not impose an additional penalty in an 
     amount that exceeds $500,000.
       (4) Equitable relief.--A business entity engaged in 
     interstate commerce that violates a provision of this title 
     may be enjoined from further violations by a United States 
     district court.
       (5) Other rights and remedies.--The rights and remedies 
     available under this section are cumulative and shall not 
     affect any other rights and remedies available under law.
       (b) Federal Trade Commission Authority.--Any business 
     entity shall have the provisions of this title enforced 
     against it by the Federal Trade Commission.
       (c) State Enforcement.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State or any State or local law enforcement 
     agency authorized by the State attorney general or by State 
     statute to prosecute violations of consumer protection law, 
     has reason to believe that an interest of the residents of 
     that State has been or is threatened or adversely affected by 
     the acts or practices of a business entity that violate this 
     title, the State may bring a civil action on behalf of the 
     residents of that State in a district court of the United 
     States of appropriate jurisdiction to--
       (A) enjoin that act or practice;
       (B) enforce compliance with this title; or
       (C) obtain civil penalties of not more than $5,000 per 
     violation per day while such violations persist, up to a 
     maximum of $500,000 per violation.
       (2) Penalty limits.--
       (A) In general.--Notwithstanding any other provision of 
     law, the total sum of civil penalties assessed against a 
     business entity for all violations of the provisions of this 
     title resulting from the same or related acts or omissions 
     shall not exceed $500,000, unless such conduct is found to be 
     willful or intentional.
       (B) Determinations.--The determination of whether a 
     violation of a provision of this title has occurred, and if 
     so, the amount of the penalty to be imposed, if any, shall be 
     made by the court sitting as the finder of fact. The 
     determination of whether a violation of a provision of this 
     title was willful or intentional, and if so, the amount of 
     the additional penalty to be imposed, if any, shall be made 
     by the court sitting as the finder of fact.
       (C) Additional penalty limit.--If a court determines under 
     subparagraph (B) that a violation of a provision of this 
     title was willful or intentional and imposes an additional 
     penalty, the court may not impose an additional penalty in an 
     amount that exceeds $500,000.
       (3) Notice.--
       (A) In general.--Before filing an action under this 
     subsection, the attorney general of the State involved shall 
     provide to the Federal Trade Commission--
       (i) a written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exception.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general of a 
     State determines that it is not feasible to provide the 
     notice described in this subparagraph before the filing of 
     the action.
       (C) Notification when practicable.--In an action described 
     under subparagraph (B), the attorney general of a State shall 
     provide the written notice and the copy of the complaint to 
     the Federal Trade Commission as soon after the filing of the 
     complaint as practicable.
       (4) Federal trade commission authority.--Upon receiving 
     notice under paragraph (3), the Federal Trade Commission 
     shall have the right to--
       (A) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action as described in 
     paragraph (5);
       (B) intervene in an action brought under paragraph (1); and
       (C) file petitions for appeal.
       (5) Pending proceedings.--If the Federal Trade Commission 
     initiates a Federal civil action for a violation of this 
     title, or any regulations thereunder, no attorney general of 
     a State may bring an action for a violation of this title 
     that resulted from the same or related acts or omissions 
     against a defendant named in the Federal civil action 
     initiated by the Federal Trade Commission.
       (6) Rule of construction.--For purposes of bringing any 
     civil action under paragraph (1) nothing in this title shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (A) conduct investigations;
       (B) administer oaths and affirmations; or
       (C) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (7) Venue; service of process.--
       (A) Venue.--Any action brought under this subsection may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (B) Service of process.--In an action brought under this 
     subsection, process may be served in any district in which 
     the defendant--
       (i) is an inhabitant; or
       (ii) may be found.
       (d) No Private Cause of Action.--Nothing in this title 
     establishes a private cause of action against a business 
     entity for violation of any provision of this title.

     SEC. 805. RELATION TO OTHER LAWS.

       (a) In General.--No State may require any business entity 
     subject to this title to comply with any requirements with 
     respect to administrative, technical, and physical safeguards 
     for the protection of personal information.
       (b) Limitations.--Nothing in this title shall be construed 
     to modify, limit, or supersede the operation of the Gramm-
     Leach-Bliley Act or its implementing regulations, including 
     those adopted or enforced by States.
                                 ______
                                 
  SA 2578. Mr. LEAHY submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       At the end, add the following:

                       DIVISION __--DATA BREACHES

     SECTION 1. SHORT TITLE.

       This division may be cited as the ``Personal Data Privacy 
     and Security Act of 2012''.

     SEC. 2. FINDINGS.

       Congress finds that--
       (1) databases of personally identifiable information are 
     increasingly prime targets of hackers, identity thieves, 
     rogue employees, and other criminals, including organized and 
     sophisticated criminal operations;
       (2) identity theft is a serious threat to the Nation's 
     economic stability, national security, homeland security, 
     cybersecurity, the development of e-commerce, and the privacy 
     rights of Americans;
       (3) security breaches are a serious threat to consumer 
     confidence, homeland security, national security, e-commerce, 
     and economic stability;
       (4) it is important for business entities that own, use, or 
     license personally identifiable information to adopt 
     reasonable procedures to ensure the security, privacy, and 
     confidentiality of that personally identifiable information;
       (5) individuals whose personal information has been 
     compromised or who have been victims of identity theft should 
     receive the necessary information and assistance to mitigate 
     their damages and to restore the integrity of their personal 
     information and identities;
       (6) data misuse and use of inaccurate data have the 
     potential to cause serious or irreparable harm to an 
     individual's livelihood, privacy, and liberty and undermine 
     efficient and effective business and government operations;
       (7) government access to commercial data can potentially 
     improve safety, law enforcement, and national security; and
       (8) because government use of commercial data containing 
     personal information potentially affects individual privacy, 
     and law enforcement and national security operations, there 
     is a need for Congress to exercise oversight over government 
     use of commercial data.

     SEC. 3. DEFINITIONS.

       In this division, the following definitions shall apply:
       (1) Affiliate.--The term ``affiliate'' means persons 
     related by common ownership or by corporate control.
       (2) Agency.--The term ``agency'' has the same meaning given 
     such term in section 551 of title 5, United States Code.
       (3) Business entity.--The term ``business entity'' means 
     any organization, corporation, trust, partnership, sole 
     proprietorship, unincorporated association, or venture 
     established to make a profit, or nonprofit.
       (4) Data system communication information.--The term ``data 
     system communication information'' means dialing, routing, 
     addressing, or signaling information that identifies the 
     origin, direction, destination, processing, transmission, or 
     termination of each communication initiated, attempted, or 
     received.
       (5) Designated entity.--The term ``designated entity'' 
     means the Federal Government entity designated by the 
     Secretary of Homeland Security under section 206(a).
       (6) Encryption.--The term ``encryption''--
       (A) means the protection of data in electronic form, in 
     storage or in transit, using an encryption technology that 
     has been generally accepted by experts in the field of 
     information security that renders such data

[[Page 12163]]

     indecipherable in the absence of associated cryptographic 
     keys necessary to enable decryption of such data; and
       (B) includes appropriate management and safeguards of such 
     cryptographic keys so as to protect the integrity of the 
     encryption.
       (7) Identity theft.--The term ``identity theft'' means a 
     violation of section 1028(a)(7) of title 18, United States 
     Code.
       (8) Personally identifiable information.--The term 
     ``personally identifiable information'' means any 
     information, or compilation of information, in electronic or 
     digital form that is a means of identification, as defined by 
     section 1028(d)(7) of title 18, United State Code.
       (9) Public record source.--The term ``public record 
     source'' means the Congress, any agency, any State or local 
     government agency, the government of the District of Columbia 
     and governments of the territories or possessions of the 
     United States, and Federal, State or local courts, courts 
     martial and military commissions, that maintain personally 
     identifiable information in records available to the public.
       (10) Security breach.--
       (A) In general.--The term ``security breach'' means 
     compromise of the security, confidentiality, or integrity of, 
     or the loss of, computerized data that result in, or that 
     there is a reasonable basis to conclude has resulted in--
       (i) the unauthorized acquisition of sensitive personally 
     identifiable information; and
       (ii) access to sensitive personally identifiable 
     information that is for an unauthorized purpose, or in excess 
     of authorization.
       (B) Exclusion.--The term ``security breach'' does not 
     include--
       (i) a good faith acquisition of sensitive personally 
     identifiable information by a business entity or agency, or 
     an employee or agent of a business entity or agency, if the 
     sensitive personally identifiable information is not subject 
     to further unauthorized disclosure;
       (ii) the release of a public record not otherwise subject 
     to confidentiality or nondisclosure requirements or the 
     release of information obtained from a public record, 
     including information obtained from a news report or 
     periodical; or
       (iii) any lawfully authorized investigative, protective, or 
     intelligence activity of a law enforcement or intelligence 
     agency of the United States, a State, or a political 
     subdivision of a State.
       (11) Sensitive personally identifiable information.--The 
     term ``sensitive personally identifiable information'' means 
     any information or compilation of information, in electronic 
     or digital form that includes the following:
       (A) An individual's first and last name or first initial 
     and last name in combination with any two of the following 
     data elements:
       (i) Home address or telephone number.
       (ii) Mother's maiden name.
       (iii) Month, day, and year of birth.
       (B) A non-truncated social security number, driver's 
     license number, passport number, or alien registration number 
     or other government-issued unique identification number.
       (C) Unique biometric data such as a finger print, voice 
     print, a retina or iris image, or any other unique physical 
     representation.
       (D) A unique account identifier, including a financial 
     account number or credit or debit card number, electronic 
     identification number, user name, or routing code.
       (E) Any combination of the following data elements:
       (i) An individual's first and last name or first initial 
     and last name.
       (ii) A unique account identifier, including a financial 
     account number or credit or debit card number, electronic 
     identification number, user name, or routing code.
       (iii) Any security code, access code, or password, or 
     source code that could be used to generate such codes or 
     passwords.
       (12) Service provider.--The term ``service provider'' means 
     a business entity that provides electronic data transmission, 
     routing, intermediate and transient storage, or connections 
     to its system or network, where the business entity providing 
     such services does not select or modify the content of the 
     electronic data, is not the sender or the intended recipient 
     of the data, and the business entity transmits, routes, 
     stores, or provides connections for personal information in a 
     manner that personal information is undifferentiated from 
     other types of data that such business entity transmits, 
     routes, stores, or provides connections. Any such business 
     entity shall be treated as a service provider under this 
     division only to the extent that it is engaged in the 
     provision of such transmission, routing, intermediate and 
     transient storage or connections.

               TITLE I--CONCEALMENT OF SECURITY BREACHES

     SEC. 101. CONCEALMENT OF SECURITY BREACHES INVOLVING 
                   SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by adding at the end the following:

     ``Sec. 1041. Concealment of security breaches involving 
       sensitive personally identifiable information

       ``(a) In General.--Whoever, having knowledge of a security 
     breach and of the fact that notice of such security breach is 
     required under title II of the Personal Data Privacy and 
     Security Act of 2012, intentionally and willfully conceals 
     the fact of such security breach, shall, in the event that 
     such security breach results in economic harm to any 
     individual in the amount of $1,000 or more, be fined under 
     this title or imprisoned for not more than 5 years, or both.
       ``(b) Person Defined.--For purposes of subsection (a), the 
     term `person' has the same meaning as in section 1030(e)(12) 
     of title 18, United States Code.
       ``(c) Notice Requirement.--Any person seeking an exemption 
     under section 202(b) of the Personal Data Privacy and 
     Security Act of 2012 shall be immune from prosecution under 
     this section if the Federal Trade Commission does not 
     indicate, in writing, that such notice be given under section 
     202(b)(1)(C) of such Act.''.
       (b) Conforming and Technical Amendments.--The table of 
     sections for chapter 47 of title 18, United States Code, is 
     amended by adding at the end the following:

``1041. Concealment of security breaches involving sensitive personally 
              identifiable information.''.

       (c) Enforcement Authority.--
       (1) In general.--The United States Secret Service and 
     Federal Bureau of Investigation shall have the authority to 
     investigate offenses under this section.
       (2) Nonexclusivity.--The authority granted in paragraph (1) 
     shall not be exclusive of any existing authority held by any 
     other Federal agency.

                 TITLE II--SECURITY BREACH NOTIFICATION

     SEC. 201. NOTICE TO INDIVIDUALS.

       (a) In General.--Any agency, or business entity engaged in 
     interstate commerce, other than a service provider, that 
     uses, accesses, transmits, stores, disposes of or collects 
     sensitive personally identifiable information shall, 
     following the discovery of a security breach of such 
     information, notify any resident of the United States whose 
     sensitive personally identifiable information has been, or is 
     reasonably believed to have been, accessed, or acquired.
       (b) Obligation of Owner or Licensee.--
       (1) Notice to owner or licensee.--Any agency, or business 
     entity engaged in interstate commerce, that uses, accesses, 
     transmits, stores, disposes of, or collects sensitive 
     personally identifiable information that the agency or 
     business entity does not own or license shall notify the 
     owner or licensee of the information following the discovery 
     of a security breach involving such information.
       (2) Notice by owner, licensee, or other designated third 
     party.--Nothing in this title shall prevent or abrogate an 
     agreement between an agency or business entity required to 
     give notice under this section and a designated third party, 
     including an owner or licensee of the sensitive personally 
     identifiable information subject to the security breach, to 
     provide the notifications required under subsection (a).
       (3) Business entity relieved from giving notice.--A 
     business entity obligated to give notice under subsection (a) 
     shall be relieved of such obligation if an owner or licensee 
     of the sensitive personally identifiable information subject 
     to the security breach, or other designated third party, 
     provides such notification.
       (4) Service providers.--If a service provider becomes aware 
     of a security breach of data in electronic form containing 
     sensitive personal information that is owned or possessed by 
     another business entity that connects to or uses a system or 
     network provided by the service provider for the purpose of 
     transmitting, routing, or providing intermediate or transient 
     storage of such data, the service provider shall be required 
     to notify the business entity who initiated such connection, 
     transmission, routing, or storage of the security breach if 
     the business entity can be reasonably identified. Upon 
     receiving such notification from a service provider, the 
     business entity shall be required to provide the notification 
     required under subsection (a).
       (c) Timeliness of Notification.--
       (1) In general.--All notifications required under this 
     section shall be made without unreasonable delay following 
     the discovery by the agency or business entity of a security 
     breach.
       (2) Reasonable delay.--
       (A) In general.--Reasonable delay under this subsection may 
     include any time necessary to determine the scope of the 
     security breach, prevent further disclosures, conduct the 
     risk assessment described in section 202(b)(1)(A), and 
     restore the reasonable integrity of the data system and 
     provide notice to law enforcement when required.
       (B) Extension.--
       (i) In general.--Except as provided in section 202, delay 
     of notification shall not exceed 60 days following the 
     discovery of the security breach, unless the business entity 
     or agency request an extension of time and the Federal Trade 
     Commission determines in writing that additional time is 
     reasonably

[[Page 12164]]

     necessary to determine the scope of the security breach, 
     prevent further disclosures, conduct the risk assessment, 
     restore the reasonable integrity of the data system, or to 
     provide notice to the entity designated by the Secretary of 
     Homeland Security pursuant to section 206.
       (ii) Approval of request.--If the Federal Trade Commission 
     approves the request for delay, the agency or business entity 
     may delay the time period for notification for additional 
     periods of up to 30 days.
       (3) Burden of production.--The agency, business entity, 
     owner, or licensee required to provide notice under this 
     title shall, upon the request of the Attorney General or the 
     Federal Trade Commission provide records or other evidence of 
     the notifications required under this title, including to the 
     extent applicable, the reasons for any delay of notification.
       (d) Delay of Notification Authorized for Law Enforcement or 
     National Security Purposes.--
       (1) In general.--If the United States Secret Service or the 
     Federal Bureau of Investigation determines that the 
     notification required under this section would impede a 
     criminal investigation, or national security activity, such 
     notification shall be delayed upon written notice from the 
     United States Secret Service or the Federal Bureau of 
     Investigation to the agency or business entity that 
     experienced the breach. The notification from the United 
     States Secret Service or the Federal Bureau of Investigation 
     shall specify in writing the period of delay requested for 
     law enforcement or national security purposes.
       (2) Extended delay of notification.--If the notification 
     required under subsection (a) is delayed pursuant to 
     paragraph (1), an agency or business entity shall give notice 
     30 days after the day such law enforcement or national 
     security delay was invoked unless a Federal law enforcement 
     or intelligence agency provides written notification that 
     further delay is necessary.
       (3) Law enforcement immunity.--No nonconstitutional cause 
     of action shall lie in any court against any agency for acts 
     relating to the delay of notification for law enforcement or 
     national security purposes under this title.
       (e) Limitations.--Notwithstanding any other obligation 
     under this title, this title does not apply to the following:
       (1) Financial institutions.--Financial institutions--
       (A) subject to the data security requirements and standards 
     under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6801(b)); and
       (B) subject to the jurisdiction of an agency or authority 
     described in section 505(a) of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6805(a)).
       (2) HIPAA regulated entities.--
       (A) Covered entities.--Covered entities subject to the 
     Health Insurance Portability and Accountability Act of 1996 
     (42 U.S.C. 1301 et seq.), including the data security 
     requirements and implementing regulations of that Act.
       (B) Business entities.--A business entity shall be deemed 
     in compliance with this division if the business entity--
       (i)(I) is acting as a covered entity and as a business 
     associate, as those terms are defined under the Health 
     Insurance Portability and Accountability Act of 1996 (42 
     U.S.C. 1301 et seq.) and is in compliance with the 
     requirements imposed under that Act and implementing 
     regulations promulgated under that Act; and
       (II) is subject to, and currently in compliance, with the 
     data breach notification, privacy and data security 
     requirements under the Health Information Technology for 
     Economic and Clinical Health (HITECH) Act, (42 U.S.C. 17932) 
     and implementing regulations promulgated thereunder; or
       (ii) is acting as a vendor of personal health records and 
     third party service provider, subject to the Health 
     Information Technology for Economic and Clinical Health 
     (HITECH) Act (42 U.S.C. 17937), including the data breach 
     notification requirements and implementing regulations of 
     that Act.

     SEC. 202. EXEMPTIONS.

       (a) Exemption for National Security and Law Enforcement.--
       (1) In general.--Section 201 shall not apply to an agency 
     or business entity if--
       (A) the United States Secret Service or the Federal Bureau 
     of Investigation determines that notification of the security 
     breach could be expected to reveal sensitive sources and 
     methods or similarly impede the ability of the Government to 
     conduct law enforcement investigations; or
       (B) the Federal Bureau of Investigation determines that 
     notification of the security breach could be expected to 
     cause damage to the national security.
       (2) Immunity.--No nonconstitutional cause of action shall 
     lie in any court against any Federal agency for acts relating 
     to the exemption from notification for law enforcement or 
     national security purposes under this title.
       (b) Safe Harbor.--
       (1) In general.--An agency or business entity shall be 
     exempt from the notice requirements under section 201, if--
       (A) a risk assessment conducted by the agency or business 
     entity concludes that, based upon the information available, 
     there is no significant risk that a security breach has 
     resulted in, or will result in, identity theft, economic loss 
     or harm, or physical harm to the individuals whose sensitive 
     personally identifiable information was subject to the 
     security breach;
       (B) without unreasonable delay, but not later than 45 days 
     after the discovery of a security breach, unless extended by 
     the Federal Trade Commission, the agency or business entity 
     notifies the Federal Trade Commission, in writing, of--
       (i) the results of the risk assessment; and
       (ii) its decision to invoke the risk assessment exemption; 
     and
       (C) the Federal Trade Commission does not indicate, in 
     writing, within 10 business days from receipt of the 
     decision, that notice should be given.
       (2) Rebuttable presumptions.--For purposes of paragraph 
     (1)--
       (A) the encryption of sensitive personally identifiable 
     information described in paragraph (1)(A) shall establish a 
     rebuttable presumption that no significant risk exists; and
       (B) the rendering of sensitive personally identifiable 
     information described in paragraph (1)(A) unusable, 
     unreadable, or indecipherable through data security 
     technology or methodology that is generally accepted by 
     experts in the field of information security, such as 
     redaction or access controls shall establish a rebuttable 
     presumption that no significant risk exists.
       (3) Violation.--It shall be a violation of this section 
     to--
       (A) fail to conduct the risk assessment in a reasonable 
     manner, or according to standards generally accepted by 
     experts in the field of information security; or
       (B) submit the results of a risk assessment that contains 
     fraudulent or deliberately misleading information.
       (c) Financial Fraud Prevention Exemption.--
       (1) In general.--A business entity will be exempt from the 
     notice requirement under section 201 if the business entity 
     utilizes or participates in a security program that--
       (A) effectively blocks the use of the sensitive personally 
     identifiable information to initiate unauthorized financial 
     transactions before they are charged to the account of the 
     individual; and
       (B) provides for notice to affected individuals after a 
     security breach that has resulted in fraud or unauthorized 
     transactions.
       (2) Limitation.--The exemption in paragraph (1) does not 
     apply if the information subject to the security breach 
     includes an individual's first and last name, or any other 
     type of sensitive personally identifiable information as 
     defined in section 3, unless that information is only a 
     credit card number or credit card security code.

     SEC. 203. METHODS OF NOTICE.

       An agency or business entity shall be in compliance with 
     section 201 if it provides the following:
       (1) Individual notice.--Notice to individuals by 1 of the 
     following means:
       (A) Written notification to the last known home mailing 
     address of the individual in the records of the agency or 
     business entity.
       (B) Telephone notice to the individual personally.
       (C) E-mail notice, if the individual has consented to 
     receive such notice and the notice is consistent with the 
     provisions permitting electronic transmission of notices 
     under section 101 of the Electronic Signatures in Global and 
     National Commerce Act (15 U.S.C. 7001).
       (2) Media notice.--Notice to major media outlets serving a 
     State or jurisdiction, if the number of residents of such 
     State whose sensitive personally identifiable information 
     was, or is reasonably believed to have been, accessed or 
     acquired by an unauthorized person exceeds 5,000.

     SEC. 204. CONTENT OF NOTIFICATION.

       (a) In General.--Regardless of the method by which notice 
     is provided to individuals under section 203, such notice 
     shall include, to the extent possible--
       (1) a description of the categories of sensitive personally 
     identifiable information that was, or is reasonably believed 
     to have been, accessed or acquired by an unauthorized person;
       (2) a toll-free number--
       (A) that the individual may use to contact the agency or 
     business entity, or the agent of the agency or business 
     entity; and
       (B) from which the individual may learn what types of 
     sensitive personally identifiable information the agency or 
     business entity maintained about that individual; and
       (3) the toll-free contact telephone numbers and addresses 
     for the major credit reporting agencies.
       (b) Additional Content.--Notwithstanding section 209, a 
     State may require that a notice under subsection (a) shall 
     also include information regarding victim protection 
     assistance provided for by that State.
       (c) Direct Business Relationship.--Regardless of whether a 
     business entity, agency, or a designated third party provides 
     the notice required pursuant to section 201(b), such notice 
     shall include the name of the business entity or agency that 
     has a direct relationship with the individual being notified.

[[Page 12165]]



     SEC. 205. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING 
                   AGENCIES.

       If an agency or business entity is required to provide 
     notification to more than 5,000 individuals under section 
     201(a), the agency or business entity shall also notify all 
     consumer reporting agencies that compile and maintain files 
     on consumers on a nationwide basis (as defined in section 
     603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)) 
     of the timing and distribution of the notices. Such notice 
     shall be given to the consumer credit reporting agencies 
     without unreasonable delay and, if it will not delay notice 
     to the affected individuals, prior to the distribution of 
     notices to the affected individuals.

     SEC. 206. NOTICE TO LAW ENFORCEMENT.

       (a) Designation of Government Entity to Receive Notice.--
       (1) In general.--Not later than 60 days after the date of 
     enactment of this Act, the Secretary of Homeland Security 
     shall designate a Federal Government entity to receive the 
     notices required under section 201 and this section, and any 
     other reports and information about information security 
     incidents, threats, and vulnerabilities.
       (2) Responsibilities of the designated entity.--The 
     designated entity shall--
       (A) be responsible for promptly providing the information 
     that it receives to the United States Secret Service and the 
     Federal Bureau of Investigation, and to the Federal Trade 
     Commission for civil law enforcement purposes; and
       (B) provide the information described in subparagraph (A) 
     as appropriate to other Federal agencies for law enforcement, 
     national security, or data security purposes.
       (b) Notice.--Any business entity or agency shall notify the 
     designated entity of the fact that a security breach has 
     occurred if--
       (1) the number of individuals whose sensitive personally 
     identifying information was, or is reasonably believed to 
     have been accessed or acquired by an unauthorized person 
     exceeds 5,000;
       (2) the security breach involves a database, networked or 
     integrated databases, or other data system containing the 
     sensitive personally identifiable information of more than 
     500,000 individuals nationwide;
       (3) the security breach involves databases owned by the 
     Federal Government; or
       (4) the security breach involves primarily sensitive 
     personally identifiable information of individuals known to 
     the agency or business entity to be employees and contractors 
     of the Federal Government involved in national security or 
     law enforcement.
       (c) FTC Rulemaking and Review of Thresholds.--Not later 1 
     year after the date of the enactment of this Act, the Federal 
     Trade Commission, in consultation with the Attorney General 
     of the United States and the Secretary of Homeland Security, 
     shall promulgate regulations regarding the reports required 
     under subsection (a). The Federal Trade Commission, in 
     consultation with the Attorney General and the Secretary of 
     Homeland Security, after notice and the opportunity for 
     public comment, and in a manner consistent with this section, 
     shall promulgate regulations, as necessary, under section 553 
     of title 5, United States Code, to adjust the thresholds for 
     notice to law enforcement and national security authorities 
     under subsection (a) and to facilitate the purposes of this 
     section.
       (d) Timing.--The notice required under subsection (a) shall 
     be provided as promptly as possible, but such notice must be 
     provided either 72 hours before notice is provided to an 
     individual pursuant to section 201, or not later than 10 days 
     after the business entity or agency discovers the security 
     breach or discovers that the nature of the security breach 
     requires notice to law enforcement under this section, 
     whichever occurs first.

     SEC. 207. ENFORCEMENT.

       (a) In General.--The Attorney General of the United States 
     and the Federal Trade Commission may enforce civil violations 
     of section 201.
       (b) Civil Actions by the Attorney General of the United 
     States.--
       (1) In general.--The Attorney General may bring a civil 
     action in the appropriate United States district court 
     against any business entity that engages in conduct 
     constituting a violation of this title and, upon proof of 
     such conduct by a preponderance of the evidence, such 
     business entity shall be subject to a civil penalty of not 
     more than $11,000 per day per security breach.
       (2) Penalty limitation.--Notwithstanding any other 
     provision of law, the total amount of the civil penalty 
     assessed against a business entity for conduct involving the 
     same or related acts or omissions that results in a violation 
     of this title may not exceed $1,000,000.
       (3) Determinations.--The determination of whether a 
     violation of a provision of this title has occurred, and if 
     so, the amount of the penalty to be imposed, if any, shall be 
     made by the court sitting as the finder of fact. The 
     determination of whether a violation of a provision of this 
     title was willful or intentional, and if so, the amount of 
     the additional penalty to be imposed, if any, shall be made 
     by the court sitting as the finder of fact.
       (4) Additional penalty limit.--If a court determines under 
     paragraph (3) that a violation of a provision of this title 
     was willful or intentional and imposes an additional penalty, 
     the court may not impose an additional penalty in an amount 
     that exceeds $1,000,000.
       (c) Injunctive Actions by the Attorney General.--
       (1) In general.--If it appears that a business entity has 
     engaged, or is engaged, in any act or practice constituting a 
     violation of this title, the Attorney General may petition an 
     appropriate district court of the United States for an 
     order--
       (A) enjoining such act or practice; or
       (B) enforcing compliance with this title.
       (2) Issuance of order.--A court may issue an order under 
     paragraph (1), if the court finds that the conduct in 
     question constitutes a violation of this title.
       (d) Civil Actions by the Federal Trade Commission.--
       (1) In general.--Compliance with the requirements imposed 
     under this title may be enforced under the Federal Trade 
     Commission Act (15 U.S.C. 41 et seq.) by the Federal Trade 
     Commission with respect to business entities subject to this 
     division. All of the functions and powers of the Federal 
     Trade Commission under the Federal Trade Commission Act are 
     available to the Federal Trade Commission to enforce 
     compliance by any person with the requirements imposed under 
     this title.
       (2) Penalty limitation.--
       (A) In general.--Notwithstanding any other provision of 
     law, the total sum of civil penalties assessed against a 
     business entity for all violations of the provisions of this 
     title resulting from the same or related acts or omissions 
     may not exceed $1,000,000, unless such conduct is found to be 
     willful or intentional.
       (B) Determinations.--The determination of whether a 
     violation of a provision of this title has occurred, and if 
     so, the amount of the penalty to be imposed, if any, shall be 
     made by the court sitting as the finder of fact. The 
     determination of whether a violation of a provision of this 
     title was willful or intentional, and if so, the amount of 
     the additional penalty to be imposed, if any, shall be made 
     by the court sitting as the finder of fact.
       (C) Additional penalty limit.--If a court determines under 
     subparagraph (B) that a violation of a provision of this 
     title was willful or intentional and imposes an additional 
     penalty, the court may not impose an additional penalty in an 
     amount that exceeds $1,000,000.
       (3) Unfair or deceptive acts or practices.--For the purpose 
     of the exercise by the Federal Trade Commission of its 
     functions and powers under the Federal Trade Commission Act, 
     a violation of any requirement or prohibition imposed under 
     this title shall constitute an unfair or deceptive act or 
     practice in commerce in violation of a regulation under 
     section 18(a)(1)(B) of the Federal Trade Commission Act (15 
     U.S.C. 57a(a)(I)(B)) regarding unfair or deceptive acts or 
     practices and shall be subject to enforcement by the Federal 
     Trade Commission under that Act with respect to any business 
     entity, irrespective of whether that business entity is 
     engaged in commerce or meets any other jurisdictional tests 
     in the Federal Trade Commission Act.
       (e) Coordination of Enforcement.--
       (1) In general.--Before opening an investigation, the 
     Federal Trade Commission shall consult with the Attorney 
     General.
       (2) Limitation.--The Federal Trade Commission may initiate 
     investigations under this subsection unless the Attorney 
     General determines that such an investigation would impede an 
     ongoing criminal investigation or national security activity.
       (3) Coordination agreement.--
       (A) In general.--In order to avoid conflicts and promote 
     consistency regarding the enforcement and litigation of 
     matters under this division, not later than 180 days after 
     the enactment of this Act, the Attorney General and the 
     Commission shall enter into an agreement for coordination 
     regarding the enforcement of this division
       (B) Requirement.--The coordination agreement entered into 
     under subparagraph (A) shall include provisions to ensure 
     that parallel investigations and proceedings under this 
     section are conducted in a matter that avoids conflicts and 
     does not impede the ability of the Attorney General to 
     prosecute violations of Federal criminal laws.
       (4) Coordination with the fcc.--If an enforcement action 
     under this division relates to customer proprietary network 
     information, the Federal Trade Commission shall coordinate 
     the enforcement action with the Federal Communications 
     Commission.
       (f) Rulemaking.--The Federal Trade Commission may, in 
     consultation with the Attorney General, issue such other 
     regulations as it determines to be necessary to carry out 
     this title. All regulations promulgated under this division 
     shall be issued in accordance with section 553 of title 5, 
     United States Code. Where regulations relate to customer 
     proprietary network information, the promulgation of such 
     regulations will be coordinated with the Federal 
     Communications Commission.
       (g) Other Rights and Remedies.--The rights and remedies 
     available under this title are cumulative and shall not 
     affect any

[[Page 12166]]

     other rights and remedies available under law.
       (h) Fraud Alert.--Section 605A(b)(1) of the Fair Credit 
     Reporting Act (15 U.S.C. 1681c-1(b)(1)) is amended by 
     inserting ``, or evidence that the consumer has received 
     notice that the consumer's financial information has or may 
     have been compromised,'' after ``identity theft report''.

     SEC. 208. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State or any State or local law enforcement 
     agency authorized by the State attorney general or by State 
     statute to prosecute violations of consumer protection law, 
     has reason to believe that an interest of the residents of 
     that State has been or is threatened or adversely affected by 
     the engagement of a business entity in a practice that is 
     prohibited under this title, the State or the State or local 
     law enforcement agency on behalf of the residents of the 
     agency's jurisdiction, may bring a civil action on behalf of 
     the residents of the State or jurisdiction in a district 
     court of the United States of appropriate jurisdiction to--
       (A) enjoin that practice;
       (B) enforce compliance with this title; or
       (C) civil penalties of not more than $11,000 per day per 
     security breach up to a maximum of $1,000,000 per violation, 
     unless such conduct is found to be willful or intentional.
       (2) Penalty limitation.--
       (A) In general.--Notwithstanding any other provision of 
     law, the total sum of civil penalties assessed against a 
     business entity for all violations of the provisions of this 
     title resulting from the same or related acts or omissions 
     may not exceed $1,000,000, unless such conduct is found to be 
     willful or intentional.
       (B) Determinations.--The determination of whether a 
     violation of a provision of this title has occurred, and if 
     so, the amount of the penalty to be imposed, if any, shall be 
     made by the court sitting as the finder of fact. The 
     determination of whether a violation of a provision of this 
     title was willful or intentional, and if so, the amount of 
     the additional penalty to be imposed, if any, shall be made 
     by the court sitting as the finder of fact.
       (C) Additional penalty limit.--If a court determines under 
     subparagraph (B) that a violation of a provision of this 
     title was willful or intentional and imposes an additional 
     penalty, the court may not impose an additional penalty in an 
     amount that exceeds $1,000,000.
       (3) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Attorney General of the United States--
       (i) written notice of the action; and
       (ii) a copy of the complaint for the action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this title, if the State attorney general 
     determines that it is not feasible to provide the notice 
     described in such subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Attorney General at the time the 
     State attorney general files the action.
       (b) Federal Proceedings.--Upon receiving notice under 
     subsection (a)(3), the Attorney General shall have the right 
     to--
       (1) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action;
       (2) initiate an action in the appropriate United States 
     district court under section 207 and move to consolidate all 
     pending actions, including State actions, in such court;
       (3) intervene in an action brought under subsection (a)(1); 
     and
       (4) file petitions for appeal.
       (c) Pending Proceedings.--If the Attorney General or the 
     Federal Trade Commission initiate a criminal proceeding or 
     civil action for a violation of a provision of this title, or 
     any regulations thereunder, no attorney general of a State 
     may bring an action for a violation of a provision of this 
     title against a defendant named in the Federal criminal 
     proceeding or civil action.
       (d) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this title regarding 
     notification shall be construed to prevent an attorney 
     general of a State from exercising the powers conferred on 
     such attorney general by the laws of that State to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (e) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in--
       (A) the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code; or
       (B) another court of competent jurisdiction.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.
       (f) No Private Cause of Action.--Nothing in this title 
     establishes a private cause of action against a business 
     entity for violation of any provision of this title.

     SEC. 209. EFFECT ON FEDERAL AND STATE LAW.

       For any entity, or agency that is subject to this title, 
     the provisions of this title shall supersede any other 
     provision of Federal law, or any provisions of the law of any 
     State, relating to notification of a security breach, except 
     as provided in section 204(b). Nothing in this title shall be 
     construed to modify, limit, or supersede the operation of the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) or its 
     implementing regulations, including those regulations adopted 
     or enforced by States, the Health Insurance Portability and 
     Accountability Act of 1996 (42 U.S.C. 1301 et seq.) or its 
     implementing regulations, or the Health Information 
     Technology for Economic and Clinical Health Act (42 U.S.C. 
     17937) or its implementing regulations.

     SEC. 210. REPORTING ON EXEMPTIONS.

       (a) FTC Report.--Not later than 18 months after the date of 
     enactment of this Act, and upon request by Congress 
     thereafter, the Federal Trade Commission shall submit a 
     report to Congress on the number and nature of the security 
     breaches described in the notices filed by those business 
     entities invoking the risk assessment exemption under section 
     202(b) and their response to such notices.
       (b) Law Enforcement Report.--
       (1) In general.--Not later than 18 months after the date of 
     enactment of this Act, and upon the request by Congress 
     thereafter, the United States Secret Service and Federal 
     Bureau of Investigation shall submit a report to Congress on 
     the number and nature of security breaches subject to the 
     national security and law enforcement exemptions under 
     section 202(a).
       (2) Requirement.--The report required under paragraph (1) 
     shall not include the contents of any risk assessment 
     provided to the United States Secret Service and the Federal 
     Bureau of Investigation under this title.

     SEC. 211. EFFECTIVE DATE.

       This title shall take effect 90 days after the date of 
     enactment of this Act.

         TITLE III--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

     SEC. 301. BUDGET COMPLIANCE.

       The budgetary effects of this division, for the purpose of 
     complying with the Statutory Pay-As-You-Go Act of 2010, shall 
     be determined by reference to the latest statement titled 
     ``Budgetary Effects of PAYGO Legislation'' for this division, 
     submitted for printing in the Congressional Record by the 
     Chairman of the Senate Budget Committee, provided that such 
     statement has been submitted prior to the vote on passage.
                                 ______
                                 
  SA 2579. Mr. LEAHY submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       At the end, insert the following:

             TITLE __--CYBER CRIME PROTECTION SECURITY ACT

     SEC. _01. SHORT TITLE.

       This title may be cited as the ``Cyber Crime Protection 
     Security Act''.

     SEC. _02. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH 
                   UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE 
                   INFORMATION.

       Section 1961(1) of title 18, United States Code, is amended 
     by inserting ``section 1030 (relating to fraud and related 
     activity in connection with computers) if the act is a 
     felony,'' before ``section 1084''.

     SEC. _03. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     paragraph (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 1 year, or both, in the case

[[Page 12167]]

     of an offense under subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (D), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both; or
       ``(D) a fine under this title, imprisonment for not more 
     than 1 year, or both, for any other offense under subsection 
     (a)(5);
       ``(6) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(7) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. _04. TRAFFICKING IN PASSWORDS.

       Section 1030(a) of title 18, United States Code, is amended 
     by striking paragraph (6) and inserting the following:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in--
       ``(A) any password or similar information or means of 
     access through which a protected computer as defined in 
     subparagraphs (A) and (B) of subsection (e)(2) may be 
     accessed without authorization; or
       ``(B) any means of access through which a protected 
     computer as defined in subsection (e)(2)(A) may be accessed 
     without authorization.''.

     SEC. _05. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``for the completed offense'' after ``punished 
     as provided''.

     SEC. _06. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such person's interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 of title 18, 
     United States Code, relating to civil forfeitures, except 
     that such duties as are imposed on the Secretary of the 
     Treasury under the customs laws described in section 981(d) 
     of title 18, United States Code, shall be performed by such 
     officers, agents and other persons as may be designated for 
     that purpose by the Secretary of Homeland Security or the 
     Attorney General.''.

     SEC. _07. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``SEC. 1030A. AGGRAVATED DAMAGE TO A CRITICAL INFRASTRUCTURE 
                   COMPUTER.

       ``(a) Definitions.--In this section--
       ``(1) the terms `computer' and `damage' have the meanings 
     given such terms in section 1030; and
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or controls systems or assets vital to 
     national defense, national security, national economic 
     security, public health or safety, or any combination of 
     those matters, whether publicly or privately owned or 
     operated, including--
       ``(A) gas and oil production, storage, and delivery 
     systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public.
       ``(b) Offense.--It shall be unlawful to, during and in 
     relation to a felony violation of section 1030, intentionally 
     cause or attempt to cause damage to a critical infrastructure 
     computer, and such damage results in (or, in the case of an 
     attempt, would, if completed have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be fined under this title, imprisoned for not less than 
     3 years nor more than 20 years, or both.
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for the felony violation section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The table of 
     sections for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``Sec. 1030A. Aggravated damage to a critical infrastructure 
              computer.''.

     SEC. _08. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.
                                 ______
                                 
  SA 2580. Mr. LEAHY submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       At the end, add the following:

                    TITLE VIII--PRIVACY PROTECTIONS

                  Subtitle A--Video Privacy Protection

     SEC. 821. SHORT TITLE.

       This subtitle may be cited as the ``Video Privacy 
     Protection Act Amendments Act of 2012''.

     SEC. 822. VIDEO PRIVACY PROTECTION ACT AMENDMENT.

       Section 2710(b)(2) of title 18, United States Code, is 
     amended by striking subparagraph (B) and inserting the 
     following:
       ``(B) to any person with the informed, written consent 
     (including through an electronic

[[Page 12168]]

     means using the Internet) of the consumer that--
       ``(i) is in a form distinct and separate from any form 
     setting forth other legal or financial obligations of the 
     consumer;
       ``(ii)(I) is given at time the disclosure is sought; or
       ``(II) is given in advance for a set period of time or 
     until consent is withdrawn by the consumer; and
       ``(iii) the video tape service provider has provided an 
     opportunity, in a clear and conspicuous manner, for the 
     consumer to withdraw on a case-by-case basis or to withdraw 
     for ongoing disclosures;''.

             Subtitle B--Electronic Communications Privacy

     SEC. 841. SHORT TITLE.

       This subtitle may be cited as the ``Electronic 
     Communications Privacy Act Amendments Act of 2012''.

     SEC. 842. CONFIDENTIALITY OF ELECTRONIC COMMUNICATIONS.

       Section 2702(a)(3) of title 18, United States Code, is 
     amended to read as follows:
       ``(3) a provider of electronic communication service, or 
     remote computing service to the public shall not knowingly 
     divulge to any governmental entity the contents of any 
     communication described in section 2703(a), or any record or 
     other information pertaining to a subscriber or customer of 
     such service.''.

     SEC. 843. ELIMINATION OF 180-DAY RULE; SEARCH WARRANT 
                   REQUIREMENT; REQUIRED DISCLOSURE OF CUSTOMER 
                   RECORDS.

       (a) In General.--Section 2703 of title 18, United States 
     Code, is amended by striking subsections (a), (b), and (c) 
     and inserting the following:
       ``(a) Contents of Wire or Electronic Communications.--A 
     governmental entity may require the disclosure by a provider 
     of electronic communication service, or remote computing 
     service of the contents of a wire or electronic communication 
     that is in electronic storage with or otherwise stored, held, 
     or maintained by the provider if the governmental entity 
     obtains a warrant issued using the procedures described in 
     the Federal Rules of Criminal Procedure (or, in the case of a 
     State court, issued using State warrant procedures) that is 
     issued by a court of competent jurisdiction directing the 
     disclosure.
       ``(b) Notice.--Except as provided in section 2705, not 
     later than 3 days after a governmental entity receives the 
     contents of a wire or electronic communication of a 
     subscriber or customer from a provider of electronic 
     communication service, or remote computing service under 
     subsection (a), the governmental entity shall serve upon, or 
     deliver to by registered or first-class mail, electronic 
     mail, or other means reasonably calculated to be effective, 
     as specified by the court issuing the warrant, the subscriber 
     or customer--
       ``(1) a copy of the warrant; and
       ``(2) a notice that includes the information referred to in 
     section 2705(a)(5)(B)(i).
       ``(c) Records Concerning Electronic Communication Service, 
     or Remote Computing Service.--
       ``(1) In general.--Subject to paragraph (2), a governmental 
     entity may require a provider of electronic communication 
     service, or remote computing service to disclose a record or 
     other information pertaining to a subscriber or customer of 
     the provider or service (not including the contents of 
     communications), only if the governmental entity--
       ``(A) obtains a warrant issued using the procedures 
     described in the Federal Rules of Criminal Procedure (or, in 
     the case of a State court, issued using State warrant 
     procedures) that is issued by a court of competent 
     jurisdiction directing the disclosure;
       ``(B) obtains a court order directing the disclosure under 
     subsection (d);
       ``(C) has the consent of the subscriber or customer to the 
     disclosure; or
       ``(D) submits a formal written request relevant to a law 
     enforcement investigation concerning telemarketing fraud for 
     the name, address, and place of business of a subscriber or 
     customer of the provider or service that is engaged in 
     telemarketing (as defined in section 2325).
       ``(2) Subpoenas.--A provider of electronic communication 
     service, or remote computing service shall, in response to an 
     administrative subpoena authorized by Federal or State 
     statute or a Federal or State grand jury or trial subpoena, 
     disclose to a governmental entity the--
       ``(A) name;
       ``(B) address;
       ``(C) local and long distance telephone connection records, 
     or records of session times and durations;
       ``(D) length of service (including start date) and types of 
     service used;
       ``(E) telephone or instrument number or other subscriber 
     number or identity, including any temporarily assigned 
     network address; and
       ``(F) means and source of payment for such service 
     (including any credit card or bank account number), of a 
     subscriber or customer of such service.
       ``(3) Notice not required.--A governmental entity that 
     receives records or information under this subsection is not 
     required to provide notice to a subscriber or customer.''.
       (b) Technical and Conforming Amendments.--Section 2703(d) 
     of title 18, United States Code, is amended--
       (1) by striking ``A court order for disclosure under 
     subsection (b) or (c)'' and inserting ``A court order for 
     disclosure under subsection (c)''; and
       (2) by striking ``the contents of a wire or electronic 
     communication, or''.

     SEC. 844. DELAYED NOTICE.

       Section 2705 of title 18, United States Code, is amended to 
     read as follows:

     ``Sec. 2705. Delayed notice

       ``(a) Delay of Notification.--
       ``(1) In general.--A governmental entity that is seeking a 
     warrant under section 2703(a) may include in the application 
     for the warrant a request for an order delaying the 
     notification required under section 2703(a) for a period of 
     not more than 90 days.
       ``(2) Determination.--A court shall grant a request for 
     delayed notification made under paragraph (1) if the court 
     determines that there is reason to believe that notification 
     of the existence of the warrant may result in--
       ``(A) endangering the life or physical safety of an 
     individual;
       ``(B) flight from prosecution;
       ``(C) destruction of or tampering with evidence;
       ``(D) intimidation of potential witnesses; or
       ``(E) otherwise seriously jeopardizing an investigation or 
     unduly delaying a trial.
       ``(3) Extension.--Upon request by a governmental entity, a 
     court may grant 1 or more extensions of the delay of 
     notification granted under paragraph (2) of not more than 90 
     days.
       ``(4) Expiration of the delay of notification.--Upon 
     expiration of the period of delay of notification under 
     paragraph (2) or (3), the governmental entity shall serve 
     upon, or deliver to by registered or first-class mail, 
     electronic mail or other means reasonably calculated to be 
     effective as specified by the court approving the search 
     warrant, the customer or subscriber--
       ``(A) a copy of the warrant; and
       ``(B) notice that informs the customer or subscriber--
       ``(i) that information maintained for the customer or 
     subscriber by the provider of electronic communication 
     service, or remote computing service named in the process or 
     request was supplied to, or requested by, the governmental 
     entity;
       ``(ii) of the date on which the warrant was served on the 
     provider and the date on which the information was provided 
     by the provider to the governmental entity;
       ``(iii) that notification of the customer or subscriber was 
     delayed;
       ``(iv) the identity of the court authorizing the delay; and
       ``(v) of the provision of this chapter under which the 
     delay was authorized.
       ``(b) Preclusion of Notice to Subject of Governmental 
     Access.--
       ``(1) In general.--A governmental entity that is obtaining 
     the contents of a communication or information or records 
     under section 2703 may apply to a court for an order 
     directing a provider of electronic communication service, or 
     remote computing service to which a warrant, order, subpoena, 
     or other directive under section 2703 is directed not to 
     notify any other person of the existence of the warrant, 
     order, subpoena, or other directive for a period of not more 
     than 90 days.
       ``(2) Determination.--A court shall grant a request for an 
     order made under paragraph (1) if the court determines that 
     there is reason to believe that notification of the existence 
     of the warrant, order, subpoena, or other directive may 
     result in--
       ``(A) endangering the life or physical safety of an 
     individual;
       ``(B) flight from prosecution;
       ``(C) destruction of or tampering with evidence;
       ``(D) intimidation of potential witnesses;
       ``(E) otherwise seriously jeopardizing an investigation or 
     unduly delaying a trial; or
       ``(F) endangering national security.
       ``(3) Extension.--Upon request by a governmental entity, a 
     court may grant 1 or more extensions of an order granted 
     under paragraph (2) of not more than 90 days.''.

                          ____________________