Text: H.R.836 — 110th Congress (2007-2008)All Bill Information (Except Text)

There is one version of the bill.

Text available as:

Shown Here:
Introduced in House (02/06/2007)


110th CONGRESS
1st Session
H. R. 836

To amend title 18, United States Code, to better assure cyber-security, and for other purposes.


IN THE HOUSE OF REPRESENTATIVES
February 6, 2007

Mr. Smith of Texas (for himself, Mr. Forbes, Mr. Gallegly, Mr. Chabot, Mr. Coble, Mr. Franks of Arizona, Mr. Goodlatte, and Mr. Pence) introduced the following bill; which was referred to the Committee on the Judiciary


A BILL

To amend title 18, United States Code, to better assure cyber-security, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Cyber-Security Enhancement and Consumer Data Protection Act of 2007”.

SEC. 2. Personal electronic records.

Section 1030(a)(2) of title 18, United States Code, is amended—

(1) by striking “or” at the end of subparagraph (B); and

(2) by adding at the end the following:

“(D) a means of identification (as defined in section 1028(d)) from a protected computer; or

“(E) the capability to gain access to or remotely control a protected computer.”.

SEC. 3. Use of full interstate and foreign commerce power for criminal penalties.

(a) Broadening of Scope.—Section 1030(e)(2)(B) of title 18, United States Code, is amended by inserting “or affecting” after “which is used in”.

(b) Elimination of Requirement of an Interstate or Foreign Communication for Certain Offenses Involving Protected Computers.—Section 1030(a)(2)(C) of title 18, United States Code, is amended by striking “if the conduct involved an interstate or foreign communication”.

SEC. 4. Rico predicates.

Section 1961(1)(B) of title 18, United States Code, is amended by inserting “section 1030 (relating to fraud and related activity in connection with computers),” before “section 1084”.

SEC. 5. Cyber-extortion.

Section 1030(a)(7) of title 18, United States Code, is amended by inserting “, or to access without authorization or exceed authorized access to a protected computer” after “cause damage to a protected computer”.

SEC. 6. Conspiracy to commit cyber-crimes.

Section 1030(b) of title 18, United States Code, is amended by inserting “or conspires” after “attempts”.

SEC. 7. Notice to law enforcement.

(a) Criminal Penalty for Failure To Notify Law Enforcement.—Chapter 47 of title 18, United States Code, is amended by adding at the end the following:

§ 1039. Concealment of security breaches involving personal information

“(a) Offense.—Whoever owns or possesses data in electronic form containing a means of identification (as defined in section 1028), having knowledge of a major security breach of the system containing such data maintained by such person, and knowingly fails to provide notice of such breach to the United States Secret Service or Federal Bureau of Investigation, with the intent to prevent, obstruct, or impede a lawful investigation of such breach, shall be fined under this title, imprisoned not more than 5 years, or both.

“(b) Definitions.—As used in this section—

“(1) MAJOR SECURITY BREACH.—The term ‘major security breach’ means any security breach—

“(A) whereby means of identification pertaining to 10,000 or more individuals is, or is reasonably believed to have been acquired, and such acquisition causes a significant risk of identity theft;

“(B) involving databases owned by the Federal Government; or

“(C) involving primarily data in electronic form containing means of identification of Federal Government employees or contractors involved in national security matters or law enforcement.

“(2) SIGNIFICANT RISK OF IDENTITY THEFT.—

“(A) IN GENERAL.—The term ‘significant risk of identity theft’ means such risk that a reasonable person would conclude, after a reasonable opportunity to investigate, that it is more probable than not that identity theft has occurred or will occur as a result of the breach.

“(B) PRESUMPTION.—If the data in electronic form containing a means of identification involved in a suspected breach has been encrypted, redacted, requires technology to use or access the data that is not commercially available, or has otherwise been rendered unusable, then there shall be a presumption that the breach has not caused a significant risk of identity theft. Such presumption may be rebutted by facts demonstrating that the encryption code has been or is reasonably likely to be compromised, that the entity that acquired the data is believed to possess the technology to access it, or the owner or possessor of the data is or reasonably should be aware of an unusual pattern of misuse of the data that indicates fraud or identity theft.”.

(b) Rulemaking.—Within 180 days after the date of enactment of this Act, the Attorney General and Secretary of Homeland Security shall jointly promulgate rules and regulations, after adequate notice and an opportunity for comment, as are reasonably necessary, governing the form, content, and timing of the notices required pursuant to section 1039 of title 18, United States Code. Such rules and regulations shall not require the deployment or use of specific products or technologies, including any specific computer hardware or software, to protect against a security breach. Such rules and regulations shall require that—

(1) such notice be provided to the United States Secret Service or Federal Bureau of Investigation before any notice of a breach is made to consumers under State or Federal law, and within 14 days of discovery of the breach;

(2) if the United States Secret Service or Federal Bureau of Investigation determines that any notice required to be made to consumers under State or Federal law would impede or compromise a criminal investigation or national security, the United States Secret Service or Federal Bureau of Investigation shall direct in writing within 7 days that such notice shall be delayed for 30 days, or until the United States Secret Service or Federal Bureau of Investigation determines that such notice will not impede or compromise a criminal investigation or national security;

(3) the United States Secret Service shall notify the Federal Bureau of Investigation, if the United States Secret Service determines that such breach may involve espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y))), except for offenses affecting the duties of the United States Secret Service under section 3056(a) of title 18, United States Code; and

(4) the United States Secret Service or Federal Bureau of Investigation notify the Attorney General in each State affected by the breach, if the United States Secret Service or Federal Bureau of Investigation declines to pursue a criminal investigation, or as deemed necessary and appropriate.

(c) Immunity From Lawsuit.—No cause of action shall lie in any court against any law enforcement entity or any person who notifies law enforcement of a security breach pursuant to this section for any penalty, prohibition, or damages relating to the delay of notification for law enforcement purposes under this Act.

(d) Civil Penalty for Failure To Notify.—Whoever knowingly fails to give a notice required under section 1039 of title 18, United States Code, shall be subject to a civil penalty of not more than $50,000 for each day of such failure, but not more than $1,000,000.

(e) Relation to State Laws.—

(1) IN GENERAL.—The requirement to notify law enforcement under this section shall supersede any other notice to law enforcement required under State law.

(2) EXCEPTION FOR STATE CONSUMER NOTICE LAWS.—The notice required to law enforcement under this section shall be in addition to any notice to consumers required under State or Federal law following the discovery of a security breach. Nothing in this section annuls, alters, affects or exempts any person from complying with the laws of any State with respect to notice to consumers of a security breach, except as provided by subsections (b) and (c).

(f) Duty of Federal Agencies and Departments.—An agency or department of the Federal Government which would be required to give notice of a major security breach under section 1039 of title 18, United States Code, if that agency or department were a person, shall notify the United States Secret Service or Federal Bureau of Investigation of the breach in the same time and manner as a person subject to that section. The rulemaking authority under subsection (b) shall include the authority to make rules for notice under this subsection of a major security breach.

(g) Clerical Amendment.—The table of sections at the beginning of chapter 47 of title 18, United States Code, is amended by adding at the end the following new item:


“1039. Concealment of security breaches involving personal information.”.

SEC. 8. PENALTIES FOR SECTION 1030 VIOLATIONS.

Subsection (c) of section 1030 of title 18, United States Code, is amended to read as follows:

“(c)(1) The punishment for an offense under subsection (a) or (b) is a fine under this title or imprisonment for not more than 30 years, or both.

“(2) The court, in imposing sentence for an offense under subsection (a) or (b), shall, in addition to any other sentence imposed and irrespective of any provision of State law, order that the person forfeit to the United States—

“(A) the person’s interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation; and

“(B) any property, real or personal, constituting or derived from, any proceeds the person obtained, directly or indirectly, as a result of such violation.”.

SEC. 9. Directive to sentencing Commission.

(a) Directive.—Pursuant to its authority under section 994(p) of title 28, United States Code, and in accordance with this section, the United States Sentencing Commission shall forthwith review its guidelines and policy statements applicable to persons convicted of offenses under sections 1028, 1028A, 1030, 1030A, 2511 and 2701 of title 18, United States Code and any other relevant provisions of law, in order to reflect the intent of Congress that such penalties be increased in comparison to those currently provided by such guidelines and policy statements.

(b) Requirements.—In determining its guidelines and policy statements on the appropriate sentence for the crimes enumerated in paragraph (a), the Commission shall consider the extent to which the guidelines and policy statements may or may not account for the following factors in order to create an effective deterrent to computer crime and the theft or misuse of personally identifiable data—

(1) the level of sophistication and planning involved in such offense;

(2) whether such offense was committed for purpose of commercial advantage or private financial benefit;

(3) the potential and actual loss resulting from the offense;

(4) whether the defendant acted with intent to cause either physical or property harm in committing the offense;

(5) the extent to which the offense violated the privacy rights of individuals;

(6) the effect of the offense upon the operations of a government agency of the United States, or of a State or local government;

(7) whether the offense involved a computer used by the government in furtherance of national defense, national security or the administration of justice;

(8) whether the offense was intended to, or had the effect of significantly interfering with or disrupting a critical infrastructure;

(9) whether the offense was intended to, or had the effect of creating a threat to public health or safety, injury to any person, or death; and

(10) whether the defendant purposefully involved a juvenile in the commission of the offense to avoid punishment.

(c) Additional Requirements.—In carrying out this section, the Commission shall—

(1) assure reasonable consistency with other relevant directives and with other sentencing guidelines;

(2) account for any additional aggravating or mitigating circumstances that might justify exceptions to the generally applicable sentencing ranges;

(3) make any conforming changes to the sentencing guidelines; and

(4) assure that the guidelines adequately meet the purposes of sentencing as set forth in section 3553(a)(2) of title 18, United States Code.

SEC. 10. Damage to protected computers.

(a) Section 1030(a)(5)(B) of title 18, United States Code, is amended—

(1) by striking “or” at the end of clause (iv);

(2) by inserting “or” at the end of clause (v); and

(3) by adding at the end the following:

“(vi) damage affecting ten or more protected computers during any 1-year period.”.

(b) Section 1030(g) of title 18, United States Code, is amended by striking “or” after “(iv),” and inserting “, or (vi)” after “(v)”.

(c) Section 2332b(g)(5)(B)(i) of title 18, United States Code, is amended by striking “(v) (relating to protection of computers)” and inserting “(vi) (relating to the protection of computers)”.

SEC. 11. Additional funding for resources to investigate and prosecute criminal activity involving computers.

(a) Additional Funding for Resources.—

(1) AUTHORIZATION.—In addition to amounts otherwise authorized for resources to investigate and prosecute criminal activity involving computers, there are authorized to be appropriated for each of the fiscal years 2007 through 2011—

(A) $10,000,000 to the Director of the United States Secret Service;

(B) $10,000,000 to the Attorney General for the Criminal Division of the Department of Justice; and

(C) $10,000,000 to the Director of the Federal Bureau of Investigation.

(2) AVAILABILITY.—Any amounts appropriated under paragraph (1) shall remain available until expended.

(b) Use of Additional Funding.—Funds made available under subsection (a) shall be used by the Director of the United States Secret Service, the Director of the Federal Bureau of Investigation, and the Attorney General, for the United States Secret Service, the Federal Bureau of Investigation, and the criminal division of the Department of Justice, respectively, to—

(1) hire and train law enforcement officers to—

(A) investigate crimes committed through the use of computers and other information technology, including through the use of the Internet; and

(B) assist in the prosecution of such crimes; and

(2) procure advanced tools of forensic science to investigate, prosecute, and study such crimes.