Draft of Computer Fraud and Abuse Act (March 22, 2013)
1 viewer
Draft of Computer Fraud and Abuse Act (March 22, 2013) Lyrics
[DISCUSSION DRAFT]
113TH CONGRESS
1ST SESSION H. R. ll
To amend title 18, United States Code, to provide for additional restrictions
On fraud and related activity in connection with computers, and for
Other purposes.
IN THE HOUSE OF REPRESENTATIVES
M_______ introduced the following bill; which was referred to the
Committee on ________
A BILL
To amend title 18, United States Code, to provide for additional restrictions on fraud and related activity in connection with computers, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘‘____ Act
Of 2013’’.
TITLE I—CRIMINAL PROVISIONS
SEC. 101. PROTECTING U.S. BUSINESSES FROM FOREIGN
ESPIONAGE.
Section 1831(a) of title 18, United States Code, is
Amended, in the matter after paragraph (5), by striking
‘‘15 years’’ and inserting ‘‘20 years’’.
SEC. 102. FRAUD AND RELATED ACTIVITY IN CONNECTION
WITH COMPUTERS AS RICO PREDICATE.
Section 1961(1)(B) of title 18, United States Code,
Is amended by inserting after ‘‘section 1029 (relating to
Fraud and related activity in connection with access de-
Vices), section 1084 (relating to the transmission of gam-
Bling information),’’ the following: ‘‘section 1030 (relating
To fraud and related activity in connection with com-
Puters),’’.
SEC. 103. FRAUD AND RELATED ACTIVITY IN CONNECTION
WITH COMPUTERS.
Section 1030 of title 18, United States Code, is
Amended as follows:
(1) TRAFFICKING IN PASSWORDS.—In sub-
Section (a), by striking paragraph (6) and inserting
The following:
‘‘(6) knowingly and with intent to defraud traf-
Fics (as defined in section 1029) in any password or
Similar information or means of access through
Which a protected computer as defined in subpara-
Graphs (A) and (B) of subsection (e)(2) may be
Accessed without authorization; or’’.
(2) CONSPIRACY AND ATTEMPT.—In subsection
(b), by inserting ‘‘for the completed offense’’ after
‘‘punished as provided’ ’’.
(3) PENALTIES.—By striking subsection (c)
And inserting the following:
‘‘(c) The punishment for an offense under subsection
(a) or (b) of this section is—
‘‘(1)(A) except as otherwise provided in this
Paragraph, in the case of an offense under sub-
Section (a)(5)(A) of this section, if the offender at-
Tempts to cause or knowingly or recklessly causes
Death from conduct in violation of subsection
(a)(5)(A), a fine under this title, imprisonment for
Any term of years or for life, or both;
‘‘(B) a fine under this title, imprisonment
For not more than 20 years, or both, in the case
Of an offense under subsection (a)(5)(A) of this
Section, if the offense caused—
‘‘(i) loss to 1 or more persons during
Any 1-year period (and, for purposes of an
Investigation, prosecution, or other pro-
Ceeding brought by the United States only,
Loss resulting from a related course of con-
Duct affecting 1 or more other protected
Computers) aggregating at least $5,000 in
Value;
‘‘(ii) the modification or impairment,
Or potential modification or impairment, of
The medical examination, diagnosis, treat-
Ment, or care of 1 or more individuals;
‘‘(iii) physical injury to any person;
‘‘(iv) a threat to public health or safe-
Ty;
‘‘(v) damage affecting a computer
Used by, or on behalf of, an entity of the
Nited States Government in furtherance
Of the administration of justice, national
Defense, or national security; or
‘‘(vi) damage affecting 10 or more
Protected computers during any 1-year pe-
Riod;
‘‘(C) a fine under this title, imprisonment
For not more than 10 years, or both, in the case
Of an offense under subsection (a)(5)(B), if the
Offense caused a harm provided in clause (i)
Through (vi) of subparagraph (A) of this sub-
Section; or
‘‘(D) a fine under this title, imprisonment
For not more than 1 year, or both, for any other
Offense under subsection (a)(5) of this section;
‘‘(2) a fine under this title or imprisonment for
Not more than 20 years, or both, in the case of an
Offense under—
‘‘(A) subsection (a)(1) of this section; or
‘‘(B) subsection (a)(4) of this section;
‘‘(3) a fine under this title or imprisonment for
Not more than 10 years, or both, in the case of an
Offense under—
‘‘(A) subsection (a)(6) of this section;
‘‘(B) subsection (a)(7) of this section;
‘‘(4)(A) except as provided in subparagraph
(B), a fine under this title or imprisonment for not
More than 3 years, or both, in the case of an offense
Under subsection (a)(2); or
‘‘(B) a fine under this title or imprison-
Ment for not more than 10 years, or both, in
The case of an offense under paragraph (a)(2)
Of this section, if—
‘‘(i) the offense was committed for
Purposes of commercial advantage or pri-
Vate financial gain;
‘‘(ii) the offense was committed in the
Furtherance of any criminal or tortious act
In violation of the Constitution or laws of
The United States, or of any State; or
‘‘(iii) the value of the information ob-
Tained, or that would have been obtained if
The offense was completed, exceeds $5,000;
Or
‘‘(5) a fine under this title or imprisonment for
Not more than 1 year, or both, in the case of an of-
Fense under subsection (a)(3) of this section;’’.
(4) EXCEEDS AUTHORIZED ACCESS.—In sub-
Section (a), by striking paragraph (2) and inserting
The following:
‘‘(2) intentionally—
‘‘(A) accesses a computer without author-
Ization, and thereby obtains—
‘‘(i) information contained in a finan-
Cial record of a financial institution, or of
A card issuer as defined in section 1602(n)
Of title 15, or contained in a file of a con-
Sumer reporting agency on a consumer, as
Such terms are defined in the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.);
‘‘(ii) information from any department
Or agency of the United States; or
‘‘(iii) information from any protected
Computer; or
‘‘(B) exceeds authorized access, and—
‘‘(i) thereby obtains from a computer
Information defined in paragraph (A)(i)
Through (iii); and
‘‘(ii) the offense—
‘‘(I) involves information that ex-
Ceeds $5,000 in value;
‘‘(II) was committed for purposes
Of obtaining sensitive or non-public in-
Formation of an entity or another indi-
Vidual (including such information in
The possession of a third party), in-
Cluding medical records, wills, diaries,
Private correspondence, financial
Records, photographs of a sensitive or
Private nature, trade secrets, or sen-
Sitive or non-public commercial busi-
Ness information;
‘‘(III) was committed in further-
Ance of any criminal act in violation
Of the Constitution or laws of the
United States or of any State, unless
Such state violation would be based
Solely on the obtaining of information
Without authorization or in excess of
Authorization; or
‘‘(IV) involves information ob-
Tained from a computer used by or for
A government entity; or’’.
(5) FORFEITURES.—By striking subsections (i)
And (j) and inserting the following:
‘‘(i) CRIMINAL FORFEITURE.—(1) The court, in im-
Posing sentence on any person convicted of a violation of
This section, or convicted of conspiracy to violate this sec-
Tion, shall order, in addition to any other sentence imposed
And irrespective of any provision of State law, that such
Person forfeit to the United States—
‘‘(A) such person’s interest in any property,
Real or personal, that was used, or intended to be
Used, to commit or facilitate the commission of such
Violation; and
‘‘(B) any property, real or personal, consti-
Tuting or derived from any gross proceeds, or any
Property traceable to such property, that such per-
Son obtained, directly or indirectly, as a result of
Such violation.
‘‘(2) The criminal forfeiture of property under this
Subsection, including any seizure and disposition of the
Property, and any related judicial or administrative pro-
Ceeding, shall be governed by the provisions of section 413
Of the Comprehensive Drug Abuse Prevention and Control
Act of 1970 (21 U.S.C. 853), except subsection (d) of that
Section.
‘‘(j) CIVIL FORFEITURE.—(1) The following shall be
Subject to forfeiture to the United States and no property
Right, real or personal, shall exist in them:
‘‘(A) Any property, real or personal, that was
Used, or intended to be used, to commit or facilitate
The commission of any violation of this section, or a
Conspiracy to violate this section.
‘‘(B) Any property, real or personal, consti-
Tuting or derived from any gross proceeds obtained
Directly or indirectly, or any property traceable to
Such property, as a result of the commission of any
Violation of this section, or a conspiracy to violate
This section.
‘‘(2) Seizures and forfeitures under this subsection
Shall be governed by the provisions in chapter 46 of title
18, United States Code, relating to civil forfeitures, except
That such duties as are imposed on the Secretary of the
Treasury under the customs laws described in section
981(d) of title 18, United States Code, shall be performed
By such officers, agents and other persons as may be des-
Ignated for that purpose by the Secretary of Homeland
Security or the Attorney General.’’.
(6) DEFINITION.—In subsection (e)(6), by in-
Serting after ‘‘alter’’ the following: ‘‘, even if the
Accesser may be entitled to obtain or alter the same
Information in the computer for other purposes’’.
SEC. 104. DAMAGE TO CRITICAL INFRASTRUCTURE COM-
PUTERS.
(a) IN GENERAL.—Chapter 47 of title 18, United
States Code, is amended by inserting after section 1030
The following:
‘‘SEC. 1030A. AGGRAVATED DAMAGE TO A CRITICAL INFRA-
STRUCTURE COMPUTER.
‘‘(a) DEFINITIONS.—In this section—
‘‘(1) the terms ‘computer’ and ‘damage’ have
The meanings given such terms in section 1030; and
‘‘(2) the term ‘critical infrastructure computer’
Means a computer that manages or controls systems
Or assets vital to national defense, national security,
National economic security, public health or safety,
Or any combination of those matters, whether pub-
Licly or privately owned or operated, including—
‘‘(A) gas and oil production, storage, and
Delivery systems;
‘‘(B) water supply systems;
‘‘(C) telecommunication networks;
‘‘(D) electrical power delivery systems;
‘‘(E) finance and banking systems;
‘‘(F) emergency services;
‘‘(G) transportation systems and services;
And
‘‘(H) government operations that provide
Essential services to the public.
‘‘(b) OFFENSE.—Whoever, during and in relation to
A felony violation of section 1030, intentionally causes or
Attempts to cause damage to a critical infrastructure com-
Puter, and such damage results in (or, in the case of an
Attempt, would, if completed have resulted in) the substan-
Tial impairment—
‘‘(1) of the operation of the critical infrastruc-
Ture computer, or
‘‘(2) of the critical infrastructure associated
With the computer,
Shall be fined under this title, imprisoned for not more
Than 30 years, or both.
‘‘(c) CONSECUTIVE SENTENCE.—Notwithstanding
Any other provision of law—
‘‘(1) a court shall not place on probation any
Person convicted of a violation of this section;
‘‘(2) except as provided in paragraph (4), no
Term of imprisonment imposed on a person under
This section shall run concurrently with any other
Term of imprisonment, including any term of impris-
Onment imposed on the person under any other pro-
Vision of law, including any term of imprisonment
Imposed for the felony violation section 1030;
‘‘(3) in determining any term of imprisonment
To be imposed for a felony violation of section 1030,
A court shall not in any way reduce the term to be
Imposed for such crime so as to compensate for, or
Otherwise take into account, any separate term of
Imprisonment imposed or to be imposed for a viola-
Tion of this section; and
‘‘(4) a term of imprisonment imposed on a per-
Son for a violation of this section may, in the discre-
Tion of the court, run concurrently, in whole or in
Part, only with another term of imprisonment that
Is imposed by the court at the same time on that
Person for an additional violation of this section,
Provided that such discretion shall be exercised in
Accordance with any applicable guidelines and policy
Statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.’’.
(b) TECHNICAL AND CONFORMING AMENDMENT.—
The table of sections for chapter 47 of title 18, United
States Code, is amended by inserting after the item relat-
Ing to section 1030 the following:
‘‘Sec. 1030A. Aggravated damage to a critical infrastructure computer.’’.
SEC. 105. PREPAREDNESS OF FEDERAL COURTS TO PRO-
MOTE CYBER SECURITY.
Not later than 180 days after the date of enactment
Of this Act, the Administrative Office of the United States
Courts shall submit to the Committee on the Judiciary
Of the House of Representatives and the Committee on
The Judiciary of the Senate a report providing an assess-
Ment of the vulnerability of the Federal courts’ computer
And network systems to cyber intrusion and attacks that
Includes recommendations on changes and improvements
To the Federal courts’ computer and network security sys-
Tems to address any deficiencies in computer and network
Security.
SEC. 106. AUTHORIZATION OF NATIONAL CYBER INVES-
TIGATIVE JOINT TASK FORCE.
The Attorney General is authorized to establish the
National Cyber Investigative Joint Task Force, which
Shall be charged with coordinating, integrating, and sharing information related to all domestic cyber threat inves-
Tigations.
TITLE II—DATA SECURITY AND
BREACH NOTIFICATION
SEC. 201. NOTIFICATION OF INFORMATION SECURITY
BREACH.
(a) IN GENERAL.—Except as otherwise provided in
This section, a covered entity shall notify its customers of
A security breach affecting such customers not later than
ø14¿ days after that security breach.
(b) ADDITIONAL NOTIFICATION REQUIREMENTS.—
(1) THIRD-PARTY ENTITIES.—In the event of a
Security breach of a system maintained by a third-
Party entity, such third-party entity shall notify such
Covered entity of the security breach.
(2) SERVICE PROVIDERS.—If a service provider
Becomes aware of a security breach involving data in
Electronic form containing personal information that
Is owned or possessed by a covered entity that con-
Nects to or uses a system or network provided by the
Service provider for the purpose of transmitting,
Routing, or providing intermediate or transient stor-
Age of such data, such service provider shall notify
The covered entity who initiated such connection,
Transmission, routing, or storage if such covered en-
Tity can be reasonably identified.
(3) COVERED ENTITY NOTIFICATION.—Upon
Receiving notification from a third-party entity or a
Service provider under this subsection, a covered en-
Tity shall provide notification as required under sub-
Section (a) or subsection (d).
(c) DELAY OF NOTIFICATION AUTHORIZED FOR LAW
ENFORCEMENT OR NATIONAL SECURITY PURPOSES.—
(1) LAW ENFORCEMENT.—If a Federal øor
State¿ law enforcement agency determines that the
Notification required under subsection (a) would im-
Pede a civil or criminal investigation, such notifica-
Tion shall be delayed upon the request of the law en-
Forcement agency for any period which the law en-
Forcement agency determines is reasonably nec-
Essary. A law enforcement agency may, by a subse-
Quent request, revoke such delay or extend the pe-
Riod set forth in the original request made under
This subparagraph by a subsequent request if further
Delay is necessary.
(2) NATIONAL SECURITY.—If a Federal na-
Tional security agency or homeland security agency
Determines that the notification required under this
Section would threaten national or homeland security, such notification may be delayed upon the writ-
Ten request of the national security agency or home-
Land security agency for any period which the na-
Tional security agency or homeland security agency
Determines is reasonably necessary. A Federal na-
Tional security agency or homeland security agency
May revoke such delay or extend the period set forth
In the original request made under this subpara-
Graph by a subsequent written request if further
Delay is necessary.
(d) MAJOR SECURITY BREACH; NOTICE TO LAW EN-
FORCEMENT.—A covered entity shall notify the United
States Secret Service or the Federal Bureau of Investiga-
Tion of the fact that a major security breach has occurred
Not later than ø72 hours¿ after such major security
Breach has occurred.
(e) CONTENT OF NOTIFICATION.—Regardless of the
Method by which notification is provided to an individual
Under subsection (a) with respect to a security breach,
Such notification, to the extent practicable, shall include—
(1) the date, estimated date, or estimated date
Range of the security breach;
(2) a description of the personal information
That was accessed and acquired, or reasonably be-
Lieved to have been accessed and acquired, by an unauthorized person as a part of the security breach;
And
(3) information that the individual can use to
Contact the covered entity to inquire about—
(A) the security breach; or
(B) the information the covered entity
Maintained about that individual.
(f) TREATMENT OF PERSONS GOVERNED BY OTHER
FEDERAL LAW.—A covered entity who is in compliance
With any other Federal law that requires such covered en-
Tity to provide notification to individuals following a secu-
Rity breach shall be deemed to be in compliance with this
Section.
SEC. 202. CIVIL REMEDIES.
(a) CIVIL ACTION.—The Attorney General may in a
Civil action obtain a civil penalty of not more than
$500,000 from any covered entity that engages in conduct
Constituting a violation.
(b) SPECIAL RULE FOR INTENTIONAL VIOLA-
TIONS.—If the violation of this title described in sub-
Section (a) is intentional, the maximum civil penalty is
$1,000,000.
(c) NO PRIVATE CAUSE OF ACTION.—Nothing in this
Title shall be construed to establish a private cause of ac-
Tion against a person for a violation of this title.
SEC. 203. DEFINITIONS.
In this title:
(1) SECURITY BREACH.—The term ‘‘security
Breach’’ means unauthorized access and acquisition
Of data in electronic form containing personal infor-
Mation.
(2) COVERED ENTITY.—
(A) IN GENERAL.—The term ‘‘covered en-
Tity’’ means a commercial entity that acquires,
Maintains, stores, or utilizes personal informa-
Tion.
(B) EXEMPTIONS.—The term ‘‘covered en-
Tity’’ does not include the following:
(i) Financial institutions subject to
Title V of the Gramm-Leach-Bliley Act (15
U.S.C. 6801 et seq.).
(ii) An entity covered by the regula-
Tions issued under section 264(c) of the
Health Insurance Portability and Account-
Ability Act of 1996 (Public Law 104–191)
To the extent that such entity is subject to
The requirements of such regulations with
Respect to protected health information.
(3) DATA IN ELECTRONIC FORM.—The term
‘‘data in electronic form’’ means any data stored
Electronically or digitally on any computer system or
Other database and includes recordable tapes and
Other mass storage devices.
(4) MAJOR SECURITY BREACH.—The term
‘‘major security breach’’ means any security breach
Involving—
(A) means of identification pertaining to
10,000 or more individuals is, or is reasonably
Believed to have been acquired;
(B) databases owned by the Federal Gov-
Ernment; or
(C) means of identification of Federal Gov-
Ernment employees or contractors involved in
National security matters or law enforcement.
(5) MEANS OF IDENTIFICATION.—The term
‘‘means of identification’’ has the meaning given
That term in section 1028 of title 18, United States
Code.
(6) PERSONAL INFORMATION.—
(A) IN GENERAL.—The term ‘‘personal in-
Formation’’ means an individual’s first name or
First initial and last name in combination with
Any one or more of the following data elements
For that individual:
(i) Social Security number.
(ii) Driver’s license number, passport
Number, military identification number, or
Other similar number issued on a govern-
Ment document used to verify identity.
(iii) Financial account number, or
Credit or debit card number, and any re-
Quired security code, access code, or pass-
Word that is necessary to permit access to
An individual’s financial account.
(B) EXEMPTIONS FROM PERSONAL INFOR-
MATION.—
(i) PUBLIC RECORD INFORMATION.—
Personal information does not include in-
Formation obtained about an individual
Which has been lawfully made publicly
Available by a Federal, State, or local gov-
Ernment entity or widely distributed by
Media.
(ii) ENCRYPTED, REDACTED, OR SE-
CURED DATA.—Personal information does
Not include information that is encrypted,
Redacted, or secured by any other method
Or technology that renders the data ele-
Ments unusable.
(7) SERVICE PROVIDER.—The term ‘‘service
Provider’’ means an entity that provides electronic
Data transmission, routing, intermediate, and tran-
Sient storage, or connections to its system or net-
Work, where such entity providing such services does
Not select or modify the content of the electronic
Data, is not the sender or the intended recipient of
The data, and does not differentiate personal infor-
Mation from other information that such entity
Transmits, routes, stores, or for which such entity
Provides connections. Any such entity shall be treat-
Ed as a service provider under this title only to the
Extent that it is engaged in the provision of such
Transmission, routing, intermediate and transient
Storage, or connections.
(8) THIRD-PARTY ENTITY.—The term ‘‘third-
Party entity’’ means an entity that has been con-
Tracted to maintain, store, or process data in elec-
Tronic form containing personal information on be-
Half of a covered entity who owns or possesses such
Data.
SEC. 204. EFFECT ON FEDERAL AND STATE LAW.
The provisions of this title shall supersede any provi-
Sion of the law of any State, or a political subdivision
Thereof, relating to notification by a covered entity of a
Security breach
113TH CONGRESS
1ST SESSION H. R. ll
To amend title 18, United States Code, to provide for additional restrictions
On fraud and related activity in connection with computers, and for
Other purposes.
IN THE HOUSE OF REPRESENTATIVES
M_______ introduced the following bill; which was referred to the
Committee on ________
A BILL
To amend title 18, United States Code, to provide for additional restrictions on fraud and related activity in connection with computers, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘‘____ Act
Of 2013’’.
TITLE I—CRIMINAL PROVISIONS
SEC. 101. PROTECTING U.S. BUSINESSES FROM FOREIGN
ESPIONAGE.
Section 1831(a) of title 18, United States Code, is
Amended, in the matter after paragraph (5), by striking
‘‘15 years’’ and inserting ‘‘20 years’’.
SEC. 102. FRAUD AND RELATED ACTIVITY IN CONNECTION
WITH COMPUTERS AS RICO PREDICATE.
Section 1961(1)(B) of title 18, United States Code,
Is amended by inserting after ‘‘section 1029 (relating to
Fraud and related activity in connection with access de-
Vices), section 1084 (relating to the transmission of gam-
Bling information),’’ the following: ‘‘section 1030 (relating
To fraud and related activity in connection with com-
Puters),’’.
SEC. 103. FRAUD AND RELATED ACTIVITY IN CONNECTION
WITH COMPUTERS.
Section 1030 of title 18, United States Code, is
Amended as follows:
(1) TRAFFICKING IN PASSWORDS.—In sub-
Section (a), by striking paragraph (6) and inserting
The following:
‘‘(6) knowingly and with intent to defraud traf-
Fics (as defined in section 1029) in any password or
Similar information or means of access through
Which a protected computer as defined in subpara-
Graphs (A) and (B) of subsection (e)(2) may be
Accessed without authorization; or’’.
(2) CONSPIRACY AND ATTEMPT.—In subsection
(b), by inserting ‘‘for the completed offense’’ after
‘‘punished as provided’ ’’.
(3) PENALTIES.—By striking subsection (c)
And inserting the following:
‘‘(c) The punishment for an offense under subsection
(a) or (b) of this section is—
‘‘(1)(A) except as otherwise provided in this
Paragraph, in the case of an offense under sub-
Section (a)(5)(A) of this section, if the offender at-
Tempts to cause or knowingly or recklessly causes
Death from conduct in violation of subsection
(a)(5)(A), a fine under this title, imprisonment for
Any term of years or for life, or both;
‘‘(B) a fine under this title, imprisonment
For not more than 20 years, or both, in the case
Of an offense under subsection (a)(5)(A) of this
Section, if the offense caused—
‘‘(i) loss to 1 or more persons during
Any 1-year period (and, for purposes of an
Investigation, prosecution, or other pro-
Ceeding brought by the United States only,
Loss resulting from a related course of con-
Duct affecting 1 or more other protected
Computers) aggregating at least $5,000 in
Value;
‘‘(ii) the modification or impairment,
Or potential modification or impairment, of
The medical examination, diagnosis, treat-
Ment, or care of 1 or more individuals;
‘‘(iii) physical injury to any person;
‘‘(iv) a threat to public health or safe-
Ty;
‘‘(v) damage affecting a computer
Used by, or on behalf of, an entity of the
Nited States Government in furtherance
Of the administration of justice, national
Defense, or national security; or
‘‘(vi) damage affecting 10 or more
Protected computers during any 1-year pe-
Riod;
‘‘(C) a fine under this title, imprisonment
For not more than 10 years, or both, in the case
Of an offense under subsection (a)(5)(B), if the
Offense caused a harm provided in clause (i)
Through (vi) of subparagraph (A) of this sub-
Section; or
‘‘(D) a fine under this title, imprisonment
For not more than 1 year, or both, for any other
Offense under subsection (a)(5) of this section;
‘‘(2) a fine under this title or imprisonment for
Not more than 20 years, or both, in the case of an
Offense under—
‘‘(A) subsection (a)(1) of this section; or
‘‘(B) subsection (a)(4) of this section;
‘‘(3) a fine under this title or imprisonment for
Not more than 10 years, or both, in the case of an
Offense under—
‘‘(A) subsection (a)(6) of this section;
‘‘(B) subsection (a)(7) of this section;
‘‘(4)(A) except as provided in subparagraph
(B), a fine under this title or imprisonment for not
More than 3 years, or both, in the case of an offense
Under subsection (a)(2); or
‘‘(B) a fine under this title or imprison-
Ment for not more than 10 years, or both, in
The case of an offense under paragraph (a)(2)
Of this section, if—
‘‘(i) the offense was committed for
Purposes of commercial advantage or pri-
Vate financial gain;
‘‘(ii) the offense was committed in the
Furtherance of any criminal or tortious act
In violation of the Constitution or laws of
The United States, or of any State; or
‘‘(iii) the value of the information ob-
Tained, or that would have been obtained if
The offense was completed, exceeds $5,000;
Or
‘‘(5) a fine under this title or imprisonment for
Not more than 1 year, or both, in the case of an of-
Fense under subsection (a)(3) of this section;’’.
(4) EXCEEDS AUTHORIZED ACCESS.—In sub-
Section (a), by striking paragraph (2) and inserting
The following:
‘‘(2) intentionally—
‘‘(A) accesses a computer without author-
Ization, and thereby obtains—
‘‘(i) information contained in a finan-
Cial record of a financial institution, or of
A card issuer as defined in section 1602(n)
Of title 15, or contained in a file of a con-
Sumer reporting agency on a consumer, as
Such terms are defined in the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.);
‘‘(ii) information from any department
Or agency of the United States; or
‘‘(iii) information from any protected
Computer; or
‘‘(B) exceeds authorized access, and—
‘‘(i) thereby obtains from a computer
Information defined in paragraph (A)(i)
Through (iii); and
‘‘(ii) the offense—
‘‘(I) involves information that ex-
Ceeds $5,000 in value;
‘‘(II) was committed for purposes
Of obtaining sensitive or non-public in-
Formation of an entity or another indi-
Vidual (including such information in
The possession of a third party), in-
Cluding medical records, wills, diaries,
Private correspondence, financial
Records, photographs of a sensitive or
Private nature, trade secrets, or sen-
Sitive or non-public commercial busi-
Ness information;
‘‘(III) was committed in further-
Ance of any criminal act in violation
Of the Constitution or laws of the
United States or of any State, unless
Such state violation would be based
Solely on the obtaining of information
Without authorization or in excess of
Authorization; or
‘‘(IV) involves information ob-
Tained from a computer used by or for
A government entity; or’’.
(5) FORFEITURES.—By striking subsections (i)
And (j) and inserting the following:
‘‘(i) CRIMINAL FORFEITURE.—(1) The court, in im-
Posing sentence on any person convicted of a violation of
This section, or convicted of conspiracy to violate this sec-
Tion, shall order, in addition to any other sentence imposed
And irrespective of any provision of State law, that such
Person forfeit to the United States—
‘‘(A) such person’s interest in any property,
Real or personal, that was used, or intended to be
Used, to commit or facilitate the commission of such
Violation; and
‘‘(B) any property, real or personal, consti-
Tuting or derived from any gross proceeds, or any
Property traceable to such property, that such per-
Son obtained, directly or indirectly, as a result of
Such violation.
‘‘(2) The criminal forfeiture of property under this
Subsection, including any seizure and disposition of the
Property, and any related judicial or administrative pro-
Ceeding, shall be governed by the provisions of section 413
Of the Comprehensive Drug Abuse Prevention and Control
Act of 1970 (21 U.S.C. 853), except subsection (d) of that
Section.
‘‘(j) CIVIL FORFEITURE.—(1) The following shall be
Subject to forfeiture to the United States and no property
Right, real or personal, shall exist in them:
‘‘(A) Any property, real or personal, that was
Used, or intended to be used, to commit or facilitate
The commission of any violation of this section, or a
Conspiracy to violate this section.
‘‘(B) Any property, real or personal, consti-
Tuting or derived from any gross proceeds obtained
Directly or indirectly, or any property traceable to
Such property, as a result of the commission of any
Violation of this section, or a conspiracy to violate
This section.
‘‘(2) Seizures and forfeitures under this subsection
Shall be governed by the provisions in chapter 46 of title
18, United States Code, relating to civil forfeitures, except
That such duties as are imposed on the Secretary of the
Treasury under the customs laws described in section
981(d) of title 18, United States Code, shall be performed
By such officers, agents and other persons as may be des-
Ignated for that purpose by the Secretary of Homeland
Security or the Attorney General.’’.
(6) DEFINITION.—In subsection (e)(6), by in-
Serting after ‘‘alter’’ the following: ‘‘, even if the
Accesser may be entitled to obtain or alter the same
Information in the computer for other purposes’’.
SEC. 104. DAMAGE TO CRITICAL INFRASTRUCTURE COM-
PUTERS.
(a) IN GENERAL.—Chapter 47 of title 18, United
States Code, is amended by inserting after section 1030
The following:
‘‘SEC. 1030A. AGGRAVATED DAMAGE TO A CRITICAL INFRA-
STRUCTURE COMPUTER.
‘‘(a) DEFINITIONS.—In this section—
‘‘(1) the terms ‘computer’ and ‘damage’ have
The meanings given such terms in section 1030; and
‘‘(2) the term ‘critical infrastructure computer’
Means a computer that manages or controls systems
Or assets vital to national defense, national security,
National economic security, public health or safety,
Or any combination of those matters, whether pub-
Licly or privately owned or operated, including—
‘‘(A) gas and oil production, storage, and
Delivery systems;
‘‘(B) water supply systems;
‘‘(C) telecommunication networks;
‘‘(D) electrical power delivery systems;
‘‘(E) finance and banking systems;
‘‘(F) emergency services;
‘‘(G) transportation systems and services;
And
‘‘(H) government operations that provide
Essential services to the public.
‘‘(b) OFFENSE.—Whoever, during and in relation to
A felony violation of section 1030, intentionally causes or
Attempts to cause damage to a critical infrastructure com-
Puter, and such damage results in (or, in the case of an
Attempt, would, if completed have resulted in) the substan-
Tial impairment—
‘‘(1) of the operation of the critical infrastruc-
Ture computer, or
‘‘(2) of the critical infrastructure associated
With the computer,
Shall be fined under this title, imprisoned for not more
Than 30 years, or both.
‘‘(c) CONSECUTIVE SENTENCE.—Notwithstanding
Any other provision of law—
‘‘(1) a court shall not place on probation any
Person convicted of a violation of this section;
‘‘(2) except as provided in paragraph (4), no
Term of imprisonment imposed on a person under
This section shall run concurrently with any other
Term of imprisonment, including any term of impris-
Onment imposed on the person under any other pro-
Vision of law, including any term of imprisonment
Imposed for the felony violation section 1030;
‘‘(3) in determining any term of imprisonment
To be imposed for a felony violation of section 1030,
A court shall not in any way reduce the term to be
Imposed for such crime so as to compensate for, or
Otherwise take into account, any separate term of
Imprisonment imposed or to be imposed for a viola-
Tion of this section; and
‘‘(4) a term of imprisonment imposed on a per-
Son for a violation of this section may, in the discre-
Tion of the court, run concurrently, in whole or in
Part, only with another term of imprisonment that
Is imposed by the court at the same time on that
Person for an additional violation of this section,
Provided that such discretion shall be exercised in
Accordance with any applicable guidelines and policy
Statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.’’.
(b) TECHNICAL AND CONFORMING AMENDMENT.—
The table of sections for chapter 47 of title 18, United
States Code, is amended by inserting after the item relat-
Ing to section 1030 the following:
‘‘Sec. 1030A. Aggravated damage to a critical infrastructure computer.’’.
SEC. 105. PREPAREDNESS OF FEDERAL COURTS TO PRO-
MOTE CYBER SECURITY.
Not later than 180 days after the date of enactment
Of this Act, the Administrative Office of the United States
Courts shall submit to the Committee on the Judiciary
Of the House of Representatives and the Committee on
The Judiciary of the Senate a report providing an assess-
Ment of the vulnerability of the Federal courts’ computer
And network systems to cyber intrusion and attacks that
Includes recommendations on changes and improvements
To the Federal courts’ computer and network security sys-
Tems to address any deficiencies in computer and network
Security.
SEC. 106. AUTHORIZATION OF NATIONAL CYBER INVES-
TIGATIVE JOINT TASK FORCE.
The Attorney General is authorized to establish the
National Cyber Investigative Joint Task Force, which
Shall be charged with coordinating, integrating, and sharing information related to all domestic cyber threat inves-
Tigations.
TITLE II—DATA SECURITY AND
BREACH NOTIFICATION
SEC. 201. NOTIFICATION OF INFORMATION SECURITY
BREACH.
(a) IN GENERAL.—Except as otherwise provided in
This section, a covered entity shall notify its customers of
A security breach affecting such customers not later than
ø14¿ days after that security breach.
(b) ADDITIONAL NOTIFICATION REQUIREMENTS.—
(1) THIRD-PARTY ENTITIES.—In the event of a
Security breach of a system maintained by a third-
Party entity, such third-party entity shall notify such
Covered entity of the security breach.
(2) SERVICE PROVIDERS.—If a service provider
Becomes aware of a security breach involving data in
Electronic form containing personal information that
Is owned or possessed by a covered entity that con-
Nects to or uses a system or network provided by the
Service provider for the purpose of transmitting,
Routing, or providing intermediate or transient stor-
Age of such data, such service provider shall notify
The covered entity who initiated such connection,
Transmission, routing, or storage if such covered en-
Tity can be reasonably identified.
(3) COVERED ENTITY NOTIFICATION.—Upon
Receiving notification from a third-party entity or a
Service provider under this subsection, a covered en-
Tity shall provide notification as required under sub-
Section (a) or subsection (d).
(c) DELAY OF NOTIFICATION AUTHORIZED FOR LAW
ENFORCEMENT OR NATIONAL SECURITY PURPOSES.—
(1) LAW ENFORCEMENT.—If a Federal øor
State¿ law enforcement agency determines that the
Notification required under subsection (a) would im-
Pede a civil or criminal investigation, such notifica-
Tion shall be delayed upon the request of the law en-
Forcement agency for any period which the law en-
Forcement agency determines is reasonably nec-
Essary. A law enforcement agency may, by a subse-
Quent request, revoke such delay or extend the pe-
Riod set forth in the original request made under
This subparagraph by a subsequent request if further
Delay is necessary.
(2) NATIONAL SECURITY.—If a Federal na-
Tional security agency or homeland security agency
Determines that the notification required under this
Section would threaten national or homeland security, such notification may be delayed upon the writ-
Ten request of the national security agency or home-
Land security agency for any period which the na-
Tional security agency or homeland security agency
Determines is reasonably necessary. A Federal na-
Tional security agency or homeland security agency
May revoke such delay or extend the period set forth
In the original request made under this subpara-
Graph by a subsequent written request if further
Delay is necessary.
(d) MAJOR SECURITY BREACH; NOTICE TO LAW EN-
FORCEMENT.—A covered entity shall notify the United
States Secret Service or the Federal Bureau of Investiga-
Tion of the fact that a major security breach has occurred
Not later than ø72 hours¿ after such major security
Breach has occurred.
(e) CONTENT OF NOTIFICATION.—Regardless of the
Method by which notification is provided to an individual
Under subsection (a) with respect to a security breach,
Such notification, to the extent practicable, shall include—
(1) the date, estimated date, or estimated date
Range of the security breach;
(2) a description of the personal information
That was accessed and acquired, or reasonably be-
Lieved to have been accessed and acquired, by an unauthorized person as a part of the security breach;
And
(3) information that the individual can use to
Contact the covered entity to inquire about—
(A) the security breach; or
(B) the information the covered entity
Maintained about that individual.
(f) TREATMENT OF PERSONS GOVERNED BY OTHER
FEDERAL LAW.—A covered entity who is in compliance
With any other Federal law that requires such covered en-
Tity to provide notification to individuals following a secu-
Rity breach shall be deemed to be in compliance with this
Section.
SEC. 202. CIVIL REMEDIES.
(a) CIVIL ACTION.—The Attorney General may in a
Civil action obtain a civil penalty of not more than
$500,000 from any covered entity that engages in conduct
Constituting a violation.
(b) SPECIAL RULE FOR INTENTIONAL VIOLA-
TIONS.—If the violation of this title described in sub-
Section (a) is intentional, the maximum civil penalty is
$1,000,000.
(c) NO PRIVATE CAUSE OF ACTION.—Nothing in this
Title shall be construed to establish a private cause of ac-
Tion against a person for a violation of this title.
SEC. 203. DEFINITIONS.
In this title:
(1) SECURITY BREACH.—The term ‘‘security
Breach’’ means unauthorized access and acquisition
Of data in electronic form containing personal infor-
Mation.
(2) COVERED ENTITY.—
(A) IN GENERAL.—The term ‘‘covered en-
Tity’’ means a commercial entity that acquires,
Maintains, stores, or utilizes personal informa-
Tion.
(B) EXEMPTIONS.—The term ‘‘covered en-
Tity’’ does not include the following:
(i) Financial institutions subject to
Title V of the Gramm-Leach-Bliley Act (15
U.S.C. 6801 et seq.).
(ii) An entity covered by the regula-
Tions issued under section 264(c) of the
Health Insurance Portability and Account-
Ability Act of 1996 (Public Law 104–191)
To the extent that such entity is subject to
The requirements of such regulations with
Respect to protected health information.
(3) DATA IN ELECTRONIC FORM.—The term
‘‘data in electronic form’’ means any data stored
Electronically or digitally on any computer system or
Other database and includes recordable tapes and
Other mass storage devices.
(4) MAJOR SECURITY BREACH.—The term
‘‘major security breach’’ means any security breach
Involving—
(A) means of identification pertaining to
10,000 or more individuals is, or is reasonably
Believed to have been acquired;
(B) databases owned by the Federal Gov-
Ernment; or
(C) means of identification of Federal Gov-
Ernment employees or contractors involved in
National security matters or law enforcement.
(5) MEANS OF IDENTIFICATION.—The term
‘‘means of identification’’ has the meaning given
That term in section 1028 of title 18, United States
Code.
(6) PERSONAL INFORMATION.—
(A) IN GENERAL.—The term ‘‘personal in-
Formation’’ means an individual’s first name or
First initial and last name in combination with
Any one or more of the following data elements
For that individual:
(i) Social Security number.
(ii) Driver’s license number, passport
Number, military identification number, or
Other similar number issued on a govern-
Ment document used to verify identity.
(iii) Financial account number, or
Credit or debit card number, and any re-
Quired security code, access code, or pass-
Word that is necessary to permit access to
An individual’s financial account.
(B) EXEMPTIONS FROM PERSONAL INFOR-
MATION.—
(i) PUBLIC RECORD INFORMATION.—
Personal information does not include in-
Formation obtained about an individual
Which has been lawfully made publicly
Available by a Federal, State, or local gov-
Ernment entity or widely distributed by
Media.
(ii) ENCRYPTED, REDACTED, OR SE-
CURED DATA.—Personal information does
Not include information that is encrypted,
Redacted, or secured by any other method
Or technology that renders the data ele-
Ments unusable.
(7) SERVICE PROVIDER.—The term ‘‘service
Provider’’ means an entity that provides electronic
Data transmission, routing, intermediate, and tran-
Sient storage, or connections to its system or net-
Work, where such entity providing such services does
Not select or modify the content of the electronic
Data, is not the sender or the intended recipient of
The data, and does not differentiate personal infor-
Mation from other information that such entity
Transmits, routes, stores, or for which such entity
Provides connections. Any such entity shall be treat-
Ed as a service provider under this title only to the
Extent that it is engaged in the provision of such
Transmission, routing, intermediate and transient
Storage, or connections.
(8) THIRD-PARTY ENTITY.—The term ‘‘third-
Party entity’’ means an entity that has been con-
Tracted to maintain, store, or process data in elec-
Tronic form containing personal information on be-
Half of a covered entity who owns or possesses such
Data.
SEC. 204. EFFECT ON FEDERAL AND STATE LAW.
The provisions of this title shall supersede any provi-
Sion of the law of any State, or a political subdivision
Thereof, relating to notification by a covered entity of a
Security breach
Comments
