[Senate Report 112-91] [From the U.S. Government Publishing Office] Calendar No. 181 112th Congress Report SENATE 1st Session 112-91 ====================================================================== PERSONAL DATA PRIVACY AND SECURITY ACT OF 2011 _______ November 7, 2011.--Ordered to be printed _______ Mr. Leahy, from the Committee on the Judiciary, submitted the following R E P O R T together with ADDITIONAL AND MINORITY VIEWS [To accompany S. 1151] [Including cost estimate of the Congressional Budget Office] The Committee on the Judiciary, to which was referred the bill (S. 1151), to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information, having considered the same, reports favorably thereon, with an amendment, and recommends that the bill, as amended, do pass. CONTENTS Page I. Background and Purpose of the Personal Data Privacy and Security Act of 2011......................................................2 II. History of the Bill and Committee Consideration.................10 III. Section-by-Section Summary of the Bill..........................13 IV. Congressional Budget Office Cost Estimate.......................19 V. Regulatory Impact Evaluation....................................24 VI. Conclusion......................................................24 VII. Additional and Minority Views...................................25 VIII.Changes to Existing Law Made by the Bill, as Reported...........35 I. Background and Purpose of the Personal Data Privacy and Security Act of 2011 A. SUMMARY Advanced technologies, combined with the realities of the post- 9/11 digital era, have created strong incentives and opportunities for collecting and selling personal information about ordinary Americans. Today, private sector and governmental entities alike routinely traffic in billions of electronic personal records about Americans. Americans rely on this data to facilitate financial transactions, provide services, prevent fraud, screen employees, investigate crimes, and find loved ones. The Government also relies upon this information to enhance national security and to combat crime. The growing market for personal information has also become a treasure trove that is both valuable and vulnerable to identity thieves. As a result, the consequences of a data security breach can be quite serious. For Americans caught up in the endless cycle of watching their credit unravel, undoing the damage caused by security breaches and identity theft can become a time-consuming and lifelong endeavor. In addition, while identity theft is a major privacy concern for most Americans, the use and collection of personal data by Government agencies can have an even greater impact on Americans' privacy. The loss or theft of Government data can potentially expose ordinary citizens, Government employees, and members of the armed services alike to national security and personal security threats. Despite these well-known dangers, the Nation's privacy laws lag far behind the capabilities of technology and the cunning of identity thieves. The Personal Data Privacy and Security Act of 2011 is a comprehensive privacy bill that seeks to close this privacy gap by establishing meaningful national standards for providing notice of data security breaches, and by addressing the underlying problem of lax data security to make it less likely for data security breaches to occur in the first place. B. THE GROWING PROBLEM OF DATA SECURITY BREACHES AND IDENTITY THEFT Since the Personal Data Privacy and Security Act was first reported by the Judiciary Committee in November 2005, more than 535 million records containing sensitive personal information have been involved in data security breaches, according to the Privacy Rights Clearinghouse.\1\ For example, during the spring of 2011, Sony disclosed several major data breaches involving its PlayStation Network, Qriocity music and video service and Sony Online Entertainment service, exposing the sensitive personal information of more than 101 million users.\2\ In another high-profile data security breach, a computer hacker penetrated the databases of the online marketing firm Epsilon, compromising name and email address information about the customers of scores of major U.S. businesses, including Target, Citigroup, and Walgreen, and affecting the privacy of millions of U.S. consumers.\3\ --------------------------------------------------------------------------- \1\See ``Privacy Rights Clearinghouse Chronology of Data Breaches,'' available at http://www.privacyrights.org/. \2\``Sony Data Breach Tally Rises to 101 Million,'' eWeek.com, May 3, 2011. \3\``Fact box: U.S. data breach hits Target, Marriott customers,'' Reuters/MSNBC, April 4, 2011. --------------------------------------------------------------------------- In January 2009, Heartland Payment Systems, one of the Nation's leading processors of credit and debit card transactions, announced that its processing system records containing more than 130 million credit card accounts had been breached by hackers. In January 2007, mega-retailer TJX disclosed that it suffered a data breach affecting at least 45.7 million credit and debit cards.\4\ These data breaches follow many other major commercial data breaches, including breaches at ChoicePoint and LexisNexis. --------------------------------------------------------------------------- \4\``Breach of data at TJX is called the biggest ever, Stolen numbers put at 45.7 million,'' Boston Globe, March 29, 2007. --------------------------------------------------------------------------- Federal Government agencies, and even the Congress, have not been immune to data security breaches. In June 2011, computer hackers affiliated with the hacker group known as Lulz Security breached the United States Senate website.\5\ In February 2009, the Federal Aviation Administration revealed that computer hackers breached one of its servers and stole sensitive personal information concerning 45,000 current and former FAA employees.\6\ In June 2008, Walter Reed Medical Center reported that the personal information of 1,000 Military Health System beneficiaries may have been improperly disclosed through the unauthorized sharing of data.\7\ In May 2006, the Department of Veterans Affairs lost an unsecured laptop computer hard drive containing the health records and other sensitive personal information of approximately 26.5 million veterans and their spouses.\8\ And, in May, 2007, the Transportation Security Administration (TSA) reported that the personal and financial records of 100,000 TSA employees were lost after a computer hard drive was reported missing from the Agency's headquarters, exposing the Department of Homeland Security to potential national security risks.\9\ --------------------------------------------------------------------------- \5\``Hackers Break into Senate Computers,'' Reuters, June 14, 2011. \6\``FAA Breach Heightens Cybersecurity Concerns,'' Federal Computer Week, February 23, 2009. \7\``Walter Reed: Data Breach at Military Hospitals,'' The Associated Press, June 3, 2008. \8\See Testimony of the Honorable James Nicholson, Secretary of Veterans Affairs, before the House Committee on Government Reform, June 8, 2006. \9\See ``TSA seeks hard drive, personal data for 100,000,'' USA Today, May 5, 2007; see also, the Federal Times, ``Union Sues TSA over loss of data on employees,'' May 9, 2007. --------------------------------------------------------------------------- The steady wave of data security breaches in recent years is a window into a broader, more challenging trend. Insecure databases are now low-hanging fruit for hackers looking to steal identities and commit fraud. Lax data security is also a threat to American businesses. The President's report on Cyberspace Policy Review noted that industry estimates of losses from data theft of intellectual property in 2008 alone range as high as $1 trillion.\10\ Because data security breaches adversely affect many segments of the American community, a meaningful solution to this growing problem must carefully balance the interests and needs of consumers, business, and the Government. --------------------------------------------------------------------------- \10\``President's Report on Cyberspace Policy Review,'' May 29, 2009, at page 2. A recent report to Congress by the Office of the National Counterintelligence Executive also found that cyber-espionage conducted by, among others, China and Russia has resulted in the theft of tens of billions of dollars of trade secrets, technology and intellectual property from U.S. Government and private computer systems each year. See ``Foreign Spies Stealing U.S. Economic Secrets in Cyberspace, Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011,'' October, 2011. --------------------------------------------------------------------------- C. THE PERSONAL DATA PRIVACY AND SECURITY ACT OF 2011 The Personal Data Privacy and Security Act of 2011 takes several meaningful and important steps to balance the interests and needs of consumers, business, and the Government in order to better protect Americans sensitive personal data. This legislation is supported by a wide range of consumer, business, and government organizations. 1. Data security program The bill recognizes that, in the Information Age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the information that it uses and collects. The bill takes important steps to accomplish this goal by requiring that companies that have databases with sensitive personal information on more than 10,000 Americans establish and implement a data privacy and security program. There are exemptions to this requirement for companies already subject to and in compliance with data security requirements under the Gramm-Leach-Bliley (GLB) Act and the Health Information Portability and Accountability (HIPAA) Act. Section 202(a)(4)(C) directs companies to consider data minimization as part of their data security program planning process. Eliminating personal data that is no longer needed is a crucial and basic element of good data security practice. By contrast, retaining sensitive data that is no longer needed for a business purpose unnecessarily creates rich targets for data breaches and identity theft.\11\ --------------------------------------------------------------------------- \11\For example, one of the recent breaches suffered by Sony included the financial information of tens of thousands of individuals held on an ``outdated'' database that the company retained but no longer used. This practice put the outdated data at an even greater risk of breach, because little attention was given to the safekeeping of the data. --------------------------------------------------------------------------- In addition, in light of the largely passive role of certain service providers that provide electronic data transmission, routing, intermediate and transient storage, or connections services with respect to sensitive personally identifiable information, the bill assigns limited obligations to such businesses. In the bill, the term ``service provider'' is defined as a business entity that provides electronic data transmission, routing, intermediate and transient storage, or connections to its system or network for sensitive personally identifiable information on an undifferentiated basis from other information that such entity transmits, routes, or stores, or for which such entity provides connections. Section 201(b)(3) of the bill exempts such service providers from the data security program requirements in the bill, to the extent that the service provider is exclusively engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication. By ``exclusively,'' the Committee intends that a service provider is exempt only to the extent it is engaged in the activities of a service provider as defined by the bill. The Committee also recognizes that a service provider may also be engaged in activities that are covered by the bill and does not intend that that an entity would lose the service provider exemption for its purely service provider functions.\12\ --------------------------------------------------------------------------- \12\The Committee notes that with respect to section 202(d) of the bill, the ``providers of services'' under this provision are not the same entities as the ``service providers'' defined by the bill. The entities subject to this provision are persons or entities other than service providers, with whom a business entity contracts for services other than the services or functions of a service provider. This provision does not impose any obligation on service providers to enter into contracts or implement or maintain the requirements of section 201 or 202 or subtitle B. --------------------------------------------------------------------------- 2. Notice Second, because American consumers should know when they are at risk of identity theft or other harms because of a data security breach, the bill also requires that business entities and Federal agencies promptly notify affected individuals and law enforcement when a data security breach occurs. Armed with such knowledge, consumers can take steps to protect themselves, their families, and their personal and financial well-being. Additionally, law enforcement can also take the steps needed to mitigate or thwart a cyberattack. Notice to individuals must be provided within 60 days following discovery of the security breach, unless delayed by the Federal Trade Commission, or Federal law enforcement. The trigger for notice to individuals is ``significant risk of identity theft, economic loss or harm, or physical harm,'' and this trigger includes appropriate checks and balances to prevent over-notification and underreporting of data security breaches. In this regard, the bill recognizes that there are harms other than identity theft that can result from a data security breach, including harm from other financial crimes, stalking, and other criminal activity. Consequently, the bill adopts a trigger of ``significant risk of identity theft, economic loss or harm, or physical harm, rather than a weaker trigger of ``significant risk of identity theft,'' for the notice requirement for individuals in the legislation. There are exemptions to the notice requirements for individuals for national security and law enforcement reasons, as well as an exemption to this requirement for credit card companies that have effective fraud-prevention programs.\13\ The bill also includes a safe harbor exemption from the notice requirement if the business entity or agency that suffered the security breach concludes, after conducting a risk assessment, that no significant risk of identity theft, economic harm or loss, or physical harm exists and the FTC concurs with that determination. The bill contemplates that a reasonable delay of notice could include the time necessary for a victimized business or agency to conduct a risk assessment under Section 212(b). --------------------------------------------------------------------------- \13\Some have incorrectly argued that S. 1151 will result in over- notification of consumers and in a lack of clarity for business. To the contrary, the bill contains meaningful checks and balances, including the risk assessment and financial fraud prevention provisions in Section 212, to prevent over-notification and the underreporting of data security breaches. The risk assessment provision in Section 212 furthermore, provides businesses with an opportunity to fully evaluate data security breaches when they occur, to determine whether notice should be provided to consumers. In addition, the bill compliments and properly builds upon other Federal statutes governing data privacy and security to ensure clarity for business in this area. For example, to avoid conflicting obligations regarding the bill's data security program requirements, Section 201(c) specifically exempts financial institutions that are already subject to, and complying with, the data privacy and security requirements under GLB, as well as HIPAA-regulated entities. The bill also builds upon existing Federal laws and guidance, such as the data security protections established by the Office of the Comptroller of the Currency for financial institutions. --------------------------------------------------------------------------- In addition, to strengthen the tools available to law enforcement to investigate data security breaches, combat identity theft and protect cybersecurity, the bill also requires that business entities and Federal agencies notify a new Government office to be established by the Secretary of the Department of Homeland Security of certain major security breaches that are likely to affect law enforcement or national security. Such notice to law enforcement is to be provided within 10 days following discovery of the security breach and at least 72 hours before providing notice to individuals. The new Government office will be responsible for disseminating the information that it receives to the Secret Service, FBI and the Federal Trade Commission (FTC), and to other Federal enforcement agencies as warranted. This notice will provide law enforcement with a valuable head start in pursuing the perpetrators of cyber intrusions and identity theft. The bill also empowers the FTC, Secret Service and FBI to obtain additional information about the data breach from business entities and Federal agencies to determine whether notice of the breach should be given to consumers. This notice mechanism also gives businesses and agencies certainty as to their legal obligation to provide notice and prevents them from sending notices when they are unnecessary, which over time, could result in consumers ignoring such notices. The notice of breach provisions for electronic health records that Congress enacted in the American Reinvestment and Recovery Act (ARRA) apply to information that is accessed or disclosed from personal health records. The notice of breach provisions in this bill are not intended to preempt the notice requirements established by ARRA. The bill also recognizes the benefits of separating the notice obligations of owners of sensitive personally identifiable information and third parties who use and manage sensitive personally identifiable information on the owner's behalf. The bill imposes an obligation on third parties that suffer a data security breach to notify the owners or licensees of the sensitive personally identifiable information, who would, in turn, notify consumers. If the owner or licensee of the data gives notice of the breach to the consumer, then the breached third party does not have to give notice. The bill also states that it does not abrogate any agreement between a breached entity and a data owner or licensee to provide the required notice in the event of a breach. Separating the notice obligations between data owners and licensees, and third parties, will encourage data owners and licensees to address the notice obligation in agreements with third parties and will help to ensure that consumers will receive timely notice from the entity with which they have a direct relationship. However, this notice can only be effective if the entity that suffers the breach, and any other third parties, provide to the entity who will give the notice complete and timely information about the nature and scope of the breach and the identity of the entity breached. As discussed above, the bill assigns limited obligations to service providers when solely engaging in certain conduct involving the transmission, routing, intermediate and transient storage, or when connecting to a system or network. A service provider's breach notification obligations under subtitle B of title II are exclusively set out in Section 211(b)(4) of the bill, which provides that if a service provider becomes aware of a security breach of data in electronic form containing sensitive personal information that is owned or possessed by another business entity that connects to or uses the service provider's system or network for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider is only required to notify the business entity who initiated the connection, transmission, routing, or storage. Such notice is required only in those cases where such business entity reasonably can be identified. 3. Enforcement Third, the legislation also establishes tough, but fair, enforcement provisions to punish those who fail to notify consumers of a data security breach, or to maintain a data security program. The bill makes it a crime for any individual, with knowledge of the obligation to provide notice of a security breach, to intentionally and willfully conceal the breach that subsequently causes economic harm to consumers. Violators of this provision are subject to a criminal fine under title 18, or imprisonment of up to five years, or both. This provision is no more onerous than criminal provisions for other types of fraudulent conduct that cause similar harm to individuals. The bill also contains strong but fair civil enforcement provisions. The bill authorizes the Secret Service, FBI and the FTC to investigate data security breaches and to provide guidance to companies that have been the victim of a data security breach on their notice obligations under the bill. The bill also authorizes the FTC to bring a civil enforcement action for violations of the data security program requirements in the bill and to recover a civil penalty of not more than $5,000 per violation, per day and a maximum penalty of $500,000 per violation. Double penalties may be recovered for intentional and willful violations of these requirements. The bill provides that the determination about the amount of the civil penalty is to be made by the court. The bill also allows State Attorneys General to bring civil actions to recover these civil penalties in United States District Court. However if the FTC initiates a civil action to recover penalties, the bill also prohibits State Attorneys General from commencing another civil action against the same defendant, based on the same or related violations. In addition, the bill contains strong, but fair civil enforcement provisions for the requirements to provide notice of a security breach. The bill authorizes the FTC and the Attorney General of the United States to bring a civil enforcement action to recover a civil penalty of up to $11,000 per day per security breach and a maximum penalty of $1,000,000 for violation of the security breach notice requirements. Double penalties may be recovered for intentional and willful violations. The bill provides that the determination about the amount of the civil penalty is to be made by the court. The bill also allows State Attorneys General to bring civil actions to recover these civil penalties in United States District Court. However, if the Attorney General or the FTC initiates a civil action to recover penalties, the bill prohibits State Attorneys General from commencing another civil action against the same defendant, based on the same or related violations. It is not uncommon for Congress to authorize both Federal and State regulators to enforce Federal consumer protection laws. In fact, Federal antitrust laws, the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003), and the Communications Act of 1934 also authorize State Attorneys General to seek damages or to enjoin further Federal law violations. The State enforcement provisions in this bill are modeled after those laws. 4. Preemption The legislation also carefully balances the need for Federal uniformity in certain data privacy laws and the important role of States as leaders on privacy issues. Section 204 of the bill (relation to other laws) preempts State laws with respect to requirements for administrative, technical, and physical safeguards for the protection of sensitive personally identifying information. These requirements are the same requirements set forth in Section 202 of the bill. Section 204(b) of the bill also makes clear that the data security requirements in the bill do not preempt the Gramm-Leach-Bliley Act or that law's implementing regulations, including those regulations adopted or enforced by States. Section 219 of the bill (effect on Federal and State laws) also preempts State laws on breach notification for entities that are subject to the bill. The Committee intends for this provision to preempt State data breach laws only with respect to the business entities and Federal agencies covered by the bill. However, in recognition of the important role that the States have played in developing breach notification, the bill carves out an exception to preemption for State laws regarding providing consumers with information about victim protection assistance that is provided for by the State. In addition, Section 219 of the bill provides that the notice requirements in the bill supersede ``any provision of law of any State relating to notification of a security breach, except as provided in Section 214(b) of the bill.'' The bill's subtitle on security breach notification applies to ``any agency, or business entity engaged in interstate commerce,'' and the term ``agency'' is defined in the bill by referencing section 551 of title 5, United States Code, which pertains to Federal Governmental entities. As a result, the security breach notification requirements in the bill have no application to State and local governmental entities, and the Committee does not intend for this provision to preempt or displace State laws that address obligations of State and local governmental entities to provide notice of a security breach. Gramm-Leach-Bliley Act-covered and Health Insurance Portability and Accountability Act-covered entities are not subject to the bill. Consequently, the preemption provisions in the bill similarly do not apply to those entities. It is possible, however, that other Federal laws that govern these entities could preempt State law. 5. Criminal provisions Developing a comprehensive strategy for cybersecurity that includes a response to cybercrime remains a pressing challenge. For this reason, the bill includes, among other things, several cybercrime provisions that update the Computer Fraud and Abuse Act, so that this law remains a viable tool for law enforcement to respond to emerging cyber threats. First, the bill creates a new criminal offense for causing damage to a critical infrastructure computer that manages or controls national defense, national security, transportation, public health and safety, or other critical infrastructure systems. This new offense includes a three-year mandatory minimum sentence. The mandatory minimum sentence drew bipartisan opposition from several Judiciary Committee members during the Committee's consideration of the provision. In particular, Chairman Leahy expressed concern that the mandatory minimum sentence would lead to unfair sentencing results, while not adding any deterrence value.\14\ --------------------------------------------------------------------------- \14\Full Committee Markup of the Personal Data Privacy and Security Act of 2011, S. 1151, 112th Cong. (2011) [hereinafter Markup] (statement of Sen. Patrick Leahy, Chairman, S. Comm. on the Judiciary). --------------------------------------------------------------------------- Second, the bill amends title 18, United States Code, section 1961(1) to add violations of the Computer Fraud and Abuse Act to the definition of racketeering activity. This update to the law will make it easier for the Government to prosecute certain organized criminal groups that engage in computer network attacks. Third, Section 102 of the bill also makes it a crime for a person who knows of a security breach which requires notice to individuals under the bill, and who is under obligation to provide such notice, to intentionally and willfully conceal the fact of, or information related to, that security breach. Punishment is either a fine under title 18, or imprisonment of up to 5 years, or both. Fourth, the bill contains several other amendments to the Computer Fraud and Abuse Act. Section 103 amends title 18, United States Code, section 1030(c), to streamline and enhance the penalty structure under section 1030. Section 104 expands the scope of the offense for trafficking in passwords under section 1030(a)(6) to include passwords used to access a protected Government or non-government computer. Section 105 amends section 1030(b) to clarify that both conspiracy and attempt to commit a computer hacking offense are subject to the same penalties as completed, substantive offenses. Section 106 amends 1030(i) and (j) to clarify the criminal forfeiture provision in section 1030 and to create a civil forfeiture provision to provide the procedures governing civil forfeiture. To address civil liberties concerns about the scope of the Computer Fraud and Abuse Act, the bill amends the Computer Fraud and Abuse Act to exclude from criminal liability conduct that exclusively involves a violation of a contractual obligation or agreement, such as an acceptable use policy, or terms of service agreement. In particular, the definition for ``exceeds authorization'' in the statute is amended by the bill to exclude conduct solely involving a violation of a contractual agreement. The purpose of this amendment is to make clear that Congress does not intend for the Department of Justice to pursue criminal prosecutions under that statue for conduct solely involving a violation of a terms of use agreement or contractual agreement involving a private, non- government computer. The Committee does not, however, intend to prohibit the Department of Justice from using evidence of such contractual violations to support a charge under 1030, when coupled with other evidence. During the Judiciary Committee hearing, several Members of the Committee, including the Chairman, raised concerns about the Justice Department's decision to bring criminal charges in United States v. Lori Drew, which involved a Computer Fraud and Abuse Act charge based solely upon a violation of a MySpace terms of service agreement.\15\ In his testimony before the Committee, Associate Deputy Attorney General James Baker responded to concerns about the Drew prosecution by noting that the case was an anomaly. Specifically, Mr. Baker noted that if Congress responded to the Drew case by ``restricting the statute [by prohibiting claims bases solely upon a violation of terms of use or contractual agreements] . . . [that] would make it difficult or impossible to deter and address serious insider threats through prosecution.'' In addition, Mr. Baker cautioned against treating violations of contractual agreements in cyberspace any differently from violations of such agreements in other context. For example, he noted the fact that law enforcement can prosecute an employee who acts in violation of an office policy. Mr. Baker conceded that the Department of Justice would not appeal the court's decision to overturn the conviction in the Drew case. --------------------------------------------------------------------------- \15\In the Drew case, Ms. Drew was alleged to have violated a MySpace terms of service agreement by creating a false user identity, which she used to bully a teenager. The teenager later committed suicide. A jury found Ms. Drew guilty of a misdemeanor violation of the Computer Fraud and Abuse Act, because she exceeded the authorization to use MySpace. A Federal judge subsequently overturned the jury's misdemeanor conviction. United States v. Lori Drew, No CR 08-0582-GW (C.D. Cal. Aug. 28, 2009). In doing so, the court concluded that permitting a violation of a website's terms of service to constitute an intentional access of a computer without authorization or exceeding authorization under the Computer Fraud and Abuse Act would ``result in transforming section 1030(a)(2)(C) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals.'' Id. at 29. The Justice Department did not appeal the decision. --------------------------------------------------------------------------- Finally, to further address this issue, Section 107 of the bill amends section 1030(g) to preclude civil claims based exclusively on conduct that involves a violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement. Section 108 also adds a new reporting requirement to section 1030 that requires that the Attorney General annually report to Congress on the number of criminal cases brought under section 1030(a) in which the sole basis for the Government determining that access to the non-governmental computer was unauthorized, or in excess of authorization, was that the defendant violated a contractual obligation or agreement. II. History of the Bill and Committee Consideration A. INTRODUCTION OF THE BILL Chairman Leahy introduced the Personal Data Privacy and Security Act of 2011 on June 7, 2011. This privacy bill is cosponsored by Senators Schumer, Cardin, Franken and Blumenthal. This legislation is very similar to the Personal Data Privacy and Security Act of 2009, S. 1490, which Senator Leahy introduced on July 22, 2009, the Personal Data Privacy and Security Act of 2007, S. 495, which Senators Leahy and Specter introduced on July 6, 2007, and to the Personal Data Privacy and Security Act of 2005, S. 1789, which Senators Leahy and Specter introduced on September 29, 2005. The Judiciary Committee favorably reported S. 1490 by a bipartisan vote of 14 Yeas and 5 Nays on November 5, 2009; S. 495 on May 3, 2007, by voice vote and S. 1789 on November 17, 2005, by a bipartisan vote of 13 to 5. The Committee has held two hearings related to S. 1151. On June 21, 2011, the Judiciary Committee's Subcommittee on Crime and Terrorism held a hearing entitled, ``Cybersecurity: Evaluating the Administration's Proposals.'' This hearing examined the data breach and cybercrime proposals contained in the Obama administration's legislative package on cybersecurity. The following witnesses testified at this hearing: The Honorable Jim Langevin (D-RI), Member, United States House of Representatives; James A. Baker, Associate Deputy Attorney General, U.S. Department of Justice; Greg Schaffer, Acting Deputy Under Secretary, National Protection and Programs Directorate, Department of Homeland Security; and Ari Schwartz, Senior Internet Policy Advisor, National Institute of Standards and Technology (NIST), U.S. Department of Commerce. On September, 7, 2011, the Judiciary Committee held a hearing entitled, ``Cybercrime: Updating the Computer Fraud and Abuse Act to Protect Cyberspace and Combat Emerging Threats.'' This hearing examined the cybercrime proposals contained in the Obama administration's cybersecurity proposal, including the criminal proposals contained in S. 1151. The following witnesses testified at this hearing: James A. Baker, Esq., Associate Deputy Attorney General, U.S. Department of Justice and Pablo A. Martinez, Deputy Special Agent in Charge, Criminal Investigative Division, and United States Secret Service. B. COMMITTEE CONSIDERATION On September 7, 2011, S. 1151 was placed on the Judiciary Committee's agenda. The Committee considered this legislation on September 15 and 22, 2011. During the Committee's consideration of S. 1151, six amendments to the bill were offered and five amendments were adopted by the Committee: First, the Committee adopted, without objection, a complete substitute bill for S. 1151 (ALB11637), which Chairman Leahy offered. The substitute bill made several changes to the bill, including (1) striking the data broker and Government use titles in the bill; (2) adding a new criminal provision making it a felony to intentionally damage a critical infrastructure computer; (3) adding a knowledge requirement and economic harm requirement in the amount of at least $1,000 to the criminal provision on concealment of a security breach; (4) clarifying that the definition of security breach excludes public records and information obtained from public records; (5) modifying the trigger for breach notice to ``substantial risk of identity theft, economic loss or harm, or physical harm''; (6) clarifying that enforcement actions brought by State Attorneys General may only be brought in U.S. District Court; and (7) making technical corrections to the bill. Second, the Committee adopted, without objection, a manager's amendment (ALB11713) to S. 1151 which Chairman Leahy also offered. The manager's amendment made several changes to the bill, including: (1) adopting an amendment filed by Senator Grassley (HEN11631) to strike language authorizing the Federal Trade Commission to modify the definition for sensitive personally identifiable information in the bill through rulemaking; (2) making several technical changes to Section 202(d) regarding service providers; (3) adding limitation on liability language; (4) amending the State Attorney General Enforcement provisions in Section 203 to clarify that if a Federal civil or criminal action has been filed, a State cannot bring another action for the same violation; (5) striking the technical requirements for the risk assessment; (6) amending Sections 217 and 218 to clarify that civil penalties are calculated per security breach, per day and adding limitation on liability language; (7) amending the State Attorney General Enforcement provisions in Section 218 to clarify that if a Federal civil or criminal action has been filed, a State cannot bring another action for the same violation; and (8) clarifying the preemption provision in Section 219, so that the bill does not preempt the Gramm- Leach-Bliley Act, or the Health Insurance Portability and Accountability Act; (9) clarifying that the preemption provision governing State data breach laws applies only to the entities subject to the bill; (10) clarifying the GLB carve-outs for the data security program and data breach provisions in Sections 201 and 211; and (11) making other technical changes to the bill. Third, the Committee adopted by voice vote an amendment offered by Senator Grassley (JEN11A19) to amend the definition of ``exceeds authorized access'' in title 18, United States Code, section 1030, to exclude conduct that only involves violating a terms of use agreement, or other contractual agreement governing the use of a non-government computer. Fourth, when the Committee resumed consideration of the bill on September 22, 2011, Senator Grassley offered an amendment (ALB11652) to add a mandatory minimum sentence to the damage of critical infrastructure computers offense in Section 109 of the bill. The amendment was accepted on a roll call vote. The vote record is as follows: Tally: 11 Yeas, 7 Nays Yeas (11): Feinstein (D-CA), Schumer (D-NY), Whitehouse (D-RI), Klobuchar (D-MN), Grassley (R-IA), Hatch (R-UT), Kyl (R-AZ), Sessions (D-AL), Graham (R-SC), Cornyn (R-TX), and Coburn (R-OK). Nays (7): Leahy (D-VT), Kohl (D-WI), Durbin (D-IL), Franken (D- MN), Coons (D-DE), Blumenthal (D-CT), and Lee (R-UT). Fifth, the Committee adopted by voice vote a second degree amendment offered by Senator Franken (HEN11688) to Senator Grassley's amendment (HEN11637) that added a data minimization requirement to the data security program requirements in the bill. Sixth, the Committee rejected by voice vote an amendment offered by Senator Grassley (HEN11637) that would have struck the data security program requirements in the bill. Seventh, Senator Grassley offered an amendment (ALB11646) to prohibit State Attorneys General from retaining private counsel on a contingency fee basis to enforce the civil enforcement provisions in the bill. The amendment was rejected on a roll call vote. The vote record is as follows: Tally: 7 Yeas, 11 Nays Yeas (7): Feinstein (D-CA), Grassley (R-IA), Hatch (R-UT), Kyl (R-AZ), Sessions (D-AL), Cornyn (R-TX), and Lee (R-UT). Nays (11): Leahy (D-VT), Kohl (D-WI), Schumer (D-NY), Durbin (D-IL), Whitehouse (D-RI), Klobuchar (D-MN), Franken (D-MN), Coons (D-DE), Blumenthal (D-CT), Graham (R-SC), and Coburn (R-OK). The Committee then voted to report the Personal Data Privacy and Security Act of 2011, as amended, favorably to the Senate. The Committee proceeded by roll call vote as follows: Tally: 10 Yeas, 8 Nays Yeas (10): Leahy (D-VT), Kohl (D-WI), Feinstein (D-CA), Schumer (D-NY), Durbin (D-IL), Whitehouse (D-RI), Klobuchar (D- MN), Franken (D-MN), Coons (D-DE), and Blumenthal (D- CT). Nays (8): Grassley (R-IA), Hatch (R-UT), Kyl (R-AZ), Sessions (R-AL), Graham (R-SC), Cornyn (R-TX), Lee (R-UT), and Coburn (R-OK). III. Section-by-Section Summary of the Bill Section 1--Short title This section provides that the legislation may be cited as the ``Personal Data Privacy and Security Act of 2011.'' Section 2--Findings Section 2 provides Congressional findings on the threats posed by data security breaches and cybercrime. Section 3--Definitions Section 3 contains the definitions used in the bill. TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY Section 101--Organized criminal activity in connection with unauthorized access to personally identifiable information Section 101 amends 18 U.S.C. Sec. 1961(1) to add violations of the Computer Fraud and Abuse Act to the definition of racketeering activity. This change would increase certain penalties, and make it easier for the Government to prosecute certain organized criminal groups who engage in computer network attacks. Section 102--Concealment of security breaches involving personally identifiable information Section 102 makes it a crime for a person who knows of a security breach which requires notice to individuals under Title II of this Act, and who is under obligation to provide such notice, to intentionally and willfully conceal the fact of, or information related to, that security breach. Punishment is either a fine under Title 18, or imprisonment of up to 5 years, or both. Section 103--Penalties for fraud and related activity in connection with computers Section 103 amends title 18, United States Code, section 1030(c) to streamline and enhance the penalty structure under section 1030. Section 104--Trafficking in passwords Section 104 expands the scope of the offense for trafficking in passwords under title 18, United States Code, section 1030(a)(6) to include passwords used to access a protected government or non-government computer, and to include any other means of unauthorized access to a government computer. Section 105--Conspiracy and attempted computer fraud offenses Section 105 amends title 18, United States Code, section 1030(b) to clarify that both conspiracy and attempt to commit a computer hacking offense are subject to the same penalties as completed, substantive offenses. Section 106--Criminal and civil forfeiture for fraud and related activity in connection with computers Section 106 amends title 18, United States Code, sections 1030(i) and (j) to clarify the criminal forfeiture provision in section 1030 and to create a civil forfeiture provision to provide the procedures governing civil forfeiture, to clarify that the proceeds that may be forfeited under section 1030 are gross proceeds, as opposed to net proceeds, and to allow for the forfeiture of real property used to facilitate section 1030 offenses. Section 107--Limitations on civil actions Section 107 amends title 18, United States Code, section 1030(g) to preclude civil claims based exclusively on conduct that involves a violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement. The purpose of the amendment is to prevent civil claims based on innocuous conduct. Section 108--Reporting of certain criminal cases Section 108 adds a new reporting requirement to section 1030, requiring that the Attorney General annually report to Congress on the number of criminal cases brought under section 1030(a) in which the defendant either exceeded authorized access to a non-governmental computer, or accessed a non- governmental computer without authorization, and in which the sole basis for the Government determining that access to the non-governmental computer was unauthorized, or in excess of authorization, was that the defendant violated a contractual obligation or agreement with a service provider or employer. The purpose of the provision is to address concerns that the Government could bring criminal cases under section 1030 for relatively innocuous conduct, such as violating a terms of use agreement. Section 109--Damage to critical infrastructure computers Section 109 adds a new criminal provision to tile 18 specifically making it a felony to damage a computer that manages or controls national defense, national security, transportation, public health and safety, or other critical infrastructure systems or information. Violations are subject to a fine and/or imprisonment of at least three years and up to 20 years. TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION SUBTITLE A--A DATA PRIVACY AND SECURITY PROGRAM Section 201--Purpose and applicability of data privacy and security program Section 201 addresses the data privacy and security requirements of Section 202 for business entities that compile, access, use, process, license, distribute, analyze or evaluate personally identifiable information in electronic or digital form on 10,000 or more U.S. persons. Section 201 exempts from the data privacy and security requirements of Section 202 businesses already subject to, and complying with, similar data privacy and security requirements under GLB and implementing regulations, as well as examination for compliance by Federal functional regulators as defined in GLB, and HIPPA regulated entities. Section 202--Requirements for a data privacy and security program Section 202 requires covered business entities to create a data privacy and security program to protect and secure sensitive data. The requirements for the data security program are modeled after those established by the Office of the Comptroller of the Currency for financial institutions in its Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. Sec. 30.6 Appendix B (2005). A data privacy and security program must be designed to ensure security and confidentiality of personal records, protect against anticipated threats and hazards to the security and integrity of personal electronic records, protect against unauthorized access and use of personal records, and ensure proper back-up storage and disposal of personally identifiable information. In addition, Section 202 requires a covered business entity to: (1) regularly assess, manage and control risks to improve its data privacy and security program; (2) provide employee training to implement its data privacy and security program; (3) conduct tests to identify system vulnerabilities; (4) ensure that overseas service providers retained to handle personally identifiable information, but which are not covered by the provisions of this Act, take reasonable steps to secure that data; and (5) periodically assess its data privacy and security program to ensure that the program addresses current threats. Section 202 also requires that the data security program include measures that allow the data broker (1) to track who has access to sensitive personally identifiable information maintained by the data broker and (2) to ensure that third parties or customers who are authorized to access this information have a valid legal reason for accessing or acquiring the information. Section 203--Enforcement Section 203 gives the Federal Trade Commission the right to bring an enforcement action for violations of Sections 201 and 202 in Subtitle A. Business entities that violate sections 201 and 202 are subject to a civil penalty of not more than $5,000 per violation, per day and a maximum penalty of $500,000 per violation. Intentional and willful violations of these sections are subject to an additional civil penalty of $5,000 per violation, per day and an additional maximum penalty of $500,000 per violation. This section also grants States the right to bring civil actions on behalf of their residents in U.S. district courts, and requires States to give advance notice of such court proceedings to the FTC, where practicable. There is no private right of action under this subtitle. Section 204--Relation to other laws Section 204 preempts State laws relating to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information. The requirements referred to in this Section are the same requirements set forth in Section 202. SUBTITLE B--SECURITY BREACH NOTIFICATION Section 211--Notice to individuals Section 211 requires that a business entity or Federal agency give notice to an individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, compromised, following the discovery of a data security breach. The notice required under Section 211 must be made without unreasonable delay and no more than 60 days after the discovery of the breach, unless extended by the Federal Trade Commission. Section 211(b) requires that a business entity or Federal agency that does not own or license the information compromised as a result of a data security breach notify the owner or licensee of the data. The owner or licensee of the data would then provide the notice to individuals as required under this Section. However, agreements between owners, licensees and third parties regarding the obligation to provide notice under Section 211 are preserved. In addition, Section 211(b) provides that service providers who only transmit or route electronic data that is subject to a security breach must notify the owner of the data of the security breach. The owner of the data has the obligation to notify the individuals whose data was breached. Section 212(d) allows the Secret Service or FBI to delay the notice required under Section 211, if notice would impede a criminal investigation, or harm national security. The delay period is for 30 days, unless extended by law enforcement. Section 212--Exemptions Section 212 provides for certain exemptions to the notice requirements under Section 211, for national security and law enforcement purposes, a safe harbor, and financial fraud programs. Section 212(a) allows the Secret Service, or Federal Bureau of Investigation to prevent notice if the providing of such notice would reveal sensitive sources and methods, impede a criminal investigation, or damage national security. Section 212(b) exempts a business entity or Federal agency from providing notice, if the business or Federal agency conducts a risk assessment and determines that there is no significant risk that the security breach will result in harm or fraud to the individuals whose sensitive personally identifiable information has been compromised. The business entity or Federal agency must notify the Federal Trade Commission of the results of the risk assessment within 45 days of the security breach and if the Federal Trade Commission concurs with the determination, notice is not required. Under Section 212(b) a rebuttable presumption exists that the use of encryption technology, or other technologies that render the sensitive personally identifiable information indecipherable means that there is no significant risk of harm, or fraud. The provision also provides certain requirements for the risk assessment and states that a failure to satisfy these requirements, or submitting a risk assessment with false information, constitutes a violation of the provision. Section 212(c) also provides a financial fraud prevention exemption from the notice requirement, if a business entity has a program to block the fraudulent use of information--such as credit card numbers--to avoid fraudulent transactions. Debit cards and other financial instruments are not covered by this exemption. Section 213--Methods of notice Section 213 provides that notice to individuals may be given in writing to the individuals' last known address, by telephone or via email notice, if the individual has consented to email notice. Media notice is also required if the number of residents in a particular State whose information was, or is reasonably believed to have been compromised exceeds 5,000 individuals. Section 214--Content of notification Section 214 requires that the notice detail the nature of the personally identifiable information that has been compromised by the data security beach, a toll free number to contact the business entity or Federal agency that suffered the breach, and the toll free numbers and addresses of major credit reporting agencies. Section 214 also preserves the right of States to require that additional information about victim protection assistance be included in the notice. Section 215--Coordination of notification with credit reporting agencies Section 215 requires that, for situations where notice of a data security breach is required for 5,000 or more individuals, a business entity or Federal agency must also provide advance notice of the breach to consumer reporting agencies. Section 216--Notice to law enforcement Section 216 requires that the Secretary of Homeland Security designate a Federal Government entity to receive all of the notices (law enforcement, risk assessment and national security) required under Sections 212 and 216 within 60 days of the enactment of the Act. The Section further requires that business entities and Federal agencies notify this Federal entity of the fact that a security breach has occurred as promptly as possible, but at least 72 hours before notice is given to individuals and no less than 10 days after discovery of the security breach, if the data security breach involves: (1) more than 5,000 individuals; (2) a database that contains information about more than 500,000 individuals; (3) a Federal Government database; or (4) individuals known to be Federal Government employees or contractors involved in national security or law enforcement. The entity designated by the Secretary of Homeland Security is responsible for promptly notifying Federal law enforcement agencies, including the Secret Service, FBI and FTC, of the data security breach. The FTC, in consultation with the Attorney General and Secretary of Homeland Security, shall promulgate regulations to clarify the reporting required by this section and to adjust the thresholds. Section 217--Enforcement Section 217 provides that the Attorney General and Federal Trade Commission may bring a civil action to recover penalties for violations of the notification requirements in Subtitle B. Violators are subject to a civil penalty of up to $11,000 per day, per security breach. There is a maximum penalty cap of $1 million per security breach. Intentional or willful conduct is subject to an additional penalty of up to $11,000 per day, per security breach, with a maximum penalty of an additional $1 million. The provision also requires that the Department of Justice and FTC coordinate enforcement of this provision and also coordinate with other Federal enforcement agencies as warranted. Section 218--Enforcement by State Attorneys General Section 218 allows State Attorneys General to bring a civil action in U.S. district court to enforce Subtitle B. The Attorney General may stay, or intervene in, any State action. Section 219--Effect on Federal and State law Section 219 preempts State laws on breach notification, with the exception of State laws regarding providing consumers with information about victim protection assistance that is available to consumers in a particular State. Because the breach notification requirements in the bill do not apply to State and local government entities, this provision does not preempt State or local laws regarding the obligations of State and local government entities to provide notice of a data security breach. Section 220--Reporting on risk assessment exemptions Section 220 requires that, no later than 18 months after enactment, the Federal Trade Commission report to Congress on the number and nature of data security breach notices invoking the risk assessment exemption and that the Secret Service and FBI report to Congress on the number and nature of data security breaches subject to the national security and law enforcement exemptions. Section 221--Effective date Subtitle B takes effect 90 days after the date of enactment of the Personal Data Privacy and Security Act. TITLE III--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT Section 301--Budget compliance Section 301 contains the language required to comply with the Pay-As-You-Go Act. IV. Congressional Budget Office Cost Estimate The Committee sets forth, with respect to the bill, S. 1151, the following estimate and comparison prepared by the Director of the Congressional Budget Office under section 402 of the Congressional Budget Act of 1974: October 27, 2011. Hon. Patrick J. Leahy, Chairman, Committee on the Judiciary, U.S. Senate, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 1151, the Personal Data Privacy and Security Act of 2011. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contacts are Matthew Pickford (for federal costs), and Marin Randall (for the impact on the private sector). Sincerely, Douglas W. Elmendorf. Enclosure. S. 1151--Personal Data Privacy and Security Act of 2011 Summary: S. 1151 would establish new federal crimes relating to unauthorized access to sensitive personal information. The bill also would require most federal agencies and businesses that collect, transmit, store, or use such personal information to establish a data privacy and security program and to notify any individuals whose information has been unlawfully accessed. Assuming appropriation of the necessary amounts, CBO estimates that implementing S. 1151 would cost $14 million over the 2012-2016 period. Enacting S. 1151 could increase civil and criminal penalties and could affect direct spending by agencies not funded through annual appropriations; therefore, pay-as- you-go procedures apply. CBO estimates, however, that any changes to revenues and net direct spending would be negligible. S. 1151 contains intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA), but CBO estimates that the cost of complying with the requirements would be small and would not exceed the threshold established in UMRA ($71 million in 2011, adjusted annually for inflation). S. 1151 also would impose several private-sector mandates. Much of the private sector already complies with many of the bill's requirements. However, a large number of entities in the private sector would need to implement new or enhanced security standards if the bill is enacted. Consequently, CBO estimates that the aggregate direct cost of the mandates in the bill would probably exceed the annual threshold established in UMRA for private-sector mandates ($142 million in 2011, adjusted annually for inflation) in at least one of the first five years the mandates are in effect. Estimated cost to the Federal Government: The estimated budgetary impact of S. 1151 is shown in the following table. The costs of this legislation fall within budget functions 050 (national defense), 370 (commerce and housing credit), 750 (administration of justice), 800 (general government), and other budget functions that contain salaries and expenses. ---------------------------------------------------------------------------------------------------------------- By fiscal year, in millions of dollars-- ------------------------------------------------------- 2012 2013 2014 2015 2016 2012-2016 ---------------------------------------------------------------------------------------------------------------- CHANGES IN SPENDING SUBJECT TO APPROPRIATION Estimated Authorization Level........................... 3 3 3 3 3 15 Estimated Outlays....................................... 2 3 3 3 3 14 ---------------------------------------------------------------------------------------------------------------- Basis of estimate: For this estimate, CBO assumes that the bill will be enacted early in 2012, that the necessary amounts will be provided each year, and that spending will follow historical patterns for similar programs. Spending subject to appropriation Most of the provisions of the bill would codify the current practices of the federal government regarding data security and procedures for notifying individuals whose personal information may have been disclosed. In general, a data breach occurs when sensitive, protected, or confidential information is copied, transmitted, viewed, or stolen by someone not authorized to do so. The federal government is one of the largest providers, collectors, consumers, and disseminators of personal information in the United States. Although CBO cannot anticipate the number or extent of breaches, a significant breach of security involving a major collector of personal information, such as the Internal Revenue Service or the Social Security Administration, could involve millions of individuals and result in significant costs to notify those individuals of such a breach. Existing laws generally do not require federal agencies to notify affected individuals of such security breaches; however, agencies that have experienced security breaches have generally provided such notification. Therefore, CBO expects that codifying this practice would probably not lead to a significant increase in spending. The legislation also would require a business entity or federal agency--under certain circumstances--to notify the Department of Homeland Security that a security breach has occurred but would permit entities or agencies to apply to the federal government for a delay or exemption from the requirements if the personal data were encrypted or similarly protected or if notification would threaten national security. Other provisions of the bill would require the Federal Trade Commission (FTC) to develop and enforce regulations to implement the bill's new requirements for data security programs and policies. Finally, S. 1151 would require federal agencies to provide several reports to the Congress, which would include the number and type of data breaches. Based on information from the Department of Homeland Security, the Federal Bureau of Investigation, the FTC, and other agencies with a significant information technology presence, CBO estimates that additional investigative and administrative work under the bill would cost about $3 million annually, subject to the availability of appropriated funds. Direct spending and revenues S. 1151 would establish new federal crimes relating to unauthorized access to sensitive personal information. Enacting the bill could increase collections of civil and criminal fines for violations of the bill's provisions. CBO estimates that any additional collections would not be significant because of the relatively small number of additional cases likely to result. Civil fines are recorded as revenues. Criminal fines are recorded as revenues, deposited in the Crime Victims Fund, and subsequently spent without further appropriation. Pay-As-You-Go considerations: The Statutory Pay-As-You-Go Act of 2010 establishes budget-reporting and enforcement procedures for legislation affecting direct spending or revenues. CBO estimates that enacting S. 1151 would have a negligible effect on direct spending and revenues. Estimated impact on state, local, and tribal governments: S. 1151 contains intergovernmental mandates as defined in UMRA because it would explicitly preempt laws in at least 46 States regarding the treatment of personal information and impose notification requirements and limitations on State Attorneys General. Because the limits on State authority would impose no duties with costs and because the notification requirements would result in minimal additional spending, CBO estimates that the costs of the mandates would be small and would not exceed the threshold established in UMRA for intergovernmental mandates ($71 million in 2011, adjusted annually for inflation). Estimated impact on the private sector: S. 1151 would impose several private-sector mandates as defined in UMRA by:Requiring certain business entities that handle personally identifiable information for 10,000 or more individuals to establish and maintain a data privacy and security program; Requiring any business entity engaged in interstate commerce to notify individuals if a security breach occurs in which such individuals' sensitive personally identifiable information is compromised; Requiring providers of electronic communication services to inform any user that initiated transmission of data on their network if they become aware of a data breach; and Limiting existing rights to seek damages against a person if the only basis for the suit is the violation of a contractual obligations involving the use of computers or access to personal information. The majority of businesses already comply with data security standards and breach notification procedures similar to many of the bill's requirements. However, some of the requirements in the bill would impose new standards for data maintenance and security on a large number of entities in the private sector. Consequently, CBO estimates that the aggregate direct cost of all the mandates in the bill would probably exceed the annual threshold established in UMRA for private- sector mandates ($142 million in 2011, adjusted annually for inflation) in at least one of the first five years the mandates are in effect. Data privacy and security requirements Subtitle A of title II would require businesses engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more individuals to establish and maintain a program for data privacy and security. The program would be designed to protect against both unauthorized access and any anticipated vulnerabilities. Business entities would be required to conduct periodic risk assessments to identify such vulnerabilities and assess possible security risks in establishing the program. Additionally, businesses would have to train their employees in implementing the data security program. The bill would direct the FTC to develop rules that identify privacy and security requirements for the business entities covered under subtitle A. Some businesses would be exempt from the requirements of subtitle A. Those include certain financial institutions that are subject to the data security requirements under the Gramm-Leach-Bliley Act, entities that are subject to the data security requirements of the Health Insurance Portability and Accountability Act, and providers of electronic communications services to the extent that they are exclusively engaged in the temporary storage, transmission, or routing of data. The cost per entity of the data privacy and security requirements would depend on the rules to be established by the FTC, the size of the entity, and its current ability to secure, record, and monitor access to data, as well as on the amount of sensitive, personally identifiable information maintained by the entity. The majority of States already have laws requiring business entities to utilize data security programs, and it is the current practice of many businesses to use security measures to protect sensitive data. However, some of the new standards for data security in the bill could impose additional costs on a large number of private-sector entities. For example, under the bill, businesses covered under subtitle A would be required to enhance their security standards to include the ability to trace access and transmission of all records containing sensitive personally identifiable information. The current industry standard on data security has not reached that level. According to industry experts, information on a particular individual can be collected from several places and, for large companies, can be accessed by thousands of people from several different locations. The ability to trace each transaction involving data containing personally identifiable information would require a significant enhancement of data management hardware and software for the majority of businesses. Further, the bill's definition of sensitive personally identifiable information is broader than the current industry standard. This definition would significantly increase the number of entities that would be required to implement new or enhanced data security standards. The aggregate cost of implementing such changes could be substantial. Notification of security breaches Subtitle B of title II would require business entities engaged in interstate commerce that use, access, transmit, store, dispose of, or collect sensitive personally identifiable information to notify individuals in the event of a security breach if the individuals' sensitive, personally identifiable information is compromised. Entities would be able to notify individuals using written letters, the telephone, or email. If a business does not own or license the information, it would have to notify the owner or licensee of the information following a breach. A notice in major media outlets serving a State or jurisdiction also would have to be provided for any breach of more than 5,000 residents' records within a particular State. In addition, businesses would be required to notify other entities and agencies in the event of a large security breach. Entities that experience the breach of such data would have to notify the affected victims and consumer reporting agencies if the breach involves more than 5,000 individuals. The bill, however, would exempt business entities from the notification requirements under certain circumstances. According to industry sources, the sensitive personally identifiable information of millions of individuals is illegally accessed or otherwise breached every year. However, according to those sources, 46 states already have laws requiring notification in the event of a security breach. In addition, it is the standard practice of most business entities to notify individuals if a security breach occurs. Therefore, CBO estimates that the notification requirements would not impose significant additional costs on businesses. The subtitle also contains a provision requiring providers of electronic communication services (such as Internet service providers) to inform the entity that began a transmission of information using their systems if they become aware that a breach of sensitive personally identifiable information has occurred. This would constitute a mandate on those service providers. The cost to inform business entities of a breach would probably be small. Elimination of existing rights of action Title I would eliminate certain existing rights of action against individuals for violating contractual agreements involving the use of computers or access to personal information. Currently, a lawsuit may be filed against an individual for exceeding authorized access (obtaining or altering information without the proper authorization) and computer fraud if that individual violates the terms of a related contractual agreement. The bill would eliminate any right of action alleging someone has exceeded authorized access or committed computer fraud when the only basis for the suit is the violation of a related agreement. Because there are few such cases, CBO estimates that the cost of the mandate would be minimal. Estimate prepared by: Federal costs: Department of Homeland Security--Jason Wheelock; Federal Trade Commission--Susan Willie; U.S. Secret Service--Mark Grabowicz; Other Federal agencies--Matthew Pickford. Impact on State, local, and Tribal Governments: Elizabeth Cove Delisle. Impact on the private sector: Marin Randall. Estimate approved by: Theresa Gullo, Deputy Assistant Director for Budget Analysis. V. Regulatory Impact Evaluation In compliance with rule XXVI of the Standing Rules of the Senate, the Committee finds that no significant regulatory impact will result from the enactment of S. 1151. VI. Conclusion The Personal Data Privacy and Security Act of 2011, S. 1151, provides greatly needed privacy protections to American consumers and businesses, to ensure that all Americans have the tools necessary to protect themselves from identity theft and other data security risks. This legislation will also ensure that the most effective mechanisms and technologies for dealing with the underlying problem of lax data security are implemented by the Nation's businesses to help prevent data breaches from occurring in the first place. The passage and enactment of this important privacy legislation is long overdue. VII. Additional and Minority Views ADDITIONAL VIEWS FROM SENATOR COONS I was pleased to support the Personal Data Privacy and Security Act of 2011, which will bolster the security of sensitive personal data held by companies and improve notice to consumers in the event of a data breach. In this age of digital commerce, the stakes surrounding data security are high and will only increase. This legislation will help promote consumer trust and corporate accountability. As I mentioned during Committee consideration, I believe the bill could be further improved if the preemption standards were strengthened. In particular, I believe it is counterproductive to subject banks and financial services entities already regulated under the Gramm-Leach-Bliley Act to a patchwork of differing or conflicting state laws governing data breach and consumer notice. Accordingly, as this bill moves forward to full Senate consideration, I will work to ensure that the preemption provisions in S. 1151 are broadened to establish uniform preemption of state laws where Congress has established a national regime for data security and breach notification. Christopher A. Coons. MINORITY VIEWS FROM SENATORS GRASSLEY, KYL, SESSIONS, GRAHAM, CORNYN, AND COBURN This legislation seeks a solution to a real problem, but it fails to deliver. Protecting an individual's sensitive personal identifying information, recognizing vulnerabilities to information and providing notification when a breach of information has occurred must be addressed. We support a clear, uniform, national standard that directs when notice to consumers and law enforcement should be provided. Consumers should have access to alerts identifying threats that pose a significant risk of identity theft. When appropriate notice is given, consumers can work with other entities to limit risk and protect their identity. This also means that businesses will possess the ability to minimize risk and protect their consumers' sensitive personal information from any further threats. Yet at the same time, we must not numb a consumer's senses to risk notification. Legislation should not encourage or foster an environment where the default response from a business is to always issue notice. Requiring notice for trivial security incidents will lead to over-notification, which in turn will create broad apathy as consumers are inundated with inconsequential warnings. Moreover, the security breach that does threaten an individual's identity may be ignored. While the purpose of this bill is to protect individuals, the effect will be the exact opposite as consumers will suffer due to constant notification. Additionally, the financial and bureaucratic costs associated with this bill will burden small and medium sized businesses at exactly the wrong time. We know that excessive government regulation has a detrimental effect on businesses, imposing heavy burdens on small business which must comply or face substantial liability penalties. Such regulations may have the effect of bankrupting these businesses. During these difficult economic times and unemployment northward of 9%, this costly legislation is not prudent. While we commend the Chairman's efforts on this particular subject, we cannot support S. 1151 at this time. We believe it is counterproductive to our shared goal of consumer protection, as it will lead to consumer over-notification, increased financial costs due to new regulations, while imposing excessive liability penalties for failure to comply, ultimately leading to further job losses throughout the economy. BACKGROUND Identity theft is a problem for both consumers and businesses. This problem intensifies as criminals become increasingly sophisticated at breaching businesses' security systems in order to obtain sensitive information. This threat is not just limited to private business but to the government as well. Business and government work to understand past and present incidents so as to prevent future attacks. Law enforcement at the federal, state and local levels work together and with private business to enhance controls, protect information, and improve cooperation should a breach occur. Private businesses, which ultimately bear the major cost of fraud resulting from an attack, have spent billions of dollars to strengthen data security, seeking ways to stop fraud before it happens. Underlying the need for a uniform, federal standard is the expansive growth of State government activity on this matter. Since 2002, 46 states and the District of Columbia have enacted laws that seek to prevent identity theft, while requiring businesses who suffer a data breach to provide notice to consumers detailing the risk to their sensitive personal information.\1\ Moreover, the trend continues this year as 14 states have introduced legislation that expands the scope of the laws, creating new and additional notification requirements as well as new penalties for those responsible for a breach.\2\ Due to the ever changing differences between the various state laws, there is a need for a single, uniform, federal standard. --------------------------------------------------------------------------- \1\National Conference of State Legislatures, State Security Breach Notification Laws, http://www.ncsl.org/Default.aspx?TabId=13489 (last visited Oct. 31, 2011). \2\National Conference of State Legislatures, Security Breach Legislation 2011, http://www.ncsl.org/default.aspx?tabid=22295 (last visited Oct. 31, 2011). --------------------------------------------------------------------------- However, as Congress works to craft legislation we must ensure there are tools in place to assist consumers in protecting themselves should a breach occur. It is important that consumers know when their information is compromised so they can obtain resources in order to protect themselves. For notice to be effective, consumers should be notified when their sensitive personal information is compromised in a way that jeopardizes their identities. Otherwise, over-notification will lead to consumer apathy and, therefore, will expose consumers to greater risk. MANDATED ``ONE SIZE FITS ALL'' DATA PRIVACY AND SECURITY PROGRAMS Section 202 of this bill creates a prescriptive, one size fits all data security program requirement that businesses with sensitive personal information of more than 5,000 individuals must follow. Many small businesses, which can easily acquire data on more than 5,000 individuals, will be unduly burdened, facing increased compliance costs that may force a small business to close its doors. Moreover, this burden becomes greater given the bill's expanded definition of sensitive personally identifiable information in section 3. Instead, we believe a more flexible approach should be provided to businesses, appropriate to the size and nature of the respective business. We agree that businesses should have a plan in place to ensure the safety of sensitive information. Unfortunately, rather than avoid the pitfalls of over regulation, which is a legitimate concern to many businesses already facing economic hardships, this bill adds to the problem. The Congressional Budget Office recognizes this fact in its cost estimate contained in this report. It is disappointing that this bill fails to recognize that there are tremendous differences and other factors present with various businesses. This bill fails to take into account those differences in two ways. First, this bill applies complex requirements from Congress to all businesses that exceed current industry practices. For example, over the span of almost seven pages, section 202 lists detailed requirements for a personal data privacy and security program that must be implemented. A business must perform risk assessments, risk management and control, and training and vulnerability testing, among other requirements. A small business with one or two employees, that finds itself subject to these requirements, must take the time to be sure it is complying with these requirements, otherwise it will be subject to exorbitant liability penalties. In addition to the specific requirements set forth in this bill, the checklist for compliance is not complete. Section 202 punts to the Federal Trade Commission the authority to add further, ever changing, requirements for businesses that must have data privacy and security programs in place. The Federal Trade Commission, through a routine rulemaking process, can add ``any other administrative, technical, or physical safeguards'' deemed necessary. Again, ever changing rules will unduly burden small and medium sized businesses that not only must comply with the congressional requirements, but new requirements from the federal bureaucracy. The combination of congressional and agency requirements will unduly harm small businesses. We recognize, as do others, that increased government regulation can suppress a business's ability to survive and grow. As the Congressional Budget Office cost estimate contained in this report points out, the new requirements in section 202 go beyond the scope of the security measures many businesses currently have in place. Imposing new requirements that exceed the industry standard, coupled with Federal Trade Commission rulemaking of those requirements and an expansive definition of sensitive personally identifiable information, will create substantial costs to businesses already struggling against over regulation and a weak economy. Before a bill on this matter becomes law, it is important that the requirements in section 202 are reexamined in order to avoid what would be a legislative nightmare for many businesses. OVER-NOTIFICATION This bill provides in section 211 a default rule that notice should always be given to consumers of any breach, ``following the discovery'' of a security breach. Only if after conducting a risk assessment, under section 212(b), may a business entity be exempt from providing notice. The burden that is placed on businesses will inevitably lead to consumer over-notification. As discussed above, the bill's definition of sensitive personally identifiable information is broader than the current industry standard. This means breached information that otherwise would not previously have required notice due to its inability to pose a risk of identity theft, will now require consumer notification. The costs associated with the risk assessment, which must be coordinated with bureaucrats at the Federal Trade Commission, will exact a high toll on small businesses that are not differentiated in any manner from large businesses. Rather than face high liability penalties for failure to comply, the result will be simply to provide notification for trivial incidents that will have the effect of desensitizing the public, while also punishing the business which is a victim as well. The ``safe harbor'' provision in section 212(b) attempts to limit instances where notification is required. However, the end result will remain the same due to the way this provision is drafted. Rather than risk the penalties for failure to notify, a business will in most instances err on the side of caution and give notice. Again, the bill's default rule is that notice should always be given following the discovery of a security breach. However, an entity can perform a risk assessment, in consultation with the Federal Trade Commission, to determine that there is ``no significant risk that a security breach has resulted in, or will result in, identity theft, economic loss or harm, or physical harm'' to the individuals whose personal information was subject to the breach. Thus, a business must make the determination that in no instance could there be a significant risk of ``identity theft, economic loss or harm, or physical harm.'' Rather than play offense against a breach, a business will always find itself on defense. The business will try and anticipate several steps into the future to determine whether to provide notice. This is an impossible task which renders the risk assessment worthless as there may always be an unknown and unforeseen risk that cannot be predicted. A business will therefore do what is in its best interest, which may not necessarily be in an individual consumer's best interest, and issue notice whenever a security incident occurs. Unfortunately, there is no relief for a weary business faced with making a determination whether notice is required, while trying to limit any further security incidents. In order to perform a risk assessment and take advantage of the safe harbor, a business must consult with the Federal Trade Commission, another layer in the bureaucratic minefield, which must be informed of a business's decision to invoke the safe harbor following the risk assessment. If the Federal Trade Commission ``does not indicate, in writing, within 10 business days from receipt of the decision, that notice should be given[,]'' then no notice is required. However, it is not unreasonable to anticipate the exact opposite effect occurring as a result of this provision. Instead, it is reasonable to question whether the Federal Trade Commission will be able to process the potentially high number of risk assessment results that will inundate its office as a result of this bill's mandate. This is because the expansive definition of sensitive personally identifiable information, along with the trigger for when notice should be provided, will inevitably lead to greater notification and risk assessment reports. Unless the Federal Trade Commission operates efficiently and timely when reviewing risk assessments, then the risk of over-notification will only continue to rise. An over worked Commission staffer may face a quickly approaching 10-day deadline and choose to err on the side of caution and instruct a business to provide notice. Rather than attempt to limit notification to security breaches that pose a significant risk of identity theft, S. 1151 will create serious over-notification problems which will desensitize consumers and lead to widespread apathy. A business must always give notice unless after performing a risk assessment in consultation with the Federal Trade Commission it is determined there is no significant risk of ``identity theft, economic loss or harm, or physical harm.'' The initial decision a business will make is whether it is beneficial to jump through the risk assessment hoops, which will involve dealing with a federal agency, and instead simply issue notice. Assuming a business does decide to try and invoke the safe harbor, it is quite possible that an over-burdened Federal Trade Commission will simply instruct a business to issue notice. Rather than placing a default rule that notice must always be given, unless a risk assessment determines otherwise, perhaps a better approach would be to require notice only when there is a significant risk of identity theft. This subtle burden shifting may work to eliminate all but those notifications that pose the greatest threat to a consumer's sensitive personal information. EXCESSIVE PENALTIES Another troubling aspect of this bill is its excessive penalties. Under section 203, businesses that make a mistake in complying with the requirements of sections 201 and 202 may be held liable at a rate of ``$5,000 per violation per day while such violation exists with a maximum of $500,000 per violation.'' Section 202 imposes no less than seven requirements on businesses, not counting the numerous subsections. A mistake in compliance with any one of those requirements is a potential violation, running at a rate of $5,000 per day. Moreover, that business would likely be facing arguments by government attorneys that its conduct was willful or intentional, thereby deserving an additional penalty of up to $500,000 more. Under sections 217 and 218, if a business makes a mistake in providing notice to a person whose information may have been compromised, that business will be facing a penalty of ``$11,000 per day per security breach'' up to $1 million. That business will also be facing arguments by government attorneys that its conduct was intentional or willful, deserving an additional penalty of up to $1 million. The Chairman has made an effort to address the problem of ``stacked damages,'' which existed in the original version of his bill. The potential for stacked damages increases the amount of the already excessive penalties. By his manager's amendment, the Chairman has inserted ``penalty limits'' into the enforcement sections of the bill. For example, under section 203, ``the total sum of civil penalties assessed against a business entity for all violations . . . resulting from the same or related acts or omissions shall not exceed $500,000, unless such conduct is found to be willful or intentional.'' The purpose of these ``penalty limit[ation]'' provisions is to prevent the situation where a business makes a mistake which results in it ``violating'' all seven requirements under section 202 and thereby facing liability at a rate of $35,000 per day, and up to $3.5 million. Under the ``penalty limit[ation]'' provision, if a business makes multiple mistakes, as part of the same conduct, it will be facing a potential penalty of $5,000 per day, up to $500,000. Similarly, under sections 217 and 218, if a business suffers a security breach and makes a mistake in notifying ten individuals, whose information was compromised, that business will be facing penalties of $11,000 per day, up to $ 1 million. It will not be facing a potential penalty of $110,000 per day and up to $10 million. The ``penalty limit[ation]'' provisions and some of the other changes made by the Chairman are a step in the right direction. Hopefully, the changes signal a willingness to further refine this bill, which covers a significant and complex issue. However, in its current form, the bill's penalties remain excessive, especially when applied to small and medium sized businesses. Many businesses facing these penalties will be forced into bankruptcy. Remarkably, during the debate on this bill, the majority never expressed any concern about bankrupting businesses or that the businesses facing these excessive penalties are victims of a crime as their computers will have been hacked. This is a disturbing omission given that as of September 2011, 14 million Americans were unemployed and another 9.3 million were underemployed.\3\ --------------------------------------------------------------------------- \3\Bureau of Labor Statistics, U.S. Department of Labor, News Release, ``The Employment Situation--September 2011'' (Oct. 7, 2011) (available at http://www.bls.gov/news.release/pdf/empsit.pdf) (last visited Oct. 31, 2011). --------------------------------------------------------------------------- In addition to facing these excessive penalties, businesses will be forced to hire defense attorneys, who are well versed in computer and cybersecurity issues. There are only a handful of law firms that are fully versed in the subject matter, and which have the experience and manpower to defend a business in a lawsuit filed by the Department of Justice, the Federal Trade Commission and/or State Attorneys General. Those few multinational or large businesses that might consider defending themselves will spend money on attorneys, computer experts and litigation costs, as opposed to hiring new employees and creating jobs. Our concerns are not a matter of protecting businesses that have committed wrongs. We strongly believe that it is important to protect our citizens from identity theft. However, our approach must be fair and balanced. And again, it should not be forgotten that we are talking about businesses that have made a ``mistake'' in complying with this law. Consequently, the amount of a penalty should be a reasonable deterrent. It should not be destructive. Indeed, during these difficult economic times, Congress should be helping businesses to create jobs, not passing legislation that has the real potential to bankrupt businesses and kill jobs. ETHICAL ISSUES Another troubling aspect of this bill is the fact that it allows State Attorneys Generals to hire private law firms on a contingency fee basis to enforce it. This raises serious ethical concerns. A neutral and impartial government is a fundamental requirement for due process. Employing trial lawyers on a contingency fee basis will result in governmental power being wielded by lawyers primarily interested in benefiting themselves, rather than in doing justice. At the very minimum, the appearance of State Attorneys General handing out valuable contracts with a chance for private attorneys to receive contingency fees is disconcerting. As former Alabama Attorney General Bill Pryor (now a judge on the U.S. Court of Appeals for the Eleventh Circuit) once explained that ``[t]hese [contingency] contracts . . . create the potential for outrageous windfalls or even outright corruption for political supporters of the officials who negotiated the contracts.''\4\ --------------------------------------------------------------------------- \4\William H. Pryor, Jr., Curbing the Abuses of Government Lawsuits Against Industries, Speech Before the American Legislative Exchange Council, Aug. 11, 1999, at 8. --------------------------------------------------------------------------- Personal financial interest should not affect the judgment of an attorney representing the government. The faith and trust of the public in the government's fair and impartial use of its powers is critical to our system of government. Accordingly, an attorney who represents the government must be neutral and impartial, with no personal or financial stake in the case. Neutral and impartial justice is not merely a goal. It is a matter of well-established federal and state law. An Executive Order forbids the federal government from hiring private attorneys on a contingency basis.\5\ Also, 28 U.S.C. Sec. 528 disqualifies any employee of the Department of Justice from participating in case that may result in a personal, financial, or political conflict of interest, or the appearance thereof. --------------------------------------------------------------------------- \5\Exec. Order No. 13433, 72 Fed. Reg. 28441 (May 16, 2007). --------------------------------------------------------------------------- The practice of hiring trial lawyers on a contingency fee basis should be ended altogether and it certainly should not be extended into this new law. Accordingly, Senator Grassley offered Amendment ALB11646 to the bill. That amendment would have prohibited State Attorneys General from hiring private law firms on a contingency fee basis to enforce this new federal law. Contrary to the claims of the majority, this issue is not a matter of states' rights. Nor is it a question of states with budget problems needing to hire trial lawyers on a contingent fee basis. This issue is a matter of basic and fundamental ethics and it is a matter of due process. The focus of this bill should be about creating a reasonable national standard to protect Americans from identity theft. It should not be about creating revenue for trial lawyers. Senator Grassley's amendment should have been adopted. MULTIPLE LAWSUITS Another concern with the enforcement provisions is the likelihood that they will breed multiple lawsuits against businesses, which are all based on the same mistake or conduct. Specifically, under the bill as introduced, a business could have been subjected to lawsuits by the Department of Justice or the Federal Trade Commission and anywhere between one and fifty States Attorneys General. No small or medium size business could defend against that onslaught, let alone survive it. The Chairman's manager's amendment begins to address this problem by providing that if the Department of Justice or Federal Trade Commission commences an enforcement action, ``no attorney general of a State may bring an action for a violation . . . that resulted from the same or related acts or omissions against a defendant named in the Federal criminal proceeding or civil action. . . .'' The purpose of this provision is to prevent businesses from having to defend against lawsuits by both the Federal and State governments. If there is an enforcement action, there should only be one lawsuit and preferably, it should be a federal enforcement action. These provisions in sections 203 and 218 of the bill are a step in the right direction. To fully address the issue, the bill should be amended to also require state lawsuits to be withdrawn with prejudice, if the Department of Justice or Federal Trade Commission commences an enforcement action after one or more State Attorneys General files a lawsuit. In the end, all of the concerns about the enforcement and liability provisions are well-founded and must be resolved before we can support this bill. To further address multiple lawsuits, this bill amends the Computer Fraud and Abuse Act to bar civil claims and criminal charges resulting from a violation of a ``Term of Service Agreement'' with a non-government employer. This amendment is intended to bar all contract-based CFAA litigation, except when based on a government employment contract, while allowing the Department of Justice to bring charges under 18 U.S.C. 1030 when based on other evidence. CRIMINAL PROVISIONS The bill does establish a new criminal offense for damage to a critical infrastructure computer system such as electrical power grids, water supply systems and nuclear power plants. Unfortunately, the majority report blatantly mischaracterizes the provision of the bill passed by the Committee, which includes an amendment Senator Grassley offered that imposes a mandatory minimum sentence of three years' imprisonment for the newly created crime of aggravated damage to a critical infrastructure computer. The majority, while noting that the Chairman opposed the mandatory minimum, fails to mention that the President himself included that mandatory minimum in the cyber-security bill he proposed to the Congress earlier this year. The Chairman's original draft of S. 1151 removed the President's proposed mandatory minimum for a violation of aggravated damage to a critical infrastructure computer. Senator Grassley offered his amendment to recognize the serious nature of a cyber-attack damaging critical infrastructure and restore the mandatory minimum in line with the President's proposal. Furthermore, during Associate Deputy Attorney General James A. Baker's testimony, in his appearance before the Committee on September 7, 2011, he explicitly endorsed, on behalf of the DOJ, the three-year mandatory minimum. Thus, in support of the President and with DOJ's endorsement, the Committee voted in favor of the Grassley amendment by a vote of 11-7. In an attempt to diminish the significance of this vote, the majority characterizes the 7 votes in opposition to the amendment as ``bi-partisan,'' because one Republican member voted against it. It is far more noteworthy, however, that four members of the Chairman's party agreed with Senator Grassley and his Republican colleagues. CONCLUSION Protecting an individual's sensitive personally identifiable information is of the utmost importance. However, this must be done in a way that will ensure individuals are notified when there are actual threats to their identity. Unfortunately, this bill fails to accomplish this goal as individuals will find their email inboxes full every morning with notifications of security incidents that a business issues for fear of violating one of the requirements in this bill. The prescriptive regulation and high penalties will likely end up forcing some businesses to shut their doors. As drafted, this bill punishes businesses, while providing no real benefit for consumers. Charles E. Grassley. Jon Kyl. Jeff Sessions. Lindsey Graham. John Cornyn. Tom Coburn. VIII. Changes to Existing Law Made by the Bill, as Reported In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new material is printed in italic, existing law in which no change is proposed is shown in roman): UNITED STATES CODE TITLE 18--CRIMES AND CRIMINAL PROCEDURE PART I--CRIMES * * * * * * * CHAPTER 47--FRAUD AND FALSE STATEMENTS * * * * * * * 1001. Statements or entries generally 1002. Possession of false papers to defraud United States 1003. Demands against the United States 1004. Certification of checks 1005. Bank entries, reports and transactions 1006. Federal credit institution entries, reports and transactions 1007. Federal Deposit Insurance Corporation transactions 1010. Department of Housing and Urban Development and Federal Housing Administration transactions 1011. Federal land bank mortgage transactions 1012. Department of Housing and Urban Development transactions 1013. Farm loan bonds and credit bank debentures 1014. Loan and credit applications generally; renewals and discounts; crop insurance 1015. Naturalization, citizenship and alien registry 1016. Acknowledgement of appearance or oath 1017. Government seals wrongfully used and instruments wrongfully sealed 1018. Official certificates or writings 1019. Certificates by consular officers 1020. Highway projects 1021. Title records 1022. Delivery of certificate, voucher, receipt for military or naval property 1023. Insufficient delivery of money or property for military or naval service 1024. Purchase or receipt of military, naval, or veterans facilities property 1025. False pretenses on high seas and other waters 1026. Compromise, adjustment, or cancellation of farm indebtedness 1027. False statements and concealment of facts in relation to documents required by the Employee Retirement Income Security Act of 1974 1028. Fraud and related activity in connection with identification documents, authentication features, and information 1028A. Aggravated identity theft 1029. Fraud and related activity in connection with access devices 1030. Fraud and related activity in connection with computers 1030A. Aggravated damage to a critical infrastructure computer. 1031. Major fraud against the United States 1032. Concealment of assets from conservator, receiver, or liquidating agent 1033. Crimes by or affecting persons engaged in the business of insurance whose activities affect interstate commerce 1034. Civil penalties and injunctions for violations of section 1033 1035. False statements relating to health care matters 1036. Entry by false pretenses to any real property, vessel, or aircraft of the United States or secure area of any airport or seaport 1037. Fraud and related activity in connection with electronic mail 1038. False information and hoaxes 1039. Fraud and related activity in connection with obtaining confidential phone records information of a covered entity 1040. Fraud in connection with major disaster or emergency benefits 1041. Concealment of security breaches involving sensitive personally identifiable information * * * * * * * SEC. 1030A. AGGRAVATED DAMAGE TO A CRITICAL INFRASTRUCTURE COMPUTER. (a) Definitions.--In this section-- (1) the terms ``computer'' and ``damage'' have the meanings given such terms in section 1030; and (2) the term `critical infrastructure computer' means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including-- (A) gas and oil production, storage, and delivery systems; (B) water supply systems; (C) telecommunication networks; (D) electrical power delivery systems; (E) finance and banking systems; (F) emergency services; (G) transportation systems and services; and (H) government operations that provide essential services to the public (b) Offense.--It shall be unlawful to, during and in relation to a felony violation of section 1030, intentionally cause or attempt to cause damage to a critical infrastructure computer, and such damage results in (or, in the case of an attempt, would, if completed have resulted in) the substantial impairment-- (1) of the operation of the critical infrastructure computer; or (2) of the critical infrastructure associated with the computer. (c) Penalty.--Any person who violates subsection (b) shall be fined under this title, imprisoned for not less than 3 years nor more than 20 years, or both. (d) Consecutive Sentence.--Notwithstanding any other provision of law-- (1) a court shall not place on probation any person convicted of a violation of this section; (2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment, including any term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for the felony violation section 1030; (3) in determining any term of imprisonment to be imposed for a felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and (4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, provided that such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28. * * * * * * * SEC. 1041. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION. * * * * * * * (a) In General.--Whoever, having knowledge of a security breach and of the fact that notice of such security breach is required under title II of the Personal Data Privacy and Security Act of 2011, intentionally and willfully conceals the fact of such security breach, shall, in the event that such security breach results in economic harm to any individual in the amount of $1,000 or more, be fined under this tile or imprisoned for not more than 5 years, or both. (b) Person Defined.--For purposes of subsection (a), the term ``person'' has the same meaning as in section 1030(e)(12) of title 18, United States Code. (c) Notice Requirement.--Any person seeking an exemption under section 212(b) of the Personal Data Privacy and Security Act of 2011 shall be immune from prosecution under this section if the Federal Trade Commission does not indicate, in writing, that such notice be given under section 212(b)(3) of such Act. * * * * * * * (a) Whoever-- (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it; (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains-- (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); (B) information from any department or agency of the United States; or (C) information from any protected computer; (3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States; (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1- year period; (5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss. [(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if-- (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States;] (6) knowingly and with intent to defraud traffics (as defined in section 1029) in-- (A) any password or similar information through which a protected computer as defined in subparagraphs (A) and (B) of subsection (e)(2) may be accessed without authorization; or (B) any means of access through which a protected computer as defined in subsection (e)(2)(A) may be accessed without authorization; (7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any-- (A) threat to cause damage to a protected computer; (B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or (C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion; shall be punished as provided in subsection (c) of this section. (b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section. [(c) The punishment for an offense under subsection (a) or (b) of this section is-- [(1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and [(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; [(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; [(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if-- [(i) the offense was committed for purposes of commercial advantage or private financial gain; [(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or [(iii) the value of the information obtained exceeds $5,000; and [(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; [(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and [(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; [(4)(A) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 5 years, or both, in the case of-- [(i) an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)-- [(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; [(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; [(III) physical injury to any person; [(IV) a threat to public health or safety; [(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or [(VI) damage affecting 10 or more protected computers during any 1-year period; or [(ii) an attempt to commit an offense punishable under this subparagraph; [(B) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 10 years, or both, in the case of-- [(i) an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subclauses (I) through (VI) of subparagraph (A)(i); or [(ii) an attempt to commit an offense punishable under this subparagraph; [(C) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 20 years, or both, in the case of-- [(i) an offense or an attempt to commit an offense under subparagraphs (A) or (B) of subsection (a)(5) that occurs after a conviction for another offense under this section; or [(ii) an attempt to commit an offense punishable under this subparagraph; [(D) a fine under this title, imprisonment for not more than 10 years, or both, in the case of-- [(i) an offense or an attempt to commit an offense under subsection (a) (5)(C) that occurs after a conviction for another offense under this section; or [(ii) an attempt to commit an offense punishable under this subparagraph; [(E) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for not more than 20 years, or both; [(F) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; or [(G) a fine under this title, imprisonment for not more than 1 year, or both, for-- [(i) any other offense under subsection (a)(5); or [(ii) an attempt to commit an offense punishable under this subparagraph.] (c) The punishment for an offense under subsection (a) or (b) of this section is-- (1) a fine under this title or imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(1) of this section; (2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than 3 years, or both, in the case of an offense under subsection (a)(2); or (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under paragraph (a)(2) of this section, if-- (i) the offense was committed for purposes of commercial advantage or private financial gain; (ii) the offense was committed in the furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States, or of any State; or (iii) the value of the information obtained, or that would have been obtained if the offense was completed, exceeds $5,000; (3) a fine under this title or imprisonment for not more than 1 year, or both, in the case of an offense under subsection (a)(3) of this section; (4) a fine under this title or imprisonment of not more than 20 years, or both, in the case of an offense under subsection (a)(4) of this section; (5)(A) except as provided in subparagraph (D), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A) of this section, if the offense caused-- (i) loss to 1 or more persons during any 1- year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; (ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (iii) physical injury to any person; (iv) a threat to public health or safety; (v) damage affecting a computer used by, or on behalf of, an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or (vi) damage affecting 10 or more protected computers during any 1-year period; (B) a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(B), if the offense caused a harm provided in clause (i) through (vi) of subparagraph (A) of this subsection; (C) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; or (D) a fine under this title, imprisonment for not more than 1 year, or both, for another offense under subsection (a)(5); (6) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(6) of this section; or (7) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(7) of this section. * * * * * * * (e) As used in this section-- (1) the term ``computer'' means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device; (2) the term ``protected computer'' means a computer-- (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; (3) the term ``State'' includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States; (4) the term ``financial institution'' means-- (A) an institution, with deposits insured by the Federal Deposit Insurance Corporation; (B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank; (C) a credit union with accounts insured by the National Credit Union Administration; (D) a member of the Federal home loan bank system and any home loan bank; (E) any institution of the Farm Credit System under the Farm Credit Act of 1971; (F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934; (G) the Securities Investor Protection Corporation; (H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and (I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act; (5) the term ``financial record'' means information derived from any record held by a Financial institution pertaining to a customer's relationship with the financial institution; (6) the term ``exceeds authorized access'' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or [alter;] alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized; (7) the term ``department of the United States'' means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5; (8) the term ``damage'' means any impairment to the integrity or availability of data, a program, a system, or information; (9) the term ``government entity'' includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any State, province, municipality, or other political subdivision of a foreign country; (10) the term ``conviction'' shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer; (11) the term ``loss'' means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and (12) the term ``person'' means any individual, firm, corporation, educational institution financial institution, governmental entity, or legal or other entity. * * * * * * * (g)(1) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware. (2) No action may be brought under this subsection if a violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, constitutes the sole basis for determining that access to the protected computer is unauthorized, or in excess of authorization. * * * * * * * [(i)(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States--] [(A) such person's interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation; and [(B) any property, real or personal, constituting or derived from, any proceeds that such person obtained, directly or indirectly, as a result of such violation. [(2) The criminal forfeiture of property under this subsection, any seizure and disposition thereof, and any judicial proceeding in relation thereto, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section.] (i) Criminal Forfeiture.-- (1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States-- (A) such person's interest in any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of such violation; and (B) any property, real or personal, constituting or derived from any gross proceeds, or any property traceable to such property, that such person obtained, directly or indirectly, as a result of such violation. (2) The criminal forfeiture of property under this subsection, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section. [(j) For purposes of subsection (i), the following shall be subject to forfeiture to the United States and no property right shall exist in them: [(1) Any personal property used or intended to be used to commit or to facilitate the commission of any violation of this section, or a conspiracy to violate this section. [(2) Any property, real or personal, which constitutes or is derived from proceeds traceable to any violation of this section, or a conspiracy to violate this section.] (j) Civil Forfeiture.-- (1) The following shall be subject to forfeiture to the United States and no property right, real or personal, shall exist in them: (A) Any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of any violation of this section, or a conspiracy to violate this section. (B) Any property, real or personal, constituting or derived from any gross proceeds obtained directly or indirectly, or any property traceable to such property, as a result of the commission of any violation of this section, or a conspiracy to violate this section. (2) Seizures and forfeitures under this subsection shall be governed by the provisions in chapter 46 of title 18, United States Code, relating to civil forfeitures, except that such duties as are imposed on the Secretary of the Treasury under the customs laws described in section 981(d) of title 18, United States Code, shall be performed by such officers, agents and other persons as may be designated for that purpose by the Secretary of Homeland Security or the Attorney General. (k) Reporting Certain Criminal Cases.--Not later than 1 year after the date of the enactment of this Act, and annually thereafter, the Attorney General shall report to the Committee on the Judiciary of the Senate and the Committee on the Judiciary of the House of Representatives the number of criminal cases brought under subsection (a) that involve conduct in which-- (1) the defendant-- (A) exceeded authorized access to a non- governmental computer; or (B) accessed a non-governmental computer without authorization; and (2) the sole basis for the Government determining that access to the non-governmental computer was unauthorized, or in excess of authorization was that the defendant violated a contractual obligation or agreement with a service provider or employer, such as an acceptable use policy or terms of service agreement. * * * * * * * CHAPTER 96--RACKETEER INFLUENCED AND CORRUPT ORGANIZATIONS * * * * * * * SEC. 1961. DEFINITIONS. As used in this chapter-- (1) ``racketeering activity'' means (A) any act or threat involving murder, kidnapping, gambling, arson, robbery, bribery, extortion, dealing in obscene matter, or dealing in a controlled substance or listed chemical (as defined in section 102 of the Controlled Substances Act), which is chargeable under State law and punishable by imprisonment for more than one year; (B) any act which is indictable under any of the following provisions of title 18, United States Code: Section 201 (relating to bribery), section 224 (relating to sports bribery), sections 471, 472, and 473 (relating to counterfeiting), section 659 (relating to theft from interstate shipment) if the act indictable under section 659 is felonious, section 664 (relating to embezzlement from pension and welfare funds), sections 891-894 (relating to extortionate credit transactions), section 1028 (relating to fraud and related activity in connection with identification documents), section 1029 (relating to fraud and related activity in connection with access devices), section 1030 (relating to fraud and related activity in connection with computers) if the act is a felony, section 1084 (relating to the transmission of gambling information), section 1341 (relating to mail fraud), section 1343 (relating to wire fraud), section 1344 (relating to financial institution fraud), section 1425 (relating to the procurement of citizenship or nationalization unlawfully), section 1426 (relating to the reproduction of naturalization or citizenship papers), section 1427 (relating to the sale of naturalization or citizenship papers), sections 1461-1465 (relating to obscene matter), section 1503 (relating to obstruction of justice), section 1510 (relating to obstruction of criminal investigations), section 1511 (relating to the obstruction of State or local law enforcement), section 1512 (relating to tampering with a witness, victim, or an informant), section 1513 (relating to retaliating against a witness, victim, or an informant), section 1542 (relating to false statement in application and use of passport), section 1543 (relating to forgery or false use of passport), section 1544 (relating to misuse of passport), section 1546 (relating to fraud and misuse of visas, permits, and other documents), sections 1581-1592 (relating to peonage, slavery, and trafficking in persons)., section 1951 (relating to interference with commerce, robbery, or extortion), section 1952 (relating to racketeering), section 1953 (relating to interstate transportation of wagering paraphernalia), section 1954 (relating to unlawful welfare fund payments), section 1955 (relating to the prohibition of illegal gambling businesses), section 1956 (relating to the laundering of monetary instruments), section 1957 (relating to engaging in monetary transactions in property derived from specified unlawful activity), section 1958 (relating to use of interstate commerce facilities in the commission of murder-for-hire), section 1960 (relating to illegal money transmitters), sections 2251, 2251A, 2252, and 2260 (relating to sexual exploitation of children), sections 2312 and 2313 (relating to interstate transportation of stolen motor vehicles), sections 2314 and 2315 (relating to interstate transportation of stolen property), section 2318 (relating to trafficking in counterfeit labels for phone records computer programs or computer program documentation or packaging and copies of motion pictures or other audiovisual works), section 2319 (relating to criminal infringement of a copyright), section 2319A (relating to unauthorized fixation of and trafficking in sound recordings and music videos of live musical performances), section 2320 (relating to trafficking in goods or services bearing counterfeit marks), section 2321 (relating to trafficking in certain motor vehicles or motor vehicle parts), sections 2341-2346 (relating to trafficking in contraband cigarettes), sections 2421-24 (relating to white slave traffic), sections 175-178 (relating to biological weapons), sections 229- 229F (relating to chemical weapons), section 831 (relating to nuclear materials), (C) any act which is indictable under title 29, United States Code, section 186 (dealing with restrictions on payments and loans to labor organizations) or section 501(c) (relating to embezzlement from union funds), (D) any offense involving fraud connected with a case under title 11 (except a case under section 157 of this title), fraud in the sale of securities, or the felonious manufacture, importation, receiving, concealment, buying, selling, or otherwise dealing in a controlled substance or listed chemical (as defined in section 102 of the Controlled Substances Act), punishable under any law of the United States, (E) any act which is indictable under the Currency and Foreign Transactions Reporting Act, (F) any act which is indictable under the Immigration and Nationality Act, section 274 (relating to bringing in and harboring certain aliens), section 277 (relating to aiding or assisting certain aliens to enter the United States), or section 278 (relating to importation of alien for immoral purpose) if the act indictable under such section of such Act was committed for the purpose of financial gain, or (G) any act that is indictable under any provision listed in section 2332b(g)(5)(B); * * * * * * *