[Senate Report 112-91]
[From the U.S. Government Publishing Office]
Calendar No. 181
112th Congress, 1st Session
SENATE
Report 112-91
======================================================================
PERSONAL DATA PRIVACY AND SECURITY ACT OF 2011
_______
November 7, 2011.--Ordered to be printed
_______
Mr. Leahy, from the Committee on the Judiciary,
submitted the following
R E P O R T
together with
ADDITIONAL AND MINORITY VIEWS
[To accompany S. 1151]
[Including cost estimate of the Congressional Budget Office]
The Committee on the Judiciary, to which was referred the
bill (S. 1151), to prevent and mitigate identity theft, to
ensure privacy, to provide notice of security breaches, and to
enhance criminal penalties, law enforcement assistance, and
other protections against security breaches, fraudulent access,
and misuse of personally identifiable information, having
considered the same, reports favorably thereon, with an
amendment, and recommends that the bill, as amended, do pass.
CONTENTS
I. Background and Purpose of the Personal Data Privacy and Security Act of 2011
II. History of the Bill and Committee Consideration
III. Section-by-Section Summary of the Bill
IV. Congressional Budget Office Cost Estimate
V. Regulatory Impact Evaluation
VI. Conclusion
VII. Additional and Minority Views
VIII. Changes to Existing Law Made by the Bill, as Reported
I. Background and Purpose of the Personal Data Privacy and Security Act of 2011
A. SUMMARY
Advanced technologies, combined with the realities of the
post-9/11 digital era, have created strong incentives and
opportunities for collecting and selling personal information
about ordinary Americans. Today, private sector and
governmental entities alike routinely traffic in billions of
electronic personal records about Americans. Americans rely on
this data to facilitate financial transactions, provide
services, prevent fraud, screen employees, investigate crimes,
and find loved ones. The Government also relies upon this
information to enhance national security and to combat crime.
The growing market for personal information has also become
a treasure trove that is both valuable and vulnerable to
identity thieves. As a result, the consequences of a data
security breach can be quite serious. For Americans caught up
in the endless cycle of watching their credit unravel, undoing
the damage caused by security breaches and identity theft can
become a time-consuming and lifelong endeavor. In addition,
while identity theft is a major privacy concern for most
Americans, the use and collection of personal data by
Government agencies can have an even greater impact on
Americans' privacy. The loss or theft of Government data can
potentially expose ordinary citizens, Government employees, and
members of the armed services alike to national security and
personal security threats.
Despite these well-known dangers, the Nation's privacy laws
lag far behind the capabilities of technology and the cunning
of identity thieves. The Personal Data Privacy and Security Act
of 2011 is a comprehensive privacy bill that seeks to close
this privacy gap by establishing meaningful national standards
for providing notice of data security breaches, and by
addressing the underlying problem of lax data security to make
it less likely for data security breaches to occur in the first
place.
B. THE GROWING PROBLEM OF DATA SECURITY BREACHES AND IDENTITY THEFT
Since the Personal Data Privacy and Security Act was first
reported by the Judiciary Committee in November 2005, more than
535 million records containing sensitive personal information
have been involved in data security breaches, according to the
Privacy Rights Clearinghouse.\1\ For example, during the spring
of 2011, Sony disclosed several major data breaches involving
its PlayStation Network, Qriocity music and video service and
Sony Online Entertainment service, exposing the sensitive
personal information of more than 101 million users.\2\ In
another high-profile data security breach, a computer hacker
penetrated the databases of the online marketing firm Epsilon,
compromising name and email address information about the
customers of scores of major U.S. businesses, including Target,
Citigroup, and Walgreen, and affecting the privacy of millions
of U.S. consumers.\3\
---------------------------------------------------------------------------
\1\See ``Privacy Rights Clearinghouse Chronology of Data
Breaches,'' available at http://www.privacyrights.org/.
\2\``Sony Data Breach Tally Rises to 101 Million,'' eWeek.com, May
3, 2011.
\3\``Fact box: U.S. data breach hits Target, Marriott customers,''
Reuters/MSNBC, April 4, 2011.
---------------------------------------------------------------------------
In January 2009, Heartland Payment Systems, one of the
Nation's leading processors of credit and debit card
transactions, announced that its processing system records
containing more than 130 million credit card accounts had been
breached by hackers. In January 2007, mega-retailer TJX
disclosed that it suffered a data breach affecting at least
45.7 million credit and debit cards.\4\ These data breaches
follow many other major commercial data breaches, including
breaches at ChoicePoint and LexisNexis.
---------------------------------------------------------------------------
\4\``Breach of data at TJX is called the biggest ever, Stolen
numbers put at 45.7 million,'' Boston Globe, March 29, 2007.
---------------------------------------------------------------------------
Federal Government agencies, and even the Congress, have
not been immune to data security breaches. In June 2011,
computer hackers affiliated with the hacker group known as Lulz
Security breached the United States Senate website.\5\ In
February 2009, the Federal Aviation Administration revealed
that computer hackers breached one of its servers and stole
sensitive personal information concerning 45,000 current and
former FAA employees.\6\ In June 2008, Walter Reed Medical
Center reported that the personal information of 1,000 Military
Health System beneficiaries may have been improperly disclosed
through the unauthorized sharing of data.\7\ In May 2006, the
Department of Veterans Affairs lost an unsecured laptop
computer hard drive containing the health records and other
sensitive personal information of approximately 26.5 million
veterans and their spouses.\8\ And in May 2007, the
Transportation Security Administration (TSA) reported that the
personal and financial records of 100,000 TSA employees were
lost after a computer hard drive was reported missing from the
Agency's headquarters, exposing the Department of Homeland
Security to potential national security risks.\9\
---------------------------------------------------------------------------
\5\``Hackers Break into Senate Computers,'' Reuters, June 14, 2011.
\6\``FAA Breach Heightens Cybersecurity Concerns,'' Federal
Computer Week, February 23, 2009.
\7\``Walter Reed: Data Breach at Military Hospitals,'' The
Associated Press, June 3, 2008.
\8\See Testimony of the Honorable James Nicholson, Secretary of
Veterans Affairs, before the House Committee on Government Reform, June
8, 2006.
\9\See ``TSA seeks hard drive, personal data for 100,000,'' USA
Today, May 5, 2007; see also, the Federal Times, ``Union Sues TSA over
loss of data on employees,'' May 9, 2007.
---------------------------------------------------------------------------
The steady wave of data security breaches in recent years
is a window into a broader, more challenging trend. Insecure
databases are now low-hanging fruit for hackers looking to
steal identities and commit fraud. Lax data security is also a
threat to American businesses. The President's report on
Cyberspace Policy Review noted that industry estimates of
losses from data theft of intellectual property in 2008 alone
range as high as $1 trillion.\10\ Because data security
breaches adversely affect many segments of the American
community, a meaningful solution to this growing problem must
carefully balance the interests and needs of consumers,
business, and the Government.
---------------------------------------------------------------------------
\10\``President's Report on Cyberspace Policy Review,'' May 29,
2009, at page 2. A recent report to Congress by the Office of the
National Counterintelligence Executive also found that cyber-espionage
conducted by, among others, China and Russia has resulted in the theft
of tens of billions of dollars of trade secrets, technology and
intellectual property from U.S. Government and private computer systems
each year. See ``Foreign Spies Stealing U.S. Economic Secrets in
Cyberspace, Report to Congress on Foreign Economic Collection and
Industrial Espionage, 2009-2011,'' October, 2011.
---------------------------------------------------------------------------
C. THE PERSONAL DATA PRIVACY AND SECURITY ACT OF 2011
The Personal Data Privacy and Security Act of 2011 takes
several meaningful and important steps to balance the interests
and needs of consumers, business, and the Government in order
to better protect Americans' sensitive personal data. This
legislation is supported by a wide range of consumer, business,
and government organizations.
1. Data security program
The bill recognizes that, in the Information Age, any
company that wants to be trusted by the public must earn that
trust by vigilantly protecting the information that it uses and
collects. The bill takes important steps to accomplish this
goal by requiring that companies that have databases with
sensitive personal information on more than 10,000 Americans
establish and implement a data privacy and security program.
There are exemptions to this requirement for companies already
subject to and in compliance with data security requirements
under the Gramm-Leach-Bliley Act (GLB) and the Health
Insurance Portability and Accountability Act (HIPAA). Section
202(a)(4)(C) directs companies to consider data minimization as
part of their data security program planning process.
Eliminating personal data that is no longer needed is a crucial
and basic element of good data security practice. By contrast,
retaining sensitive data that is no longer needed for a
business purpose unnecessarily creates rich targets for data
breaches and identity theft.\11\
---------------------------------------------------------------------------
\11\For example, one of the recent breaches suffered by Sony
included the financial information of tens of thousands of individuals
held on an ``outdated'' database that the company retained but no
longer used. This practice put the outdated data at an even greater
risk of breach, because little attention was given to the safekeeping
of the data.
---------------------------------------------------------------------------
In addition, in light of the largely passive role of
certain service providers that provide electronic data
transmission, routing, intermediate and transient storage, or
connections services with respect to sensitive personally
identifiable information, the bill assigns limited obligations
to such businesses. In the bill, the term ``service provider''
is defined as a business entity that provides electronic data
transmission, routing, intermediate and transient storage, or
connections to its system or network for sensitive personally
identifiable information on an undifferentiated basis from
other information that such entity transmits, routes, or
stores, or for which such entity provides connections. Section
201(b)(3) of the bill exempts such service providers from the
data security program requirements in the bill, to the extent
that the service provider is exclusively engaged in the
transmission, routing, or temporary, intermediate, or transient
storage of that communication. By ``exclusively,'' the
Committee intends that a service provider is exempt only to the
extent it is engaged in the activities of a service provider as
defined by the bill. The Committee also recognizes that a
service provider may also be engaged in activities that are
covered by the bill and does not intend that an entity
would lose the service provider exemption for its purely
service provider functions.\12\
---------------------------------------------------------------------------
\12\The Committee notes that with respect to section 202(d) of the
bill, the ``providers of services'' under this provision are not the
same entities as the ``service providers'' defined by the bill. The
entities subject to this provision are persons or entities other than
service providers, with whom a business entity contracts for services
other than the services or functions of a service provider. This
provision does not impose any obligation on service providers to enter
into contracts or implement or maintain the requirements of section 201
or 202 or subtitle B.
---------------------------------------------------------------------------
2. Notice
Second, because American consumers should know when they
are at risk of identity theft or other harms because of a data
security breach, the bill also requires that business entities
and Federal agencies promptly notify affected individuals and
law enforcement when a data security breach occurs. Armed with
such knowledge, consumers can take steps to protect themselves,
their families, and their personal and financial well-being.
Additionally, law enforcement can also take the steps needed to
mitigate or thwart a cyberattack. Notice to individuals must be
provided within 60 days following discovery of the security
breach, unless delayed by the Federal Trade Commission or
Federal law enforcement. The trigger for notice to individuals
is ``significant risk of identity theft, economic loss or harm,
or physical harm,'' and this trigger includes appropriate
checks and balances to prevent over-notification and
underreporting of data security breaches.
In this regard, the bill recognizes that there are harms
other than identity theft that can result from a data security
breach, including harm from other financial crimes, stalking,
and other criminal activity. Consequently, the bill adopts a
trigger of ``significant risk of identity theft, economic loss
or harm, or physical harm,'' rather than a weaker trigger of
``significant risk of identity theft,'' for the notice
requirement for individuals in the legislation. There are
exemptions to the notice requirements for individuals for
national security and law enforcement reasons, as well as an
exemption to this requirement for credit card companies that
have effective fraud-prevention programs.\13\ The bill also
includes a safe harbor exemption from the notice requirement if
the business entity or agency that suffered the security breach
concludes, after conducting a risk assessment, that no
significant risk of identity theft, economic harm or loss, or
physical harm exists and the FTC concurs with that
determination. The bill contemplates that a reasonable delay of
notice could include the time necessary for a victimized
business or agency to conduct a risk assessment under Section
212(b).
---------------------------------------------------------------------------
\13\Some have incorrectly argued that S. 1151 will result in over-
notification of consumers and in a lack of clarity for business. To the
contrary, the bill contains meaningful checks and balances, including
the risk assessment and financial fraud prevention provisions in
Section 212, to prevent over-notification and the underreporting of
data security breaches. The risk assessment provision in Section 212,
furthermore, provides businesses with an opportunity to fully evaluate
data security breaches when they occur, to determine whether notice
should be provided to consumers. In addition, the bill complements and
properly builds upon other Federal statutes governing data privacy and
security to ensure clarity for business in this area. For example, to
avoid conflicting obligations regarding the bill's data security
program requirements, Section 201(c) specifically exempts financial
institutions that are already subject to, and complying with, the data
privacy and security requirements under GLB, as well as HIPAA-regulated
entities. The bill also builds upon existing Federal laws and guidance,
such as the data security protections established by the Office of the
Comptroller of the Currency for financial institutions.
---------------------------------------------------------------------------
In addition, to strengthen the tools available to law
enforcement to investigate data security breaches, combat
identity theft and protect cybersecurity, the bill also
requires that business entities and Federal agencies notify a
new Government office to be established by the Secretary of the
Department of Homeland Security of certain major security
breaches that are likely to affect law enforcement or national
security. Such notice to law enforcement is to be provided
within 10 days following discovery of the security breach and
at least 72 hours before providing notice to individuals. The
new Government office will be responsible for disseminating the
information that it receives to the Secret Service, FBI and the
Federal Trade Commission (FTC), and to other Federal
enforcement agencies as warranted. This notice will provide law
enforcement with a valuable head start in pursuing the
perpetrators of cyber intrusions and identity theft. The bill
also empowers the FTC, Secret Service and FBI to obtain
additional information about the data breach from business
entities and Federal agencies to determine whether notice of
the breach should be given to consumers.
This notice mechanism also gives businesses and agencies
certainty as to their legal obligation to provide notice and
prevents them from sending notices when they are unnecessary,
which over time, could result in consumers ignoring such
notices. The notice of breach provisions for electronic health
records that Congress enacted in the American Recovery and
Reinvestment Act (ARRA) apply to information that is accessed or
disclosed from personal health records. The notice of breach
provisions in this bill are not intended to preempt the notice
requirements established by ARRA.
The bill also recognizes the benefits of separating the
notice obligations of owners of sensitive personally
identifiable information and third parties who use and manage
sensitive personally identifiable information on the owner's
behalf. The bill imposes an obligation on third parties that
suffer a data security breach to notify the owners or licensees
of the sensitive personally identifiable information, who
would, in turn, notify consumers. If the owner or licensee of
the data gives notice of the breach to the consumer, then the
breached third party does not have to give notice. The bill
also states that it does not abrogate any agreement between a
breached entity and a data owner or licensee to provide the
required notice in the event of a breach. Separating the notice
obligations between data owners and licensees, and third
parties, will encourage data owners and licensees to address
the notice obligation in agreements with third parties and will
help to ensure that consumers will receive timely notice from
the entity with which they have a direct relationship. However,
this notice can only be effective if the entity that suffers
the breach, and any other third parties, provide the entity
that will give the notice with complete and timely information
about the nature and scope of the breach and the identity of
the entity breached.
As discussed above, the bill assigns limited obligations to
service providers when solely engaging in certain conduct
involving the transmission, routing, intermediate and transient
storage, or when connecting to a system or network. A service
provider's breach notification obligations under subtitle B of
title II are exclusively set out in Section 211(b)(4) of the
bill, which provides that if a service provider becomes aware
of a security breach of data in electronic form containing
sensitive personal information that is owned or possessed by
another business entity that connects to or uses the service
provider's system or network for the purpose of transmitting,
routing, or providing intermediate or transient storage of such
data, the service provider is only required to notify the
business entity who initiated the connection, transmission,
routing, or storage. Such notice is required only in those
cases where such business entity reasonably can be identified.
3. Enforcement
Third, the legislation also establishes tough, but fair,
enforcement provisions to punish those who fail to notify
consumers of a data security breach, or to maintain a data
security program. The bill makes it a crime for any individual,
with knowledge of the obligation to provide notice of a
security breach, to intentionally and willfully conceal the
breach that subsequently causes economic harm to consumers.
Violators of this provision are subject to a criminal fine
under title 18, or imprisonment of up to five years, or both.
This provision is no more onerous than criminal provisions for
other types of fraudulent conduct that cause similar harm to
individuals.
The bill also contains strong but fair civil enforcement
provisions. The bill authorizes the Secret Service, FBI and the
FTC to investigate data security breaches and to provide
guidance to companies that have been the victim of a data
security breach on their notice obligations under the bill. The
bill also authorizes the FTC to bring a civil enforcement
action for violations of the data security program requirements
in the bill and to recover a civil penalty of not more than
$5,000 per violation, per day and a maximum penalty of $500,000
per violation. Double penalties may be recovered for
intentional and willful violations of these requirements. The
bill provides that the determination about the amount of the
civil penalty is to be made by the court. The bill also allows
State Attorneys General to bring civil actions to recover these
civil penalties in United States District Court. However, if the
FTC initiates a civil action to recover penalties, the bill
also prohibits State Attorneys General from commencing another
civil action against the same defendant, based on the same or
related violations.
In addition, the bill contains strong but fair civil
enforcement provisions for the requirements to provide notice
of a security breach. The bill authorizes the FTC and the
Attorney General of the United States to bring a civil
enforcement action to recover a civil penalty of up to $11,000
per day per security breach and a maximum penalty of $1,000,000
for violation of the security breach notice requirements.
Double penalties may be recovered for intentional and willful
violations. The bill provides that the determination about the
amount of the civil penalty is to be made by the court. The
bill also allows State Attorneys General to bring civil actions
to recover these civil penalties in United States District
Court. However, if the Attorney General or the FTC initiates a
civil action to recover penalties, the bill prohibits State
Attorneys General from commencing another civil action against
the same defendant, based on the same or related violations.
It is not uncommon for Congress to authorize both Federal
and State regulators to enforce Federal consumer protection
laws. In fact, Federal antitrust laws, the CAN-SPAM Act
(Controlling the Assault of Non-Solicited Pornography and
Marketing Act of 2003), and the Communications Act of 1934 also
authorize State Attorneys General to seek damages or to enjoin
further Federal law violations. The State enforcement
provisions in this bill are modeled after those laws.
4. Preemption
The legislation also carefully balances the need for
Federal uniformity in certain data privacy laws and the
important role of States as leaders on privacy issues. Section
204 of the bill (relation to other laws) preempts State laws
with respect to requirements for administrative, technical, and
physical safeguards for the protection of sensitive personally
identifying information. These requirements are the same
requirements set forth in Section 202 of the bill. Section
204(b) of the bill also makes clear that the data security
requirements in the bill do not preempt the Gramm-Leach-Bliley
Act or that law's implementing regulations, including those
regulations adopted or enforced by States.
Section 219 of the bill (effect on Federal and State laws)
also preempts State laws on breach notification for entities
that are subject to the bill. The Committee intends for this
provision to preempt State data breach laws only with respect
to the business entities and Federal agencies covered by the
bill. However, in recognition of the important role that the
States have played in developing breach notification, the bill
carves out an exception to preemption for State laws regarding
providing consumers with information about victim protection
assistance that is provided for by the State.
In addition, Section 219 of the bill provides that the
notice requirements in the bill supersede ``any provision of
law of any State relating to notification of a security breach,
except as provided in Section 214(b) of the bill.'' The bill's
subtitle on security breach notification applies to ``any
agency, or business entity engaged in interstate commerce,''
and the term ``agency'' is defined in the bill by referencing
section 551 of title 5, United States Code, which pertains to
Federal Governmental entities. As a result, the security breach
notification requirements in the bill have no application to
State and local governmental entities, and the Committee does
not intend for this provision to preempt or displace State laws
that address obligations of State and local governmental
entities to provide notice of a security breach.
Gramm-Leach-Bliley Act-covered and Health Insurance
Portability and Accountability Act-covered entities are not
subject to the bill. Consequently, the preemption provisions in
the bill similarly do not apply to those entities. It is
possible, however, that other Federal laws that govern these
entities could preempt State law.
5. Criminal provisions
Developing a comprehensive strategy for cybersecurity that
includes a response to cybercrime remains a pressing challenge.
For this reason, the bill includes, among other things, several
cybercrime provisions that update the Computer Fraud and Abuse
Act, so that this law remains a viable tool for law enforcement
to respond to emerging cyber threats.
First, the bill creates a new criminal offense for causing
damage to a critical infrastructure computer that manages or
controls national defense, national security, transportation,
public health and safety, or other critical infrastructure
systems. This new offense includes a three-year mandatory
minimum sentence. The mandatory minimum sentence drew
bipartisan opposition from several Judiciary Committee members
during the Committee's consideration of the provision. In
particular, Chairman Leahy expressed concern that the mandatory
minimum sentence would lead to unfair sentencing results, while
not adding any deterrence value.\14\
---------------------------------------------------------------------------
\14\Full Committee Markup of the Personal Data Privacy and Security
Act of 2011, S. 1151, 112th Cong. (2011) [hereinafter Markup]
(statement of Sen. Patrick Leahy, Chairman, S. Comm. on the Judiciary).
---------------------------------------------------------------------------
Second, the bill amends title 18, United States Code,
section 1961(1) to add violations of the Computer Fraud and
Abuse Act to the definition of racketeering activity. This
update to the law will make it easier for the Government to
prosecute certain organized criminal groups that engage in
computer network attacks.
Third, Section 102 of the bill also makes it a crime for a
person who knows of a security breach which requires notice to
individuals under the bill, and who is under obligation to
provide such notice, to intentionally and willfully conceal the
fact of, or information related to, that security breach.
Punishment is either a fine under title 18, or imprisonment of
up to 5 years, or both.
Fourth, the bill contains several other amendments to the
Computer Fraud and Abuse Act. Section 103 amends title 18,
United States Code, section 1030(c), to streamline and enhance
the penalty structure under section 1030. Section 104 expands
the scope of the offense for trafficking in passwords under
section 1030(a)(6) to include passwords used to access a
protected Government or non-government computer. Section 105
amends section 1030(b) to clarify that both conspiracy and
attempt to commit a computer hacking offense are subject to the
same penalties as completed, substantive offenses. Section 106
amends section 1030(i) and (j) to clarify the criminal forfeiture
provision in section 1030 and to create a civil forfeiture
provision to provide the procedures governing civil forfeiture.
To address civil liberties concerns about the scope of the
Computer Fraud and Abuse Act, the bill amends the Computer
Fraud and Abuse Act to exclude from criminal liability conduct
that exclusively involves a violation of a contractual
obligation or agreement, such as an acceptable use policy, or
terms of service agreement. In particular, the definition for
``exceeds authorization'' in the statute is amended by the bill
to exclude conduct solely involving a violation of a
contractual agreement. The purpose of this amendment is to make
clear that Congress does not intend for the Department of
Justice to pursue criminal prosecutions under that statute for
conduct solely involving a violation of a terms of use
agreement or contractual agreement involving a private, non-
government computer. The Committee does not, however, intend to
prohibit the Department of Justice from using evidence of such
contractual violations to support a charge under section 1030, when
coupled with other evidence.
During the Judiciary Committee hearing, several Members of
the Committee, including the Chairman, raised concerns about
the Justice Department's decision to bring criminal charges in
United States v. Lori Drew, which involved a Computer Fraud and
Abuse Act charge based solely upon a violation of a MySpace
terms of service agreement.\15\ In his testimony before the
Committee, Associate Deputy Attorney General James Baker
responded to concerns about the Drew prosecution by noting that
the case was an anomaly. Specifically, Mr. Baker noted that if
Congress responded to the Drew case by ``restricting the
statute [by prohibiting claims based solely upon a violation of
terms of use or contractual agreements] . . . [that] would make
it difficult or impossible to deter and address serious insider
threats through prosecution.'' In addition, Mr. Baker cautioned
against treating violations of contractual agreements in
cyberspace any differently from violations of such agreements
in other contexts. For example, he noted that law
enforcement can prosecute an employee who acts in violation of
an office policy. Mr. Baker conceded that the Department of
Justice would not appeal the court's decision to overturn the
conviction in the Drew case.
---------------------------------------------------------------------------
\15\In the Drew case, Ms. Drew was alleged to have violated a
MySpace terms of service agreement by creating a false user identity,
which she used to bully a teenager. The teenager later committed
suicide. A jury found Ms. Drew guilty of a misdemeanor violation of the
Computer Fraud and Abuse Act, because she exceeded the authorization to
use MySpace. A Federal judge subsequently overturned the jury's
misdemeanor conviction. United States v. Lori Drew, No. CR 08-0582-GW
(C.D. Cal. Aug. 28, 2009). In doing so, the court concluded that
permitting a violation of a website's terms of service to constitute an
intentional access of a computer without authorization or exceeding
authorization under the Computer Fraud and Abuse Act would ``result in
transforming section 1030(a)(2)(C) into an overwhelmingly overbroad
enactment that would convert a multitude of otherwise innocent Internet
users into misdemeanant criminals.'' Id. at 29. The Justice Department
did not appeal the decision.
---------------------------------------------------------------------------
Finally, to further address this issue, Section 107 of the
bill amends section 1030(g) to preclude civil claims based
exclusively on conduct that involves a violation of a
contractual obligation or agreement, such as an acceptable use
policy or terms of service agreement. Section 108 also adds a
new reporting requirement to section 1030 that requires that
the Attorney General annually report to Congress on the number
of criminal cases brought under section 1030(a) in which the
sole basis for the Government determining that access to the
non-governmental computer was unauthorized, or in excess of
authorization, was that the defendant violated a contractual
obligation or agreement.
II. History of the Bill and Committee Consideration
A. INTRODUCTION OF THE BILL
Chairman Leahy introduced the Personal Data Privacy and
Security Act of 2011 on June 7, 2011. This privacy bill is
cosponsored by Senators Schumer, Cardin, Franken and
Blumenthal.
This legislation is very similar to the Personal Data
Privacy and Security Act of 2009, S. 1490, which Senator Leahy
introduced on July 22, 2009, the Personal Data Privacy and
Security Act of 2007, S. 495, which Senators Leahy and Specter
introduced on July 6, 2007, and to the Personal Data Privacy
and Security Act of 2005, S. 1789, which Senators Leahy and
Specter introduced on September 29, 2005. The Judiciary
Committee favorably reported S. 1490 by a bipartisan vote of 14
Yeas and 5 Nays on November 5, 2009; S. 495 on May 3, 2007, by
voice vote and S. 1789 on November 17, 2005, by a bipartisan
vote of 13 to 5.
The Committee has held two hearings related to S. 1151. On
June 21, 2011, the Judiciary Committee's Subcommittee on Crime
and Terrorism held a hearing entitled, ``Cybersecurity:
Evaluating the Administration's Proposals.'' This hearing
examined the data breach and cybercrime proposals contained in
the Obama administration's legislative package on
cybersecurity. The following witnesses testified at this
hearing: The Honorable Jim Langevin (D-RI), Member, United
States House of Representatives; James A. Baker, Associate
Deputy Attorney General, U.S. Department of Justice; Greg
Schaffer, Acting Deputy Under Secretary, National Protection
and Programs Directorate, Department of Homeland Security; and
Ari Schwartz, Senior Internet Policy Advisor, National
Institute of Standards and Technology (NIST), U.S. Department
of Commerce.
On September 7, 2011, the Judiciary Committee held a
hearing entitled, ``Cybercrime: Updating the Computer Fraud and
Abuse Act to Protect Cyberspace and Combat Emerging Threats.''
This hearing examined the cybercrime proposals contained in the
Obama administration's cybersecurity proposal, including the
criminal proposals contained in S. 1151. The following
witnesses testified at this hearing: James A. Baker, Esq.,
Associate Deputy Attorney General, U.S. Department of Justice
and Pablo A. Martinez, Deputy Special Agent in Charge, Criminal
Investigative Division, United States Secret Service.
B. COMMITTEE CONSIDERATION
On September 7, 2011, S. 1151 was placed on the Judiciary
Committee's agenda. The Committee considered this legislation
on September 15 and 22, 2011.
During the Committee's consideration of S. 1151, six
amendments to the bill were offered and five amendments were
adopted by the Committee:
First, the Committee adopted, without objection, a complete
substitute bill for S. 1151 (ALB11637), which Chairman Leahy
offered. The substitute bill made several changes to the bill,
including (1) striking the data broker and Government use
titles in the bill; (2) adding a new criminal provision making
it a felony to intentionally damage a critical infrastructure
computer; (3) adding a knowledge requirement and economic harm
requirement in the amount of at least $1,000 to the criminal
provision on concealment of a security breach; (4) clarifying
that the definition of security breach excludes public records
and information obtained from public records; (5) modifying the
trigger for breach notice to ``substantial risk of identity
theft, economic loss or harm, or physical harm''; (6)
clarifying that enforcement actions brought by State Attorneys
General may only be brought in U.S. District Court; and (7)
making technical corrections to the bill.
Second, the Committee adopted, without objection, a
manager's amendment (ALB11713) to S. 1151 which Chairman Leahy
also offered. The manager's amendment made several changes to
the bill, including: (1) adopting an amendment filed by Senator
Grassley (HEN11631) to strike language authorizing the Federal
Trade Commission to modify the definition for sensitive
personally identifiable information in the bill through
rulemaking; (2) making several technical changes to Section
202(d) regarding service providers; (3) adding limitation on
liability language; (4) amending the State Attorney General
Enforcement provisions in Section 203 to clarify that if a
Federal civil or criminal action has been filed, a State cannot
bring another action for the same violation; (5) striking the
technical requirements for the risk assessment; (6) amending
Sections 217 and 218 to clarify that civil penalties are
calculated per security breach, per day and adding limitation
on liability language; (7) amending the State Attorney General
Enforcement provisions in Section 218 to clarify that if a
Federal civil or criminal action has been filed, a State cannot
bring another action for the same violation; (8) clarifying
the preemption provision in Section 219, so that the bill does
not preempt the Gramm-Leach-Bliley Act, or the Health
Insurance Portability and Accountability Act; (9) clarifying
that the preemption provision governing State data breach laws
applies only to the entities subject to the bill; (10)
clarifying the GLB carve-outs for the data security program and
data breach provisions in Sections 201 and 211; and (11) making
other technical changes to the bill.
Third, the Committee adopted by voice vote an amendment
offered by Senator Grassley (JEN11A19) to amend the definition
of ``exceeds authorized access'' in title 18, United States
Code, section 1030, to exclude conduct that only involves
violating a terms of use agreement, or other contractual
agreement governing the use of a non-government computer.
Fourth, when the Committee resumed consideration of the
bill on September 22, 2011, Senator Grassley offered an
amendment (ALB11652) to add a mandatory minimum sentence to the
damage of critical infrastructure computers offense in Section
109 of the bill. The amendment was accepted on a roll call
vote. The vote record is as follows:
Tally: 11 Yeas, 7 Nays
Yeas (11): Feinstein (D-CA), Schumer (D-NY), Whitehouse (D-RI),
Klobuchar (D-MN), Grassley (R-IA), Hatch (R-UT), Kyl
(R-AZ), Sessions (R-AL), Graham (R-SC), Cornyn (R-TX),
and Coburn (R-OK).
Nays (7): Leahy (D-VT), Kohl (D-WI), Durbin (D-IL), Franken (D-
MN), Coons (D-DE), Blumenthal (D-CT), and Lee (R-UT).
Fifth, the Committee adopted by voice vote a second degree
amendment offered by Senator Franken (HEN11688) to Senator
Grassley's amendment (HEN11637) that added a data minimization
requirement to the data security program requirements in the
bill.
Sixth, the Committee rejected by voice vote an amendment
offered by Senator Grassley (HEN11637) that would have struck
the data security program requirements in the bill.
Seventh, Senator Grassley offered an amendment (ALB11646)
to prohibit State Attorneys General from retaining private
counsel on a contingency fee basis to enforce the civil
enforcement provisions in the bill. The amendment was rejected
on a roll call vote. The vote record is as follows:
Tally: 7 Yeas, 11 Nays
Yeas (7): Feinstein (D-CA), Grassley (R-IA), Hatch (R-UT), Kyl
(R-AZ), Sessions (R-AL), Cornyn (R-TX), and Lee (R-UT).
Nays (11): Leahy (D-VT), Kohl (D-WI), Schumer (D-NY), Durbin
(D-IL), Whitehouse (D-RI), Klobuchar (D-MN), Franken
(D-MN), Coons (D-DE), Blumenthal (D-CT), Graham (R-SC),
and Coburn (R-OK).
The Committee then voted to report the Personal Data
Privacy and Security Act of 2011, as amended, favorably to the
Senate. The Committee proceeded by roll call vote as follows:
Tally: 10 Yeas, 8 Nays
Yeas (10): Leahy (D-VT), Kohl (D-WI), Feinstein (D-CA), Schumer
(D-NY), Durbin (D-IL), Whitehouse (D-RI), Klobuchar (D-
MN), Franken (D-MN), Coons (D-DE), and Blumenthal (D-
CT).
Nays (8): Grassley (R-IA), Hatch (R-UT), Kyl (R-AZ), Sessions
(R-AL), Graham (R-SC), Cornyn (R-TX), Lee (R-UT), and
Coburn (R-OK).
III. Section-by-Section Summary of the Bill
Section 1--Short title
This section provides that the legislation may be cited as
the ``Personal Data Privacy and Security Act of 2011.''
Section 2--Findings
Section 2 provides Congressional findings on the threats
posed by data security breaches and cybercrime.
Section 3--Definitions
Section 3 contains the definitions used in the bill.
TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS
OF DATA PRIVACY AND SECURITY
Section 101--Organized criminal activity in connection with
unauthorized access to personally identifiable information
Section 101 amends 18 U.S.C. Sec. 1961(1) to add violations
of the Computer Fraud and Abuse Act to the definition of
racketeering activity. This change would increase certain
penalties, and make it easier for the Government to prosecute
certain organized criminal groups who engage in computer
network attacks.
Section 102--Concealment of security breaches involving personally
identifiable information
Section 102 makes it a crime for a person who knows of a
security breach which requires notice to individuals under
Title II of this Act, and who is under obligation to provide
such notice, to intentionally and willfully conceal the fact
of, or information related to, that security breach. Punishment
is either a fine under Title 18, or imprisonment of up to 5
years, or both.
Section 103--Penalties for fraud and related activity in connection
with computers
Section 103 amends title 18, United States Code, section
1030(c) to streamline and enhance the penalty structure under
section 1030.
Section 104--Trafficking in passwords
Section 104 expands the scope of the offense for
trafficking in passwords under title 18, United States Code,
section 1030(a)(6) to include passwords used to access a
protected government or non-government computer, and to include
any other means of unauthorized access to a government
computer.
Section 105--Conspiracy and attempted computer fraud offenses
Section 105 amends title 18, United States Code, section
1030(b) to clarify that both conspiracy and attempt to commit a
computer hacking offense are subject to the same penalties as
completed, substantive offenses.
Section 106--Criminal and civil forfeiture for fraud and related
activity in connection with computers
Section 106 amends title 18, United States Code, sections
1030(i) and (j) to clarify the criminal forfeiture provision in
section 1030 and to create a civil forfeiture provision to
provide the procedures governing civil forfeiture, to clarify
that the proceeds that may be forfeited under section 1030 are
gross proceeds, as opposed to net proceeds, and to allow for
the forfeiture of real property used to facilitate section 1030
offenses.
Section 107--Limitations on civil actions
Section 107 amends title 18, United States Code, section
1030(g) to preclude civil claims based exclusively on conduct
that involves a violation of a contractual obligation or
agreement, such as an acceptable use policy or terms of service
agreement. The purpose of the amendment is to prevent civil
claims based on innocuous conduct.
Section 108--Reporting of certain criminal cases
Section 108 adds a new reporting requirement to section
1030, requiring that the Attorney General annually report to
Congress on the number of criminal cases brought under section
1030(a) in which the defendant either exceeded authorized
access to a non-governmental computer, or accessed a non-
governmental computer without authorization, and in which the
sole basis for the Government determining that access to the
non-governmental computer was unauthorized, or in excess of
authorization, was that the defendant violated a contractual
obligation or agreement with a service provider or employer.
The purpose of the provision is to address concerns that the
Government could bring criminal cases under section 1030 for
relatively innocuous conduct, such as violating a terms of use
agreement.
Section 109--Damage to critical infrastructure computers
Section 109 adds a new criminal provision to title 18
specifically making it a felony to damage a computer that
manages or controls national defense, national security,
transportation, public health and safety, or other critical
infrastructure systems or information. Violations are subject
to a fine and/or imprisonment of at least three years and up to
20 years.
TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
SUBTITLE A--A DATA PRIVACY AND SECURITY PROGRAM
Section 201--Purpose and applicability of data privacy and security
program
Section 201 addresses the data privacy and security
requirements of Section 202 for business entities that compile,
access, use, process, license, distribute, analyze or evaluate
personally identifiable information in electronic or digital
form on 10,000 or more U.S. persons. Section 201 exempts from
the data privacy and security requirements of Section 202
businesses already subject to, and complying with, similar data
privacy and security requirements under GLB and implementing
regulations, as well as examination for compliance by Federal
functional regulators as defined in GLB, and HIPAA regulated
entities.
Section 202--Requirements for a data privacy and security program
Section 202 requires covered business entities to create a
data privacy and security program to protect and secure
sensitive data. The requirements for the data security program
are modeled after those established by the Office of the
Comptroller of the Currency for financial institutions in its
Interagency Guidelines Establishing Standards for Safeguarding
Customer Information, 12 C.F.R. Sec. 30.6 Appendix B (2005).
A data privacy and security program must be designed to
ensure security and confidentiality of personal records,
protect against anticipated threats and hazards to the security
and integrity of personal electronic records, protect against
unauthorized access and use of personal records, and ensure
proper back-up storage and disposal of personally identifiable
information. In addition, Section 202 requires a covered
business entity to: (1) regularly assess, manage and control
risks to improve its data privacy and security program; (2)
provide employee training to implement its data privacy and
security program; (3) conduct tests to identify system
vulnerabilities; (4) ensure that overseas service providers
retained to handle personally identifiable information, but
which are not covered by the provisions of this Act, take
reasonable steps to secure that data; and (5) periodically
assess its data privacy and security program to ensure that the
program addresses current threats. Section 202 also requires
that the data security program include measures that allow the
data broker (1) to track who has access to sensitive personally
identifiable information maintained by the data broker and (2)
to ensure that third parties or customers who are authorized to
access this information have a valid legal reason for accessing
or acquiring the information.
Section 203--Enforcement
Section 203 gives the Federal Trade Commission the right to
bring an enforcement action for violations of Sections 201 and
202 in Subtitle A. Business entities that violate sections 201
and 202 are subject to a civil penalty of not more than $5,000
per violation, per day and a maximum penalty of $500,000 per
violation. Intentional and willful violations of these sections
are subject to an additional civil penalty of $5,000 per
violation, per day and an additional maximum penalty of
$500,000 per violation. This section also grants States the
right to bring civil actions on behalf of their residents in
U.S. district courts, and requires States to give advance
notice of such court proceedings to the FTC, where practicable.
There is no private right of action under this subtitle.
Section 204--Relation to other laws
Section 204 preempts State laws relating to administrative,
technical, and physical safeguards for the protection of
sensitive personally identifying information. The requirements
referred to in this Section are the same requirements set forth
in Section 202.
SUBTITLE B--SECURITY BREACH NOTIFICATION
Section 211--Notice to individuals
Section 211 requires that a business entity or Federal
agency give notice to an individual whose sensitive personally
identifiable information has been, or is reasonably believed to
have been, compromised, following the discovery of a data
security breach. The notice required under Section 211 must be
made without unreasonable delay and no more than 60 days after
the discovery of the breach, unless extended by the Federal
Trade Commission.
Section 211(b) requires that a business entity or Federal
agency that does not own or license the information compromised
as a result of a data security breach notify the owner or
licensee of the data. The owner or licensee of the data would
then provide the notice to individuals as required under this
Section. However, agreements between owners, licensees and
third parties regarding the obligation to provide notice under
Section 211 are preserved. In addition, Section 211(b) provides
that service providers who only transmit or route electronic
data that is subject to a security breach must notify the owner
of the data of the security breach. The owner of the data has
the obligation to notify the individuals whose data was
breached.
Section 212(d) allows the Secret Service or FBI to delay
the notice required under Section 211, if notice would impede a
criminal investigation, or harm national security. The delay
period is for 30 days, unless extended by law enforcement.
Section 212--Exemptions
Section 212 provides for certain exemptions to the notice
requirements under Section 211, for national security and law
enforcement purposes, a safe harbor, and financial fraud
programs.
Section 212(a) allows the Secret Service, or Federal Bureau
of Investigation to prevent notice if the providing of such
notice would reveal sensitive sources and methods, impede a
criminal investigation, or damage national security.
Section 212(b) exempts a business entity or Federal agency
from providing notice, if the business or Federal agency
conducts a risk assessment and determines that there is no
significant risk that the security breach will result in harm
or fraud to the individuals whose sensitive personally
identifiable information has been compromised. The business
entity or Federal agency must notify the Federal Trade
Commission of the results of the risk assessment within 45 days
of the security breach and if the Federal Trade Commission
concurs with the determination, notice is not required. Under
Section 212(b) a rebuttable presumption exists that the use of
encryption technology, or other technologies that render the
sensitive personally identifiable information indecipherable
means that there is no significant risk of harm, or fraud. The
provision also provides certain requirements for the risk
assessment and states that a failure to satisfy these
requirements, or submitting a risk assessment with false
information, constitutes a violation of the provision.
Section 212(c) also provides a financial fraud prevention
exemption from the notice requirement, if a business entity has
a program to block the fraudulent use of information--such as
credit card numbers--to avoid fraudulent transactions. Debit
cards and other financial instruments are not covered by this
exemption.
Section 213--Methods of notice
Section 213 provides that notice to individuals may be
given in writing to the individuals' last known address, by
telephone or via email notice, if the individual has consented
to email notice. Media notice is also required if the number of
residents in a particular State whose information was, or is
reasonably believed to have been compromised exceeds 5,000
individuals.
Section 214--Content of notification
Section 214 requires that the notice detail the nature of
the personally identifiable information that has been
compromised by the data security breach, a toll free number to
contact the business entity or Federal agency that suffered the
breach, and the toll free numbers and addresses of major credit
reporting agencies. Section 214 also preserves the right of
States to require that additional information about victim
protection assistance be included in the notice.
Section 215--Coordination of notification with credit reporting
agencies
Section 215 requires that, for situations where notice of a
data security breach is required for 5,000 or more individuals,
a business entity or Federal agency must also provide advance
notice of the breach to consumer reporting agencies.
Section 216--Notice to law enforcement
Section 216 requires that the Secretary of Homeland
Security designate a Federal Government entity to receive all
of the notices (law enforcement, risk assessment and national
security) required under Sections 212 and 216 within 60 days of
the enactment of the Act. The Section further requires that
business entities and Federal agencies notify this Federal
entity of the fact that a security breach has occurred as
promptly as possible, but at least 72 hours before notice is
given to individuals and no later than 10 days after discovery
of the security breach, if the data security breach involves:
(1) more than 5,000 individuals; (2) a database that contains
information about more than 500,000 individuals; (3) a Federal
Government database; or (4) individuals known to be Federal
Government employees or contractors involved in national
security or law enforcement. The entity designated by the
Secretary of Homeland Security is responsible for promptly
notifying Federal law enforcement agencies, including the
Secret Service, FBI and FTC, of the data security breach. The
FTC, in consultation with the Attorney General and Secretary of
Homeland Security, shall promulgate regulations to clarify the
reporting required by this section and to adjust the
thresholds.
Section 217--Enforcement
Section 217 provides that the Attorney General and Federal
Trade Commission may bring a civil action to recover penalties
for violations of the notification requirements in Subtitle B.
Violators are subject to a civil penalty of up to $11,000 per
day, per security breach. There is a maximum penalty cap of $1
million per security breach. Intentional or willful conduct is
subject to an additional penalty of up to $11,000 per day, per
security breach, with a maximum penalty of an additional $1
million. The provision also requires that the Department of
Justice and FTC coordinate enforcement of this provision and
also coordinate with other Federal enforcement agencies as
warranted.
Section 218--Enforcement by State Attorneys General
Section 218 allows State Attorneys General to bring a civil
action in U.S. district court to enforce Subtitle B. The
Attorney General may stay, or intervene in, any State action.
Section 219--Effect on Federal and State law
Section 219 preempts State laws on breach notification,
with the exception of State laws regarding providing consumers
with information about victim protection assistance that is
available to consumers in a particular State. Because the
breach notification requirements in the bill do not apply to
State and local government entities, this provision does not
preempt State or local laws regarding the obligations of State
and local government entities to provide notice of a data
security breach.
Section 220--Reporting on risk assessment exemptions
Section 220 requires that, no later than 18 months after
enactment, the Federal Trade Commission report to Congress on
the number and nature of data security breach notices invoking
the risk assessment exemption and that the Secret Service and
FBI report to Congress on the number and nature of data
security breaches subject to the national security and law
enforcement exemptions.
Section 221--Effective date
Subtitle B takes effect 90 days after the date of enactment
of the Personal Data Privacy and Security Act.
TITLE III--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT
Section 301--Budget compliance
Section 301 contains the language required to comply with
the Pay-As-You-Go Act.
IV. Congressional Budget Office Cost Estimate
The Committee sets forth, with respect to the bill, S.
1151, the following estimate and comparison prepared by the
Director of the Congressional Budget Office under section 402
of the Congressional Budget Act of 1974:
October 27, 2011.
Hon. Patrick J. Leahy,
Chairman, Committee on the Judiciary,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 1151, the Personal
Data Privacy and Security Act of 2011.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contacts are Matthew
Pickford (for federal costs), and Marin Randall (for the impact
on the private sector).
Sincerely,
Douglas W. Elmendorf.
Enclosure.
S. 1151--Personal Data Privacy and Security Act of 2011
Summary: S. 1151 would establish new federal crimes
relating to unauthorized access to sensitive personal
information. The bill also would require most federal agencies
and businesses that collect, transmit, store, or use such
personal information to establish a data privacy and security
program and to notify any individuals whose information has
been unlawfully accessed.
Assuming appropriation of the necessary amounts, CBO
estimates that implementing S. 1151 would cost $14 million over
the 2012-2016 period. Enacting S. 1151 could increase civil and
criminal penalties and could affect direct spending by agencies
not funded through annual appropriations; therefore, pay-as-
you-go procedures apply. CBO estimates, however, that any
changes to revenues and net direct spending would be
negligible.
S. 1151 contains intergovernmental mandates as defined in
the Unfunded Mandates Reform Act (UMRA), but CBO estimates that
the cost of complying with the requirements would be small and
would not exceed the threshold established in UMRA ($71 million
in 2011, adjusted annually for inflation).
S. 1151 also would impose several private-sector mandates.
Much of the private sector already complies with many of the
bill's requirements. However, a large number of entities in the
private sector would need to implement new or enhanced security
standards if the bill is enacted. Consequently, CBO estimates
that the aggregate direct cost of the mandates in the bill
would probably exceed the annual threshold established in UMRA
for private-sector mandates ($142 million in 2011, adjusted
annually for inflation) in at least one of the first five years
the mandates are in effect.
Estimated cost to the Federal Government: The estimated
budgetary impact of S. 1151 is shown in the following table.
The costs of this legislation fall within budget functions 050
(national defense), 370 (commerce and housing credit), 750
(administration of justice), 800 (general government), and
other budget functions that contain salaries and expenses.
----------------------------------------------------------------------------------------------------------------
                                          By fiscal year, in millions of dollars--
                                          -------------------------------------------------------
                                          2012   2013   2014   2015   2016   2012-2016
----------------------------------------------------------------------------------------------------------------
                          CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level.........       3      3      3      3      3          15
Estimated Outlays.....................       2      3      3      3      3          14
----------------------------------------------------------------------------------------------------------------
Basis of estimate: For this estimate, CBO assumes that the
bill will be enacted early in 2012, that the necessary amounts
will be provided each year, and that spending will follow
historical patterns for similar programs.
Spending subject to appropriation
Most of the provisions of the bill would codify the current
practices of the federal government regarding data security and
procedures for notifying individuals whose personal information
may have been disclosed. In general, a data breach occurs when
sensitive, protected, or confidential information is copied,
transmitted, viewed, or stolen by someone not authorized to do
so. The federal government is one of the largest providers,
collectors, consumers, and disseminators of personal
information in the United States. Although CBO cannot
anticipate the number or extent of breaches, a significant
breach of security involving a major collector of personal
information, such as the Internal Revenue Service or the Social
Security Administration, could involve millions of individuals
and result in significant costs to notify those individuals of
such a breach. Existing laws generally do not require federal
agencies to notify affected individuals of such security
breaches; however, agencies that have experienced security
breaches have generally provided such notification. Therefore,
CBO expects that codifying this practice would probably not
lead to a significant increase in spending.
The legislation also would require a business entity or
federal agency--under certain circumstances--to notify the
Department of Homeland Security that a security breach has
occurred but would permit entities or agencies to apply to the
federal government for a delay or exemption from the
requirements if the personal data were encrypted or similarly
protected or if notification would threaten national security.
Other provisions of the bill would require the Federal Trade
Commission (FTC) to develop and enforce regulations to
implement the bill's new requirements for data security
programs and policies. Finally, S. 1151 would require federal
agencies to provide several reports to the Congress, which
would include the number and type of data breaches.
Based on information from the Department of Homeland
Security, the Federal Bureau of Investigation, the FTC, and
other agencies with a significant information technology
presence, CBO estimates that additional investigative and
administrative work under the bill would cost about $3 million
annually, subject to the availability of appropriated funds.
Direct spending and revenues
S. 1151 would establish new federal crimes relating to
unauthorized access to sensitive personal information. Enacting
the bill could increase collections of civil and criminal fines
for violations of the bill's provisions. CBO estimates that any
additional collections would not be significant because of the
relatively small number of additional cases likely to result.
Civil fines are recorded as revenues. Criminal fines are
recorded as revenues, deposited in the Crime Victims Fund, and
subsequently spent without further appropriation.
Pay-As-You-Go considerations: The Statutory Pay-As-You-Go
Act of 2010 establishes budget-reporting and enforcement
procedures for legislation affecting direct spending or
revenues. CBO estimates that enacting S. 1151 would have a
negligible effect on direct spending and revenues.
Estimated impact on state, local, and tribal governments:
S. 1151 contains intergovernmental mandates as defined in UMRA
because it would explicitly preempt laws in at least 46 States
regarding the treatment of personal information and impose
notification requirements and limitations on State Attorneys
General. Because the limits on State authority would impose no
duties with costs and because the notification requirements
would result in minimal additional spending, CBO estimates that
the costs of the mandates would be small and would not exceed
the threshold established in UMRA for intergovernmental
mandates ($71 million in 2011, adjusted annually for
inflation).
Estimated impact on the private sector: S. 1151 would
impose several private-sector mandates as defined in UMRA by:
Requiring certain business entities that
handle personally identifiable information for 10,000
or more individuals to establish and maintain a data
privacy and security program;
Requiring any business entity engaged in
interstate commerce to notify individuals if a security
breach occurs in which such individuals' sensitive
personally identifiable information is compromised;
Requiring providers of electronic
communication services to inform any user that
initiated transmission of data on their network if they
become aware of a data breach; and
Limiting existing rights to seek damages
against a person if the only basis for the suit is the
violation of a contractual obligation involving the
use of computers or access to personal information.
The majority of businesses already comply with data
security standards and breach notification procedures similar
to many of the bill's requirements. However, some of the
requirements in the bill would impose new standards for data
maintenance and security on a large number of entities in the
private sector. Consequently, CBO estimates that the aggregate
direct cost of all the mandates in the bill would probably
exceed the annual threshold established in UMRA for private-
sector mandates ($142 million in 2011, adjusted annually for
inflation) in at least one of the first five years the mandates
are in effect.
Data privacy and security requirements
Subtitle A of title II would require businesses engaging in
interstate commerce that involves collecting, accessing,
transmitting, using, storing, or disposing of sensitive
personally identifiable information in electronic or digital
form on 10,000 or more individuals to establish and maintain a
program for data privacy and security. The program would be
designed to protect against both unauthorized access and any
anticipated vulnerabilities. Business entities would be
required to conduct periodic risk assessments to identify such
vulnerabilities and assess possible security risks in
establishing the program. Additionally, businesses would have
to train their employees in implementing the data security
program.
The bill would direct the FTC to develop rules that
identify privacy and security requirements for the business
entities covered under subtitle A. Some businesses would be
exempt from the requirements of subtitle A. Those include
certain financial institutions that are subject to the data
security requirements under the Gramm-Leach-Bliley Act,
entities that are subject to the data security requirements of
the Health Insurance Portability and Accountability Act, and
providers of electronic communications services to the extent
that they are exclusively engaged in the temporary storage,
transmission, or routing of data.
The cost per entity of the data privacy and security
requirements would depend on the rules to be established by the
FTC, the size of the entity, and its current ability to secure,
record, and monitor access to data, as well as on the amount of
sensitive, personally identifiable information maintained by
the entity. The majority of States already have laws requiring
business entities to utilize data security programs, and it is
the current practice of many businesses to use security
measures to protect sensitive data. However, some of the new
standards for data security in the bill could impose additional
costs on a large number of private-sector entities.
For example, under the bill, businesses covered under
subtitle A would be required to enhance their security
standards to include the ability to trace access and
transmission of all records containing sensitive personally
identifiable information. The current industry standard on data
security has not reached that level. According to industry
experts, information on a particular individual can be
collected from several places and, for large companies, can be
accessed by thousands of people from several different
locations. The ability to trace each transaction involving data
containing personally identifiable information would require a
significant enhancement of data management hardware and
software for the majority of businesses. Further, the bill's
definition of sensitive personally identifiable information is
broader than the current industry standard.
This definition would significantly increase the number of
entities that would be required to implement new or enhanced
data security standards. The aggregate cost of implementing
such changes could be substantial.
Notification of security breaches
Subtitle B of title II would require business entities
engaged in interstate commerce that use, access, transmit,
store, dispose of, or collect sensitive personally identifiable
information to notify individuals in the event of a security
breach if the individuals' sensitive, personally identifiable
information is compromised. Entities would be able to notify
individuals using written letters, the telephone, or email. If
a business does not own or license the information, it would
have to notify the owner or licensee of the information
following a breach. A notice in major media outlets serving a
State or jurisdiction also would have to be provided for any
breach of more than 5,000 residents' records within a
particular State. In addition, businesses would be required to
notify other entities and agencies in the event of a large
security breach.
Entities that experience the breach of such data would have
to notify the affected victims and consumer reporting agencies
if the breach involves more than 5,000 individuals. The bill,
however, would exempt business entities from the notification
requirements under certain circumstances.
According to industry sources, the sensitive personally
identifiable information of millions of individuals is
illegally accessed or otherwise breached every year. However,
according to those sources, 46 states already have laws
requiring notification in the event of a security breach. In
addition, it is the standard practice of most business entities
to notify individuals if a security breach occurs. Therefore,
CBO estimates that the notification requirements would not
impose significant additional costs on businesses.
The subtitle also contains a provision requiring providers
of electronic communication services (such as Internet service
providers) to inform the entity that began a transmission of
information using their systems if they become aware that a
breach of sensitive personally identifiable information has
occurred. This would constitute a mandate on those service
providers. The cost to inform business entities of a breach
would probably be small.
Elimination of existing rights of action
Title I would eliminate certain existing rights of action
against individuals for violating contractual agreements
involving the use of computers or access to personal
information. Currently, a lawsuit may be filed against an
individual for exceeding authorized access (obtaining or
altering information without the proper authorization) and
computer fraud if that individual violates the terms of a
related contractual agreement. The bill would eliminate any
right of action alleging someone has exceeded authorized access
or committed computer fraud when the only basis for the suit is
the violation of a related agreement. Because there are few
such cases, CBO estimates that the cost of the mandate would be
minimal.
Estimate prepared by: Federal costs: Department of Homeland
Security--Jason Wheelock; Federal Trade Commission--Susan
Willie; U.S. Secret Service--Mark Grabowicz; Other Federal
agencies--Matthew Pickford.
Impact on State, local, and Tribal Governments: Elizabeth
Cove Delisle.
Impact on the private sector: Marin Randall.
Estimate approved by: Theresa Gullo, Deputy Assistant
Director for Budget Analysis.
V. Regulatory Impact Evaluation
In compliance with rule XXVI of the Standing Rules of the
Senate, the Committee finds that no significant regulatory
impact will result from the enactment of S. 1151.
VI. Conclusion
The Personal Data Privacy and Security Act of 2011, S.
1151, provides greatly needed privacy protections to American
consumers and businesses, to ensure that all Americans have the
tools necessary to protect themselves from identity theft and
other data security risks. This legislation will also ensure
that the most effective mechanisms and technologies for dealing
with the underlying problem of lax data security are
implemented by the Nation's businesses to help prevent data
breaches from occurring in the first place. The passage and
enactment of this important privacy legislation is long
overdue.
VII. Additional and Minority Views
ADDITIONAL VIEWS FROM SENATOR COONS
I was pleased to support the Personal Data Privacy and
Security Act of 2011, which will bolster the security of
sensitive personal data held by companies and improve notice to
consumers in the event of a data breach. In this age of digital
commerce, the stakes surrounding data security are high and
will only increase. This legislation will help promote consumer
trust and corporate accountability.
As I mentioned during Committee consideration, I believe
the bill could be further improved if the preemption standards
were strengthened. In particular, I believe it is
counterproductive to subject banks and financial services
entities already regulated under the Gramm-Leach-Bliley Act to
a patchwork of differing or conflicting state laws governing
data breach and consumer notice. Accordingly, as this bill
moves forward to full Senate consideration, I will work to
ensure that the preemption provisions in S. 1151 are broadened
to establish uniform preemption of state laws where Congress
has established a national regime for data security and breach
notification.
Christopher A. Coons.
MINORITY VIEWS FROM SENATORS GRASSLEY, KYL, SESSIONS, GRAHAM, CORNYN,
AND COBURN
This legislation seeks a solution to a real problem, but it
fails to deliver. Protecting an individual's sensitive personal
identifying information, recognizing vulnerabilities to
information and providing notification when a breach of
information has occurred must be addressed. We support a clear,
uniform, national standard that directs when notice to
consumers and law enforcement should be provided. Consumers
should have access to alerts identifying threats that pose a
significant risk of identity theft. When appropriate notice is
given, consumers can work with other entities to limit risk and
protect their identity. This also means that businesses will
possess the ability to minimize risk and protect their
consumers' sensitive personal information from any further
threats.
Yet at the same time, we must not numb a consumer's senses
to risk notification. Legislation should not encourage or
foster an environment where the default response from a
business is to always issue notice. Requiring notice for
trivial security incidents will lead to over-notification,
which in turn will create broad apathy as consumers are
inundated with inconsequential warnings. Moreover, the security
breach that does threaten an individual's identity may be
ignored. While the purpose of this bill is to protect
individuals, the effect will be the exact opposite as consumers
will suffer due to constant notification.
Additionally, the financial and bureaucratic costs
associated with this bill will burden small and medium sized
businesses at exactly the wrong time. We know that excessive
government regulation has a detrimental effect on businesses,
imposing heavy burdens on small business which must comply or
face substantial liability penalties. Such regulations may have
the effect of bankrupting these businesses. During these
difficult economic times and unemployment northward of 9%, this
costly legislation is not prudent.
While we commend the Chairman's efforts on this particular
subject, we cannot support S. 1151 at this time. We believe it
is counterproductive to our shared goal of consumer protection,
as it will lead to consumer over-notification, increased
financial costs due to new regulations, while imposing
excessive liability penalties for failure to comply, ultimately
leading to further job losses throughout the economy.
BACKGROUND
Identity theft is a problem for both consumers and
businesses. This problem intensifies as criminals become
increasingly sophisticated at breaching businesses' security
systems in order to obtain sensitive information. This threat
is not just limited to private business but to the government
as well. Business and government work to understand past and
present incidents so as to prevent future attacks. Law
enforcement at the federal, state and local levels work
together and with private business to enhance controls, protect
information, and improve cooperation should a breach occur.
Private businesses, which ultimately bear the major cost of
fraud resulting from an attack, have spent billions of dollars
to strengthen data security, seeking ways to stop fraud before
it happens.
Underlying the need for a uniform, federal standard is the
expansive growth of State government activity on this matter.
Since 2002, 46 states and the District of Columbia have enacted
laws that seek to prevent identity theft, while requiring
businesses who suffer a data breach to provide notice to
consumers detailing the risk to their sensitive personal
information.\1\ Moreover, the trend continues this year as 14
states have introduced legislation that expands the scope of
the laws, creating new and additional notification requirements
as well as new penalties for those responsible for a breach.\2\
Due to the ever changing differences between the various state
laws, there is a need for a single, uniform, federal standard.
---------------------------------------------------------------------------
\1\National Conference of State Legislatures, State Security Breach
Notification Laws, http://www.ncsl.org/Default.aspx?TabId=13489 (last
visited Oct. 31, 2011).
\2\National Conference of State Legislatures, Security Breach
Legislation 2011, http://www.ncsl.org/default.aspx?tabid=22295 (last
visited Oct. 31, 2011).
---------------------------------------------------------------------------
However, as Congress works to craft legislation we must
ensure there are tools in place to assist consumers in
protecting themselves should a breach occur. It is important
that consumers know when their information is compromised so
they can obtain resources in order to protect themselves. For
notice to be effective, consumers should be notified when their
sensitive personal information is compromised in a way that
jeopardizes their identities. Otherwise, over-notification will
lead to consumer apathy and, therefore, will expose consumers
to greater risk.
MANDATED ``ONE SIZE FITS ALL'' DATA PRIVACY AND SECURITY PROGRAMS
Section 202 of this bill creates a prescriptive, one size
fits all data security program requirement that businesses with
sensitive personal information of more than 5,000 individuals
must follow. Many small businesses, which can easily acquire
data on more than 5,000 individuals, will be unduly burdened,
facing increased compliance costs that may force a small
business to close its doors. Moreover, this burden becomes
greater given the bill's expanded definition of sensitive
personally identifiable information in section 3. Instead, we
believe a more flexible approach should be provided to
businesses, appropriate to the size and nature of the
respective business.
We agree that businesses should have a plan in place to
ensure the safety of sensitive information. Unfortunately,
rather than avoid the pitfalls of over regulation, which is a
legitimate concern to many businesses already facing economic
hardships, this bill adds to the problem. The Congressional
Budget Office recognizes this fact in its cost estimate
contained in this report. It is disappointing that this bill
fails to recognize that there are tremendous differences and
other factors present with various businesses. This bill fails
to take into account those differences in two ways.
First, this bill applies complex requirements from Congress
to all businesses that exceed current industry practices. For
example, over the span of almost seven pages, section 202 lists
detailed requirements for a personal data privacy and security
program that must be implemented. A business must perform risk
assessments, risk management and control, and training and
vulnerability testing, among other requirements. A small
business with one or two employees that finds itself subject
to these requirements must take the time to be sure it is
complying with these requirements; otherwise it will be subject
to exorbitant liability penalties.
In addition to the specific requirements set forth in this
bill, the checklist for compliance is not complete. Section 202
punts to the Federal Trade Commission the authority to add
further, ever changing, requirements for businesses that must
have data privacy and security programs in place. The Federal
Trade Commission, through a routine rulemaking process, can add
``any other administrative, technical, or physical safeguards''
deemed necessary. Again, ever changing rules will unduly burden
small and medium sized businesses that not only must comply
with the congressional requirements, but new requirements from
the federal bureaucracy. The combination of congressional and
agency requirements will unduly harm small businesses.
We recognize, as do others, that increased government
regulation can suppress a business's ability to survive and
grow. As the Congressional Budget Office cost estimate
contained in this report points out, the new requirements in
section 202 go beyond the scope of the security measures many
businesses currently have in place. Imposing new requirements
that exceed the industry standard, coupled with Federal Trade
Commission rulemaking of those requirements and an expansive
definition of sensitive personally identifiable information,
will create substantial costs to businesses already struggling
against over regulation and a weak economy. Before a bill on
this matter becomes law, it is important that the requirements
in section 202 are reexamined in order to avoid what would be a
legislative nightmare for many businesses.
OVER-NOTIFICATION
This bill provides in section 211 a default rule that
notice should always be given to consumers of any breach,
``following the discovery'' of a security breach. Only if after
conducting a risk assessment, under section 212(b), may a
business entity be exempt from providing notice. The burden
that is placed on businesses will inevitably lead to consumer
over-notification. As discussed above, the bill's definition of
sensitive personally identifiable information is broader than
the current industry standard. This means breached information
that otherwise would not previously have required notice due to
its inability to pose a risk of identity theft, will now
require consumer notification. The costs associated with the
risk assessment, which must be coordinated with bureaucrats at
the Federal Trade Commission, will exact a high toll on small
businesses that are not differentiated in any manner from large
businesses. Rather than face high liability penalties for
failure to comply, the result will be simply to provide
notification for trivial incidents that will have the effect of
desensitizing the public, while also punishing the business
which is a victim as well.
The ``safe harbor'' provision in section 212(b) attempts to
limit instances where notification is required. However, the
end result will remain the same due to the way this provision
is drafted. Rather than risk the penalties for failure to
notify, a business will in most instances err on the side of
caution and give notice. Again, the bill's default rule is that
notice should always be given following the discovery of a
security breach. However, an entity can perform a risk
assessment, in consultation with the Federal Trade Commission,
to determine that there is ``no significant risk that a
security breach has resulted in, or will result in, identity
theft, economic loss or harm, or physical harm'' to the
individuals whose personal information was subject to the
breach. Thus, a business must make the determination that in no
instance could there be a significant risk of ``identity theft,
economic loss or harm, or physical harm.'' Rather than play
offense against a breach, a business will always find itself on
defense. The business will try and anticipate several steps
into the future to determine whether to provide notice. This is
an impossible task which renders the risk assessment worthless
as there may always be an unknown and unforeseen risk that
cannot be predicted. A business will therefore do what is in
its best interest, which may not necessarily be in an
individual consumer's best interest, and issue notice whenever
a security incident occurs.
Unfortunately, there is no relief for a weary business
faced with making a determination whether notice is required,
while trying to limit any further security incidents. In order
to perform a risk assessment and take advantage of the safe
harbor, a business must consult with the Federal Trade
Commission, another layer in the bureaucratic minefield, which
must be informed of a business's decision to invoke the safe
harbor following the risk assessment. If the Federal Trade
Commission ``does not indicate, in writing, within 10 business
days from receipt of the decision, that notice should be
given[,]'' then no notice is required. However, it is not
unreasonable to anticipate the exact opposite effect occurring
as a result of this provision. Instead, it is reasonable to
question whether the Federal Trade Commission will be able to
process the potentially high number of risk assessment results
that will inundate its office as a result of this bill's
mandate. This is because the expansive definition of sensitive
personally identifiable information, along with the trigger for
when notice should be provided, will inevitably lead to greater
notification and risk assessment reports. Unless the Federal
Trade Commission operates efficiently and timely when reviewing
risk assessments, then the risk of over-notification will only
continue to rise. An overworked Commission staffer may face a
quickly approaching 10-day deadline and choose to err on the
side of caution and instruct a business to provide notice.
Rather than attempt to limit notification to security
breaches that pose a significant risk of identity theft, S.
1151 will create serious over-notification problems which will
desensitize consumers and lead to widespread apathy. A business
must always give notice unless after performing a risk
assessment in consultation with the Federal Trade Commission it
is determined there is no significant risk of ``identity theft,
economic loss or harm, or physical harm.'' The initial decision
a business will make is whether it is beneficial to jump
through the risk assessment hoops, which will involve dealing
with a federal agency, and instead simply issue notice.
Assuming a business does decide to try and invoke the safe
harbor, it is quite possible that an over-burdened Federal
Trade Commission will simply instruct a business to issue
notice. Rather than placing a default rule that notice must
always be given, unless a risk assessment determines otherwise,
perhaps a better approach would be to require notice only when
there is a significant risk of identity theft. This subtle
burden shifting may work to eliminate all but those
notifications that pose the greatest threat to a consumer's
sensitive personal information.
EXCESSIVE PENALTIES
Another troubling aspect of this bill is its excessive
penalties. Under section 203, businesses that make a mistake in
complying with the requirements of sections 201 and 202 may be
held liable at a rate of ``$5,000 per violation per day while
such violation exists with a maximum of $500,000 per
violation.'' Section 202 imposes no less than seven
requirements on businesses, not counting the numerous
subsections. A mistake in compliance with any one of those
requirements is a potential violation, running at a rate of
$5,000 per day. Moreover, that business would likely be facing
arguments by government attorneys that its conduct was willful
or intentional, thereby deserving an additional penalty of up
to $500,000 more.
Under sections 217 and 218, if a business makes a mistake
in providing notice to a person whose information may have been
compromised, that business will be facing a penalty of
``$11,000 per day per security breach'' up to $1 million. That
business will also be facing arguments by government attorneys
that its conduct was intentional or willful, deserving an
additional penalty of up to $1 million.
The Chairman has made an effort to address the problem of
``stacked damages,'' which existed in the original version of
his bill. The potential for stacked damages increases the
amount of the already excessive penalties. By his manager's
amendment, the Chairman has inserted ``penalty limits'' into
the enforcement sections of the bill. For example, under
section 203, ``the total sum of civil penalties assessed
against a business entity for all violations . . . resulting
from the same or related acts or omissions shall not exceed
$500,000, unless such conduct is found to be willful or
intentional.''
The purpose of these ``penalty limit[ation]'' provisions is
to prevent the situation where a business makes a mistake which
results in it ``violating'' all seven requirements under
section 202 and thereby facing liability at a rate of $35,000
per day, and up to $3.5 million. Under the ``penalty
limit[ation]'' provision, if a business makes multiple
mistakes, as part of the same conduct, it will be facing a
potential penalty of $5,000 per day, up to $500,000. Similarly,
under sections 217 and 218, if a business suffers a security
breach and makes a mistake in notifying ten individuals, whose
information was compromised, that business will be facing
penalties of $11,000 per day, up to $1 million. It will not be
facing a potential penalty of $110,000 per day and up to $10
million.
The ``penalty limit[ation]'' provisions and some of the
other changes made by the Chairman are a step in the right
direction. Hopefully, the changes signal a willingness to
further refine this bill, which covers a significant and
complex issue. However, in its current form, the bill's
penalties remain excessive, especially when applied to small
and medium sized businesses. Many businesses facing these
penalties will be forced into bankruptcy.
Remarkably, during the debate on this bill, the majority
never expressed any concern about bankrupting businesses or
that the businesses facing these excessive penalties are
victims of a crime as their computers will have been hacked.
This is a disturbing omission given that as of September 2011,
14 million Americans were unemployed and another 9.3 million
were underemployed.\3\
---------------------------------------------------------------------------
\3\Bureau of Labor Statistics, U.S. Department of Labor, News
Release, ``The Employment Situation--September 2011'' (Oct. 7, 2011)
(available at http://www.bls.gov/news.release/pdf/empsit.pdf) (last
visited Oct. 31, 2011).
---------------------------------------------------------------------------
In addition to facing these excessive penalties, businesses
will be forced to hire defense attorneys, who are well versed
in computer and cybersecurity issues. There are only a handful
of law firms that are fully versed in the subject matter, and
which have the experience and manpower to defend a business in
a lawsuit filed by the Department of Justice, the Federal Trade
Commission and/or State Attorneys General. Those few
multinational or large businesses that might consider defending
themselves will spend money on attorneys, computer experts and
litigation costs, as opposed to hiring new employees and
creating jobs.
Our concerns are not a matter of protecting businesses that
have committed wrongs. We strongly believe that it is important
to protect our citizens from identity theft. However, our
approach must be fair and balanced. And again, it should not be
forgotten that we are talking about businesses that have made a
``mistake'' in complying with this law. Consequently, the
amount of a penalty should be a reasonable deterrent. It should
not be destructive. Indeed, during these difficult economic
times, Congress should be helping businesses to create jobs,
not passing legislation that has the real potential to bankrupt
businesses and kill jobs.
ETHICAL ISSUES
Another troubling aspect of this bill is the fact that it
allows State Attorneys General to hire private law firms on a
contingency fee basis to enforce it. This raises serious
ethical concerns. A neutral and impartial government is a
fundamental requirement for due process. Employing trial
lawyers on a contingency fee basis will result in governmental
power being wielded by lawyers primarily interested in
benefiting themselves, rather than in doing justice. At the
very minimum, the appearance of State Attorneys General handing
out valuable contracts with a chance for private attorneys to
receive contingency fees is disconcerting. As former Alabama
Attorney General Bill Pryor (now a judge on the U.S. Court of
Appeals for the Eleventh Circuit) once explained, ``[t]hese
[contingency] contracts . . . create the potential for
outrageous windfalls or even outright corruption for political
supporters of the officials who negotiated the contracts.''\4\
---------------------------------------------------------------------------
\4\William H. Pryor, Jr., Curbing the Abuses of Government Lawsuits
Against Industries, Speech Before the American Legislative Exchange
Council, Aug. 11, 1999, at 8.
---------------------------------------------------------------------------
Personal financial interest should not affect the judgment
of an attorney representing the government. The faith and trust
of the public in the government's fair and impartial use of its
powers is critical to our system of government. Accordingly, an
attorney who represents the government must be neutral and
impartial, with no personal or financial stake in the case.
Neutral and impartial justice is not merely a goal. It is a
matter of well-established federal and state law. An Executive
Order forbids the federal government from hiring private
attorneys on a contingency basis.\5\ Also, 28 U.S.C. Sec. 528
disqualifies any employee of the Department of Justice from
participating in a case that may result in a personal, financial,
or political conflict of interest, or the appearance thereof.
---------------------------------------------------------------------------
\5\Exec. Order No. 13433, 72 Fed. Reg. 28441 (May 16, 2007).
---------------------------------------------------------------------------
The practice of hiring trial lawyers on a contingency fee
basis should be ended altogether and it certainly should not be
extended into this new law. Accordingly, Senator Grassley
offered Amendment ALB11646 to the bill. That amendment would
have prohibited State Attorneys General from hiring private law
firms on a contingency fee basis to enforce this new federal
law. Contrary to the claims of the majority, this issue is not
a matter of states' rights. Nor is it a question of states with
budget problems needing to hire trial lawyers on a contingent
fee basis.
This issue is a matter of basic and fundamental ethics and
it is a matter of due process. The focus of this bill should be
about creating a reasonable national standard to protect
Americans from identity theft. It should not be about creating
revenue for trial lawyers. Senator Grassley's amendment should
have been adopted.
MULTIPLE LAWSUITS
Another concern with the enforcement provisions is the
likelihood that they will breed multiple lawsuits against
businesses, which are all based on the same mistake or conduct.
Specifically, under the bill as introduced, a business could
have been subjected to lawsuits by the Department of Justice or
the Federal Trade Commission and anywhere between one and fifty
State Attorneys General. No small or medium size business
could defend against that onslaught, let alone survive it.
The Chairman's manager's amendment begins to address this
problem by providing that if the Department of Justice or
Federal Trade Commission commences an enforcement action, ``no
attorney general of a State may bring an action for a violation
. . . that resulted from the same or related acts or omissions
against a defendant named in the Federal criminal proceeding or
civil action. . . .'' The purpose of this provision is to
prevent businesses from having to defend against lawsuits by
both the Federal and State governments. If there is an
enforcement action, there should only be one lawsuit and
preferably, it should be a federal enforcement action.
These provisions in sections 203 and 218 of the bill are a
step in the right direction. To fully address the issue, the
bill should be amended to also require state lawsuits to be
withdrawn with prejudice, if the Department of Justice or
Federal Trade Commission commences an enforcement action after
one or more State Attorneys General files a lawsuit. In the
end, all of the concerns about the enforcement and liability
provisions are well-founded and must be resolved before we can
support this bill.
To further address multiple lawsuits, this bill amends the
Computer Fraud and Abuse Act to bar civil claims and criminal
charges resulting from a violation of a ``Term of Service
Agreement'' with a non-government employer. This amendment is
intended to bar all contract-based CFAA litigation, except when
based on a government employment contract, while allowing the
Department of Justice to bring charges under 18 U.S.C. 1030
when based on other evidence.
CRIMINAL PROVISIONS
The bill does establish a new criminal offense for damage
to a critical infrastructure computer system such as electrical
power grids, water supply systems and nuclear power plants.
Unfortunately, the majority report blatantly mischaracterizes
the provision of the bill passed by the Committee, which
includes an amendment Senator Grassley offered that imposes a
mandatory minimum sentence of three years' imprisonment for the
newly created crime of aggravated damage to a critical
infrastructure computer. The majority, while noting that the
Chairman opposed the mandatory minimum, fails to mention that
the President himself included that mandatory minimum in the
cyber-security bill he proposed to the Congress earlier this
year.
The Chairman's original draft of S. 1151 removed the
President's proposed mandatory minimum for a violation of
aggravated damage to a critical infrastructure computer.
Senator Grassley offered his amendment to recognize the serious
nature of a cyber-attack damaging critical infrastructure and
restore the mandatory minimum in line with the President's
proposal. Furthermore, during Associate Deputy Attorney General
James A. Baker's testimony, in his appearance before the
Committee on September 7, 2011, he explicitly endorsed, on
behalf of the DOJ, the three-year mandatory minimum.
Thus, in support of the President and with DOJ's
endorsement, the Committee voted in favor of the Grassley
amendment by a vote of 11-7. In an attempt to diminish the
significance of this vote, the majority characterizes the 7
votes in opposition to the amendment as ``bi-partisan,''
because one Republican member voted against it. It is far more
noteworthy, however, that four members of the Chairman's party
agreed with Senator Grassley and his Republican colleagues.
CONCLUSION
Protecting an individual's sensitive personally
identifiable information is of the utmost importance. However,
this must be done in a way that will ensure individuals are
notified when there are actual threats to their identity.
Unfortunately, this bill fails to accomplish this goal as
individuals will find their email inboxes full every morning
with notifications of security incidents that a business issues
for fear of violating one of the requirements in this bill. The
prescriptive regulation and high penalties will likely end up
forcing some businesses to shut their doors. As drafted, this
bill punishes businesses, while providing no real benefit for
consumers.
Charles E. Grassley.
Jon Kyl.
Jeff Sessions.
Lindsey Graham.
John Cornyn.
Tom Coburn.
VIII. Changes to Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
material is printed in italic, existing law in which no change
is proposed is shown in roman):
UNITED STATES CODE
TITLE 18--CRIMES AND CRIMINAL PROCEDURE
PART I--CRIMES
* * * * * * *
CHAPTER 47--FRAUD AND FALSE STATEMENTS
* * * * * * *
1001. Statements or entries generally
1002. Possession of false papers to defraud United States
1003. Demands against the United States
1004. Certification of checks
1005. Bank entries, reports and transactions
1006. Federal credit institution entries, reports and transactions
1007. Federal Deposit Insurance Corporation transactions
1010. Department of Housing and Urban Development and Federal Housing
Administration transactions
1011. Federal land bank mortgage transactions
1012. Department of Housing and Urban Development transactions
1013. Farm loan bonds and credit bank debentures
1014. Loan and credit applications generally; renewals and discounts;
crop insurance
1015. Naturalization, citizenship and alien registry
1016. Acknowledgement of appearance or oath
1017. Government seals wrongfully used and instruments wrongfully sealed
1018. Official certificates or writings
1019. Certificates by consular officers
1020. Highway projects
1021. Title records
1022. Delivery of certificate, voucher, receipt for military or naval
property
1023. Insufficient delivery of money or property for military or naval
service
1024. Purchase or receipt of military, naval, or veterans facilities
property
1025. False pretenses on high seas and other waters
1026. Compromise, adjustment, or cancellation of farm indebtedness
1027. False statements and concealment of facts in relation to documents
required by the Employee Retirement Income Security Act of
1974
1028. Fraud and related activity in connection with identification
documents, authentication features, and information
1028A. Aggravated identity theft
1029. Fraud and related activity in connection with access devices
1030. Fraud and related activity in connection with computers
1030A. Aggravated damage to a critical infrastructure computer.
1031. Major fraud against the United States
1032. Concealment of assets from conservator, receiver, or liquidating
agent
1033. Crimes by or affecting persons engaged in the business of
insurance whose activities affect interstate commerce
1034. Civil penalties and injunctions for violations of section 1033
1035. False statements relating to health care matters
1036. Entry by false pretenses to any real property, vessel, or aircraft
of the United States or secure area of any airport or seaport
1037. Fraud and related activity in connection with electronic mail
1038. False information and hoaxes
1039. Fraud and related activity in connection with obtaining
confidential phone records information of a covered entity
1040. Fraud in connection with major disaster or emergency benefits
1041. Concealment of security breaches involving sensitive personally
identifiable information
* * * * * * *
SEC. 1030A. AGGRAVATED DAMAGE TO A CRITICAL INFRASTRUCTURE COMPUTER.
(a) Definitions.--In this section--
(1) the terms ``computer'' and ``damage'' have the
meanings given such terms in section 1030; and
(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets
vital to national defense, national security, national
economic security, public health or safety, or any
combination of those matters, whether publicly or
privately owned or operated, including--
(A) gas and oil production, storage, and
delivery systems;
(B) water supply systems;
(C) telecommunication networks;
(D) electrical power delivery systems;
(E) finance and banking systems;
(F) emergency services;
(G) transportation systems and services; and
(H) government operations that provide
essential services to the public
(b) Offense.--It shall be unlawful to, during and in
relation to a felony violation of section 1030, intentionally
cause or attempt to cause damage to a critical infrastructure
computer, and such damage results in (or, in the case of an
attempt, would, if completed have resulted in) the substantial
impairment--
(1) of the operation of the critical infrastructure
computer; or
(2) of the critical infrastructure associated with
the computer.
(c) Penalty.--Any person who violates subsection (b) shall
be fined under this title, imprisoned for not less than 3 years
nor more than 20 years, or both.
(d) Consecutive Sentence.--Notwithstanding any other
provision of law--
(1) a court shall not place on probation any person
convicted of a violation of this section;
(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section
shall run concurrently with any other term of
imprisonment, including any term of imprisonment
imposed on the person under any other provision of law,
including any term of imprisonment imposed for the
felony violation of section 1030;
(3) in determining any term of imprisonment to be
imposed for a felony violation of section 1030, a court
shall not in any way reduce the term to be imposed for
such crime so as to compensate for, or otherwise take
into account, any separate term of imprisonment imposed
or to be imposed for a violation of this section; and
(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the
court at the same time on that person for an additional
violation of this section, provided that such
discretion shall be exercised in accordance with any
applicable guidelines and policy statements issued by
the United States Sentencing Commission pursuant to
section 994 of title 28.
* * * * * * *
SEC. 1041. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE
PERSONALLY IDENTIFIABLE INFORMATION.
* * * * * * *
(a) In General.--Whoever, having knowledge of a security
breach and of the fact that notice of such security breach is
required under title II of the Personal Data Privacy and
Security Act of 2011, intentionally and willfully conceals the
fact of such security breach, shall, in the event that such
security breach results in economic harm to any individual in
the amount of $1,000 or more, be fined under this title or
imprisoned for not more than 5 years, or both.
(b) Person Defined.--For purposes of subsection (a), the
term ``person'' has the same meaning as in section 1030(e)(12)
of title 18, United States Code.
(c) Notice Requirement.--Any person seeking an exemption
under section 212(b) of the Personal Data Privacy and Security
Act of 2011 shall be immune from prosecution under this section
if the Federal Trade Commission does not indicate, in writing,
that such notice be given under section 212(b)(3) of such Act.
* * * * * * *
(a) Whoever--
(1) having knowingly accessed a computer without
authorization or exceeding authorized access, and by
means of such conduct having obtained information that
has been determined by the United States Government
pursuant to an Executive order or statute to require
protection against unauthorized disclosure for reasons
of national defense or foreign relations, or any
restricted data, as defined in paragraph y of section
11 of the Atomic Energy Act of 1954, with reason to
believe that such information so obtained could be used
to the injury of the United States, or to the advantage
of any foreign nation willfully communicates, delivers,
transmits, or causes to be communicated, delivered, or
transmitted, or attempts to communicate, deliver,
transmit or cause to be communicated, delivered, or
transmitted the same to any person not entitled to
receive it, or willfully retains the same and fails to
deliver it to the officer or employee of the United
States entitled to receive it;
(2) intentionally accesses a computer without
authorization or exceeds authorized access, and thereby
obtains--
(A) information contained in a financial
record of a financial institution, or of a card
issuer as defined in section 1602(n) of title
15, or contained in a file of a consumer
reporting agency on a consumer, as such terms
are defined in the Fair Credit Reporting Act
(15 U.S.C. 1681 et seq.);
(B) information from any department or agency
of the United States; or
(C) information from any protected computer;
(3) intentionally, without authorization to access
any nonpublic computer of a department or agency of the
United States, accesses such a computer of that
department or agency that is exclusively for the use of
the Government of the United States or, in the case of
a computer not exclusively for such use, is used by or
for the Government of the United States and such
conduct affects that use by or for the Government of
the United States;
(4) knowingly and with intent to defraud, accesses a
protected computer without authorization, or exceeds
authorized access, and by means of such conduct
furthers the intended fraud and obtains anything of
value, unless the object of the fraud and the thing
obtained consists only of the use of the computer and
the value of such use is not more than $5,000 in any 1-
year period;
(5)(A) knowingly causes the transmission of a
program, information, code, or command, and as a result
of such conduct, intentionally causes damage without
authorization, to a protected computer;
(B) intentionally accesses a protected computer
without authorization, and as a result of such conduct,
recklessly causes damage; or
(C) intentionally accesses a protected computer
without authorization, and as a result of such conduct,
causes damage and loss.
[(6) knowingly and with intent to defraud traffics
(as defined in section 1029) in any password or similar
information through which a computer may be accessed
without authorization, if--
(A) such trafficking affects interstate or
foreign commerce; or
(B) such computer is used by or for the
Government of the United States;]
(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in--
(A) any password or similar information
through which a protected computer as defined
in subparagraphs (A) and (B) of subsection
(e)(2) may be accessed without authorization;
or
(B) any means of access through which a
protected computer as defined in subsection
(e)(2)(A) may be accessed without
authorization;
(7) with intent to extort from any person any money
or other thing of value, transmits in interstate or
foreign commerce any communication containing any--
(A) threat to cause damage to a protected
computer;
(B) threat to obtain information from a
protected computer without authorization or in
excess of authorization or to impair the
confidentiality of information obtained from a
protected computer without authorization or by
exceeding authorized access; or
(C) demand or request for money or other
thing of value in relation to damage to a
protected computer, where such damage was
caused to facilitate the extortion;
shall be punished as provided in subsection (c) of this
section.
(b) Whoever conspires to commit or attempts to commit an
offense under subsection (a) of this section shall be punished
as provided for the completed offense in subsection (c) of this
section.
[(c) The punishment for an offense under subsection (a) or
(b) of this section is--
[(1)(A) a fine under this title or imprisonment for
not more than ten years, or both, in the case of an
offense under subsection (a)(1) of this section which
does not occur after a conviction for another offense
under this section, or an attempt to commit an offense
punishable under this subparagraph; and
[(B) a fine under this title or imprisonment for not
more than twenty years, or both, in the case of an
offense under subsection (a)(1) of this section which
occurs after a conviction for another offense under
this section, or an attempt to commit an offense
punishable under this subparagraph;
[(2)(A) except as provided in subparagraph (B), a
fine under this title or imprisonment for not more than
one year, or both, in the case of an offense under
subsection (a)(2), (a)(3), or (a)(6) of this section
which does not occur after a conviction for another
offense under this section, or an attempt to commit an
offense punishable under this subparagraph;
[(B) a fine under this title or imprisonment for not
more than 5 years, or both, in the case of an offense
under subsection (a)(2), or an attempt to commit an
offense punishable under this subparagraph, if--
[(i) the offense was committed for purposes
of commercial advantage or private financial
gain;
[(ii) the offense was committed in
furtherance of any criminal or tortious act in
violation of the Constitution or laws of the
United States or of any State; or
[(iii) the value of the information obtained
exceeds $5,000; and
[(C) a fine under this title or imprisonment for not
more than ten years, or both, in the case of an offense
under subsection (a)(2), (a)(3) or (a)(6) of this
section which occurs after a conviction for another
offense under this section, or an attempt to commit an
offense punishable under this subparagraph;
[(3)(A) a fine under this title or imprisonment for
not more than five years, or both, in the case of an
offense under subsection (a)(4) or (a)(7) of this
section which does not occur after a conviction for
another offense under this section, or an attempt to
commit an offense punishable under this subparagraph;
and
[(B) a fine under this title or imprisonment for not
more than ten years, or both, in the case of an offense
under subsection (a)(4) or (a)(7) of this section which
occurs after a conviction for another offense under
this section, or an attempt to commit an offense
punishable under this subparagraph;
[(4)(A) except as provided in subparagraphs (E) and
(F), a fine under this title, imprisonment for not more
than 5 years, or both, in the case of--
[(i) an offense under subsection (a)(5)(B),
which does not occur after a conviction for
another offense under this section, if the
offense caused (or, in the case of an attempted
offense, would, if completed, have caused)--
[(I) loss to 1 or more persons during
any 1-year period (and, for purposes of
an investigation, prosecution, or other
proceeding brought by the United States
only, loss resulting from a related
course of conduct affecting 1 or more
other protected computers) aggregating
at least $5,000 in value;
[(II) the modification or impairment,
or potential modification or
impairment, of the medical examination,
diagnosis, treatment, or care of 1 or
more individuals;
[(III) physical injury to any person;
[(IV) a threat to public health or
safety;
[(V) damage affecting a computer used
by or for an entity of the United
States Government in furtherance of the
administration of justice, national
defense, or national security; or
[(VI) damage affecting 10 or more
protected computers during any 1-year
period; or
[(ii) an attempt to commit an offense
punishable under this subparagraph;
[(B) except as provided in subparagraphs (E) and (F),
a fine under this title, imprisonment for not more than
10 years, or both, in the case of--
[(i) an offense under subsection (a)(5)(A),
which does not occur after a conviction for
another offense under this section, if the
offense caused (or, in the case of an attempted
offense, would, if completed, have caused) a
harm provided in subclauses (I) through (VI) of
subparagraph (A)(i); or
[(ii) an attempt to commit an offense
punishable under this subparagraph;
[(C) except as provided in subparagraphs (E) and (F),
a fine under this title, imprisonment for not more than
20 years, or both, in the case of--
[(i) an offense or an attempt to commit an
offense under subparagraphs (A) or (B) of
subsection (a)(5) that occurs after a
conviction for another offense under this
section; or
[(ii) an attempt to commit an offense
punishable under this subparagraph;
[(D) a fine under this title, imprisonment for not
more than 10 years, or both, in the case of--
[(i) an offense or an attempt to commit an
offense under subsection (a)(5)(C) that occurs
after a conviction for another offense under
this section; or
[(ii) an attempt to commit an offense
punishable under this subparagraph;
[(E) if the offender attempts to cause or knowingly
or recklessly causes serious bodily injury from conduct
in violation of subsection (a)(5)(A), a fine under this
title, imprisonment for not more than 20 years, or
both;
[(F) if the offender attempts to cause or knowingly
or recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title,
imprisonment for any term of years or for life, or
both; or
[(G) a fine under this title, imprisonment for not
more than 1 year, or both, for--
[(i) any other offense under subsection
(a)(5); or
[(ii) an attempt to commit an offense
punishable under this subparagraph.]
(c) The punishment for an offense under subsection (a) or
(b) of this section is--
(1) a fine under this title or imprisonment for not
more than 20 years, or both, in the case of an offense
under subsection (a)(1) of this section;
(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3
years, or both, in the case of an offense under
subsection (a)(2); or
(B) a fine under this title or imprisonment for not
more than ten years, or both, in the case of an offense
under paragraph (a)(2) of this section, if--
(i) the offense was committed for purposes of
commercial advantage or private financial gain;
(ii) the offense was committed in the
furtherance of any criminal or tortious act in
violation of the Constitution or laws of the
United States, or of any State; or
(iii) the value of the information obtained,
or that would have been obtained if the offense
was completed, exceeds $5,000;
(3) a fine under this title or imprisonment for not
more than 1 year, or both, in the case of an offense
under subsection (a)(3) of this section;
(4) a fine under this title or imprisonment of not
more than 20 years, or both, in the case of an offense
under subsection (a)(4) of this section;
(5)(A) except as provided in subparagraph (D), a fine
under this title, imprisonment for not more than 20
years, or both, in the case of an offense under
subsection (a)(5)(A) of this section, if the offense
caused--
(i) loss to 1 or more persons during any 1-
year period (and, for purposes of an
investigation, prosecution, or other proceeding
brought by the United States only, loss
resulting from a related course of conduct
affecting 1 or more other protected computers)
aggregating at least $5,000 in value;
(ii) the modification or impairment, or
potential modification or impairment, of the
medical examination, diagnosis, treatment, or
care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety;
(v) damage affecting a computer used by, or
on behalf of, an entity of the United States
Government in furtherance of the administration
of justice, national defense, or national
security; or
(vi) damage affecting 10 or more protected
computers during any 1-year period;
(B) a fine under this title, imprisonment for not
more than 10 years, or both, in the case of an offense
under subsection (a)(5)(B), if the offense caused a
harm provided in clause (i) through (vi) of
subparagraph (A) of this subsection;
(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title,
imprisonment for any term of years or for life, or
both; or
(D) a fine under this title, imprisonment for not
more than 1 year, or both, for another offense under
subsection (a)(5);
(6) a fine under this title or imprisonment for not
more than 10 years, or both, in the case of an offense
under subsection (a)(6) of this section; or
(7) a fine under this title or imprisonment for not
more than 10 years, or both, in the case of an offense
under subsection (a)(7) of this section.
* * * * * * *
(e) As used in this section--
(1) the term ``computer'' means an electronic,
magnetic, optical, electrochemical, or other high speed
data processing device performing logical, arithmetic,
or storage functions, and includes any data storage
facility or communications facility directly related to
or operating in conjunction with such device, but such
term does not include an automated typewriter or
typesetter, a portable hand held calculator, or other
similar device;
(2) the term ``protected computer'' means a
computer--
(A) exclusively for the use of a financial
institution or the United States Government,
or, in the case of a computer not exclusively
for such use, used by or for a financial
institution or the United States Government and
the conduct constituting the offense affects
that use by or for the financial institution or
the Government; or
(B) which is used in or affecting interstate
or foreign commerce or communication, including
a computer located outside the United States
that is used in a manner that affects
interstate or foreign commerce or communication
of the United States;
(3) the term ``State'' includes the District of
Columbia, the Commonwealth of Puerto Rico, and any
other commonwealth, possession or territory of the
United States;
(4) the term ``financial institution'' means--
(A) an institution, with deposits insured by
the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the
Federal Reserve including any Federal Reserve
Bank;
(C) a credit union with accounts insured by
the National Credit Union Administration;
(D) a member of the Federal home loan bank
system and any home loan bank;
(E) any institution of the Farm Credit System
under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the
Securities and Exchange Commission pursuant to
section 15 of the Securities Exchange Act of
1934;
(G) the Securities Investor Protection
Corporation;
(H) a branch or agency of a foreign bank (as
such terms are defined in paragraphs (1) and
(3) of section 1(b) of the International
Banking Act of 1978); and
(I) an organization operating under section
25 or section 25(a) of the Federal Reserve Act;
(5) the term ``financial record'' means information
derived from any record held by a financial institution
pertaining to a customer's relationship with the
financial institution;
(6) the term ``exceeds authorized access'' means to
access a computer with authorization and to use such
access to obtain or alter information in the computer
that the accesser is not entitled so to obtain or
[alter;] alter, but does not include access in
violation of a contractual obligation or agreement,
such as an acceptable use policy or terms of service
agreement, with an Internet service provider, Internet
website, or non-government employer, if such violation
constitutes the sole basis for determining that access
to a protected computer is unauthorized;
(7) the term ``department of the United States''
means the legislative or judicial branch of the
Government or one of the executive departments
enumerated in section 101 of title 5;
(8) the term ``damage'' means any impairment to the
integrity or availability of data, a program, a system,
or information;
(9) the term ``government entity'' includes the
Government of the United States, any State or political
subdivision of the United States, any foreign country,
and any State, province, municipality, or other
political subdivision of a foreign country;
(10) the term ``conviction'' shall include a
conviction under the law of any State for a crime
punishable by imprisonment for more than 1 year, an
element of which is unauthorized access, or exceeding
authorized access, to a computer;
(11) the term ``loss'' means any reasonable cost to
any victim, including the cost of responding to an
offense, conducting a damage assessment, and restoring
the data, program, system, or information to its
condition prior to the offense, and any revenue lost,
cost incurred, or other consequential damages incurred
because of interruption of service; and
(12) the term ``person'' means any individual, firm,
corporation, educational institution, financial
institution, governmental entity, or legal or other
entity.
* * * * * * *
(g)(1) Any person who suffers damage or loss by reason of a
violation of this section may maintain a civil action against
the violator to obtain compensatory damages and injunctive
relief or other equitable relief. A civil action for a
violation of this section may be brought only if the conduct
involves 1 of the factors set forth in subclauses (I), (II),
(III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a
violation involving only conduct described in subsection
(c)(4)(A)(i)(I) are limited to economic damages. No action may
be brought under this subsection unless such action is begun
within 2 years of the date of the act complained of or the date
of the discovery of the damage. No action may be brought under
this subsection for the negligent design or manufacture of
computer hardware, computer software, or firmware.
(2) No action may be brought under this subsection if a
violation of a contractual obligation or agreement, such as an
acceptable use policy or terms of service agreement,
constitutes the sole basis for determining that access to the
protected computer is unauthorized, or in excess of
authorization.
* * * * * * *
[(i)(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition to
any other sentence imposed and irrespective of any provision of
State law, that such person forfeit to the United States--]
[(A) such person's interest in any personal property
that was used or intended to be used to commit or to
facilitate the commission of such violation; and
[(B) any property, real or personal, constituting or
derived from, any proceeds that such person obtained,
directly or indirectly, as a result of such violation.
[(2) The criminal forfeiture of property under this
subsection, any seizure and disposition thereof, and any
judicial proceeding in relation thereto, shall be governed by
the provisions of section 413 of the Comprehensive Drug Abuse
Prevention and Control Act of 1970 (21 U.S.C. 853), except
subsection (d) of that section.]
(i) Criminal Forfeiture.--
(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted
of conspiracy to violate this section, shall order, in
addition to any other sentence imposed and irrespective
of any provision of State law, that such person forfeit
to the United States--
(A) such person's interest in any property,
real or personal, that was used, or intended to
be used, to commit or facilitate the commission
of such violation; and
(B) any property, real or personal,
constituting or derived from any gross
proceeds, or any property traceable to such
property, that such person obtained, directly
or indirectly, as a result of such violation.
(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of
the property, and any related judicial or
administrative proceeding, shall be governed by the
provisions of section 413 of the Comprehensive Drug
Abuse Prevention and Control Act of 1970 (21 U.S.C.
853), except subsection (d) of that section.
[(j) For purposes of subsection (i), the following shall be
subject to forfeiture to the United States and no property
right shall exist in them:
[(1) Any personal property used or intended to be
used to commit or to facilitate the commission of any
violation of this section, or a conspiracy to violate
this section.
[(2) Any property, real or personal, which
constitutes or is derived from proceeds traceable to
any violation of this section, or a conspiracy to
violate this section.]
(j) Civil Forfeiture.--
(1) The following shall be subject to forfeiture to
the United States and no property right, real or
personal, shall exist in them:
(A) Any property, real or personal, that was
used, or intended to be used, to commit or
facilitate the commission of any violation of
this section, or a conspiracy to violate this
section.
(B) Any property, real or personal,
constituting or derived from any gross proceeds
obtained directly or indirectly, or any
property traceable to such property, as a
result of the commission of any violation of
this section, or a conspiracy to violate this
section.
(2) Seizures and forfeitures under this subsection
shall be governed by the provisions in chapter 46 of
title 18, United States Code, relating to civil
forfeitures, except that such duties as are imposed on
the Secretary of the Treasury under the customs laws
described in section 981(d) of title 18, United States
Code, shall be performed by such officers, agents and
other persons as may be designated for that purpose by
the Secretary of Homeland Security or the Attorney
General.
(k) Reporting Certain Criminal Cases.--Not later than 1
year after the date of the enactment of this Act, and annually
thereafter, the Attorney General shall report to the Committee
on the Judiciary of the Senate and the Committee on the
Judiciary of the House of Representatives the number of
criminal cases brought under subsection (a) that involve
conduct in which--
(1) the defendant--
(A) exceeded authorized access to a non-
governmental computer; or
(B) accessed a non-governmental computer
without authorization; and
(2) the sole basis for the Government determining
that access to the non-governmental computer was
unauthorized, or in excess of authorization was that
the defendant violated a contractual obligation or
agreement with a service provider or employer, such as
an acceptable use policy or terms of service agreement.
* * * * * * *
CHAPTER 96--RACKETEER INFLUENCED AND CORRUPT ORGANIZATIONS
* * * * * * *
SEC. 1961. DEFINITIONS.
As used in this chapter--
(1) ``racketeering activity'' means (A) any act or
threat involving murder, kidnapping, gambling, arson,
robbery, bribery, extortion, dealing in obscene matter,
or dealing in a controlled substance or listed chemical
(as defined in section 102 of the Controlled Substances
Act), which is chargeable under State law and
punishable by imprisonment for more than one year; (B)
any act which is indictable under any of the following
provisions of title 18, United States Code: Section 201
(relating to bribery), section 224 (relating to sports
bribery), sections 471, 472, and 473 (relating to
counterfeiting), section 659 (relating to theft from
interstate shipment) if the act indictable under
section 659 is felonious, section 664 (relating to
embezzlement from pension and welfare funds), sections
891-894 (relating to extortionate credit transactions),
section 1028 (relating to fraud and related activity in
connection with identification documents), section 1029
(relating to fraud and related activity in connection
with access devices), section 1030 (relating to fraud
and related activity in connection with computers) if
the act is a felony, section 1084 (relating to the
transmission of gambling information), section 1341
(relating to mail fraud), section 1343 (relating to
wire fraud), section 1344 (relating to financial
institution fraud), section 1425 (relating to the
procurement of citizenship or nationalization
unlawfully), section 1426 (relating to the reproduction
of naturalization or citizenship papers), section 1427
(relating to the sale of naturalization or citizenship
papers), sections 1461-1465 (relating to obscene
matter), section 1503 (relating to obstruction of
justice), section 1510 (relating to obstruction of
criminal investigations), section 1511 (relating to the
obstruction of State or local law enforcement), section
1512 (relating to tampering with a witness, victim, or
an informant), section 1513 (relating to retaliating
against a witness, victim, or an informant), section
1542 (relating to false statement in application and
use of passport), section 1543 (relating to forgery or
false use of passport), section 1544 (relating to
misuse of passport), section 1546 (relating to fraud
and misuse of visas, permits, and other documents),
sections 1581-1592 (relating to peonage, slavery, and
trafficking in persons), section 1951 (relating to
interference with commerce, robbery, or extortion),
section 1952 (relating to racketeering), section 1953
(relating to interstate transportation of wagering
paraphernalia), section 1954 (relating to unlawful
welfare fund payments), section 1955 (relating to the
prohibition of illegal gambling businesses), section
1956 (relating to the laundering of monetary
instruments), section 1957 (relating to engaging in
monetary transactions in property derived from
specified unlawful activity), section 1958 (relating to
use of interstate commerce facilities in the commission
of murder-for-hire), section 1960 (relating to illegal
money transmitters), sections 2251, 2251A, 2252, and
2260 (relating to sexual exploitation of children),
sections 2312 and 2313 (relating to interstate
transportation of stolen motor vehicles), sections 2314
and 2315 (relating to interstate transportation of
stolen property), section 2318 (relating to trafficking
in counterfeit labels for phone records computer
programs or computer program documentation or packaging
and copies of motion pictures or other audiovisual
works), section 2319 (relating to criminal infringement
of a copyright), section 2319A (relating to
unauthorized fixation of and trafficking in sound
recordings and music videos of live musical
performances), section 2320 (relating to trafficking in
goods or services bearing counterfeit marks), section
2321 (relating to trafficking in certain motor vehicles
or motor vehicle parts), sections 2341-2346 (relating
to trafficking in contraband cigarettes), sections
2421-24 (relating to white slave traffic), sections
175-178 (relating to biological weapons), sections 229-
229F (relating to chemical weapons), section 831
(relating to nuclear materials), (C) any act which is
indictable under title 29, United States Code, section
186 (dealing with restrictions on payments and loans to
labor organizations) or section 501(c) (relating to
embezzlement from union funds), (D) any offense
involving fraud connected with a case under title 11
(except a case under section 157 of this title), fraud
in the sale of securities, or the felonious
manufacture, importation, receiving, concealment,
buying, selling, or otherwise dealing in a controlled
substance or listed chemical (as defined in section 102
of the Controlled Substances Act), punishable under any
law of the United States, (E) any act which is
indictable under the Currency and Foreign Transactions
Reporting Act, (F) any act which is indictable under
the Immigration and Nationality Act, section 274
(relating to bringing in and harboring certain aliens),
section 277 (relating to aiding or assisting certain
aliens to enter the United States), or section 278
(relating to importation of alien for immoral purpose)
if the act indictable under such section of such Act
was committed for the purpose of financial gain, or (G)
any act that is indictable under any provision listed
in section 2332b(g)(5)(B);
* * * * * * *