Cybercrime Review: CFAA amendments, new criminal statute proposed in Senator Leahy’s bill

On Wednesday, Senator Patrick Leahy (D-Vt.) introduced the Personal Data Privacy and Security Act of 2014. Senator Leahy’s bill, first introduced back in 2005, intends to "better protect[] Americans from the growing threats of data breaches and identity theft,” according to a press release issued by the Senator.

Included within the bill are amendments to the Computer Fraud and Abuse Act (18 U.S.C. § 1030). Senator Leahy stated that the bill “includes the Obama administration’s proposal [full text] to update the Computer Fraud and Abuse Act, so that attempted computer hacking and conspiracy to commit computer hacking offenses are subject to the same criminal penalties, as the underlying offenses.” The bulk of Senator Leahy’s amendments to the CFAA occur in Title I: Enhancing Punishment for Identity Theft and Other Violations of Data Privacy and Security (Sections 101 through 110). These changes would include adding the CFAA under the Racketeer Influenced and Corrupt Organizations (RICO) Act (Section 101),  maximizing penalties under the CFAA (Section 103), and clarifying that both "conspiracy" and "attempt" to commit a computer hacking offense are subject to the same penalties as completed, substantive offenses (Section 105), just to name a few.

Also added within the bill would be a new criminal statute: 18 U.S.C. § 1041 Concealment of security breaches involving sensitive personally identifiable information. According to Senator Leahy, the new statute would provide "tough criminal penalties for anyone who would intentionally and willfully conceal the fact that a data breach has occurred when the breach causes economic damage to consumers.” According to the section-by-section summary, the new statute would

makes it a crime for a person who knows of a security breach which requires notice to individuals under Title II of this Act, and who is under obligation to provide such notice, to intentionally and willfully conceal the fact of, or information related to, that security breach.So in addition to adding a strict security breach notification law (Section 211 - 221), Senator Leahy's bill would create criminal penalties for intentionally and willfully concealing the security breach or "information realted to" that breach.

Overall, the bill contains a number of amendments that would be of interest to anyone in the information privacy or security field. Senator Leahy has made a section-by-section outline of the bill available, as well as the bill's full text.

http://www.cybercrimereview.com/2014/01/cfaa-amendments-new-criminal-statute.html?m=1