A bill has been introduced in the United States Congress to shore up penalties and provide additional funding for fighting cyber crimes. The bill, HR 2290 in the 110th Congress, expands the scope of 18 USC 1030, entitled “fraud and related activity in connection with computers.” That section provides ramifications, both civil and criminal, for unauthorized computer access. The proposed bill would expand and redefine several portions of 1030 to allow for greater enforcement of cybercrimes.
First, 1030(a)(2) would prevent an unauthorized user from obtaining “(D) a unique electronic identification number, address or routing code, or access device (as defined in section 1029(e)(1)), from a protected computer.” This means that liability would attach if someone accessed your bank account details, social security number or similar electronic identification information via unauthorized access to a protected computer.
The bill also expands the use of full interstate and foreign commerce power for criminal penalties. The current version of 1030 requires that the conduct involve an interstate or foreign communication, which typically requires communications traveling between different states or countries. The bill would amend this provision to require that the communication only “affect” interstate commerce. This expands the applicability of 1030 to communications occurring within the same state, for example.
The proposed legislation also requires that damages or fines shall be any benefits obtained as a result of the conduct. If a hacker stole $10,000 via a protected computer that would be the amount of the fine, in addition to any jail time or other ramifications.
Furthermore, damage affecting ten or more protected computers during any 1-year period would now be actionable, in addition to previous provisions, which required $5,000 or more to one person in one year, or “clear and present dangers” such as personal safety or injury or threats to public safety. This is a particularly good provision because it addresses some of the most prevalent cyber security problems such as phishing, spamming and spyware. Now, if as few as 10 computers are affected in interstate commerce Section 1030 would be a tool against a wrongdoer.
The bill also expressly defines any activity under 1030 to be a “racketeering activity” under RICO, expands liability to conspirators, and expands the cyber extortion provisions of 1030. Finally, the bill provides $10,000,000 to the Director of the United States Secret Service, $10,000,000 to the Attorney General for the Criminal Division of the Department of Justice and $10,000,000 to the Director of the Federal Bureau of Investigation for purposes of stepping up enforcement of cybercrime.
Bottom Line: The proposed Cyber-Security Enhancement Act of 2007 is an excellent bill that would make simple changes to existing law but would allow for powerful new legal tools to combat cyber crime. While presently in the early stages of House consideration Congress would be wise to give this bill the attention that it deserves as it moves through the chambers.