The Committee on the Judiciary, to which was referred
the bill (S. 982) to amend the Computer Fraud and Abuse Act, having considered
the same, reports favorably thereon with an amendment in the nature of
a substitute and recommends that the bill, as amended, do pass.
|II. Legislative history|
|III. Committee action|
|IV. Section-by-section analysis|
|V. Regulatory impact statement|
|VI. Cost estimate|
|VII. Changes in existing law|
The amendment is as follows:
Strike all after the enacting clause and insert the following:
SECTION 1. SHORT TITLE.
This Act may be cited as the "National Information
Infrastructure Protection Act of 1996''.
SEC. 2. COMPUTER CRIME.
Section 1030 of title 18, United States Code, is amended--
(1) in subsection (a)--
(A) in paragraph (1)--
(A) in paragraph (1), by
striking "such subsection'' each place that term appears and inserting
(B) in paragraph (2)--
(3) in subsection (d), by inserting "subsections (a)(2)(A), (a)(2)(B), (a)(3), (a)(4), (a)(5), and (a)(6) of'' before "this section.'';
(4) in subsection (e)--
(A) in paragraph (2)--
(C) in paragraph (7), by
striking the period at the end and inserting"; and''; and
(D) by adding at the end the following new paragraphs:
(5) in subsection (g)--
(B) by striking "of any subsection other than subsection (a)(5)(A)(ii)(II)(bb) or (a)(5)(B)(ii)(II)(bb)'' and inserting "involving damage as defined in subsection (e)(8)(A)''.
The Leahy-Kyl-Grassley amendment to the
National Information Infrastructure (NII) Protection Act, S. 982, would
strengthen the Computer Fraud and Abuse Act, 18 U.S.C. 1030, by closing
gaps in the law to protect better the confidentiality, integrity, and security
of computer data and networks.
The Computer Fraud and Abuse Act was originally enacted in 1984 to provide a clear statement of proscribed activity concerning computers to the law enforcement community, those who own and operate computers and those tempted to commit crimes by unauthorized access to computers. Rather than having to ``boot-strap'' enforcement efforts against computer crime by relying on statutory restrictions designed for other offenses, the Computer Fraud and Abuse statute, 18 U.S.C. 1030, set forth in a single statute computer-related offenses. This first Federal computer crime statute made it a felony to access classified information in a computer without authorization and a misdemeanor to access financial records or credit histories in financial institutions or to trespass into a Government computer.
In succeeding years, the statute has been significantly amended only twice, in 1986 and 1994. In its current form, this statute generally prohibits the unauthorized use of computers to obtain classified or private financial record information, to trespass in Federal Government computers, to commit frauds, or to transmit harmful computer viruses. It also prohibits fraudulent trafficking in computer access passwords. Gaps in coverage remain under this statutory scheme. Specifically, the law provides criminal penalties for persons who, without or in excess of authorization, access any computer to obtain classified information or financial record information from a financial institution or consumer reporting agency, or who access a "Federal interest computer'' to further an intended fraud. A "Federal interest computer'' is defined to include Federal Government and financial institution computers and computers located in different States that are "used in committing the offense.''
The privacy protection coverage of the statute has two significant gaps. First, omitted from the statute's coverage is information on any civilian or State and local government computers, since the prohibition on unauthorized computer access to obtain nonclassified information extends only to computers used by financial institutions or by the Federal Government when the perpetrator is an outsider. The second gap is the significant limitation on the privacy protection given to information held on Federal Government computers. Specifically, the prohibition only applies to outsiders who gain unauthorized access to Federal Government computers, and not to Government employees who abuse their computer access privileges to obtain Government information that may be sensitive and confidential.
Likewise, omitted from the fraud protection coverage of the statute is protection for the loss of computer time resulting from computer trespasses. The 1986 amendments to the statute created the "computer use'' exception to section 1030(a)(4), even though this Committee "agree[d] that lost computer time resulting form repeated or sustained trespasses can reach a level of seriousness sufficient to warrant Federal prosecution.'' Senate Judiciary Committee report No. 99 432, 99th Cong., 2d sess., at p. 10 (1986). At the time of the 1986 amendments, such fraudulent computer usage was considered prosecutable under another section 1030(a)(5), when the lost computer time resulted from intentional damage to the computer.
The current statute also penalizes any person who uses a computer in interstate commerce or communications to cause the transmission of a computer virus or other harmful computer program. Omitted from the coverage of this "computer damage'' provision are Government and financial institution computers not used in interstate communications, such as intrastate local area networks used by Government agencies that contain sensitive and confidential information. Also omitted are computers used in foreign communications or commerce, despite the fact that hackers are often foreign-based. For example, the 1994 intrusion into the Rome Laboratory at Grifess Air Force Base in New York, was perpetrated by a 16-year-old hacker in the United Kingdom. More recently, in March 1996, the Justice Department tracked down a young Argentinean man who had broken into Harvard University's computers from Buenos Aires and used those computers as a staging ground to hack into many other computer sites, including the Defense Department and NASA.
On June 29, 1995, Senators Kyl, Leahy, and Grassley introduced the NII Protection Act, S. 982. At hearings in both the House of Representatives and the Senate, representatives from Federal law enforcement agencies expressed the need for, and their support of, this bill. Specifically, Attorney General Janet Reno discussed the provisions of S. 982 in her October 30, 1995, responses to written questions in connection with the June 27, 1995, Judiciary Committee oversight hearing of the Department of Justice; Federal Bureau of Investigation Director Louis Freeh testified about S. 982 during the February 28, 1996, joint hearing with the Select Committee on Intelligence and the Judiciary Committee on economic espionage; and U.S. Secret Service Deputy Assistant Director of Investigations Robert Rasor testified about S. 982 during the October 11, 1995, hearing of the House Committee on Banking and Financial Services Subcommittee on domestic and International Monetary Policy.
As intended when the law was originally enacted, the Computer Fraud and Abuse statute facilitates addressing in a single statute the problem of computer crime, rather than identifying and amending every potentially applicable statute affected by advances in computer technology. As computers continue to proliferate in businesses and homes, and new forms of computer crimes emerge, Congress must remain vigilant to ensure that the Computer Fraud and Abuse statute is up-to-date and provides law enforcement with the necessary legal framework to fight computer crime. The NII Protection Act will likely not represent the last amendment to this statute, but is necessary and constructive legislation to deal with the current increase in computer crime.
On June 13, 1996, the Committee on the Judiciary first considered the NII Protection Act, S. 982, as an amendment made by Senators Leahy, Kyl, and Grassley to H.R. 1533, a bill to amend title 18, United States Code, to increase the penalty for escaping from a Federal prison. At that time, with a quorum present, by voice vote, the Committee unanimously accepted the Leahy-Kyl-Grassley amendment to H.R. 1533, and unanimously ordered H.R. 1533, so amended, favorably reported.
On August 1, 1996, the Committee on the
Judiciary, with a quorum present, again accepted an amendment in the nature
of a substitute to S. 982 offered by Senator Leahy, on behalf of himself
and Senators Kyl and Grassley. The amendment included the provisions in
the S. 982, as introduced, with one modification. As discussed in more
detail below, the amendment inserted the word ``nonpublic'' before ``computer
of a department or agency'' in section 2(1)(C)(I) of the bill. The Leahy-Kyl-Grassley
amendment was accepted by voice vote, and the Committee, also by voice
vote, then unanimously ordered S. 982, as amended, favorably reported.
DETAILED DISCUSSION OF THE NII PROTECTION ACT
The bill amends five of the prohibited acts in, and adds a new prohibited act to, 18 U.S.C. 1030(a). Each of the amended provisions is discussed below.
and addition to prohibited acts
As amended, section 1030(a)(1) prohibits anyone from knowingly accessing a computer, without, or in excess of, authorization, and obtaining classified national defense, foreign relations information, or restricted data under the Atomic Energy Act, with reason to believe the information could be used to the injury of the United States or the advantage of a foreign country, and willfully communicating, delivering or transmitting, or causing the same, or willfully retaining the information and failing to deliver it to the appropriate Government agent. The amendment specifically covers the conduct of a person who deliberately breaks into a computer without authority, or an insider who exceeds authorized access, and thereby obtains classified information and then communicates the information to another person, or retains it without delivering it to the proper authorities.
Although there is considerable overlap between 18 U.S.C. 793(e) and section 1030(a)(1), as amended by the NII Protection Act, the two statutes would not reach exactly the same conduct. Section 1030(a)(1) would target those persons who deliberately break into a computer to obtain properly classified Government secrets then try to peddle those secrets to others, including foreign governments. In other words, unlike existing espionage laws prohibiting the theft and peddling of Government secrets to foreign agents, section 1030(a)(1) would require proof that the individual knowingly used a computer without authority, or in excess of authority, for the purpose of obtaining classified information. In this sense then, it is the use of the computer which is being proscribed, not the unauthorized possession of, access to, or control over the classified information itself.
(B) Subsection 1030(a)(2)--Protection of financial, Government and other computer information The bill would amend section 1030(a)(2) to increase protection for the privacy and confidentiality of computer information. Section 1030(a)(2) currently gives special protection only to information on the computer systems of financial institutions and consumer reporting agencies, because of their significance to our country's economy and the privacy of our citizens. Yet, increasingly computer systems provide the vital backbone to many other industries, such as transportation, power supply systems, and telecommunications. The bill would amend section 1030(a)(2) and extend its coverage to information held on (1) Federal Government computers and (2) computers used in interstate or foreign commerce on communications, if the conduct involved an interstate or foreign communication.
As amended, section 1030(a)(2) would penalize those
who intentionally access computers without, or in excess of, authorization
to obtain government information and, where appropriate,
information held on private computers. "Information'' as used in this subsection
includes information stored in intangible form. Moreover, the term "obtaining
information'' includes merely reading it. There is no requirement that
the information be copied or transported. This is critically important
because, in an electronic environment, information can be "stolen'' without
asportation, and the original usually remains intact. This interpretation
of "obtaining information'' is consistent with congressional intent expressed
as follows in connection with 1986 amendments to the Computer Fraud and
The seriousness of a breach in confidentiality depends, in considerable part, on the value of the information taken, or on what is planned for the information after it is obtained. Thus, the statutory penalties are structured to provide that obtaining information of minimal value is only a misdemeanor, but obtaining valuable information, or misusing information in other more serious ways, is a felony.
The sentencing scheme for section 1030(a)(2) is part of a broader effort to ensure that sentences for section 1030 violations adequately reflect the nature of the offense. Thus, under the bill, the harshest penalties are reserved for those who obtain classified information that could be used to injure the United States or assist a foreign state. Those who improperly use computers to obtain other types of information--such as financial records, nonclassified Government information, and information of nominal value from private individuals or companies--face only misdemeanor penalties, unless the information is used for commercial advantage, private financial gain or to commit any criminal or tortious act.
For example, individuals who intentionally break into, or abuse their authority to use, a computer and thereby obtain information of minimal value of $5,000 or less, would be subject to a misdemeanor penalty. The crime becomes a felony if the offense was committed for purposes of commercial advantage or private financial gain, for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State, or if the value of the information obtained exceeds $5,000.
The terms "for purposes of commercial advantage or private financial gain'' and ``for the purpose of committing any criminal or tortious act'' are taken from the copyright statute (17 U.S.C. 506(a)) and the wiretap statute (18 U.S.C. 2511(1)(d)), respectively, and are intended to have the same meaning as in those statutes.
Some conduct may violate more than one
subsection of section 1030(a)(2). For example, a particular Government
computer might be covered by both sections 1030(a)(2)(B) and (a)(2)(C).
This overlap serves to eliminate legal issues that may arise if the provisions
were mutually exclusive. Conceivably, in a given case, it may not be clear
whether information taken from a Government contractor's computer constitutes
"information from any department or agency of the United States'' under
section 1030(a)(2)(B), but the offense might still be chargeable under
section 1030(a)(2)(C) if the elements of that subsection are satisfied.
Similarly, there may be some overlap between section 1030(a)(2) and 18
U.S.C. 641 (relating to the theft and conversion of public money, records
or property), but the former does not preempt the latter.
(D) Subsection 1030(a)(4)--Increased penalties for significant unauthorized use of computers The bill amends 18 U.S.C. 1030(a)(4) to ensure that sanctions apply when the fraudulent use of a computer without, or in excess of, authority is significant. The current statute penalizes, with fines and up to 5 years' imprisonment, knowingly accessing a computer with the intent to defraud and by means of such conduct furthering the fraud and obtaining anything of value. This provision contains a "computer use'' exception that exempts fraudulent conduct to obtain only the use of the computer. While every trespass in a computer should not be converted into a felony scheme to defraud, a blanket exception for "computer use'' is too broad. Hackers, for example, have broken into Cray supercomputers for the purpose of running password cracking programs, sometimes amassing computer time worth far more than $5,000. In light of the large expense to the victim caused by some of these trespassing incidents, the amendment would limit the "computer use'' exception to cases where the stolen computer use involved less than $5,000 during any one-year period.
(E) Subsection 1030(a)(5)--Protection from damage to computers The bill amends subsection 1030 (a)(5) to further protect computers and computer systems covered by the statute from damage both by outsiders, who gain access to a computer without authorization, and by insiders, who intentionally damage a computer. The law currently protects computers or computer systems from damage caused by either outside hackers or malicious insiders "through means of a computer used in interstate commerce or communications.'' Senator Leahy was the principal sponsor of the 1994 amendment to subsection 1030(a)(5), which was intended to broaden the reach of the provision by replacing the term "federal interest computer'' with the term "computer used in interstate commerce or communication.'' The latter term is broader because the definition of "federal interest computer'' in section 1030(e)(2)(B) covers a computer "which is one of two or more computers used in committing the offense, not all of which are located in the same State.'' This meant that hackers who attacked other computers in their own State were not subject to Federal jurisdiction, notwithstanding the fact that their actions may have severely affected interstate or foreign commerce. For example, individuals who attack telephone switches may disrupt interstate and foreign calls. The 1994 change remedied that defect. The definition of Federal interest computer, however, actually covered more than simply interstate activity. More specifically, section 1030(e)(2)(A) covered, generically, computers belonging to the U.S. Government or financial institutions, or those used by such entities on a nonexclusive basis if the conduct constituting the offense affected the Government's operation or the financial institution's operation of such computer. By changing section 1030(a)(5) from ``federal interest computer'' to ``computer used in interstate commerce or communication'' in the 1994 amendment, Congress inadvertently eliminated Federal protection for those Government and financial institution computers not used in interstate communications. For example, the integrity and availability of classified information contained in an intrastate local area network may not have been protected under the 1994 version of section 1030(a)(5), although its confidentiality continued to be protected under section 1030(a)(1).
Thus, the current provision falls short of protecting government and financial institution computers from intrusive codes, such as computer "viruses'' or "worms.'' Generally, hacker intrusions that inject "worms'' or "viruses'' into a government or financial institution computer system which is not used in interstate communications is not a Federal offense. The NII Protection Act would change that limitation and extend Federal protection from intentionally damaging viruses to government and financial institution computers, even if they are not used in interstate communications.
Specifically, as amended, subsection 1030(a)(5)(A) would penalize, with a fine and up to 5 years' imprisonment, anyone who knowingly causes the transmission of a program, information, code or command and intentionally causes damage to a protected computer. This would cover anyone who intentionally damages a computer, regardless of whether they were an outsider or an insider otherwise authorized to access the computer. Subsection 1030(a)(5)(B) would penalize, with a fine and up to 5 years' imprisonment, anyone who intentionally accesses a protected computer without authorization and, as a result of that trespass, recklessly causes damage. This would cover outsiders hackers into a computer who recklessly cause damage. Finally, subsection 1030(a)(5)(C) would impose a misdemeanor penalty, of a fine and up to 1 year imprisonment, for intentionally accessing a protected computer without authorization and, as a result of that trespass, causing damage. This would cover outside hackers into a computer who negligently or accidentally cause damage.
In sum, under the bill, insiders, who are authorized to access a computer, face criminal liability only if they intend to cause damage to the computer, not for recklessly or negligently causing damage. By contrast, outside hackers who break into a computer could be punished for any intentional, reckless, or other damage they cause by their trespass.
The rationale for this difference in treatment deserves explanation. Although those who intentionally damage a system, without authority, should be punished regardless of whether they are authorized users, it is equally clear that anyone who knowingly invades a system without authority and causes significant loss to the victim should be punished as well, even when the damage caused is not intentional. In such cases, it is the intentional act of trespass that makes the conduct criminal. To provide otherwise is to openly invite hackers to break into computer systems, safe in the knowledge that no matter how much damage they cause, it is no crime unless that damage was either intentional or reckless. Rather than send such a dangerous message (and deny victims any relief), it is better to ensure that section 1030(a)(5) criminalizes all computer trespass, as well as intentional damage by insiders, albeit at different levels of severity.
The 1994 amendment required both "damage'' and ``loss,'' but it is not always clear what constitutes "damage.'' For example, intruders often alter existing log-on programs so that user passwords are copied to a file which the hackers can retrieve later. After retrieving the newly created password file, the intruder restores the altered log-on file to its original condition. Arguably, in such a situation, neither the computer nor its information is damaged. Nonetheless, this conduct allows the intruder to accumulate valid user passwords to the system, requires all system users to change their passwords, and requires the system administrator to devote resources to resecuring the system. Thus, although there is arguably no "damage,'' the victim does suffer "loss.'' If the loss to the victim meets the required monetary threshold, the conduct should be criminal, and the victim should be entitled to relief.
The bill therefore defines "damage'' in new subsection 1030(e)(8), with a focus on the harm that the law seeks to prevent. As in the past, the term "damage'' will require either significant financial losses under section 1030(e)(8)(A), or potential impact on medical treatment under section 1030(e)(8)(B). The bill addresses two other concerns: causing physical injury to any person under new section 1030(e)(8)(C), and threatening the public health or safety under new section 1030(e)(8)(D). As the NII and other network infrastructures continue to grow, computers will increasingly be used for access to critical services such as emergency response systems and air traffic control, and will be critical to other systems which we cannot yet anticipate. Thus, the definition of "damage'' is amended to be sufficiently broad to encompass the types of harm against which people should be protected. The bill also amends the civil penalty provision under section 1030(g) to be consistent with the amendments to section 1030(a)(5). The amendment to section 1030(g) provides that victims of computer abuse can maintain a civil action against the violator to obtain compensatory damages, injunctive relief, or other equitable relief. Damages are limited to economic damages, unless the defendant violated section 1030(a)(5)(A) or section 1030(a)(5)(B); that is, unless the actor intentionally caused damage, or recklessly caused damage while trespassing in a computer.
(F) Subsection 1030(a)(7)--Protection from threats directed against computers The bill would add a new subsection (a)(7) to section 1030 to address a new and emerging problem of computer-age blackmail. This is a high-tech variation on old fashioned extortion. According to the Department of Justice, threats have been made against computer systems in several instances. One can imagine situations in which hackers penetrate a system, encrypt a database and then demand money for the decoding key. This new provision would ensure law enforcement's ability to prosecute modern-day blackmailers, who threaten to harm or shut down computer networks unless their extortion demands are met.
The Attorney General explained in written responses to questions of
Senator Leahy on October 30, 1995:
The bill amends 18 U.S.C. 1030(c) to increase penalties for those who have previously violated any subsection of section 1030(a). The current statute subjects recidivists to enhanced penalties only if they violated the same subsection twice. For example, a person who violates the current statute by committing fraud by computer under subsection 1030(a)(4) and later commits another computer crime offense by intentionally destroying medical records under subsection 1030(a)(5), is not treated as a recidivist because his conduct violated two separate subsections of section 1030. The amendment provides that anyone who is convicted twice of committing a computer offense under subsection 1030(a) would be subjected to enhanced penalties. The penalty provisions in section 1030(c) are also changed to reflect modifications to the prohibited acts, as discussed above.
(3) Subsection 1030(d)--Jurisdiction of Secret Service
The bill amends subsection 1030(d) to grant the U.S. Secret Service authority to investigate offenses only under subsections (a)(2) (A) and (B), (a)(3), (a)(4), (a)(5) and (a)(6). The current statute grants the Secret Service authority to investigate any offense under section 1030, subject to agreement between the Attorney General and the Secretary of the Treasury. The new crimes proposed in the bill, however, do not fall under the Secret Service's traditional jurisdiction. Specifically, proposed subsection 1030(a)(2)(C) addresses gaps in 18 U.S.C. 2314 (interstate transportation of stolen property), and proposed section 1030(a)(7) addresses gaps in 18 U.S.C. 1951 (the Hobbs Act) and 875 (interstate threats). These statutes are within the jurisdiction of the Federal Bureau of Investigation, which should retain exclusive jurisdiction over these types of offenses, even when they are committed by computer.
(4) Subsection 1030(e)--New definitions
The NII Protection Act strikes the current definition of "Federal interest computer'' and adds new definitions for "protected computer,'' "damage,'' and "government entity.'' The bill would amend subsection 1030(e)(2) by replacing the term "Federal interest computer'' with the ew term "protected computer'' and a new definition. The new definition of "protected computer'' would modify the current description in subsection 1030(e)(2)(A) of computers used by financial institutions or the U.S. Government, to make clear that if the computers are not exclusively used by those entities, the computers are protected if the offending conduct affects the use by or for a financial institution or the Government. The new definition also replaces the current limitation in subsection 1030(e)(2)(B) of "Federal interest computer'' being "one of two or more computers used in committing the offense, not all of which are located in the same State.'' Instead, "protected computer'' would include computers "used in interstate or foreign commerce or communications.'' Thus, hackers who steal information or computer usage from computers in their own State would be subject to this law, under amended section 1030(a)(4), if the requisite damage threshold is met and the computer is used in interstate commerce or foreign commerce or communications. The term "damage'' in new subsection 1030(e)(8), as used in the proposed amendment of subsection 1030(a)(5), would mean any impairment to the integrity or availability of data, information, program or system which (A) causes loss of more than $5,000 during any 1-year period; (B) modifies or impairs the medical examination, diagnosis or treatment of a person; (C) causes physical injury to any person; or (D) threatens the public health or safety. The term "government entity'' in new subsection 1030(e)(9), as used in the new proposed subsection 1030(a)(7), would be defined to include the U.S. Government, any State or political subdivision thereof, any foreign country, and any state, provincial, municipal, or other political subdivision of a foreign country.
(5) Subsection 1030(g)--Civil actions
The bill amends the civil penalty provision in subsection 1030(g) to reflect the proposed changes in subsection 1030(a)(5). The 1994 amendments to the act authorized certain victims of computer abuse to maintain civil actions against violators to obtain compensatory damages, injunctive relief, or other equitable relief, with damages limited to economic damages, unless the violator modified or impaired the medical examination, diagnosis or treatment of a person. Under the bill, damages recoverable in civil actions by victims of computer abuse would be limited to economic losses for violations causing losses of $5,000 or more during any 1-year period. No limit on damages would be imposed for violations that modified or impaired the medical examination, diagnosis or treatment of a person; caused physical injury to any person; or threatened the public health or safety.
Pursuant to paragraph 11(b), rule XXVI
of the Standing Rules of the Senate, the Committee, after due consideration,
concludes that Senate bill 982 will not have direct regulatory impact.
Congressional Budget Office,
Washington, DC, August 6, 1996.
Chairman, Committee on the Judiciary,
U.S. Senate, Washington, DC.
Enacting S. 982 could affect direct spending and receipts. Therefore, pay-as-you-go procedures would apply to this bill. If you wish further details on this estimate, we will be pleased to provide them.
James L. Blum
(For June E. O'Neill).
2. Bill title: National Information Infrastructure Protection Act of 1996.
3. Bill status: As reported by the Senate Committee on the Judiciary on August 2, 1996.
4. Bill purpose: S. 982 would make various amendments to the laws that protect the confidentiality, integrity, and security of computer systems and the information maintained on such systems. In particular, the bill would amend existing statutes relating to five computer-related crimes and would add a new statute making the interstate transmission of threats directed against computers or computer systems a federal crime.
5. Estimated cost to the Federal Government: CBO estimates that enacting S. 982 would not have any significant budgetary impact. Although the legislation could affect direct spending and receipts, we estimate that any such changes would be negligible.
6. Basis of estimate: Based on information from the U.S. Sentencing Commission, CBO expects that enacting S. 982 could increase the number of prosecutions brought by the federal government and could increase governmental receipts from penalties for committing computer-related crimes. Fewer than 50 persons are convicted of existing computer-related crimes each year and CBO does not expect that the caseload under S. 982 would increase significantly. Thus, CBO estimates that the Justice Department would not need significant additional resources to enforce the provisions of the bill. Furthermore, CBO estimates that any increase in prison time served by people prosecuted under the statutes affected by S. 982 would be negligible and that the government would collect less than $500,000 a year in additional fines. Such fines are recorded in the budget as governmental receipts, deposited in the Crime Victims Fund, and spent in the following year. Because the increase in direct spending would be the same as the amount of fines collected with a one-year lag, the additional direct spending also would be less than $500,000 a year.
7. Pay-as-you-go considerations: Section 252 of the Balanced Budget and Emergency Deficit Control Act of 1985 sets up pay-as-you-go procedures for legislation affecting direct spending or receipts through 1998. S. 982 would establish new fines and increase some existing ones. CBO expects that any additional receipts would be negligible and thus the pay-as-you-go impact of this bill, as shown in the following table, also would be negligible.
|Change in outlays||
|Change in receipts||
9. Estimated impact on the private sector: This bill would impose no new private-sector mandates as defined in Public Law 104 4.
10. Previous CBO estimate: On July 25, 1996, CBO transmitted a cost estimate for H.R. 1533, the Sexual Offender Tracking and Identification Act of 1996, as reported by the Senate Committee on the Judiciary on June 13, 1996. Section 13 of H.R. 1533 is identical to S. 982. The other provisions of H.R. 1533, as approved by the Senate Committee on the Judiciary, were not included in S. 982.
11. Estimate prepared by: Federal cost estimate: Susanne S. Mehlman and Stephanie Weiner. Impact on State, local, and tribal governments: Leo Lex. Impact on the private sector: Matthew Eyles.
12. Estimate approved by: Robert A. Sunshine (for Paul N. Van de Water,
Assistant Director for Budget Analysis).
In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, the changes in existing law made by the bill, as reported by the committee, are shown as follows (existing law proposed to be omitted is enclosed in bold brackets, new matter is printed in italic, and existing law with no changes is printed in roman):
UNITED STATES CODE
* * * * * * *
TITLE 18--CRIMES AND CRIMINAL PROCEDURE
* * * * * * *
CHAPTER 47--FRAUD AND FALSE STATEMENTS
* * * * * * *
1030. Fraud and related activity in connection with computers
(4) knowingly and with intent to defraud, accesses a Federal interest protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)(A) through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system if
(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under such subsection this section, or an attempt to commit an offense punishable under this subparagraph; and
(2)(A) a fine under this title or imprisonment for not more than one
year, or both, in the case of an offense under subsection (a)(2), (a)(3),
(a)(5)(C), or (a)(6) of this section which does not occur after a conviction
for another offense under [such subsection] this section, or an attempt
to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(2) if--
(1) the term "computer'' means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
(2) the term Federal interest protected computer means a
(B) which is one of two or more computers used in committing the offense,
not all of which are located in the same State (B) which is used
in interstate or foreign commerce or communication;
(4) the term "financial institution'' means--
(6) the term "exceeds authorized access'' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter; and
(7) the term "department of the United States'' means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5.; and
(8) the term "damage'' means any impairment to the integrity or availability
of data, a program, a system, or information that--
(g) any person who suffers damage or loss by reason of a violation of the section ,other than a violation of subsection (a)(5)(B), may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations of any subsection other than subsection (a)(5)(A)(ii)(II)(bb) or (a)(5)(B)(ii)(II)(bb) involving damage under subsection (e)(8)(A) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.
(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under section 1030(a)(5) of title 18, United States Code.