Dueling cybercrime bills: House to focus on breach notifications


The U.S. House of Representatives is unlikely to take up a tough identity theft law passed by the Senate last month before considering a broader measure proposed by the chairman of the House Judiciary Committee, a committee counsel has told SCMagazineUS.com.

While the House Judiciary Committee may hold a hearing on the subject of identity theft before the end of the year, it is not expected to vote this month on the Identity Theft Enforcement and Restitution Act of 2007 (S. 2168), which would permit victims of identity theft to seek compensation and make it easier for federal prosecutors to target individuals deploying botnets, according to Ameer Gopalani, counsel to the Judiciary Committee's Crime, Terrorism and Homeland Security subcommittee.

Gopalani said the focus of the House committee hearing would be H.R. 4175, which was introduced by Judiciary Committee chairman Rep. John Conyers (D.-Mich.) last month, a few days before S. 2168, co-sponsored by Sens. Patrick Leahy (D.-R.I.) and Arlen Specter (R.-Pa.), was passed by unanimous consent in the Senate. The Senate bill was referred to the House Judiciary Committee on December 4.

The Conyers bill, entitled The Privacy and Cybercrime Enforcement Act of 2007, requires companies to provide notice to the U.S. Secret Service or the FBI of major security breaches involving sensitive personally identifiable information. The bill defines a major security breach as involving identification of 10,000 or more individuals, breaches of databases owned by the federal government, or breaches that reveal the identity of federal employees or contractors involved in national security and/or law enforcement.

The Conyers bill imposes a penalty of five years in prison for anyone failing to provide notification of a major breach, and it requires the Secret Service and FBI to publish breach notifications in the Federal Register.

According to Gopalani, H.R. 4175 tracks closely with S. 495, the Personal Data Privacy and Security Act of 2007, an earlier version of S. 2168, which was introduced by Sen. Leahy in February, but not acted on by the Senate. Like the Conyers bill, S. 495 also makes it a federal crime to knowingly conceal security breaches involving unauthorized access to personally identifiable information.

The bill approved by the Senate last month seeks to close a loophole in the current federal criminal law, which sets a $5,000 aggregate damage threshold for prosecuting unauthorized access to computers, but does not facilitate prosecution of bot herders due to the minimal damage they inflict on individual computers. The current law forces prosecutors to identify numerous botnet victims (owners of zombie computers) and tally the damage done to each.

S. 2168 eliminates that monetary threshold and sets the standard as damage affecting 10 or more computers, which should make it much easier for prosecutors to target bot herders. Another provision of the bill would permit prosecution of individuals who steal personal information from a computer located in the same state as the attacker's computer. Today, federal courts' jurisdiction extends only to attacks involving interstate or foreign communication.



See original article on scmagazineus.com
Copyright © SC Magazine, US edition