I just read about a new law signed at the end of September, 2008, by U.S. President Bush: H.R. 5983, whose Title II is the “Identity Theft Enforcement and Restitution Act of 2008”.
Basically, it is now easier for law enforcement to punish identity thieves who commit their crimes via computerized methods. And, something new, it specifies that the victim of cybercrime should be awarded money for the damages and time lost as a result of the crime.
Violators are subject to fines and criminal penalties, including jail time up to life in prison.
It is worth pointing out that this law only covers going after cybercriminals and the sanctions they may face. It does not cover how organizations must ensure that appropriate safeguards and security programs are in place.
Here’s the full text (sorry, I didn’t want to take the extra time to make this look pretty)…
“SEC. 201. SHORT TITLE.
This title may be cited as the ‘Identity Theft Enforcement and Restitution Act of 2008’.
SEC. 202. CRIMINAL RESTITUTION.
Section 3663(b) of title 18, United States Code, is amended–
(1) in paragraph (4), by striking ‘; and’ and inserting a semicolon;
(2) in paragraph (5), by striking the period at the end and inserting ‘; and’; and
(3) by adding at the end the following:
‘(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense.’.
SEC. 203. ENSURING JURISDICTION OVER THE THEFT OF SENSITIVE IDENTITY INFORMATION.
Section 1030(a)(2)(C) of title 18, United States Code, is amended by striking ‘if the conduct involved an interstate or foreign communication’.
SEC. 204. MALICIOUS SPYWARE, HACKING AND KEYLOGGERS.
(a) In General- Section 1030 of title 18, United States Code, is amended–
(1) in subsection (a)(5)–
(A) by striking subparagraph (B); and
(B) in subparagraph (A)–
(i) by striking ‘(A)(i) knowingly’ and inserting ‘(A) knowingly’;
(ii) by redesignating clauses (ii) and (iii) as subparagraphs (B) and (C), respectively; and
(iii) in subparagraph (C), as so redesignated–
(I) by inserting ‘and loss’ after ‘damage’; and
(II) by striking ‘; and’ and inserting a period;
(2) in subsection (c)–
(A) in paragraph (2)(A), by striking ‘(a)(5)(A)(iii),’;
(B) in paragraph (3)(B), by striking ‘(a)(5)(A)(iii),’;
(C) by amending paragraph (4) to read as follows:
‘(4)(A) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 5 years, or both, in the case of–
‘(i) an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)–
‘(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
‘(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
‘(III) physical injury to any person;
‘(IV) a threat to public health or safety;
‘(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
‘(VI) damage affecting 10 or more protected computers during any 1-year period; or
‘(ii) an attempt to commit an offense punishable under this subparagraph;
‘(B) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 10 years, or both, in the case of–
‘(i) an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subclauses (I) through (VI) of subparagraph (A)(i); or
‘(ii) an attempt to commit an offense punishable under this subparagraph;
‘(C) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 20 years, or both, in the case of–
‘(i) an offense or an attempt to commit an offense under subparagraphs (A) or (B) of subsection (a)(5) that occurs after a conviction for another offense under this section; or
‘(ii) an attempt to commit an offense punishable under this subparagraph;
‘(D) a fine under this title, imprisonment for not more than 10 years, or both, in the case of–
‘(i) an offense or an attempt to commit an offense under subsection (a)(5)(C) that occurs after a conviction for another offense under this section; or
‘(ii) an attempt to commit an offense punishable under this subparagraph;
‘(E) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for not more than 20 years, or both;
‘(F) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; or
‘(G) a fine under this title, imprisonment for not more than 1 year, or both, for–
‘(i) any other offense under subsection (a)(5); or
‘(ii) an attempt to commit an offense punishable under this subparagraph.’; and
(D) by striking paragraph (5); and
(3) in subsection (g)–
(A) in the second sentence, by striking ‘in clauses (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B)’ and inserting ‘in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i)’; and
(B) in the third sentence, by striking ‘subsection (a)(5)(B)(i)’ and inserting ‘subsection (c)(4)(A)(i)(I)’.
(b) Conforming Changes- Section 2332b(g)(5)(B)(i) of title 18, United States Code, is amended by striking ‘1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v)’ and inserting ‘1030(a)(5)(A) resulting in damage as defined in 1030(c)(4)(A)(i)(II) through (VI)’.
SEC. 205. CYBER-EXTORTION.
Section 1030(a)(7) of title 18, United States Code, is amended to read as follows:
‘(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any–
‘(A) threat to cause damage to a protected computer;
‘(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
‘(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;’.
SEC. 206. CONSPIRACY TO COMMIT CYBER-CRIMES.
Section 1030(b) of title 18, United States Code, is amended by inserting ‘conspires to commit or’ after ‘Whoever’.
SEC. 207. USE OF FULL INTERSTATE AND FOREIGN COMMERCE POWER FOR CRIMINAL PENALTIES.
Section 1030(e)(2)(B) of title 18, United States Code, is amended by inserting ‘or affecting’ after ‘which is used in’.
SEC. 208. FORFEITURE FOR SECTION 1030 VIOLATIONS.
Section 1030 of title 18, United States Code, is amended by adding at the end the following:
‘(i)(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States–
‘(A) such person’s interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation; and
‘(B) any property, real or personal, constituting or derived from, any proceeds that such person obtained, directly or indirectly, as a result of such violation.
‘(2) The criminal forfeiture of property under this subsection, any seizure and disposition thereof, and any judicial proceeding in relation thereto, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section.
‘(j) For purposes of subsection (i), the following shall be subject to forfeiture to the United States and no property right shall exist in them:
‘(1) Any personal property used or intended to be used to commit or to facilitate the commission of any violation of this section, or a conspiracy to violate this section.
‘(2) Any property, real or personal, which constitutes or is derived from proceeds traceable to any violation of this section, or a conspiracy to violate this section’.
SEC. 209. DIRECTIVE TO UNITED STATES SENTENCING COMMISSION.
(a) Directive- Pursuant to its authority under section 994(p) of title 28, United States Code, and in accordance with this section, the United States Sentencing Commission shall review its guidelines and policy statements applicable to persons convicted of offenses under sections 1028, 1028A, 1030, 2511, and 2701 of title 18, United States Code, and any other relevant provisions of law, in order to reflect the intent of Congress that such penalties be increased in comparison to those currently provided by such guidelines and policy statements.
(b) Requirements- In determining its guidelines and policy statements on the appropriate sentence for the crimes enumerated in subsection (a), the United States Sentencing Commission shall consider the extent to which the guidelines and policy statements may or may not account for the following factors in order to create an effective deterrent to computer crime and the theft or misuse of personally identifiable data:
(1) The level of sophistication and planning involved in such offense.
(2) Whether such offense was committed for purpose of commercial advantage or private financial benefit.
(3) The potential and actual loss resulting from the offense including–
(A) the value of information obtained from a protected computer, regardless of whether the owner was deprived of use of the information; and
(B) where the information obtained constitutes a trade secret or other proprietary information, the cost the victim incurred developing or compiling the information.
(4) Whether the defendant acted with intent to cause either physical or property harm in committing the offense.
(5) The extent to which the offense violated the privacy rights of individuals.
(6) The effect of the offense upon the operations of an agency of the United States Government, or of a State or local government.
(7) Whether the offense involved a computer used by the United States Government, a State, or a local government in furtherance of national defense, national security, or the administration of justice.
(8) Whether the offense was intended to, or had the effect of, significantly interfering with or disrupting a critical infrastructure.
(9) Whether the offense was intended to, or had the effect of, creating a threat to public health or safety, causing injury to any person, or causing death.
(10) Whether the defendant purposefully involved a juvenile in the commission of the offense.
(11) Whether the defendant’s intent to cause damage or intent to obtain personal information should be disaggregated and considered separately from the other factors set forth in USSG 2B1.1(b)(14).
(12) Whether the term ‘victim’ as used in USSG 2B1.1, should include individuals whose privacy was violated as a result of the offense in addition to individuals who suffered monetary harm as a result of the offense.
(13) Whether the defendant disclosed personal information obtained during the commission of the offense.
(c) Additional Requirements- In carrying out this section, the United States Sentencing Commission shall–
(1) assure reasonable consistency with other relevant directives and with other sentencing guidelines;
(2) account for any additional aggravating or mitigating circumstances that might justify exceptions to the generally applicable sentencing ranges;
(3) make any conforming changes to the sentencing guidelines; and
(4) assure that the guidelines adequately meet the purposes of sentencing as set forth in section 3553(a)(2) of title 18, United States Code.”