CFAA Draft Intended to Bring Stakeholders to Table, House Judiciary Says
The House Judiciary Committee is circulating a discussion draft of a bill aimed at modernizing the Computer Fraud and Abuse Act (CFAA), a committee spokeswoman confirmed Tuesday. The aide said the draft was being circulated by staffers “to all stakeholders in an effort to bring everyone to the table to make any necessary changes or improvements to the proposal.” The draft, which would increase criminal financial penalties and jail time for those found guilty of certain computer crimes, was harshly criticized by Demand Progress, an Internet advocacy group founded by the late activist Aaron Swartz, who committed suicide during his prosecution for CFAA violations.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The legislation would increase criminal penalties for those who use computers to commit crimes that cause physical injury, death or threaten public health or safety. The discussion draft creates penalties for attacks against computers that control or manage critical infrastructure systems including gas and oil production, water supply, telecom networks, electrical power, finance, emergency services, transportation and government operations. Penalties would also be increased for computer crimes intended for financial gain, or the theft of information valued at more than $5,000. The bill would create a National Cyber Investigative Joint Task Force, which it said would lead and coordinate the nation’s cyberthreat investigations.
The bill would create new data breach notification requirements for entities which transmit personal information. The legislation would cover most commercial entities that acquire, maintain, store, or utilize personal information, with some exemptions. The discussion draft also includes third-party entities that maintain, store or process data in electronic form on behalf of a covered entity.
The discussion draft is a “giant leap in the wrong direction and demonstrates a disturbing lack of understanding about computers, the Internet and the modern economy,” said Demand Progress Executive Director David Segal. “Already the outdated [CFAA] is used by overzealous lawyers to prosecute routine computer activity,” he said in a news release. “If enacted this proposal could end computer security research in the United States and drive innovation and creativity overseas.”
Demand Progress plans to fight the proposal and “redouble our efforts to educate members of Congress and the general public about the innovation-killing Computer Fraud and Abuse Act,” Segal said. Demand Progress’s Swartz committed suicide in January before his trial for downloading a large archive of subscription academic articles. Rep. Zoe Lofgren, D-Calif., who is also crafting legislation aimed at reforming the CFAA in Swartz’s name, did not immediately respond to our request for comment.