of the

United States of America

AT THE SECOND SESSION

Begun and held at the City of Washington on Wednesday, the twenty-third day of January, two thousand and two

An Act

To authorize funding for computer and network security research and development and research fellowship programs, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “Cyber Security Research and Development Act”.

SEC. 2. FINDINGS.

The Congress finds the following:

(1) Revolutionary advancements in computing and communications technology have interconnected government, commercial, scientific, and educational infrastructures-including critical infrastructures for electric power, natural gas and petroleum production and distribution, telecommunications, transportation, water supply, banking and finance, and emergency and government services-in a vast, interdependent physical and electronic network.

(2) Exponential increases in interconnectivity have facilitated enhanced communications, economic growth, and the delivery of services critical to the public welfare, but have also increased the consequences of temporary or prolonged failure.

(3) A Department of Defense Joint Task Force concluded after a 1997 United States information warfare exercise that the results “clearly demonstrated our lack of preparation for a coordinated cyber and physical attack on our critical military and civilian infrastructure”.

(4) Computer security technology and systems implementation lack-

(A) sufficient long term research funding;

(B) adequate coordination across Federal and State government agencies and among government, academia, and industry; and

(C) sufficient numbers of outstanding researchers in the field.

(5) Accordingly, Federal investment in computer and network security research and development must be significantly increased to-

(A) improve vulnerability assessment and technological and systems solutions;

(B) expand and improve the pool of information security professionals, including researchers, in the United States workforce; and

(C) better coordinate information sharing and collaboration among industry, government, and academic research projects.

(6) While African-Americans, Hispanics, and Native Americans constitute 25 percent of the total United States workforce and 30 percent of the college-age population, members of these minorities comprise less than 7 percent of the United States computer and information science workforce.

SEC. 3. DEFINITIONS.

In this Act:

(1) DIRECTOR.-The term “Director” means the Director of the National Science Foundation.

(2) INSTITUTION OF HIGHER EDUCATION.-The term “institution of higher education” has the meaning given that term in section 101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a)).

SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH.

(a) COMPUTER AND NETWORK SECURITY RESEARCH GRANTS.-

(1) IN GENERAL.-The Director shall award grants for basic research on innovative approaches to the structure of computer and network hardware and software that are aimed at enhancing computer security. Research areas may include-

(A) authentication, cryptography, and other secure data communications technology;

(B) computer forensics and intrusion detection;

(C) reliability of computer and network applications, middleware, operating systems, control systems, and communications infrastructure;

(D) privacy and confidentiality;

(E) network security architecture, including tools for security administration and analysis;

(F) emerging threats;

(G) vulnerability assessments and techniques for quantifying risk;

(H) remote access and wireless security; and

(I) enhancement of law enforcement ability to detect, investigate, and prosecute cyber-crimes, including those that involve piracy of intellectual property.

(2) MERIT REVIEW; COMPETITION.-Grants shall be awarded under this section on a merit-reviewed competitive basis.

(3) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the National Science Foundation to carry out this subsection-

(A) $35,000,000 for fiscal year 2003;

(B) $40,000,000 for fiscal year 2004;

(C) $46,000,000 for fiscal year 2005;

(D) $52,000,000 for fiscal year 2006; and

(E) $60,000,000 for fiscal year 2007.

(b) COMPUTER AND NETWORK SECURITY RESEARCH CENTERS.-

(1) IN GENERAL.-The Director shall award multiyear grants, subject to the availability of appropriations, to institutions of higher education, nonprofit research institutions, or consortia thereof to establish multidisciplinary Centers for Computer and Network Security Research. Institutions of higher education, nonprofit research institutions, or consortia thereof receiving such grants may partner with 1 or more government laboratories or for-profit institutions, or other institutions of higher education or nonprofit research institutions.

(2) MERIT REVIEW; COMPETITION.-Grants shall be awarded under this subsection on a merit-reviewed competitive basis.

(3) PURPOSE.-The purpose of the Centers shall be to generate innovative approaches to computer and network security by conducting cutting-edge, multidisciplinary research in computer and network security, including the research areas described in subsection (a)(1).

(4) APPLICATIONS.-An institution of higher education, nonprofit research institution, or consortia thereof seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of-

(A) the research projects that will be undertaken by the Center and the contributions of each of the participating entities;

(B) how the Center will promote active collaboration among scientists and engineers from different disciplines, such as computer scientists, engineers, mathematicians, and social science researchers;

(C) how the Center will contribute to increasing the number and quality of computer and network security researchers and other professionals, including individuals from groups historically underrepresented in these fields; and

(D) how the center will disseminate research results quickly and widely to improve cyber security in information technology networks, products, and services.

(5) CRITERIA.-In evaluating the applications submitted under paragraph (4), the Director shall consider, at a minimum-

(A) the ability of the applicant to generate innovative approaches to computer and network security and effectively carry out the research program;

(B) the experience of the applicant in conducting research on computer and network security and the capacity of the applicant to foster new multidisciplinary collaborations;

(C) the capacity of the applicant to attract and provide adequate support for a diverse group of undergraduate and graduate students and postdoctoral fellows to pursue computer and network security research; and

(D) the extent to which the applicant will partner with government laboratories, for-profit entities, other institutions of higher education, or nonprofit research institutions, and the role the partners will play in the research undertaken by the Center.

(6) ANNUAL MEETING.-The Director shall convene an annual meeting of the Centers in order to foster collaboration and communication between Center participants.

(7) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated for the National Science Foundation to carry out this subsection-

(A) $12,000,000 for fiscal year 2003;

(B) $24,000,000 for fiscal year 2004;

(C) $36,000,000 for fiscal year 2005;

(D) $36,000,000 for fiscal year 2006; and

(E) $36,000,000 for fiscal year 2007.

SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK

SECURITY PROGRAMS.

(a) COMPUTER AND NETWORK SECURITY CAPACITY BUILDING GRANTS.-

(1) IN GENERAL.-The Director shall establish a program to award grants to institutions of higher education (or consortia thereof) to establish or improve undergraduate and master’s degree programs in computer and network security, to increase the number of students, including the number of students from groups historically underrepresented in these fields, who pursue undergraduate or master’s degrees in fields related to computer and network security, and to provide students with experience in government or industry related to their computer and network security studies.

(2) MERIT REVIEW.-Grants shall be awarded under this subsection on a merit-reviewed competitive basis.

(3) USE OF FUNDS.-Grants awarded under this subsection shall be used for activities that enhance the ability of an institution of higher education (or consortium thereof) to provide high-quality undergraduate and master’s degree programs in computer and network security and to recruit and retain increased numbers of students to such programs. Activities may include-

(A) revising curriculum to better prepare undergraduate and master’s degree students for careers in computer and network security;

(B) establishing degree and certificate programs in computer and network security;

(C) creating opportunities for undergraduate students to participate in computer and network security research projects;

(D) acquiring equipment necessary for student instruction in computer and network security, including the installation of testbed networks for student use;

(E) providing opportunities for faculty to work with local or Federal Government agencies, private industry, nonprofit research institutions, or other academic institutions to develop new expertise or to formulate new research directions in computer and network security;

(F) establishing collaborations with other academic institutions or academic departments that seek to establish, expand, or enhance programs in computer and network security;

(G) establishing student internships in computer and network security at government agencies or in private industry;

(H) establishing collaborations with other academic institutions to establish or enhance a web-based collection of computer and network security courseware and laboratory exercises for sharing with other institutions of higher education, including community colleges;

(I) establishing or enhancing bridge programs in computer and network security between community colleges and universities; and

(J) any other activities the Director determines will accomplish the goals of this subsection.

(4) SELECTION PROCESS.-

(A) APPLICATION.-An institution of higher education (or a consortium thereof) seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum-

(i) a description of the applicant’s computer and network security research and instructional capacity, and in the case of an application from a consortium of institutions of higher education, a description of the role that each member will play in implementing the proposal;

(ii) a comprehensive plan by which the institution or consortium will build instructional capacity in computer and information security;

(iii) a description of relevant collaborations with government agencies or private industry that inform the instructional program in computer and network security;

(iv) a survey of the applicant’s historic student enrollment and placement data in fields related to computer and network security and a study of potential enrollment and placement for students enrolled in the proposed computer and network security program; and

(v) a plan to evaluate the success of the proposed computer and network security program, including post-graduation assessment of graduate school and job placement and retention rates as well as the relevance of the instructional program to graduate study and to the workplace.

(B) AWARDS.-

(i) The Director shall ensure, to the extent practicable, that grants are awarded under this subsection in a wide range of geographic areas and categories of institutions of higher education, including minority serving institutions.

(ii) The Director shall award grants under this subsection for a period not to exceed 5 years.

(5) ASSESSMENT REQUIRED.-The Director shall evaluate the program established under this subsection no later than 6 years after the establishment of the program. At a minimum, the Director shall evaluate the extent to which the program achieved its objectives of increasing the quality and quantity of students, including students from groups historically underrepresented in computer and network security related disciplines, pursuing undergraduate or master’s degrees in computer and network security.

(6) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the National Science Foundation to carry out this subsection-

(A) $15,000,000 for fiscal year 2003;

(B) $20,000,000 for fiscal year 2004;

(C) $20,000,000 for fiscal year 2005;

(D) $20,000,000 for fiscal year 2006; and

(E) $20,000,000 for fiscal year 2007.

(b) SCIENTIFIC AND ADVANCED TECHNOLOGY ACT OF 1992.-

(1) GRANTS.-The Director shall provide grants under the Scientific and Advanced Technology Act of 1992 (42 U.S.C. 1862i) for the purposes of section 3(a) and (b) of that Act, except that the activities supported pursuant to this subsection shall be limited to improving education in fields related to computer and network security.

(2) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the National Science Foundation to carry out this subsection-

(A) $1,000,000 for fiscal year 2003;

(B) $1,250,000 for fiscal year 2004;

(C) $1,250,000 for fiscal year 2005;

(D) $1,250,000 for fiscal year 2006; and

(E) $1,250,000 for fiscal year 2007.

(c) GRADUATE TRAINEESHIPS IN COMPUTER AND NETWORK SECURITY RESEARCH.-

(1) IN GENERAL.-The Director shall establish a program to award grants to institutions of higher education to establish traineeship programs for graduate students who pursue computer and network security research leading to a doctorate degree by providing funding and other assistance, and by providing graduate students with research experience in government or industry related to the students’ computer and network security studies.

(2) MERIT REVIEW.-Grants shall be provided under this subsection on a merit-reviewed competitive basis.

(3) USE OF FUNDS.-An institution of higher education shall use grant funds for the purposes of-

(A) providing traineeships to students who are citizens, nationals, or lawfully admitted permanent resident aliens of the United States and are pursuing research in computer or network security leading to a doctorate degree;

(B) paying tuition and fees for students receiving traineeships under subparagraph (A);

(C) establishing scientific internship programs for students receiving traineeships under subparagraph (A) in computer and network security at for-profit institutions, nonprofit research institutions, or government laboratories; and

(D) other costs associated with the administration of the program.

(4) TRAINEESHIP AMOUNT.-Traineeships provided under paragraph (3)(A) shall be in the amount of $25,000 per year, or the level of the National Science Foundation Graduate Research Fellowships, whichever is greater, for up to 3 years.

(5) SELECTION PROCESS.-An institution of higher education seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of-

(A) the instructional program and research opportunities in computer and network security available to graduate students at the applicant’s institution; and

(B) the internship program to be established, including the opportunities that will be made available to students for internships at for-profit institutions, nonprofit research institutions, and government laboratories.

(6) REVIEW OF APPLICATIONS.-In evaluating the applications submitted under paragraph (5), the Director shall consider-

(A) the ability of the applicant to effectively carry out the proposed program;

(B) the quality of the applicant’s existing research and education programs;

(C) the likelihood that the program will recruit increased numbers of students, including students from groups historically underrepresented in computer and network security related disciplines, to pursue and earn doctorate degrees in computer and network security;

(D) the nature and quality of the internship program established through collaborations with government laboratories, nonprofit research institutions, and for-profit institutions;

(E) the integration of internship opportunities into graduate students’ research; and

(F) the relevance of the proposed program to current and future computer and network security needs.

(7) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the National Science Foundation to carry out this subsection-

(A) $10,000,000 for fiscal year 2003;

(B) $20,000,000 for fiscal year 2004;

(C) $20,000,000 for fiscal year 2005;

(D) $20,000,000 for fiscal year 2006; and

(E) $20,000,000 for fiscal year 2007.

(d) GRADUATE RESEARCH FELLOWSHIPS PROGRAM SUPPORT.- Computer and network security shall be included among the fields of specialization supported by the National Science Foundation’s Graduate Research Fellowships program under section 10 of the National Science Foundation Act of 1950 (42 U.S.C. 1869).

(e) CYBER SECURITY FACULTY DEVELOPMENT TRAINEESHIP PROGRAM.-

(1) IN GENERAL.-The Director shall establish a program to award grants to institutions of higher education to establish traineeship programs to enable graduate students to pursue academic careers in cyber security upon completion of doctoral degrees.

(2) MERIT REVIEW; COMPETITION.-Grants shall be awarded under this section on a merit-reviewed competitive basis.

(3) APPLICATION.-Each institution of higher education desiring to receive a grant under this subsection shall submit  an application to the Director at such time, in such manner, and containing such information as the Director shall require.

(4) USE OF FUNDS.-Funds received by an institution of higher education under this paragraph shall-

(A) be made available to individuals on a meritreviewed competitive basis and in accordance with the requirements established in paragraph (7);

(B) be in an amount that is sufficient to cover annual tuition and fees for doctoral study at an institution of higher education for the duration of the graduate traineeship, and shall include, in addition, an annual living stipend of $25,000; and

(C) be provided to individuals for a duration of no more than 5 years, the specific duration of each graduate traineeship to be determined by the institution of higher education, on a case-by-case basis.

(5) REPAYMENT.-Each graduate traineeship shall-

(A) subject to paragraph (5)(B), be subject to full repayment upon completion of the doctoral degree according to a repayment schedule established and administered by the institution of higher education;

(B) be forgiven at the rate of 20 percent of the total amount of the graduate traineeship assistance received under this section for each academic year that a recipient is employed as a full-time faculty member at an institution of higher education for a period not to exceed 5 years; and

(C) be monitored by the institution of higher education receiving a grant under this subsection to ensure compliance with this subsection.

(6) EXCEPTIONS.-The Director may provide for the partial or total waiver or suspension of any service obligation or payment by an individual under this section whenever compliance by the individual is impossible or would involve extreme hardship to the individual, or if enforcement of such obligation with respect to the individual would be unconscionable.

(7) ELIGIBILITY.-To be eligible to receive a graduate traineeship under this section, an individual shall-

(A) be a citizen, national, or lawfully admitted permanent resident alien of the United States; and

(B) demonstrate a commitment to a career in higher education.

(8) CONSIDERATION.-In making selections for graduate traineeships under this paragraph, an institution receiving a grant under this subsection shall consider, to the extent possible, a diverse pool of applicants whose interests are of an interdisciplinary nature, encompassing the social scientific as well as the technical dimensions of cyber security.

(9) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the National Science Foundation to carry out this paragraph $5,000,000 for each of fiscal years 2003 through 2007.

SEC. 6. CONSULTATION.

In carrying out sections 4 and 5, the Director shall consult with other Federal agencies.

SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND NETWORK SECURITY.

Section 3(a) of the National Science Foundation Act of 1950 (42 U.S.C. 1862(a)) is amended-

(1) by striking “and” at the end of paragraph (6);

(2) by striking “Congress.” in paragraph (7) and inserting “Congress ; and”; and

(3) by adding at the end the following:

“(8) to take a leading role in fostering and supporting research and education activities to improve the security of networked information systems.”.

SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY  PROGRAMS.

(a) RESEARCH PROGRAM.-The National Institute of Standards and Technology Act (15 U.S.C. 271 et seq.) is amended-

(1) by moving section 22 to the end of the Act and redesignating it as section 32; and

(2) y inserting after section 21 the following new section:

“SEC. 22. RESEARCH PROGRAM ON SECURITY OF COMPUTER SYSTEMS

“(a) ESTABLISHMENT.-The Director shall establish a program of assistance to institutions of higher education that enter into partnerships with for-profit entities to support research to improve the security of computer systems. The partnerships may also include government laboratories and nonprofit research institutions. The program shall-

“(1) include multidisciplinary, long-term research;

“(2) include research directed toward addressing needs identified through the activities of the Computer System Security and Privacy Advisory Board under section 20(f); and

“(3) promote the development of a robust research community working at the leading edge of knowledge in subject areas relevant to the security of computer systems by providing support for graduate students, post-doctoral researchers, and senior researchers.

“(b) FELLOWSHIPS.-

“(1) POST-DOCTORAL RESEARCH FELLOWSHIPS.-The Director is authorized to establish a program to award post-doctoral research fellowships to individuals who are citizens, nationals, or lawfully admitted permanent resident aliens of the United States and are seeking research positions at institutions, including the Institute, engaged in research activities related to the security of computer systems, including the research areas described in section 4(a)(1) of the Cyber Security Research and Development Act.

“(2) SENIOR RESEARCH FELLOWSHIPS.-The Director is authorized to establish a program to award senior research fellowships to individuals seeking research positions at institutions, including the Institute, engaged in research activities related to the security of computer systems, including the research areas described in section 4(a)(1) of the Cyber Security Research and Development Act. Senior research fellowships shall be made available for established researchers at institutions of higher education who seek to change research fields and pursue studies related to the security of computer systems.

“(3) ELIGIBILITY.-

“(A) IN GENERAL.-To be eligible for an award under this subsection, an individual shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require.

“(B) STIPENDS.-Under this subsection, the Director is authorized to provide stipends for post-doctoral research fellowships at the level of the Institute’s Post Doctoral Research Fellowship Program and senior research fellowships at levels consistent with support for a faculty member in a sabbatical position.

“(c) AWARDS; APPLICATIONS.-

“(1) IN GENERAL.-The Director is authorized to award grants or cooperative agreements to institutions of higher education to carry out the program established under subsection (a). No funds made available under this section shall be made available directly to any for-profit partners.

“(2) ELIGIBILITY.-To be eligible for an award under this section, an institution of higher education shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of-

“(A) the number of graduate students anticipated to participate in the research project and the level of support to be provided to each;

“(B) the number of post-doctoral research positions included under the research project and the level of support to be provided to each;

“(C) the number of individuals, if any, intending to change research fields and pursue studies related to the security of computer systems to be included under the research project and the level of support to be provided to each; and

“(D) how the for-profit entities, nonprofit research institutions, and any other partners will participate in developing and carrying out the research and education agenda of the partnership.

“(d) PROGRAM OPERATION.-

“(1) MANAGEMENT.-The program established under subsection (a) shall be managed by individuals who shall have both expertise in research related to the security of computer systems and knowledge of the vulnerabilities of existing computer systems. The Director shall designate such individuals as program managers.

“(2) MANAGERS MAY BE EMPLOYEES.-Program managers designated under paragraph (1) may be new or existing employees of the Institute or individuals on assignment at the Institute under the Intergovernmental Personnel Act of 1970, except that individuals on assignment at the Institute under the Intergovernmental Personnel Act of 1970 shall not directly manage such employees.

“(3) MANAGER RESPONSIBILITY.-Program managers designated under paragraph (1) shall be responsible for-

“(A) establishing and publicizing the broad research goals for the program;

“(B) soliciting applications for specific research projects to address the goals developed under subparagraph (A);

“(C) selecting research projects for support under the program from among applications submitted to the Institute, following consideration of-

“(i) the novelty and scientific and technical merit of the proposed projects;

“(ii) the demonstrated capabilities of the individual or individuals submitting the applications to successfully carry out the proposed research;

“(iii) the impact the proposed projects will have on increasing the number of computer security researchers;

“(iv) the nature of the participation by for-profit entities and the extent to which the proposed projects address the concerns of industry; and

“(v) other criteria determined by the Director, based on information specified for inclusion in applications under subsection (c); and

“(D) monitoring the progress of research projects supported under the program.

“(4) REPORTS.-The Director shall report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science annually on the use and responsibility of individuals on assignment at the Institute under the Intergovernmental Personnel Act of 1970 who are performing duties under subsection (d).

“(e) REVIEW OF PROGRAM.-

“(1) PERIODIC REVIEW.-The Director shall periodically review the portfolio of research awards monitored by each program manager designated in accordance with subsection (d). In conducting those reviews, the Director shall seek the advice of the Computer System Security and Privacy Advisory Board, established under section 21, on the appropriateness of the research goals and on the quality and utility of research projects managed by program managers in accordance with subsection (d).

“(2) COMPREHENSIVE 5-YEAR REVIEW.-The Director shall also contract with the National Research Council for a comprehensive review of the program established under subsection (a) during the 5th year of the program. Such review shall include an assessment of the scientific quality of the research conducted, the relevance of the research results obtained to the goals of the program established under subsection (d)(3)(A), and the progress of the program in promoting the development of a substantial academic research community working at the leading edge of knowledge in the field. The Director shall submit to Congress a report on the results of the review under this paragraph no later than 6 years after the initiation of the program.

“(f) DEFINITIONS.-In this section:

“(1) COMPUTER SYSTEM.-The term ‘computer system’ has the meaning given that term in section 20(d)(1).

“(2) INSTITUTION OF HIGHER EDUCATION.-The term ‘institution of higher education’ has the meaning given that term in section 101

(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a)).”.

(b) AMENDMENT OF COMPUTER SYSTEM DEFINITION.-Section 20(d)(1)(B)(i) of National Institute of Standards and Technology Act (15 U.S.C. 278g-3(d)(1)(B)(i)) is amended to read as follows:

“(i) computers and computer networks;”.

(c) CHECKLISTS FOR GOVERNMENT SYSTEMS.-

(1) IN GENERAL.-The Director of the National Institute of Standards and Technology shall develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government.

(2) PRIORITIES FOR DEVELOPMENT; EXCLUDED SYSTEMS.- The Director of the National Institute of Standards and Technology may establish priorities for the development of checklists under this paragraph on the basis of the security risks associated with the use of the system, the number of agencies that use a particular system, the usefulness of the checklist to Federal agencies that are users or potential users of the system, or such other factors as the Director determines to be appropriate. The Director of the National Institute of Standards and Technology may exclude from the application of paragraph (1) any computer hardware or software system for which the Director of the National Institute of Standards and Technology determines that the development of a checklist is inappropriate because of the infrequency of use of the system, the obsolescence of the system, or the inutility or impracticability of developing a checklist for the system.

(3) DISSEMINATION OF CHECKLISTS.-The Director of the National Institute of Standards and Technology shall make any checklist developed under this paragraph for any computer hardware or software system available to each Federal agency that is a user or potential user of the system.

(4) AGENCY USE REQUIREMENTS.-The development of a checklist under paragraph (1) for a computer hardware or software system does not-

(A) require any Federal agency to select the specific settings or options recommended by the checklist for the system;

(B) establish conditions or prerequisites for Federal agency procurement or deployment of any such system;

(C) represent an endorsement of any such system by the Director of the National Institute of Standards and Technology; nor

(D) preclude any Federal agency from procuring or deploying other computer hardware or software systems for which no such checklist has been developed.

(d) FEDERAL AGENCY INFORMATION SECURITY PROGRAMS.-

(1) IN GENERAL.-In developing the agencywide information security program required by section 3534(b) of title 44, United States Code, an agency that deploys a computer hardware or software system for which the Director of the National Institute of Standards and Technology has developed a checklist under subsection (c) of this section-

(A) shall include in that program an explanation of how the agency has considered such checklist in deploying that system; and

(B) may treat the explanation as if it were a portion of the agency’s annual performance plan properly classified under criteria established by an Executive Order (within the meaning of section 1115(d) of title 31, United States Code).

(2) LIMITATION.-Paragraph (1) does not apply to any computer hardware or software system for which the National Institute of Standards and Technology does not have responsibility under section 20(a)(3) of the National Institute of Standards and Technology Act (15 U.S.C.278g-3(a)(3)).

SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended by adding at the end the following new subsection:

“(e) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the Secretary $1,060,000 for fiscal year 2003 and $1,090,000 for fiscal year 2004 to enable the Computer System Security and Privacy Advisory Board, established by section 21, to identify emerging issues, including research needs, related to computer security, privacy, and cryptography and, as appropriate, to convene public meetings on those subjects, receive presentations, and publish reports, digests, and summaries for public distribution on those subjects.”.

SEC. 10. INTRAMURAL SECURITY RESEARCH.

Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by redesignating subsection (e) as subsection (f), and by inserting after subsection (d) the following:

“(e) INTRAMURAL SECURITY RESEARCH.-As part of the research activities conducted in accordance with subsection (b)(4), the Institute shall-

“(1) conduct a research program to address emerging technologies associated with assembling a networked computer system from components while ensuring it maintains desired security properties;

“(2) carry out research associated with improving the security of real-time computing and communications systems for use in process control; and

“(3) carry out multidisciplinary, long-term, high-risk research on ways to improve the security of computer systems.”.

SEC. 11. AUTHORIZATION OF APPROPRIATIONS.

There are authorized to be appropriated to the Secretary of Commerce for the National Institute of Standards and Technology-

(1) for activities under section 22 of the National Institute of Standards and Technology Act, as added by section 8 of this Act-

(A) $25,000,000 for fiscal year 2003;

(B) $40,000,000 for fiscal year 2004;

(C) $55,000,000 for fiscal year 2005;

(D) $70,000,000 for fiscal year 2006;

(E) $85,000,000 for fiscal year 2007; and

(2) for activities under section 20(f) of the National Institute of Standards and Technology Act, as added by section 10 of this Act-

(A) $6,000,000 for fiscal year 2003;

(B) (B) $6,200,000 for fiscal year 2004;

(C) $6,400,000 for fiscal year 2005;

(D) $6,600,000 for fiscal year 2006; and

(E) $6,800,000 for fiscal year 2007.

SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND NETWORK SECURITY IN CRITICAL INFRASTRUCTURES.

(a) STUDY.-Not later than 3 months after the date of the enactment of this Act, the Director of the National Institute of Standards and Technology shall enter into an arrangement with the National Research Council of the National Academy of Sciences to conduct a study of the vulnerabilities of the Nation’s network infrastructure and make recommendations for appropriate improvements. The Na-tional Research Council shall-

(1) review existing studies and associated data on the architectural, hardware, and software vulnerabilities and interdependencies in United States critical infrastructure networks;

(2) identify and assess gaps in technical capability for robust critical infrastructure network security and make recommendations for research priorities and resource requirements; and

(3) review any and all other essential elements of computer and network security, including security of industrial process controls, to be determined in the conduct of the study.

(b) REPORT.-The Director of the National Institute of Standards and Technology shall transmit a report containing the results of the study and recommendations required by subsection (a) to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science not later than 21 months after the date of enactment of this Act.

(c) SECURITY.-The Director of the National Institute of Standards and Technology shall ensure that no information that is classified is included in any publicly released version of the report required by this section.

(d) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the Secretary of Commerce for the National Institute of Standards and Technology for the purposes of carrying out this section, $700,000.

SEC. 13. COORDINATION OF FEDERAL CYBER SECURITY RESEARCH AND DEVELOPMENT

The Director of the National Science Foundation and the Director of the National Institute of Standards and Technology shall coordinate the research programs authorized by this Act or pursuant to amendments made by this Act. The Director of the Office of Science and Technology Policy shall work with the Director of the National Science Foundation and the Director of the National Institute of Standards and Technology to ensure that programs authorized by this Act or pursuant to amendments made by this Act are taken into account in any government-wide cyber security research effort.

SEC. 14. OFFICE OF SPACE COMMERCIALIZATION.

Section 8(a) of the Technology Administration Act of 1998 (15 U.S.C. 1511e(a)) is amended by inserting “the Technology Administration of” after “within”.

SEC. 15. TECHNICAL CORRECTION OF NATIONAL CONSTRUCTION SAFETY TEAM ACT.

Section 2(c)(1)(d) of the National Construction Safety Team Act is amended by striking “section 8;” and inserting “section 7;”.

SEC. 16. GRANT ELIGIBILITY REQUIREMENTS AND COMPLIANCE WITH IMMIGRATION LAWS.

(a) IMMIGRATION STATUS.-No grant or fellowship may be awarded under this Act, directly or indirectly, to any individual who is in violation of the terms of his or her status as a nonimmigrant under section 101(a)(15)(F), (M), or (J) of the Immigration and Nationality Act (8 U.S.C. 1101(a)(15)(F), (M), or (J)).

(b) ALIENS FROM CERTAIN COUNTRIES.-No grant or fellowship may be awarded under this Act, directly or indirectly, to any alien from a country that is a state sponsor of international terrorism, as defined under section 306(b) of the Enhanced Border Security and VISA Entry Reform Act (8 U.S.C. 1735(b)), unless the Secretary of State determines, in consultation with the Attorney General and the heads of other appropriate agencies, that such alien does not pose a threat to the safety or national security of the United States.

(c) NON-COMPLYING INSTITUTIONS.-No grant or fellowship may be awarded under this Act, directly or indirectly, to any institution of higher education or non-profit institution (or consortia thereof) that has-

(1) materially failed to comply with the recordkeeping and reporting requirements to receive nonimmigrant students or exchange visitor program participants under section 101(a)(15)(F), (M), or (J) of the Immigration and Nationality Act (8 U.S.C. 1101(a)(15)(F), (M), or (J)), or section 641 of the Illegal Immigration Reform and Responsibility Act of 1996 (8 U.S.C. 1372), as required by section 502 of the Enhanced Border Security and VISA Entry Reform Act (8 U.S.C. 1762); or

(2) been suspended or terminated pursuant to section 502(c) of the Enhanced Border Security and VISA Entry Reform Act (8 U.S.C 1762(c)).

SEC. 17. REPORT ON GRANT AND FELLOWSHIP PROGRAMS.

Within 24 months after the date of enactment of this Act, the Director, in consultation with the Assistant to the President for National Security Affairs, shall submit to Congress a report reviewing this Act to ensure that the programs and fellowships are being awarded under this Act to individuals and institutions of higher education who are in compliance with the Immigration and Nationality Act (8 U.S.C. 1101 et seq.) in order to protect our national security.

Speaker of the House of Representatives.

Vice President of the United States and

President of the Senate.

Computer Fraud and Abuse Act (18 USC 1030)

COMPUTER FRAUD AND ABUSE STATUTE

‘ 1030. Fraud and related activity in connection with computers

(a) Whoever

(1) knowingly accesses a computer without authorization or exceeds authorized access, and by means of such conduct obtains information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(3) intentionally, without authorization to access any computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects the use of the Government’s operation of such computer,

(4) knowingly and with intent to defraud, accesses a Federal interest computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer;

shall be punished as provided in subsection (c) of this section.

(5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby

(A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period; or

(B) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; or

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if

(A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States;

(B) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section. (c) The punishment for an offense under subsection (a) or (b) of this section is

(1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and

(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and

(2)(A) a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(1) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and

(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(5) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and

(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4) or (a)(5) of this section which occurs after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph.

(d) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.

(e) As used in this section

(1) the term “computer” means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

(2) the term “federal interest computer” means a computer (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects the use of the financial institution’s operation or the Government’s operation of such computer; or (B) which is one of two or more computers used in committing the offense, not all of which are located in the same State;

(3) the term “State” includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;

(4) the term “financial institution” means

(A) an institution with deposits insured by the Federal Deposit Insurance Corporation;

(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;

(C) a credit union with accounts insured by the National Credit Union Administration;

(D) a member of the Federal home loan bank system and any home loan bank;

(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;

(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;

(G) the Securities Investor Protection Corporation;

(H) a branch or agency of a foreign bank (as such terrns are defined in paragraphs (1) and (3) of section l (b) of the International Banking Act of 1978); and (I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act.

(5) the term “financial record” means information derived from any record held by a financial institution pertaining to a customer’s relationship with the financial institution;

(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter; and

(7) the term “department of the United States” means the legislative or judicial branch of Government or one of the executive departments enumerated in section 101 of title 5.

(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States. (Added Pub.L. 98-473, Title II, ‘ 2102(a), Oct. 12,1984,98 Stat. 2190, and amended Pub.L.99-474, ‘ 2, Oct. 16,1986, 100 Stat. 1213; Pub.L. 100-690, Title VII, ‘ 7065 Nov. 18, 1988, 102 Stat. 4404; Pub.L. 101-73, Titie IX, ‘ 962(aX5), Aug. 9, 1989 103 Stat. 502- Pub.L. 101-647, Title XII, ‘ 1205(e), Titie XXV, ‘ 2597(j), Title XXXV, ‘ 3533, Nov. 29, 1990, 104 Stat. 4831, 4910, 4925.)

Editorial Notes

References in Text. Reference to “paragraph y of section 11 of the Atomic Energy Act of 1954″, referred to in subsec. (a)(1) is classified to section 2014(y) of Title 42, Public Health and Welfare.

The Fair Credit Reporting Act, referred to in subsec. (a)(2), is Title VI of Pub.L. 90-321 as added by Pub. L. 91-508, Title VI, Oct. 26, 1970, 84 Stat. 1127, which is classified to subchapter III (‘ 1681 et seq.) of chapter 41 of Title 15, Commerce and Trade.

The Farm Credit Act of 1971, referred to in subsec. (e)(4)(E), is Pub.L. 92- 181, Dec. 10, 1971, 85 Stat. 585, as amended, which is classified generally to chapter 23 (section 2001 et seq.) of Title 12, Banks and Banking. For complete classification of this Act to the Code, see Short Title note set out under section 2001 of Title 12 and Tables.

Section 15 of the Securities Exchange Act of 1934, referred to in subsec. (e)(4)(F), is classified to section 78O of Title 15 Commerce and Trade. Section i(b) of the International Banking Act of 1978 referred to in subsec. (e)(4)(H), is classified to section 310i of Title 12, Banks and Banking. Section 25 of the Federal Reserve Act, referred to in subsec. (e)(4)(I), is classified to subchapter I (section 601 et seq.) of chapter 6 of Title 12. Section 25(a) of the Federal Resenre Act, referred to in subsec. (e)(4)(I), is classified to subchapter II (seceion 611 et seq.) of chapter 6 of Title 12. Separability of Provisions. If any provision of Pub.L. 101-73 or the application thereof to any person or circumstance is held invalid, the remainder of Pub.L. 101-73 and the application of the provision to other persons not similarly situated or to other circumstances not to be affected thereby, see section 1221 of Pub.L. 101-73, set out as a note under section 1811 of Title 12, Banks and Banking.

Reports of Prosecutions. Section 2103 of Pub.L. 98-473, Oct. 12, 1984, 98 Stat. 2192, provided: “The Attorney General shall report to the Congress annually, during the first three years following the date of the enactment of this joint resolution [Oct. 12, 1984], concerning prosecutions under the sections of title 18 of the United States Code added by this chapter.”

S.1124

One Hundred Fourth Congress of the United States of America

AT THE SECOND SESSION

Begun and held at the City of Washington on Wednesday,

the third day of January, one thousand nine hundred and ninety-six

An Act

To authorize appropriations for fiscal year 1996 for military

activities of the Department of Defense, for military construction,

and for defense activities of the Department of Energy, to

prescribe personnel strengths for such fiscal year for the Armed

Forces, to reform acquisition laws and information technology

management of the Federal Government, and for other purposes.

Be it enacted by the Senate and House of

Representatives of the United States of America in Congress

assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `National Defense Authorization Act

for Fiscal Year 1996?.

SEC. 2. ORGANIZATION OF ACT INTO DIVISIONS; TABLE OF CONTENTS.

(a) DIVISIONS- This Act is organized into five divisions as

follows:

(1) Division A Department of Defense Authorizations.

(2) Division B Military Construction Authorizations.

(3) Division C Department of Energy National Security

Authorizations and Other Authorizations.

(4) Division D Federal Acquisition Reform.

(5) Division E Information Technology Management Reform.

DIVISION E INFORMATION TECHNOLOGY MANAGEMENT REFORM

Sec. 5001. Short title.

Sec. 5002. Definitions.

TITLE LI RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY

SUBTITLE A GENERAL AUTHORITY

Sec. 5101. Repeal of central authority of the Administrator of

General Services.

SUBTITLE B DIRECTOR OF THE OFFICE OF MANAGEMENT AND BUDGET

Sec. 5111. Responsibility of Director.

Sec. 5112. Capital planning and investment control.

Sec. 5113. Performance-based and results-based management.

SUBTITLE C EXECUTIVE AGENCIES

Sec. 5121. Responsibilities.

Sec. 5122. Capital planning and investment control.

Sec. 5123. Performance and results-based management.

Sec. 5124. Acquisitions of information technology.

Sec. 5125. Agency Chief Information Officer.

Sec. 5126. Accountability.

Sec. 5127. Significant deviations.

Sec. 5128. Interagency support.

SUBTITLE D OTHER RESPONSIBILITIES

Sec. 5131. Responsibilities regarding efficiency, security, and

privacy of Federal computer systems.

Sec. 5132. Sense of Congress.

SUBTITLE E NATIONAL SECURITY SYSTEMS

Sec. 5141. Applicability to national security systems.

Sec. 5142. National security system defined.

TITLE LII PROCESS FOR ACQUISITIONS OF INFORMATION TECHNOLOGY

Sec. 5201. Procurement procedures.

Sec. 5202. Incremental acquisition of information technology.

TITLE LIII INFORMATION TECHNOLOGY ACQUISITION PILOT PROGRAMS

SUBTITLE A CONDUCT OF PILOT PROGRAMS

Sec. 5301. Authority to conduct pilot programs.

Sec. 5302. Evaluation criteria and plans.

Sec. 5303. Report.

Sec. 5304. Recommended legislation.

Sec. 5305. Rule of construction.

SUBTITLE B SPECIFIC PILOT PROGRAMS

Sec. 5311. Share-in-savings pilot program.

Sec. 5312. Solutions-based contracting pilot program.

TITLE LIV ADDITIONAL INFORMATION RESOURCES MANAGEMENT MATTERS

Sec. 5401. On-line multiple award schedule contracting.

Sec. 5402. Identification of excess and surplus computer equipment.

Sec. 5403. Access of certain information in information systems to

the directory established under section 4101 of title 44, United

States Code.

TITLE LV PROCUREMENT PROTEST AUTHORITY OF THE COMPTROLLER GENERAL

Sec. 5501. Period for processing protests.

Sec. 5502. Availability of funds following GAO resolution of

challenge to contracting action.

TITLE LVI CONFORMING AND CLERICAL AMENDMENTS

Sec. 5601. Amendments to title 10, United States Code.

Sec. 5602. Amendments to title 28, United States Code.

Sec. 5603. Amendment to title 31, United States Code.

Sec. 5604. Amendments to title 38, United States Code.

Sec. 5605. Provisions of title 44, United States Code, relating to

paperwork reduction.

Sec. 5606. Amendment to title 49, United States Code.

Sec. 5607. Other laws.

Sec. 5608. Clerical amendments.

TITLE LVII EFFECTIVE DATE, SAVINGS PROVISIONS, AND RULES OF CONSTRUCTION

Sec. 5701. Effective date.

Sec. 5702. Savings provisions.

Sec. 5703. Rules of construction.

SEC. 3. CONGRESSIONAL DEFENSE COMMITTEES DEFINED.

For purposes of this Act, the term `congressional defense

committees’ means

(1) the Committee on Armed Services and the Committee on

Appropriations of the Senate; and

(2) the Committee on National Security and the Committee on

Appropriations of the House of Representatives.

SEC. 4. EXTENSION OF TIME FOR SUBMISSION OF REPORTS.

In the case of any provision of this Act, or any amendment made

by a provision of this Act, requiring the submission of a report to

Congress (or any committee of Congress), that report shall be

submitted not later than the later of

(1) the date established for submittal of the report in such

provision or amendment; or

(2) the date that is 45 days after the date of the enactment

of this Act.

TITLE XIII-CHILDREN’S ONLINE PRIVACY PROTECTION

SEC. 1301. SHORT TITLE.

This title may be cited as the “Children’s Online Privacy Protection Act of 1998″.

SEC. 1302. DEFINITIONS.

In this title:

(1) CHILD.-The term “child” means an individual under the age of 13.

(2) OPERATOR.-The term “operator”-

(A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce-

(i) among the several States or with 1 or more foreign nations;

(ii) in any territory of the United States or in the District of Columbia, or between any such territory and-

(I) another such territory; or

(II) any State or foreign nation; or

(iii) between the District of Columbia and any State, territory, or foreign nation; but

(B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

(3) COMMISSION.-The term “Commission” means the Federal Trade Commission.

(4) DISCLOSURE.-The term “disclosure” means, with respect to personal information-

(A) the release of personal information collected from a child in identifiable form by an operator for any purpose, except where such information is provided to a person other than the operator who provides support for the internal operations of the website and does not disclose or use that information for any other purpose; and

(B) making personal information collected from a child by a website or online service directed to children or with actual knowledge that such information was collected from a child, publicly available in identifiable form, by any means including by a public posting, through the Internet, or through-

(i) a home page of a website;

(ii) a pen pal service;

(iii) an electronic mail service;

(iv) a message board; or

(v) a chat room.

(5) FEDERAL AGENCY.-The term “Federal agency” means an agency, as that term is defined in section 551(1) of title 5, United States Code.

(6) INTERNET.-The term “Internet” means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/ Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.

(7) PARENT.-The term “parent” includes a legal guardian.

(8) PERSONAL INFORMATION.-The term “personal information” means individually identifiable information about an individual collected online, including-

(A) a first and last name;

(B) a home or other physical address including street name and name of a city or town;

(C) an e-mail address;

(D) a telephone number;

(E) a Social Security number;

(F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or

(G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.

(9) VERIFIABLE PARENTAL CONSENT.-The term “verifiable parental consent” means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator’s personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.

(10) WEBSITE OR ONLINE SERVICE DIRECTED TO CHILDREN.-

(A) IN GENERAL.-The term “website or online service directed to children” means-

(i) a commercial website or online service that is targeted to children; or

(ii) that portion of a commercial website or online service that is targeted to children.

(B) LIMITATION.-A commercial website or online service, or a portion of a commercial website or online service, shall not be deemed directed to children solely for referring or linking to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.

(11) PERSON.-The term “person” means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

(12) ONLINE CONTACT INFORMATION.-The term “online contact information” means an e-mail address or an-other substantially similar identifier that permits direct contact with a person online.

SEC. 1303. REGULATION OF UNFAIR AND DECEPTIVE ACTS AND PRACTICES IN CONNECTION WITH THE COLLECTION AND USE OF PERSONAL INFORMATION FROM AND ABOUT CHILDREN ON THE INTERNET.

U.S. Copyright Office Summary

December 1998

INTRODUCTION

The Digital Millennium Copyright Act (DMCA)1 was signed into law by President Clinton on October 28, 1998. The legislation implements two 1996 World Intellectual Property Organization (WIPO) treaties: the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. The DMCA also addresses a number of other significant copyright-related issues.

The DMCA is divided into five titles:

• Title I, the “WIPO Copyright and Performances and Phonograms Treaties Implementation Act of 1998,” implements the WIPO treaties.
• Title II, the “Online Copyright Infringement Liability Limitation Act,” creates limitations on the liability of online service providers for copyright infringement when engaging in certain types of activities.
• Title III, the “Computer Maintenance Competition Assurance Act,” creates an exemption for making a copy of a computer program by activating a computer for purposes of maintenance or repair.
• Title IV contains six miscellaneous provisions, relating to the functions of the Copyright Office, distance education, the exceptions in the Copyright Act for libraries and for making ephemeral recordings, “webcasting” of sound recordings on the Internet, and the applicability of collective bargaining agreement obligations in the case of transfers of rights in motion pictures.
• Title V, the “Vessel Hull Design Protection Act,” creates a new form of protection for the design of vessel hulls.

This memorandum summarizes briefly each title of the DMCA. It provides merely an overview of the law’s provisions; for purposes of length and readability  a significant amount of detail has been omitted. A complete understanding of any provision of the DMCA requires reference to the text of the legislation itself.

TITLE I: WIPO TREATY IMPLEMENTATION

Title I implements the WIPO treaties. First, it makes certain technical amendments to U.S. law, in order to provide appropriate references and links to the treaties. Second, it creates two new prohibitions in Title 17 of the U.S. Code-one on circumvention of technological measures used by copyright owners to protect their works and one on tampering with copyright management information-and adds civil remedies and criminal penalties for violating the prohibitions. In addition, Title I requires the U.S. Copyright Office to perform two joint studies with the National Telecommunications and Information Administration of the Department of Commerce (NTIA).

Technical Amendments

National Eligibility

The WIPO Copyright Treaty (WCT) and the WIPO Performances and Phonograms Treaty (WPPT) each require member countries to provide protection to certain works from other member countries or created by nationals of other member countries. That protection must be no less favorable than that accorded to domestic works.

Section 104 of the Copyright Act establishes the conditions of eligibility for protection under U.S. law for works from other countries. Section 102(b) of the DMCA amends section 104 of the Copyright Act and adds new definitions to section 101 of the Copyright Act in order to extend the protection of U.S. law to those works required to be protected under the WCT and the WPPT.

Restoration of Copyright Protection

Both treaties require parties to protect preexisting works from other member countries that have not fallen into the public domain in the country of origin through the expiry of the term of protection. A similar obligation is contained in both the Berne Convention and the TRIPS Agreement. In 1995 this obligation was implemented in the Uruguay Round Agreements Act, creating a new section 104A in the Copyright Act to restore protection to works from Berne or WTO member countries that are still protected in the country of origin, but fell into the public domain in the United States in the past because of a failure to comply with formalities that then existed in U.S. law, or due to a lack of treaty relations. Section 102(c) of the DMCA amends section 104A to restore copyright protection in the same circumstances to works from WCT and WPPT member countries.

Registration as a Prerequisite to Suit

The remaining technical amendment relates to the prohibition in both treaties against conditioning the exercise or enjoyment of rights on the fulfillment of formalities. Section 411(a) of the Copyright Act requires claims to copyright to be registered with the Copyright Office before a lawsuit can be initiated by the copyright owner, but exempts many foreign works in order to comply with existing treaty obligations under the Berne Convention. Section 102(d) of the DMCA amends section 411(a) by broadening the exemption to cover all foreign works.

Technological Protection and Copyright Management Systems

Each of the WIPO treaties contains virtually identical language obligating member states to prevent circumvention of technological measures used to protect copyrighted works, and to prevent tampering with the integrity of copyright management information. These obligations serve as technological adjuncts to the exclusive rights granted by copyright law. They provide legal protection that the international copyright community deemed critical to the safe and efficient exploitation of works on digital networks.

Circumvention of Technological Protection Measures

General approach

Article 11 of the WCT states:

Contracting Parties shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorized by the authors concerned or permitted by law.

Article 18 of the WPPT contains nearly identical language.

Section 103 of the DMCA adds a new chapter 12 to Title 17 of the U.S. Code. New section 1201 implements the obligation to provide adequate and effective protection against circumvention of technological measures used by copyright owners to protect their works.

Section 1201 divides technological measures into two categories: measures that prevent unauthorized access to a copyrighted work and measures that prevent unauthorized copying2 of a copyrighted work. Making or selling devices or services that are used to circumvent either category of technological measure is prohibited in certain circumstances, described below. As to the act of circumvention in itself, the provision prohibits circumventing the first category of technological measures, but not the second.

This distinction was employed to assure that the public will have the continued ability to make fair use of copyrighted works. Since copying of a work may be a fair use under appropriate circumstances, section 1201 does not prohibit the act of circumventing a technological measure that prevents copying. By contrast, since the fair use doctrine is not a defense to the act of gaining unauthorized access to a work, the act of circumventing a technological measure in order to gain access is prohibited.

Section 1201 proscribes devices or services that fall within any one of the following three categories:

• they are primarily designed or produced to circumvent;
• they have only limited commercially significant purpose or use other than to circumvent; or
• they are marketed for use in circumventing.

No mandate

Section 1201 contains language clarifying that the prohibition on circumvention devices does not require manufacturers of consumer electronics, telecommunications or computing equipment to design their products affirmatively to respond to any particular technological measure. (Section 1201(c)(3)). Despite this general ‘no mandate’ rule, section 1201(k) does mandate an affirmative response for one particular type of technology: within 18 months of enactment, all analog videocassette recorders must be designed to conform to certain defined technologies, commonly known as Macrovision, currently in use for preventing unauthorized copying of analog videocassettes and certain analog signals. The provision prohibits rightholders from applying these specified technologies to free television and basic and extended basic tier cable broadcasts.

Savings clauses

Section 1201 contains two general savings clauses. First, section 1201(c)(1) states that nothing in section 1201 affects rights, remedies, limitations or defenses to copyright infringement, including fair use. Second, section 1201(c)(2) states that nothing in section 1201 enlarges or diminishes vicarious or contributory copyright infringement.

Exceptions

Finally, the prohibitions contained in section 1201 are subject to a number of exceptions. One is an exception to the operation of the entire section, for law enforcement, intelligence and other governmental activities. (Section 1201(e)). The others relate to section 1201(a), the provision dealing with the category of technological measures that control access to works.

The broadest of these exceptions, section 1201(a)(1)(B)-(E), establishes an ongoing administrative rule-making proceeding to evaluate the impact of the prohibition against the act of circumventing such access-control measures. This conduct prohibition does not take effect for two years. Once it does, it is subject to an exception for users of a work which is in a particular class of works if they are or are likely to be adversely affected by virtue of the prohibition in making noninfringing uses. The applicability of the exemption is determined through a periodic rulemaking by the Librarian of Congress, on the recommendation of the Register of Copyrights, who is to consult with the Assistant Secretary of Commerce for Communications and Information.

The six additional exceptions are as follows:

1.    Nonprofit library, archive and educational institution exception (section 1201(d)). The prohibition on the act of circumvention of access control measures is subject to an exception that permits nonprofit libraries, archives and educational institutions to circumvent solely for the purpose of making a good faith determination as to whether they wish to obtain authorized access to the work.

2.    Reverse engineering (section 1201(f)). This exception permits circumvention, and the development of technological means for such circumvention, by a person who has lawfully obtained a right to use a copy of a computer program for the sole purpose of identifying and analyzing elements of the program necessary to achieve interoperability with other programs, to the extent that such acts are permitted under copyright law.

3.    Encryption research (section 1201(g)). An exception for encryption research permits circumvention of access control measures, and the development of the technological means to do so, in order to identify flaws and vulnerabilities of encryption technologies.

4.    Protection of minors (section 1201(h)). This exception allows a court applying the prohibition to a component or part to consider the necessity for its incorporation in technology that prevents access of minors to material on the Internet.

5.    Personal privacy (section 1201(i)). This exception permits circumvention when the technological measure, or the work it protects, is capable of collecting or disseminating personally identifying information about the online activities of a natural person.

6.    Security testing (section 1201(j)). This exception permits circumvention of access control measures, and the development of technological means for such circumvention, for the purpose of testing the security of a computer, computer system or computer network, with the authorization of its owner or operator.

Each of the exceptions has its own set of conditions on its applicability, which are beyond the scope of this summary.<–>

TRANSACTIONS ACT (1999)

Drafted by the

NATIONAL CONFERENCE OF COMMISSIONERS

ON UNIFORM STATE LAWS

and by it

APPROVED AND RECOMMENDED FOR ENACTMENT

IN ALL THE STATES

at its

ANNUAL CONFERENCE

MEETING IN ITS ONE-HUNDRED-AND-EIGHTH YEAR

IN DENVER, COLORADO

JULY 23 – 30, 1999

WITH PREFATORY NOTE AND COMMENTS

Copyright© 1999

By

NATIONAL CONFERENCE OF COMMISSIONERS

ON UNIFORM STATE LAWS

1/20/00

UNIFORM ELECTRONIC TRANSACTIONS ACT (1999)

The Committee that acted for the National Conference of Commissioners on Uniform State Laws in preparing the Uniform Electronic Transactions Act (1999) was as follows:

PATRICIA BRUMFIELD FRY, University of North Dakota, School of Law, P.O. Box 9003,

Grand Forks, ND 58201, Chair

STEPHEN Y. CHOW, 30th Floor, One Beacon St., Boston, MA 02108

KENNETH W. ELLIOTT, City Place Building, 22nd Floor, 204 N. Robinson Avenue,

Oklahoma City, OK 73102

HENRY DEEB GABRIEL, JR., Loyola University, School of Law, 526 Pine Street, New Orleans,

LA 70118

BION M. GREGORY, Office of Legislative Counsel, State Capitol, Suite 3021, Sacramento,

CA 95814-4996

JOSEPH P. MAZUREK, Office of the Attorney General, P.O. Box 201401, 215 N. Sanders,

Helena, MT 59620

PAMELA MEADE SARGENT, P.O. Box 846, Abingdon, VA 24212

D. BENJAMIN BEARD, University of Idaho, College of Law, 6th and Rayburn, Moscow,

ID 83844-2321, Reporter

EX OFFICIO

GENE N. LEBRUN, P.O. Box 8250, 9th Floor, 909 St. Joseph Street, Rapid City, SD 57709,

President

HENRY M. KITTLESON, P.O. Box 32092, 92 Lake Wire Drive, Lakeland, FL 33802,

Division Chair

AMERICAN BAR ASSOCIATION ADVISORS

C. ROBERT BEATTIE, Plaza VII, 45 S. 7th Street, Suite 3400, Minneapolis, MN 55402-1609,

Business Law Section

AMELIA H. BOSS, Tmple University, School of Law, 1719 N. Broad Street, Philadelphia,

PA 19122, Advisor

THOMAS J. SMEDINGHOFF, 130 E. Randolph Drive, Suite 3500, Chicago, IL 60601,

Science and Technology Section

EXECUTIVE DIRECTOR

FRED H. MILLER, University of Oklahoma, College of Law, 300 Timberdell Road, Norman,

OK 73019, Executive Director

WILLIAM J. PIERCE, 1505 Roxbury Road, Ann Arbor, MI 48104, Executive Director Emeritus

NATIONAL CONFERENCE OF COMMISSIONERS

ON UNIFORM STATE LAWS

211 E. Ontario Street, Suite 1300

Chicago, Illinois 60611

312/915-0195

UNIFORM ELECTRONIC TRANSACTIONS ACT (1999)

PREFATORY NOTE

With the advent of electronic means of communication and information transfer, business models and methods for doing business have evolved to take advantage of the speed, efficiencies, and cost benefits of electronic technologies. These developments have occurred in the face of existing legal barriers to the legal efficacy of records and documents which exist solely in electronic media. Whether the legal requirement that information or an agreement or contract must be contained or set forth in a pen and paper writing derives from a statute of frauds affecting the enforceability of an agreement, or from a record retention statute that calls for keeping the paper record of a transaction, such legal requirements raise real barriers to the effective use of electronic media.

One striking example of electronic barriers involves so called check retention statutes in every State. A study conducted by the Federal Reserve Bank of Boston identified more than 2500 different state laws which require the retention of canceled checks by the issuers of those checks. These requirements not only impose burdens on the issuers, but also effectively restrain the ability of banks handling the checks to automate the process. Although check truncation is validated under the Uniform Commercial Code, if the bank’s customer must store the canceled paper check, the bank will not be able to deal with the item through electronic transmission of the information. By establishing the equivalence of an electronic record of the information, the Uniform Electronic Transactions Act (UETA) removes these barriers without affecting the underlying legal rules and requirements.

It is important to understand that the purpose of the UETA is to remove barriers to electronic commerce by validating and effectuating electronic records and signatures. It is NOT a general contracting statute - the substantive rules of contracts remain unaffected by UETA. Nor is it a digital signature statute. To the extent that a State has a Digital Signature Law, the UETA is designed to support and compliment that statute.

A. Scope of the Act and Procedural Approach. The scope of this Act provides coverage which sets forth a clear framework for covered transactions, and also avoids unwarranted surprises for unsophisticated parties dealing in this relatively new media. The clarity and certainty of the scope of the Act have been obtained while still providing a solid legal framework that allows for the continued development of innovative technology to facilitate electronic transactions.

With regard to the general scope of the Act, the Act’s coverage is inherently limited by the definition of “transaction.” The Act does not apply to all writings and signatures, but only to electronic records and signatures relating to a transaction, defined as those interactions between people relating to business, commercial and governmental affairs. In general, there are few writing or signature requirements imposed by law on many of the “standard” transactions that had been considered for exclusion. A good example relates to trusts, where the general rule on creation of a trust imposes no formal writing requirement. Further, the writing requirements in other contexts derived from governmental filing issues. For example, real estate transactions were considered potentially troublesome because of the need to file a deed or other instrument for protection against third parties. Since the efficacy of a real estate purchase contract, or even a deed, between the parties is not affected by any sort of filing, the question was raised why these transactions should not be validated by this Act if done via an electronic medium. No sound reason was found. Filing requirements fall within Sections 17-19 on governmental records. An exclusion of all real estate transactions would be particularly unwarranted in the event that a State chose to convert to an electronic recording system, as many have for Article 9 financing statement filings under the Uniform Commercial Code.

The exclusion of specific Articles of the Uniform Commercial Code reflects the recognition that, particularly in the case of Articles 5, 8 and revised Article 9, electronic transactions were addressed in the specific contexts of those revision processes. In the context of Articles 2 and 2A the UETA provides the vehicle for assuring that such transactions may be accomplished and effected via an electronic medium. At such time as Articles 2 and 2A are revised the extent of coverage in those Articles/Acts may make application of this Act as a gap-filling law desirable. Similar considerations apply to the recently promulgated Uniform Computer Information Transactions Act (“UCITA”).

The need for certainty as to the scope and applicability of this Act is critical, and makes any sort of a broad, general exception based on notions of inconsistency with existing writing and signature requirements unwise at best. The uncertainty inherent in leaving the applicability of the Act to judicial construction of this Act with other laws is unacceptable if electronic transactions are to be facilitated.

Finally, recognition that the paradigm for the Act involves two willing parties conducting a transaction electronically, makes it necessary to expressly provide that some form of acquiescence or intent on the part of a person to conduct transactions electronically is necessary before the Act can be invoked. Accordingly, Section 5 specifically provides that the Act only applies between parties that have agreed to conduct transactions electronically. In this context, the construction of the term agreement must be broad in order to assure that the Act applies whenever the circumstances show the parties intention to transact electronically, regardless of whether the intent rises to the level of a formal agreement.

B. Procedural Approach. Another fundamental premise of the Act is that it be minimalist and procedural. The general efficacy of existing law in an electronic context, so long as biases and barriers to the medium are removed, validates this approach. The Act defers to existing substantive law. Specific areas of deference to other law in this Act include: (1) the meaning and effect of “sign” under existing law, (2) the method and manner of displaying, transmitting and formatting information in Section 8, (3) rules of attribution in Section 9, and (4) the law of mistake in Section 10.

The Act’s treatment of records and signatures demonstrates best the minimalist approach that has been adopted. Whether a record is attributed to a person is left to law outside this Act. Whether an electronic signature has any effect is left to the surrounding circumstances and other law. These provisions are salutary directives to assure that records and signatures will be treated in the same manner, under currently existing law, as written records and manual signatures.

The deference of the Act to other substantive law does not negate the necessity of setting forth rules and standards for using electronic media. The Act expressly validates electronic records, signatures and contracts. It provides for the use of electronic records and information for retention purposes, providing certainty in an area with great potential in cost savings and efficiency. The Act makes clear that the actions of machines (“electronic agents”) programmed and used by people will bind the user of the machine, regardless of whether human review of a particular transaction has occurred. It specifies the standards for sending and receipt of electronic records, and it allows for innovation in financial services through the implementation of transferable records. In these ways the Act permits electronic transactions to be accomplished with certainty under existing substantive rules of law.<–>

(Last Revisions or Amendments Completed Year 2002)

drafted by the

NATIONAL CONFERENCE OF COMMISSIONERS

ON UNIFORM STATE LAWS

and by it

APPROVED AND RECOMMENDED FOR ENACTMENT

IN ALL THE STATES

at its

ANNUAL CONFERENCE

MEETING IN ITS ONE-HUNDRED-AND-ELEVENTH YEAR

TUCSON, ARIZONA

JULY 26 – AUGUST 2, 2002

WITH PREFATORY NOTE AND COMMENTS

Copyright © 2002

By

NATIONAL CONFERENCE OF COMMISSIONERS

ON UNIFORM STATE LAWS

October 15, 2002

UNIFORM COMPUTER INFORMATION TRANSACTIONS ACT

(Amended 2000, 2002)

The Committee that acted for the National Conference of Commissioners on Uniform State Laws in preparing the Uniform Computer Information Transactions Act is as follows:

CARLYLE C. RING, JR., 1401 H. Street, N.W., Suite 500, Washington, DC 20005, Chair

JOHN A. CHANIN, 715 S. Washington Street, Apartment B13, Alexandria, VA 22314

STEPHEN Y. CHOW, One Beacon Street, 30th Floor, Boston, MA 02108

PATRICIA BRUMFIELD FRY, University of Missouri School of Law, Missouri Avenue & Conley Avenue, Columbia, MO 65211

THOMAS T. GRIMSHAW, Suite 3800, 1700 Lincoln Street, Denver, CO 80203

LEON M. McCORKLE, JR., P.O. Box 387, Dublin, OH 43017-0387

THOMAS J. McCRACKEN, JR., Room 600, 134 N. LaSalle Street, Chicago, IL 60602

JAMES C. McKAY, JR., Office of Corporation Counsel, 6th Floor South, 441 4th Street, N.W., Washington, DC 20001

BRUCE MUNSON, Revisor of Statutes Bureau, Suite 800, 131 W. Wilson Street, Madison, WI 53703

RAYMOND T. NIMMER, University of Houston, Law Center, 4800 Calhoun, Houston, TX 77204,

EX OFFICIO

K. KING BURNETT, P.O. Box 910, Salisbury, MD 21803, President

BARRY H. EVENCHICK, 354 Eisenhower Pkwy., Livingston, NJ 07039, Division Chair

AMERICAN BAR ASSOCIATION ADVISORS

DONALD A. COHN, 14 Gale Lane, Greenville, DE 19807, Co-Advisor

GEORGE L. GRAFF, 30th Floor, 399 Park Avenue, New York, NY 10022, Co-Advisor

EXECUTIVE DIRECTOR

WILLIAM H. HENNING, University of Missouri-Columbia, School of Law, 313 Hulston Hall,

Columbia, MO 65211, Executive Director

WILLIAM J. PIERCE, 1505 Roxbury Road, Ann Arbor, MI 48104, Executive Director Emeritus

Copies of this Act may be obtained from:

NATIONAL CONFERENCE OF COMMISSIONERS

ON UNIFORM STATE LAWS

211 E. Ontario Street, Suite 1300

Chicago, Illinois 60611

312/915-0195

UNIFORM COMPUTER INFORMATION TRANSACTIONS ACT

“A commercial contract code for computer information transactions”

Prefatory Note

Once land ownership and agrarian production were primary sources of wealth and income in our economy, and contracts for the exchange of horses and grain dominated the commercial landscape. Following the industrial revolution, manufactured goods assumed center stage. In the 1930s Llewellyn recognized that this change required revisions to the law of sales, so that its rules were relevant to the new economy. The result was UCC Article 2. Despite initially strong resistance, Article 2 won universal acceptance, for it reflected the reality of economic change and its implications for contract law.

Our economy has experienced another fundamental change, with information products and services now driving increased productivity and growth. Accompanying this change is a widely diverse and rich array of methods for distributing and tailoring digital information to the modern marketplace. Contracts underlie both the creation and distribution of such information. However, legal rules that are not relevant to commercial practice or that are uncertain in application inhibit contracting or raise transaction costs. UCITA was drafted in response to this fundamental economic change and need for clarity in the law.

Article 2 served as both a model and a point of departure for UCITA. Like Article 2, UCITA covers a variety of transactions, many of which take place solely between merchants. Article 2 governs sales of jet planes as well as toasters, not to mention the large-scale acquisition of jet and toaster parts. UCITA governs access by Fortune 500 businesses to sophisticated databases as well as distribution of software to the general public; it also covers custom software development and the acquisition of various rights in multimedia products.

Both UCITA and Article 2 are based upon the principle of freedom of contract: with limited exceptions, the terms and effect of a contract can be varied by agreement. Most provisions of both statutes are default rules, applicable only if the parties do not specify some other rule. Although one could try to fashion a contract code that regulates comprehensively rather than permitting such flexibility, it is hard to imagine such an approach being compatible with a vibrant market economy. Even if one succeeded in making the regulations stick, the effect would be to hinder rather than facilitate commerce. On the other hand, as noted, without certain default rules, contracting and thus legal rights remain unclear.

To be sure, not every term of a contract should be enforced. UCITA follows Article 2 in providing a standard of unconscionability for courts to employ in policing contract terms.

UCITA goes beyond Article 2 in authorizing courts to strike down over-reaching language those conflicts with fundamental public policy. It also goes beyond Article 2 and other existing law in furthering licensee interests by prohibiting electronic self-help under this statute (Section 816) and by excluding enforcement of “no-reverse-engineering” clauses in some cases. See Section 118. Compare Bowers v. Baystate Technologies, Inc., 302 F.3d 1334 (Fed Cir. 2002).

UCITA provides that common law doctrines such as fraud and duress remain effective and that applicable consumer protection law governs. UCITA does not alter competition or antitrust law. It does not change trade secret law, intellectual property law, or substantive consumer law. It deals only with contracts.

As Llewellyn recognized in drafting Article 2, contract law must be tailored to the type of transactions that it covers. Just as a body of law based on images of the sale of horses was not relevant a half century ago to sales of manufactured goods, so today a body of law based on images of the sale of manufactured goods ill fits licenses and other transactions in computer information. Rules based on an antiquated view of the transactional world do not give coherent guidance to courts or to transacting parties.

UCITA is the first uniform contract law designed to deal specifically with the new information economy. Transactions in computer information involve different expectations, different industry practices, and different policies from transactions in goods. For example, in a sale of goods, the buyer owns what it buys and has exclusive rights in that subject matter (e.g., the toaster that has been purchased). In contrast, someone that acquires a copy of computer information may or may not own that copy, but in any case rarely obtains all rights associated with the information. See DSC Communications Corp. v. Pulse Communications, Inc., 170 F.3d 1354 (Fed. Cir. 1999), cert. den. 528 U.S. 923 (1999). What rights are acquired or withheld depends on what the contract says. This point only is implicit in Article 2 for goods such as books; UCITA makes it explicit for the information economy where, unlike in the case of a book, the contract (license) is the product. See Specht v. Netscape Communications Corp., – F.3d -,

2002 WL 31166784 n. 13 (Fed. Cir. 2002); SOS, Inc. v. Payday, Inc., 886 F.2d 1084 (9th Cir. 1989).

Licensing is one way in which computer information is tailored to the information marketplace. Courts have enforced contract terms that, among other things:

• preclude commercial use
• preclude making copies grant access
• allow use throughout a site
• preclude distribution of copies for a fee
• preclude modification
• allow distribution only in specific way
• permit commercial use
• permit making multiple copies
• limit access
• limit use to a specific computer
• allow distribution of copies
• allow modification
• limit use to internal operations

Such contract terms have helped to create the wondrous array of products and services that characterizes our modern economy. Whether specific terms are appropriate for a given transaction or set of parties is fundamentally a marketplace issue.

As noted, in computer information transactions, license terms often define the product. A software product may be provided in the same form in two transactions, but in one case the user is authorized to make 100,000 copies and in the other merely to use a single copy at home. The value of the transaction inheres not in the tangible medium (if, indeed, any is used), but rather in the license grant terms. UCITA does not require that computer information products and services be licensed; it covers sales as well. But UCITA provides a coherent contract law framework for analyzing a license, which has been the dominant contractual framework for commerce in computer information.

Up to this point, a complex mix of common law and Article 2 has governed computer information transactions. The common law is frequently difficult to ascertain, and it varies widely among states. In addition, differences in the legal norms that have developed in different areas of information practice are producing unpredictable results as those areas converge. Article 2, while uniform, does not properly apply to many issues involved in transactions in computer information, and when it applies, it often does not provide appropriate guidance because of differences in subject matter and transactional frameworks.

The need for a coherent, uniform body of law has never been greater. Revolutions in telecommunications and computer technology have made geography increasingly irrelevant to modern commerce. The Internet enables small firms as well as large ones to provide products  and services throughout the country and around the world. Even as online systems have altered how many information transactions are performed, however, fundamental issues associated with contracting online remain unanswered. A modern contract law must give guidance on those issues. Failure to do so does not foster but rather impedes commerce in computer information.

The liberating promise of technology cannot be fully realized unless there is predictability in the legal rules that govern such transactions. This is the need that UCITA addresses. It clarifies and sets forth uniform legal principles applicable to computer information transactions. UCITA is a statute for our time.<–>

FIL-72-2000

November 2, 2000

TO:

CHIEF EXECUTIVE OFFICER AND COMPLIANCE OFFICER

SUBJECT:

Notice of Consumer Consent Requirements Applicable to the Electronic Delivery of Consumer

Disclosures

The Electronic Signatures in Global and National Commerce Act (E-Sign Act), signed into law on June 30, 2000, provides a general rule of validity for electronic records and signatures for transactions in or affecting interstate or foreign commerce. Subject to certain exceptions, the law’s effective date is October 1, 2000, with record retention requirements effective beginning March 1, 2001.

Included among the E-Sign Act’s provisions is a section addressing the use of electronic records for an institution that wishes to exclusively provide electronic disclosures to consumers in lieu of written disclosures. Specifically, Section 101(c)(1) of Title I allows a financial institution to issue electronic records to a consumer to satisfy any statute or regulation that requires such information to be in writing, after first obtaining the consumer’s affirmative consent. Before consent can be given, a consumer must be provided with information regarding:

• any right or option to receive a disclosure in paper form;
• whether the consent applies only to a particular transaction or to categories that may be provided during the course of the parties’ relationship;
• the right to withdraw consent to have records provided electronically, including any conditions, consequences, or fees associated with doing so. The institution must describe the procedures for withdrawing consent and for updating information needed to contact the consumer electronically;
• how the consumer may obtain a paper copy of the record upon request; and
• the hardware and software requirements for access to and retention of the electronic information.

Institutions currently providing electronic disclosures or statements to consumers (pursuant to final and/or interim rules issued by the Federal Reserve Board) should note that agreements reached with consumers prior to October 1, 2000, to deliver information electronically, are exempt from the requirements of Section 101(c)(1). However, for any agreements made with new or existing customers on or after October 1, 2000, the requirements of Section 101(c)(1) will supersede all other consumer consent procedures relating to the use of electronic disclosures set forth in other regulations.

Financial institutions should review any products delivered through electronic means and the systems that support them to ensure compliance with applicable provisions of the Act. Attached is a complete copy of the E-Sign Act. Title I contains details on the consumer consent provisions, specific exception to the requirements, and related definitions. For more information, please contact Eric L. Kooistra, Review Examiner in the Division of Compliance and Consumer Affairs, at (202) 942-3339 (e-mail Ekooistra@fdic.gov) or Robert A. Patrick, Counsel in the Legal Division, at (202) 898-3757 (e-mail RoPatrick@fdic.gov).

Stephen M. Cross

Director

Attachments: Electronic Signatures in Global and National Commerce Act

Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC’s Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (800-276- 6003 or 202-416-6940).

PUBLIC LAW 106-229-JUNE 30, 2000

ELECTRONIC SIGNATURES IN GLOBAL AND

NATIONAL COMMERCE ACT

PUBL229

An Act

To facilitate the use of electronic records and signatures in interstate or foreign commerce.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Electronic Signatures in Global and National Commerce Act”.

TITLE I-ELECTRONIC RECORDS AND SIGNATURES IN COMMERCE

SEC. 101. GENERAL RULE OF VALIDITY.

(a)  IN GENERAL.-Notwithstanding any statute, regulation, or other rule of law (other than this title and title II), with respect to any transaction in or affecting interstate or foreign commerce-

(1)  a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and

(2)  a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

(b)  PRESERVATION OF RIGHTS AND OBLIGATIONS.-This title does not-

(1)  limit, alter, or otherwise affect any requirement imposed by a statute, regulation, or rule of law relating to the rights and obligations of persons under such statute, regulation, or rule of law other than a requirement that contracts or other records be written, signed, or in nonelectronic form; or

(2)  require any person to agree to use or accept electronic records or electronic signatures, other than a governmental agency with respect to a record other than a contract to which it is a party.

(c)  CONSUMER DISCLOSURES.-

(1)  CONSENT TO ELECTRONIC RECORDS.-Notwithstanding subsection (a), if a statute, regulation, or other rule of law requires that information relating to a transaction or transactions in or affecting interstate or foreign commerce be provided or made available to a consumer in writing, the use of an electronic record to provide or make available (whichever is required) such information satisfies the requirement that such information be in writing if-

(A)  the consumer has affirmatively consented to such use and has not withdrawn such consent;

(B)  the consumer, prior to consenting, is provided with a clear and conspicuous statement-

(i) informing the consumer of (I) any right or option of the consumer to have the record provided or made available on paper or in nonelectronic form, and (II) the right of the consumer to withdraw the consent to have the record provided or made available in an electronic form and of any conditions, consequences (which may include termination of the parties’ relationship), or fees in the event of such withdrawal;

(ii)  informing the consumer of whether the consent applies (I) only to the particular transaction which gave rise to the obligation to provide the record, or

(iii)  to identified categories of records that may be provided or made available during the course of the parties’ relationship;

(iv) describing the procedures the consumer must use to withdraw consent as provided in clause (i) and to update information needed to contact the consumer electronically; and

(v) informing the consumer (I) how, after the consent, the consumer may, upon request, obtain a paper copy of an electronic record, and (II) whether any fee will be charged for such copy;

(C) the consumer-

(i) prior to consenting, is provided with a statement of the hardware and software requirements for access to and retention of the electronic records; and

(ii) consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent; and

(D) after the consent of a consumer in accordance with subparagraph (A), if a change in the hardware or software requirements needed to access or retain electronic records creates a material risk that the consumer will not be able to access or retain a subsequent electronic record that was the subject of the consent, the person providing the electronic record-

(i)   provides the consumer with a statement of (I) the revised hardware and software requirements for access to and retention of the electronic records, and (II) the right to withdraw consent without the imposition of any fees for such withdrawal and without the imposition of any condition or consequence that was not disclosed under subparagraph (B)(i); and

(ii)   again complies with subparagraph (C).

(2)  OTHER RIGHTS.-

(A)  PRESERVATION OF CONSUMER PROTECTIONS.- Nothing in this title affects the content or timing of any disclosure or other record required to be provided or made available to any consumer under any statute, regulation, or other rule of law.

(B)  VERIFICATION OR ACKNOWLEDGMENT.-If a law that was enacted prior to this Act expressly requires a record to be provided or made available by a specified method that requires verification or acknowledgment of receipt, the record may be provided or made available electronically only if the method used provides verification or acknowledgment of receipt (whichever is required).

(3)  EFFECT OF FAILURE TO OBTAIN ELECTRONIC CONSENT OR CONFIRMATION OF CONSENT.-The legal effectiveness, validity, or enforceability of any contract executed by a consumer shall not be denied solely because of the failure to obtain electronic consent or confirmation of consent by that consumer in accordance with paragraph (1)(C)(ii).

(4)  PROSPECTIVE EFFECT.-Withdrawal of consent by a consumer shall not affect the legal effectiveness, validity, or enforceability of electronic records provided or made available to that consumer in accordance with paragraph (1) prior to implementation of the consumer’s withdrawal of consent. A consumer’s withdrawal of consent shall be effective within a reasonable period of time after receipt of the withdrawal by the provider of the record. Failure to comply with paragraph (1)(D) may, at the election of the consumer, be treated as a withdrawal of consent for purposes of this paragraph.

(5)  PRIOR CONSENT.-This subsection does not apply to any records that are provided or made available to a consumer who has consented prior to the effective date of this title to receive such records in electronic form as permitted by any statute, regulation, or other rule of law.

(6)  ORAL COMMUNICATIONS.-An oral communication or a recording of an oral communication shall not qualify as an electronic record for purposes of this subsection except as otherwise provided under applicable law.

(d)  RETENTION OF CONTRACTS AND RECORDS.-

(1)  ACCURACY AND ACCESSIBILITY.-If a statute, regulation, or other rule of law requires that a contract or other record relating to a transaction in or affecting interstate or foreign commerce be retained, that requirement is met by retaining an electronic record of the information in the contract or other record that-

(A)  accurately reflects the information set forth in the contract or other record; and

(B)  remains accessible to all persons who are entitled to access by statute, regulation, or rule of law, for the period required by such statute, regulation, or rule of law, in a form that is capable of being accurately reproduced for later reference, whether by transmission, printing, or otherwise.

(2)  EXCEPTION.-A requirement to retain a contract or other record in accordance with paragraph (1) does not apply to any information whose sole purpose is to enable the contract or other record to be sent, communicated, or received.

(3)  ORIGINALS.-If a statute, regulation, or other rule of law requires a contract or other record relating to a transaction in or affecting interstate or foreign commerce to be provided, available, or retained in its original form, or provides consequences if the contract or other record is not provided, available, or retained in its original form, that statute, regulation, or rule of law is satisfied by an electronic record that complies with paragraph (1).

(4)  CHECKS.-If a statute, regulation, or other rule of law requires the retention of a check, that requirement is satisfied by retention of an electronic record of the information on the front and back of the check in accordance with paragraph (1).

(e)  ACCURACY AND ABILITY TO RETAIN CONTRACTS AND OTHER RECORDS.-Notwithstanding subsection (a), if a statute, regulation, or other rule of law requires that a contract or other record relating to a transaction in or affecting interstate or foreign commerce be in writing, the legal effect, validity, or enforceability of an electronic record of such contract or other record may be denied if such electronic record is not in a form that is capable of being retained and accurately reproduced for later reference by all parties or persons who are entitled to retain the contract or other record.

(f)   PROXIMITY.-Nothing in this title affects the proximity required by any statute, regulation, or other rule of law with respect to any warning, notice, disclosure, or other record required to be posted, displayed, or publicly affixed.

(g)  NOTARIZATION AND ACKNOWLEDGMENT.-If a statute, regulation, or other rule of law requires a signature or record relating to a transaction in or affecting interstate or foreign commerce to be notarized, acknowledged, verified, or made under oath, that requirement is satisfied if the electronic signature of the person authorized to perform those acts, together with all other information required to be included by other applicable statute, regulation, or rule of law, is attached to or logically associated with the signature or record.

(h)  ELECTRONIC AGENTS.-A contract or other record relating to a transaction in or affecting interstate or foreign commerce may not be denied legal effect, validity, or enforceability solely because its formation, creation, or delivery involved the action of one or more electronic agents so long as the action of any such electronic agent is legally attributable to the person to be bound.

(i)    INSURANCE.-It is the specific intent of the Congress that this title and title II apply to the business of insurance.

(j)    INSURANCE AGENTS AND BROKERS.-An insurance agent or broker acting under the direction of a party that enters into a contract by means of an electronic record or electronic signature may not be held liable for any deficiency in the electronic procedures agreed to by the parties under that contract if-

(1)  the agent or broker has not engaged in negligent, reckless, or intentional tortious conduct;

(2)  the agent or broker was not involved in the development or establishment of such electronic procedures; and

(3)  the agent or broker did not deviate from such procedures.

SEC. 102. EXEMPTION TO PREEMPTION.

(a)  IN GENERAL.-A State statute, regulation, or other rule of law may modify, limit, or supersede the provisions of section 101 with respect to State law only if such statute, regulation, or rule of law-

(1)  constitutes an enactment or adoption of the Uniform Electronic Transactions Act as approved and recommended for enactment in all the States by the National Conference of Commissioners on Uniform State Laws in 1999, except that any exception to the scope of such Act enacted by a State under section 3(b)(4) of such Act shall be preempted to the extent such exception is inconsistent with this title or title II, or would not be permitted under paragraph (2)(A)(ii) of this subsection; or

(2)  -

(A)  specifies the alternative procedures or requirements for the use or acceptance (or both) of electronic records or electronic signatures to establish the legal effect, validity, or enforceability of contracts or other records, if-

(i)  such alternative procedures or requirements are consistent with this title and title II; and

(ii) such alternative procedures or requirements do not require, or accord greater legal status or effect to, the implementation or application of a specific technology or technical specification for performing the functions of creating, storing, generating, receiving, communicating, or authenticating electronic records or electronic signatures; and

(B)  if enacted or adopted after the date of the enactment of this Act, makes specific reference to this Act.

(b)  EXCEPTIONS FOR ACTIONS BY STATES AS MARKET PARTICIPANTS.- Subsection (a)(2)(A)(ii) shall not apply to the statutes, regulations, or other rules of law governing procurement by any State, or any agency or instrumentality thereof.

(c)  PREVENTION OF CIRCUMVENTION.-Subsection (a) does not permit a State to circumvent this title or title II through the imposition of nonelectronic delivery methods under section 8(b)(2) of the Uniform Electronic Transactions Act.<–>

HR 3162 RDS

107th CONGRESS

1st Session

H. R. 3162

IN THE SENATE OF THE UNITED STATES

October 24, 2001

Received

AN ACT

To deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE AND TABLE OF CONTENTS.

(a) SHORT TITLE- This Act may be cited as the `Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001′. (b) TABLE OF CONTENTS- The table of contents for this Act is as follows:

Sec. 1. Short title and table of contents.

Sec. 2. Construction; severability.

TITLE I ENHANCING DOMESTIC SECURITY AGAINST TERRORISM

Sec. 101. Counterterrorism fund.

Sec. 102. Sense of Congress condemning discrimination against Arab and Muslim Americans.

Sec. 103. Increased funding for the technical support center at the Federal Bureau of Investigation.

Sec. 104. Requests for military assistance to enforce prohibition in certain emergencies.

Sec. 105. Expansion of National Electronic Crime Task Force Initiative.

Sec. 106. Presidential authority.

TITLE II ENHANCED SURVEILLANCE PROCEDURES

Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism.

Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses.

Sec. 203. Authority to share criminal investigative information.

Sec. 204. Clarification of intelligence exceptions from limitations on interception and disclosure of wire, oral, and electronic communications.

Sec. 205. Employment of translators by the Federal Bureau of Investigation.

Sec. 206. Roving surveillance authority under the Foreign Intelligence Surveillance Act of 1978.

Sec. 207. Duration of FISA surveillance of non-United States persons who are agents of a foreign power.

Sec. 208. Designation of judges.

Sec. 209. Seizure of voice-mail messages pursuant to warrants.

Sec. 210. Scope of subpoenas for records of electronic communications.

Sec. 211. Clarification of scope.

Sec. 212. Emergency disclosure of electronic communications to protect life and limb.

Sec. 213. Authority for delaying notice of the execution of a warrant.

Sec. 214. Pen register and trap and trace authority under FISA.

Sec. 215. Access to records and other items under the Foreign Intelligence Surveillance Act.

Sec. 216. Modification of authorities relating to use of pen registers and trap and trace devices.

Sec. 217. Interception of computer trespasser communications.

Sec. 218. Foreign intelligence information.

Sec. 219. Single-jurisdiction search warrants for terrorism.

Sec. 220. Nationwide service of search warrants for electronic evidence.

Sec. 221. Trade sanctions.

Sec. 222. Assistance to law enforcement agencies.

Sec. 223. Civil liability for certain unauthorized disclosures.

Sec. 224. Sunset.

Sec. 225. Immunity for compliance with FISA wiretap.

TITLE III INTERNATIONAL MONEY LAUNDERING ABATEMENT AND ANTI-TERRORIST FINANCING ACT OF 2001

Sec. 301. Short title.

Sec. 302. Findings and purposes.

Sec. 303. 4-year congressional review; expedited consideration.

Subtitle A International Counter Money Laundering and Related Measures

Sec. 311. Special measures for jurisdictions, financial institutions, or international transactions of primary money laundering concern.

Sec. 312. Special due diligence for correspondent accounts and private banking accounts.

Sec. 313. Prohibition on United States correspondent accounts with foreign shell banks.

Sec. 314. Cooperative efforts to deter money laundering.

Sec. 315. Inclusion of foreign corruption offenses as money laundering crimes.

Sec. 316. Anti-terrorist forfeiture protection.

Sec. 317. Long-arm jurisdiction over foreign money launderers.

Sec. 318. Laundering money through a foreign bank.

Sec. 319. Forfeiture of funds in United States interbank accounts.

Sec. 320. Proceeds of foreign crimes.

Sec. 321. Financial institutions specified in subchapter II of chapter 53 of title 31, United States code.

Sec. 322. Corporation represented by a fugitive.

Sec. 323. Enforcement of foreign judgments.

Sec. 324. Report and recommendation.

Sec. 325. Concentration accounts at financial institutions.

Sec. 326. Verification of identification.

Sec. 327. Consideration of anti-money laundering record.

Sec. 328. International cooperation on identification of originators of wire transfers.

Sec. 329. Criminal penalties.

Sec. 330. International cooperation in investigations of money laundering, financial crimes, and the finances of terrorist groups.

Subtitle B Bank Secrecy Act Amendments and Related Improvements

Sec. 351. Amendments relating to reporting of suspicious activities.

Sec. 352. Anti-money laundering programs.

Sec. 353. Penalties for violations of geographic targeting orders and certain recordkeeping requirements, and lengthening effective period of geographic targeting orders.

Sec. 354. Anti-money laundering strategy.

Sec. 355. Authorization to include suspicions of illegal activity in written employment references.

Sec. 356. Reporting of suspicious activities by securities brokers and dealers; investment company study.

Sec. 357. Special report on administration of bank secrecy provisions.

Sec. 358. Bank secrecy provisions and activities of United States intelligence agencies to fight international terrorism.

Sec. 359. Reporting of suspicious activities by underground banking systems.

Sec. 360. Use of authority of United States Executive Directors.

Sec. 361. Financial crimes enforcement network.

Sec. 362. Establishment of highly secure network.

Sec. 363. Increase in civil and criminal penalties for money laundering.

Sec. 364. Uniform protection authority for Federal Reserve facilities.

Sec. 365. Reports relating to coins and currency received in nonfinancial trade or business.

Sec. 366. Efficient use of currency transaction report system.

Subtitle C Currency Crimes and Protection

Sec. 371. Bulk cash smuggling into or out of the United States.

Sec. 372. Forfeiture in currency reporting cases.

Sec. 373. Illegal money transmitting businesses.

Sec. 374. Counterfeiting domestic currency and obligations.

Sec. 375. Counterfeiting foreign currency and obligations.

Sec. 376. Laundering the proceeds of terrorism.

Sec. 377. Extraterritorial jurisdiction.

TITLE IV PROTECTING THE BORDER

Subtitle A Protecting the Northern Border

Sec. 401. Ensuring adequate personnel on the northern border.

Sec. 402. Northern border personnel.

Sec. 403. Access by the Department of State and the INS to certain identifying information in the criminal history records of visa applicants and applicants for admission to the United States.

Sec. 404. Limited authority to pay overtime.

Sec. 405. Report on the integrated automated fingerprint identification system for ports of entry and overseas consular posts.

Subtitle B Enhanced Immigration Provisions

Sec. 411. Definitions relating to terrorism.

Sec. 412. Mandatory detention of suspected terrorists; habeas corpus; judicial review.

Sec. 413. Multilateral cooperation against terrorists.

Sec. 414. Visa integrity and security.

Sec. 415. Participation of Office of Homeland Security on Entry-Exit Task Force.

Sec. 416. Foreign student monitoring program.

Sec. 417. Machine readable passports.

Sec. 418. Prevention of consulate shopping.

Subtitle C Preservation of Immigration Benefits for Victims of Terrorism

Sec. 421. Special immigrant status.

Sec. 422. Extension of filing or reentry deadlines.

Sec. 423. Humanitarian relief for certain surviving spouses and children.

Sec. 424. `Age-out’ protection for children.

Sec. 425. Temporary administrative relief.

Sec. 426. Evidence of death, disability, or loss of employment.

Sec. 427. No benefits to terrorists or family members of terrorists.

Sec. 428. Definitions.

TITLE V REMOVING OBSTACLES TO INVESTIGATING TERRORISM

Sec. 501. Attorney General’s authority to pay rewards to combat terrorism.

Sec. 502. Secretary of State’s authority to pay rewards.

Sec. 503. DNA identification of terrorists and other violent offenders.

Sec. 504. Coordination with law enforcement.

Sec. 505. Miscellaneous national security authorities.

Sec. 506. Extension of Secret Service jurisdiction.

Sec. 507. Disclosure of educational records.

Sec. 508. Disclosure of information from NCES surveys.

TITLE VI PROVIDING FOR VICTIMS OF TERRORISM, PUBLIC SAFETY OFFICERS, AND THEIR FAMILIES

Subtitle A Aid to Families of Public Safety Officers

Sec. 611. Expedited payment for public safety officers involved in the prevention, investigation, rescue, or recovery efforts related to a terrorist attack.

Sec. 612. Technical correction with respect to expedited payments for heroic public safety officers.

Sec. 613. Public safety officers benefit program payment increase.

Sec. 614. Office of Justice programs.

Subtitle B Amendments to the Victims of Crime Act of 1984

Sec. 621. Crime victims fund.

Sec. 622. Crime victim compensation.

Sec. 623. Crime victim assistance.

Sec. 624. Victims of terrorism.

TITLE VII INCREASED INFORMATION SHARING FOR CRITICAL INFRASTRUCTURE PROTECTION

Sec. 711. Expansion of regional information sharing system to facilitate Federal-State-local law enforcement response related to terrorist attacks.

TITLE VIII STRENGTHENING THE CRIMINAL LAWS AGAINST TERRORISM

Sec. 801. Terrorist attacks and other acts of violence against mass transportation systems.

Sec. 802. Definition of domestic terrorism.

Sec. 803. Prohibition against harboring terrorists.

Sec. 804. Jurisdiction over crimes committed at U.S. facilities abroad.

Sec. 805. Material support for terrorism.

Sec. 806. Assets of terrorist organizations.

Sec. 807. Technical clarification relating to provision of material support to terrorism.

Sec. 808. Definition of Federal crime of terrorism.

Sec. 809. No statute of limitation for certain terrorism offenses.

Sec. 810. Alternate maximum penalties for terrorism offenses.

Sec. 811. Penalties for terrorist conspiracies.

Sec. 812. Post-release supervision of terrorists.

Sec. 813. Inclusion of acts of terrorism as racketeering activity.

Sec. 814. Deterrence and prevention of cyberterrorism.

Sec. 815. Additional defense to civil actions relating to preserving records in response to Government requests.

Sec. 816. Development and support of cybersecurity forensic capabilities.

Sec. 817. Expansion of the biological weapons statute.

TITLE IX IMPROVED INTELLIGENCE

Sec. 901. Responsibilities of Director of Central Intelligence regarding foreign intelligence collected under Foreign Intelligence Surveillance Act of 1978.

Sec. 902. Inclusion of international terrorist activities within scope of foreign intelligence under National Security Act of 1947.

Sec. 903. Sense of Congress on the establishment and maintenance of intelligence relationships to acquire information on terrorists and terrorist organizations.

Sec. 904. Temporary authority to defer submittal to Congress of reports on intelligence and intelligence-related matters.

Sec. 905. Disclosure to Director of Central Intelligence of foreign intelligence-related information with respect to criminal investigations.

Sec. 906. Foreign terrorist asset tracking center.

Sec. 907. National Virtual Translation Center.

Sec. 908. Training of government officials regarding identification and use of foreign intelligence.

TITLE X MISCELLANEOUS

Sec. 1001. Review of the department of justice.

Sec. 1002. Sense of congress.

Sec. 1003. Definition of `electronic surveillance’.

Sec. 1004. Venue in money laundering cases.

Sec. 1005. First responders assistance act.

Sec. 1006. Inadmissibility of aliens engaged in money laundering.

Sec. 1007. Authorization of funds for dea police training in south and central asia.

Sec. 1008. Feasibility study on use of biometric identifier scanning system with access to the fbi integrated automated fingerprint identification system at overseas consular posts and points of entry to the United States.

Sec. 1009. Study of access.

Sec. 1010. Temporary authority to contract with local and State governments for performance of security functions at United States military installations.

Sec. 1011. Crimes against charitable americans.

Sec. 1012. Limitation on issuance of hazmat licenses.

Sec. 1013. Expressing the sense of the senate concerning the provision of funding for bioterrorism preparedness and response.

Sec. 1014. Grant program for State and local domestic preparedness support.

Sec. 1015. Expansion and reauthorization of the crime identification technology act for antiterrorism grants to States and localities.

Sec. 1016. Critical infrastructures protection.

SEC. 2. CONSTRUCTION; SEVERABILITY.

Any provision of this Act held to be invalid or unenforceable by its terms, or as applied to any person or circumstance, shall be construed so as to give it the maximum effect permitted by law, unless such holding shall be one of utter invalidity or unenforceability, in which event such provision shall be deemed severable from this Act and shall not affect the remainder thereof or the application of such provision to other persons not similarly situated or to other, dissimilar circumstances.<–>

(a) SHORT TITLE.-This section may be cited as the “Cyber Security Enhancement Act of 2002”.

(b) AMENDMENT OF SENTENCING GUIDELINES RELATING TO CERTAIN COMPUTER CRIMES.-

(1) DIRECTIVE TO THE UNITED STATES SENTENCING COMMISSION.-Pursuant to its authority under section 994(p) of title 28, United States Code, and in accordance with this subsection, the United States Sentencing Commission shall review and, if appropriate, amend its guidelines and its policy statements applicable to persons convicted of an offense under section 1030 of title 18, United States Code.

(2) REQUIREMENTS.-In carrying out this subsection, the Sentencing Commission shall- (A) ensure that the sentencing guidelines and policy statements reflect the serious nature of the offenses described in paragraph (1), the growing incidence of such offenses, and the need for an effective deterrent and appropriate punishment to prevent such offenses;

(B) consider the following factors and the extent to which the guidelines may or may not account for them-

(i) the potential and actual loss resulting from the offense;

(ii) the level of sophistication and planning involved in the offense;

(iii) whether the offense was committed for purposes of commercial advantage or private financial benefit;

(iv) whether the defendant acted with malicious intent to cause harm in committing the offense;

(v) the extent to which the offense violated the privacy rights of individuals harmed;

(vi) whether the offense involved a computer used by the government in furtherance of national defense, national security, or the administration of justice;

(vii) whether the violation was intended to or had the effect of significantlyinterfering with or disrupting a critical infrastructure; and

(viii) whether the violation was intended to or had the effect of creating a threat to public health or safety, or injury to any person;

(C) assure reasonable consistency with other relevant directives and with other sentencing guidelines;

(D) account for any additional aggravating or mitigating circumstances that might justify exceptions to the generally applicable sentencing ranges;

(E) make any necessary conforming changes to the sentencing guidelines; and

(F) assure that the guidelines adequately meet the purposes of sentencing as set forth in section 3553(a)(2) of title 18, United States Code.

(c) STUDY AND REPORT ON COMPUTER CRIMES.- Not later than May 1, 2003, the United States Sentencing Commission shall submit a brief report to Congress that explains any actions taken by the Sentencing Commission in response to this section and includes any recommendations the Commission may have regarding statutory penalties for offenses under section 1030 of title 18, United States Code.

(d) EMERGENCY DISCLOSURE EXCEPTION.-

(1) IN GENERAL.-Section 2702(b) of title 18, United States Code, is amended-

(A) in paragraph (5), by striking “or” at the end;

(B) in paragraph (6)(A), by inserting “or” at the end;

(C) by striking paragraph (6)(C); and

(D) by adding at the end the following: “(7) to a Federal, State, or local governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.”.

(2) REPORTING OF DISCLOSURES.-A government entity that receives a disclosure under section 2702(b) of title 18, United States Code, shall file, not later than 90 days after such disclosure, a report to the Attorney General stating the paragraph of that section under which the disclosure was made, the date of the disclosure, the entity to which the disclosure was made, the number of customers or subscribers to whom the information disclosed pertained, and the number of communications, if any, that were disclosed. The Attorney General shall publish all such reports into a single report to be submitted to Congress 1 year after the date of enactment of this Act.

(e) GOOD FAITH EXCEPTION.-Section 2520(d)(3) of title 18, United States Code, is amended by inserting “or 2511(2)(i)” after “2511(3)”.

(f) INTERNET ADVERTISING OF ILLEGAL DEVICES.- Section 2512(1)(c) of title 18, United States Code, is amended-

(1) by inserting “or disseminates by electronic means” after “or other publication”; and

(2) by inserting “knowing the content of the advertisement and” before “knowing or having reason to know”.

(g) STRENGTHENING PENALTIES.-Section 1030(c) of title 18, United States Code, is amended-

(1) by striking “and” at the end of paragraph (3);

(2) in each of subparagraphs (A) and (C) of paragraph (4), by inserting “except as provided in paragraph (5),” before “a fine under this title”;

(3) in paragraph (4)(C), by striking the period at the end and inserting “; and”; and

(4) by adding at the end the following:

“(5)(A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection

(a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and

“(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.”.

(h) PROVIDER ASSISTANCE.-

(1) SECTION 2703.-Section 2703(e) of title 18, United States Code, is amended by inserting “, statutory authorization” after “subpoena”.

(2) SECTION 2511.-Section 2511(2)(a)(ii) of title 18, United States Code, is amended by inserting “, statutory authorization,” after “court order” the last place it appears.

(i) EMERGENCIES.-Section 3125(a)(1) of title 18, United States Code, is amended-

(1) in subparagraph (A), by striking “or” at the end;

(2) in subparagraph (B), by striking the comma at the end and inserting a semicolon; and

(3) by adding at the end the following:

“(C) an immediate threat to a national security interest; or

“(D) an ongoing attack on a protected computer (as defined in section 1030) that constitutes a crime punishable by a term of imprisonment greater than one year;”.