A draft cybersecurity bill circulating among House Judiciary Committee members would stiffen a computer hacking law used to bring charges against Internet activist Aaron Swartz.
The bill draft would tighten penalties for cyber crimes and establish a standard for when companies would have to notify consumers that their personal data has been hacked, according to a copy obtained by The Hill.
Such measures could spark concern among advocates outraged over the death of Swartz, the 26-year-old Internet activist and computer programmer who killed himself earlier this year while facing a possible 35-year prison term for hacking. Advocates have called on Congress to make changes to what they say is a draconian law that led to too harsh a prosecution of Swartz.
Swartz faced a fine of up to $1 million and up to 35 years in prison for charges that he broke into a university computer network and stole more than four million academic articles from a subscription service. His family believes the charges contributed to Swartz’s death.
It’s unclear which Judiciary members are sponsoring the draft bill, which is unnamed. A House Judiciary Committee aide said the bill is still in the early drafting stage and is being circulated to stakeholders for their feedback on possible changes.
While the draft proposal increases the maximum sentence a judge can impose for computer crimes, the aide noted that it's still up to a judge to determine the length of a sentence.
The aide said the proposed changes in the bill would likely not have changed how a federal judge calculated Swartz's sentence under the federal sentencing guidelines.
Orin Kerr, a law professor at George Washington University, wrote in a blog post that the draft bill is similar to another measure Senate Judiciary Chairman Patrick Leahy (D-Vt.) introduced in Nov. 2011. Kerr was critical of Leahy's bill, arguing that it was written too broadly.
"In short, this is a step backward, not a step forward," Kerr writes about the new bill draft. "This is a proposal to give [Justice Department] what it wants, not to amend the CFAA in a way that would narrow it."
Momentum for cybersecurity legislation has increased in recent weeks amid alarms from top administration officials about hacker attacks on American companies and key infrastructure. Lawmakers and government officials have raised concern about reports of Chinese hackers siphoning valuable intellectual property and trade secrets from American companies.
Several House committees are teeing up bills that could come to the House floor as early as next month.
Key language in the draft bill would modify the Computer Fraud and Abuse Act to state that an attempt or conspiracy to conduct computer fraud or a related crime “is punishable to the same extent as a completed offense.”
It also proposes to amend the law so it would crack down on people who gain unauthorized access to a computer and obtain “sensitive or non-public information of an entity or another individual,” including “medical records, wills, diaries, private correspondence ... photographs of a sensitive and private nature, trade secrets, or sensitive or non-public commercial business information.”
People would also run afoul of the law if they gain unauthorized access to a computer and the offense involves information that “exceeds $5,000 in value.” Some concerns have been raised about how that threshold has been set and who determines the value of the accessed information.
Additionally, the draft bill would allow authorities to seize “real property used or intended to be used” to commit or facilitate a cyber crime.
The first section of the bill targets foreign economic espionage. It proposes to stiffen the penalties for hackers that steal intellectual property from U.S. companies by raising the statutory maximum punishment for economic espionage offenses to 20 years from 15 years.
The draft bill would also create a new section in the anti-hacking law that is focused on punishing those who attempt to cause damage or inflict damage on a computer that powers critical infrastructure, such as water supply systems or telecommunications networks. It would impose a maximum 30-year sentence; a person convicted of violating that section would be ineligible for probation.
The final section of the draft bill establishes a data breach notification standard, which tells companies when they need to notify consumers about data breaches on their computer systems. The White House has called for a federal data breach notification standard to replace the patchwork of laws used by various states.
The draft bill would require companies that acquire, store or use personal information to report a security breach to their customers within 14 days. That number is bracketed in the bill draft and is therefore subject to change.
If a company suffers a massive data breach, the draft bill would require it to notify the FBI or Secret Service within 72 hours. That number is also bracketed in the draft bill.
Additionally, third parties and service providers would also be required to notify a company about a breach.
This story was last updated at 6:03 p.m.