Cyber Security Enhancement Act (included as section 225 of the Homeland Security Act of 2002, Pub. L. No. 107-296).
The Act amended the USA PATRIOT Act to further loosen restrictions on Internet service providers (ISPs) as to when, and to whom, they can voluntarily release information about subscribers. The Act lowered the threshold for when ISPs may voluntarily divulge the content of communications. Now ISPs need only a “good faith” (instead of a “reasonable”) belief that there is an emergency involving danger (instead of “immediate” danger) of death or serious physical injury. The contents can be disclosed to “a Federal, state, or local governmental entity” (instead of a “law enforcement agency”).
Privacy Concerns
Privacy advocates are especially concerned about the language added by the Act. EPIC notes, for example, that allowing the contents of Internet communications to be disclosed voluntarily to any governmental entity not only poses increased risk to personal privacy, but also is a poor security strategy. Another concern is that the law does not provide for judicial oversight of the use of these procedures.
Sentencing guidelines
The Act also directed the U.S. Sentencing Commission to review and amend, if appropriate, guidelines and policy statements applicable to individuals convicted of offenses under the Computer Fraud and Abuse Act of 1986 (18 U.S.C. §1030). The Act requires the Commission, in carrying out the directive, to ensure that the relevant guidelines and policy statements reflect the serious nature and growing incidence of section 1030 offenses and the need for an effective deterrent and appropriate punishment. It also requires the Commission to consider the extent to which the following eight factors are or are not accounted for by the relevant guidelines:
- the potential and actual loss resulting from the offense;
- the level of sophistication and planning involved in the offense;
- whether the offense was committed for purposes of commercial advantage or private financial benefit;
- whether the defendant acted with malicious intent to cause harm in committing the offense;
- the extent to which the offense violated the privacy rights of individuals harmed;
- whether the offense involved a computer used by the government in furtherance of national defense, national security, or the administration of justice;
- whether the violation was intended to or had the effect of significantly interfering with or disrupting a critical infrastructure; and
- whether the violation was intended to or had the effect of creating a threat to public health or safety, or injury to any person.
Section 1030(a) violations are referred to four sentencing guidelines:
- §2B1.1 (Larceny, Embezzlement, and Other Forms of Theft; Offenses Involving Stolen Property; Property Damage or Destruction; Fraud and Deceit; Forgery; Offenses Involving Altered or Counterfeit Instruments Other than Counterfeit Bearer Obligations of the United States);
- §2B2.3 (Trespass);
- §2B3.2 (Extortion by Force or Threat of Injury or Serious Damage); and
- §2M3.2 (Gathering National Defense Information).
Convictions under sections 1030(a)(2) (unauthorized access to a computer to obtain information from a financial institution, the United States government or a protected computer); 1030(a)(4) (unauthorized access to a protected computer in furtherance of fraud); 1030(a)(5) (transmission of a program or code or unauthorized access resulting in damage); and 1030(a)(6) (trafficking in computer passwords) are all referenced to §2B1.1.
Convictions under section 1030(a)(1) (accessing and disseminating national defense or restricted information with reason to believe it could be used to the injury of the United States) are referred to §2M3.2.
Convictions under 18 U.S.C. § 1030(b) (attempts to commit violations of section 1030(a)) are referenced to §2X1.1 (Attempt, Solicitation, or Conspiracy).
- "U.S. Sentencing Commission" section: Increased Penalties for Cyber Security Offenses, at 2.