CFAA TIMELINE

This website contains a timeline of failed, passed, and in discussion amendments of the CFAA. The timeline can be view in 2d or 3d by clicking on the little circle in the bottom left hand corner of the page.

Categories;xNLx;;xNLx;Red events = H.R. Introduced;xNLx;;xNLx;Blue event = Passed House;xNLx;;xNLx;Green events = Became Law;xNLx;;xNLx;Orange events = S. Introduced;xNLx;;xNLx;Yellow events = Passed Senate;xNLx;;xNLx;Purple events = Resolving Differences

1984-03-18 22:59:03

H.R.5112 - COUNTERFEIT ACCESS DEVICE AND COMPUTER FRAUD AND ABUSE ACT OF 1984

Introduced by Rep. Hughes, William J. [D-NJ-2] on 3/13/1984 Status: Failed Summary Provides for an additional offense of using a computer without authorization with the intent to execute a scheme to defraud. Prohibits the unauthorized use of a computer when such conduct modifies or discloses information or prevents the use of such computer and obtains anything of value or creates a loss to another of a value of $5,000 or more during any one year. Grants authority to the U.S. Secret Service to investigate offenses under this Act. Definitions loss to another of a value of $5,000 or more during any one year Sentencing No attorney general reporting/ loss to another of a value of $5,000.00 or more during any one year was included/ no offense for attempted conspiracy/ and no increase in penalties

1984-05-08 22:59:03

H.R.5616 - COMPUTER TRESPASS ACT OF 1984

Introduced by Rep. Hughes, William J. [D-NJ-2] on 5/8/1984 Status: Failed Summary: New section of trespass in connection with computers. Makes it a criminal offense to knowingly access a computer without authorization or to access a computer with authorization for unauthorized purposes and obtain certain information classified under the Atomic Energy Act of 1954 or certain financial records covered by the Right to Financial Privacy Act of 1978. Prohibits the unauthorized use of a computer when such conduct modifies, destroys, discloses information or prevents the authorized use of a computer operated for or on behalf of the U.S. government. Makes it an offense to attempt to commit or to be a party to a conspiracy to commit such an offense." Grants authority to the U.S. Secret Service to investigate offenses under this Act. Requires the Attorney General to report annually to Congress about prosecutions under this Act during the first three years after its enactment. Sentencing: Increases the penalty for subsequent offenses Added increase in penalties/reports by the attorney general/ crime for attempted conspiracy/// removed $5,000 loss or more during any one year requirement

1984-05-21 22:59:03

H.R.5690 - ANTI-CRIME ACT OF 1984

Introduced by Rep. Rodino, Peter W., Jr. [D-NJ-10] on 5/21/1984 Status: Failed Summary: Establishes an additional offense of using a computer without authorization or using a computer with authorization for unauthorized purposes with the intent to execute a scheme to defraud, if such conduct obtains: (1) anything of value aggregating $5,000 or more, or creates a loss of $5,000 or more, during any year; (2) classified information; or (3) certain financial records. Prohibits the unauthorized use of a computer when such conduct modifies, destroys, discloses information or prevents the authorized use of a computer operated for or on behalf of the U.S. government. Makes it an offense to attempt to commit or to be a party to a conspiracy to commit such an offense. Grants authority to the U.S. Secret Service to investigate offenses under this Act. Requires the Attorney General to report annually to Congress about prosecutions under this Act during the first three years after its enactment. Sentencing: Increases the penalty for subsequent offenses. Reinstitutes the $5,000 loss threshold.

1984-07-25 22:59:03

S.2864 - COMPUTER FRAUD AND ABUSE ACT OF 1984

Introduced by Sen. Specter, Arlen [R-PA] on 7/25/1984 Status: Failed Summary: Amends the federal criminal code to establish a federal offense of using a computer without authorization or using a computer with authorization for unauthorized purposes with the intent to execute a scheme to defraud, if such conduct obtains: (1) anything of value aggregating $5,000 or more, or creates a loss of $5,000 or more, during any year; (2) classified information; or (3) certain financial records. Prohibits the unauthorized use of a computer when such conduct modifies, destroys, discloses information or prevents the authorized use of a computer operated for or on behalf of the U.S. government. Makes it an offense to attempt to commit or to be a party to a conspiracy to commit such an offense. Grants authority to the U.S. Secret Service to investigate offenses under this Act. Requires the Attorney General to report annually to Congress about prosecutions under this Act during the first three years after its enactment. Sentencing: Increases the penalty for subsequent offenses.

1984-09-17 22:59:03

H.J.RES.648 - COUNTERFEIT ACCESS DEVICE AND COMPUTER FRAUD AND ABUSE ACT OF 1984

Introduced by Rep. Whitten, Jamie L. [D-MS-1] on 09/17/1984 Status: Became law on 10/12/1984 The statute was first enacted in 1984 as the “Counterfeit Access Device and Computer Fraud and abuse Act of 1984”. Prior to 1984, law enforcement relied on mail and wire fraud statutes to fight computer crime. These types of statutes depended on interstate commerce and states did not have any significant remedies to combat computer-based crime. The 1984 Act was enacted for the narrow purpose of protecting computers used by the federal government. Even more limiting, it only provided protection against harm committed through unauthorized access, while offering no remedy for harms caused through authorized access. There was, therefore, a loophole where either: authorized persons caused harm to protected computer systems; or unauthorized persons gave codes or software to authorized persons who loaded them into their computers. Scope: Amends the federal Criminal Code to establish a new offense of fraud in connection with computers. Makes it a criminal offense to knowingly access a computer without authorization or to access a computer with authorization for unauthorized purposes and obtain certain information classified under the Atomic Energy Act of 1954 or certain financial records covered by the Right to Financial Privacy Act of 1978. Prohibits the unauthorized use of a computer when such conduct modifies, destroys, discloses information or prevents the authorized use of a computer operated for or on behalf of the U.S. government. Makes it an offense to attempt to commit or to be a party to a conspiracy to commit such an offense. Grants authority to the U.S. Secret Service to investigate offenses under this Act. Requires the Attorney General to report annually to Congress about prosecutions under this Act during the first three years after its enactment. Sentencing: Increases the penalty for subsequent offenses. Removes: $5,000 loss/ intent to defraud //Changes from intent to knowingly// Adds a required purpose.

1985-02-06 22:59:03

H.R.1001 - COUNTERFEIT ACCESS DEVICE AND COMPUTER FRAUD AND ABUSE ACT OF 1985

Introduced by Rep. Hughes, William J. [D-NJ-2] on 2/6/1985 Status: Failed Summary: Computer Fraud and Abuse Act of 1985 - Amends the federal criminal code to provide penalties for any person who accesses a computer without authorization or with authorization for purposes to which such authorization does not extend and either obtains anything or causes a loss of a value aggregating $5,000. No exemption for law enforcement agencies or intelligence activities// no change in the scienter requirement/ no change in definitions Sentencing: Establishes penalties for knowingly accessing a computer with the intent to defraud and by such conduct obtaining anything of value aggregating $5,000.

1986-04-30 22:59:03

H.R.4718 - COMPUTER FRAUD AND ABUSE ACT OF 1986

Introduced by Rep. Hughes, William J. [D-NJ-2] on 04/30/1986 Status: Became law on 10/16/1986 The extensive 1986 amendments gave the statute its current name: Computer Fraud and Abuse Act (“CFAA”). Congress expanded the statute's scope by modifying existing crimes, adding new offenses, changing intent requirements, and adding definitions. Several changes were made to remove accidental access and the use of legitimately obtained information from the CFAA's scope. Additionally, Congress added a subsection to define key terms and expand the definition of "federal interest computer." Despite the statute's increased scope, its premise remained the same and Congress kept the CFAA's jurisdiction limited to crimes involving a compelling federal interest. This was defined as including harm done to computers of the federal government or certain financial institutions, or where the crime itself was interstate in nature. Scope: ●Creates new federal criminal offenses of: (1) property theft by computer occurring as part of a scheme to defraud; (2) altering, damaging, or destroying information in, or preventing the authorized use of, a federal interest computer; and (3) trafficking in computer access passwords. ●Eliminates the special conspiracy provisions for computer crimes. (Such conspiracies shall be treated under the general federal conspiracy statutes.) ●Exempts authorized law enforcement or intelligence activities. Definitions: ●Amends the federal criminal code to change the scienter requirement from "knowingly" to "intentionally" for certain offenses regarding accessing the computer files of another. ●Revises the definition of "financial institution" to which the financial record provisions of computer fraud law apply. Applies such provisions to any financial records (including those of corporations and small businesses), not just those of individuals and certain partnerships. Sentencing: ●Modifies existing federal law regarding accessing federal computers. Makes the basic offense trespass. Removes criminal liability for exceeding (without the intent to defraud) authorized access to a federal computer in one's own department or agency. ●Amends penalty provisions to remove the cap on fines for certain computer crimes.

1989-03-06 22:59:03

H.R.1278 - FINANCIAL INSTITUTIONS REFORM, RECOVERY, AND ENFORCEMENT ACT OF 1989

Introduced by Rep. Gonzalez, Henry B. [D-TX-20] on 03/06/1989 Status: Became law on 08/09/1989 Scope: ●Expanded protection to additional financial institutions

1990-04-19 10:16:13

S.2476 - COMPUTER ABUSE AMENDMENTS ACT OF 1990

ntroduced by Sen. Leahy, Patrick J. [D-VT] on 4/19/1990 Status: Failed Summary: ●Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. ●Requires the Attorney General to report to the Congress annually during the first three years following the date of enactment of this Act concerning prosecutions under this Act. Definitions: ●"Repeals provisions which exclude automated typewriters and typesetters, portable hand held calculators, and similar devices from the definition of ""computer."" ●Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that ""adversely"" affect such use." Sentencing: ●Makes such offense punishable by a fine and up to five years in prison. ●Sets forth parallel provisions with respect to recklessly transmitting a destructive computer program or code. Makes such offense a misdemeanor, punishable by a fine and imprisonment for up to one year. ●Creates a civil cause of action for compensatory or injunctive relief for persons suffering damage or loss by virtue of a violation of this Act. Limits damages to economic damages, except for medical records violations. Sets a statute of limitations of two years from the date of the act complained of, or from the date of discovery of the damage.

1990-10-27 10:16:13

S.3266 - FINANCIAL INSTITUTIONS ANTI-FRAUD ENFORCEMENT ACT OF 1990

Introduced by Sen. Biden, Joseph R., Jr. [D-DE] on 10/27/1990 Status: Became law on 11/29/1990 Scope: ●Expanded protection to additional financial institutions

1991-06-06 10:16:13

S.1241 - BIDEN-THURMOND VIOLENT CRIME CONTROL ACT OF 1991

Introduced by Sen. Biden, Joseph R., Jr. [D-DE] on 6/6/1991 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. Definitions: "Repeals provisions which exclude automated typewriters and typesetters, portable hand held calculators, and similar devices from the definition of ""computer."" Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that ""adversely"" affect such use." Sentencing: Makes such offense punishable by a fine and up to five years in prison. Sets forth parallel provisions with respect to recklessly transmitting a destructive computer program or code. Makes such offense a misdemeanor, punishable by a fine and imprisonment for up to one year. Creates a civil cause of action for compensatory or injunctive relief for persons suffering damage or loss by virtue of a violation of this Act. Limits damages to economic damages, except for medical records violations. Sets a statute of limitations of two years from the date of the act complained of, or from the date of discovery of the damage. Requires the Attorney General to report to the Congress annually during the first three years following the date of enactment of this Act concerning prosecutions under this Act.

1991-06-18 10:16:13

S.1322 - COMPUTER ABUSE AMENDMENTS ACT OF 1991

Introduced by Sen. Leahy, Patrick J. [D-VT] on 6/18/1991 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. Requires the Attorney General to report to the Congress annually during the first three years following the date of enactment of this Act concerning prosecutions under this Act. Definitions: "Repeals provisions which exclude automated typewriters and typesetters, portable hand held calculators, and similar devices from the definition of ""computer."" Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that ""adversely"" affect such use." Sentencing: Makes such offense punishable by a fine and up to five years in prison. Sets forth parallel provisions with respect to recklessly transmitting a destructive computer program or code. Makes such offense a misdemeanor, punishable by a fine and imprisonment for up to one year. Creates a civil cause of action for compensatory or injunctive relief for persons suffering damage or loss by virtue of a violation of this Act. Limits damages to economic damages, except for medical records violations. Sets a statute of limitations of two years from the date of the act complained of, or from the date of discovery of the damage.

1991-07-29 10:16:13

S.1579 - TELEPHONE DISCLOSURE AND DISPUTE RESOLUTION ACT

Introduced by Sen. Inouye, Daniel K. [D-HI] on 7/29/1991 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. Requires the Attorney General and the Secretary of the Treasury to report to the Congress annually during the first three years following the date of enactment of this Act concerning prosecutions under this Act. Definitions: Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that "adversely" affect such use. Sentencing: Makes such offense punishable by a fine and up to five years in prison. Sets forth parallel provisions with respect to recklessly transmitting a destructive computer program or code. Makes such offense a misdemeanor, punishable by a fine and imprisonment for up to one year. Creates a civil cause of action for compensatory or injunctive relief for persons suffering damage or loss by virtue of a violation of this Act. Limits damages to economic damages, except for medical records violations. Sets a statute of limitations of two years from the date of the act complained of, or from the date of discovery of the damage.

1991-09-23 10:16:13

H.R.3371 - VIOLENT CRIME CONTROL AND LAW ENFORCEMENT ACT OF 1991

Introduced by Rep. Brooks, Jack B. [D-TX-9] on 9/23/1991 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. Requires the Attorney General to report to the Congress annually during the first three years following the date of enactment of this Act concerning prosecutions under this Act. Definitions: Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that "adversely" affect such use. Sentencing: Makes such offense punishable by a fine and up to five years in prison. Sets forth parallel provisions with respect to recklessly transmitting a destructive computer program or code. Makes such offense a misdemeanor, punishable by a fine and imprisonment for up to one year. Creates a civil cause of action for compensatory or injunctive relief for persons suffering damage or loss by virtue of a violation of this Act. Limits damages to economic damages, except for medical records violations. Sets a statute of limitations of two years from the date of the act complained of, or from the date of discovery of the damage.

1992-03-03 10:16:13

S.2305 - CRIME CONTROL ACT OF 1992

Introduced by Sen. Thurmond, Strom [R-SC] on 3/3/1992 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. Requires the Attorney General to report to the Congress annually during the first three years following the date of enactment of this Act concerning prosecutions under this Act. Definitions: Repeals provisions which exclude automated typewriters and typesetters, portable hand held calculators, and similar devices from the definition of ""computer." Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that ""adversely"" affect such use. Sentencing: Makes such offense punishable by a fine and up to five years in prison. Sets forth parallel provisions with respect to recklessly transmitting a destructive computer program or code. Makes such offense a misdemeanor, punishable by a fine and imprisonment for up to one year. Creates a civil cause of action for compensatory or injunctive relief for persons suffering damage or loss by virtue of a violation of this Act. Limits damages to economic damages, except for medical records violations. Sets a statute of limitations of two years from the date of the act complained of, or from the date of discovery of the damage.

1992-10-05 10:16:13

S.3349 - BIDEN-THURMOND JUSTICE IMPROVEMENTS ACT

Introduced by Sen. Biden, Joseph R., Jr. [D-DE] on 10/5/1992 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. Requires the Attorney General to report to the Congress annually during the first three years following the date of enactment of this Act concerning prosecutions under this Act. Definitions: Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that "adversely" affect such use. Sentencing: Makes such offense punishable by a fine and up to five years in prison. Sets forth parallel provisions with respect to recklessly transmitting a destructive computer program or code. Makes such offense a misdemeanor, punishable by a fine and imprisonment for up to one year. Creates a civil cause of action for compensatory or injunctive relief for persons suffering damage or loss by virtue of a violation of this Act. Limits damages to economic damages, except for medical records violations. Sets a statute of limitations of two years from the date of the act complained of, or from the date of discovery of the damage.

1992-10-06 10:16:13

H.R.6201 - BIDEN-THURMOND JUSTICE IMPROVEMENTS ACT

Introduced by Rep. Schumer, Charles E. [D-NY-10] on 10/6/1992 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. Sets forth parallel provisions with respect to recklessly transmitting a destructive computer program or code. Makes such offense a misdemeanor, punishable by a fine and imprisonment for up to one year. Requires the Attorney General to report to the Congress annually during the first three years following the date of enactment of this Act concerning prosecutions under this Act. Definitions: Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that "adversely" affect such use. Sentencing: Makes such offense punishable by a fine and up to five years in prison. Creates a civil cause of action for compensatory or injunctive relief for persons suffering damage or loss by virtue of a violation of this Act. Limits damages to economic damages, except for medical records violations. Sets a statute of limitations of two years from the date of the act complained of, or from the date of discovery of the damage.

1993-01-21 10:16:13

S.8 - CRIME CONTROL ACT OF 1993

Introduced by Sen. Hatch, Orrin G. [R-UT] on 1/21/1993 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period, or modifies or impairs the medical care of any individual. Sentencing: Creates a civil cause of action for persons suffering damage or loss by virtue of a violation of this Act.

1993-08-03 10:16:13

H.R.2847 - CRIME CONTROL ACT OF 1993

Introduced by Rep. Sensenbrenner, F. James, Jr. [R-WI-9] on 8/3/1993 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. Makes it a misdemeanor to recklessly transmit a destructive computer program or code. Definitions: Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that "adversely" affect such use. Sentencing: Creates a civil cause of action for persons suffering damage or loss by virtue of a violation of this Act.

1993-09-23 10:16:13

H.R. 3131 - VIOLENT CRIME CONTROL AND LAW ENFORCEMENT ACT OF 1993

Introduced by Rep. Brooks, Jack B. [D-TX-9] on 9/23/1993 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program, code, or command with intent to damage a computer system or information contained within a computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. Makes it a misdemeanor to recklessly transmit a destructive computer program, code, or command. Creates a civil cause of action for persons suffering damage or loss by virtue of a violation of this Act. Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that "adversely" affect such use.

1993-09-23 10:16:13

S.1488 - VIOLENT CRIME CONTROL AND LAW ENFORCEMENT ACT OF 1993

Introduced by Sen. Biden, Joseph R., Jr. [D-DE] on 9/23/1993 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of any individual. Makes it a misdemeanor to recklessly transmit a destructive computer program or code.

1993-10-26 10:16:13

H.R. 3355 - COMPUTER ABUSE AMENDMENTS ACT OF 1994

Introduced by Rep. Brooks, Jack B. [D-TX-9] on 10/26/1993 Status: Became law on 09/13/1994 Until 1994, the CFAA was the main federal computer crime statute. Under the original CFAA, only criminal penalties - specifically, fines and imprisonment - were available, but the Computer Abuse Amendments Act of 1994 (“CAAA”) added civil remedies such as compensatory damages and equitable or injunctive relief. The amendments also extended protection to incorporate damage or loss inflicted not only by outsiders, but also insiders or other authorized users, and further classified certain types of reckless conduct and intentional acts as criminal. Congress also amended the CFAA so that it protected any “computer used in interstate commerce or communication” rather than a “federal interest computer.” Congress’s purpose for the change was to include certain non-government computers that Congress believed warranted federal protection. While the CFAA pre–1994 was directed toward the unauthorized access of a computer system, the post–1994 statute broadened the prescribed range of conduct to include transmissions. The focus became the defendant's harmful intent and resulting harm, rather than on the technical concept of computer access and authorization, with the option for civil remedy. Scope: ●Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program, code, or command with intent to damage a computer system or information contained within a computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. ●Makes it a misdemeanor to recklessly transmit a destructive computer program, code, or command. ●Creates a civil cause of action for persons suffering damage or loss by virtue of a violation of this Act. ●Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that "adversely" affect such use.

1993-11-01 10:16:13

S.1607 - VIOLENT CRIME CONTROL AND LAW ENFORCEMENT ACT OF 1993

Introduced by Sen. Biden, Joseph R., Jr. [D-DE] on 11/01/1993 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. Makes it a misdemeanor to recklessly transmit a destructive computer program or code. Creates a civil cause of action for persons suffering damage or loss by virtue of a violation of this Act. Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that "adversely" affect such use.

1995-12-21 10:16:13

S.1495 - CRIME PREVENTION ACT OF 1995

Introduced by Sen. Kyl, Jon [R-AZ] on 12/21/1995 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to penalize individuals who knowingly access a computer without authorization or exceeding authorized access and obtain: (1) certain restricted data or information (data) and, with reason to believe that such data could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicate, deliver, or transmit such data to any person not entitled to receive it or willfully retain and fail to deliver it to the U.S. officer or employee entitled to receive it; (2) information from any U.S. department or agency (department); or (3) information from any protected computer if the conduct involved an interstate or foreign communication. (Sec. 1303) Modifies such Act to penalize persons who intentionally, without authorization, access any computer of a U.S. department: (1) where such computer is exclusively for the use of the Government; or (2) where such conduct affects use by or for the Government. (Sec. 1304) Increases penalties for: (1) significant unauthorized use of a computer system; and (2) those who have previously violated such Act. (Sec. 1305) Modifies such Act to penalize individuals who, without authorization, intentionally or recklessly cause damage to a protected computer. (Sec. 1306) Makes unlawful the transmission in interstate or foreign commerce of threats directed against computers and computer networks with intent to extort any thing of value. (Sec. 1308) Revises such Act to limit damages to economic damages where the violation causes a loss of $1,000 or more during any one-year period (but sets no limit where damages are imposed for violations that modified or impaired, or potentially modified or impaired, the medical examination, diagnosis, or treatment of a person). (Sec. 1309) Repeals a requirement that the Attorney General and the Secretary of the Treasury report annually to the Congress concerning specified computer crime investigations and prosecutions. (Sec. 1310) Directs the Commission to review existing sentencing guideline levels for fraud and related activity in connection with computers and to amend such guidelines to ensure that individuals convicted of specified offenses under such Act are incarcerated for at least one year. (Sec. 1311) Provides for asset forfeiture for fraud and related activity in connection with computers.

1996-06-26 10:16:13

H.R. 3723 - NATIONAL INFORMATION INFRASTRUCTURE PROTECTION ACT OF 1996

Introduced by Rep. McCollum, Bill [R-FL-8] on 06/26/1996 Status: Became law on 10/11/1996 The National Information Infrastructure Protection Act (“NIIPA”) significantly amended the CFAA in 1996. Passed as part of the Economic Espionage Act, the NIIPA’s overall purpose is to bridge privacy gaps in the CFAA and address confidentiality, integrity, and security, of computer data and networks as Congress expressed a continued concern regarding the proliferation of worms, viruses, and other malicious codes. First, the NIIPA criminalized unauthorized access of computer files that would result in transmission of classified government information.4 Second, it prohibited the extraction of information from financial institutions, the US government, or private-sector computers that are used in interstate commerce. Third, it disallowed the intentional and unauthorized access of non-public computers in US governmental departments or agencies.5 Fourth, it banned accessing protected computers without permission for the purposes of defrauding or obtaining material of value, unless a defendant can prove the resulting damages amounted to less than $5,000. Other sections of NIIPA regulate hacking, forbid password trafficking with the intent to defraud, and intensified sentencing guidelines. Prior to NIIPA, only repeat offenders who committed the same crime were subject to enhanced sentences; however, NIIPA treats anyone who violates its provisions as a recidivist.6 Scope: ●Revises Federal criminal code provisions regarding fraud and related activity in connection with computers. Sets penalties with respect to anyone who having knowingly accessed a computer without authorization or exceeding authorized access, obtains specified restricted information or data and, with reason to believe that such information could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, or transmits it to any person not entitled to receive it (or causes or attempts such communication) or willfully retains it and fails to deliver it to the U.S. officer or employee entitled to receive it. Sentencing: ●Sets penalties for: (1) intentionally accessing a computer without authorization or exceeding authorized access and thereby obtaining information from any U.S. department or agency, or from any protected computer if the conduct involved an interstate or foreign communication; (2) intentionally accessing, without authorization, any computer of a U.S. department or agency that is exclusively for use by or for the U.S. Government or, in the case of a computer not exclusively for such use, that is used by or for the U.S. Government if such conduct affects the use of the Government's operation of such computer; (3) knowingly, and with intent to defraud, accessing a protected computer without authorization or exceeding authorized access and furthering the intended fraud and obtaining anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any one-year period; (4) knowingly causing the transmission of a program, information, code, or command and, as a result, intentionally causing damage without authorization to a protected computer, intentionally accessing a protected computer without authorization and recklessly causing damage, or intentionally accessing a protected computer without authorization and causing damage; and (5) transmitting in interstate or foreign commerce any communication containing a threat to cause damage to a protected computer with intent to extort from any person or legal entity any thing of value. ●Increases penalties for fraud and related activity in connection with computers.

2000-04-13 10:16:13

S.2451 - A BILL TO INCREASE CRIMINAL PENALTIES FOR COMPUTER CRIMES, ESTABLISH A NATIONAL COMMISSION ON CYBERSECURITY, AND FOR OTHER PURPOSES

Introduced by Sen. Hutchison, Kay Bailey [R-TX] on 4/13/2000 Status: Failed Summary: Rewrites provisions of the Computer Fraud and Abuse Act of 1986 regarding fraud and related activity in connection with computers to: (1) broaden the scope of the Act (to repeal certain limitations on its scope and to include ""causing damage""); and (2) double the penalties for the commission of such fraud or related activity under various specified circumstances. Establishes the National Commission on Cybersecurity. Directs the Commission to study the incidents of computer crimes and the need for enhanced methods of combating computer crimes. Sets forth reporting requirements. Definitions: Redefines "damage" for purposes of the Act to include causing loss or interruption of service to the general public.

2000-04-13 10:16:13

S.2430 - INTERNET SECURITY ACT OF 2000

Introduced by Sen. Leahy, Patrick J. [D-VT] on 4/13/2000 Status: Failed Summary: Amends the Computer Fraud and Abuse Act of 1986 (the Act) to set forth penalties for unlawfully accessing to commit fraud, and damaging, a protected computer where that conduct: (1) causes a loss aggregating at least $5,000 in value during a one-year period to one or more individuals; (2) modifies or impairs the medical examination, diagnosis, treatment, or care of one or more individuals; (3) causes physical injury to any person; or (4) threatens public health or safety. Includes attempted offenses within the scope of the Act. Provides for the forfeiture to the United States of the offender's interest in any: (1) personal property used to commit or facilitate the offense; and (2) real or personal property that constitutes or is derived from proceeds traceable to a violation. Limits ""losses"" (currently, ""damages for violations involving damage"") to economic damages. Defines ""loss"" to include: (1) the reasonable costs to any victim of responding to the offense, conducting a damage assessment, and restoring the system and data; and (2) any lost revenue or costs incurred by the victim as a result of interruption of service. Specifies that property subject to forfeiture, any seizure and disposition of property, and any administrative or judicial proceeding in relation thereto shall be governed by the Comprehensive Drug Abuse Prevention and Control Act of 1970. (Sec. 3) Expresses the sense of Congress that: (1) acts that damage computers used in the delivery of critical infrastructure services pose a serious threat to public health and safety and have the potential to cause losses to victims; and (2) the Government should have jurisdiction to investigate acts affecting protected computers, even if the effects of such acts occur wholly outside the United States. (Sec. 4) Directs the United States Sentencing Commission to amend the federal sentencing guidelines to ensure that any individual convicted of a violation of the Act regarding the accessing of a protected computer under specified unlawful circumstances can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment. (Sec. 5) Directs the court, with respect to any person convicted of trafficking in counterfeit computer labels, program documentation, or packaging, to order the forfeiture and destruction or other disposition of anything used to copy or produce the computer program or other item to which the counterfeit label was affixed. (Sec. 7) Rewrites federal criminal code provisions regarding pen registers and trap and trace devices to authorize the court, with respect to requests from an attorney for the Government or a State law enforcement or investigative officer, to enter an order authorizing the installation and use of such a device if the court finds that the information likely to be obtained is relevant to an ongoing criminal investigation. Requires that the use of the device be conducted in such a way as to minimize the recording or decoding of any electronic or other impulses that are not related to the dialing and signaling information utilized in processing by the service provider upon whom the order is served. (Sec. 8) Revises the definition of ""pen register"" to: (1) mean a device or process that records or decodes electronic or other impulses that identify the telephone numbers or electronic addresses dialed or otherwise transmitted by an instrument or facility from which a wire or electronic communication is transmitted and used for purposes of identifying the destination or termination of such communication by the service provider upon which the order is served; and (2) exclude any device or process used by a provider or customer of a wire or electronic communication service for billing or recording as an incident to billing for communications services or for cost accounting or other like purposes in the ordinary course of its business. (Sec. 9) Requires that the Attorney General's annual report to Congress regarding pen register and trap and trace devices include information concerning: (1) the period of interceptions authorized by the order and the number and duration of any extensions of the order; (2) the offense specified in the order, application, or extension; (3) the number of investigations involved; (4) the number and nature of the facilities affected; and (5) the identity of the applying investigative or law enforcement agency making the application and the person authorizing the order. (Sec. 10) Rewrites code provisions regarding the interception and disclosure of wire, oral, or electronic communications to permit a person acting under color of law to intercept: (1) a wire, oral, or electronic communication if such person is a party to the communication or if one of the parties to the communication has given prior consent to such interception; and (2) a wire or electronic communication if the transmission is causing harmful interference to a lawfully operating computer system, if any person who is not a provider of service to the public and who is authorized to use the facility from which the wire or electronic communication is to be intercepted has given prior consent to the interception, and if the interception is conducted only to the extent necessary to identify the source of the harmful interference. (Sec. 11) Requires the Attorney General's annual reports to the Administrative Office of the United States Courts to include the number of orders in which encryption was encountered and whether such encryption prevented law enforcement from obtaining the plain text of communications intercepted. (Sec. 12) Directs the Assistant Attorney General for the Department of Justice's Office of Justice Programs to make a grant to each State to: (1) assist State and local law enforcement in enforcing State and local criminal laws relating to computer crime and in educating the public to prevent and identify computer crime; (2) assist in educating and training State and local law enforcement officers and prosecutors to conduct investigations and forensic analyses of evidence and prosecutions of computer crime; (3) assist State and local law enforcement officers and prosecutors in acquiring computer and other equipment to conduct investigations and forensic analysis of evidence of computer crimes; and (4) facilitate and promote the sharing of federal law enforcement expertise and information about the investigation, analysis, and prosecution of computer crimes with State and local law enforcement officers and prosecutors, including the use of multi-jurisdictional task forces. Sets forth provisions regarding use of grant amounts, required State assurances to be eligible to receive a grant, and matching funds. Authorizes appropriations. Authorizes the Attorney General to use amounts made available herein to make grants to Indian tribes.

2001-10-23 10:16:13

H.R.3162 - UNITING AND STRENGTHENING AMERICA BY PROVIDING APPROPRIATE TOOLS REQUIRED TO INTERCEPT AND OBSTRUCT TERRORISM (USA PATRIOT ACT) ACT OF 2001

Introduced by Rep. Sensenbrenner, F. James, Jr. [R-WI-9] on 10/23/2001 Status: Became law on 10/26/2001 The USA PATRIOT Act of 2001 was signed into law on October 26, 2001, just six weeks after the attacks of September 11, 2001. 25 The primary stated purposes of the USA PATRIOT Act are to "deter and punish terrorist acts in the United States and around the world [and] to enhance law enforcement investigatory tools … ." 31 The USA PATRIOT Act fulfills its purposes mainly by increasing the scope and penalties of pre-existing statutes. 32 Section 814 of the USA PATRIOT Act added subsections and amended existing provisions of the CFAA in a number of significant ways. Notably, the definitions of “protected computer”, “damage”, and “loss” were broadened; The effect of the change "is to prohibit and punish crimes under this section that cause minimal damage and to increase the punishment for crimes causing significant damage." 70 By extending the definition of "damages" and "protected computer," Congress has effectively given the United States Secret Service and other governmental agencies greater jurisdiction to investigate computer crimes. 78 The USA PATRIOT Act also strengthened the punishment 82 [932] [933] for violation or attempted violation 83 of subsection (a). TheAct "directs the U.S. Sentencing Commission to amend the U.S.S.G. to ensure that individuals convicted under 18 U.S.C. 1030 "can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment.'" 84 It also strengthened the punishment in part by stating that the word "conviction" includes any conviction under state law. 85 Scope: ●Included state law offenses as priors for sentencing. ●Allowed the aggregate damages to different computers over a year to count toward the $5,000 threshold. ●Deemed that perpetrators needed to only have general intent to cause damage, not a specific intent to cause damage or other specified harm over the $5,000 statutory damage threshold. ●Enhanced punishment for violations involving any amount of damage to a government computer involved in criminal justice or the military (not simply damage worth $5000). ●Included damage to foreign computers involved in US interstate commerce. Definitions: ●Added to the definition of "protected computers" any "computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States." ●Broadened the definition of “damage” to prohibit and punish crimes that cause minimal damage and to increase the punishment for crimes causing significant damage. ●Broadened the definition of “loss” to explicitly include time spent investigating and responding. Sentencing: ●Raised the maximum penalty for violations from 5 years to 10 years for a first offense and from 10 years to 20 years for a second offense.

2002-06-24 10:16:13

H.R.5005 - CYBER SECURITY ENHANCEMENT ACT OF 2002

Introduced by Rep. Armey, Richard K. [R-TX-26] on 06/24/2002 Status: Became law on 11/25/2002 Sentencing: ●Increased penalties.

2008-05-01 10:16:13

H.R.5938 - IDENTITY THEFT ENFORCEMENT AND RESTITUTION ACT OF 2008

Introduced by Rep. Conyers, John, Jr. [D-MI-14] on 05/01/2008 Status: Became law on 9/26/2008 While the Patriot Act intensified the severity of violating core CFAA provisions, Congress has also recently tightened computer crimes laws to accommodate rapidly changing criminal threats. In 2007, for example, Congress passed The Identity Theft Enforcement and Restitution Act (“ITERA”), the most recent amendment to the CFAA. ITERA enhanced the CFAA by expanding the scope of what constitutes identity theft and allowing identity theft victims to recover greater costs associated with repairing the damage of identity theft.8 Some key provisions include eliminating the requirement that the defendant’s action must result in a loss exceeding $5,000, thereby making smaller offenses punishable, criminalizing conspiracy to commit computer hacking, and widening jurisdiction for cases involving theft of information from computers by eliminating the requirement that information must have been stolen through an interstate or foreign communication.9 Scope: ●Amends the federal criminal code to: (1) authorize criminal restitution orders in identity theft cases to compensate victims for the time spent to remediate the intended or actual harm incurred; (2) allow prosecution of computer fraud offenses for conduct not involving an interstate or foreign communication; (3) eliminate the requirement that damage to a victim's computer aggregate at least $5,000 before a prosecution can be brought for unauthorized access to a computer; (4) make it a felony, during any one-year period, to damage 10 or more protected computers used by or for the federal government or a financial institution; (5) prohibit conspiracies to commit computer fraud; (6) expand interstate and foreign jurisdiction for prosecution of computer fraud offenses; and (7) impose criminal and civil forfeitures of property used to commit computer fraud offenses. Definitions: ●Expands the definition of "cyber-extortion" to include a demand for money in relation to damage to a protected computer, where such damage was caused to facilitate the extortion. Sentencing: ●Directs the U.S. Sentencing Commission to review its guidelines and policy statements for the sentencing of persons convicted of identity theft, computer fraud, illegal wiretapping, and unlawful access to stored information to reflect the intent of Congress that penalties for such offenses be increased.

2012-03-27 10:16:13

H.R.4263 - STRENGTHENING AND ENHANCING CYBERSECURITY BY USING RESEARCH, EDUCATION, INFORMATION, AND TECHNOLOGY ACT OF 2012 OR SECURE IT

Introduced by Rep. Bono Mack, Mary [R-CA-45] on 3/27/2012 Status: Failed Summary: ●Amends the Computer Fraud and Abuse Act to increase and further delineate the criminal penalties for computer fraud and related activities. Sentencing: ●Establishes an offense for aggravated damage to a public or private critical infrastructure computer that manages or controls systems or assets vital to national defense, national security, national economic security, or public health or safety.

2012-06-27 10:16:13

S.3342 - STRENGTHENING AND ENHANCING CYBERSECURITY BY USING RESEARCH, EDUCATION, INFORMATION, AND TECHNOLOGY ACT OF 2012 OR SECURE IT ACT OF 2012

Introduced by Sen. McCain, John [R-AZ] on 6/27/2012 Status: Failed Summary: ●Amends the Computer Fraud and Abuse Act to increase and further delineate the criminal penalties for computer fraud and related activities. Sentencing: ●Establishes an offense for aggravated damage to a public or private critical infrastructure computer that manages or controls systems or assets vital to national defense, national security, national economic security, or public health or safety.

2012-07-19 10:16:13

S.3414 - CYBERSECURITY ACT OF 2012 OR THE CSA2012

Introduced by Sen. Lieberman, Joseph I. [ID-CT] on 7/19/2012 Status: Failed Summary: ●Defines a ""cybersecurity crime"" as violation of a state or federal law relating to computer crimes, including any provision of the federal criminal code enacted or amended by the Computer Fraud and Abuse Act of 1986. ●Establishes a National Cybersecurity Council, to be chaired by the Secretary of Homeland Security (DHS) (the Secretary), to: (1) conduct sector-by-sector risk assessments; (2) identify categories of critical cyber infrastructure (CCI categories); (3) coordinate the adoption of private-sector recommended voluntary outcome-based cybersecurity practices; (4) establish an incentives-based voluntary cybersecurity program for critical infrastructure to encourage owners of critical infrastructure to adopt such practices; (5) develop procedures to inform critical infrastructure owners and operators of cyber threats, vulnerabilities, and consequences; and (6) provide any technical guidance or assistance requested by owners and operators. ●Directs the Council to designate an agency to: (1) conduct top-level cybersecurity assessments of cyber risks to critical infrastructure with voluntary participation from private sector entities; and (2) prioritize ongoing, sector-by-sector assessments beginning with sectors posing the greatest immediate risk. ●Requires the Council to submit each risk assessment to the President and appropriate federal agencies and congressional committees. ●Directs the Council to: (1) identify CCI categories within each sector of critical infrastructure and critical infrastructure owners within each category, and (2) establish a procedure for owners of critical cyber infrastructure to challenge the identification. ●Directs the Council to identify CCI categories as a critical cyber infrastructures only if damage or unauthorized access could reasonably result in: (1) the interruption of life-sustaining services (including energy, water, transportation, emergency services, or food) sufficient to cause a mass casualty event or mass evacuations; (2) catastrophic economic damage to the United States, including financial markets, transportation systems, or other systemic, long-term damage; or (3) severe degradation of national security. ●Requires the Council to establish procedures under which owners of critical cyber infrastructure shall report significant cyber incidents affecting critical cyber infrastructure. ●Provides for congressional review of critical cyber infrastructure determinations. ●Requires private sector coordinating councils (PSCC) within critical infrastructure sectors established by the National Infrastructure Protection Plan to propose cybersecurity practices to the Council. Directs the Council to adopt: (1) any proposed practices and any necessary amended or additional practices that adequately address identified cyber risks, and (2) practices pursuant to the Council's own assessment if a PSCC fails to submit proposals. ●Permits federal agencies with responsibilities for regulating the security of critical infrastructure to adopt such practices as mandatory requirements. Requires agencies that do not adopt the practices to report to Congress on the agency's reasoning, including a description of whether the agency is maintaining practices sufficient to effectively address cyber risks. ●Directs the Council to establish the Voluntary Cybersecurity Program for Critical Infrastructure under which owners of critical infrastructure certified to participate in the Program select and implement cybersecurity measures of their choosing that satisfy such cybersecurity practices in exchange for: (1) liability protection from punitive damages; (2) expedited security clearances; and (3) prioritized technical assistance, real-time cyber threat information, and public recognition. ●Prohibits any of the above provisions relating to the critical infrastructure public-private partnership from limiting the ability of a federal agency with responsibilities for regulating the security of critical infrastructure from requiring that the cybersecurity practices adopted by the Council be met. ●Directs the Secretary to establish a Critical Infrastructure Cyber Security Tip Line. ●Requires the Secretary to: (1) inform the owner or operator of information infrastructure located outside the United States the disruption of which could result in catastrophic damage within the United States and the government of the country in which the information infrastructure is located of any cyber risks to such information infrastructure; and (2) coordinate with such governments and owners or operators regarding the implementation of measures to mitigate or remediate cyber risks. ●Amends the federal Information Security Management Act of 2002 (FISMA) to direct the Secretary to oversee the information security requirements of federal agencies. (Currently, the Director of the Office of Management and Budget [OMB] has such oversight authority and has administratively transferred certain responsibilities to DHS through an OMB memorandum.) Revises information security requirements for federal agencies and provides for continuous monitoring and streamlined reporting of cybersecurity risks. ●Maintains: (1) the President's oversight over national security systems; and (2) the delegation of authority to the Department of Defense (DOD), Central Intelligence Agency (CIA), and Director of National Intelligence (DNI) for specified defense and intelligence systems. ●Amends the Homeland Security Act of 2002 to consolidate existing DHS resources for cybersecurity within a National Center for Cybersecurity and Communications. Sets forth the duties of the Center, including managing efforts to secure, protect, and ensure the resiliency of the federal information infrastructure, supporting private sector efforts to protect such infrastructure, prioritizing efforts to address the most significant risks to the information infrastructure, and ensuring privacy protections. ●Requires the Center to be headed by a Director (appointed by the President with Senate confirmation) who reports to the Secretary. Directs the DNI to identify a Deputy Director with concurrence of the Secretary. ●Directs the Center to: (1) oversee the national security and emergency preparedness communications infrastructure, including the Office of Emergency Communications and the National Communications System; (2) develop a national incident response plan detailing the roles of federal agencies, state and local governments, and the private sector; and (3) consult with international partners. ● ●Requires the Center to establish procedures to: (1) ensure regular and timely sharing of cybersecurity information between and among federal and nonfederal entities, including cybersecurity centers, network and security operations centers, cybersecurity exchanges, and nonfederal entities responsible for such systems; and (2) share cybersecurity threat and vulnerability information by the federal government with owners and operators of the national information infrastructure. ●Prohibits federal entities from: (1) using certain voluntarily submitted information as evidence in regulatory enforcement actions; or (2) unless otherwise authorized by law, compelling a disclosure of information from a private entity or intercepting wire, oral, or electronic communications. ●Requires federal agencies, unless otherwise directed by the President, to immediately notify the Center of any incident affecting a national security system. ●Directs the Director of the Office of Science and Technology Policy to develop a national cybersecurity research and development plan to encourage the development of computer technologies and software to protect against evolving cyberthreats. ●Requires the National Science Foundation (NSF), Secretary, and Secretary of Commerce to establish a program for federal agencies to award grants to institutions of higher education or research and development nonprofit institutions to establish cybersecurity test beds capable of realistic modeling of real-time cyber attacks and defenses. ●Directs the NSF to establish cybersecurity research centers based at institutions of higher education and other entities. ●Requires the DHS and DOD to jointly establish academic and professional Centers of Excellence to protect critical infrastructure in conjunction with international academic and professional partners from countries that may include appropriate U.S. allies. ●Directs the NSF to establish a federal Cyber Scholarship-for-Service program. ●Directs the Secretary to develop and update periodically an acquisition risk management strategy including procedures to: (1) assess risks to the federal information infrastructure supply chain, (2) incorporate internationally recognized standards with input from the private sector, and (3) share threat information with the private sector. ●Amends federal information technology procurement laws to provide information security training to contracting officers and promote the acquisition of information security products through authorized channels or distributors of a supplier. ●Sets forth the responsibilities of the Department of State with respect to the coordination of international norms for cyberspace to be developed with other countries and the consideration of cybercrime in foreign policy and foreign assistance programs. ●Authorizes private entities to monitor and operate countermeasures to protect against cybersecurity threats on their own information systems and the information systems of a third party with such party's express prior consent. ●Permits private entities to disclose lawfully obtained cybersecurity threat indicators to other private entities for the sole purpose of protecting information systems. Sets forth requirements for safeguarding information that could be used to identify specific persons and prohibits the use of such information to gain an unfair competitive advantage. ●Directs the Secretary to establish a process for: (1) designating one or more civilian federal entities, private entities, or nonfederal government entities to serve as cybersecurity exchanges; and (2) sharing classified and unclassified cybersecurity threat indicators in as close to real time as possible with appropriate entities. ●Requires the Secretary to designate a civilian federal entity as the lead cybersecurity exchange for information sharing among federal entities and with state, local, tribal, and territorial governments, international partners, and private entities. ●Authorizes federal entities to disclose cybersecurity threat indicators to law enforcement if: (1) disclosure is permitted under procedures developed by the Secretary and approved by the Attorney General (DOJ) to protect privacy and civil liberties; and (2) the information pertains to a cybersecurity crime, an imminent threat of death or serious bodily harm, or a serious threat to minors, including sexual exploitation and threats to physical safety. ●Allows law enforcement to use such indicators only to: (1) protect information systems from a cybersecurity threat or investigate, prosecute, or disrupt a cybersecurity crime; or (2) protect individuals from imminent threats of death or serious bodily harm and minors from serious threats. Sentencing: ●Directs federal entities to develop and enforce appropriate sanctions for employees who conduct cybersecurity information activities outside the normal course of duties or in a manner inconsistent with their responsibilities or in contravention of procedures to protect privacy and civil liberties. ●Establishes a cause of action against the United States if a federal entity intentionally or willfully violates cybersecurity information laws or related regulations.

2012-09-19 10:16:13

S.3569 - CLOUD COMPUTING ACT OF 2012

Introduced by Sen. Klobuchar, Amy [D-MN] on 9/19/2012 Status: Failed Summary: ●Amends the Computer Fraud and Abuse Act to provide that each instance of unauthorized access of a cloud computing account, access of such an account in excess of authorization, or an attempt or conspiracy to access such an account without or in excess of authorization in violation of such Act shall constitute a separate offense. ●Establishes the value of the loss of the use of a computer, the value of the information obtained, and the value of the aggregated loss, for an offense involving unauthorized access to a protected computer that is part of a cloud computing service, as the greater of: (1) the value of the loss of use, information, or aggregated loss to one or more persons; or (2) the product obtained by multiplying $500 by the number of cloud computing accounts accessed. ●Directs the Secretary of State to work with international for a, such as the Organization for Economic Cooperation and Development (OECD), to advance the aims of ensuring interoperability between the provisions of this Act and other laws and policies of the United States and foreign countries. ●Requires, within 180 days after enactment of this Act and at least once each year for four years thereafter: (1) the Secretary to conduct a study on international cooperation regarding data privacy, retention, and security; and (2) the heads of specified federal agencies to submit to the Administrator of the Office of Electronic Government and Information Technology of the Office of Management and Budget (OMB) a three-year forecast of the agency's plans relating to the procurement of cloud computing services and support. Directs the Administrator to make each such forecast available to the public via an Internet website." Definitions: ●Defines: (1) "cloud computing account" as information stored on a cloud computing service that requires a password or similar information to access and is attributable to an individual; and (2) "cloud computing service" as a service that enables convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or interaction by the service provider.

2013-04-10 10:16:13

H.R.1468 - STRENGTHENING AND ENHANCING CYBERSECURITY BY USING RESEARCH, EDUCATION, INFORMATION, AND TECHNOLOGY ACT OF 2013 OR SECURE IT

Introduced by Rep. Blackburn, Marsha [R-TN-7] on 4/10/2013 Status: Failed Summary: ●Amends the Computer Fraud and Abuse Act to increase and further delineate the criminal penalties for computer fraud and related activities Sentencing: ●Establishes an offense for aggravated damage to a public or private critical infrastructure computer that manages or controls systems or assets vital to national defense, national security, national economic security, or public health or safety.

2013-06-20 10:16:13

H.R.2454 - AARON'S LAW ACT OF 2013

Introduced by Rep. Lofgren, Zoe [D-CA-19] on 6/20/2013 Status: Failed Definitions: ●Amends provisions of the Computer Fraud and Abuse Act (CFAA) prohibiting computer fraud to replace the phrase "exceeds authorized access" with "access without authorization," which is defined as obtaining information on a protected computer that the accesser lacks authorization to obtain by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information Sentencing: ●Modifies CFAA penalty provisions to: (1) limit the imposition of enhanced penalties to subsequent offenses under such Act (currently, additional penalties are allowed if there is a conviction for another offense) and to criminal acts punishable under federal or state law by a term of imprisonment for more than one year; and (2) require the determination of the value of information for enhanced penalty purposes to be made by reference to fair market value.

2013-06-20 10:16:13

S.1196 - AARON'S LAW ACT OF 2013

Introduced by Sen. Wyden, Ron [D-OR] on 6/20/2013 Status: Failed Definitions: ●Amends provisions of the Computer Fraud and Abuse Act (CFAA) prohibiting computer fraud to replace the phrase "exceeds authorized access" with "access without authorization," which is defined as obtaining information on a protected computer that the accesser lacks authorization to obtain by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information. Sentencing: ●Modifies CFAA penalty provisions to: (1) limit the imposition of enhanced penalties to subsequent offenses under such Act (currently, additional penalties are allowed if there is a conviction for another offense) and to criminal acts punishable under federal or state law by a term of imprisonment for more than one year; and (2) require the determination of the value of information for enhanced penalty purposes to be made by reference to fair market value.

2014-02-03 10:16:13

S.1984 - CREDIT CARD THEFT SENTENCING ACT OF 2014

Introduced by Sen. Kirk, Mark Steven [R-IL] on 2/3/2014 Status: Failed Sentencing: ●Amends the Computer Fraud and Abuse Act to set penalties of a fine, imprisonment for at least 25 years or for life, or both for intentionally accessing a computer without authorization or exceeding authorized access and thereby obtaining information of 1 million or more credit card holders contained in a financial record of a financial institution or a card issuer, contained in a file of a consumer reporting agency on a consumer, from any federal agency, or from any protected computer

2015-04-21 10:16:13

H.R.1918 - AARON'S LAW ACT OF 2015

Introduced by Rep. Lofgren, Zoe [D-CA-19] on 4/21/2015 Status: In Progress Definitions: Amends provisions of the Computer Fraud and Abuse Act (CFAA) prohibiting computer fraud to replace the phrase "exceeds authorized access" with "access without authorization," which is defined as obtaining information on a protected computer that the accesser lacks authorization to obtain by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information. Sentencing: Modifies CFAA penalty provisions to: (1) limit the imposition of enhanced penalties to subsequent offenses under such Act (currently, additional penalties are allowed if there is a conviction for another offense) and to criminal acts punishable under federal or state law by a term of imprisonment for more than one year; and (2) require the determination of the value of information for enhanced penalty purposes to be made by reference to fair market value.

2015-04-21 10:16:13

S.1030 - AARON'S LAW ACT OF 2015

Introduced by Sen. Wyden, Ron [D-OR] on 4/21/2015 Status: In Progress Definitions: Amends provisions of the Computer Fraud and Abuse Act (CFAA) prohibiting computer fraud to replace the phrase "exceeds authorized access" with "access without authorization," which is defined as obtaining information on a protected computer that the accesser lacks authorization to obtain by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information. Sentencing: Modifies CFAA penalty provisions to: (1) limit the imposition of enhanced penalties to subsequent offenses under such Act (currently, additional penalties are allowed if there is a conviction for another offense) and to criminal acts punishable under federal or state law by a term of imprisonment for more than one year; and (2) require the determination of the value of information for enhanced penalty purposes to be made by reference to fair market value.

2017-01-08 01:25:23

S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017

Introduced by Sen. Mark R. Warner [D-VA]. This bill requires Internet-connected devices purchased by federal agencies to meet specified security requirements, including requirements that the devices (1) do not contain known security vulnerabilities or defects; (2) rely on software or firmware components capable of accepting properly authenticated and trusted updates from the vendor; (3) rely only on non-deprecated industry-standard protocols and technologies for certain functions; and (4) do not include fixed or hard-coded credentials.

2017-06-22 17:04:39

S.1405 - Federal Aviation Administration Reauthorization Act of 2017

Senator Jon Thune introduced the bill. This bill reauthorizes through FY2021 the Federal Aviation Administration (FAA) and specified FAA programs. The bill revises requirements for the airport improvement program and pilot program for passenger facility charges at nonhub airports. Forward Looking Investment in General Aviation, Hangars, and Tarmacs Act of 2017 or the FLIGHT Act of 2017 The Department of Transportation (DOT) shall implement an expedited and coordinated environmental review process for general aviation airport construction or improvement projects. DOT shall establish a public-private partnership program for building or improving hangars, businesses, or other facilities at: general aviation airports, and privately owned airports for public use that do not have scheduled air service. The Government Accountability Office shall review privacy issues and concerns associated with the operation of unmanned aircraft (drones) in the national airspace system. The FAA shall establish a process for the acceptance of risk-based, consensus safety standards for the safe integration of small drones into such system. DOT shall issue guidance for the operation of public drones. The FAA shall develop a plan for the deployment of technologies to detect and mitigate potential airspace safety threats posed by drones. Drone Operator Safety Act The bill amends the federal criminal code to make it a crime to operate a drone that knowingly or recklessly interferes with or disrupts the operation of an aircraft carrying one or more occupants in U.S. airspace. DOT shall establish a Safety Oversight and Certification Advisory Committee. The FAA shall take specified actions to improve airline passenger safety. Commercial Balloon Pilot Safety Act of 2017 The bill directs the FAA to revise federal regulations to apply medical certificate of physical fitness requirements that are applicable to pilot flight crewmembers to operators of air balloons. Fairness for Pilots Act The bill amends the Pilot's Bill of Rights to revise the authorization for appeal to a federal court by a substantially affected individual from a decision of the National Transportation Safety Board to uphold an adverse FAA order or final decision. The bill specifies the suspension or revocation of an airman certificate as the punitive civil action which may be appealed. A U.S. district court shall review de novo an FAA denial, suspension, or revocation of an airman certificate. The bill prescribes certain requirements with respect to improving passenger air service. Transparency Improvements and Compensation to Keep Every Ticketholder Safe Act of 2017 or the TICKETS Act The bill prescribes requirements to prohibit an air carrier from denying an air passenger from boarding a flight without the consent of the passenger cleared to board such flight unless such passenger presents a safety, security, or health risk, to oneself or others, or engages in obscene, disruptive, or unlawful behavior. The bill reauthorizes through FY2021 the essential air service program and the small community air service development program. NextGen Accountability Act The bill amends the FAA Modernization and Reform Act of 2012 to direct the FAA to establish annual NextGen (i.e., Next Generation Air Transportation System) performance goals for each of the national airspace system performance metrics to meet identified performance metric baselines with respect to NextGen projects. Saracini Aviation Safety Act of 2017 The FAA shall issue an order requiring the installation of a secondary cockpit barrier on each new aircraft that is manufactured for delivery to a U.S. passenger air carrier.

2018-07-31 10:37:49

S.3311 - Defending the Integrity of Voting Systems Act

Introduced by Sen. Richard Blumenthal [D-CT]. This bill amends the federal criminal code to broaden the definition of " protected computer," for purposes of computer fraud and abuse offenses, to include a computer that is part of a voting system.

2018-10-10 04:57:31

H.R.302 - FAA Reauthorization Act of 2018

Introduced by Rep. Brett Guthrie on 01/05/2017; Passed. This bill extends the liability insurance coverage of a state-licensed medical professional to another state when the professional provides medical services to an athlete, athletic team, or team staff member pursuant to a written agreement. Prior to providing such services, the medical professional must disclose to the insurer the nature and extent of the services. This extension of coverage does not apply at a health care facility or while a medical professional licensed in the state is transporting the injured individual to a health care facility.

2019-05-06 00:19:55

S.1321 - Defending the Integrity of Voting Systems Act

Introduced by Sen. Richard Blumenthal [D-CT]. This bill broadens the definition of "protected computer," for purposes of computer fraud and abuse offenses, to include a computer that is part of a voting system.

2019-06-12 12:39:27

H.R.3238 - Defending the Integrity of Voting Systems Act

Introduced by Rep. John Ratcliffe [R-TX-4]. This bill broadens the definition of "protected computer," for purposes of computer fraud and abuse offenses, to include a computer that is part of a voting system and (1) is used for a federal election, or (2) has moved in or otherwise affects interstate or foreign commerce.

CFAA TIMELINE

Launch
Copy this timeline Login to copy this timeline 3d Game mode

Contact us

We'd love to hear from you. Please send questions or feedback to the below email addresses.

Before contacting us, you may wish to visit our FAQs page which has lots of useful info on Tiki-Toki.

We can be contacted by email at: hello@tiki-toki.com.

You can also follow us on twitter at twitter.com/tiki_toki.

If you are having any problems with Tiki-Toki, please contact us as at: help@tiki-toki.com

Close

Edit this timeline

Enter your name and the secret word given to you by the timeline's owner.

3-40 true Name must be at least three characters
3-40 true You need a secret word to edit this timeline

Checking details

Please check details and try again

Go
Close