A high-ranking Democratic senator is trying to beef up the law that let prosecutors go after Internet activist Aaron Swartz.
Sen. Patrick Leahy (D-Vt.) on Wednesday introduced the Personal Data Privacy and Security Act, making it the fifth time since 2005 that the chairman of the powerful judiciary committee has brought the bill forward. The bill's key aim is to standardize the disclosure rules governing businesses that have been hacked.
"The recent data breach at Target ... is a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our nation," Leahy said in a statement.
But the bill also contains provisions that would strengthen the Computer Fraud and Abuse Act, a law that critics say is already overly broad. Under the proposal, the CFAA would be updated to make attempted hacks, as well as conspiracies to hack, subject to the same punishments as successful cyber intrusions.
This would have major implications for cybercrime cases, because the CFAA is at the center of several high-profile prosecutions. They include the case against Swartz, who downloaded vast numbers of academic articles from the scholarly repository JSTOR, and the case against former Reuters journalist Matthew Keys, who is accused of cooperating with the hacker group Anonymous to vandalize the Web site of a former employer.
Civil liberties advocates at the Electronic Frontier Foundation have lambasted the CFAA as "infamously problematic," arguing that the law's breadth allows prosecutors to punish people over issues unrelated to hacking.
This isn't the first time Leahy has attempted to modify the CFAA. In 2011, the senator proposed an amendment to more narrowly tailor the terms of the law. Legal scholar Orin Kerr said then, "Leahy’s proposal is such a modest step that it doesn’t solve the problem it aims to solve." The proposal would still have made it possible to prosecute simple violations of a company's terms of service.
Under the CFAA today, accessing a computer without authorization carries a maximum five-year prison sentence, in addition to fines. A repeat offense raises the maximum to 10 years. Under Leahy's latest proposal, those same penalties would apply to an attempted or conspired intrusion, whether or not it succeeded.
Other parts of the bill would require businesses to develop privacy and security policies. A business that is hacked would have to notify affected customers within 60 days of the breach. Where the hacked business merely processes or stores sensitive information on behalf of another company rather than owning it, the data's owner would bear the duty to notify customers of the incident. The information covered by the bill would include names, Social Security numbers and birth dates, among other things.
Though a patchwork of state laws already governs data breach notification, Leahy argues that a single national standard would streamline data-handling practices. But his latest bill could also turn minor digital infractions into major ones.