Advanced Criminal Investigations and Intelligence Operations
Page 47
agency having such authority, have the authority to investigate
offenses under this section.
(2) The Federal Bureau of Investigation shall have primary author-
ity to investigate offenses under subsection (a)(1) for any cases
involving espionage, foreign counterintelligence, information
protected against unauthorized disclosure for reasons of national
defense or foreign relations, or Restricted Data (as that term is
defined in section 11y of the Atomic Energy Act of 1954 (42
U.S.C. 2014 (y)), except for offenses affecting the duties of the U.S.
Secret Service pursuant to section 3056 (a) of this title.
(3) Such authority shall be exercised in accordance with an agree-
ment which shall be entered into by the Secretary of the Treasury
and the Attorney General.
Appendix B: Computer Crime and Privacy Laws
347
(e) As used in this section—
(1) the term “computer” means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device per-
forming logical, arithmetic, or storage functions, and includes
any data storage facility or communications facility directly
related to or operating in conjunction with such device, but such
term does not include an automated typewriter or typesetter, a
portable hand held calculator, or other similar device;
(2) the term “protected computer” means a computer
(A) exclusively for the use of a financial institution or the
United States Government, or, in the case of a computer not
exclusively for such use, used by or for a financial institu-
tion or the United States Government and the conduct con-
stituting the offense affects that use by or for the financial
institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce
or communication, including a computer located outside
the United States that is used in a manner that affects
interstate or foreign commerce or communication of the
United States;
(3) the term “State” includes the District of Columbia, the
Commonwealth of Puerto Rico, and any other commonwealth,
possession or territory of the United States;
(4) the term “financial institution” means—
(A) an institution, with deposits insured by the Federal Deposit
Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve
including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit
Union Administration;
(D) a member of the Federal home loan bank system and any
home loan bank;
(E) any institution of the Farm Credit System under the Farm
Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange
Commission pursuant to section 15 of the Securities
Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are
defined in paragraphs (1) and (3) of section 1(b) of the
International Banking Act of 1978); and
(I) an organization operating under section 25 or section 25(a)
of the Federal Reserve Act;
348
Appendix B: Computer Crime and Privacy Laws
(5) the term “financial record” means information derived from
any record held by a financial institution pertaining to a cus-
tomer’s relationship with the financial institution;
(6) the term “exceeds authorized access” means to access a com-
puter with authorization and to use such access to obtain or
alter information in the computer that the accesser is not enti-
tled so to obtain or alter;
(7) the term “department of the United States” means the legisla-
tive or judicial branch of the Government or one of the execu-
tive departments enumerated in section 101 of title 5;
(8) the term “damage” means any impairment to the integrity or
availability of data, a program, a system, or information;
(9) the term “government entity” includes the Government of the
United States, any State or political subdivision of the United
States, any foreign country, and any state, province, municipal-
ity, or other political subdivision of a foreign country;
(10) the term “conviction” shall include a conviction under the law
of any State for a crime punishable by imprisonment for more
than 1 year, an element of which is unauthorized access, or
exceeding authorized access, to a computer;
(11) the term “loss” means any reasonable cost to any victim, includ-
ing the cost of responding to an offense, conducting a damage
assessment, and restoring the data, program, system, or infor-
mation to its condition prior to the offense, and any revenue
lost, cost incurred, or other consequential damages incurred
because of interruption of service; and
(12) the term “person” means any individual, firm, corporation,
educational institution, financial institution, governmental
entity, or legal or other entity.
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the
United States, a State, or a political subdivision of a State, or of an
intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation of
this section may maintain a civil action against the violator to obtain
compensatory damages and injunctive relief or other equitable relief.
A civil action for a violation of this section may be brought only if
the conduct involves 1 of the factors set forth in subclauses (I), (II),
(III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation
involving only conduct described in subsection (c)(4)(A)(i)(I) are
limited to economic damages. No action may be brought under this
subsection unless such action is begun within 2 years of the date of
Appendix B: Computer Crime and Privacy Laws
349
the act complained of or the date of the discovery of the damage.
No action may be brought under this subsection for the negligent
design or manufacture of computer hardware, computer software,
or firmware.
(h) The Attorney General and the Secretary of the Treasury shall report
to the Congress annually, during the first 3 years following the date
of the enactment of this subsection, concerning investigations and
prosecutions under subsection (a)(5).
(i)
(1) The court, in imposing sentence on any person convicted of a
violation of this section, or convicted of conspiracy to violate this
section, shall order, in addition to any other sentence imposed
and irrespective of any provision of State law, that such person
forfeit to the United States
(A) such person’s interest in any personal property that was
used or intended to be used to commit or to facilitate the
commission of such violation; and
(B) any property, real or personal, constituting or derive
d from,
any proceeds that such person obtained, directly or indirectly,
as a result of such violation.
(2) The criminal forfeiture of property under this subsection, any
seizure and disposition thereof, and any judicial proceeding in
relation thereto, shall be governed by the provisions of section 413
of the Comprehensive Drug Abuse Prevention and Control Act
of 1970 (21 U.S.C. 853), except subsection (d) of that section.
(j) For purposes of subsection (i), the following shall be subject to forfeiture to the United States and no property right shall exist in them:
(1) Any personal property used or intended to be used to commit or
to facilitate the commission of any violation of this section, or a
conspiracy to violate this section.
(2) Any property, real or personal, which constitutes or is derived
from proceeds traceable to any violation of this section, or a
conspiracy to violate this section.
Children’s Online Privacy Act (15 U.S.C. §§ 6501–6506)
Chapter 91: Children’s Online Privacy Protection
• § 6501. Definitions
• § 6502. Regulation of Unfair and Deceptive Acts and Practices in
Connection with Collection and Use of Personal Information from
and about Children on the Internet
350
Appendix B: Computer Crime and Privacy Laws
• § 6503. Safe Harbors
• § 6504. Actions by States
• § 6505. Administration and Applicability
• § 6506. Review
§ 6501. Definitions
In this chapter:
(1) Child
The term “child” means an individual under the age of 13.
(2) Operator
The term “operator”—
(A) means any person who operates a website located on the
Internet or an online service and who collects or maintains per-
sonal information from or about the users of or visitors to such
website or online service, or on whose behalf such information
is collected or maintained, where such website or online ser-
vice is operated for commercial purposes, including any person
offering products or services for sale through that website or
online service, involving commerce—
(i) among the several States or with 1 or more foreign nations;
(ii) in any territory of the United States or in the District of
Columbia, or between any such territory and—
(I) another such territory; or
(II) any State or foreign nation; or
(iii) between the District of Columbia and any State, territory,
or foreign nation; but
(B) does not include any nonprofit entity that would otherwise be
exempt from coverage under section 45 of this title.
(3) Commission
The term “Commission” means the Federal Trade Commission.
(4) Disclosure
The term “disclosure” means, with respect to personal
information—
(A) the release of personal information collected from a child in
identifiable form by an operator for any purpose, except where
such information is provided to a person other than the opera-
tor who provides support for the internal operations of the web-
site and does not disclose or use that information for any other
purpose; and
(B) making personal information collected from a child by a web-
site or online service directed to children or with actual knowl-
edge that such information was collected from a child, publicly
Appendix B: Computer Crime and Privacy Laws
351
available in identifiable form, by any means including by a
public posting, through the Internet, or through—
(i) a home page of a website;
(ii) a pen pal service;
(iii) an electronic mail service;
(iv) a message board; or
(v) a chat room.
(5) Federal agency
The term “Federal agency” means an agency, as that term is defined
in section 551 (1) of title 5.
(6)
Internet
The term “Internet” means collectively the myriad of computer and
telecommunications facilities, including equipment and operat-
ing software, which comprise the interconnected world-wide net-
work of networks that employ the Transmission Control Protocol/
Internet Protocol, or any predecessor or successor protocols to such
protocol, to communicate information of all kinds by wire or radio.
(7)
Parent
The term “parent” includes a legal guardian.
(8)
Personal information
The term “personal information” means individually identifiable
information about an individual collected online, including—
(A) a first and last name;
(B) a home or other physical address including street name and
name of a city or town;
(C) an e-mail address;
(D) a telephone number;
(E) a Social Security number;
(F) any other identifier that the Commission determines per-
mits the physical or online contacting of a specific indivi-
dual; or
(G) information concerning the child or the parents of that child
that the website collects online from the child and combines
with an identifier described in this paragraph.
(9) Verifiable parental consent
The term “verifiable parental consent” means any reasonable effort
(taking into consideration available technology), including a request
for authorization for future collection, use, and disclosure described
in the notice, to ensure that a parent of a child receives notice of the
operator’s personal information collection, use, and disclosure prac-
tices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information
before that information is collected from that child.
352
Appendix B: Computer Crime and Privacy Laws
(10) Website or online service directed to children
(A) In general
The term “website or online service directed to children”
means—
(i) a commercial website or online service that is targeted to
children; or
(ii) that portion of a commercial website or online service that
is targeted to children.
(B) Limitation
A commercial website or online service, or a portion of a
commercial website or online service, shall not be deemed
directed to children solely for referring or linking to a com-
mercial website or online service directed to children by using
information location tools, including a directory, index, ref-
erence, pointer, or hypertext link.
(11) Person
The term “person” means any individual, partnership, corporation,
trust, estate, cooperative, association, or other entity.
(12) Online contact information
The term “online contact information” means an e-mail address or
another substantially similar identifier that permits direct contact
with a person online.
§ 6502. Regulation of Unfair and Deceptive Acts and
Practices in Connection with Collection and
Use of Personal
Information from and about Children on the Internet
(a) Acts prohibited
(1) In general
It is unlawful for an operator of a website or online service
directed to children, or any operator that has actual knowl-
edge that it is collecting personal information from a child,
to collect personal information from a child in a manner that
violates the regulations prescribed under subsection (b) of this
section.
(2) Disclosure to parent protected
Notwithstanding paragraph (1), neither an operator of such a
website or online service nor the operator’s agent shall be held
to be liable under any Federal or State law for any disclosure
made in good faith and following reasonable procedures in
responding to a request for disclosure of personal information
under subsection (b)(1)(B)(iii) of this section to the parent of
a child.
Appendix B: Computer Crime and Privacy Laws
353
(b) Regulations
(1)
In general
Not later than 1 year after October 21, 1998, the Commission
shall promulgate under section 553 of title 5 regulations that—
(A) require the operator of any website or online service directed
to children that collects personal information from children
or the operator of a website or online service that has actual
knowledge that it is collecting personal information from
a child—
(i) to provide notice on the website of what information is
collected from children by the operator, how the opera-
tor uses such information, and the operator’s disclosure
practices for such information; and
(ii) to obtain verifiable parental consent for the collec-
tion, use, or disclosure of personal information from
children;
(B) require the operator to provide, upon request of a parent
under this subparagraph whose child has provided personal
information to that website or online service, upon proper
identification of that parent, to such parent—
(i) a description of the specific types of personal information