Concerns About Proposal
Sens. Patrick Leahy, D-Vt., and Al Franken, D-Minn., expressed some concerns about the proposal, suggesting the administration may be expanding the definition too much. "We can't ignore these threats," said Leahy as the chairman of the committee, but added that law enforcement agencies shouldn't get distracted by smaller issues. Changing the definition could wind up turning violations of Website terms of service or employer policies into serious crimes, Leahy said. The Department of Justice should be able to use discretion when applying the law.As the proposed law currently stands, employees could be charged with a crime if they violate the company's computer use policy, Franken said. Various civil liberties groups have also suggested the proposal would impose civil and criminal penalties for people who access protected computers within the company without proper authorization. Violations of terms of service or computer use policies are not computer crimes, the Center for Democracy and Technology, the American Civil Liberties Union, the Electronic Frontier Foundation and Americans for Tax Reform wrote in a letter to the Judiciary Committee. "Our primary concern-that this will lead to overbroad application of the law-is far from hypothetical," the groups wrote. While Baker acknowledged the concerns, he pointed out that tightening the definitions could result in "a significant loophole" that would allow workers at federal agencies or private companies to steal the personal information or other sensitive data. "This insider case, where somebody violates the rules of their employer in misusing a computer, is a very challenging thing to address," Baker said. The administration also requested minimum sentences for anyone convicted of attacks or attempted attacks on critical infrastructure. "In light of the grave risk posed by those who might compromise our critical infrastructure, even an unsuccessful attempt at damaging our nation's critical infrastructure merits actual imprisonment of a term not less than three years-not probation, intermittent confinement, community confinement or home detention," Baker said. Leahy said he would not recommend including minimum sentences in the cyber-security bill currently circulating in the Judiciary Committee.
"We want you to concentrate on the real cyber-crimes, and not the minor things," Leahy told Baker.