The “Identity Theft Enforcement and Restitution Act” became law on September 26, 2008. The Act does not include the data security breach requirements proposed in other related legislation. However, the Act does provide the Department of Justice with new tools to combat identity theft and cyber-crime. In particular, the law imposes criminal liability on bad actors while not regulating technology. This law also incorporates recommendations from the President’s Identity Theft Task Force.
Of specific note in the “spyware” debate, this Act provides law enforcement with broader ability to combat bad actors. Section 204 of the Act amends the Computer Fraud and Abuse Act (“CFAA”) to address the malicious use of spyware to steal sensitive personal information. Specifically, the Act eliminates the requirement that the loss resulting from the damage to a victim’s computer must exceed $5,000. Eliminating the financial threshold should aid law enforcement efforts and increase prosecutions.
The Act creates new criminal offenses involving attacks on multiple computers, by making it a felony to employ spyware or keyloggers to damage 10 or more computers, regardless of the aggregate amount of damage caused. Removing this threshold requirement should aid law enforcement by ensuring that the most egregious identity thieves will not escape with a minimal, or no, sentence. Violators of the provision who knowingly transmit a program that intentionally causes damage without authorization to 10 or more computers would be subject to a criminal fine, or imprisonment for not more than 10 years, or both. Violators who intentionally access 10 or more computers without authorization and recklessly cause damage are subject to a criminal fine, or imprisonment for not more than 5 years, or both.
In addition to the above instances involving damage to 10 or more computers, the law imposes a punishment of a fine, imprisonment of not more than 5 years, or both, in circumstances where protected computers are intentionally accessed without authorization and the access results in reckless damage. If, instead of “recklessly causing damage,” the intentional access “causes damage and loss,” the Act increases the punishment to a fine, or imprisonment of not more than 10 years, or both. This 10-year punishment also applies if an offender knowingly causes the transmission of a program that results in any of the above 5 harms (or damage to 10 or more computers).