President Bush recently signed The Identity Theft and Restitution Act of 2008 into law. This bill, authored by Senate Judiciary Committee Chairman Patrick Leahy (D-Vt), amended the Computer Fraud and Abuse Act, which was originally enacted to redress computer related improprieties both civilly and criminally. The new bill has several measures aimed at lowering the threshold required to convict those charged with perpetrating computerized identity theft. These changes will allow federal prosecutors to be more aggressive in cracking down on cyber crimes related to identity theft. Among the most important provisions of the new law are the following:

  • The elimination of the requirement that damage to a victim’s computer exceed an aggregate of $5,000 over a one year period, before charges can be brought for unauthorized access to a computer. 
  • The ability given to victims of identity theft to seek restitution for an amount equal to the value of the time reasonably spent in an attempt to remediate the intended or actual harm incurred. 
  • The elimination of the interstate jurisdictional requirement, thereby allowing prosecution of those who steal personal information from a computer, even when the victim’s computer is located in the same state as the thief’s computer. 
  • The creation of a provision making it a felony to damage ten or more computers using spyware or keyloggers regardless of the aggregate amount of damage caused. 
  • The creation of a provision making it a crime to threaten to steal or release information from an individual’s computer. (Previous law only permitted the prosecution of those who seek to extort companies or government agencies by explicitly threatening to shut down or damage a computer.) 
  • The addition of the remedies of civil and criminal forfeiture to the arsenal of tools available to federal prosecutors to combat cyber crime. Individuals found guilty of violating the act can be forced to forfeit both property used in commission of the cyber crime, as well as property obtained from any proceeds gained from the cyber crime. 
  • The addition of a conspiracy to commit cyber crimes charge. (Previous law only allowed for charges related to the actual crime, and made no provisions for conspiracy to commit the underlying charge.)

What This Means

In light of the foregoing statutory changes, federal prosecutors can now be far more aggressive in prosecuting those who commit cyber identity theft crimes. In particular, the elimination of the $5,000 damage requirement, combined with the elimination of the interstate jurisdictional requirement, makes it easier for prosecutors to bring charges under existing laws. The addition of laws relating to spyware or keyloggers and laws relating to threats to steal or release information from an individual’s computer allow prosecutors to bring charges in a much wider range of cases.