

AMENDMENTS TO THE SENTENCING GUIDELINES

Pursuant to section 994(p) of title 28, United States Code, the United States Sentencing Commission hereby submits to the Congress the following amendments to the sentencing guidelines and the reasons therefor. As authorized by such section, the Commission specifies an effective date of November 1, 2003, for these amendments.

Amendments to the Sentencing Guidelines,
Policy Statements, and Official Commentary


 

3. Amendment: Section 2B1.1(b) is amended by inserting after subsection (b)(12) the following:

"(13) (A) (Apply the greatest) If the defendant was convicted of an offense under:

(i) 18 U.S.C. § 1030, and the offense involved (I) a computer system used to maintain or operate a critical infrastructure, or used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or (II) an intent to obtain personal information, increase by 2 levels.

(ii) 18 U.S.C. § 1030(a)(5)(A)(i), increase by 4 levels.

(iii) 18 U.S.C. § 1030, and the offense caused a substantial disruption of a critical infrastructure, increase by 6 levels.

(B) If subdivision (A)(iii) applies, and the offense level is less than level 24, increase to level 24.".

The Commentary to §2B1.1 captioned "Statutory Provisions" is amended by inserting ", 2701" after "2332b(a)(1)".

The Commentary to §2B1.1 captioned "Application Notes" is amended in Note 3(A)(v), as redesignated by Amendment 2, by striking subdivision (III) and inserting the following:

"(III) Offenses Under 18 U.S.C. § 1030.—In the case of an offense under 18 U.S.C. § 1030, actual loss includes the following pecuniary harm, regardless of whether such pecuniary harm was reasonably foreseeable: any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other damages incurred because of interruption of service.".

The Commentary to §2B1.1 captioned "Application Notes" is amended by inserting before Note 13, as redesignated by Amendment 2, the following:

"12. Application of Subsection (b)(13).

(A)      Definitions.—For purposes of subsection (b)(13): ‘Critical infrastructure' means systems and assets vital to national defense, national security, economic security, public health or safety, or any combination of those matters. A critical infrastructure may be publicly or privately owned. Examples of critical infrastructures include gas and oil production, storage, and delivery systems, water supply systems, telecommunications networks, electrical power delivery systems, financing and banking systems, emergency services (including medical, police, fire, and rescue services), transportation systems and services (including highways, mass transit, airlines, and airports), and government operations that provide essential services to the public.

‘Government entity' has the meaning given that term in 18 U.S.C. § 1030(e)(9).

‘Personal information' means sensitive or private information (including such information in the possession of a third party), including (i) medical records; (ii) wills; (iii) diaries; (iv) private correspondence, including e-mail; (v) financial records; (vi) photographs of a sensitive or private nature; or (vii) similar information.

(B)      Subsection (b)(13)(iii).—If the same conduct that forms the basis for an enhancement under subsection (b)(13)(iii) is the only conduct that forms the basis for an enhancement under subsection (b)(12)(B), do not apply the enhancement under subsection (b)(12)(B).".

The Commentary to §2B1.1 captioned "Application Notes" is amended in Note 18, as redesignated by Amendment 2, by adding at the end of subdivision (A)(ii) the following:

"An upward departure would be warranted, for example, in an 18 U.S.C. § 1030 offense involving damage to a protected computer, if, as a result of that offense, death resulted.";

by redesignating subdivision (B) as subdivision (C); and by inserting after subdivision (A) the following:

"(B) Upward Departure for Debilitating Impact on a Critical Infrastructure.—An upward departure would be warranted in a case in which subsection (b)(13)(iii) applies and the disruption to the critical infrastructure(s) is so substantial as to have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters.".

The Commentary to §2B1.1 captioned "Background" is amended by adding at the end the following paragraph:

"Subsection (b)(13) implements the directive in section 225(b) of Public Law 107–296. The minimum offense level of level 24 provided in subsection (b)(13)(B) for an offense that resulted in a substantial disruption of a critical infrastructure reflects the serious impact such an offense could have on national security, national economic security, national public health or safety, or a combination of any of these matters.".

Section 2B2.3(b)(1) is amended by striking "or " after "airport;" and by inserting after "residence" the following:

"; or (F) on a computer system used (i) to maintain or operate a critical infrastructure; or (ii) by or for a government entity in furtherance of the administration of justice, national defense, or national security".

The Commentary to §2B2.3 captioned "Application Notes" is amended in Note 1 by inserting after "United States Code." the following paragraph:

"‘Critical infrastructure' means systems and assets vital to national defense, national security, economic security, public health or safety, or any combination of those matters. A critical infrastructure may be publicly or privately owned. Examples of critical infrastructures include gas and oil production, storage, and delivery systems, water supply systems, telecommunications networks, electrical power delivery systems, financing and banking systems, emergency services (including medical, police, fire, and rescue services), transportation systems and services (including highways, mass transit, airlines, and airports), and government operations that provide essential services to the public.";

and by inserting after "Instructions)." the following paragraph:

"‘Government entity' has the meaning given that term in 18 U.S.C. § 1030(e)(9).".

Section 2B3.2(b)(3)(B) is amended to read as follows:

"(B)      If (i) the offense involved preparation to carry out a threat of (I) death; (II) serious bodily injury; (III) kidnapping; (IV) product tampering; or (V) damage to a computer system used to maintain or operate a critical infrastructure, or by or for a government entity in furtherance of the administration of justice, national defense, or national security; or (ii) the participant(s) otherwise demonstrated the ability to carry out a threat described in any of subdivisions (i)(I) through (i)(V), increase by 3 levels.".

The Commentary to §2B3.2 captioned "Application Notes" is amended by striking Note 1 and inserting the following:

"1.      Definitions.—For purposes of this guideline:

‘Abducted,' ‘bodily injury,' ‘brandished,' ‘dangerous weapon,' ‘firearm,' ‘otherwise used,' ‘permanent or life-threatening bodily injury,' ‘physically restrained,' and ‘serious bodily injury' have the meaning given those terms in Application Note 1 of the Commentary to §1B1.1 (Application Instructions).

‘Critical infrastructure' means systems and assets vital to national defense, national security, economic security, public health or safety, or any combination of those matters. A critical infrastructure may be publicly or privately owned. Examples of critical infrastructures include gas and oil production, storage, and delivery systems, water supply systems, telecommunications networks, electrical power delivery systems, financing and banking systems, emergency services (including medical, police, fire, and rescue services), transportation systems and services (including highways, mass transit, airlines, and airports), and government operations that provide essential services to the public.

‘Government entity' has the meaning given that term in 18 U.S.C. § 1030(e)(9).".

The Commentary to §2M3.2 captioned "Statutory Provisions" is amended by inserting "§" before "793(a)"; and by inserting ", 1030(a)(1)" after "(g)".

Appendix A (Statutory Index) is amended by inserting after the line referenced to 18 U.S.C. § 2512 the following:

"18 U.S.C. § 2701 2B1.1".

Reason for Amendment: This amendment addresses the serious harm and invasion of privacy that can result from offenses involving the misuse of, or damage to, computers. It implements the directive in section 225(b) of the Homeland Security Act of 2002, Pub. L. 107–296, which required the Commission to review, and if appropriate amend, the guidelines and policy statements applicable to persons convicted of offenses under 18 U.S.C. § 1030 (fraud and related activity in connection with computers) to ensure that the guidelines and policy statements reflect the serious nature and growing incidence of such offenses and the need for an effective deterrent and appropriate punishment. The directive further requires the Commission to consider the extent to which eight specific factors were or were not accounted for by the guidelines. The amendment responds to the directive by making several changes to §§2B1.1 (Larceny, Embezzlement, and Other Forms of Theft; Offenses Involving Stolen Property; Property Damage or Destruction; Fraud and Deceit; Forgery; Offenses Involving Altered or Counterfeit Instruments Other than Counterfeit Bearer Obligations of the United States), 2B2.3 (Trespass), and 2B3.2 (Extortion by Force or Threat of Injury or Serious Damage). These changes are designed to supplement existing guidelines and policy statements and thereby ensure that offenses under 18 U.S.C. § 1030 are adequately addressed and punished.

First, the amendment adds a new specific offense characteristic at §2B1.1(b)(13) with three alternative enhancements of two, four, and six levels. The first enhancement provides a two level increase for convictions under 18 U.S.C. § 1030 that involve either (1) a computer system used to maintain or operate a critical infrastructure or used in furtherance of the administration of justice, national defense, or national security; or (2) an intent to obtain private personal information. The second enhancement provides a four level increase for a conviction under 18 U.S.C. § 1030(a)(5)(A)(i), which requires a heightened showing of intent to cause damage. The third enhancement provides a six level increase, with a minimum offense level of level 24, for a conviction under 18 U.S.C. § 1030 that resulted in a substantial disruption of a critical infrastructure. The graduated levels ensure incremental punishment for increasingly serious conduct, and were chosen in recognition of the fact that conduct supporting application of a more serious enhancement frequently will encompass behavior relevant to a lesser enhancement as well. Accordingly, the most serious applicable enhancement will apply in any particular case.

The minimum offense level of level 24 applicable to the third such enhancement was chosen to maintain parity with the minimum offense level that applies to an offense that substantially jeopardized the safety and soundness of a financial institution, substantially endangered the solvency or financial security of a publicly traded company or an organization of at least 1,000 employees, or substantially endangered the solvency or financial security of 100 or more victims. See §2B1.1(b)(12)(B). Because of the potential overlap in certain cases, the commentary provides that the enhancement at §2B1.1(b)(12)(B) will not apply in a case in which the conduct supporting the six level critical infrastructure enhancement is the only conduct that forms the basis for the §2B1.1(b)(12)(B) enhancement.

The minimum offense level of level 24 applicable to the third enhancement also reflects the fact that some offenders to whom the enhancement may apply will be subject to a statutory maximum penalty of five years' imprisonment, i.e., those convicted of an offense under 18 U.S.C. § 1030(a)(5)(A)(ii). To ensure that the most egregious cases involving critical infrastructure are adequately addressed, the amendment also provides an encouraged upward departure for cases in which the disruption of the critical infrastructure has a debilitating impact on national security, national economic security, national public health or safety, or any combination of these matters.

A definition of critical infrastructure is provided in the commentary. This definition is derived in part from the definition of critical infrastructure in the USA PATRIOT Act (see Pub. L. 107–56, section 1016; 42 U.S.C. § 5195c(e)) but was modified to ensure that the enhancement will apply to substantial disruptions of critical infrastructure that are regional, rather than national, in scope. Examples of critical infrastructures are provided.

Second, the proposed amendment modifies the rule of construction relating to the calculation of loss in protected computer cases. This change was made to incorporate more fully the statutory definition of loss at 18 U.S.C. § 1030(e)(11), added as part of the USA PATRIOT Act, and to clarify its application to all 18 U.S.C. § 1030 offenses sentenced under §2B1.1.

Third, the proposed amendment expands the upward departure note in §2B1.1. That note provides that an upward departure may be warranted if an offense caused or risked substantial non-monetary harm, including physical harm. The amendment adds a provision that expressly states that an upward departure would be warranted for an offense under 18 U.S.C. § 1030 involving damage to a protected computer that results in death.

Fourth, the amendment modifies §2B2.3, to which 18 U.S.C. § 1030(a)(3) (misdemeanor trespass on a government computer) offenses are referenced, and §2B3.2, to which 18 U.S.C. § 1030(a)(7) (extortionate demand to damage protected computer) offenses are referenced, to provide enhancements relating to computer systems used to maintain or operate a critical infrastructure, or by or for a government entity in furtherance of the administration of justice, national defense, or national security. The amendment expands the scope of existing enhancements to ensure that trespasses and extortions involving these types of important computer systems are addressed.

Finally, the amendment references offenses under 18 U.S.C. § 2701 (unlawful access to stored communications) to §2B1.1. Prior to the Act, a first offense under section 2701 was classified as a misdemeanor offense, and the guidelines did not reference the statute in Appendix A (Statutory Index). Given that the Act increased the penalties available for 18 U.S.C. § 2701 offenses, the amendment references the statute in Appendix A. Section 2701 offenses are referenced to §2B1.1 because such offenses involve the obtaining, altering, or denial of authorized access to stored wire or electronic communications, conduct that is related to fraud, theft, and property damage, which are covered by §2B1.1.