“To limit liability for certain entities storing child sexual abuse material for law enforcement agencies, and for other purposes.”
No CRS summary available for this bill.
This section inserts new section 202 in Title II of the PROTECT Our Children Act of 2008 (34 U.S.C. 21101 et seq.) to establish limited civil and criminal liability for approved vendors (i.e., entities contracted by federal, state, or local law enforcement or prosecutorial agencies to store child pornography or child obscenity and provide related technical support), except in cases of intentional misconduct, negligence, actual malice, reckless disregard of injury risk, or actions unrelated to contract duties. Approved vendors must (1) secure data per the National Institute of Standards and Technology Cybersecurity Framework (or successor); (2) access data only with agency consent for maintenance, technical assistance, or forensic processing; (3) minimize and track employee access; (4) use end-to-end encryption or equivalent; (5) undergo annual independent audits assessing compliance with NIST Special Publication 800-53 Revision 5 (or successors); and (6) promptly remediate audit findings. Covered agencies must retain such evidence per Criminal Justice Information Services Division policies or applicable laws, rules, or prosecutorial guidelines—or at minimum through the statute of limitations or sentence duration including post-conviction review—and approved vendors must keep data in the U.S. unless the contracting agency consents to overseas transfer for investigative needs and file a notification letter with the Department of Justice Criminal Division within 30 days of contract award.