S3023-119

1. Short title This Act may be cited as the Safe Cloud Storage Act.

2. Storage of child sexual abuse material Title II of the PROTECT Our Children Act of 2008 (34 U.S.C. 21101 et seq.) is amended by inserting after section 201 the following: In this section: The term approved vendor means an organization, corporation, or entity that— offers digital storage services, including remote or cloud-based storage, and analytical and forensic tool processing support; and has been contractually retained and designated by a law enforcement or prosecutorial agency based in the United States to support the duties of such agency by— storing digital child pornography or child obscenity; making such child pornography or child obscenity available to the contracting agency, or any law enforcement or prosecutorial agency designated by the contracting agency, upon request; and providing maintenance, technical and analytical assistance, and forensic tool processing support upon request by the contracting agency. The term child pornography has the meaning given that term in section 2256 of title 18, United States Code. Except as provided in paragraph (2), a civil claim or criminal charge may not be brought in any Federal or State court against an approved vendor relating to the approved vendor's performance of any contractual obligation or service described in subsection (a)(1). A civil claim or criminal charge may be brought in any Federal or State court against an approved vendor if the approved vendor— engaged in— intentional misconduct; or negligent conduct; acted, or failed to act— with actual malice; with reckless disregard to a substantial risk of causing injury without legal justification; or for a purpose unrelated to the performance of any responsibility or function described in subsection (a)(1)(B). With respect to any visual depiction stored and available for analysis in the cloud storage service of an approved vendor, and pursuant to the duties of law enforcement in the investigation of the sexual exploitation of children, an approved vendor shall— secure such visual depiction in a manner that is consistent with the most recent version of the Cybersecurity Framework developed by the National Institute of Standards and Technology, or any successor thereto; only access the visual depictions upon consent of the law enforcement or prosecutorial agency contracting the service and for the purpose of providing maintenance, technical assistance, and forensic tool processing support in the cloud; minimize the number of employees that may be able to obtain access to such visual depiction; employ end-to-end encryption for data storage and transfer functions, or an equivalent technological standard; undergo an independent annual cybersecurity audit to determine whether such visual depiction is secured as required under paragraph (1); and promptly address all issues identified by an audit described in paragraph (5). Any law enforcement or prosecutorial agency that stores evidence of child pornography and child obscenity using cloud-based or remote storage services shall retain such evidence— in compliance with the security policy of the Criminal Justice Information Services of the Federal Bureau of Investigation; for a period consistent with the evidence retention requirements applicable to the investigating or prosecuting agency under the relevant Federal, State, or local law, rule of criminal procedure, or prosecutorial policy; or in the absence of such law, rule, or policy, for a period not less than the applicable statute of limitations or the duration of any sentence imposed, including the period of post-conviction review. Each approved vendor shall ensure that cloud-based storage and analytics of child pornography and child obscenity under this section remain in the United States. Approved vendors shall file a notification letter with the Department of Justice not later than 30 days after entering into a contract described in subsection (a)(1)(B). The notification letter shall include the entity name and point of contact information of the approved vendor, the name of the contracting agency, the period of performance of the contract, and an acknowledgment by the approved vendor that the approved vendor will notify the Department of Justice of any changes to the information in the letter. If a law enforcement or prosecutorial agency fails to make required payment under a contract, breaches any material term of such contract, or otherwise terminates such contract without establishing lawful transfer of the evidence, the approved vendor shall, not later than 30 days after the failure, breach, or termination, notify the Department of Justice, or in the case of a State or local agency, the appropriate State attorney general. Upon making a notification under subparagraph (A), the approved vendor shall continue to preserve and maintain the integrity of the evidence until a lawful transfer of custody occurs to the Department of Justice or another Federal, State, or local law enforcement agency with jurisdiction. Section 1(b) of the PROTECT Our Children Act of 2008 (Public Law 110–401; 122 Stat. 4229) is amended by inserting after the item relating to section 201 the following: 202. Modernizing law enforcement's ability to store child pornography and child obscenity and limited liability for approved vendors (a) Definitions In this section: (1) Approved vendor The term approved vendor means an organization, corporation, or entity that— (A) offers digital storage services, including remote or cloud-based storage, and analytical and forensic tool processing support; and (B) has been contractually retained and designated by a law enforcement or prosecutorial agency based in the United States to support the duties of such agency by— (i) storing digital child pornography or child obscenity; (ii) making such child pornography or child obscenity available to the contracting agency, or any law enforcement or prosecutorial agency designated by the contracting agency, upon request; and (iii) providing maintenance, technical and analytical assistance, and forensic tool processing support upon request by the contracting agency. (2) Child pornography The term child pornography has the meaning given that term in section 2256 of title 18, United States Code. (b) Limited liability for approved vendors (1) Limited liability for law enforcement approved vendors Except as provided in paragraph (2), a civil claim or criminal charge may not be brought in any Federal or State court against an approved vendor relating to the approved vendor's performance of any contractual obligation or service described in subsection (a)(1). (2) Intentional, reckless, or other misconduct A civil claim or criminal charge may be brought in any Federal or State court against an approved vendor if the approved vendor— (A) engaged in— (i) intentional misconduct; or (ii) negligent conduct; (B) acted, or failed to act— (i) with actual malice; (ii) with reckless disregard to a substantial risk of causing injury without legal justification; or (iii) for a purpose unrelated to the performance of any responsibility or function described in subsection (a)(1)(B). (c) Vendor cybersecurity requirements With respect to any visual depiction stored and available for analysis in the cloud storage service of an approved vendor, and pursuant to the duties of law enforcement in the investigation of the sexual exploitation of children, an approved vendor shall— (1) secure such visual depiction in a manner that is consistent with the most recent version of the Cybersecurity Framework developed by the National Institute of Standards and Technology, or any successor thereto; (2) only access the visual depictions upon consent of the law enforcement or prosecutorial agency contracting the service and for the purpose of providing maintenance, technical assistance, and forensic tool processing support in the cloud; (3) minimize the number of employees that may be able to obtain access to such visual depiction; (4) employ end-to-end encryption for data storage and transfer functions, or an equivalent technological standard; (5) undergo an independent annual cybersecurity audit to determine whether such visual depiction is secured as required under paragraph (1); and (6) promptly address all issues identified by an audit described in paragraph (5). (d) Evidence storage Any law enforcement or prosecutorial agency that stores evidence of child pornography and child obscenity using cloud-based or remote storage services shall retain such evidence— (1) in compliance with the security policy of the Criminal Justice Information Services of the Federal Bureau of Investigation; (2) for a period consistent with the evidence retention requirements applicable to the investigating or prosecuting agency under the relevant Federal, State, or local law, rule of criminal procedure, or prosecutorial policy; or (3) in the absence of such law, rule, or policy, for a period not less than the applicable statute of limitations or the duration of any sentence imposed, including the period of post-conviction review. (e) Additional requirements for approved vendors (1) In general Each approved vendor shall ensure that cloud-based storage and analytics of child pornography and child obscenity under this section remain in the United States. (2) Notification letter (A) In general Approved vendors shall file a notification letter with the Department of Justice not later than 30 days after entering into a contract described in subsection (a)(1)(B). (B) Contents The notification letter shall include the entity name and point of contact information of the approved vendor, the name of the contracting agency, the period of performance of the contract, and an acknowledgment by the approved vendor that the approved vendor will notify the Department of Justice of any changes to the information in the letter. (3) Breach of contract (A) In general If a law enforcement or prosecutorial agency fails to make required payment under a contract, breaches any material term of such contract, or otherwise terminates such contract without establishing lawful transfer of the evidence, the approved vendor shall, not later than 30 days after the failure, breach, or termination, notify the Department of Justice, or in the case of a State or local agency, the appropriate State attorney general. (B) Maintenance of evidence Upon making a notification under subparagraph (A), the approved vendor shall continue to preserve and maintain the integrity of the evidence until a lawful transfer of custody occurs to the Department of Justice or another Federal, State, or local law enforcement agency with jurisdiction. . Sec. 202. Modernizing law enforcement's ability to store child pornography and child obscenity and limited liability for approved vendors. .

202. Modernizing law enforcement's ability to store child pornography and child obscenity and limited liability for approved vendors In this section: The term approved vendor means an organization, corporation, or entity that— offers digital storage services, including remote or cloud-based storage, and analytical and forensic tool processing support; and has been contractually retained and designated by a law enforcement or prosecutorial agency based in the United States to support the duties of such agency by— storing digital child pornography or child obscenity; making such child pornography or child obscenity available to the contracting agency, or any law enforcement or prosecutorial agency designated by the contracting agency, upon request; and providing maintenance, technical and analytical assistance, and forensic tool processing support upon request by the contracting agency. The term child pornography has the meaning given that term in section 2256 of title 18, United States Code. Except as provided in paragraph (2), a civil claim or criminal charge may not be brought in any Federal or State court against an approved vendor relating to the approved vendor's performance of any contractual obligation or service described in subsection (a)(1). A civil claim or criminal charge may be brought in any Federal or State court against an approved vendor if the approved vendor— engaged in— intentional misconduct; or negligent conduct; acted, or failed to act— with actual malice; with reckless disregard to a substantial risk of causing injury without legal justification; or for a purpose unrelated to the performance of any responsibility or function described in subsection (a)(1)(B). With respect to any visual depiction stored and available for analysis in the cloud storage service of an approved vendor, and pursuant to the duties of law enforcement in the investigation of the sexual exploitation of children, an approved vendor shall— secure such visual depiction in a manner that is consistent with the most recent version of the Cybersecurity Framework developed by the National Institute of Standards and Technology, or any successor thereto; only access the visual depictions upon consent of the law enforcement or prosecutorial agency contracting the service and for the purpose of providing maintenance, technical assistance, and forensic tool processing support in the cloud; minimize the number of employees that may be able to obtain access to such visual depiction; employ end-to-end encryption for data storage and transfer functions, or an equivalent technological standard; undergo an independent annual cybersecurity audit to determine whether such visual depiction is secured as required under paragraph (1); and promptly address all issues identified by an audit described in paragraph (5). Any law enforcement or prosecutorial agency that stores evidence of child pornography and child obscenity using cloud-based or remote storage services shall retain such evidence— in compliance with the security policy of the Criminal Justice Information Services of the Federal Bureau of Investigation; for a period consistent with the evidence retention requirements applicable to the investigating or prosecuting agency under the relevant Federal, State, or local law, rule of criminal procedure, or prosecutorial policy; or in the absence of such law, rule, or policy, for a period not less than the applicable statute of limitations or the duration of any sentence imposed, including the period of post-conviction review. Each approved vendor shall ensure that cloud-based storage and analytics of child pornography and child obscenity under this section remain in the United States. Approved vendors shall file a notification letter with the Department of Justice not later than 30 days after entering into a contract described in subsection (a)(1)(B). The notification letter shall include the entity name and point of contact information of the approved vendor, the name of the contracting agency, the period of performance of the contract, and an acknowledgment by the approved vendor that the approved vendor will notify the Department of Justice of any changes to the information in the letter. If a law enforcement or prosecutorial agency fails to make required payment under a contract, breaches any material term of such contract, or otherwise terminates such contract without establishing lawful transfer of the evidence, the approved vendor shall, not later than 30 days after the failure, breach, or termination, notify the Department of Justice, or in the case of a State or local agency, the appropriate State attorney general. Upon making a notification under subparagraph (A), the approved vendor shall continue to preserve and maintain the integrity of the evidence until a lawful transfer of custody occurs to the Department of Justice or another Federal, State, or local law enforcement agency with jurisdiction.