Bill Summary
The "Protecting Stolen Encrypted Data Act of 2026" is a legislative proposal aimed at enhancing the Federal Government's ability to identify and manage sensitive data and classified information that has been unlawfully obtained by foreign entities. The Act defines "covered data" to include financial, medical, biometric data, intellectual property, and trade secrets belonging to U.S. persons.
Key provisions of the Act mandate the President, through the Secretary of Defense and the Director of National Intelligence, to develop strategies to:
1. Identify stolen covered data and classified information, including assessing if it has been encrypted or decrypted by foreign entities.
2. Address the threats posed by this stolen data, including determining whether destroying, manipulating, or recovering such information would serve U.S. economic and national security interests.
The Act also requires the Secretary and the Director to report to Congress within a year of enactment on the strategies developed and actions taken, including recommendations for further legislative or administrative measures. The report must be primarily unclassified, with the option of including a classified annex. Overall, the legislation aims to bolster national security by proactively managing risks associated with sensitive data theft.
Possible Impacts
The "Protecting Stolen Encrypted Data Act of 2026" could have several impacts on individuals and organizations. Here are three examples:
1. **Enhanced Data Security for Individuals**: By focusing on the identification and recovery of stolen sensitive data, the legislation could lead to improved security measures for personal information such as financial, medical, and biometric data. Individuals may experience increased confidence in how their sensitive data is handled and protected by both the government and private entities, potentially reducing the risk of identity theft and fraud.
2. **Impact on Businesses**: Companies that possess covered data, such as trade secrets and intellectual property, may need to enhance their cybersecurity measures to comply with new regulations stemming from this legislation. This could result in increased operational costs for businesses as they invest in stronger encryption technologies and data protection strategies. Additionally, businesses may benefit from government initiatives aimed at recovering stolen data, thus protecting their intellectual property and maintaining competitive advantages.
3. **Government Accountability and Transparency**: The requirement for the Secretary of Defense and Director of National Intelligence to report to Congress on strategies and actions taken under this legislation could lead to greater accountability regarding how stolen data is managed. Individuals and organizations may gain insights into government operations concerning data protection and national security, fostering a sense of transparency and trust in how sensitive information is handled and recovered. However, the potential for classified annexes in reports may also raise concerns about the balance between national security and public awareness.
[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 4230 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
2d Session
S. 4230
To require the Federal Government to identify and address stolen
sensitive data and classified information, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 26, 2026
Ms. Hassan (for herself and Mrs. Blackburn) introduced the following
bill; which was read twice and referred to the Select Committee on
Intelligence
_______________________________________________________________________
A BILL
To require the Federal Government to identify and address stolen
sensitive data and classified information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Protecting Stolen Encrypted Data Act
of 2026''.
SEC. 2. ADDRESSING STOLEN SENSITIVE DATA.
(a) Definitions.--In this section:
(1) Classified information.--The term ``classified
information'' has the meaning given such term in section 805 of
the National Security Act of 1947 (50 U.S.C. 3164).
(2) Covered data.--The term ``covered data'' means includes
the following:
(A) Financial, medical, and biometric data of
United States persons.
(B) Intellectual property of United States persons.
(C) Trade secrets of United States persons.
(3) United states person.--The term ``United States
person'' has the meaning given such term in section 101 of the
Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
(b) Addressing Stolen Sensitive Data.--
(1) Strategies to identify.--The President shall, acting
through the Secretary of Defense and the Director of National
Intelligence, develop strategies to identify--
(A) covered data and classified information
unlawfully held by foreign entities;
(B) whether such data and information were
encrypted; and
(C) whether such data and information have been
decrypted by such foreign entities.
(2) Strategies to address.--The President shall, acting
through the Secretary of Defense and the Director of National
Intelligence, develop strategies regarding how to address
stolen covered data and classified information.
(3) Destruction, manipulation, or recovery.--
(A) Determination of economic and national security
interest.--The Secretary and the Director shall jointly
determine whether the destruction, manipulation, or
recovery of covered data and classified information
identified pursuant to the strategies developed under
paragraph (1) would be in the economic and national
security interest of the United States.
(B) Destruction, manipulation, or recovery.--In a
case in which the Secretary and the Director jointly
determine under subparagraph (A) that destroying,
manipulating, or recovering covered data or classified
information is in the economic and national security
interested of the United States, the Secretary and the
Director may jointly--
(i) pursuant to strategies required by
paragraph (1), identify encrypted covered data
and classified information that is unlawfully
held by a foreign entity that has not been
decrypted by the foreign entity;
(ii) pursuant to the strategies required by
paragraph (2), attempt to destroy, manipulate,
or recover the data and information identified
pursuant to clause (i); and
(iii) when practicable, inform the lawful
owners of covered data or classified
information--
(I) of the intent of the Secretary
or the Director, as the case may be, to
destroy, manipulate, or recover the
covered data or classified information;
and
(II) upon successful destruction,
manipulation, or recovery of the
covered data or classified information.
(c) Report.--
(1) In general.--Not later than 1 year after the date of
the enactment of this Act, the Secretary and the Director shall
jointly submit to Congress a report on the strategies developed
under paragraphs (1) and (2) of subsection (c) and the actions
taken under paragraph (3) of such subsection.
(2) Recommendations.--The report submitted pursuant to
paragraph (1) shall include such recommendations as the
Secretary and the Director may have for legislative or
administrative action to carry out subsection (c).
(3) Form.--The report submitted pursuant to paragraph (1)
shall be submitted in unclassified form, but may include a
classified annex.
<all>