[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 3023 Reported in Senate (RS)]
<DOC>
Calendar No. 345
119th CONGRESS
2d Session
S. 3023
To limit liability for certain entities storing child sexual abuse
material for law enforcement agencies, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
October 21, 2025
Mrs. Blackburn (for herself, Ms. Klobuchar, Mr. Cornyn, Mr. Blumenthal,
Mrs. Britt, Mr. Coons, Mr. Lee, and Mrs. Moody) introduced the
following bill; which was read twice and referred to the Committee on
the Judiciary
February 24, 2026
Reported by Mr. Grassley, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To limit liability for certain entities storing child sexual abuse
material for law enforcement agencies, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Safe Cloud Storage
Act''.</DELETED>
<DELETED>SEC. 2. STORAGE OF CHILD SEXUAL ABUSE MATERIAL.</DELETED>
<DELETED> (a) In General.--Title II of the PROTECT Our Children Act
of 2008 (34 U.S.C. 21101 et seq.) is amended by inserting after section
201 the following:</DELETED>
<DELETED>``SEC. 202. MODERNIZING LAW ENFORCEMENT'S ABILITY TO STORE
CHILD PORNOGRAPHY AND CHILD OBSCENITY AND LIMITED
LIABILITY FOR APPROVED VENDORS.</DELETED>
<DELETED> ``(a) Definitions.--In this section:</DELETED>
<DELETED> ``(1) Approved vendor.--The term `approved vendor'
means an organization, corporation, or entity that--</DELETED>
<DELETED> ``(A) offers digital storage services,
including remote or cloud-based storage, and analytical
and forensic tool processing support; and</DELETED>
<DELETED> ``(B) has been contractually retained and
designated by a law enforcement or prosecutorial agency
based in the United States to support the duties of
such agency by--</DELETED>
<DELETED> ``(i) storing digital child
pornography or child obscenity;</DELETED>
<DELETED> ``(ii) making such child
pornography or child obscenity available to the
contracting agency, or any law enforcement or
prosecutorial agency designated by the
contracting agency, upon request; and</DELETED>
<DELETED> ``(iii) providing maintenance,
technical and analytical assistance, and
forensic tool processing support upon request
by the contracting agency.</DELETED>
<DELETED> ``(2) Child pornography.--The term `child
pornography' has the meaning given that term in section 2256 of
title 18, United States Code.</DELETED>
<DELETED> ``(b) Limited Liability for Approved Vendors.--</DELETED>
<DELETED> ``(1) Limited liability for law enforcement
approved vendors.--Except as provided in paragraph (2), a civil
claim or criminal charge may not be brought in any Federal or
State court against an approved vendor relating to the approved
vendor's performance of any contractual obligation or service
described in subsection (a)(1).</DELETED>
<DELETED> ``(2) Intentional, reckless, or other
misconduct.--A civil claim or criminal charge may be brought in
any Federal or State court against an approved vendor if the
approved vendor--</DELETED>
<DELETED> ``(A) engaged in--</DELETED>
<DELETED> ``(i) intentional misconduct;
or</DELETED>
<DELETED> ``(ii) negligent
conduct;</DELETED>
<DELETED> ``(B) acted, or failed to act--</DELETED>
<DELETED> ``(i) with actual
malice;</DELETED>
<DELETED> ``(ii) with reckless disregard to
a substantial risk of causing injury without
legal justification; or</DELETED>
<DELETED> ``(iii) for a purpose unrelated to
the performance of any responsibility or
function described in subsection
(a)(1)(B).</DELETED>
<DELETED> ``(c) Vendor Cybersecurity Requirements.--With respect to
any visual depiction stored and available for analysis in the cloud
storage service of an approved vendor, and pursuant to the duties of
law enforcement in the investigation of the sexual exploitation of
children, an approved vendor shall--</DELETED>
<DELETED> ``(1) secure such visual depiction in a manner
that is consistent with the most recent version of the
Cybersecurity Framework developed by the National Institute of
Standards and Technology, or any successor thereto;</DELETED>
<DELETED> ``(2) only access the visual depictions upon
consent of the law enforcement or prosecutorial agency
contracting the service and for the purpose of providing
maintenance, technical assistance, and forensic tool processing
support in the cloud;</DELETED>
<DELETED> ``(3) minimize the number of employees that may be
able to obtain access to such visual depiction;</DELETED>
<DELETED> ``(4) employ end-to-end encryption for data
storage and transfer functions, or an equivalent technological
standard;</DELETED>
<DELETED> ``(5) undergo an independent annual cybersecurity
audit to determine whether such visual depiction is secured as
required under paragraph (1); and</DELETED>
<DELETED> ``(6) promptly address all issues identified by an
audit described in paragraph (5).</DELETED>
<DELETED> ``(d) Evidence Storage.--Any law enforcement or
prosecutorial agency that stores evidence of child pornography and
child obscenity using cloud-based or remote storage services shall
retain such evidence--</DELETED>
<DELETED> ``(1) in compliance with the security policy of
the Criminal Justice Information Services of the Federal Bureau
of Investigation;</DELETED>
<DELETED> ``(2) for a period consistent with the evidence
retention requirements applicable to the investigating or
prosecuting agency under the relevant Federal, State, or local
law, rule of criminal procedure, or prosecutorial policy;
or</DELETED>
<DELETED> ``(3) in the absence of such law, rule, or policy,
for a period not less than the applicable statute of
limitations or the duration of any sentence imposed, including
the period of post-conviction review.</DELETED>
<DELETED> ``(e) Additional Requirements for Approved Vendors.--
</DELETED>
<DELETED> ``(1) In general.--Each approved vendor shall
ensure that cloud-based storage and analytics of child
pornography and child obscenity under this section remain in
the United States.</DELETED>
<DELETED> ``(2) Notification letter.--</DELETED>
<DELETED> ``(A) In general.--Approved vendors shall
file a notification letter with the Department of
Justice not later than 30 days after entering into a
contract described in subsection (a)(1)(B).</DELETED>
<DELETED> ``(B) Contents.--The notification letter
shall include the entity name and point of contact
information of the approved vendor, the name of the
contracting agency, the period of performance of the
contract, and an acknowledgment by the approved vendor
that the approved vendor will notify the Department of
Justice of any changes to the information in the
letter.</DELETED>
<DELETED> ``(3) Breach of contract.--</DELETED>
<DELETED> ``(A) In general.--If a law enforcement or
prosecutorial agency fails to make required payment
under a contract, breaches any material term of such
contract, or otherwise terminates such contract without
establishing lawful transfer of the evidence, the
approved vendor shall, not later than 30 days after the
failure, breach, or termination, notify the Department
of Justice, or in the case of a State or local agency,
the appropriate State attorney general.</DELETED>
<DELETED> ``(B) Maintenance of evidence.--Upon
making a notification under subparagraph (A), the
approved vendor shall continue to preserve and maintain
the integrity of the evidence until a lawful transfer
of custody occurs to the Department of Justice or
another Federal, State, or local law enforcement agency
with jurisdiction.''.</DELETED>
<DELETED> (b) Clerical Amendment.--Section 1(b) of the PROTECT Our
Children Act of 2008 (Public Law 110-401; 122 Stat. 4229) is amended by
inserting after the item relating to section 201 the
following:</DELETED>
<DELETED>``Sec. 202. Modernizing law enforcement's ability to store
child pornography and child obscenity and
limited liability for approved vendors.''.
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Safe Cloud Storage Act''.
SEC. 2. STORAGE OF CHILD PORNOGRAPHY AND CHILD OBSCENITY.
(a) In General.--Title II of the PROTECT Our Children Act of 2008
(34 U.S.C. 21101 et seq.) is amended by inserting after section 201 the
following:
``SEC. 202. MODERNIZING LAW ENFORCEMENT'S ABILITY TO STORE CHILD
PORNOGRAPHY AND CHILD OBSCENITY AND LIMITED LIABILITY FOR
APPROVED VENDORS.
``(a) Definitions.--In this section:
``(1) Approved vendor.--The term `approved vendor' means an
organization, corporation, or entity that--
``(A) offers digital storage services, including
remote or cloud-based storage, and analytical and
forensic tool processing support; and
``(B) has been contractually retained by a covered
agency to support the duties of such agency by--
``(i) storing digital child pornography or
child obscenity;
``(ii) making such child pornography or
child obscenity available to the contracting
agency, or any law enforcement or prosecutorial
agency designated by the contracting agency,
upon request; and
``(iii) providing maintenance, technical
and analytical assistance, and forensic tool
processing support upon request by the
contracting agency.
``(2) Child pornography.--The term `child pornography' has
the meaning given that term in section 2256(8) of title 18,
United States Code.
``(3) Covered agency.--The term `covered agency' means a
Federal, State, or local law enforcement or prosecutorial
agency.
``(4) Local.--The term `local' means any political
subdivision of a State.
``(5) State.--The term `State' means any of the 50 States
of the United States, the District of Columbia, the
Commonwealth of Puerto Rico, the Virgin Islands of the United
States, Guam, American Samoa, or the Commonwealth of the
Northern Mariana Islands.
``(b) Limited Liability for Approved Vendors.--
``(1) Limited liability for law enforcement approved
vendors.--Except as provided in paragraph (2), a civil claim or
criminal charge may not be brought in any Federal or State
court against an approved vendor relating to the approved
vendor's performance of any contractual obligation or service
described in subsection (a)(1).
``(2) Intentional, reckless, or other misconduct.--A civil
claim or criminal charge may be brought in any Federal or State
court against an approved vendor if the approved vendor--
``(A) engaged in--
``(i) intentional misconduct; or
``(ii) negligent conduct; or
``(B) acted, or failed to act--
``(i) with actual malice;
``(ii) with reckless disregard to a
substantial risk of causing injury without
legal justification; or
``(iii) for a purpose unrelated to the
performance of any responsibility or function
described in subsection (a)(1)(B).
``(c) Vendor Cybersecurity Requirements.--With respect to any child
pornography or child obscenity stored, maintained, or processed by an
approved vendor, such approved vendor shall--
``(1) secure such child pornography or child obscenity in a
manner that is consistent with the most recent version of the
Cybersecurity Framework developed by the National Institute of
Standards and Technology, or any successor thereto;
``(2) only access the child pornography or child obscenity
upon consent of the covered agency contracting the service and
for the purpose of providing maintenance, technical assistance,
and forensic tool processing support in the cloud;
``(3) minimize the number of employees that may be able to
obtain access to such child pornography or child obscenity and
maintain a list of employees who have obtained such access;
``(4) employ end-to-end encryption for data storage and
transfer functions, or an equivalent technological standard;
``(5) undergo an independent annual cybersecurity audit to
determine whether such child pornography or child obscenity is
secured as required by paragraph (1), including by assessing
compliance with the National Institute of Standards and
Technology Special Publication 800-53, Revision 5 (relating to
security and privacy controls for information systems and
organizations) or any successor documents or revisions; and
``(6) promptly address all issues identified by an audit
described in paragraph (5).
``(d) Evidence Storage.--Any covered agency that stores child
pornography and child obscenity pursuant to a contract with an approved
vendor shall retain such evidence--
``(1) in compliance with the security policy of the
Criminal Justice Information Services Division of the Federal
Bureau of Investigation, or any other similar and appropriate
division within the Federal Bureau of Investigation;
``(2) for a period consistent with the evidence retention
requirements applicable to the covered agency under the
relevant Federal, State, or local law, rule of criminal
procedure, or prosecutorial policy; or
``(3) in the absence of such law, rule, or policy, for a
period not less than the applicable statute of limitations or
the duration of any sentence imposed, including the period of
post-conviction review.
``(e) Additional Requirements for Approved Vendors.--
``(1) Location of data.--
``(A) In general.--Except as provided in
subparagraph (B), each approved vendor shall ensure
that child pornography and child obscenity stored
pursuant to this section remains in the United States.
``(B) Exception.--Child pornography and child
obscenity under this section may be transferred outside
the United States only with the express consent of the
contracting covered agency if such agency deems the
transfer necessary for investigative purposes.
``(2) Notification letter.--
``(A) In general.--Approved vendors shall file a
notification letter with the Criminal Division of the
Department of Justice not later than 30 days after
entering into a contract described in subsection
(a)(1)(B).
``(B) Contents.--The notification letter described
in subparagraph (A) shall include the entity name and
point of contact information of the approved vendor,
the name of the contracting covered agency, the period
of performance of the contract, and an acknowledgment
by the approved vendor that the approved vendor will
notify the Child Exploitation and Obscenity Section of
the Criminal Division of the Department of Justice of
any changes to the information in the letter.
``(3) Breach of contract.--
``(A) In general.--If a covered agency fails to
make required payment under a contract, breaches any
material term of such contract, or otherwise terminates
such contract without establishing lawful transfer of
the evidence, the approved vendor shall, not later than
30 days after the failure, breach, or termination,
notify the Criminal Division of the Department of
Justice in the case of a breach by a Federal agency, or
the appropriate State attorney general in the case of a
breach by a State or local agency.
``(B) Maintenance of evidence.--Upon making a
notification under subparagraph (A), the approved
vendor shall continue to preserve and maintain the
integrity of the evidence until a prompt and lawful
transfer of custody occ