Despite national efforts over the past decades, child sexual abuse material (CSAM) and online child sexual exploitation are still unfortunately prevalent. In 2023, the National Center for Missing and Exploited Children (NCMEC) received over 35.9 million reports of suspected CSAM.[1] This is more than a 20 percent increase over the previous three years. Notably, NCMEC’s 2023 report highlighted concern about the significant increase in reports involving generative artificial intelligence, noting that the Center received 4,700 reports of CSAM or other sexually exploitative content related to these technologies.
On May 7, 2024, President Biden signed into law the Revising Existing Procedures on Reporting via Technology Act (REPORT Act). The REPORT Act is clearly aimed at addressing these trends, allowing NCMEC to obtain appropriate vendor support, requiring longer preservation so that NCMEC has adequate time to address reports, and increasing penalties to ensure that providers make reports when required under law.
18 U.S.C. Chapter 110 contains key federal criminal prohibitions against CSAM and other abuse of children. It also includes provisions which require providers (including electronic communication services or remote computing services) to report to NCMEC when they have actual knowledge of apparent violations and preserve materials related to that report. Providers are exempt from civil or criminal liability arising from these preservation or reporting responsibilities unless they engaged in intentional or reckless misconduct.
The REPORT Act extends these limited liability protections to vendors who contract with NCMEC and to minors who report their own images; broadens reporting requirements to include additional criminal offenses; prolongs the preservation period for reports submitted to NCMEC; adds cybersecurity requirements; and increases penalties for failing to report.
The REPORT Act’s provisions and key takeaways are summarized below.
Limitations on Liability
The REPORT Act extends the limited liability provisions to two new categories of reporters: NCMEC-contracted vendors and individuals depicted as minors in CSAM.
Vendors hoping to benefit from this exception must be “contractually retained and designated by NCMEC” to support NCMEC’s duty to reduce the existence and distribution of CSAM under 34 U.S.C. § 11293(b)(1)(K). This limited liability protection will expand NCMEC’s ability to obtain additional support for its mission by contracting with designated vendors to handle certain functions.
Individuals who are depicted as minors in CSAM can also benefit from the limited liability provisions when reporting to NCMEC. An individual who is or was depicted as a minor in CSAM (even if they are an adult at the time of the report) may now report CSAM containing their own images without fear of prosecution arising from the report, so long as they are not engaged in negligent, reckless, intentional, or malicious misconduct. This protection also extends to representatives of that individual, which can include the individual’s parent, legal guardian, legal representative, or a mandated reporter, so long as that individual is not engaged in sexual exploitation of children.
Expansion of Reporting Requirements
The REPORT Act expands the situations in which providers are required to report apparent violations. Currently, reports are required for violations of sections related to sexual exploitation of children, child trafficking, CSAM, misleading domain names, and production of CSAM for importation into the United States.
The Act adds two additional mandatory reporting categories to this list: child sex trafficking and enticement of a minor.
NCMEC may, within 180 days, issue guidelines to providers regarding identification of content that may indicate child sex trafficking or enticement in order to aid in providers’ compliance with this part.
Preservation
Providers who submit reports to NCMEC are required to preserve any visual depictions, data, or other digital files that are reasonably accessible and may provide context or additional information about the reported material or person.
The REPORT Act extends the time frame for preserving information following a report from 90 days to one year. The additional time will give law enforcement a more realistic timeframe for requesting and obtaining data to support criminal investigations.
Additionally, the Act allows providers who submit a report to voluntarily preserve the contents in the report for longer than one year for the purpose of preventing or reducing online child sexual exploitation.
Cybersecurity Obligations
The REPORT Act adds two cybersecurity obligations.
First, any provider who has an obligation to preserve NCMEC report materials must secure that information in a manner that is consistent with the most recent version of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) or any successor thereto. Providers must ensure relevant compliance with the CSF within one year.
Second, NCMEC-contracted vendors must implement cybersecurity procedures for CSAM, including:
- securing the CSAM in a manner consistent with the most recent NIST CSF or any successor thereto;
- minimizing employee access to CSAM;
- employing end-to-end encryption or a technological equivalent for CSAM storage and transfers;
- undergoing an independent annual cybersecurity audit to ensure the CSAM is secured; and
- promptly addressing any issues identified in the audit.
Increased Penalties
The REPORT Act also modifies the penalties associated with providers that “knowingly and willfully” fail to make a required report.
For initial violations, the Act raises the fines from $150,000 to $600,000 (for providers with 100 million or less monthly active users) or $850,000 (for providers with more than 100 million monthly active users).
For subsequent violations, the Act raises the fines from $300,000 to $850,000 (for providers with 100 million or less monthly active users) or $1,000,000 (for providers with more than 100 million monthly active users).
Key Takeaways
The REPORT Act joins a wave of recent regulations showcasing the increased attention to minor safety online—from updates to the Children’s Online Privacy Protection Act Rule, to a sweep of new laws governing minors on social media platforms, to comprehensive legislation in the EU addressing minors online. Given regulators’ expanded focus on this area, companies should expect to see a major uptick in enforcement around issues related to children and teens online. In addition to examining general compliance with the new children- and teen-related laws that are coming into effect, providers should review their reporting protocols to capture the REPORT Act’s new mandatory reporting categories, update their data retention policies to preserve report information, and secure preserved data consistent with the NIST CSF if not already doing so.
If you or someone you know is a victim of child sexual exploitation in the United States, you can submit a report to NCMEC by going to https://report.cybertip.org/ or calling 1-800-THE-LOST (1-800-843-5678). And if you are thinking of hurting yourself, please reach out to the 988 Suicide & Crisis Lifelife by calling or texting 988 or chatting with them at https://988lifeline.org/chat/.
Wilson Sonsini Goodrich & Rosati specializes in helping companies navigate complex privacy and data security issues. For more information, please contact Libby Weingarten, Demian Ahn, Rebecca Weitzel Garcia, or another member of the firm’s privacy and cybersecurity practice.
[1] See CyberTipline 2023 Report, National Center for Missing & Exploited Children (last accessed May 8, 2024), https://www.missingkids.org/cybertiplinedata.