Introduced:
Oct 21, 2025
Congress.gov:
Bill Statistics
2
Actions
3
Cosponsors
0
Summaries
0
Subjects
1
Text Versions
Yes
Full Text
AI Summary
AI Summary
No AI Summary Available
Click the button above to generate an AI-powered summary of this bill using Claude.
The summary will analyze the bill's key provisions, impact, and implementation details.
Error generating summary
Latest Action
Oct 21, 2025
Read twice and referred to the Committee on the Judiciary.
Actions (2)
Read twice and referred to the Committee on the Judiciary.
Type: IntroReferral
| Source: Senate
Oct 21, 2025
Introduced in Senate
Type: IntroReferral
| Source: Library of Congress
| Code: 10000
Oct 21, 2025
Cosponsors (3)
(D-CT)
Oct 21, 2025
Oct 21, 2025
(R-TX)
Oct 21, 2025
Oct 21, 2025
(D-MN)
Oct 21, 2025
Oct 21, 2025
Full Bill Text
Length: 7,853 characters
Version: Introduced in Senate
Version Date: Oct 21, 2025
Last Updated: Nov 15, 2025 6:06 AM
[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 3023 Introduced in Senate
(IS) ]
<DOC>
119th CONGRESS
1st Session
S. 3023
To limit liability for certain entities storing child sexual abuse
material for law enforcement agencies, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
October 21, 2025
Mrs. Blackburn (for herself, Ms. Klobuchar, Mr. Cornyn, and Mr.
Blumenthal) introduced the following bill; which was read twice and
referred to the Committee on the Judiciary
_______________________________________________________________________
A BILL
To limit liability for certain entities storing child sexual abuse
material for law enforcement agencies, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
[From the U.S. Government Publishing Office]
[S. 3023 Introduced in Senate
(IS) ]
<DOC>
119th CONGRESS
1st Session
S. 3023
To limit liability for certain entities storing child sexual abuse
material for law enforcement agencies, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
October 21, 2025
Mrs. Blackburn (for herself, Ms. Klobuchar, Mr. Cornyn, and Mr.
Blumenthal) introduced the following bill; which was read twice and
referred to the Committee on the Judiciary
_______________________________________________________________________
A BILL
To limit liability for certain entities storing child sexual abuse
material for law enforcement agencies, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1.
This Act may be cited as the ``Safe Cloud Storage Act''.
SEC. 2.
(a) In General.--Title II of the PROTECT Our Children Act of 2008
(34 U.S.C. 21101 et seq.) is amended by inserting after
section 201 the
following:
``
following:
``
``
SEC. 202.
PORNOGRAPHY AND CHILD OBSCENITY AND LIMITED LIABILITY FOR
APPROVED VENDORS.
``
(a)
APPROVED VENDORS.
``
(a)
=== Definitions. ===
-In this section:
``
(1) Approved vendor.--The term `approved vendor' means an
organization, corporation, or entity that--
``
(A) offers digital storage services, including
remote or cloud-based storage, and analytical and
forensic tool processing support; and
``
(B) has been contractually retained and
designated by a law enforcement or prosecutorial agency
based in the United States to support the duties of
such agency by--
``
(i) storing digital child pornography or
child obscenity;
``
(ii) making such child pornography or
child obscenity available to the contracting
agency, or any law enforcement or prosecutorial
agency designated by the contracting agency,
upon request; and
``
(iii) providing maintenance, technical
and analytical assistance, and forensic tool
processing support upon request by the
contracting agency.
``
(2) Child pornography.--The term `child pornography' has
the meaning given that term in
section 2256 of title 18, United
States Code.
States Code.
``
(b) Limited Liability for Approved Vendors.--
``
(1) Limited liability for law enforcement approved
vendors.--Except as provided in paragraph
(2) , a civil claim or
criminal charge may not be brought in any Federal or State
court against an approved vendor relating to the approved
vendor's performance of any contractual obligation or service
described in subsection
(a)
(1) .
``
(2) Intentional, reckless, or other misconduct.--A civil
claim or criminal charge may be brought in any Federal or State
court against an approved vendor if the approved vendor--
``
(A) engaged in--
``
(i) intentional misconduct; or
``
(ii) negligent conduct;
``
(B) acted, or failed to act--
``
(i) with actual malice;
``
(ii) with reckless disregard to a
substantial risk of causing injury without
legal justification; or
``
(iii) for a purpose unrelated to the
performance of any responsibility or function
described in subsection
(a)
(1)
(B) .
``
(c) Vendor Cybersecurity Requirements.--With respect to any
visual depiction stored and available for analysis in the cloud storage
service of an approved vendor, and pursuant to the duties of law
enforcement in the investigation of the sexual exploitation of
children, an approved vendor shall--
``
(1) secure such visual depiction in a manner that is
consistent with the most recent version of the Cybersecurity
Framework developed by the National Institute of Standards and
Technology, or any successor thereto;
``
(2) only access the visual depictions upon consent of the
law enforcement or prosecutorial agency contracting the service
and for the purpose of providing maintenance, technical
assistance, and forensic tool processing support in the cloud;
``
(3) minimize the number of employees that may be able to
obtain access to such visual depiction;
``
(4) employ end-to-end encryption for data storage and
transfer functions, or an equivalent technological standard;
``
(5) undergo an independent annual cybersecurity audit to
determine whether such visual depiction is secured as required
under paragraph
(1) ; and
``
(6) promptly address all issues identified by an audit
described in paragraph
(5) .
``
(d) Evidence Storage.--Any law enforcement or prosecutorial
agency that stores evidence of child pornography and child obscenity
using cloud-based or remote storage services shall retain such
evidence--
``
(1) in compliance with the security policy of the
Criminal Justice Information Services of the Federal Bureau of
Investigation;
``
(2) for a period consistent with the evidence retention
requirements applicable to the investigating or prosecuting
agency under the relevant Federal, State, or local law, rule of
criminal procedure, or prosecutorial policy; or
``
(3) in the absence of such law, rule, or policy, for a
period not less than the applicable statute of limitations or
the duration of any sentence imposed, including the period of
post-conviction review.
``
(e) Additional Requirements for Approved Vendors.--
``
(1) In general.--Each approved vendor shall ensure that
cloud-based storage and analytics of child pornography and
child obscenity under this section remain in the United States.
``
(2) Notification letter.--
``
(A) In general.--Approved vendors shall file a
notification letter with the Department of Justice not
later than 30 days after entering into a contract
described in subsection
(a)
(1)
(B) .
``
(B) Contents.--The notification letter shall
include the entity name and point of contact
information of the approved vendor, the name of the
contracting agency, the period of performance of the
contract, and an acknowledgment by the approved vendor
that the approved vendor will notify the Department of
Justice of any changes to the information in the
letter.
``
(3) Breach of contract.--
``
(A) In general.--If a law enforcement or
prosecutorial agency fails to make required payment
under a contract, breaches any material term of such
contract, or otherwise terminates such contract without
establishing lawful transfer of the evidence, the
approved vendor shall, not later than 30 days after the
failure, breach, or termination, notify the Department
of Justice, or in the case of a State or local agency,
the appropriate State attorney general.
``
(B) Maintenance of evidence.--Upon making a
notification under subparagraph
(A) , the approved
vendor shall continue to preserve and maintain the
integrity of the evidence until a lawful transfer of
custody occurs to the Department of Justice or another
Federal, State, or local law enforcement agency with
jurisdiction.''.
(b) Clerical Amendment.--
``
(b) Limited Liability for Approved Vendors.--
``
(1) Limited liability for law enforcement approved
vendors.--Except as provided in paragraph
(2) , a civil claim or
criminal charge may not be brought in any Federal or State
court against an approved vendor relating to the approved
vendor's performance of any contractual obligation or service
described in subsection
(a)
(1) .
``
(2) Intentional, reckless, or other misconduct.--A civil
claim or criminal charge may be brought in any Federal or State
court against an approved vendor if the approved vendor--
``
(A) engaged in--
``
(i) intentional misconduct; or
``
(ii) negligent conduct;
``
(B) acted, or failed to act--
``
(i) with actual malice;
``
(ii) with reckless disregard to a
substantial risk of causing injury without
legal justification; or
``
(iii) for a purpose unrelated to the
performance of any responsibility or function
described in subsection
(a)
(1)
(B) .
``
(c) Vendor Cybersecurity Requirements.--With respect to any
visual depiction stored and available for analysis in the cloud storage
service of an approved vendor, and pursuant to the duties of law
enforcement in the investigation of the sexual exploitation of
children, an approved vendor shall--
``
(1) secure such visual depiction in a manner that is
consistent with the most recent version of the Cybersecurity
Framework developed by the National Institute of Standards and
Technology, or any successor thereto;
``
(2) only access the visual depictions upon consent of the
law enforcement or prosecutorial agency contracting the service
and for the purpose of providing maintenance, technical
assistance, and forensic tool processing support in the cloud;
``
(3) minimize the number of employees that may be able to
obtain access to such visual depiction;
``
(4) employ end-to-end encryption for data storage and
transfer functions, or an equivalent technological standard;
``
(5) undergo an independent annual cybersecurity audit to
determine whether such visual depiction is secured as required
under paragraph
(1) ; and
``
(6) promptly address all issues identified by an audit
described in paragraph
(5) .
``
(d) Evidence Storage.--Any law enforcement or prosecutorial
agency that stores evidence of child pornography and child obscenity
using cloud-based or remote storage services shall retain such
evidence--
``
(1) in compliance with the security policy of the
Criminal Justice Information Services of the Federal Bureau of
Investigation;
``
(2) for a period consistent with the evidence retention
requirements applicable to the investigating or prosecuting
agency under the relevant Federal, State, or local law, rule of
criminal procedure, or prosecutorial policy; or
``
(3) in the absence of such law, rule, or policy, for a
period not less than the applicable statute of limitations or
the duration of any sentence imposed, including the period of
post-conviction review.
``
(e) Additional Requirements for Approved Vendors.--
``
(1) In general.--Each approved vendor shall ensure that
cloud-based storage and analytics of child pornography and
child obscenity under this section remain in the United States.
``
(2) Notification letter.--
``
(A) In general.--Approved vendors shall file a
notification letter with the Department of Justice not
later than 30 days after entering into a contract
described in subsection
(a)
(1)
(B) .
``
(B) Contents.--The notification letter shall
include the entity name and point of contact
information of the approved vendor, the name of the
contracting agency, the period of performance of the
contract, and an acknowledgment by the approved vendor
that the approved vendor will notify the Department of
Justice of any changes to the information in the
letter.
``
(3) Breach of contract.--
``
(A) In general.--If a law enforcement or
prosecutorial agency fails to make required payment
under a contract, breaches any material term of such
contract, or otherwise terminates such contract without
establishing lawful transfer of the evidence, the
approved vendor shall, not later than 30 days after the
failure, breach, or termination, notify the Department
of Justice, or in the case of a State or local agency,
the appropriate State attorney general.
``
(B) Maintenance of evidence.--Upon making a
notification under subparagraph
(A) , the approved
vendor shall continue to preserve and maintain the
integrity of the evidence until a lawful transfer of
custody occurs to the Department of Justice or another
Federal, State, or local law enforcement agency with
jurisdiction.''.
(b) Clerical Amendment.--
Section 1
(b) of the PROTECT Our Children
Act of 2008 (Public Law 110-401; 122 Stat.
(b) of the PROTECT Our Children
Act of 2008 (Public Law 110-401; 122 Stat. 4229) is amended by
inserting after the item relating to
section 201 the following:
``
``
Sec. 202.
pornography and child obscenity and limited
liability for approved vendors.''.
<all>
liability for approved vendors.''.
<all>