The DOGE BROS Act increases statutory monetary penalties for a set of federal offenses involving unauthorized access to or disclosure of government-held information. Rather than creating new crimes, it amends existing statutes to raise maximum fines, and it adds a specific higher-fine rule for individual offenders who obtain information from federal departments or agencies under the Computer Fraud and Abuse Act (CFAA).
Professionals who advise federal contractors, agency privacy offices, prosecutors, and compliance programs should treat this as a rule-change that increases financial exposure for individuals and shifts prosecutorial bargaining power. Agencies that handle sensitive personal data will see the law change the penalty landscape without altering the underlying standards for culpability or reporting obligations.
At a Glance
What It Does
The bill amends multiple federal statutes to raise maximum monetary penalties for unauthorized access to or unauthorized disclosure of government data and adds a CFAA provision imposing a higher capped fine for individuals who obtain information from federal departments or agencies. It does not create new substantive offenses or change mens rea elements.
Who It Affects
Directly affected parties include federal employees and contractors with access to protected government records, individuals who access agency systems without authorization, agencies that hold personal data (e.g., SSA, HHS, IRS, Census), and prosecutors who bring related criminal cases. Compliance officers, legal counsel, and insurers will see changed exposure profiles.
Why It Matters
By increasing fines, the bill recalibrates the financial consequences of data theft and wrongful disclosures, potentially strengthening deterrence and prosecutorial leverage while shifting more financial risk onto individuals. That change can alter plea dynamics, insurance coverage decisions, and the incentives of insider threat mitigation programs.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The Act takes a narrow but consequential approach: it leaves the criminal and civil definitions largely intact and raises the dollar stakes tied to those violations. Rather than rewriting standards for unauthorized access or disclosure, it amends the penalty lines in several statutes so that a conviction or administrative finding can trigger a substantially larger monetary sanction.
For practitioners, that means the elements prosecutors must prove remain the same, but the potential financial sanction available at sentencing or in statutory fines is larger.
One statutory change targets the Computer Fraud and Abuse Act (CFAA) by inserting a clause that applies a special, higher maximum fine to individuals who commit the specific CFAA offense of obtaining information from a United States department or agency without authorization. The structure is procedural: it alters how the fine amount in subsection (c)(2) is applied when the offense involves federal departments or agencies.Other changes are straightforward statutory substitutions of higher dollar amounts in the penalty provisions of the Privacy Act, the Social Security Act’s confidentiality provisions, the Internal Revenue Code’s taxpayer information statute, and the Census Act.
Each amendment replaces the prior statutory dollar figure with a larger maximum fine; none of the amendments modifies how liability is established or the criminal/administrative pathways for enforcement.Because the bill increases fines but does not add alternative remedial paths (civil damage causes of action, private rights of action, or administrative enforcement mechanisms), its practical effect will depend on prosecutorial priorities and agency willingness to pursue criminal or administrative sanctions. Agencies and defense counsel should therefore expect a heavier focus on deterrence through monetary punishment and adjust internal risk assessments, contracts, and insurance placements accordingly.
The Five Things You Need to Know
Section 2 amends 5 U.S.C. 552a(i) (Privacy Act penalty provision) by increasing the statutory maximum fine previously listed in that subsection to a new, higher dollar amount.
Section 3 inserts a new subsection (k) into 18 U.S.C. 1030 (CFAA) that directs courts to apply a special higher maximum fine when an individual commits the offense of obtaining information from a United States department or agency without authorization.
Section 4 revises the Social Security Act confidentiality penalty provision (42 U.S.C. 1306(a)(1)) by replacing its existing monetary cap with a higher statutory maximum.
Section 5 amends multiple paragraphs of 26 U.S.C. 7213(a) to raise the per-offense statutory fine ceiling for unauthorized disclosure of taxpayer information.
Section 6 increases the statutory fine in 13 U.S.C. 214 for wrongful disclosure of Census data by substituting a larger dollar amount in place of the prior cap.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Declares the act’s short title — the Defending Our Government’s Electronic Data: Bolstering Responsible Oversight and Safeguards Act (DOGE BROS Act). This is a naming provision only and has no substantive legal effect on enforcement or penalties.
Raises Privacy Act monetary penalty
This provision replaces the numerical penalty listed in the Privacy Act’s penalty subsection with a larger statutory ceiling. Practically, that increases the maximum fine authorized for violations of the Privacy Act’s prohibitions on unauthorized disclosure and maintenance of records. The mechanics are a straight swap of the dollar figure in the statute rather than a change to who can be punished or how liability is proven.
Higher CFAA fine for offenses involving federal departments or agencies
Section 3 amends the CFAA’s sentencing/fine framework by adding subsection (k). The new language instructs courts to apply a specified higher maximum fine when an individual is convicted under the CFAA subsection that covers obtaining information from a U.S. department or agency without authorization. The change is targeted at individual defendants (as drafted) and does not explicitly alter fines for corporate entities; it also does not change the CFAA’s substantive elements or add new criminal counts.
Increases fines for unauthorized disclosures at SSA/HHS
This amendment lifts the statutory monetary cap in the Social Security Act provision governing unauthorized disclosures of SSA or HHS-held information. The practical implication is that prosecutions or administrative findings under that clause can carry higher maximum fines, which agencies could cite during administrative actions or which prosecutors could reference during plea negotiations.
Higher penalties for taxpayer and Census data disclosures
These two narrow edits update the Internal Revenue Code’s taxpayer-information disclosure penalties and the Census Bureau’s wrongful-disclosure penalty by substituting larger dollar figures for the former statutory caps. Both are mechanical changes: they increase the ceiling on statutory fines tied to wrongful disclosure but leave the statutory offense language intact, so liability proofs and defenses remain unchanged.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Data subjects and privacy advocates — higher statutory fines increase the theoretical financial consequence for wrongful disclosures, strengthening deterrence and giving agencies and prosecutors a stronger statutory tool to signal the seriousness of privacy breaches.
- Agency privacy offices and Chief Information Security Officers — the raised penalties provide additional leverage in internal discipline, contracting negotiations, and when coordinating with DOJ on prosecutions or referrals.
- Prosecutors and federal law enforcement — higher fines expand sentencing and plea-bargaining tools, particularly when seeking monetary sanctions against individual defendants rather than organizations.
Who Bears the Cost
- Individuals convicted of unlawful access or disclosure (including federal employees and contractors) — larger criminal fines increase personal financial exposure and could lead to greater collateral consequences in employment and security-clearance proceedings.
- Small contractors and subcontractors supplying services to agencies — although the bill targets individuals, increased individual liability can translate into higher contract insurance premiums, stronger indemnity demands, and revised personnel screening requirements.
- Federal agencies and courts — enforcement of higher fines can create administrative and prosecutorial workload (case preparation, asset-tracing, and fine collection) and may require agencies to update policies, training, and employment agreements to reflect expanded penalties.
Key Issues
The Core Tension
The central tension is deterrence versus proportionality: the bill boosts monetary deterrence against data theft and wrongful disclosures, but it does so by enlarging criminal fines without changing culpability standards or providing clearer prosecutorial guidance — raising the risk of disproportionate punishment for lower-level actors and uneven enforcement across agencies and districts.
The bill raises penalty ceilings but leaves liability elements untouched, which produces a particular set of implementation challenges. First, higher maximum fines are meaningful only if prosecutors and agencies use them; absent consistent enforcement guidance from DOJ and agency counsels, the practical change may be modest.
Second, the statute increases criminal fines for individuals without altering corporate liability lines: that asymmetry could incentivize prosecutors to focus on charging individuals rather than entities — a shift that may complicate investigations where misconduct is organizational or systemic.
There are also constitutional and proportionality risks to consider. A dramatic increase in statutory fines invites Eighth Amendment excessiveness claims in extreme cases and may produce wide disparities between similar offenses prosecuted in different districts.
Separately, the provision in the CFAA that singles out individuals who obtain information from federal departments raises questions about scope: will low-level unauthorized access (e.g., curiosity clicks or credential misuses) be treated the same as deliberate exfiltration? Finally, the bill does not add administrative processes, restitution pathways, or new compliance standards, so agencies will need to reconcile stronger penalty tools with existing reporting, remedial, and personnel frameworks — a task that may require new guidance, resources, and contract-language updates.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.