Safe Cloud Storage Act
May 20, 2026
Introduced: Oct 21, 2025
Last updated: May 20, 2026
May 20, 2026
Introduced: Oct 21, 2025
Last updated: May 20, 2026
Summary
Protects cloud storage companies from lawsuits when they store illegal child abuse material as evidence for police investigations.
What problem does this solve?
Police agencies need to store large amounts of digital evidence, but tech companies fear being sued for holding illegal material. This bill gives legal protection to approved companies so they can safely store this evidence for law enforcement.
What does this bill do?
Reference
Text:
Section:
Sec. 202(b)(1)
Header:
Limited liability for law enforcement approved vendors
Provides limited legal liability for approved vendors
Protects approved cloud storage companies from civil and criminal charges for storing child abuse material on behalf of law enforcement agencies.
Establishes exceptions for misconduct
Removes legal protection if a vendor engages in intentional or negligent misconduct, acts with malice, or uses the material for purposes unrelated to their contract.
Mandates strict cybersecurity standards
Requires vendors to follow the NIST Cybersecurity Framework, use end-to-end encryption, undergo annual security audits, and limit employee access to the data.
Requires data to be stored in the United States
Mandates that all stored child abuse material must remain within the U.S., unless a law enforcement agency gives express consent for an international transfer for investigative purposes.
Requires vendors to notify the Department of Justice
Approved vendors must send a letter to the DOJ's Criminal Division within 30 days of signing a contract with a law enforcement agency.
Creates protocol for breach of contract
If an agency breaks its contract, the vendor must notify the DOJ or state attorney general and continue to preserve the evidence until it can be lawfully transferred.
Who does this affect?
- Law enforcement agencies
- Cloud storage companies
- Victims of child exploitation
What is the real world impact?
•
Modernizes evidence storage for law enforcement
Allows police and prosecutors to use modern cloud services to store large amounts of digital evidence, which can be difficult and expensive to manage on their own systems.
•
Reduces accountability for tech companies
By limiting the legal liability of cloud storage vendors, the bill might make it harder to hold them accountable for mistakes or security lapses that don't meet the high bar of 'intentional misconduct' or 'actual malice'.
•
Creates risk of data breaches
Storing highly sensitive and illegal material on third-party cloud servers creates a new target for hackers. A security failure could lead to the widespread distribution of child abuse material.
When does this start?
The rules in this bill would take effect as soon as it is signed into law, and it includes several specific deadlines for companies.
Vendor notification to Department of Justice
Vendors must notify the Department of Justice within 30 days of starting a contract with a law enforcement agency.
Notification of contract breach
Vendors must notify the Department of Justice or a state attorney general within 30 days if a law enforcement agency breaks its contract.
Annual cybersecurity audit
Approved vendors are required to have an independent cybersecurity audit performed every year.