PRINTER'S NO. 1515
No. 1321 Session of 1999
INTRODUCED BY LESCOVITZ, HASAY, CALTAGIRONE, GEIST, LYNCH, KENNEY, MELIO, MUNDY, COY, HARHAI, LAUGHLIN, E. Z. TAYLOR, CLARK, McILHATTAN, SAINATO, BATTISTO, M. COHEN, BELFANTI, TIGUE, VAN HORNE, COLAFELLA, HENNESSEY, YOUNGBLOOD, MAHER, CAPPABIANCA, DALEY, TRELLO, SEMMEL, WILLIAMS, YUDICHAK AND FLICK, APRIL 15, 1999
REFERRED TO COMMITTEE ON COMMERCE AND ECONOMIC DEVELOPMENT, APRIL 15, 1999
AN ACT
Amending Titles 12 (Commerce and Trade) and 18 (Crimes and Offenses) of the Pennsylvania Consolidated Statutes, providing for electronic commerce; and providing penalties.
The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:
Section 1. Title 12 of the Pennsylvania Consolidated Statutes is amended by adding a chapter to read:
CHAPTER 53
ELECTRONIC COMMERCE
Subchapter
A. Preliminary Provisions
B. Electronic Records and Signatures Generally
C. Secure Electronic Records and Signatures
D. Effect of a Digital Signature
E. Duties of Subscribers
F. State Agency Use of Electronic Records and Signatures
G. Enforcement; Civil Remedy; Criminal Penalties
SUBCHAPTER A
PRELIMINARY PROVISIONS
Sec.
5301. Short title of chapter.
5302. Purposes and construction.
5303. Definitions.
5304. Variation by agreement.
§ 5301. Short title of chapter.
This chapter shall be known and may be cited as the Electronic Commerce Security Act.
§ 5302. Purposes and construction.
This chapter shall be construed consistently with what is commercially reasonable under the circumstances and to effectuate the following purposes:
(1) To facilitate electronic communications by means of reliable electronic records.
(2) To facilitate and promote electronic commerce by eliminating barriers resulting from uncertainties over writing and signature requirements and promoting the development of the legal and business infrastructure necessary to implement secure electronic commerce.
(3) To facilitate electronic filing of documents with State and local government agencies and promote efficient delivery of government services by means of reliable electronic records.
(4) To minimize the incidence of forged electronic records, intentional and unintentional alteration of records and fraud in electronic commerce.
(5) To help to establish uniformity of rules and
19990H1321B1515 - 2 -
standards regarding the authentication and integrity of electronic records.
(6) To promote public confidence in the integrity and reliability of electronic records and electronic commerce.
§ 5303. Definitions.
The following words and phrases when used in this chapter shall have the meanings given to them in this section unless the context clearly indicates otherwise:
"Asymmetric cryptosystem." A computer-based system capable of generating and using a key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature.
"Certificate." A record that at a minimum:
(1) Identifies the certification authority issuing it.
(2) Identifies its subscriber, device or electronic agent under the control of the subscriber.
(3) Contains the subscriber's public key that corresponds to a private key under the control of the subscriber.
(4) Specifies its operational period.
(5) Is digitally signed by the certification authority issuing it.
"Certification authority." A person who issues a certificate.
"Certification practice statement." A public statement of practices which a certification authority employs in issuing certificates.
"Correspond." To belong to the same key pair.
"Department." The Department of State of the Commonwealth.
"Digital signature." A transformation of an electronic
record using an asymmetric cryptosystem and hash function such that a person having the initial electronic record, and the signer's public key can accurately determine:
(1) whether the transformation was created using the private key that corresponds to the signer's public key; and
(2) whether the initial electronic record has been altered since the transformation was made.
"Electronic." The term includes electrical, digital, magnetic, optical, electromagnetic or any other form of technology that entails capabilities similar to these technologies.
"Electronic record." A record generated, communicated, received or stored by electronic means for use in an information system or for transmission from one information system to another.
"Electronic signature." A signature in electronic form attached to or logically associated with an electronic record.
"Hash function." An algorithm mapping or translating one sequence of bits into another, generally smaller, set (the hash result) such that a message yields the same hash result every time the algorithm is executed using the same message as input. It is computationally infeasible that a message can be derived or reconstituted from the hash result produced by the algorithm and that two messages can be found that produce the same hash result using the algorithm.
"Hash result." The output produced by a hash function upon processing a message.
"Information." The term includes data, text, images, sound, codes, computer programs, software, data bases and the like.
"Key pair." In an asymmetric cryptosystem, two
mathematically related keys, a private key and its mathematically related public key, having the property that only the public key can verify a digital signature that the private key creates.
"Operational period of certificate." The time period of its validity as specifically stated in the certificate excluding any period of time during which the certificate is suspended.
"Person." An individual, corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, joint venture, government, governmental entity, or instrumentality or any other legal or commercial entity.
"Private key." The key, known only to the signer, of a key pair used to create a digital signature.
"Public key." The key of a key pair used to verify a digital signature.
"Record." Information that is inscribed, stored or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.
"Repository." A system for storing and retrieving certificates or other information relevant to certificates, including, but not limited to, information relating to the status of a certificate.
"Revoke a certificate." To permanently end the operational period of a certificate from a specified time forward.
"Rule of law." Any statute, ordinance, common law rule, court decision, rule of court or other similar law enacted, established or promulgated by the Commonwealth or any of its instrumentalities.
"Secretary." The Secretary of the Commonwealth.
"Security procedure." A methodology or procedure used to verify the identity of the sender of an electronic record or to detect error or alteration in the communication, content or storage of an electronic record from a specific point in time. A security procedure may require the use of algorithms or codes, identifying words or numbers, encryption, answer back or acknowledgment procedures or similar security devices.
"Signature device." Unique information, such as codes, algorithms, letters, numbers, private keys or personal identification numbers (PINs) or a uniquely configured physical device that is required, alone or in conjunction with other information or devices, in order to create an electronic signature attributable to a specific person.
"Signed" or "signature." Any symbol executed or adopted or any security procedure employed or adopted, using electronic means or otherwise, by or on behalf of a person with intent to authenticate a record.
"State agency." Any executive or independent agency under 2 Pa.C.S. (relating to administrative law and procedure).
"Subscriber." A person who:
(1) is the subject identified in a certificate;
(2) holds a private key that corresponds to the public key listed in that certificate; and
(3) is the person to whom digitally signed messages verified by reference to such certificate are to be attributed.
"Suspend a certificate." To temporarily suspend the operational period of a certificate for a specified time period or from a specified time forward.
"Trustworthy manner." Computer hardware, software and
procedures that:
(1) are reasonably secure from intrusion and misuse;
(2) provide a reasonably reliable level of availability and correct operation;
(3) are reasonably suited to performing their intended functions;
(4) adhere to generally accepted security procedures; and
(5) comply with any applicable agreements between parties.
"Valid certificate." A certificate that a certification authority has issued and has been accepted by the subscriber listed in the certificate.
"Verify a digital signature." The use of a public key listed in a valid certificate and along with the appropriate message digest function and asymmetric cryptosystem, to determine that the digital signature was created using the private key corresponding to the public key listed in the certificate and the electronic record has not been altered since its digital signature was created.
§ 5304. Variation by agreement.
The provisions of this chapter may be changed by agreement of the parties involved in generating, receiving, storing or processing electronic records, except for the provisions of sections 5326 (relating to attribution of signature), 5332 (relating to authority to adopt rules) and 5363 (relating to criminal penalties).
SUBCHAPTER B
ELECTRONIC RECORDS AND SIGNATURES GENERALLY
Sec.
5311. Legal recognition; judicial notice.
5312. Electronic records.
5313. Electronic signatures.
5314. Electronic record as original.
5315. Admissibility into evidence.
5316. Retention of electronic records.
5317. Electronic use not required.
§ 5311. Legal recognition; judicial notice.
Information, records and signatures shall not be denied legal effect, validity or enforceability solely on the grounds that they are in electronic form. Courts shall take judicial notice of this chapter.
§ 5312. Electronic records.
(a) General rule.--An electronic record satisfies a rule of law that requires information to be written or in writing.
(b) Exceptions.--The provisions of this section shall not apply:
(1) to any rule of law where the clear intent is to require the use of a tangible medium such as paper. The requirement that information be in writing, written or printed shall not by itself be sufficient to establish such intent;
(2) to any rule of law governing the creation or execution of a will or trust, living will or durable power of attorney; or
(3) to any record that serves as a unique and transferable instrument of rights and obligations, including, without limitation, negotiable instruments and other instruments of title wherein possession of the instrument is deemed to confer title, unless an electronic version of such
record is created, stored and transferred in a manner that allows for the existence of only one unique, identifiable and unalterable original with the functional attributes of an equivalent physical instrument, that can be possessed by only one person and which cannot be copied except in a form that is readily identifiable as a copy.
§ 5313. Electronic signatures.
(a) General rule.--An electronic signature satisfies a rule of law that requires a signature.
(b) Proof.--An electronic signature may be proved in any manner, including by showing that a procedure existed by which a party executed a symbol or security procedure for the purpose of verifying that an electronic record is that of such party in order to proceed further with a transaction.
(c) Exceptions.--The provisions of this section shall not apply:
(1) to any rule of law where the clear intent is to require the use of a tangible medium such as paper. The requirement of a signature or that a record be signed shall not be sufficient to establish such intent;
(2) to any rule of law governing the creation or execution of a will or trust, living will or durable power of attorney; and
(3) to any record that serves as a unique and transferable instrument of rights and obligations, including, without limitation, negotiable instruments and other instruments of title wherein possession of the instrument is deemed to confer title, unless an electronic version of such record is created, stored and transferred in a manner that allows for the existence of only one unique, identifiable and
unalterable original with the functional attributes of an equivalent physical instrument, that can be possessed by only one person and which cannot be copied except in a form that is readily identifiable as a copy.
§ 5314. Electronic record as original.
(a) General rule.--An electronic record satisfies a rule of law that requires information to be presented or retained in its original form, provided that there exists reliable assurance as to the integrity of the information from the time when it was first generated in its final form as an electronic record.
(b) Criteria.--The criteria for assessing integrity shall be whether the information has remained complete and unaltered, apart from the addition of any endorsement or other information that arises in the normal course of communication, storage and display. The standard of reliability required to ensure that information has remained complete and unaltered shall be assessed in the light of the purpose for which the information was generated and in the light of all the relevant circumstances.
(c) Exceptions.--The provisions of this section shall not apply to any record that serves as a unique and transferable instrument of rights and obligations, including, without limitation, negotiable instruments and other instruments of title wherein possession of the instrument is deemed to confer title unless an electronic version of such record is created, stored and transferred in a manner that allows for the existence of only one unique, identifiable and unalterable original with the functional attributes of an equivalent physical instrument, that can be possessed by only one person, and which cannot be copied except in a form that is readily identifiable as a copy.
§ 5315. Admissibility into evidence.
(a) General rule.--In any legal proceeding, a court may not deny the admissibility of an electronic record or an electronic signature solely on the grounds that it is an electronic record or an electronic signature or that it is not an original.
(b) Weight of evidence.--Information in the form of an electronic record shall be given due evidentiary weight by the trier of fact. In assessing the evidential weight of an electronic record or electronic signature where its authenticity is in issue, the trier of fact may consider the manner in which it was generated, stored or communicated, the reliability of the manner in which its integrity was maintained, the manner in which its originator was identified or the electronic record was signed and any other relevant information or circumstances.
§ 5316. Retention of electronic records.
(a) Requirement satisfied.--The retention of an electronic record satisfies a rule of law that requires that certain documents, records or information be retained, provided that the following conditions are met:
(1) The electronic record is accessible so as to be usable for subsequent reference at all times.
(2) The information is retained in a format that accurately reflects the electronic record as it was sent.
(3) Any data that is necessary for the identification, authentication or integrity of the records is retained. This data may include, but is not limited to, transmittal information and information about security procedures or message integrity.
(b) Exceptions.--An obligation to retain documents, records or information in accordance with subsection (a) does not extend
to any data used solely for transmittal information and has no value with regard to the electronic records.
(c) Additional requirements.--Any State agency may specify additional requirements for the retention of records retained by that agency.
§ 5317. Electronic use not required.
Nothing in this chapter shall be construed to:
(1) require any person to create, store, transmit, accept or otherwise use or communicate information, records or signatures by electronic means or in electronic form; or
(2) prohibit any person engaging in an electronic transaction from establishing reasonable requirements regarding the medium on which it will accept records or the method and type of symbol or security procedure it will accept as a signature.
SUBCHAPTER C
SECURE ELECTRONIC RECORDS AND SIGNATURES
Sec.
5321. Determination of secure electronic record.
5322. Determination of secure electronic signature.
5323. Commercially reasonable; reliance.
5324. Presumptions.
5325. Creation and control of signature devices.
5326. Attribution of signature.
5327. Authority to certify security procedures.
§ 5321. Determination of secure electronic record.
(a) Determination.--An electronic record shall be considered to be a secure electronic record if it can be verified that such electronic record has not been altered since a specified point in time through the use of a qualified security procedure. The
party relying on the qualified security procedure shall also establish that the procedure was:
(1) commercially reasonable under the circumstances;
(2) implemented in a trustworthy manner; and
(3) reasonably relied upon in good faith.
(b) Elements.--A qualified security procedure for purposes of this section is a security procedure to detect changes in the content of an electronic record that is:
(1) previously agreed to by the parties; or
(2) certified by the secretary under section 5327 (relating to authority to certify security procedures) as being capable of providing reliable evidence that an electronic record has not been altered.
§ 5322. Determination of secure electronic signature.
(a) Determination.--An electronic signature shall be considered to be a secure electronic signature if it can be verified that an electronic signature is the signature of a special person through the use of a qualified security procedure. The party relying on the qualified security procedure shall also establish that the procedure was:
(1) commercially reasonable under the circumstances;
(2) implemented in a trustworthy manner; and
(3) reasonably relied upon in good faith.
(b) Elements.--A qualified security procedure for purposes of this section is a security procedure for identifying a person that is:
(1) previously agreed to by the parties; or
(2) certified by the secretary under section 5327 (relating to authority to certify security procedures) as being capable of creating an electronic signature that meets
the requirements of section 5327.
§ 5323. Commercially reasonable; reliance.
(a) Question of law.--The commercial reasonableness of a security procedure is a question of law to be determined in light of the purposes of the procedure and the commercial circumstances at the time the procedure was used. The court may consider the nature of the transaction, sophistication of the parties, availability of the parties, availability of alternatives offered to but rejected by either of the parties, cost of alternative procedures and procedures in general use for similar types of transactions.
(b) Determination of good faith.--Whether reliance on a security procedure was reasonable and in good faith is to be determined in light of all the circumstances known to the relying party at the time of the reliance. Consideration should be given to the following factors:
(1) information that the relying party knew or should have known of at the time of reliance that would suggest that reliance was or was not reasonable;
(2) the value or importance of the electronic record, if known;
(3) any course of dealing between the relying party and the purported sender and the available indicia of reliability or unreliability apart from the security procedure;
(4) any usage of trade, particularly trade conducted by trustworthy systems or other computer-based means; and
(5) whether the verification was performed with the assistance of an independent third party.
§ 5324. Presumptions.
(a) Electronic record.--If any legal proceeding involves the
use of a secure electronic record, then it shall be presumed that the electronic record has not been altered since the date it has received secure status.
(b) Electronic signature.--If any legal proceeding involves the use of a secure electronic signature, then it shall be presumed that it is the signature of the person to whom it correlates.
(c) Burden of proof.--The party challenging the integrity of a secure electronic record or challenging the genuineness of a secure electronic signature shall have the burden of proving that the secure electronic record has no integrity or that the secure electronic signature is not genuine.
§ 5325. Creation and control of signature devices.
A person creating or controlling a signature device created by a qualified security procedure under section 5321 (relating to determination of secure electronic record) or 5322 (relating to determination of secure electronic signature) shall:
(1) do so in a trustworthy manner;
(2) exercise and require all other persons that rightfully have access to such signature device to exercise reasonable care to retain control of the signature device to protect it from any unauthorized disclosure or use during any time period that reliance on a signature created by such device is reasonable; and
(3) make a reasonable effort to promptly notify all persons that may foreseeably be damaged as a result of a compromise of a signature device that is known or should be known to the person.
§ 5326. Attribution of signature.
(a) Reliance.--A secure electronic signature is attributable
to the person to whom it correlates, if the following conditions are satisfied:
(1) it appears that the electronic signature came from that person;
(2) the access or use occurred under circumstances constituting a failure to exercise reasonable care by that person; and
(3) another party reasonably relied in good faith to its detriment on the apparent source of the electronic record.
(b) Applicability.--Subsection (a) shall not apply to transactions intended primarily for personal, family or household use or otherwise defined as consumer transactions by applicable law, including, but not limited to, credit card and automated teller machine transactions.
§ 5327. Authority to certify security procedures.
(a) Certification of a secure electronic record.--A security procedure may be certified by the secretary as a qualified security procedure for purposes of section 5321 (relating to determination of secure electronic record) if it:
(1) is completely open and fully disclosed to the public and has been so for a sufficient length of time, so that the applicable information security or scientific community can evaluate its suitability for its intended purpose; and
(2) is generally accepted in the applicable information security or scientific community as being used in a trustworthy manner and meeting the applicable requirements of section 5322 (relating to determination of secure electronic signature).
(b) Certification of secure electronic signature.--A security procedure may be certified by the secretary for
purposes of section 5322 if it:
(1) is completely open and fully disclosed to the public for a sufficient length of time so that the applicable information security or scientific community can evaluate its suitability for its intended purpose;
(2) is generally accepted in the applicable information security or scientific community as being used in a trustworthy manner and meeting the applicable requirements of section 5322;
(3) is unique to the signer within the context in which it is used;
(4) can be used to objectively identify the person using the electronic signature;
(5) is reliably created by such identified person; and
(6) is created and linked to the electronic record to which it relates in a manner such that the electronic signature is invalid if the record or signature is changed after the creation of the signature.
(c) Determination of general acceptance.--The secretary shall consider the opinion of independent experts in the applicable field and the published findings of such community, including applicable standards organizations such as the American National Standards Institute (ANSI), International Organization for Standardization (ISO), International Telecommunication Union (ITU), and the National Institute of Standards and Technology (NIST), when determining if a security procedure has been generally accepted in the applicable information security or scientific community.
(d) Regulations.--The secretary shall promulgate regulations that specify a full and complete identification of the security
procedure, including requirements as to how it is to be implemented, if appropriate.
(e) Decertification.--The secretary may also decertify a security procedure as a qualified security procedure for purposes of sections 5321 or 5222 following an appropriate investigation or review and the adoption of duly promulgated regulations if subsequent developments establish that the security procedure is no longer sufficiently trustworthy or reliable for its intended purpose or for any other reason no longer meets the requirements for certification.
(f) Exclusive authority.--The secretary shall have exclusive authority to certify security procedures under this section.
SUBCHAPTER D
EFFECT OF A DIGITAL SIGNATURE
Sec.
5331. Digital signatures.
5332. Authority to adopt rules.
5333. Restrictions on publication of certificate.
5334. Trustworthy services.
5335. Disclosure.
5336. Issuance of certificate.
5337. Representations upon issuance of certificate.
5338. Revocation of certificate.
§ 5331. Digital signatures.
(a) Secure electronic record.--If an electronic record is signed with a digital signature that is created using an asymmetric algorithm certified by the secretary under section 5321(b)(2) (relating to determination of secure electronic record), then the record shall be considered to be a qualified security procedure for purposes of detecting changes in the
content of an electronic record under section 5321 provided that the digital signature can be verified.
(b) Secure electronic signature.--If an electronic signature is a digital signature that is created using an asymmetric algorithm certified by the secretary under section 5322(b)(2) (relating to determination of secure electronic signature), then the signature shall be considered to be a secure electronic signature for purposes of identifying a person under section 5322 if the digital signature:
(1) is created pursuant to a valid certificate issued by a certification authority;
(2) is used within the scope of a valid certificate; and
(3) is verified.
A digital signature shall not be considered to be verified for purposes of the determination of a secure electronic record under section 5322 if reliance upon the certificate is not foreseeable because it is outside the scope or the operational period of the certificate.
§ 5332. Authority to adopt rules.
(a) Rules.--The secretary may adopt rules applicable to both the public and private sectors for the purpose of determining when a certificate is considered sufficiently trustworthy so that a digital signature is considered to be verified for purposes of section 5331 (relating to digital signatures). The secretary may adopt rules that establish appropriate standards for certification authorities to be accredited by third parties or certified by the department. If the secretary adopts rules for certification, then the secretary may establish appropriate fees to be charged.
(b) Flexibility.--The secretary shall develop rules that:
(1) provide maximum flexibility to the implementation of digital signature technology and the business models necessary to support it;
(2) provide a clear basis for the recognition of certificates issued by foreign certification authorities; and
(3) promote uniformity with the laws of other jurisdictions, both domestic and international, to the extent possible.
(c) Exclusive authority.--The secretary shall have exclusive authority to adopt rules authorized by this section.
§ 5333. Restrictions on publication of certificate.
No person shall publish a certificate, or otherwise make it available to anyone likely to rely on the certificate or on a digital signature that is verifiable with reference to the public key listed in the certificate if such person knows that:
(1) the certification authority listed in the certificate has not issued it;
(2) the subscriber listed in the certificate has not accepted it; or
(3) the certificate has been revoked or suspended unless such publication is for the purpose of verifying a digital signature created prior to such revocation or suspension or giving notice of revocation or suspension.
§ 5334. Trustworthy services.
A certification authority and a person maintaining a repository shall maintain its operations and perform its services in a trustworthy manner unless it conspicuously discloses in its practice statement services that it will not perform in a trustworthy manner such as a low-cost or limited-use certificate.
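As an added illustration that is not part of the bill, the following Python models the position of a relying party under section 5331(b), built from the section 5303 definitions of digital signature (the two-prong test), certificate (its five minimum contents), operational period and revocation. The key pairs (textbook RSA over known Mersenne primes, standing in for a certified asymmetric algorithm), the certificate fields, the record and the day numbers are all constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Illustration only: textbook RSA over known Mersenne primes stands in for the
# bill's "asymmetric cryptosystem" and SHA-256 for its "hash function".  Real
# deployments use a standardised, padded signature scheme, not raw RSA.
PUBLIC_EXPONENT = 65537
Key = Tuple[int, int]                      # (modulus n, exponent)


def make_key_pair(p: int, q: int) -> Tuple[Key, Key]:
    """Constructed demo key pair (public, private) from two distinct primes."""
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))   # needs Python 3.8+
    return (n, PUBLIC_EXPONENT), (n, d)


def hash_result(record: bytes) -> int:
    """The 'hash result': the same input always gives the same digest."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def digital_signature(record: bytes, private_key: Key) -> int:
    """The 'transformation' of the record using the private key."""
    n, d = private_key
    return pow(hash_result(record), d, n)


def key_pair_matches(record: bytes, signature: int, public_key: Key) -> bool:
    """Both prongs of the section 5303 definition in one check: undoing the
    transformation with the public key must reproduce the hash result of the
    record presented; a non-corresponding key (prong 1) or a record altered
    after signing (prong 2) both make the comparison fail."""
    n, e = public_key
    return pow(signature, e, n) == hash_result(record)


@dataclass(frozen=True)
class Certificate:
    """The minimum contents of a 'certificate' under section 5303."""
    issuer: str                    # (1) certification authority issuing it
    subscriber: str                # (2) the subscriber it identifies
    public_key: Key                # (3) subscriber's public key
    valid_from: int                # (4) operational period, as day numbers
    valid_until: int
    ca_signature: int = 0          # (5) CA's digital signature over (1)-(4)
    accepted: bool = False         # a 'valid certificate' must be accepted
    revoked_at: Optional[int] = None   # 'revoke' ends the period from then on

    def body(self) -> bytes:
        """The fields the certification authority signs."""
        return repr((self.issuer, self.subscriber, self.public_key,
                     self.valid_from, self.valid_until)).encode()


def issue(cert: Certificate, ca_private: Key) -> Certificate:
    """Section 5336: the CA digitally signs the certificate it issues."""
    return replace(cert, ca_signature=digital_signature(cert.body(), ca_private))


def verify_for_5331(record: bytes, signature: int, cert: Certificate,
                    ca_public: Key, when: int) -> Tuple[bool, str]:
    """A relying party's checks behind section 5331(b): a valid certificate,
    reliance within its operational period, and a signature that verifies."""
    if not key_pair_matches(cert.body(), cert.ca_signature, ca_public):
        return False, "certificate not digitally signed by the named CA"
    if not cert.accepted:
        return False, "certificate not accepted by the subscriber, so not valid"
    if not cert.valid_from <= when <= cert.valid_until:
        return False, "reliance outside the operational period"
    if cert.revoked_at is not None and when >= cert.revoked_at:
        return False, "certificate revoked before the time of reliance"
    if not key_pair_matches(record, signature, cert.public_key):
        return False, "record altered or signed with a non-corresponding key"
    return True, "verified"


# Constructed demo actors.  521, 607, 1279 and 2203 are known Mersenne prime
# exponents, so these moduli need no primality test; 65537 is coprime to each
# (p - 1)(q - 1) because the order of 2 modulo 65537 is 32.
CA_PUBLIC, CA_PRIVATE = make_key_pair(2**1279 - 1, 2**2203 - 1)
SUB_PUBLIC, SUB_PRIVATE = make_key_pair(2**521 - 1, 2**607 - 1)
CERT = issue(Certificate("Demo CA", "subscriber@example", SUB_PUBLIC,
                         valid_from=100, valid_until=465, accepted=True),
             CA_PRIVATE)
RECORD = b"Purchase order 42: 100 units at $3.00 each"   # constructed record


def demo() -> dict:
    """Outcome of the checks in several constructed situations, on day 200."""
    sig = digital_signature(RECORD, SUB_PRIVATE)

    def check(rec, s, cert=CERT, day=200):
        return verify_for_5331(rec, s, cert, CA_PUBLIC, day)[0]

    return {
        "genuine": check(RECORD, sig),
        "altered record": check(RECORD + b"0", sig),
        "wrong private key": check(RECORD, digital_signature(RECORD, CA_PRIVATE)),
        "expired": check(RECORD, sig, day=500),
        "revoked": check(RECORD, sig, replace(CERT, revoked_at=150)),
        "forged certificate": check(RECORD, sig, replace(CERT, subscriber="impostor")),
    }
```

Only the "genuine" situation comes out verified; each of the others fails one of the listed conditions, and the second element of the tuple returned by `verify_for_5331` names which one.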
§ 5335. Disclosure.
(a) Publication.--If a certification authority issues a certificate with the intention that it will be relied upon by third parties to verify digital signatures created by subscribers, a certification authority must publish or otherwise make available to the subscriber and all such relying parties:
(1) any applicable certification practice statement, which includes any disclosures under section 5337 (relating to representations upon issuance of certificate); and
(2) its certificate that identifies the certification authority as a subscriber and that contains the public key corresponding to the private key used by the certification authority to digitally sign the certificate, its "certification authority certificate."
(b) Notice.--If an event occurs that materially and adversely affects a certification authority's operations or system, its certificate or any other aspect of its ability to operate in a trustworthy manner, the certification authority shall proceed in accordance with its certification practice statement. If the certification practice statement does not contain such procedures, the certification authority shall use reasonable efforts to notify any persons that it knows may foreseeably be damaged as a result of such occurrence.
§ 5336. Issuance of certificate.
A certification authority may issue a certificate to a prospective subscriber for the purpose of allowing third parties to verify digital signatures created by the subscriber only after the certification authority has received a request for issuance from the prospective subscriber, and the certification authority has complied with all of the relevant practices and
1 procedures set forth in its applicable certification practice 2 statement. If the certification authority has no certification 3 practice statement addressing these issues, it shall confirm in 4 a trustworthy manner that: 5 (1) the prospective subscriber is the person to be 6 listed in the certificate to be issued; 7 (2) the information in the certificate to be issued is 8 accurate; and 9 (3) the prospective subscriber rightfully holds a 10 private key capable of creating a digital signature, and the 11 public key to be listed in the certificate can be used to 12 verify a digital signature affixed by such private key. 13 § 5337. Representations upon issuance of certificate. 14 (a) Representations.--A certificate authority makes certain 15 representations to the subscriber and any person who reasonably 16 relies on the certificate in good faith during its operational 17 period when it issues a certificate that will be relied upon by 18 third parties to verify digital signatures created by the 19 subscriber. These representations provide that: 20 (1) the certification authority has complied with all 21 applicable requirements of its applicable certification 22 practice statement or this chapter or the law of the 23 jurisdiction governing issuance of the certificate; 24 (2) the certification authority has verified the 25 identity of the subscriber to the extent stated in the 26 certificate or its applicable certification practice 27 statement or in a trustworthy manner; 28 (3) the certification authority has verified that the 29 person requesting the certificate holds the private key 30 corresponding to the public key listed in the certificate; 19990H1321B1515 - 22 -
1 (4) all other information in the certificate is accurate 2 and not materially misleading to the certification 3 authority's knowledge as of the date the certificate was 4 issued unless conspicuously stated in the certificate or its 5 applicable certification practice statement; and 6 (5) the certification authority will manage and revoke, 7 if necessary, the certificate in accordance with its 8 certification practice statement or this chapter or the law 9 of the jurisdiction governing issuance of the certificate. 10 (b) Other laws.--If a certification authority issued the 11 certificate subject to the laws of another jurisdiction, the 12 certification authority also makes all warranties and 13 representations, if any, otherwise applicable under the law 14 governing its issuance. 15 § 5338. Revocation of certificate. 16 (a) Conditions for revocation.--A certification authority 17 shall revoke a certificate during its operational period in 18 accordance with the policies and procedures governing revocation 19 specified in its applicable certification practice statement. If 20 there are no such policies and procedures in its certification 21 practice statement, then a certification authority shall revoke 22 a certificate as soon as possible after: 23 (1) receiving a request for revocation by the subscriber 24 named in the certificate and confirming that the person 25 requesting revocation is the subscriber or is an agent of the 26 subscriber with authority to request the revocation; 27 (2) receiving a certified copy of an individual 28 subscriber's death certificate or upon confirming by other 29 reliable evidence that the subscriber is dead; 30 (3) being presented with documents effecting a 19990H1321B1515 - 23 -
1 dissolution of a corporate subscriber or confirming by other 2 evidence that the subscriber has been dissolved or has ceased 3 to exist; 4 (4) being served with an order requiring revocation that 5 was issued by a court of competent jurisdiction; or 6 (5) confirming that: 7 (i) a material fact represented in the certificate 8 is false; 9 (ii) a material prerequisite to issuance of the 10 certificate was not satisfied; 11 (iii) the certification authority's private key or 12 system operations were compromised in a manner materially 13 affecting the certificate's reliability; or 14 (iv) the subscriber's private key was compromised. 15 (b) Notification.--When the certification authority revokes 16 a certificate, it shall notify the subscriber and relying 17 parties in accordance with the policies and procedures governing 18 notice of revocation specified in its applicable certification 19 practice statement. If there are no such policies and 20 procedures, the certification authority shall promptly notify 21 the subscriber, promptly publish notice of the revocation in all 22 repositories where the certification authority previously caused 23 publication of the certificate and otherwise disclose the fact 24 of revocation on inquiry by a relying party. 25 SUBCHAPTER E 26 DUTIES OF SUBSCRIBERS 27 Sec. 28 5341. Obtaining certificate. 29 5342. Acceptance of certificate. 30 5343. Revocation of certificate. 19990H1321B1515 - 24 -
1 § 5341. Obtaining certificate. 2 All material representations knowingly made by a person to a 3 certification authority for purposes of obtaining a certificate 4 naming such person as a subscriber must be accurate and complete 5 to the best of such person's knowledge and belief. 6 § 5342. Acceptance of certificate. 7 (a) Methods.--A person accepts a certificate that names such 8 person as a subscriber by publishing or approving publication of 9 it to one or more persons or in a repository or otherwise 10 demonstrating approval of it while knowing or having notice of 11 its contents. 12 (b) Representation.--When a subscriber accepts a 13 certificate, the subscriber listed in the certificate represents 14 to any person who reasonably relies on the certificate during 15 its operational period in good faith that: 16 (1) the subscriber rightfully holds the private key 17 corresponding to the public key listed in the certificate; 18 (2) all representations made by the subscriber to the 19 certification authority and material to the information 20 listed in the certificate are true; and 21 (3) all information in the certificate is true to the 22 best knowledge and belief of the subscriber. 23 § 5343. Revocation of certificate. 24 When the private key corresponding to the public key listed 25 in a valid certificate is lost, stolen, accessible to an 26 unauthorized person or otherwise compromised during the 27 operational period of the certificate, a subscriber who has 28 learned of the compromise shall promptly request the issuing 29 certification authority to revoke the certificate in accordance 30 with section 5538 (relating to revocation of certificate). 19990H1321B1515 - 25 -
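Three of the duties above have a direct technical counterpart that the bill does not spell out: the certification authority's check under section 5336(3) and 5337(a)(3) that the requester actually holds the private key matching the public key to be certified (proof of possession), the revocation step of sections 5338 and 5343, and the carve-out in section 5333(3) that a digital signature created before revocation may still be verified. The following Go program is an added illustration written for this page; it is not part of the bill and models no particular certification authority. It uses a deliberately minimal Certificate struct rather than X.509, and every name in it (Certificate, NewKey, ProvePossession, Issue, Revoke, Sign, Verify), the challenge format and the sample subject, nonce and dates are assumptions made for the example. The CA's challenge is bound to the subject so a proof cannot be replayed for a different name, and the signer's asserted signing time is hashed into the signed data so it cannot be edited after the fact.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Certificate is a minimal stand-in for a real certificate (assumed structure,
// not X.509): only the fields the bill's rules turn on.
type Certificate struct {
	Subject   string
	PubKey    *ecdsa.PublicKey
	NotBefore time.Time  // start of the operational period
	NotAfter  time.Time  // end of the operational period
	RevokedAt *time.Time // nil while the certificate is in good standing
}

// NewKey generates the subscriber's key pair (P-256 ECDSA).
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// challengeDigest binds the CA-chosen nonce to the requested subject, so a
// proof made for one request cannot be replayed for another name.
func challengeDigest(subject string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("pop-challenge:" + subject + "\x00"))
	h.Write(nonce)
	return h.Sum(nil)
}

// ProvePossession is the prospective subscriber's side: sign the CA's challenge.
func ProvePossession(priv *ecdsa.PrivateKey, subject string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, challengeDigest(subject, nonce))
}

// Issue is the CA-side check of section 5336(3): refuse unless the public key
// to be listed verifies a signature made with the claimed private key.
func Issue(subject string, pub *ecdsa.PublicKey, nonce, proof []byte, now time.Time, validity time.Duration) (*Certificate, error) {
	if !ecdsa.VerifyASN1(pub, challengeDigest(subject, nonce), proof) {
		return nil, errors.New("proof of possession failed: refusing to issue")
	}
	return &Certificate{Subject: subject, PubKey: pub, NotBefore: now, NotAfter: now.Add(validity)}, nil
}

// Revoke records the revocation time (sections 5338 and 5343). Signatures made
// before that time remain verifiable under section 5333(3).
func Revoke(c *Certificate, at time.Time) { c.RevokedAt = &at }

// messageDigest hashes the asserted signing time together with the message,
// so changing the time after signing invalidates the signature.
func messageDigest(signedAt time.Time, msg []byte) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(signedAt.Unix()))
	h := sha256.New()
	h.Write(ts[:])
	h.Write(msg)
	return h.Sum(nil)
}

// Sign creates the subscriber's digital signature over (signedAt, msg).
func Sign(priv *ecdsa.PrivateKey, signedAt time.Time, msg []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, messageDigest(signedAt, msg))
}

// Verify is the relying party's decision: the asserted signing time must fall
// inside the operational period and, if the certificate has been revoked,
// precede the revocation; only then is the signature itself checked.
func Verify(c *Certificate, signedAt time.Time, msg, sig []byte) error {
	if signedAt.Before(c.NotBefore) || signedAt.After(c.NotAfter) {
		return errors.New("signing time outside the certificate's operational period")
	}
	if c.RevokedAt != nil && !signedAt.Before(*c.RevokedAt) {
		return errors.New("certificate was revoked before the asserted signing time")
	}
	if !ecdsa.VerifyASN1(c.PubKey, messageDigest(signedAt, msg), sig) {
		return errors.New("signature does not verify under the certified public key")
	}
	return nil
}

func main() {
	priv, err := NewKey()
	if err != nil {
		panic(err)
	}
	subject, nonce := "CN=example subscriber", []byte("constructed CA nonce 0001") // constructed sample values
	proof, _ := ProvePossession(priv, subject, nonce)
	t0 := time.Date(1999, time.July, 1, 0, 0, 0, 0, time.UTC)
	cert, err := Issue(subject, &priv.PublicKey, nonce, proof, t0, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample record")
	early := t0.Add(24 * time.Hour)
	sig, _ := Sign(priv, early, msg)
	fmt.Println("before revocation:", Verify(cert, early, msg, sig))
	Revoke(cert, t0.Add(48*time.Hour))
	fmt.Println("pre-revocation signature, checked after revocation:", Verify(cert, early, msg, sig))
	late := t0.Add(72 * time.Hour)
	lateSig, _ := Sign(priv, late, msg)
	fmt.Println("post-revocation signature:", Verify(cert, late, msg, lateSig))
}
```

The caveat a relying party should keep in mind: the signing time checked here is the signer's own assertion. A holder of a compromised key can backdate a signature to before the revocation, so in practice the time must come from a source the relying party trusts (a timestamping service or a repository record of when the signature was received), not from the signed data alone.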
SUBCHAPTER F
STATE AGENCY USE OF ELECTRONIC RECORDS AND SIGNATURES
Sec.
5351. State agency use of electronic records.
5352. Department of General Services to adopt State standards.
5353. Interoperability.
§ 5351. State agency use of electronic records.
(a) Determination.--Each State agency may send and receive electronic records and electronic signatures to and from other persons and otherwise create, use, store and rely upon electronic records and electronic signatures.
(b) Specifics.--If a State agency decides to send or receive electronic records or to accept document filings by electronic records, the State agency may promulgate regulations that specify:
(1) the manner and format in which such electronic records must be created, sent, received and stored;
(2) if such electronic records must be signed, the type of electronic signature required, the manner and format in which such signature must be affixed to the electronic record and the identity of or criteria that must be met by any third party used by the person filing the document to facilitate the process;
(3) control processes and procedures as appropriate to ensure adequate integrity, security, confidentiality and auditability of such electronic records; and
(4) any other required attributes for such electronic records that are currently specified for corresponding paper documents or reasonably necessary under the circumstances.
(c) Security requirements.--All regulations promulgated by a State agency shall include the relevant minimum security requirements established by the Department of General Services, if any.
(d) Satisfaction of requirement.--If a rule of law requires or authorizes the filing of any information, notice, lien or other document or record with a State agency, a filing made by an electronic record shall have the same force and effect as a filing made on paper in all cases if the State agency has authorized or agreed to such electronic filing and the filing is made in accordance with applicable regulations.
§ 5352. Department of General Services to adopt State standards.
(a) Rules.--The Department of General Services may adopt rules setting forth minimum security requirements for the use of electronic records and electronic signatures by State agencies.
(b) Minimum security requirements.--The Department of General Services shall specify appropriate minimum security requirements to be implemented and followed by State agencies for the generation, use and storage of key pairs, the issuance, acceptance, use, suspension and revocation of certificates and the use of digital signatures.
(c) Authority.--Each State agency may issue or contract for the issuance of certificates to its employees and agents, and persons conducting business or other transactions with such State agency and to take other actions consistent therewith, including the establishment of repositories and the suspension or revocation of certificates so issued, provided that the foregoing is conducted in accordance with all the rules, procedures and policies specified by the Department of General Services. The Department of General Services shall have the authority to specify the rules, procedures and policies whereby State agencies may issue or contract for the issuance of certificates.
(d) Minimum standards.--The Department of General Services may specify appropriate minimum standards and requirements that must be satisfied by a certification authority before:
(1) its services are used by any State agency for the issuance, publication, revocation and suspension of certificates to such agency or its employees or agents (for official use); or
(2) the certificates it issues will be accepted for purposes of verifying digitally signed electronic records sent to any State agency by any person.
(e) Different levels.--Where appropriate, the rules adopted by the Department of General Services pursuant to this section shall specify differing levels of minimum standards from which implementing State agencies can select the standard most appropriate for a particular application.
(f) Separate rules.--The General Assembly and the Supreme Court separately for the respective branches may adopt rules setting forth the minimum security requirements for the use of electronic records and electronic signatures by these respective branches. The General Assembly and the Supreme Court may accept the rules adopted by the Department of General Services for the use of electronic records and electronic signatures by the respective branches.
(g) Authority of Department of General Services.--Except as provided in subsection (f) and in section 5351 (relating to State agency use of electronic records), the Department of General Services shall have exclusive authority to adopt rules authorized by this section.
§ 5353. Interoperability.
To the extent reasonable under the circumstances, rules adopted by the Department of General Services or a State agency relating to the use of electronic records or electronic signatures shall be drafted in a manner designed to encourage and promote consistency and interoperability with similar requirements adopted by government agencies of the Federal Government and other states.
SUBCHAPTER G
ENFORCEMENT; CIVIL REMEDY; CRIMINAL PENALTIES
Sec.
5361. Enforcement.
5362. Civil remedy.
5363. Criminal penalties.
§ 5361. Enforcement.
The secretary may investigate complaints or other information indicating violations of rules adopted under this chapter. The secretary may refer to the Attorney General for such action as the Attorney General may deem appropriate all information the secretary obtains that discloses a violation of any provision of this chapter or the rules adopted under this chapter.
§ 5362. Civil remedy.
Whoever suffers loss by reason of a violation of section 5363 (relating to criminal penalties) may, in a civil action against the violator, obtain appropriate relief. In a civil action under this section, the court may award to the prevailing party reasonable attorney fees and other litigation expenses.
§ 5363. Criminal penalties.
(a) Unauthorized access of signature device.--Any person who intentionally obtains access, copies or possesses the signature device of another person without authorization commits a misdemeanor of the first degree.
(b) Unauthorized disclosure or alteration of signature device.--Any person who intentionally discloses, uses or alters the signature device of another person without lawful authority or in excess of lawful authorization commits a felony of the third degree. A person who violates this subsection in furtherance of any scheme or artifice to defraud in excess of $50,000 commits a felony of the second degree. A person who has previously been convicted of an offense under subsection (c) and who violates this section commits a felony of the third degree.
(c) Fraudulent use.--Any person who intentionally creates, publishes, alters or uses a certificate for any fraudulent or unlawful purpose commits a felony of the third degree. A person who violates this subsection in furtherance of any scheme or artifice to defraud in excess of $50,000 commits a felony of the second degree.
(d) False or unauthorized request.--Any person who intentionally misrepresents the person's identity or authorization in requesting or accepting a certificate or requesting suspension or revocation of a certificate commits a misdemeanor of the third degree. A person who violates this subsection ten times within a 12-month period or in furtherance of any scheme or artifice to defraud in excess of $50,000 commits a felony of the second degree.
(e) Unauthorized creation of electronic signature.--Any person who intentionally obtains access, alters, discloses or uses the signature device of a certification authority without or in excess of lawful authorization for the purpose of creating an unauthorized electronic signature using this device commits a felony of the third degree. A person also commits a felony of the third degree if the person causes another person to violate this section. A person who violates this subsection in furtherance of any scheme or artifice to defraud in excess of $50,000 commits a felony of the second degree.
Section 2. Section 4101(a) of Title 18 is amended to read:
§ 4101. Forgery.
(a) Offense defined.--A person is guilty of forgery if, with intent to defraud or injure anyone, or with knowledge that he is facilitating a fraud or injury to be perpetrated by anyone, the actor:
(1) alters any writing of another without his authority;
(2) makes, completes, executes, authenticates, issues or transfers any writing so that it purports to be the act of another who did not authorize that act, or to have been executed at a time or place or in a numbered sequence other than was in fact the case, or to be a copy of an original when no such original existed; [or]
(3) utters any writing which he knows to be forged in a manner specified in paragraphs (1) or (2) of this subsection[.]; or
(4) unlawfully uses the signature device of another to create an electronic signature of that other person, as those terms are defined in 12 Pa.C.S. Ch. 53 (relating to electronic commerce).
Section 3. This act shall take effect July 1, 1999.