                                                      PRINTER'S NO. 1515

THE GENERAL ASSEMBLY OF PENNSYLVANIA


HOUSE BILL

No. 1321 Session of 1999


        INTRODUCED BY LESCOVITZ, HASAY, CALTAGIRONE, GEIST, LYNCH,
           KENNEY, MELIO, MUNDY, COY, HARHAI, LAUGHLIN, E. Z. TAYLOR,
           CLARK, McILHATTAN, SAINATO, BATTISTO, M. COHEN, BELFANTI,
           TIGUE, VAN HORNE, COLAFELLA, HENNESSEY, YOUNGBLOOD, MAHER,
           CAPPABIANCA, DALEY, TRELLO, SEMMEL, WILLIAMS, YUDICHAK AND
           FLICK, APRIL 15, 1999

        REFERRED TO COMMITTEE ON COMMERCE AND ECONOMIC DEVELOPMENT,
           APRIL 15, 1999

                                     AN ACT

     1  Amending Titles 12 (Commerce and Trade) and 18 (Crimes and
     2     Offenses) of the Pennsylvania Consolidated Statutes,
     3     providing for electronic commerce; and providing penalties.

     4     The General Assembly of the Commonwealth of Pennsylvania
     5  hereby enacts as follows:
     6     Section 1.  Title 12 of the Pennsylvania Consolidated
     7  Statutes is amended by adding a chapter to read:
     8                             CHAPTER 53
     9                        ELECTRONIC COMMERCE
    10  Subchapter
    11    A.  Preliminary Provisions
    12    B.  Electronic Records and Signatures Generally
    13    C.  Secure Electronic Records and Signatures
    14    D.  Effect of a Digital Signature
    15    E.  Duties of Subscribers
    16    F.  State Agency Use of Electronic Records and Signatures

     1    G.  Enforcement; Civil Remedy; Criminal Penalties
     2                            SUBCHAPTER A
     3                       PRELIMINARY PROVISIONS
     4  Sec.
     5  5301.  Short title of chapter.
     6  5302.  Purposes and construction.
     7  5303.  Definitions.
     8  5304.  Variation by agreement.
     9  § 5301.  Short title of chapter.
    10     This chapter shall be known and may be cited as the
    11  Electronic Commerce Security Act.
    12  § 5302.  Purposes and construction.
    13     This chapter shall be construed consistently with what is
    14  commercially reasonable under the circumstances and to
    15  effectuate the following purposes:
    16         (1)  To facilitate electronic communications by means of
    17     reliable electronic records.
    18         (2)  To facilitate and promote electronic commerce by
    19     eliminating barriers resulting from uncertainties over
    20     writing and signature requirements and promoting the
    21     development of the legal and business infrastructure
    22     necessary to implement secure electronic commerce.
    23         (3)  To facilitate electronic filing of documents with
    24     State and local government agencies and promote efficient
    25     delivery of government services by means of reliable
    26     electronic records.
    27         (4)  To minimize the incidence of forged electronic
    28     records, intentional and unintentional alteration of records
    29     and fraud in electronic commerce.
    30         (5)  To help to establish uniformity of rules and
    19990H1321B1515                  - 2 -

     1     standards regarding the authentication and integrity of
     2     electronic records.
     3         (6)  To promote public confidence in the integrity and
     4     reliability of electronic records and electronic commerce.
     5  § 5303.  Definitions.
     6     The following words and phrases when used in this chapter
     7  shall have the meanings given to them in this section unless the
     8  context clearly indicates otherwise:
     9     "Asymmetric cryptosystem."  A computer-based system capable
    10  of generating and using a key pair consisting of a private key
    11  for creating a digital signature and a public key to verify the
    12  digital signature.
    13     "Certificate."  A record that at a minimum:
    14         (1)  Identifies the certification authority issuing it.
    15         (2)  Identifies its subscriber, device or electronic
    16     agent under the control of the subscriber.
    17         (3)  Contains the subscriber's public key that
    18     corresponds to a private key under the control of the
    19     subscriber.
    20         (4)  Specifies its operational period.
    21         (5)  Is digitally signed by the certification authority
    22     issuing it.
    23     "Certification authority."  A person who issues a
    24  certificate.
    25     "Certification practice statement."  A public statement of
    26  practices which a certification authority employs in issuing
    27  certificates.
    28     "Correspond."  To belong to the same key pair.
    29     "Department."  The Department of State of the Commonwealth.
    30     "Digital signature."  A transformation of an electronic
     1  record using an asymmetric cryptosystem and hash function such
     2  that a person having the initial electronic record, and the
     3  signer's public key can accurately determine:
     4         (1)  whether the transformation was created using the
     5     private key that corresponds to the signer's public key; and
     6         (2)  whether the initial electronic record has been
     7     altered since the transformation was made.
     8     "Electronic."  The term includes electrical, digital,
     9  magnetic, optical, electromagnetic or any other form of
    10  technology that entails capabilities similar to these
    11  technologies.
    12     "Electronic record."  A record generated, communicated,
    13  received or stored by electronic means for use in an information
    14  system or for transmission from one information system to
    15  another.
    16     "Electronic signature."  A signature in electronic form
    17  attached to or logically associated with an electronic record.
    18     "Hash function."  An algorithm mapping or translating one
    19  sequence of bits into another, generally smaller, set (the hash
    20  result) such that a message yields the same hash result every
    21  time the algorithm is executed using the same message as input.
    22  It is computationally infeasible that a message can be derived
    23  or reconstituted from the hash result produced by the algorithm
    24  and that two messages can be found that produce the same hash
    25  result using the algorithm.
    26     "Hash result."  The output produced by a hash function upon
    27  processing a message.
    28     "Information."  The term includes data, text, images, sound,
    29  codes, computer programs, software, data bases and the like.
    30     "Key pair."  In an asymmetric cryptosystem, two
     1  mathematically related keys, a private key and its
     2  mathematically related public key, having the property that only
     3  the public key can verify a digital signature that the private
     4  key creates.
     5     "Operational period of certificate."  The time period of its
     6  validity as specifically stated in the certificate excluding any
     7  period of time during which the certificate is suspended.
     8     "Person."  An individual, corporation, business trust,
     9  estate, trust, partnership, limited partnership, limited
    10  liability partnership, limited liability company, association,
    11  joint venture, government, governmental entity, or
    12  instrumentality or any other legal or commercial entity.
    13     "Private key."  The key, known only to the signer, of a key
    14  pair used to create a digital signature.
    15     "Public key."  The key of a key pair used to verify a digital
    16  signature.
    17     "Record."  Information that is inscribed, stored or otherwise
    18  fixed on a tangible medium or that is stored in an electronic or
    19  other medium and is retrievable in perceivable form.
    20     "Repository."  A system for storing and retrieving
    21  certificates or other information relevant to certificates,
    22  including, but not limited to, information relating to the
    23  status of a certificate.
    24     "Revoke a certificate."  To permanently end the operational
    25  period of a certificate from a specified time forward.
    26     "Rule of law."  Any statute, ordinance, common law rule,
    27  court decision, rule of court or other similar law enacted,
    28  established or promulgated by the Commonwealth or any of its
    29  instrumentalities.
    30     "Secretary."  The Secretary of the Commonwealth.
     1     "Security procedure."  A methodology or procedure used to
     2  verify the identity of the sender of an electronic record or to
     3  detect error or alteration in the communication, content or
     4  storage of an electronic record from a specific point in time. A
     5  security procedure may require the use of algorithms or codes,
     6  identifying words or numbers, encryption, answer back or
     7  acknowledgment procedures or similar security devices.
     8     "Signature device."  Unique information, such as codes,
     9  algorithms, letters, numbers, private keys or personal
    10  identification numbers (PINs) or a uniquely configured physical
    11  device that is required, alone or in conjunction with other
    12  information or devices, in order to create an electronic
    13  signature attributable to a specific person.
    14     "Signed" or "signature."  Any symbol executed or adopted or
    15  any security procedure employed or adopted, using electronic
    16  means or otherwise, by or on behalf of a person with intent to
    17  authenticate a record.
    18     "State agency."  Any executive or independent agency under 2
    19  Pa.C.S. (relating to administrative law and procedure).
    20     "Subscriber."  A person who:
    21         (1)  is the subject identified in a certificate;
    22         (2)  holds a private key that corresponds to the public
    23     key listed in that certificate; and
    24         (3)  is the person to whom digitally signed messages
    25     verified by reference to such certificate are to be
    26     attributed.
    27     "Suspend a certificate."  To temporarily suspend the
    28  operational period of a certificate for a specified time period
    29  or from a specified time forward.
    30     "Trustworthy manner."  Computer hardware, software and
     1  procedures that:
     2         (1)  are reasonably secure from intrusion and misuse;
     3         (2)  provide a reasonably reliable level of availability
     4     and correct operation;
     5         (3)  are reasonably suited to performing their intended
     6     functions;
     7         (4)  adhere to generally accepted security procedures;
     8     and
     9         (5)  comply with any applicable agreements between
    10     parties.
    11     "Valid certificate."  A certificate that a certification
    12  authority has issued and has been accepted by the subscriber
    13  listed in the certificate.
    14     "Verify a digital signature."  The use of a public key listed
    15  in a valid certificate and along with the appropriate message
    16  digest function and asymmetric cryptosystem, to determine that
    17  the digital signature was created using the private key
    18  corresponding to the public key listed in the certificate and
    19  the electronic record has not been altered since its digital
    20  signature was created.
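The definitions of "asymmetric cryptosystem", "hash function", "key pair", "digital signature", "certificate", "operational period" and "verify a digital signature" above describe a mechanism, so a worked illustration follows. It is an added example and not part of House Bill 1321: a toy model in Python that uses textbook RSA over integers (keyed from fixed Mersenne primes, with no padding and no real key generation, so it is not a secure scheme) purely to show how a holder of the record and the signer's public key decides the two statutory questions, and how a certificate binds the public key to a subscriber for an operational period. It goes slightly beyond the definitions by also exercising the suspension, revocation and expiry outcomes that the repository and operational-period definitions anticipate. The names, the JSON certificate layout, the repository dictionary and the integer clock are assumptions of this example.

```python
"""Toy model of the Chapter 53 definitions: "asymmetric cryptosystem",
"hash function"/"hash result", "key pair", "digital signature", "certificate",
"operational period", "repository" (status) and "verify a digital signature".

The cryptosystem is textbook RSA over Python integers, keyed from fixed
Mersenne primes so it runs offline with only the standard library.  It is NOT
a secure signature scheme (no padding, no real key generation, small moduli);
it exists only to make the statutory mechanics concrete.  All names, the JSON
certificate layout and the integer clock `now` are assumptions of this example.
"""
import hashlib
import json

E = 65537  # public exponent shared by every key pair below

def make_key_pair(p, q):
    """Return (public_key, private_key) = ((e, n), (d, n)) from two distinct primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse of e; Python 3.8+
    return (E, n), (d, n)

def hash_result(record):
    """'Hash result': SHA-256 of the electronic record, read as an integer."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")

def sign(record, private_key):
    """'Digital signature': transform the record's hash result with the private key."""
    d, n = private_key
    return pow(hash_result(record) % n, d, n)

def verify(record, signature, public_key):
    """With the record and the signer's public key, decide both statutory questions
    at once: the recovered hash matches only if the corresponding private key
    made the signature AND the record is unaltered since then."""
    e, n = public_key
    return pow(signature, e, n) == hash_result(record) % n

def canonical(body):
    """Deterministic encoding so the CA's signature covers exactly the fields read later."""
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(ca_name, ca_private_key, subscriber, subscriber_public_key,
                      not_before, not_after, serial):
    """'Certificate': identifies the issuing CA and the subscriber, carries the
    subscriber's public key and operational period, and is signed by the CA."""
    body = {"issuer": ca_name, "subject": subscriber, "serial": serial,
            "public_key": list(subscriber_public_key),
            "not_before": not_before, "not_after": not_after}
    return {"body": body, "ca_signature": sign(canonical(body), ca_private_key)}

def verify_with_certificate(record, signature, cert, ca_public_key, repository, now):
    """'Verify a digital signature' via the public key listed in a certificate.
    `repository` maps serial -> "valid" | "suspended" | "revoked"; `now` is an
    integer clock compared against the operational period.  Returns (ok, reason)."""
    body = cert["body"]
    if not verify(canonical(body), cert["ca_signature"], ca_public_key):
        return False, "certificate not signed by the certification authority"
    status = repository.get(body["serial"], "unknown")
    if status == "revoked":
        return False, "certificate revoked"
    if status == "suspended":
        return False, "certificate suspended"
    if not body["not_before"] <= now <= body["not_after"]:
        return False, "outside operational period"
    if not verify(record, signature, tuple(body["public_key"])):
        return False, "signature does not verify: wrong key or record altered"
    return True, "verified"

def demo():
    """Success case plus each failure the definitions are written to detect."""
    ca_pub, ca_priv = make_key_pair((1 << 107) - 1, (1 << 127) - 1)  # certification authority
    sub_pub, sub_priv = make_key_pair((1 << 61) - 1, (1 << 89) - 1)  # subscriber
    imp_pub, imp_priv = make_key_pair((1 << 19) - 1, (1 << 31) - 1)  # impostor
    cert = issue_certificate("Example CA", ca_priv, "Example Subscriber", sub_pub,
                             not_before=100, not_after=200, serial="0001")
    repository = {"0001": "valid"}               # constructed repository
    record = b"Pay 100 dollars to the bearer."  # constructed electronic record
    sig = sign(record, sub_priv)

    def check(rec, s, c, t):
        return verify_with_certificate(rec, s, c, ca_pub, repository, t)

    out = {"ok": check(record, sig, cert, 150),
           "altered": check(b"Pay 900 dollars to the bearer.", sig, cert, 150),
           "wrong_key": check(record, sign(record, imp_priv), cert, 150),
           "expired": check(record, sig, cert, 250)}
    # impostor issues a certificate in the subscriber's name under its own key
    forged = issue_certificate("Example CA", imp_priv, "Example Subscriber", imp_pub,
                               100, 200, "0001")
    out["forged_cert"] = check(record, sign(record, imp_priv), forged, 150)
    repository["0001"] = "suspended"   # "suspend a certificate"
    out["suspended"] = check(record, sig, cert, 150)
    repository["0001"] = "revoked"     # "revoke a certificate"
    out["revoked"] = check(record, sig, cert, 150)
    return out

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:12s} {'PASS' if ok else 'FAIL'}: {reason}")
```

Running the script prints one line per case. Note that a single mismatch in `verify` cannot tell "wrong private key" from "record altered"; the statute's two questions are answered together, which is why the certificate step (binding the public key to a named subscriber) is what turns a bare verification into attribution.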
    21  § 5304.  Variation by agreement.
    22     The provisions of this chapter may be changed by agreement of
    23  the parties involved in generating, receiving, storing or
    24  processing electronic records, except for the provisions of
    25  sections 5326 (relating to attribution of signature), 5332
    26  (relating to authority to adopt rules) and 5363 (relating to
    27  criminal penalties).
    28                            SUBCHAPTER B
    29            ELECTRONIC RECORDS AND SIGNATURES GENERALLY
    30  Sec.
     1  5311.  Legal recognition; judicial notice.
     2  5312.  Electronic records.
     3  5313.  Electronic signatures.
     4  5314.  Electronic record as original.
     5  5315.  Admissibility into evidence.
     6  5316.  Retention of electronic records.
     7  5317.  Electronic use not required.
     8  § 5311.  Legal recognition; judicial notice.
     9     Information, records and signatures shall not be denied legal
    10  effect, validity or enforceability solely on the grounds that
    11  they are in electronic form. Courts shall take judicial notice
    12  of this chapter.
    13  § 5312.  Electronic records.
    14     (a)  General rule.--An electronic record satisfies a rule of
    15  law that requires information to be written or in writing.
    16     (b)  Exceptions.--The provisions of this section shall not
    17  apply:
    18         (1)  to any rule of law where the clear intent is to
    19     require the use of a tangible medium such as paper. The
    20     requirement that information be in writing, written or
    21     printed shall not by itself be sufficient to establish such
    22     intent;
    23         (2)  to any rule of law governing the creation or
    24     execution of a will or trust, living will or durable power of
    25     attorney; or
    26         (3)  to any record that serves as a unique and
    27     transferable instrument of rights and obligations, including,
    28     without limitation, negotiable instruments and other
    29     instruments of title wherein possession of the instrument is
    30     deemed to confer title, unless an electronic version of such
     1     record is created, stored and transferred in a manner that
     2     allows for the existence of only one unique, identifiable and
     3     unalterable original with the functional attributes of an
     4     equivalent physical instrument, that can be possessed by only
     5     one person and which cannot be copied except in a form that
     6     is readily identifiable as a copy.
     7  § 5313.  Electronic signatures.
     8     (a)  General rule.--An electronic signature satisfies a rule
     9  of law that requires a signature.
    10     (b)  Proof.--An electronic signature may be proved in any
    11  manner, including by showing that a procedure existed by which a
    12  party executed a symbol or security procedure for the purpose of
    13  verifying that an electronic record is that of such party in
    14  order to proceed further with a transaction.
    15     (c)  Exceptions.--The provisions of this section shall not
    16  apply:
    17         (1)  to any rule of law where the clear intent is to
    18     require the use of a tangible medium such as paper. The
    19     requirement of a signature or that a record be signed shall
    20     not be sufficient to establish such intent;
    21         (2)  to any rule of law governing the creation or
    22     execution of a will or trust, living will or durable power of
    23     attorney; and
    24         (3)  to any record that serves as a unique and
    25     transferable instrument of rights and obligations, including,
    26     without limitation, negotiable instruments and other
    27     instruments of title wherein possession of the instrument is
    28     deemed to confer title, unless an electronic version of such
    29     record is created, stored and transferred in a manner that
    30     allows for the existence of only one unique, identifiable and
     1     unalterable original with the functional attributes of an
     2     equivalent physical instrument, that can be possessed by only
     3     one person and which cannot be copied except in a form that
     4     is readily identifiable as a copy.
     5  § 5314.  Electronic record as original.
     6     (a)  General rule.--An electronic record satisfies a rule of
     7  law that requires information to be presented or retained in its
     8  original form, provided that there exists reliable assurance as
     9  to the integrity of the information from the time when it was
    10  first generated in its final form as an electronic record.
    11     (b)  Criteria.--The criteria for assessing integrity shall be
    12  whether the information has remained complete and unaltered,
    13  apart from the addition of any endorsement or other information
    14  that arises in the normal course of communication, storage and
    15  display. The standard of reliability required to ensure that
    16  information has remained complete and unaltered shall be
    17  assessed in the light of the purpose for which the information
    18  was generated and in the light of all the relevant
    19  circumstances.
    20     (c)  Exceptions.--The provisions of this section shall not
    21  apply to any record that serves as a unique and transferable
    22  instrument of rights and obligations, including, without
    23  limitation, negotiable instruments and other instruments of
    24  title wherein possession of the instrument is deemed to confer
    25  title unless an electronic version of such record is created,
    26  stored and transferred in a manner that allows for the existence
    27  of only one unique, identifiable and unalterable original with
    28  the functional attributes of an equivalent physical instrument,
    29  that can be possessed by only one person, and which cannot be
    30  copied except in a form that is readily identifiable as a copy.
     1  § 5315.  Admissibility into evidence.
     2     (a)  General rule.--In any legal proceeding, a court may not
     3  deny the admissibility of an electronic record or an electronic
     4  signature solely on the grounds that it is an electronic record
     5  or an electronic signature or that it is not an original.
     6     (b)  Weight of evidence.--Information in the form of an
     7  electronic record shall be given due evidentiary weight by the
     8  trier of fact. In assessing the evidential weight of an
     9  electronic record or electronic signature where its authenticity
    10  is in issue, the trier of fact may consider the manner in which
    11  it was generated, stored or communicated, the reliability of the
    12  manner in which its integrity was maintained, the manner in
    13  which its originator was identified or the electronic record was
    14  signed and any other relevant information or circumstances.
    15  § 5316.  Retention of electronic records.
    16     (a)  Requirement satisfied.--The retention of an electronic
    17  record satisfies a rule of law that requires that certain
    18  documents, records or information be retained, provided that the
    19  following conditions are met:
    20         (1)  The electronic record is accessible so as to be
    21     usable for subsequent reference at all times.
    22         (2)  The information is retained in a format that
    23     accurately reflects the electronic record as it was sent.
    24         (3)  Any data that is necessary for the identification,
    25     authentication or integrity of the records is retained. This
    26     data may include, but is not limited to, transmittal
    27     information and information about security procedures or
    28     message integrity.
    29     (b)  Exceptions.--An obligation to retain documents, records
    30  or information in accordance with subsection (a) does not extend
     1  to any data used solely for transmittal information and has no
     2  value with regard to the electronic records.
     3     (c)  Additional requirements.--Any State agency may specify
     4  additional requirements for the retention of records retained by
     5  that agency.
     6  § 5317.  Electronic use not required.
     7     Nothing in this chapter shall be construed to:
     8         (1)  require any person to create, store, transmit,
     9     accept or otherwise use or communicate information, records
    10     or signatures by electronic means or in electronic form; or
    11         (2)  prohibit any person engaging in an electronic
    12     transaction from establishing reasonable requirements
    13     regarding the medium on which it will accept records or the
    14     method and type of symbol or security procedure it will
    15     accept as a signature.
    16                            SUBCHAPTER C
    17              SECURE ELECTRONIC RECORDS AND SIGNATURES
    18  Sec.
    19  5321.  Determination of secure electronic record.
    20  5322.  Determination of secure electronic signature.
    21  5323.  Commercially reasonable; reliance.
    22  5324.  Presumptions.
    23  5325.  Creation and control of signature devices.
    24  5326.  Attribution of signature.
    25  5327.  Authority to certify security procedures.
    26  § 5321.  Determination of secure electronic record.
    27     (a)  Determination.--An electronic record shall be considered
    28  to be a secure electronic record if it can be verified that such
    29  electronic record has not been altered since a specified point
    30  in time through the use of a qualified security procedure. The
     1  party relying on the qualified security procedure shall also
     2  establish that the procedure was:
     3         (1)  commercially reasonable under the circumstances;
     4         (2)  implemented in a trustworthy manner; and
     5         (3)  reasonably relied upon in good faith.
     6     (b)  Elements.--A qualified security procedure for purposes
     7  of this section is a security procedure to detect changes in the
     8  content of an electronic record that is:
     9         (1)  previously agreed to by the parties; or
    10         (2)  certified by the secretary under section 5327
    11     (relating to authority to certify security procedures) as
    12     being capable of providing reliable evidence that an
    13     electronic record has not been altered.
    14  § 5322.  Determination of secure electronic signature.
    15     (a)  Determination.--An electronic signature shall be
    16  considered to be a secure electronic signature if it can be
    17  verified that an electronic signature is the signature of a
    18     specific person through the use of a qualified security
    19  procedure. The party relying on the qualified security procedure
    20  shall also establish that the procedure was:
    21         (1)  commercially reasonable under the circumstances;
    22         (2)  implemented in a trustworthy manner; and
    23         (3)  reasonably relied upon in good faith.
    24     (b)  Elements.--A qualified security procedure for purposes
    25  of this section is a security procedure for identifying a person
    26  that is:
    27         (1)  previously agreed to by the parties; or
    28         (2)  certified by the secretary under section 5327
    29     (relating to authority to certify security procedures) as
    30     being capable of creating an electronic signature that meets
     1     the requirements of section 5327.
     2  § 5323.  Commercially reasonable; reliance.
     3     (a)  Question of law.--The commercial reasonableness of a
     4  security procedure is a question of law to be determined in
     5  light of the purposes of the procedure and the commercial
     6  circumstances at the time the procedure was used. The court may
     7  consider the nature of the transaction, sophistication of the
     8  parties, availability of alternatives offered to but rejected
     9  by either of the parties, cost of alternative procedures and
    10  procedures in general use for similar types of
    11  transactions.
    12     (b)  Determination of good faith.--Whether reliance on a
    13  security procedure was reasonable and in good faith is to be
    14  determined in light of all the circumstances known to the
    15  relying party at the time of the reliance. Consideration should
    16  be given to the following factors:
    17         (1)  information that the relying party knew or should
    18     have known of at the time of reliance that would suggest that
    19     reliance was or was not reasonable;
    20         (2)  the value or importance of the electronic record, if
    21     known;
    22         (3)  any course of dealing between the relying party and
    23     the purported sender and the available indicia of reliability
    24     or unreliability apart from the security procedure;
    25         (4)  any usage of trade, particularly trade conducted by
    26     trustworthy systems or other computer-based means; and
    27         (5)  whether the verification was performed with the
    28     assistance of an independent third party.
    29  § 5324.  Presumptions.
    30     (a)  Electronic record.--If any legal proceeding involves the
     1  use of a secure electronic record, then it shall be presumed
     2  that the electronic record has not been altered since the date
     3  it has received secure status.
     4     (b)  Electronic signature.--If any legal proceeding involves
     5  the use of a secure electronic signature, then it shall be
     6  presumed that it is the signature of the person to whom it
     7  correlates.
     8     (c)  Burden of proof.--The party challenging the integrity of
     9  a secure electronic record or challenging the genuineness of a
    10  secure electronic signature shall have the burden of proving
    11  that the secure electronic record has no integrity or that the
    12  secure electronic signature is not genuine.
    13  § 5325.  Creation and control of signature devices.
    14     A person creating or controlling a signature device created
    15  by a qualified security procedure under section 5321 (relating
    16  to determination of secure electronic record) or 5322 (relating
    17  to determination of secure electronic signature) shall:
    18         (1)  do so in a trustworthy manner;
    19         (2)  exercise and require all other persons that
    20     rightfully have access to such signature device to exercise
    21     reasonable care to retain control of the signature device to
    22     protect it from any unauthorized disclosure or use during any
    23     time period that reliance on a signature created by such
    24     device is reasonable; and
    25         (3)  make a reasonable effort to promptly notify all
    26     persons that may foreseeably be damaged as a result of a
    27     compromise of a signature device that is known or should be
    28     known to the person.
    29  § 5326.  Attribution of signature.
    30     (a)  Reliance.--A secure electronic signature is attributable
     1  to the person to whom it correlates, if the following conditions
     2  are satisfied:
     3         (1)  it appears that the electronic signature came from
     4     that person;
     5         (2)  the access or use occurred under circumstances
     6     constituting a failure to exercise reasonable care by that
     7     person; and
     8         (3)  another party reasonably relied in good faith to its
     9     detriment on the apparent source of the electronic record.
    10     (b)  Applicability.--Subsection (a) shall not apply to
    11  transactions intended primarily for personal, family or
    12  household use or otherwise defined as consumer transactions by
    13  applicable law, including, but not limited to, credit card and
    14  automated teller machine transactions.
    15  § 5327.  Authority to certify security procedures.
    16     (a)  Certification of a secure electronic record.--A security
    17  procedure may be certified by the secretary as a qualified
    18  security procedure for purposes of section 5321 (relating to
    19  determination of secure electronic record) if it:
    20         (1)  is completely open and fully disclosed to the public
    21     and has been so for a sufficient length of time, so that the
    22     applicable information security or scientific community can
    23     evaluate its suitability for its intended purpose; and
    24         (2)  is generally accepted in the applicable information
    25     security or scientific community as being used in a
    26     trustworthy manner and meeting the applicable requirements of
    27     section 5322 (relating to determination of secure electronic
    28     signature).
    29     (b)  Certification of secure electronic signature.--A
    30  security procedure may be certified by the secretary for
     1  purposes of section 5322 if it:
     2         (1)  is completely open and fully disclosed to the public
     3     for a sufficient length of time so that the applicable
     4     information security or scientific community can evaluate its
     5     suitability for its intended purpose;
     6         (2)  is generally accepted in the applicable information
     7     security or scientific community as being used in a
     8     trustworthy manner and meeting the applicable requirements of
     9     section 5322;
    10         (3)  is unique to the signer within the context in which
    11     it is used;
    12         (4)  can be used to objectively identify the person using
    13     the electronic signature;
    14         (5)  is reliably created by such identified person; and
    15         (6)  is created and linked to the electronic record to
    16     which it relates in a manner such that the electronic
    17     signature is invalid if the record or signature is changed
    18     after the creation of the signature.
    19     (c)  Determination of general acceptance.--The secretary
    20  shall consider the opinion of independent experts in the
    21  applicable field and the published findings of such community,
    22  including applicable standards organizations such as the
    23  American National Standards Institute (ANSI), International
    24  Organization for Standardization (ISO), International
    25  Telecommunication Union (ITU), and the National Institute of
    26  Standards and Technology (NIST), when determining if a security
    27  procedure has been generally accepted in the applicable
    28  information security or scientific community.
    29     (d)  Regulations.--The secretary shall promulgate regulations
    30  that specify a full and complete identification of the security
     1  procedure, including requirements as to how it is to be
     2  implemented, if appropriate.
     3     (e)  Decertification.--The secretary may also decertify a
     4  security procedure as a qualified security procedure for
     5  purposes of sections 5321 or 5322 following an appropriate
     6  investigation or review and the adoption of duly promulgated
     7  regulations if subsequent developments establish that the
     8  security procedure is no longer sufficiently trustworthy or
     9  reliable for its intended purpose or for any other reason no
    10  longer meets the requirements for certification.
    11     (f)  Exclusive authority.--The secretary shall have exclusive
    12  authority to certify security procedures under this section.
    13                            SUBCHAPTER D
    14                   EFFECT OF A DIGITAL SIGNATURE
    15  Sec.
    16  5331.  Digital signatures.
    17  5332.  Authority to adopt rules.
    18  5333.  Restrictions on publication of certificate.
    19  5334.  Trustworthy services.
    20  5335.  Disclosure.
    21  5336.  Issuance of certificate.
    22  5337.  Representations upon issuance of certificate.
    23  5338.  Revocation of certificate.
    24  § 5331.  Digital signatures.
    25     (a)  Secure electronic record.--If an electronic record is
    26  signed with a digital signature that is created using an
    27  asymmetric algorithm certified by the secretary under section
    28  5321(b)(2) (relating to determination of secure electronic
    29  record), then the record shall be considered to be a qualified
    30  security procedure for purposes of detecting changes in the
     1  content of an electronic record under section 5321 provided that
     2  the digital signature can be verified.
     3     (b)  Secure electronic signature.--If an electronic signature
     4  is a digital signature that is created using an asymmetric
     5  algorithm certified by the secretary under section 5322(b)(2)
     6  (relating to determination of secure electronic signature), then
     7  the signature shall be considered to be a secure electronic
     8  signature for purposes of identifying a person under section
     9  5322 if the digital signature:
    10         (1)  is created pursuant to a valid certificate issued by
    11     a certification authority;
    12         (2)  is used within the scope of a valid certificate; and
    13         (3)  is verified.
    14  A digital signature shall not be considered to be verified for
    15  purposes of the determination of a secure electronic record
    16  under section 5322 if reliance upon the certificate is not
    17  foreseeable because it is outside the scope or the operational
    18  period of the certificate.
    19  § 5332.  Authority to adopt rules.
    20     (a)  Rules.--The secretary may adopt rules applicable to both
    21  the public and private sectors for the purpose of determining
    22  when a certificate is considered sufficiently trustworthy so
    23  that a digital signature is considered to be verified for
    24  purposes of section 5331 (relating to digital signatures). The
    25  secretary may adopt rules that establish appropriate standards
    26  for certification authorities to be accredited by third parties
    27  or certified by the department. If the secretary adopts rules
    28  for certification, then the secretary may establish appropriate
    29  fees to be charged.
    30     (b)  Flexibility.--The secretary shall develop rules that:
     1         (1)  provide maximum flexibility to the implementation of
     2     digital signature technology and the business models
     3     necessary to support it;
     4         (2)  provide a clear basis for the recognition of
     5     certificates issued by foreign certification authorities; and
     6         (3)  promote uniformity with the laws of other
     7     jurisdictions, both domestic and international, to the extent
     8     possible.
     9     (c)  Exclusive authority.--The secretary shall have exclusive
    10  authority to adopt rules authorized by this section.
    11  § 5333.  Restrictions on publication of certificate.
    12     No person shall publish a certificate, or otherwise make it
    13  available to anyone likely to rely on the certificate or on a
    14  digital signature that is verifiable with reference to the
    15  public key listed in the certificate if such person knows that:
    16         (1)  the certification authority listed in the
    17     certificate has not issued it;
    18         (2)  the subscriber listed in the certificate has not
    19     accepted it; or
    20         (3)  the certificate has been revoked or suspended unless
    21     such publication is for the purpose of verifying a digital
    22     signature created prior to such revocation or suspension or
    23     giving notice of revocation or suspension.
    24  § 5334.  Trustworthy services.
    25     A certification authority and a person maintaining a
    26  repository shall maintain its operations and perform its
    27  services in a trustworthy manner unless it conspicuously
    28  discloses in its practice statement services that it will not
    29  perform in a trustworthy manner such as a low-cost or limited-
    30  use certificate.
     1  § 5335.  Disclosure.
     2     (a)  Publication.--If a certification authority issues a
     3  certificate with the intention that it will be relied upon by
     4  third parties to verify digital signatures created by
     5  subscribers, a certification authority must publish or otherwise
     6  make available to the subscriber and all such relying parties:
     7         (1)  any applicable certification practice statement,
     8     which includes any disclosures under section 5337 (relating
     9     to representations upon issuance of certificate); and
    10         (2)  its certificate that identifies the certification
    11     authority as a subscriber and that contains the public key
    12     corresponding to the private key used by the certification
    13     authority to digitally sign the certificate, its
    14     "certification authority certificate."
    15     (b)  Notice.--If an event occurs that materially and
    16  adversely affects a certification authority's operations or
    17  system, its certificate or any other aspect of its ability to
    18  operate in a trustworthy manner, the certification authority
    19  shall proceed in accordance with its certification practice
    20  statement. If the certification practice statement does not
    21  contain such procedures, the certification authority shall use
    22  reasonable efforts to notify any persons that it knows may
    23  foreseeably be damaged as a result of such occurrence.
    24  § 5336.  Issuance of certificate.
    25     A certification authority may issue a certificate to a
    26  prospective subscriber for the purpose of allowing third parties
    27  to verify digital signatures created by the subscriber only
    28  after the certification authority has received a request for
    29  issuance from the prospective subscriber, and the certification
    30  authority has complied with all of the relevant practices and
     1  procedures set forth in its applicable certification practice
     2  statement. If the certification authority has no certification
     3  practice statement addressing these issues, it shall confirm in
     4  a trustworthy manner that:
     5         (1)  the prospective subscriber is the person to be
     6     listed in the certificate to be issued;
     7         (2)  the information in the certificate to be issued is
     8     accurate; and
     9         (3)  the prospective subscriber rightfully holds a
    10     private key capable of creating a digital signature, and the
    11     public key to be listed in the certificate can be used to
    12     verify a digital signature affixed by such private key.
    13  § 5337.  Representations upon issuance of certificate.
    14     (a)  Representations.--A certificate authority makes certain
    15  representations to the subscriber and any person who reasonably
    16  relies on the certificate in good faith during its operational
    17  period when it issues a certificate that will be relied upon by
    18  third parties to verify digital signatures created by the
    19  subscriber. These representations provide that:
    20         (1)  the certification authority has complied with all
    21     applicable requirements of its applicable certification
    22     practice statement or this chapter or the law of the
    23     jurisdiction governing issuance of the certificate;
    24         (2)  the certification authority has verified the
    25     identity of the subscriber to the extent stated in the
    26     certificate or its applicable certification practice
    27     statement or in a trustworthy manner;
    28         (3)  the certification authority has verified that the
    29     person requesting the certificate holds the private key
    30     corresponding to the public key listed in the certificate;
     1         (4)  all other information in the certificate is accurate
     2     and not materially misleading to the certification
     3     authority's knowledge as of the date the certificate was
     4     issued unless conspicuously stated in the certificate or its
     5     applicable certification practice statement; and
     6         (5)  the certification authority will manage and revoke,
     7     if necessary, the certificate in accordance with its
     8     certification practice statement or this chapter or the law
     9     of the jurisdiction governing issuance of the certificate.
    10     (b)  Other laws.--If a certification authority issued the
    11  certificate subject to the laws of another jurisdiction, the
    12  certification authority also makes all warranties and
    13  representations, if any, otherwise applicable under the law
    14  governing its issuance.
    15  § 5338.  Revocation of certificate.
    16     (a)  Conditions for revocation.--A certification authority
    17  shall revoke a certificate during its operational period in
    18  accordance with the policies and procedures governing revocation
    19  specified in its applicable certification practice statement. If
    20  there are no such policies and procedures in its certification
    21  practice statement, then a certification authority shall revoke
    22  a certificate as soon as possible after:
    23         (1)  receiving a request for revocation by the subscriber
    24     named in the certificate and confirming that the person
    25     requesting revocation is the subscriber or is an agent of the
    26     subscriber with authority to request the revocation;
    27         (2)  receiving a certified copy of an individual
    28     subscriber's death certificate or upon confirming by other
    29     reliable evidence that the subscriber is dead;
    30         (3)  being presented with documents effecting a
     1     dissolution of a corporate subscriber or confirming by other
     2     evidence that the subscriber has been dissolved or has ceased
     3     to exist;
     4         (4)  being served with an order requiring revocation that
     5     was issued by a court of competent jurisdiction; or
     6         (5)  confirming that:
     7             (i)  a material fact represented in the certificate
     8         is false;
     9             (ii)  a material prerequisite to issuance of the
    10         certificate was not satisfied;
    11             (iii)  the certification authority's private key or
    12         system operations were compromised in a manner materially
    13         affecting the certificate's reliability; or
    14             (iv)  the subscriber's private key was compromised.
    15     (b)  Notification.--When the certification authority revokes
    16  a certificate, it shall notify the subscriber and relying
    17  parties in accordance with the policies and procedures governing
    18  notice of revocation specified in its applicable certification
    19  practice statement. If there are no such policies and
    20  procedures, the certification authority shall promptly notify
    21  the subscriber, promptly publish notice of the revocation in all
    22  repositories where the certification authority previously caused
    23  publication of the certificate and otherwise disclose the fact
    24  of revocation on inquiry by a relying party.
    25                            SUBCHAPTER E
    26                       DUTIES OF SUBSCRIBERS
    27  Sec.
    28  5341.  Obtaining certificate.
    29  5342.  Acceptance of certificate.
    30  5343.  Revocation of certificate.
     1  § 5341.  Obtaining certificate.
     2     All material representations knowingly made by a person to a
     3  certification authority for purposes of obtaining a certificate
     4  naming such person as a subscriber must be accurate and complete
     5  to the best of such person's knowledge and belief.
     6  § 5342.  Acceptance of certificate.
     7     (a)  Methods.--A person accepts a certificate that names such
     8  person as a subscriber by publishing or approving publication of
     9  it to one or more persons or in a repository or otherwise
    10  demonstrating approval of it while knowing or having notice of
    11  its contents.
    12     (b)  Representation.--When a subscriber accepts a
    13  certificate, the subscriber listed in the certificate represents
    14  to any person who reasonably relies on the certificate during
    15  its operational period in good faith that:
    16         (1)  the subscriber rightfully holds the private key
    17     corresponding to the public key listed in the certificate;
    18         (2)  all representations made by the subscriber to the
    19     certification authority and material to the information
    20     listed in the certificate are true; and
    21         (3)  all information in the certificate is true to the
    22     best knowledge and belief of the subscriber.
    23  § 5343.  Revocation of certificate.
    24     When the private key corresponding to the public key listed
    25  in a valid certificate is lost, stolen, accessible to an
    26  unauthorized person or otherwise compromised during the
    27  operational period of the certificate, a subscriber who has
    28  learned of the compromise shall promptly request the issuing
    29  certification authority to revoke the certificate in accordance
    30  with section 5538 (relating to revocation of certificate).
     1                            SUBCHAPTER F
     2       STATE AGENCY USE OF ELECTRONIC RECORDS AND SIGNATURES
     3  Sec.
     4  5351.  State agency use of electronic records.
     5  5352.  Department of General Services to adopt State standards.
     6  5353.  Interoperability.
     7  § 5351.  State agency use of electronic records.
     8     (a)  Determination.--Each State agency may send and receive
     9  electronic records and electronic signatures to and from other
    10  persons and otherwise create, use, store and rely upon
    11  electronic records and electronic signatures.
    12     (b)  Specifics.--If a State agency decides to send or receive
    13  electronic records or to accept document filings by electronic
    14  records, the State agency may promulgate regulations that
    15  specify:
    16         (1)  the manner and format in which such electronic
    17     records must be created, sent, received and stored;
    18         (2)  if such electronic records must be signed, the type
    19     of electronic signature required, the manner and format in
    20     which such signature must be affixed to the electronic record
    21     and the identity of or criteria that must be met by any third
    22     party used by the person filing the document to facilitate
    23     the process;
    24         (3)  control processes and procedures as appropriate to
    25     ensure adequate integrity, security, confidentiality and
    26     auditability of such electronic records; and
    27         (4)  any other required attributes for such electronic
    28     records that are currently specified for corresponding paper
    29     documents or reasonably necessary under the circumstances.
    30     (c)  Security requirements.--All regulations promulgated by a
     1  State agency shall include the relevant minimum security
     2  requirements established by the Department of General Services,
     3  if any.
     4     (d)  Satisfaction of requirement.--If a rule of law requires
     5  or authorizes the filing of any information, notice, lien or
     6  other document or record with a State agency, a filing made by
     7  an electronic record shall have the same force and effect as a
     8  filing made on paper in all cases if the State agency has
     9  authorized or agreed to such electronic filing and the filing is
    10  made in accordance with applicable regulations.
    11  § 5352.  Department of General Services to adopt State
    12             standards.
    13     (a)  Rules.--The Department of General Services may adopt
    14  rules setting forth minimum security requirements for the use of
    15  electronic records and electronic signatures by State agencies.
    16     (b)  Minimum security requirements.--The Department of
    17  General Services shall specify appropriate minimum security
    18  requirements to be implemented and followed by State agencies
    19  for the generation, use and storage of key pairs, the issuance,
    20  acceptance, use, suspension and revocation of certificates and
    21  the use of digital signatures.
    22     (c)  Authority.--Each State agency may issue or contract for
    23  the issuance of certificates to its employees and agents, and
    24  persons conducting business or other transactions with such
    25  State agency and to take other actions consistent therewith,
    26  including the establishment of repositories and the suspension
    27  or revocation of certificates so issued, provided that the
    28  foregoing is conducted in accordance with all the rules,
    29  procedures and policies specified by the Department of General
    30  Services. The Department of General Services shall have the
     1  authority to specify the rules, procedures and policies whereby
     2  State agencies may issue or contract for the issuance of
     3  certificates.
     4     (d)  Minimum standards.--The Department of General Services
     5  may specify appropriate minimum standards and requirements that
     6  must be satisfied by a certification authority before:
     7         (1)  its services are used by any State agency for the
     8     issuance, publication, revocation and suspension of
     9     certificates to such agency or its employees or agents (for
    10     official use); or
    11         (2)  the certificates it issues will be accepted for
    12     purposes of verifying digitally signed electronic records
    13     sent to any State agency by any person.
    14     (e)  Different levels.--Where appropriate, the rules adopted
    15  by the Department of General Services pursuant to this section
    16  shall specify differing levels of minimum standards from which
    17  implementing State agencies can select the standard most
    18  appropriate for a particular application.
    19     (f)  Separate rules.--The General Assembly and the Supreme
    20  Court separately for the respective branches may adopt rules
    21  setting forth the minimum security requirements for the use of
    22  electronic records and electronic signatures by these respective
    23  branches. The General Assembly and the Supreme Court may accept
    24  the rules adopted by the Department of General Services for the
    25  use of electronic records and electronic signatures by the
    26  respective branches.
    27     (g)  Authority of Department of General Services.--Except as
    28  provided in subsection (f) and in section 5351 (relating to
    29  State agency use of electronic records), the Department of
    30  General Services shall have exclusive authority to adopt rules
     1  authorized by this section.
     2  § 5353.  Interoperability.
     3     To the extent reasonable under the circumstances, rules
     4  adopted by the Department of General Services or a State agency
     5  relating to the use of electronic records or electronic
     6  signatures shall be drafted in a manner designed to encourage
     7  and promote consistency and interoperability with similar
     8  requirements adopted by government agencies of the Federal
     9  Government and other states.
    10                            SUBCHAPTER G
    11           ENFORCEMENT; CIVIL REMEDY; CRIMINAL PENALTIES
    12  Sec.
    13  5361.  Enforcement.
    14  5362.  Civil remedy.
    15  5363.  Criminal penalties.
    16  § 5361.  Enforcement.
    17     The secretary may investigate complaints or other information
    18  indicating violations of rules adopted under this chapter. The
    19  secretary may refer to the Attorney General for such action as
    20  the Attorney General may deem appropriate all information the
    21  secretary obtains that discloses a violation of any provision of
    22  this chapter or the rules adopted under this chapter.
    23  § 5362.  Civil remedy.
    24     Whoever suffers loss by reason of a violation of section 5363
    25  (relating to criminal penalties) may, in a civil action against
    26  the violator, obtain appropriate relief. In a civil action under
    27  this section, the court may award to the prevailing party
    28  reasonable attorney fees and other litigation expenses.
    29  § 5363.  Criminal penalties.
    30     (a)  Unauthorized access of signature device.--Any person who
     1  intentionally obtains access, copies or possesses the signature
     2  device of another person without authorization commits a
     3  misdemeanor of the first degree.
     4     (b)  Unauthorized disclosure or alteration of signature
     5  device.--Any person who intentionally discloses, uses or alters
     6  the signature device of another person without lawful authority
     7  or in excess of lawful authorization commits a felony of the
     8  third degree. A person who violates this subsection in
     9  furtherance of any scheme or artifice to defraud in excess of
    10  $50,000 commits a felony of the second degree. A person who has
    11  previously been convicted of an offense under subsection (c) and
    12  who violates this section commits a felony of the third degree.
    13     (c)  Fraudulent use.--Any person who intentionally creates,
    14  publishes, alters or uses a certificate for any fraudulent or
    15  unlawful purpose commits a felony of the third degree. A person
    16  who violates this subsection in furtherance of any scheme or
    17  artifice to defraud in excess of $50,000 commits a felony of the
    18  second degree.
    19     (d)  False or unauthorized request.--Any person who
    20  intentionally misrepresents the person's identity or
    21  authorization in requesting or accepting a certificate or
    22  requesting suspension or revocation of a certificate commits a
    23  misdemeanor of the third degree. A person who violates this
    24  subsection ten times within a 12-month period or in furtherance
    25  of any scheme or artifice to defraud in excess of $50,000
    26  commits a felony of the second degree.
    27     (e)  Unauthorized creation of electronic signature.--Any
    28  person who intentionally obtains access, alters, discloses or
    29  uses the signature device of a certification authority without
    30  or in excess of lawful authorization for the purpose of creating
     1  an unauthorized electronic signature using this device commits a
     2  felony of the third degree. A person also commits a felony of
     3  the third degree if the person causes another person to violate
     4  this section. A person who violates this subsection in
     5  furtherance of any scheme or artifice to defraud in excess of
     6  $50,000 commits a felony of the second degree.
     7     Section 2.  Section 4101(a) of Title 18 is amended to read:
     8  § 4101.  Forgery.
     9     (a)  Offense defined.--A person is guilty of forgery if, with
    10  intent to defraud or injure anyone, or with knowledge that he is
    11  facilitating a fraud or injury to be perpetrated by anyone, the
    12  actor:
    13         (1)  alters any writing of another without his authority;
    14         (2)  makes, completes, executes, authenticates, issues or
    15     transfers any writing so that it purports to be the act of
    16     another who did not authorize that act, or to have been
    17     executed at a time or place or in a numbered sequence other
    18     than was in fact the case, or to be a copy of an original
    19     when no such original existed; [or]
    20         (3)  utters any writing which he knows to be forged in a
    21     manner specified in paragraphs (1) or (2) of this
    22     subsection[.]; or
    23         (4)  unlawfully uses the signature device of another to
    24     create an electronic signature of that other person, as those
    25     terms are defined in 12 Pa.C.S. Ch. 53 (relating to
    26     electronic commerce).
    27     Section 3.  This act shall take effect July 1, 1999.


    D13L12BIL/19990H1321B1515       - 31 -