PRINTER'S NO. 741
No. 555 Session of 1999
INTRODUCED BY HART, JUBELIRER, MELLOW, BRIGHTBILL, CONTI, DENT,
THOMPSON, GERLACH, WOZNIAK, EARLL, SLOCUM, KUKOVICH, MUSTO,
WAGNER, BOSCOLA, WAUGH AND CORMAN, MARCH 24, 1999
REFERRED TO COMMUNICATIONS AND HIGH TECHNOLOGY, MARCH 24, 1999
AN ACT
1 Regulating electronic records and electronic signatures;
2 providing for their security and for their use by
3 governmental entities; imposing duties on the Secretary of
4 the Commonwealth; providing for enforcement; and establishing
5 civil remedies.
6 TABLE OF CONTENTS
7 Chapter 1. Preliminary Provisions
8 Section 101. Short title.
9 Section 102. Purposes and construction.
10 Section 103. Application.
11 Section 104. Definitions.
12 Section 105. Public access to information.
13 Chapter 3. Electronic Records and Electronic Signatures
14 Section 301. Legal recognition.
15 Section 302. Electronic records.
16 Section 303. Electronic signatures.
17 Section 304. Originals forms.
18 Section 305. Admissibility into evidence.
19 Section 306. Retention of electronic records.
1 Section 307. Electronic use not required.
2 Section 308. Applicability of other statutes or rules.
3 Chapter 5. Secure Electronic Records and Secure Electronic
4 Signatures
5 Section 501. Secure electronic records.
6 Section 502. Secure electronic signatures.
7 Section 503. Commercially reasonableness and reliance.
8 Section 504. Rebuttable presumptions.
9 Section 505. Creation and control of signature devices.
10 Section 506. Attribution of signature.
11 Section 507. Notarization and acknowledgment.
12 Section 508. Secretary's authority to certify security
13 procedures.
14 Section 509. Unauthorized use of signature devices.
15 Chapter 7. Use of Electronic Records And Signatures
16 by Governmental Entities
17 Section 701. Use of electronic records by governmental
18 entities.
19 Section 702. Adoption of standards for use by governmental
20 entities.
21 Section 703. Interoperability.
22 Chapter 9. Administration
23 Section 901. Departmental regulations.
24 Section 902. Enforcement.
25 Chapter 11. Miscellaneous Provisions
26 Section 1101. Severability.
27 Section 1102. Effective date.
28 The General Assembly of the Commonwealth of Pennsylvania
29 hereby enacts as follows:
30 CHAPTER 1
19990S0555B0741 - 2 -
1 PRELIMINARY PROVISIONS
2 Section 101. Short title.
3 This act shall be known and may be cited as the Electronic
4 Transactions Act.
5 Section 102. Purposes and construction.
6 This act shall be construed consistently with what is
7 commercially reasonable under the circumstances and to
8 effectuate the following purposes:
9 (1) To facilitate electronic communications by means of
10 reliable electronic records.
11 (2) To facilitate and promote electronic commerce, by
12 eliminating barriers resulting from uncertainties over
13 writing and signature requirements and by promoting the
14 development of the legal and business infrastructure
15 necessary to implement secure electronic commerce.
16 (3) To facilitate electronic filing of documents with
17 State and local government agencies and to promote efficient
18 delivery of government services by means of reliable
19 electronic records.
20 (4) To minimize the incidence of forged electronic
21 records, intentional and unintentional alteration of records
22 and fraud in electronic commerce.
23 (5) To help to establish uniformity of rules and
24 standards regarding the authentication and integrity of
25 electronic records.
26 (6) To promote public confidence in the integrity and
27 reliability of electronic records and electronic commerce.
28 Section 103. Application.
29 (a) General rule.--This act applies to all parties involved
30 in generating, sending, receiving, storing or otherwise
19990S0555B0741 - 3 -
1 processing electronic records and, except for section 509, may
2 be varied by an agreement of the parties.
3 (b) Application to executive agencies.--
4 (1) Unless specifically provided by law to the contrary,
5 this act shall apply to all executive agencies. The
6 Governor's Office of Administration may adopt standards
7 setting forth the minimum security requirements for the use
8 of electronic records and electronic signatures by executive
9 agencies. The Governor's Office of Administration shall
10 specify appropriate minimum security requirements to be
11 implemented and followed by executive agencies.
12 (2) Notwithstanding the provisions of subsection (a), an
13 executive agency may not vary this act by any agreement that
14 is inconsistent with the standards published by the
15 Governor's Office of Administration without the written
16 approval of the Governor's Office of Administration.
17 (c) Application to independent agencies and State-affiliated
18 entities.--Independent agencies and State-affiliated entities
19 may adopt standards setting forth the minimum security
20 requirements for their use of electronic records and electronic
21 signatures.
22 (d) Application to General Assembly and unified judicial
23 system.--The General Assembly and its agencies and the unified
24 judicial system and its agencies may adopt rules setting forth
25 the minimum security requirements for their use of electronic
26 records and electronic signatures.
27 (e) Application to political subdivisions.--Political
28 subdivisions may adopt a resolution or take other official
29 action setting forth the minimum security requirements for their
30 use of electronic records and electronic signatures.
19990S0555B0741 - 4 -
1 Section 104. Definitions.
2 The following words and phrases when used in this act shall
3 have the meanings given to them in this section unless the
4 context clearly indicates otherwise:
5 "Department." The Department of State of the Commonwealth.
6 "Electronic." An electrical, digital, magnetic, optical,
7 electromagnetic or any other form of technology that entails
8 capabilities similar to these technologies.
9 "Electronic record." A record generated, communicated,
10 received or stored by electronic means for use in an information
11 system or for transmission from one information system to
12 another.
13 "Electronic signature." A signature in electronic form
14 attached to or logically associated with an electronic record.
15 "Executive agency." A department, board, commission,
16 authority or officer or agency of the executive branch of the
17 Commonwealth subject to the policy, supervision and control of
18 the Governor.
19 "Governmental entity." An executive agency, independent
20 agency, State-affiliated entity or other instrumentality of the
21 Commonwealth. The term includes the General Assembly and its
22 agencies, the unified judicial system and its agencies as well
23 as all State-related institutions, authorities and political
24 subdivisions.
25 "Independent agency." A board, commission or other agency or
26 officer of the Commonwealth which is not subject to the policy
27 supervision and control of the Governor. This term does not
28 include any State-affiliated entity, any court or other officer
29 or agency of the unified judicial system, the General Assembly
30 and its officers and agencies, any State-related institution,
19990S0555B0741 - 5 -
1 political subdivision or any local, regional or metropolitan
2 transportation authority.
3 "Information." Data, text, images, sound, codes, computer
4 programs, software, data bases and the like.
5 "Person." An individual, corporation, business trust,
6 estate, trust, partnership, limited partnership, limited
7 liability partnership, limited liability company, association,
8 joint venture, government, governmental entity, agency, or
9 instrumentality, or any other legal or commercial entity.
10 "Qualified security procedure." A methodology or procedure
11 approved by the Secretary of the Commonwealth or agreed upon by
12 the parties and used for the purpose of:
13 (1) verifying that an electronic record is that of a
14 specific person; or
15 (2) detecting error or alteration in the communication,
16 content or storage of an electronic record since a specific
17 point in time and that may use algorithms or codes,
18 identifying words or numbers, encryption, answer back or
19 acknowledgment procedures or similar security devices.
20 "Record." Information that is inscribed, stored or otherwise
21 fixed on a tangible medium or that is stored in an electronic or
22 other medium and is retrievable in perceivable form.
23 "Secretary." The Secretary of the Commonwealth.
24 "Signature device." Unique information, including, but not
25 limited to, codes, algorithms, letters, numbers, personal
26 identification numbers (PINs) or a uniquely configured physical
27 device, that is required, alone or in conjunction with other
28 information or devices, in order to create an electronic
29 signature attributable to a specific person.
30 "Signed" or "signature." A symbol executed or adopted or a
19990S0555B0741 - 6 -
1 security procedure employed or adopted, using electronic means
2 or otherwise, by or on behalf of a person with intent to
3 authenticate a record.
4 "State-affiliated entity." A Commonwealth authority or a
5 Commonwealth entity. The term includes the Pennsylvania Turnpike
6 Commission, the Pennsylvania Housing Finance Agency, the
7 Pennsylvania Municipal Retirement Board, the Pennsylvania
8 Infrastructure Investment Authority, the State Public School
9 Building Authority, the Pennsylvania Higher Education Facilities
10 Authority and the State System of Higher Education. The term
11 does not include a court or an officer or agency of the unified
12 judicial system, the General Assembly and its officers and
13 agencies, any State-related institution, political subdivision
14 or a local, regional or metropolitan transportation authority.
15 "Trustworthy manner." Through the use of computer hardware,
16 software and procedures that in the context in which they are
17 used:
18 (1) Can be shown to be reasonably resistant to
19 penetration, compromise and misuse.
20 (2) Provide a reasonable level of reliability and
21 correct operation.
22 (3) Are reasonably suited to performing their intended
23 functions or serving their intended purposes.
24 (4) Comply with applicable agreements between the
25 parties, if any.
26 (5) Adhere to generally accepted security procedures.
27 Section 105. Public access to information.
28 Information or records created by or provided to a
29 governmental entity shall be subject to inspection and copying
30 only to the extent already required under the act of June 21,
19990S0555B0741 - 7 -
1 1957 (P.L.390, No.212), referred to as the Right-to-Know Law.
2 CHAPTER 3
3 ELECTRONIC RECORDS AND ELECTRONIC SIGNATURES
4 Section 301. Legal recognition.
5 Information, records, agreements and signatures may not be
6 denied legal effect, validity or enforceability solely on the
7 grounds that they are in electronic form.
8 Section 302. Electronic records.
9 (a) General rule.--Where a law requires information to be in
10 writing or provides for certain consequences if it is not, an
11 electronic record satisfies that law or regulation.
12 (b) Inapplicability.--This section shall not apply:
13 (1) when its application would involve construction of a
14 law or regulation that is clearly inconsistent with the
15 manifest intent of the lawmaking body or repugnant to the
16 context of the same law or regulation, provided that the mere
17 requirement that information be in writing or printed shall
18 not by itself be sufficient to establish the intent;
19 (2) to any law or regulation governing the creation or
20 execution of a will or trust, living will or health care
21 power of attorney; or
22 (3) to any record that serves as a unique and
23 transferable instrument of rights and obligations, including,
24 without limitation, negotiable instruments and other
25 instruments of title wherein possession of the instrument is
26 deemed to confer title unless an electronic version of the
27 record is created, stored and transferred in a manner:
28 (i) that allows for the existence of only one
29 unique, identifiable and unalterable original with the
30 functional attributes of an equivalent physical
19990S0555B0741 - 8 -
1 instrument;
2 (ii) that can be possessed by only one person; and
3 (iii) that cannot be copied except in a form that is
4 readily identifiable as a copy.
5 Section 303. Electronic signatures.
6 (a) General rule.--Where a law or regulation requires a
7 signature or provides for certain consequences if a document is
8 not signed, an electronic signature shall be deemed to satisfy
9 that law or regulation.
10 (b) Proof.--An electronic signature may be proved in any
11 manner, including, but not limited to, by showing that a
12 procedure existed by which a party must, of necessity, have
13 executed a symbol or security procedure for the purpose of
14 verifying that an electronic record is that of the party in
15 order to proceed further with a transaction.
16 (c) Inapplicability.--This section shall not apply:
17 (1) when its application would involve a construction of
18 a law or regulation that is clearly inconsistent with the
19 manifest intent of the lawmaking body or repugnant to the
20 context of the same law or regulation, provided that the mere
21 requirement of a signature shall not by itself be sufficient
22 to establish the intent;
23 (2) to any law or regulation governing the creation or
24 execution of a will or trust, living will or health care
25 power of attorney; or
26 (3) to any record that serves as a unique and
27 transferable instrument of rights and obligations, including,
28 without limitation, a negotiable instrument and any other
29 instrument of title wherein possession of the instrument is
30 deemed to confer title unless an electronic version of that
19990S0555B0741 - 9 -
1 record is created, stored and transferred in a manner:
2 (i) that allows for the existence of only one
3 unique, identifiable and unalterable original with the
4 functional attributes of an equivalent physical
5 instrument;
6 (ii) that can be possessed by only one person; and
7 (iii) that cannot be copied except in a form that is
8 readily identifiable as a copy.
9 Section 304. Original forms.
10 (a) General rule.--Where a law or regulation requires
11 information to be presented or retained in its original form or
12 provides consequences if the information is not presented or
13 retained in its original form, that law or regulation shall be
14 deemed satisfied by an electronic record if there exists
15 reliable assurance as to the integrity of the information from
16 the time when it was first generated in its final form as an
17 electronic record or otherwise.
18 (b) Assessment of integrity and standard of reliability.--
19 (1) The criteria for assessing integrity
20 shall be whether the information has remained complete and
21 unaltered, apart from the addition of any endorsement or
22 other information that arises in the normal course of
23 communication, storage and display.
24 (2) The standard of reliability required to ensure that
25 information has remained complete and unaltered shall be
26 assessed in the light of the purpose for which the
27 information was generated and in the light of all the
28 relevant circumstances.
29 (c) Inapplicability.--This section shall not apply to any
30 record that serves as a unique and transferable instrument of
19990S0555B0741 - 10 -
1 rights and obligations, including, without limitation, a
2 negotiable instrument and any other instrument of title wherein
3 possession of the instrument is deemed to confer title unless an
4 electronic version of the record is created, stored and
5 transferred in a manner:
6 (1) that allows for the existence of only one unique,
7 identifiable and unalterable original with the functional
8 attributes of an equivalent physical instrument;
9 (2) that can be possessed by only one person; and
10 (3) that cannot be copied except in a form that is
11 readily identifiable as a copy.
12 Section 305. Admissibility into evidence.
13 (a) General rule.--In any legal proceeding, the
14 admissibility of an electronic record or electronic signature
15 into evidence may not be denied:
16 (1) on the sole ground that it is an electronic record
17 signature; or
18 (2) on the grounds that it is not in its original form
19 or is not an original.
20 (b) Weight of evidence.--Information in the form of an
21 electronic record shall be given due evidentiary weight by the
22 trier of fact. In assessing the evidentiary weight of an
23 electronic record or electronic signature where its authenticity
24 is at issue, the trier of fact may consider:
25 (1) The manner in which it was generated, stored or
26 communicated.
27 (2) The reliability of the manner in which its integrity
28 was maintained.
29 (3) The manner in which its originator was identified or
30 the electronic record was signed.
19990S0555B0741 - 11 -
1 (4) Any other relevant information or circumstances.
2 Section 306. Retention of electronic records.
3 (a) General rule.--Where a law or regulation requires that
4 certain documents, records or information be retained, that
5 requirement is met by retaining electronic records of the
6 information in a trustworthy manner provided that the following
7 conditions are satisfied:
8 (1) The electronic record and the information contained
9 therein are accessible so as to be usable for subsequent
10 reference at all times when the information must be retained.
11 (2) The information is retained in the format in which
12 it was originally generated, sent or received or in a format
13 that can be demonstrated to represent accurately the
14 information originally generated, sent or received.
15 (3) Such data as enables the identification of the
16 origin and destination of the information, the authenticity
17 and integrity of the information and retention of the date
18 and time when it was sent or received.
19 (b) Qualification.--An obligation to retain documents,
20 records or information in accordance with subsection (a) does
21 not extend to any data, the sole purpose of which is to enable
22 the record to be sent or received.
23 (c) Construction.--Nothing in this section shall be
24 construed to prohibit a governmental entity from specifying
25 additional requirements for the retention and use of records
26 that are subject to the jurisdiction of the entity.
27 Section 307. Electronic use not required.
28 Nothing in this act shall be construed to:
29 (1) require any person to create, store, transmit,
30 accept or otherwise use or communicate information, records
19990S0555B0741 - 12 -
1 or signatures by electronic means or in electronic form; or
2 (2) prohibit any person engaged in an electronic
3 transaction from establishing reasonable requirements
4 regarding the medium on which it will accept records or the
5 method and type of symbol or security procedure it will
6 accept as a signature.
7 Section 308. Applicability of other statutes.
8 (a) Laws.--Notwithstanding any other provision of this act,
9 if any other law requires approval by a governmental entity
10 prior to the use or retention of electronic records or the use
11 of electronic signatures, the provisions of that other law shall
12 also apply.
13 (b) Discretion to governmental entities.--Nothing in this
14 act shall prohibit a governmental entity from requiring persons
15 who are authorized to do business in this Commonwealth to use
16 nonelectronic records or signatures.
17 CHAPTER 5
18 SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC SIGNATURES
19 Section 501. Secure electronic records.
20 (a) General rule.--If through the use of a qualified
21 security procedure it can be verified that an electronic record
22 has not been altered since a specified point in time, then the
23 electronic record shall be considered to be a secure electronic
24 record from the specified point in time to the time of
25 verification if the relying party establishes that the qualified
26 security procedure was:
27 (1) Commercially reasonable under the circumstances.
28 (2) Applied by the relying party in a trustworthy
29 manner.
30 (3) Reasonably and in good faith relied upon by the
19990S0555B0741 - 13 -
1 relying party.
2 (b) Qualified security procedures.--A qualified security
3 procedure for purposes of this section is a security procedure
4 to detect changes in the content of an electronic record that
5 is:
6 (1) previously agreed to by the parties; or
7 (2) certified by the secretary in accordance with
8 section 901 as being capable of providing reliable evidence
9 that an electronic record has not been altered.
10 Section 502. Secure electronic signatures.
11 (a) General rule.--If through the use of a qualified
12 security procedure it can be verified that an electronic
13 signature is the signature of a specific person, then the
14 electronic signature shall be considered to be a secure
15 electronic signature at the time of verification if the relying
16 party establishes that the qualified security procedure was:
17 (1) Commercially reasonable under the circumstances.
18 (2) Applied by the relying party in a trustworthy
19 manner.
20 (3) Reasonably and in good faith relied upon by the
21 relying party.
22 (b) Qualified security procedure.--A qualified security
23 procedure for purposes of this section is a security procedure
24 for identifying a person that is:
25 (1) previously agreed to by the parties; or
26 (2) certified by the secretary in accordance with
27 section 901 as being capable of creating in a trustworthy
28 manner an electronic signature that:
29 (i) is unique to the signer within the context in
30 which it is used;
19990S0555B0741 - 14 -
1 (ii) can be used to objectively identify the person
2 signing the electronic record;
3 (iii) was reliably created by the identified person,
4 insofar as some aspect of the procedure involves the use
5 of a signature device or other means or method that is
6 under the sole control of this person, and that it cannot
7 be readily duplicated or compromised; and
8 (iv) is created and is linked to the electronic
9 record to which it relates in a manner such that if the
10 record or the signature is intentionally or
11 unintentionally changed after signing, the electronic
12 signature is invalidated.
13 Section 503. Commercially reasonableness and reliance.
14 (a) Considerations for determining commercial
15 reasonableness.--The commercial reasonableness of a security
16 procedure is a question of law to be determined in light of the
17 purposes of the procedure and the commercial circumstances at
18 the time the procedure was used, including:
19 (1) The nature of the transaction.
20 (2) Sophistication of the parties.
21 (3) Volume of similar transactions engaged in by either
22 or both of the parties.
23 (4) Availability of alternatives offered to but rejected
24 by either of the parties.
25 (5) Cost of alternative procedures.
26 (6) Procedures in general use for similar types of
27 transactions.
28 (b) Considerations for determining reliance.--Whether
29 reliance on a security procedure was reasonable and in good
30 faith is to be determined in light of all the circumstances
19990S0555B0741 - 15 -
1 known to the relying party at the time of the reliance, giving
2 due regard to the:
3 (1) information that the relying party knew or should
4 have known at the time of reliance that would suggest that
5 reliance was or was not reasonable;
6 (2) the value or importance of the electronic record, if
7 known;
8 (3) the course of dealing between the relying party and
9 the purported sender, if any, and the available indicia of
10 reliability or unreliability apart from the security
11 procedure;
12 (4) the usage of trade, particularly if the trade is
13 conducted by trustworthy systems or other computer-based
14 means, if any; and
15 (5) whether the verification was performed with the
16 assistance of an independent third party.
17 Section 504. Rebuttable presumptions.
18 (a) Secure electronic records.--In resolving a civil dispute
19 involving a secure electronic record, it shall be rebuttably
20 presumed that the electronic record has not been altered since
21 the specific point in time to which the secure status relates.
22 (b) Secure electronic signatures.--In resolving a civil
23 dispute involving a secure electronic signature, it shall be
24 rebuttably presumed that the secure electronic signature is the
25 signature of the person to whom it correlates.
26 (c) Effect of presumptions.--The effect of the presumptions
27 set forth in this section is to place on the party challenging
28 the integrity of a secure electronic record or challenging the
29 genuineness of a secure electronic signature with both the
30 burden of going forward with evidence to rebut the presumption
19990S0555B0741 - 16 -
1 and the burden of persuading the trier of fact that the
2 nonexistence of the presumed fact is more probable than its
3 existence.
4 (d) Existing law and rules.--In the absence of a secure
5 electronic record or a secure electronic signature, nothing in
6 this act shall change existing law or evidentiary rules
7 regarding the burden of proving the authenticity and integrity
8 of an electronic record or an electronic signature.
9 Section 505. Creation and control of signature devices.
10 Except as otherwise provided by another applicable rule of
11 law, whenever the creation, validity or reliability of an
12 electronic signature created by a qualified security procedure
13 under section 501 or 502 is dependent upon the secrecy or
14 control of a signature device of the signer:
15 (1) The person generating or creating the signature
16 device must do so in a trustworthy manner.
17 (2) The signer and all other persons that rightfully
18 have access to the device must exercise reasonable care to
19 retain control and maintain the secrecy of the device and to
20 protect it from any unauthorized access, disclosure or use
21 during the period when reliance on a signature created by the
22 device is reasonable.
23 (3) In the event that the signer or any other person
24 that rightfully has access to the device knows or has reason
25 to know that the secrecy or control of the device has been
26 compromised, that person must make a reasonable effort:
27 (i) to promptly notify all persons who might
28 foreseeably be damaged as a result of the compromise; or
29 (ii) where an appropriate publication mechanism is
30 available, to publish notice of the compromise and a
19990S0555B0741 - 17 -
1 disavowal of any signatures created thereafter. For
2 executive agencies, independent agencies and State-
3 affiliated entities, notice may include publication in
4 the Pennsylvania Bulletin.
5 Section 506. Attribution of signature.
6 Except as provided by another applicable law or regulation, a
7 secure electronic signature is attributable to the person to
8 whom it correlates, whether or not authorized, if:
9 (1) The electronic signature resulted from acts of a
10 person that obtained the signature device or other
11 information necessary to create the signature from a source
12 under the control of the alleged signer, creating the
13 appearance that it came from that party.
14 (2) The access or use occurred under circumstances
15 constituting a failure to exercise reasonable care by the
16 alleged signer.
17 (3) The relying party relied reasonably and in good
18 faith to his detriment on the apparent source of the
19 electronic record.
20 Section 507. Notarization and acknowledgment.
21 If a law or regulation requires that a signature be notarized
22 or acknowledged or provides consequences in the absence of a
23 notarization or acknowledgment, the requirement is satisfied
24 with respect to an electronic record if a security procedure was
25 applied to the electronic signature which establishes by clear
26 and convincing evidence the identity of the person signing the
27 electronic record.
28 Section 508. Secretary's authority to certify security
29 procedures.
30 (a) Investigation and review.--A security procedure may be
19990S0555B0741 - 18 -
1 certified by the secretary as a qualified security procedure for
2 purposes of sections 501 and 502 following an appropriate
3 investigation or review if:
4 (1) The security procedure, including any technology and
5 algorithms it employs, is completely open and fully disclosed
6 to the public and has been so for a sufficient length of time
7 so as to facilitate a comprehensive review and evaluation of
8 its suitability for the intended purpose by the applicable
9 information security or scientific community.
10 (2) The security procedure, including any technology and
11 algorithms it employs, has been generally accepted in the
12 applicable information security or scientific community as
13 being capable of satisfying the requirements of section 501
14 or 502 as applicable in a trustworthy manner.
15 (b) Opinion of independent experts.--In making a
16 determination regarding whether the security procedure,
17 including any technology and algorithms it employs, has been
18 generally accepted in the applicable information security or
19 scientific community, the secretary shall consider the opinion
20 of independent experts in the applicable field and the published
21 findings of the community, including applicable standards
22 organizations such as the American National Standards Institute
23 (ANSI), International Standards Organization (ISO),
24 International Telecommunications Union (ITU) and the National
25 Institute of Standards and Technology (NIST).
26 (c) Regulation.--Certification under this section shall be
27 performed through the adoption of regulations in accordance with
28 the act of June 25, 1982 (P.L.633, No.181), known as the
29 Regulatory Review Act, and shall specify a full and complete
30 identification of the security procedure, including requirements
19990S0555B0741 - 19 -
1 as to how it is to be implemented, if appropriate.
2 (d) Decertification.--If subsequent developments establish
3 that the security procedure is no longer sufficiently
4 trustworthy or reliable for its intended purpose or for any
5 other reason no longer meets the requirements for certification,
6 the secretary may, following an appropriate investigation and
7 review, decertify a security procedure as a qualified security
8 procedure for purposes of section 501 or 502 by publishing
9 notice of the decertification in the Pennsylvania Bulletin.
10 (e) Exclusive authority.--The secretary shall have exclusive
11 authority to certify and decertify security procedures under
12 this section.
13 § 509. Unauthorized use of signature device.
14 (a) Offense defined.--A person commits an offense if he:
15 (1) knowingly or intentionally accesses, copies or
16 otherwise obtains possession of or recreates the signature
17 device of another person without authorization for the
18 purpose of creating, allowing or causing another person to
19 create an unauthorized electronic signature using such
20 signature device; or
21 (2) knowingly alters, discloses or uses the signature
22 device of another person without authorization, or in excess
23 of lawful authorization, for the purpose of creating, or
24 allowing or causing another person to create, an unauthorized
25 electronic signature using such signature device.
26 (b) Grading.--An offense under subsection (a)(1) is a
27 misdemeanor of the first degree. An offense under subsection
28 (a)(2) is a felony of the third degree, except that an offense
29 under subsection (a)(2) in furtherance of any scheme or artifice
30 to defraud in excess of $50,000 is a felony of the second
19990S0555B0741 - 20 -
1 degree.
2 CHAPTER 7
3 USE OF ELECTRONIC RECORDS AND SIGNATURES
4 BY GOVERNMENTAL ENTITIES
5 Section 701. Use of electronic records by governmental
6 entities.
7 (a) Executive agencies.--In accordance with the standards
8 published by the Governor's Office of Administration, each
9 executive agency shall determine if and the extent to which it
10 will send and receive electronic records and electronic
11 signatures to and from other persons and otherwise create, use,
12 store and rely upon electronic records and electronic
13 signatures.
14 (b) Governmental entities.--
15 (1) All other governmental entities shall determine if
16 and the extent to which they will send and receive electronic
17 signatures to and from other persons and otherwise create,
18 use, store and rely upon electronic records and electronic
19 signatures.
20 (2) In any case where a governmental entity decides to
21 send or receive electronic records or to accept document
22 filings by electronic records, the governmental entity may,
23 giving due consideration to security, specify:
24 (i) The manner and format in which the electronic
25 records must be created, sent, received and stored.
26 (ii) If the electronic records must be signed, the
27 type of electronic signature required, the manner and
28 format in which the signature must be affixed to the
29 electronic record and the identity of or criteria that
30 must be met by any third party used by the person filing
19990S0555B0741 - 21 -
1 the document to facilitate the process.
2 (iii) Control processes and procedures as
3 appropriate to ensure adequate integrity, security,
4 confidentiality and to audit the electronic records.
5 (iv) Any other required attributes for the
6 electronic records that are currently specified for
7 corresponding paper documents, or reasonably necessary
8 under the circumstances.
9 (c) Minimum standards.--Standards adopted by an executive
10 agency shall include the relevant minimum security requirements
11 established by the Governor's Office of Administration, if any.
12 (d) Effect of certain electronic record filings.--Whenever
13 any law or regulation requires or authorizes the filing of any
14 information, notice, lien or other document or record with any
15 governmental entity, a filing made by an electronic record shall
16 have the same force and effect as a filing made on paper in all
17 cases where the governmental agency has authorized or agreed to
18 the electronic filing and the filing is made in accordance with
19 the applicable rules or agreement.
20 (e) Construction.--Nothing in this act shall be construed to
21 require a governmental entity to use or to permit the use of
22 electronic records or electronic signatures.
23 Section 702. Adoption of standards for use by governmental
24 entities.
25 (a) Governor's Office of Administration.--The Governor's
26 Office of Administration may establish standards setting forth
27 minimum security requirements for the use of electronic records
28 and electronic signatures by executive agencies. The Governor's
29 Office of Administration shall specify appropriate minimum
30 security requirements to be implemented and followed by
19990S0555B0741 - 22 -
1 executive agencies.
2 (b) Minimum security requirement standards.--Governmental
3 entities may establish standards setting forth minimum security
4 requirements for the use of electronic records and electronic
5 signatures.
6 Section 703. Interoperability.
7 To the extent reasonable under the circumstances, the
8 standards adopted by the Governor's Office of Administration or
9 any other governmental entity relating to the use of electronic
10 records or electronic signatures shall be drafted in a manner
11 designed to encourage and promote consistency and
12 interoperability with similar requirements adopted by government
13 agencies of the Federal Government and other states.
14 CHAPTER 9
15 ADMINISTRATION
16 Section 901. Departmental regulations.
17 (a) Interim regulation.--
18 (1) Within 90 days of the effective date of this act,
19 the department shall promulgate interim regulations
20 applicable to both governmental entities and the private
21 sector in order to implement this act. The regulations may
22 establish fees to be charged by the department to recover all
23 or a portion of its costs.
24 (2) In developing the interim regulations, the
25 department shall provide maximum flexibility to the
26 implementation and incorporation of technology and, to the
27 extent reasonably possible, maximize the opportunities for
28 uniformity with the laws of other jurisdictions, both within
29 the United States and internationally.
30 (3) The interim regulations shall not be subject to
19990S0555B0741 - 23 -
1 review under any of the following:
2 (i) Section 205 of the act of July 31, 1968
3 (P.L.769, No.240), referred to as the Commonwealth
4 Documents Law.
5 (ii) Section 204(b) of the act of October 15, 1980
6 (P.L.950, No.164), known as the Commonwealth Attorneys
7 Act.
8 (iii) Act of June 25, 1982 (P.L.633, No.181), known
9 as the Regulatory Review Act.
10 (b) Other regulations.--The interim regulations under
11 subsection (a) shall expire July 1, 2001 and shall be replaced
12 with regulations that are promulgated as provided by law.
13 Section 902. Enforcement.
14 The secretary may investigate complaints or other information
15 indicating violations of rules adopted by the secretary under
16 this act. The secretary shall refer to the Attorney General for
17 such action as the Attorney General may deem appropriate all
18 information the secretary obtains that discloses a violation of
19 any provision of this act or the regulations adopted under this
20 act.
21 CHAPTER 11
22 MISCELLANEOUS PROVISIONS
23 Section 1101. Severability.
24 The provisions of this act are severable. If any provision of
25 this act or its application to any person or circumstance is
26 held invalid, the invalidity shall not affect other provisions
27 or applications of this act which can be given effect without
28 the invalid provision or application.
29 Section 1102. Effective date.
30 This act shall take effect in 30 days.
B18L12DMS/19990S0555B0741 - 24 -