PRINTER'S NO. 741
No. 555 Session of 1999
INTRODUCED BY HART, JUBELIRER, MELLOW, BRIGHTBILL, CONTI, DENT, THOMPSON, GERLACH, WOZNIAK, EARLL, SLOCUM, KUKOVICH, MUSTO, WAGNER, BOSCOLA, WAUGH AND CORMAN, MARCH 24, 1999
REFERRED TO COMMUNICATIONS AND HIGH TECHNOLOGY, MARCH 24, 1999
AN ACT

Regulating electronic records and electronic signatures; providing for their security and for their use by governmental entities; imposing duties on the Secretary of the Commonwealth; providing for enforcement; and establishing civil remedies.

TABLE OF CONTENTS

Chapter 1. Preliminary Provisions
Section 101. Short title.
Section 102. Purposes and construction.
Section 103. Application.
Section 104. Definitions.
Section 105. Public access to information.
Chapter 3. Electronic Records and Electronic Signatures
Section 301. Legal recognition.
Section 302. Electronic records.
Section 303. Electronic signatures.
Section 304. Original forms.
Section 305. Admissibility into evidence.
Section 306. Retention of electronic records.
Section 307. Electronic use not required.
Section 308. Applicability of other statutes or rules.
Chapter 5. Secure Electronic Records and Secure Electronic Signatures
Section 501. Secure electronic records.
Section 502. Secure electronic signatures.
Section 503. Commercially reasonableness and reliance.
Section 504. Rebuttable presumptions.
Section 505. Creation and control of signature devices.
Section 506. Attribution of signature.
Section 507. Notarization and acknowledgment.
Section 508. Secretary's authority to certify security procedures.
Section 509. Unauthorized use of signature devices.
Chapter 7. Use of Electronic Records And Signatures by Governmental Entities
Section 701. Use of electronic records by governmental entities.
Section 702. Adoption of standards for use by governmental entities.
Section 703. Interoperability.
Chapter 9. Administration
Section 901. Departmental regulations.
Section 902. Enforcement.
Chapter 11. Miscellaneous Provisions
Section 1101. Severability.
Section 1102. Effective date.

The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:

CHAPTER 1

19990S0555B0741 - 2 -
PRELIMINARY PROVISIONS

Section 101. Short title.
This act shall be known and may be cited as the Electronic Transactions Act.

Section 102. Purposes and construction.
This act shall be construed consistently with what is commercially reasonable under the circumstances and to effectuate the following purposes:
(1) To facilitate electronic communications by means of reliable electronic records.
(2) To facilitate and promote electronic commerce, by eliminating barriers resulting from uncertainties over writing and signature requirements and by promoting the development of the legal and business infrastructure necessary to implement secure electronic commerce.
(3) To facilitate electronic filing of documents with State and local government agencies and to promote efficient delivery of government services by means of reliable electronic records.
(4) To minimize the incidence of forged electronic records, intentional and unintentional alteration of records and fraud in electronic commerce.
(5) To help to establish uniformity of rules and standards regarding the authentication and integrity of electronic records.
(6) To promote public confidence in the integrity and reliability of electronic records and electronic commerce.

Section 103. Application.
(a) General rule.--This act applies to all parties involved in generating, sending, receiving, storing or otherwise
processing electronic records and, except for section 509, may be varied by an agreement of the parties.
(b) Application to executive agencies.--
(1) Unless specifically provided by law to the contrary, this act shall apply to all executive agencies. The Governor's Office of Administration may adopt standards setting forth the minimum security requirements for the use of electronic records and electronic signatures by executive agencies. The Governor's Office of Administration shall specify appropriate minimum security requirements to be implemented and followed by executive agencies.
(2) Notwithstanding the provisions of subsection (a), an executive agency may not vary this act by any agreement that is inconsistent with the standards published by the Governor's Office of Administration without the written approval of the Governor's Office of Administration.
(c) Application to independent agencies and State-affiliated entities.--Independent agencies and State-affiliated entities may adopt standards setting forth the minimum security requirements for their use of electronic records and electronic signatures.
(d) Application to General Assembly and unified judicial system.--The General Assembly and its agencies and the unified judicial system and its agencies may adopt rules setting forth the minimum security requirements for their use of electronic records and electronic signatures.
(e) Application to political subdivisions.--Political subdivisions may adopt a resolution or take other official action setting forth the minimum security requirements for their use of electronic records and electronic signatures.
Section 104. Definitions.
The following words and phrases when used in this act shall have the meanings given to them in this section unless the context clearly indicates otherwise:
"Department." The Department of State of the Commonwealth.
"Electronic." An electrical, digital, magnetic, optical, electromagnetic or any other form of technology that entails capabilities similar to these technologies.
"Electronic record." A record generated, communicated, received or stored by electronic means for use in an information system or for transmission from one information system to another.
"Electronic signature." A signature in electronic form attached to or logically associated with an electronic record.
"Executive agency." A department, board, commission, authority or officer or agency of the executive branch of the Commonwealth subject to the policy, supervision and control of the Governor.
"Governmental entity." An executive agency, independent agency, State-affiliated entity or other instrumentality of the Commonwealth. The term includes the General Assembly and its agencies, the unified judicial system and its agencies as well as all State-related institutions, authorities and political subdivisions.
"Independent agency." A board, commission or other agency or officer of the Commonwealth which is not subject to the policy supervision and control of the Governor. This term does not include any State-affiliated entity, any court or other officer or agency of the unified judicial system, the General Assembly and its officers and agencies, any State-related institution,
political subdivision or any local, regional or metropolitan transportation authority.
"Information." Data, text, images, sound, codes, computer programs, software, data bases and the like.
"Person." An individual, corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, joint venture, government, governmental entity, agency, or instrumentality, or any other legal or commercial entity.
"Qualified security procedure." A methodology or procedure approved by the Secretary of the Commonwealth or agreed upon by the parties and used for the purpose of:
(1) verifying that an electronic record is that of a specific person; or
(2) detecting error or alteration in the communication, content or storage of an electronic record since a specific point in time and that may use algorithms or codes, identifying words or numbers, encryption, answer back or acknowledgment procedures or similar security devices.
"Record." Information that is inscribed, stored or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.
"Secretary." The Secretary of the Commonwealth.
"Signature device." Unique information, including, but not limited to, codes, algorithms, letters, numbers, personal identification numbers (PINs) or a uniquely configured physical device, that is required, alone or in conjunction with other information or devices, in order to create an electronic signature attributable to a specific person.
"Signed" or "signature." A symbol executed or adopted or a
security procedure employed or adopted, using electronic means or otherwise, by or on behalf of a person with intent to authenticate a record.
"State-affiliated entity." A Commonwealth authority or a Commonwealth entity. The term includes the Pennsylvania Turnpike Commission, the Pennsylvania Housing Finance Agency, the Pennsylvania Municipal Retirement Board, the Pennsylvania Infrastructure Investment Authority, the State Public School Building Authority, the Pennsylvania Higher Education Facilities Authority and the State System of Higher Education. The term does not include a court or an officer or agency of the unified judicial system, the General Assembly and its officers and agencies, any State-related institution, political subdivision or a local, regional or metropolitan transportation authority.
"Trustworthy manner." Through the use of computer hardware, software and procedures that in the context in which they are used:
(1) Can be shown to be reasonably resistant to penetration, compromise and misuse.
(2) Provide a reasonable level of reliability and correct operation.
(3) Are reasonably suited to performing their intended functions or serving their intended purposes.
(4) Comply with applicable agreements between the parties, if any.
(5) Adhere to generally accepted security procedures.

Section 105. Public access to information.
Information or records created by or provided to a governmental entity shall be subject to inspection and copying only to the extent already required under the act of June 21,
1957 (P.L.390, No.212), referred to as the Right-to-Know Law.

CHAPTER 3
ELECTRONIC RECORDS AND ELECTRONIC SIGNATURES

Section 301. Legal recognition.
Information, records, agreements and signatures may not be denied legal effect, validity or enforceability solely on the grounds that they are in electronic form.

Section 302. Electronic records.
(a) General rule.--Where a law requires information to be in writing or provides for certain consequences if it is not, an electronic record satisfies that law or regulation.
(b) Inapplicability.--This section shall not apply:
(1) when its application would involve construction of a law or regulation that is clearly inconsistent with the manifest intent of the lawmaking body or repugnant to the context of the same law or regulation, provided that the mere requirement that information be in writing or printed shall not by itself be sufficient to establish the intent;
(2) to any law or regulation governing the creation or execution of a will or trust, living will or health care power of attorney; or
(3) to any record that serves as a unique and transferable instrument of rights and obligations, including, without limitation, negotiable instruments and other instruments of title wherein possession of the instrument is deemed to confer title unless an electronic version of the record is created, stored and transferred in a manner:
(i) that allows for the existence of only one unique, identifiable and unalterable original with the functional attributes of an equivalent physical
instrument;
(ii) that can be possessed by only one person; and
(iii) that cannot be copied except in a form that is readily identifiable as a copy.

Section 303. Electronic signatures.
(a) General rule.--Where a law or regulation requires a signature or provides for certain consequences if a document is not signed, an electronic signature shall be deemed to satisfy that law or regulation.
(b) Proof.--An electronic signature may be proved in any manner, including, but not limited to, by showing that a procedure existed by which a party must, of necessity, have executed a symbol or security procedure for the purpose of verifying that an electronic record is that of the party in order to proceed further with a transaction.
(c) Inapplicability.--This section shall not apply:
(1) when its application would involve a construction of a law or regulation that is clearly inconsistent with the manifest intent of the lawmaking body or repugnant to the context of the same law or regulation, provided that the mere requirement of a signature shall not by itself be sufficient to establish the intent;
(2) to any law or regulation governing the creation or execution of a will or trust, living will or health care power of attorney; or
(3) to any record that serves as a unique and transferable instrument of rights and obligations, including, without limitation, a negotiable instrument and any other instrument of title wherein possession of the instrument is deemed to confer title unless an electronic version of that
record is created, stored and transferred in a manner:
(i) that allows for the existence of only one unique, identifiable and unalterable original with the functional attributes of an equivalent physical instrument;
(ii) that can be possessed by only one person; and
(iii) that cannot be copied except in a form that is readily identifiable as a copy.

Section 304. Original forms.
(a) General rule.--Where a law or regulation requires information to be presented or retained in its original form or provides consequences if the information is not presented or retained in its original form, that law or regulation shall be deemed satisfied by an electronic record if there exists reliable assurance as to the integrity of the information from the time when it was first generated in its final form as an electronic record or otherwise.
(b) Assessment of integrity and standard of reliability.--
(1) The criteria for assessing integrity shall be whether the information has remained complete and unaltered, apart from the addition of any endorsement or other information that arises in the normal course of communication, storage and display.
(2) The standard of reliability required to ensure that information has remained complete and unaltered shall be assessed in the light of the purpose for which the information was generated and in the light of all the relevant circumstances.
(c) Inapplicability.--This section shall not apply to any record that serves as a unique and transferable instrument of
rights and obligations, including, without limitation, a negotiable instrument and any other instrument of title wherein possession of the instrument is deemed to confer title unless an electronic version of the record is created, stored and transferred in a manner:
(1) that allows for the existence of only one unique, identifiable and unalterable original with the functional attributes of an equivalent physical instrument;
(2) that can be possessed by only one person; and
(3) that cannot be copied except in a form that is readily identifiable as a copy.

Section 305. Admissibility into evidence.
(a) General rule.--In any legal proceeding, the admissibility of an electronic record or electronic signature into evidence may not be denied:
(1) on the sole ground that it is an electronic record signature; or
(2) on the grounds that it is not in its original form or is not an original.
(b) Weight of evidence.--Information in the form of an electronic record shall be given due evidentiary weight by the trier of fact. In assessing the evidentiary weight of an electronic record or electronic signature where its authenticity is at issue, the trier of fact may consider:
(1) The manner in which it was generated, stored or communicated.
(2) The reliability of the manner in which its integrity was maintained.
(3) The manner in which its originator was identified or the electronic record was signed.
(4) Any other relevant information or circumstances.

Section 306. Retention of electronic records.
(a) General rule.--Where a law or regulation requires that certain documents, records or information be retained, that requirement is met by retaining electronic records of the information in a trustworthy manner provided that the following conditions are satisfied:
(1) The electronic record and the information contained therein are accessible so as to be usable for subsequent reference at all times when the information must be retained.
(2) The information is retained in the format in which it was originally generated, sent or received or in a format that can be demonstrated to represent accurately the information originally generated, sent or received.
(3) Such data as enables the identification of the origin and destination of the information, the authenticity and integrity of the information and retention of the date and time when it was sent or received.
(b) Qualification.--An obligation to retain documents, records or information in accordance with subsection (a) does not extend to any data, the sole purpose of which is to enable the record to be sent or received.
(c) Construction.--Nothing in this section shall be construed to prohibit a governmental entity from specifying additional requirements for the retention and use of records that are subject to the jurisdiction of the entity.

Section 307. Electronic use not required.
Nothing in this act shall be construed to:
(1) require any person to create, store, transmit, accept or otherwise use or communicate information, records
or signatures by electronic means or in electronic form; or
(2) prohibit any person engaged in an electronic transaction from establishing reasonable requirements regarding the medium on which it will accept records or the method and type of symbol or security procedure it will accept as a signature.

Section 308. Applicability of other statutes.
(a) Laws.--Notwithstanding any other provision of this act, if any other law requires approval by a governmental entity prior to the use or retention of electronic records or the use of electronic signatures, the provisions of that other law shall also apply.
(b) Discretion to governmental entities.--Nothing in this act shall prohibit a governmental entity from requiring persons who are authorized to do business in this Commonwealth to use nonelectronic records or signatures.

CHAPTER 5
SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC SIGNATURES

Section 501. Secure electronic records.
(a) General rule.--If through the use of a qualified security procedure it can be verified that an electronic record has not been altered since a specified point in time, then the electronic record shall be considered to be a secure electronic record from the specified point in time to the time of verification if the relying party establishes that the qualified security procedure was:
(1) Commercially reasonable under the circumstances.
(2) Applied by the relying party in a trustworthy manner.
(3) Reasonably and in good faith relied upon by the
relying party.
(b) Qualified security procedures.--A qualified security procedure for purposes of this section is a security procedure to detect changes in the content of an electronic record that is:
(1) previously agreed to by the parties; or
(2) certified by the secretary in accordance with section 901 as being capable of providing reliable evidence that an electronic record has not been altered.

Section 502. Secure electronic signatures.
(a) General rule.--If through the use of a qualified security procedure it can be verified that an electronic signature is the signature of a specific person, then the electronic signature shall be considered to be a secure electronic signature at the time of verification if the relying party establishes that the qualified security procedure was:
(1) Commercially reasonable under the circumstances.
(2) Applied by the relying party in a trustworthy manner.
(3) Reasonably and in good faith relied upon by the relying party.
(b) Qualified security procedure.--A qualified security procedure for purposes of this section is a security procedure for identifying a person that is:
(1) previously agreed to by the parties; or
(2) certified by the secretary in accordance with section 901 as being capable of creating in a trustworthy manner an electronic signature that:
(i) is unique to the signer within the context in which it is used;
(ii) can be used to objectively identify the person signing the electronic record;
(iii) was reliably created by the identified person, insofar as some aspect of the procedure involves the use of a signature device or other means or method that is under the sole control of this person, and that it cannot be readily duplicated or compromised; and
(iv) is created and is linked to the electronic record to which it relates in a manner such that if the record or the signature is intentionally or unintentionally changed after signing, the electronic signature is invalidated.

Section 503. Commercially reasonableness and reliance.
(a) Considerations for determining commercial reasonableness.--The commercial reasonableness of a security procedure is a question of law to be determined in light of the purposes of the procedure and the commercial circumstances at the time the procedure was used, including:
(1) The nature of the transaction.
(2) Sophistication of the parties.
(3) Volume of similar transactions engaged in by either or both of the parties.
(4) Availability of alternatives offered to but rejected by either of the parties.
(5) Cost of alternative procedures.
(6) Procedures in general use for similar types of transactions.
(b) Considerations for determining reliance.--Whether reliance on a security procedure was reasonable and in good faith is to be determined in light of all the circumstances
known to the relying party at the time of the reliance, giving due regard to the:
(1) information that the relying party knew or should have known at the time of reliance that would suggest that reliance was or was not reasonable;
(2) the value or importance of the electronic record, if known;
(3) the course of dealing between the relying party and the purported sender, if any, and the available indicia of reliability or unreliability apart from the security procedure;
(4) the usage of trade, particularly if the trade is conducted by trustworthy systems or other computer-based means, if any; and
(5) whether the verification was performed with the assistance of an independent third party.

Section 504. Rebuttable presumptions.
(a) Secure electronic records.--In resolving a civil dispute involving a secure electronic record, it shall be rebuttably presumed that the electronic record has not been altered since the specific point in time to which the secure status relates.
(b) Secure electronic signatures.--In resolving a civil dispute involving a secure electronic signature, it shall be rebuttably presumed that the secure electronic signature is the signature of the person to whom it correlates.
(c) Effect of presumptions.--The effect of the presumptions set forth in this section is to place on the party challenging the integrity of a secure electronic record or challenging the genuineness of a secure electronic signature with both the burden of going forward with evidence to rebut the presumption
and the burden of persuading the trier of fact that the nonexistence of the presumed fact is more probable than its existence.
(d) Existing law and rules.--In the absence of a secure electronic record or a secure electronic signature, nothing in this act shall change existing law or evidentiary rules regarding the burden of proving the authenticity and integrity of an electronic record or an electronic signature.

Section 505. Creation and control of signature devices.
Except as otherwise provided by another applicable rule of law, whenever the creation, validity or reliability of an electronic signature created by a qualified security procedure under section 501 or 502 is dependent upon the secrecy or control of a signature device of the signer:
(1) The person generating or creating the signature device must do so in a trustworthy manner.
(2) The signer and all other persons that rightfully have access to the device must exercise reasonable care to retain control and maintain the secrecy of the device and to protect it from any unauthorized access, disclosure or use during the period when reliance on a signature created by the device is reasonable.
(3) In the event that the signer or any other person that rightfully has access to the device knows or has reason to know that the secrecy or control of the device has been compromised, that person must make a reasonable effort:
(i) to promptly notify all persons who might foreseeably be damaged as a result of the compromise; or
(ii) where an appropriate publication mechanism is available, to publish notice of the compromise and a
disavowal of any signatures created thereafter. For executive agencies, independent agencies and State-affiliated entities, notice may include publication in the Pennsylvania Bulletin.

Section 506. Attribution of signature.
Except as provided by another applicable law or regulation, a secure electronic signature is attributable to the person to whom it correlates, whether or not authorized, if:
(1) The electronic signature resulted from acts of a person that obtained the signature device or other information necessary to create the signature from a source under the control of the alleged signer, creating the appearance that it came from that party.
(2) The access or use occurred under circumstances constituting a failure to exercise reasonable care by the alleged signer.
(3) The relying party relied reasonably and in good faith to his detriment on the apparent source of the electronic record.

Section 507. Notarization and acknowledgment.
If a law or regulation requires that a signature be notarized or acknowledged or provides consequences in the absence of a notarization or acknowledgment, the requirement is satisfied with respect to an electronic record if a security procedure was applied to the electronic signature which establishes by clear and convincing evidence the identity of the person signing the electronic record.

Section 508. Secretary's authority to certify security procedures.
(a) Investigation and review.--A security procedure may be
certified by the secretary as a qualified security procedure for purposes of sections 501 and 502 following an appropriate investigation or review if:
(1) The security procedure, including any technology and algorithms it employs, is completely open and fully disclosed to the public and has been so for a sufficient length of time so as to facilitate a comprehensive review and evaluation of its suitability for the intended purpose by the applicable information security or scientific community.
(2) The security procedure, including any technology and algorithms it employs, has been generally accepted in the applicable information security or scientific community as being capable of satisfying the requirements of section 501 or 502 as applicable in a trustworthy manner.
(b) Opinion of independent experts.--In making a determination regarding whether the security procedure, including any technology and algorithms it employs, has been generally accepted in the applicable information security or scientific community, the secretary shall consider the opinion of independent experts in the applicable field and the published findings of the community, including applicable standards organizations such as the American National Standards Institute (ANSI), International Standards Organization (ISO), International Telecommunications Union (ITU) and the National Institute of Standards and Technology (NIST).
(c) Regulation.--Certification under this section shall be performed through the adoption of regulations in accordance with the act of June 25, 1982 (P.L.633, No.181), known as the Regulatory Review Act, and shall specify a full and complete identification of the security procedure, including requirements
as to how it is to be implemented, if appropriate.
(d) Decertification.--If subsequent developments establish that the security procedure is no longer sufficiently trustworthy or reliable for its intended purpose or for any other reason no longer meets the requirements for certification, the secretary may, following an appropriate investigation and review, decertify a security procedure as a qualified security procedure for purposes of section 501 or 502 by publishing notice of the decertification in the Pennsylvania Bulletin.
(e) Exclusive authority.--The secretary shall have exclusive authority to certify and decertify security procedures under this section.

§ 509. Unauthorized use of signature device.
(a) Offense defined.--A person commits an offense if he:
(1) knowingly or intentionally accesses, copies or otherwise obtains possession of or recreates the signature device of another person without authorization for the purpose of creating, allowing or causing another person to create an unauthorized electronic signature using such signature device; or
(2) knowingly alters, discloses or uses the signature device of another person without authorization, or in excess of lawful authorization, for the purpose of creating, or allowing or causing another person to create, an unauthorized electronic signature using such signature device.
(b) Grading.--An offense under subsection (a)(1) is a misdemeanor of the first degree. An offense under subsection (a)(2) is a felony of the third degree, except that an offense under subsection (a)(2) in furtherance of any scheme or artifice to defraud in excess of $50,000 is a felony of the second
degree.

CHAPTER 7
USE OF ELECTRONIC RECORDS AND SIGNATURES BY GOVERNMENTAL ENTITIES

Section 701. Use of electronic records by governmental entities.
(a) Executive agencies.--In accordance with the standards published by the Governor's Office of Administration, each executive agency shall determine if and the extent to which it will send and receive electronic records and electronic signatures to and from other persons and otherwise create, use, store and rely upon electronic records and electronic signatures.
(b) Governmental entities.--
(1) All other governmental entities shall determine if and the extent to which they will send and receive electronic signatures to and from other persons and otherwise create, use, store and rely upon electronic records and electronic signatures.
(2) In any case where a governmental entity decides to send or receive electronic records or to accept document filings by electronic records, the governmental entity may, giving due consideration to security, specify:
(i) The manner and format in which the electronic records must be created, sent, received and stored.
(ii) If the electronic records must be signed, the type of electronic signature required, the manner and format in which the signature must be affixed to the electronic record and the identity of or criteria that must be met by any third party used by the person filing
the document to facilitate the process.

(iii) Control processes and procedures as appropriate to ensure adequate integrity, security, confidentiality and to audit the electronic records.

(iv) Any other required attributes for the electronic records that are currently specified for corresponding paper documents, or reasonably necessary under the circumstances.

(c) Minimum standards.--Standards adopted by an executive agency shall include the relevant minimum security requirements established by the Governor's Office of Administration, if any.

(d) Effect of certain electronic record filings.--Whenever any law or regulation requires or authorizes the filing of any information, notice, lien or other document or record with any governmental entity, a filing made by an electronic record shall have the same force and effect as a filing made on paper in all cases where the governmental agency has authorized or agreed to the electronic filing and the filing is made in accordance with the applicable rules or agreement.

(e) Construction.--Nothing in this act shall be construed to require a governmental entity to use or to permit the use of electronic records or electronic signatures.

Section 702. Adoption of standards for use by governmental entities.

(a) Governor's Office of Administration.--The Governor's Office of Administration may establish standards setting forth minimum security requirements for the use of electronic records and electronic signatures by executive agencies. The Governor's Office of Administration shall specify appropriate minimum security requirements to be implemented and followed by
executive agencies.

(b) Minimum security requirement standards.--Governmental entities may establish standards setting forth minimum security requirements for the use of electronic records and electronic signatures.

Section 703. Interoperability.

To the extent reasonable under the circumstances, the standards adopted by the Governor's Office of Administration or any other governmental entity relating to the use of electronic records or electronic signatures shall be drafted in a manner designed to encourage and promote consistency and interoperability with similar requirements adopted by government agencies of the Federal Government and other states.

CHAPTER 9
ADMINISTRATION

Section 901. Departmental regulations.

(a) Interim regulation.--

(1) Within 90 days of the effective date of this act, the department shall promulgate interim regulations applicable to both governmental entities and the private sector in order to implement this act. The regulations may establish fees to be charged by the department to recover all or a portion of its costs.

(2) In developing the interim regulations, the department shall provide maximum flexibility to the implementation and incorporation of technology and, to the extent reasonably possible, maximize the opportunities for uniformity with the laws of other jurisdictions, both within the United States and internationally.

(3) The interim regulations shall not be subject to
review under any of the following:

(i) Section 205 of the act of July 31, 1968 (P.L.769, No.240), referred to as the Commonwealth Documents Law.

(ii) Section 204(b) of the act of October 15, 1980 (P.L.950, No.164), known as the Commonwealth Attorneys Act.

(iii) Act of June 25, 1982 (P.L.633, No.181), known as the Regulatory Review Act.

(b) Other regulations.--The interim regulations under subsection (a) shall expire July 1, 2001 and shall be replaced with regulations that are promulgated as provided by law.

Section 902. Enforcement.

The secretary may investigate complaints or other information indicating violations of rules adopted by the secretary under this act. The secretary shall refer to the Attorney General for such action as the Attorney General may deem appropriate all information the secretary obtains that discloses a violation of any provision of this act or the regulations adopted under this act.

CHAPTER 11
MISCELLANEOUS PROVISIONS

Section 1101. Severability.

The provisions of this act are severable. If any provision of this act or its application to any person or circumstance is held invalid, the invalidity shall not affect other provisions or applications of this act which can be given effect without the invalid provision or application.

Section 1102. Effective date.

This act shall take effect in 30 days.