SENATE BILL REPORT

                  ESB 5962

               As Passed Senate, March 11, 1999

 

Title:  An act relating to the promotion of electronic commerce through digital signatures.

 

Brief Description:  Promoting electronic commerce through digital signatures.

 

Sponsors:  Senators Brown, Horn and Finkbeiner; by request of Secretary of State and Governor Locke.

 

Brief History:

Committee Activity:  Energy, Technology & Telecommunications:  2/23/99, 3/2/99 [DPS, DNPS].

Passed Senate, 3/11/99, 38-8.

 

SENATE COMMITTEE ON ENERGY, TECHNOLOGY & TELECOMMUNICATIONS

 

Majority Report:  That Substitute Senate Bill No. 5962 be substituted therefor, and the substitute bill do pass.

  Signed by Senators Brown, Chair; Goings, Vice Chair; Fairley and Fraser.

 

Minority Report:  Do not pass substitute.

  Signed by Senator Hochstatter.

 

Staff:  Karen Kirkpatrick (786-7403)

 

Background:  On January 1, 1998, the Washington Electronic Authentication Act became effective.  This law allows the use of digital signature technology in electronic transactions and creates a process for licensing certification authorities.  The Office of the Secretary of State has responsibility for implementing and administering the Electronic Authentication Act.

 

Digital signature encryption systems are used to both protect the confidentiality of an electronic document and authenticate its source.  These systems operate on the basis of two digital keys or codes created by the person desiring to send encrypted messages.  One key is the private key, which is known only to the signer of the electronic message, and the other is the signer's public key, which is given to individuals with whom the sender wishes to exchange the confidential or authenticated message.  The public key is used to verify both that the message was signed by the person holding the private key and that the message itself was not altered during its transmission.

 

The Governor and the Secretary of State are requesting this legislation, drafted by the Secretary of State and Department of Information Services (DIS), to clarify and simplify the Electronic Authentication Act, give greater flexibility to the secretary in administering the act, and allow DIS to become a licensed certification authority (CA) for the purpose of validating digital signatures between state agencies and citizens for official business.

 

Summary of Bill:  Presumptions of validity and liability limitations do not apply unless all provisions of the Electronic Authentication Act are met.  A digitally signed message must be deemed to be an original of the message and a verified signature must satisfy requirements for acknowledgments under current law.

 

The Secretary of State's authority to establish rules is  broadened and clarified.  The secretary may adopt rules to license CAs, recognize repositories, certify operative personnel, govern the practices of each, determine the form and amount suitable for guaranty, specify reasonable requirements for contents and form of certificates and certification practice statements, specify the procedure and manner by which laws of other jurisdictions may be recognized, and establish audit requirements and auditor qualifications.  Provisions for recognizing repositories are modified to require record keeping, recognition and discontinuance of recognition in accordance with rules adopted by the secretary.

 

Provisions relating to obtaining or retaining a license are modified, including requiring a CA to provide proof of identity, allowing only certified operative personnel to be employed in appropriate positions and authorizing the secretary to create license classifications by rule and impose license restrictions specific to the practices of an individual CA.

 

The secretary may order penalties, but only a finding of noncompliance and order requiring compliance must be authorized against an agency acting as a CA.  Penalties are enforceable in court.

 

Provisions authorizing the secretary to publish brief statements about activities of a CA that create risk are modified.  A licensed CA must use only a trustworthy system and recognized repository for issuance, suspension, or revocation of a certificate.  A CA may establish policies regarding the publication and suspension of certificates.  If a CA does not establish a policy, it must satisfy certain conditions.  A CA may suspend a certificate for a period not exceeding five business days as needed for an investigation.

 

A licensed CA may issue a certificate to a subscriber only after certain conditions are met.  In confirming the identification of a prospective subscriber, a licensed CA must make a reasonable inquiry into the subscriber's identity and must be presumed to have confirmed the identity where the subscriber has appeared and presented a specified form of identification and a certified operative personnel or a notary has reviewed and accepted the identification.

 

If a signature of a unit of government is required by statute or rule, that unit of government must become a subscriber to a certificate issued by a licensed CA for purposes of conducting official public business with electronic records.  No unit of state government, other than the secretary and the Department of Information Services (DIS), must act as CA.

 

DIS is authorized to become a licensed CA for the purpose of providing services to agencies, local governments and other entities and persons for purposes of official state business.

 

The Office of Financial Management must convene a task force, which must include both governmental and nongovernmental representatives, to review the practice of the state issuing certificates to nongovernmental entities or individuals for the purpose of conducting official public business.  The task force must prepare and submit its findings to the Legislature by December 31, 2001.  The task force provision expires June 30, 2001.

 

Intent language and definitions are modified.  Other clarifying and technical changes are made.

 

Appropriation:  None.

 

Fiscal Note:  Not requested.

 

Effective Date:  The bill contains an emergency clause and takes effect immediately.

 

Testimony For:  The Electronic Authentication Act promotes trustworthy systems and standards.  Licensing is voluntary and protects citizens that want to be protected.  The state is a leader in the field that other states and countries are following.  When a company states it is licensed in Washington, that holds great value.  The act enhances commerce and economic opportunity.  Digital signatures are fundamental to the growth of electronic commerce by enabling transactions over the Internet that reduce paper, costs, and increase efficiency.  The original task force never considered agencies competing with the private sector, but this bill allows DIS to compete with the private sector without the same risk.  The task force can reevaluate this policy if necessary.

 

Testimony Against:  The bill turns over important decisions to the rulemaking process rather than the Legislature.  Several issues are not articulated in the bill including privacy protection and standards.  The private-public relationship is confusing.

 

Testified:  PRO:  Pat Kohler, Department of General Administration; Chris Hedrick, Governor=s Office; Ralph Munro, Secretary of State; Steve Kolodney, DIS; Linda Mackintosh, ID Certify; Gary Gardner, Boeing Employee Credit Union (w/amend); CON:  Janeane Dubuar, Computer Professionals for Social Responsibility.

 

House Amendment(s):  Before DIS may issue a certificate to a nongovernmental entity, it must issue a request for proposals from licensed certification authorities and make a written determination that such services are not sufficient to meet the department=s published requirements.  The task force would convene only if DIS issues a certificate to a nongovernmental entity.  A provision modifying requirements for acknowledgments is deleted.