HOUSE BILL REPORT

                 SSB 5308

 

             As Reported By House Committee On:

                      Commerce & Labor

 

Title:  An act relating to electronic signatures.

 

Brief Description:  Regulating electronic signatures.

 

Sponsors:  Senate Committee on Energy & Utilities (originally sponsored by Senators Horn, Finkbeiner, Franklin, Fraser and Winsley; by request of Secretary of State).

 

Brief History:

  Committee Activity:

Commerce & Labor:  4/2/97 [DP].

 

HOUSE COMMITTEE ON COMMERCE & LABOR

 

Majority Report:  Do pass.  Signed by 9 members:  Representatives McMorris, Chairman; Honeyford, Vice Chairman; Conway, Ranking Minority Member; Wood, Assistant Ranking Minority Member; Boldt; Clements; Cole; Hatfield and Lisk.

 

Staff:  Pam Madson (786-7166).

 

Background:  Digital signature systems are a form of public key cryptography, which can be used both to protect the confidentiality of an electronic document and to authenticate its source.  These systems operate on the basis of two mathematically related digital keys, or codes, created by the person who will sign or receive messages.  One key is the "private" key, which is known only to the signer of the electronic message, and the other is the signer's "public" key, which may be given to anyone with whom the signer wishes to exchange confidential or authenticated messages.  To "digitally sign" a message, the signer applies the private key to a condensed digest of the message and attaches the result to it.  Any holder of the corresponding public key can then verify both that the signature was created by the person holding the private key and that the message itself was not altered after it was signed.  Confidentiality is obtained by the reverse operation: a message encrypted with the recipient's public key can be read only by the holder of the corresponding private key.  A digital signature by itself does not conceal the contents of the message. 

 

To ensure that public keys really do belong to the people to whom they appear to belong, each public key is provided with a computer-based certificate of authenticity.  These certificates are created by "certification authorities," which attest that the public keys they certify belong to the persons possessing the corresponding private keys.  Further, a chain of certification authorities can be created, each certifying the next, so that a person relying on a certificate need trust only the authority at the top of the chain; the assurance provided by such a chain is, however, no greater than the reliability of the authorities in it.  Protections were needed, therefore, to ensure the reliability of both the certificates and the certification authorities.  Thus, the Washington Electronic Authentication Act was enacted in 1996 to provide rules with respect to the authentication and reliability of digital signature systems, the issuance, suspension, and revocation of certificates, and the licensing of certification authorities.  This law will take effect on January 1, 1998. 
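The following Go program is an added illustration of the mechanism described in the two paragraphs above; it is not part of the bill report and does not depict any system referenced in the Act.  It uses only the Go standard library to generate a self-signed root certification authority, an intermediate authority certified by the root, and a subscriber certificate certified by the intermediate.  It then signs a constructed sample document with the subscriber's private key, verifies it with the public key taken from the subscriber's certificate, shows that a one-digit alteration of the document is detected, and shows that a certificate bearing the same subscriber name but issued by an authority the relying party has not agreed to trust is rejected.  All names ("Example Licensed Root CA," "Example Subscriber," "Unlicensed CA"), serial numbers, and the document text are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignMessage (subscriber side): hash the document and sign the digest with the private key.
func SignMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyMessage (relying-party side): recompute the digest and check the signature
// against the public key. Any change to msg after signing makes this return false.
func VerifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// newCert generates a key pair and a certificate binding cn to its public key.
// A nil parent yields a self-signed certificate (a root certification authority);
// otherwise the certificate is signed with parentKey. Errors panic: demo code, fixed inputs.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // constructed name, not a real authority
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyChain: does leaf chain, via the offered intermediate, to a root the relying party trusts?
func VerifyChain(leaf, intermediate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// RunScenario builds a root -> intermediate -> subscriber chain, signs a constructed
// document, and returns what a relying party checks: the genuine document verifies, an
// altered one is caught, the subscriber's certificate chains to the root, an impostor's does not.
func RunScenario() (sigValid, tamperCaught, chainTrusted, impostorTrusted bool, err error) {
	root, rootKey := newCert("Example Licensed Root CA", 1, true, nil, nil)
	inter, interKey := newCert("Example Intermediate CA", 2, true, root, rootKey)
	sub, subKey := newCert("Example Subscriber", 3, false, inter, interKey)
	// Same subscriber name, but certified by an authority nobody has agreed to trust.
	rogueCA, rogueKey := newCert("Unlicensed CA", 4, true, nil, nil)
	impostor, _ := newCert("Example Subscriber", 5, false, rogueCA, rogueKey)
	// Constructed sample document. The relying party takes the public key from the
	// subscriber's certificate, never from the message itself.
	msg := []byte("Pay $1,000 to Acme Supply. Invoice 4471.")
	sig, err := SignMessage(subKey, msg)
	if err != nil {
		return
	}
	pub := sub.PublicKey.(*ecdsa.PublicKey)
	tampered := []byte("Pay $9,000 to Acme Supply. Invoice 4471.") // one digit altered in transit
	return VerifyMessage(pub, msg, sig), !VerifyMessage(pub, tampered, sig),
		VerifyChain(sub, inter, root) == nil, VerifyChain(impostor, inter, root) == nil, nil
}

func main() {
	fmt.Println(RunScenario())
}
```

Run with go run; the program prints true, true, true, false and a nil error.  The rejection of the impostor is the point the Background paragraph makes: a certificate is only as trustworthy as the chain of authorities behind it, and the relying party, not the sender, decides which authorities are trusted.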

 

Duties of the secretary of state.

 

If no certification authority is licensed in the state, then the secretary of state may issue, suspend, and revoke certificates as a licensed certification authority.  Once another certification authority becomes licensed in the state, the secretary of state may no longer act as a certification authority.

 

The Department of Information Services.

 

The Washington Electronic Authentication Act does not authorize the Department of Information Services to become a licensed certification authority. 

 

State and local government units as subscribers and certification authorities.

 

The Washington Electronic Authentication Act does not specifically authorize state or local government units to become subscribers or licensed certification authorities. 

 

Licensing of certification authorities.

 

There is no limitation on the duration of a license issued to a certification authority. 

 

Audit requirements.

 

The secretary of state may exempt a licensed certification authority from audit requirements.

 

Discontinuance of licensed certification authorities.

 

There are no specific actions that licensed certification authorities are required to take when they discontinue providing certification authority services. 

 

Recommended reliance limits and penalties.

 

By specifying a recommended reliance limit in a certificate, both the issuing certification authority and the accepting subscriber recommend that persons rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit. 

 

A licensed certification authority is not liable for any loss in excess of the certificate's recommended reliance limit that results from (1) the certification authority's failure to comply with the rules for issuing certificates; or (2) a misrepresentation in the certificate of a fact that the certification authority is required to confirm.  Further, a licensed certification authority is liable only for direct compensatory damages in an action to recover a loss due to reliance on the certificate. 

 

A repository is liable only for direct compensatory damages in an action to recover a loss due to reliance on a certificate.

 

The secretary of state may impose a maximum civil monetary penalty of $5,000 or 90 percent of the recommended reliance limit of a certificate, whichever is less, for a violation of the Washington Electronic Authentication Act. 

 

Revocation and suspension of certificates.

 

A certificate issued by a licensed certification authority need not contain any information with respect to the location or identity of a repository in which notification of the certificate's revocation or suspension will be listed if the certificate is suspended or revoked. 

 

The secretary of state may revoke or suspend a certification authority's license for failure to comply with the Washington Electronic Authentication Act. 

 

In an emergency resulting from a licensed certification authority's noncompliance with the rules for issuing certificates, the secretary of state may suspend a certificate for a period not to exceed 48 hours.  The secretary of state also may suspend a certificate for a period of 48 hours upon request. 

 

A licensed certification authority, upon request or by order of the secretary of state, must suspend a certificate for a period not to exceed 48 hours. 

 

The county clerk may suspend certificates issued by a licensed certification authority. 

 

A person who knowingly or intentionally misrepresents to a certification authority his or her identity or authorization in requesting a suspension of a certificate is guilty of a misdemeanor.

 

Control of private keys.

 

By accepting a certificate issued by a licensed certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to a person not authorized to create the subscriber's digital signature.  However, there is no statutory provision concerning the duty of the subscriber if the certificate expires or is revoked.  Further, the subscriber has no duty to keep the private key secure while a certificate is suspended. 

 

The Washington Electronic Authentication Act does not exempt a private key in the possession of a state or local agency from public inspection and copying under Washington's public record disclosure laws. 

 

Satisfaction of signature requirements.

 

Where a signature is required by law, that rule is satisfied by a digital signature if, among other requirements, no party affected by a digital signature objects to the use of digital signatures in lieu of a signature. 

 

No person is obligated to accept a digital signature or to respond to an electronic message containing a digital signature, nor is any person required to honor, accept, or act upon a court order, writ, or warrant if it is electronic in form and signed with a digital signature, including a digital signature that is certified by a licensed certification authority or otherwise issued under court rule.

 

Factors used in evaluating reasonable reliance upon a certificate.

 

No specific factors must be considered in evaluating the reasonableness of a recipient's reliance upon a certificate and its digital signatures. 

 

Summary of Bill:  A variety of changes are made to the Washington Electronic Authentication Act. 

 

Duties of the secretary of state.

 

The secretary of state is not authorized to act as a certification authority. 

 

The Department of Information Services.

 

The Department of Information Services may become a licensed certification authority for the purpose of providing services to state and local government.  The department may only issue certificates in which the subscriber is: (1) the state of Washington or a department, office, or agency of the state; (2) a city, county, district, or other municipal corporation, or a department, office, or agency of the city, county, district, or municipal corporation; (3) an agent or employee of an entity described in (1) or (2) for purposes of official public business; or (4) an applicant for a license as a certification authority. 

 

 

State and local government units as subscribers and certification authorities.

 

A state or local government unit, including its appropriate officers or employees, may become a subscriber for the purposes of conducting official business.  The only state government unit that may act as a certification authority is the Department of Information Services.  A city or county, however, may become a licensed certification authority for the purpose of providing services to local government, but only if authorized by local ordinance.

 

Licensing of certification authorities.

 

Licenses expire one year after they are issued, except that the secretary of state may provide for a longer duration by rule.

 

Audit requirements.

 

The secretary of state no longer may exempt a licensed certification authority from audit requirements. 

 

Discontinuance of licensed certification authorities.

 

A licensed certification authority that no longer provides certification authority services must (1) notify all subscribers listed in valid certificates issued by the licensed certification authority; (2) minimize disruption, to the extent commercially reasonable, to subscribers of the valid certificates and parties relying on those certificates; and (3) make reasonable arrangements for the preservation of the licensed certification authority's records. 

 

Recommended reliance limits and penalties.

 

By specifying a recommended reliance limit in a certificate, the issuing certification authority only, and not the subscriber, recommends that persons rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit. 

 

A licensed certification authority is no longer liable only for direct compensatory damages in an action to recover a loss due to reliance on a certificate that it has issued, and it is liable for damages for lost profits or opportunity.  In addition, a licensed certification authority is liable for breach of any of the warranties it gives or for lack of good faith.  By agreement a licensed certification authority, however, may liquidate, limit, alter, or exclude consequential or incidental damages, unless the limitation, alteration, or exclusion is unconscionable. 

 

A repository is no longer liable only for direct compensatory damages in an action to recover a loss due to reliance on a certificate.  In addition, a repository is liable for damages for lost profits or opportunity, and by agreement may liquidate, limit, alter, or exclude consequential or incidental damages, unless the limitation, alteration, or exclusion is unconscionable. 

 

The secretary of state may impose a maximum civil monetary penalty of $10,000 or 90 percent of the recommended reliance limit of a certificate, whichever is less, for a violation of the Washington Electronic Authentication Act. 

 

Revocation and suspension of certificates.

 

A certificate issued by a licensed certification authority must provide information sufficient to locate or identify one or more repositories in which notification of the certificate's revocation or suspension will be listed if the certificate is suspended or revoked. 

 

In addition to having the authority to suspend or revoke a certificate for noncompliance, the secretary of state may suspend a license pending revocation proceedings or other actions.  To do so, the secretary of state must find that the certification authority has used its license to violate a state or federal criminal statute or Washington's consumer protection act, or has engaged in conduct giving rise to a serious risk of loss to public or private parties if the license is not immediately suspended. 

 

The maximum length of time for which a certificate may be suspended by the secretary of state in an emergency or upon request is 96 hours.

 

The maximum period of time for which a certificate may be suspended by a licensed certification authority is 96 hours.  

 

The county clerk may no longer suspend certificates issued by a licensed certification authority. 

 

A person who knowingly or intentionally misrepresents to a certification authority his or her identity or authorization in requesting suspension of a certificate is guilty of a gross misdemeanor.

 

Control of private keys.

 

The subscriber identified in a certificate issued by a licensed certification authority has no duty to exercise reasonable care to retain control of the private key and prevent its disclosure to a person not authorized to create the subscriber's digital signature if the certificate expires or is revoked. 

 

A private key in the possession of a state or local agency is exempt from the public inspection and copying requirements in Washington's public record disclosure laws. 

 

Satisfaction of signature requirements.

 

Where a signature is required by law, the requirement that no affected party object to the use of a digital signature in lieu of a signature is eliminated. 

 

No person is obligated to accept a digital signature or to respond to an electronic message containing a digital signature, except that a person may not refuse to honor, accept, or act upon a court order, writ, or warrant upon the basis that it is electronic in form and signed with a digital signature, if the digital signature was certified by a licensed certification authority or otherwise issued under court rule.  In addition, the recipient of a digital signature or an electronic message containing a digital signature may establish the conditions under which the recipient will accept a digital signature. 

 

Factors used in evaluating reasonable reliance upon a certificate.

 

The following factors are significant in evaluating the reasonableness of a recipient's reliance upon a certificate and the digital signatures it lists: (1) facts which the relying party knows or of which the relying party has notice; (2) the value or importance of the digitally signed message, if known; (3) the course of dealing between the person and subscriber; and (4) usage of trade, particularly trade conducted by trustworthy systems or other computer-based means.

 

Appropriation:  None.

 

Fiscal Note:  Not requested.

 

Effective Date:  Ninety days after adjournment of the session in which the bill is passed, except that sections 1 through 23, 25 through 27, and 29 through 34 of this act take effect January 1, 1998.

 

Testimony For:  The underlying bill was enacted last year. A task force worked during the summer to address concerns for implementation of this new act.  This bill represents changes that are agreed upon by the interested parties.  Washington has become a leading state regarding digital signatures, particularly in licensing certification authorities.  This state is attracting national attention on this issue.  Washington took the approach of involving private business in developing this process.  It is appropriate for Washington to be a leader on this issue because this state has a number of major international businesses who use this technology.  This will open the way to international and national trade transactions.  It will allow small businesses to use this technology as well.

 

Testimony Against:  None.

 

Testified:  Senator Jim Horn, prime sponsor; and Ralph Munro, Secretary of State.