FINAL BILL REPORT

                  SSB 5308

                           C 27 L 97

                      Synopsis as Enacted

 

Brief Description:  Regulating electronic signatures.

 

Sponsors:  Senate Committee on Energy & Utilities (originally sponsored by Senators Horn, Finkbeiner, Franklin, Fraser and Winsley; by request of Secretary of State).

 

Senate Committee on Energy & Utilities

House Committee on Commerce & Labor

 

Background:  The 1996 Legislature enacted the "Washington Electronic Authentication Act," a measure that sets the initial guidelines for regulating electronic "digital signatures."  These digital signatures are used to authenticate an electronic transmission.

 

Digital signatures often involve the use of dual-key encryption, which uses two digital codes, referred to as "keys."  One key is secret, kept confidential by the user.  The other key is a public key, more widely known.  If a person wants to digitally sign a message, he or she may use the secret key to create a signature.  The recipient then uses the sender's public key to verify the source of the message.  The public key will be listed on a certificate that includes additional information about the user and limitations relevant to the transactions.  The certificate will be issued by a certification authority that will be responsible for verifying the status of the user.

 

The existing legislation is slated to become effective on January 1, 1998.  The Office of the Secretary of State was given the responsibility of implementing and administering the legislation.  A working group convened by the Secretary of State has met regularly to make implementation recommendations, including changes to the original act.

 

Summary:  The Secretary of State (Secretary) is given the responsibility to adopt rules pertaining to when a certificate may be suspended or revoked.  Provisions are added specifying when the Secretary may suspend or revoke a certification authority's license to issue certificates.

 

Licenses are valid for a period of one year, unless the Secretary by rule allows for a longer duration.  The Secretary is required to provide for a system of renewing licenses for issuing certificates.

 

Certification authorities are required to obtain a compliance audit at least once per year.  Language is removed that specifies levels of compliance and exempts some certification authorities from being audited.  Qualifications are listed for auditors that verify compliance audits.

 

Monetary penalty limits imposed by the Secretary on licensed certification authorities are raised to $10,000 per incident.

 

Certification authorities are required to use trustworthy systems and the Secretary may specify by rule conditions on the system.  When issuing certificates, the requirements are expanded to include that the certificate must provide information to identify repositories in which any revocation will be listed.  In an emergency, the Secretary may suspend a certificate for a period not to exceed 96 hours.

 

Provisions are added specifying that the Department of Information Services may become a licensed certification authority.  Cities and counties may become licensed certification authorities for purposes of providing services to local governments if authorized by ordinance.

 

Provisions are added relating to the suspension of certificates, requirements on a licensed certification authority if it discontinues providing service, liability and damages, and relevant factors to be considered when evaluating reliance upon a certificate.  Language is added specifying when a digital signature meets the requirements if a rule of law requires a signature, and when a digital signature meets requirements pertaining to notaries and property transactions.  Persons may not refuse to honor certain court documents that are digitally signed.

 

The Secretary is given authority to adopt rules beginning July 27, 1997, but the rules may not become effective prior to January 1, 1998.

 

Votes on Final Passage:

 

Senate    48 1

House     97 0

 

Effective:  July 27, 1997 (Sections 24 and 28)

          January 1, 1998