Z-0585.1  _______________________________________________

 

                         SENATE BILL 5308

          _______________________________________________

 

State of Washington      55th Legislature     1997 Regular Session

 

By Senators Horn, Finkbeiner, Franklin, Fraser and Winsley; by request of Secretary of State

 

Read first time 01/22/97.  Referred to Committee on Energy & Utilities.

 

Regulating electronic signatures.



    AN ACT Relating to electronic signatures; amending RCW 19.34.030, 19.34.040, 19.34.100, 19.34.110, 19.34.120, 19.34.200, 19.34.210, 19.34.240, 19.34.250, 19.34.260, 19.34.280, 19.34.300, 19.34.310, 19.34.320, 19.34.340, 19.34.350, 19.34.400, 19.34.500, and 19.34.901; adding new sections to chapter 19.34 RCW; adding a new section to chapter 43.105 RCW; prescribing penalties; and providing an effective date.

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

 

    Sec. 1.  RCW 19.34.030 and 1996 c 250 s 104 are each amended to read as follows:

    (1) ((If six months elapse during which time no certification authority is licensed in this state, then the secretary shall be a certification authority, and may issue, suspend, and revoke certificates in the manner prescribed for licensed certification authorities.  Except for licensing requirements, this chapter applies to the secretary with respect to certificates he or she issues.  The secretary must discontinue acting as a certification authority if another certification authority is licensed, in a manner allowing reasonable transition to private enterprise.)) The secretary is a certification authority.  A certificate issued by the secretary has the same effect as a certificate issued by a licensed certification authority.  The secretary shall only issue certificates in which the subscriber is:

    (a) The secretary or an authorized agent or employee of the secretary for purposes of official business; or

    (b) An applicant for a license as a certification authority, for the purpose of compliance with RCW 19.34.100(1)(a).

    (2) The secretary must maintain a publicly accessible data base containing a certification authority disclosure record for each licensed certification authority, and a list of all judgments filed with the secretary, within the previous five years, under RCW 19.34.290.  The secretary must publish the contents of the data base in at least one recognized repository.

    (3) The secretary ((must)) may adopt rules consistent with this chapter and in furtherance of its purposes:

    (a) To govern licensed certification authorities and recognized repositories, their practice, and the termination of a licensed certification authority's or recognized repository's practice;

    (b) To determine an amount reasonably appropriate for a suitable guaranty, in light of the burden a suitable guaranty places upon licensed certification authorities and the assurance of quality and financial responsibility it provides to persons who rely on certificates issued by licensed certification authorities;

    (c) To specify reasonable requirements for the form of certificates issued by licensed certification authorities, in accordance with generally accepted standards for digital signature certificates;

    (d) To specify reasonable requirements for recordkeeping by licensed certification authorities;

    (e) To specify reasonable requirements for the content, form, and sources of information in certification authority disclosure records, the updating and timeliness of the information, and other practices and policies relating to certification authority disclosure records;

    (f) To specify the form of certification practice statements; ((and))

    (g) To specify the procedure and manner in which a certificate may be suspended or revoked, as consistent with this chapter; and

    (h) Otherwise to give effect to and implement this chapter.

 

    Sec. 2.  RCW 19.34.040 and 1996 c 250 s 105 are each amended to read as follows:

    The secretary may adopt rules establishing reasonable fees for all services rendered by the secretary under this chapter, in amounts that are reasonably calculated to be sufficient to compensate for the costs of all services under this chapter, but that are not estimated to exceed those costs in the aggregate.  All fees recovered by the secretary must be deposited in the state general fund.

 

    Sec. 3.  RCW 19.34.100 and 1996 c 250 s 201 are each amended to read as follows:

    (1) To obtain or retain a license, a certification authority must:

    (a) Be the subscriber of a certificate published in a recognized repository;

    (b) Employ as operative personnel only persons who have not been convicted within the past fifteen years of a felony or have ever been convicted of a crime involving fraud, false statement, or deception;

    (c) Employ as operative personnel only persons who have demonstrated knowledge and proficiency in following the requirements of this chapter;

    (d) File with the secretary a suitable guaranty, unless the certification authority is a ((department, office, or official of a state,)) city((,)) or county ((governmental entity, provided that:

    (i) Each of the public entities in (d) of this subsection act through designated officials authorized by rule or ordinance to perform certification authority functions; or

    (ii) This state or one of the public entities in (d) of this subsection is the subscriber of all certificates issued by the certification authority)) that is self-insured or the department of information services;

    (e) ((Have the right to)) Use a trustworthy system, including a secure means for limiting access to its private key;

    (f) Present proof to the secretary of having working capital reasonably sufficient, according to rules adopted by the secretary, to enable the applicant to conduct business as a certification authority;

    (g) Maintain an office in this state or have established a registered agent for service of process in this state; and

    (h) Comply with all further licensing requirements established by rule by the secretary.

    (2) The secretary must issue a license to a certification authority that:

    (a) Is qualified under subsection (1) of this section;

    (b) Applies in writing to the secretary for a license; and

    (c) Pays a filing fee adopted by rule by the secretary.

    (3) The secretary may by rule classify licenses according to specified limitations, such as a maximum number of outstanding certificates, cumulative maximum of recommended reliance limits in certificates issued by the certification authority, or issuance only within a single firm or organization, and the secretary may issue licenses restricted according to the limits of each classification.  A certification authority acts as an unlicensed certification authority in issuing a certificate exceeding the restrictions of the certification authority's license.

    (4) The secretary may revoke or suspend a certification authority's license, in accordance with the administrative procedure act, chapter 34.05 RCW, for failure to comply with this chapter or for failure to remain qualified under subsection (1) of this section.  The secretary may order the summary suspension of a license pending proceedings for revocation or other action, which must be promptly instituted and determined, if the secretary includes within a written order a finding that the certification authority has either:

    (a) Utilized its license in the commission of a violation of a state or federal criminal statute or of chapter 19.86 RCW; or

    (b) Engaged in conduct giving rise to a serious risk of loss to public or private parties if the license is not immediately suspended.

    (5) The secretary may recognize by rule the licensing or authorization of certification authorities by other governmental entities, provided that those licensing or authorization requirements are substantially similar to those of this state.  If licensing by another government is so recognized:

    (a) RCW 19.34.300 through 19.34.350 apply to certificates issued by the certification authorities licensed or authorized by that government in the same manner as it applies to licensed certification authorities of this state; and

    (b) The liability limits of RCW 19.34.280 apply to the certification authorities licensed or authorized by that government in the same manner as they apply to licensed certification authorities of this state.

    (6) Unless the parties provide otherwise by contract between themselves, the licensing requirements in this section do not affect the effectiveness, enforceability, or validity of any digital signature, except that RCW 19.34.300 through 19.34.350 do not apply ((in relation)) to ((a digital signature that cannot be verified by)) a certificate, and associated digital signature, issued by an unlicensed certification authority.

    (7) A certification authority that has not obtained a license is not subject to the provisions of this chapter, except as specifically provided.

 

    NEW SECTION.  Sec. 4.  A new section is added to chapter 19.34 RCW, to be codified to follow RCW 19.34.100 immediately, to read as follows:

    Licenses issued under this chapter expire one year after issuance, except that the secretary may provide by rule for a longer duration.  The secretary shall provide, by rule, for a system of license renewal, which may include requirements for continuing education.

 

    Sec. 5.  RCW 19.34.110 and 1996 c 250 s 202 are each amended to read as follows:

    (1) ((A certified public accountant having expertise in computer security or an accredited computer security professional must audit the operations of each licensed certification authority at least once each year to evaluate compliance with this chapter.  The secretary may by rule specify the qualifications of auditors.)) A licensed certification authority shall obtain a compliance audit, as may be more fully defined by rule of the secretary, at least once every year.  The auditor shall issue an opinion evaluating the degree to which the certification authority conforms to the requirements of this chapter and the administrative rules adopted by the secretary.  If the certification authority is also a recognized repository, the audit must include the repository.

    (2) ((Based on information gathered in the audit, the auditor must categorize the licensed certification authority's compliance as one of the following:

    (a) Full compliance.  The certification authority appears to conform to all applicable statutory and regulatory requirements.

    (b) Substantial compliance.  The certification authority appears generally to conform to applicable statutory and regulatory requirements.  However, one or more instances of noncompliance or of inability to demonstrate compliance were found in an audited sample, but were likely to be inconsequential.

    (c) Partial compliance.  The certification authority appears to comply with some statutory and regulatory requirements, but was found not to have complied or not to be able to demonstrate compliance with one or more important safeguards.

    (d) Noncompliance.  The certification authority complies with few or none of the statutory and regulatory requirements, fails to keep adequate records to demonstrate compliance with more than a few requirements, or refused to submit to an audit.))  The certification authority shall file a copy of the audit report with the secretary.  The secretary may provide by rule for filing of the report in an electronic format.  The secretary ((must)) shall publish the report in the certification authority disclosure record it maintains for the certification authority ((the date of the audit and the resulting categorization of the certification authority.

    (3) The secretary may exempt a licensed certification authority from the requirements of subsection (1) of this section, if:

    (a) The certification authority to be exempted requests exemption in writing;

    (b) The most recent performance audit, if any, of the certification authority resulted in a finding of full or substantial compliance; and

    (c) The certification authority declares under oath, affirmation, or penalty of perjury that one or more of the following is true with respect to the certification authority:

    (i) The certification authority has issued fewer than six certificates during the past year and the recommended reliance limits of all of the certificates do not exceed ten thousand dollars;

    (ii) The aggregate lifetime of all certificates issued by the certification authority during the past year is less than thirty days and the recommended reliance limits of all of the certificates do not exceed ten thousand dollars; or

    (iii) The recommended reliance limits of all certificates outstanding and issued by the certification authority total less than one thousand dollars.

    (4) If the certification authority's declaration under subsection (3) of this section falsely states a material fact, the certification authority has failed to comply with the performance audit requirements of this section.

    (5) If a licensed certification authority is exempt under subsection (3) of this section, the secretary must publish in the certification authority disclosure record it maintains for the certification authority that the certification authority is exempt from the performance audit requirement)).

 

    NEW SECTION.  Sec. 6.  A new section is added to chapter 19.34 RCW, to be codified to follow RCW 19.34.110 immediately, to read as follows:

    (1)(a) An auditor signing a report of opinion as to a compliance audit required by RCW 19.34.110 must:

    (i) Be a certified public accountant, licensed under chapter 18.04 RCW or equivalent licensing statute of another jurisdiction; or

    (ii) Meet such other qualifications as the secretary may establish by rule.

    (b) Auditors must either possess such computer security qualifications as are necessary to conduct the audit or employ, contract, or associate with firms or individuals who do.  The secretary may adopt rules establishing qualifications as to expertise or experience in computer security.

    (2) The compliance audits of state agencies and local governments who are licensed certification authorities, and the secretary, must be performed under the authority of the state auditor.  The state auditor may contract with private entities as needed to comply with this chapter.

 

    Sec. 7.  RCW 19.34.120 and 1996 c 250 s 203 are each amended to read as follows:

    (1) The secretary may investigate the activities of a licensed certification authority material to its compliance with this chapter and issue orders to a certification authority to further its investigation and secure compliance with this chapter.

    (2) The secretary may suspend or revoke the license of a certification authority for its failure to comply with an order of the secretary.

    (3) The secretary may by order impose and collect a civil monetary penalty for a violation of this chapter in an amount not to exceed ((five)) ten thousand dollars per incident, or ninety percent of the recommended reliance limit of a material certificate, whichever is ((less)) greater.  In case of a violation continuing for more than one day, each day is considered a separate incident.  The secretary may adopt rules setting forth the standards governing the exercise of the secretary's discretion as to penalty amounts.

    (4) The secretary may order a certification authority, which it has found to be in violation of this chapter, to pay the costs incurred by the secretary in prosecuting and adjudicating proceedings relative to the order, and enforcing it.

    (5) The secretary must exercise authority under this section in accordance with the administrative procedure act, chapter 34.05 RCW, and a licensed certification authority may obtain judicial review of the secretary's actions as prescribed by chapter 34.05 RCW.  The secretary may also seek injunctive relief to compel compliance with an order.

 

    Sec. 8.  RCW 19.34.200 and 1996 c 250 s 301 are each amended to read as follows:

    (1) A licensed certification authority or subscriber ((may)) shall use only a trustworthy system:

    (a) To issue, suspend, or revoke a certificate;

    (b) To publish or give notice of the issuance, suspension, or revocation of a certificate; or

    (c) To create a private key.

    (2) A licensed certification authority must disclose any material certification practice statement, and any fact material to either the reliability of a certificate that it has issued or its ability to perform its services.  A certification authority may require a signed, written, and reasonably specific inquiry from an identified person, and payment of reasonable compensation, as conditions precedent to effecting a disclosure required in this subsection.

 

    Sec. 9.  RCW 19.34.210 and 1996 c 250 s 302 are each amended to read as follows:

    (1) A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:

    (a) The certification authority has received a request for issuance signed by the prospective subscriber; and

    (b) The certification authority has confirmed that:

    (i) The prospective subscriber is the person to be listed in the certificate to be issued;

    (ii) If the prospective subscriber is acting through one or more agents, the subscriber duly authorized the agent or agents to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;

    (iii) The information in the certificate to be issued is accurate;

    (iv) The prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;

    (v) The prospective subscriber holds a private key capable of creating a digital signature; ((and))

    (vi) The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber; and

    (vii) The certificate provides information sufficient to locate or identify one or more repositories in which notification of the revocation or suspension of the certificate will be listed if the certificate is suspended or revoked.

    (c) The requirements of this subsection may not be waived or disclaimed by either the licensed certification authority, the subscriber, or both.

    (2) If the subscriber accepts the issued certificate, the certification authority must publish a signed copy of the certificate in a recognized repository, as the certification authority and the subscriber named in the certificate may agree, unless a contract between the certification authority and the subscriber provides otherwise.  If the subscriber does not accept the certificate, a licensed certification authority must not publish it, or must cancel its publication if the certificate has already been published.

    (3) Nothing in this section precludes a licensed certification authority from conforming to standards, certification practice statements, security plans, or contractual requirements more rigorous than, but nevertheless consistent with, this chapter.

    (4) After issuing a certificate, a licensed certification authority must revoke it immediately upon confirming that it was not issued as required by this section.  A licensed certification authority may also suspend a certificate that it has issued for a reasonable period not exceeding forty-eight hours as needed for an investigation to confirm grounds for revocation under this subsection.  The certification authority must give notice to the subscriber as soon as practicable after a decision to revoke or suspend under this subsection.

    (5) The secretary may order the licensed certification authority to suspend or revoke a certificate that the certification authority issued, if, after giving any required notice and opportunity for the certification authority and subscriber to be heard in accordance with the administrative procedure act, chapter 34.05 RCW, the secretary determines that:

    (a) The certificate was issued without substantial compliance with this section; and

    (b) The noncompliance poses a significant risk to persons reasonably relying on the certificate.

    Upon determining that an emergency requires an immediate remedy, and in accordance with the administrative procedure act, chapter 34.05 RCW, the secretary may issue an order suspending a certificate for a period not to exceed ((forty-eight)) ninety-six hours.

 

    NEW SECTION.  Sec. 10.  A new section is added to chapter 19.34 RCW, to be codified to follow RCW 19.34.230 immediately, to read as follows:

    (1) A unit of state or local government, including its appropriate officers or employees, may become a subscriber to a certificate for purposes of conducting official business, but only if the certificate is issued by a licensed certification authority.  A unit of state government, except the secretary and the department of information services, may not act as a certification authority.

    (2) A city or county may become a licensed certification authority under RCW 19.34.100 for purposes of providing services to local government, if authorized by ordinance adopted by the city or county legislative authority.

    (3) The limitation to licensed certification authorities in subsection (1) of this section does not apply to uses of digital signatures or key pairs limited to internal agency procedures, as to which the signature is not required by statute, administrative rule, court rule, or requirement of the office of financial management.

 

    Sec. 11.  RCW 19.34.240 and 1996 c 250 s 305 are each amended to read as follows:

    (1) By accepting a certificate issued by a licensed certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to a person not authorized to create the subscriber's digital signature.  The subscriber is released from this duty if the certificate expires or is revoked.

    (2) A private key is the personal property of the subscriber who rightfully holds it.

    (3) If a certification authority holds the private key corresponding to a public key listed in a certificate that it has issued, the certification authority holds the private key as a fiduciary of the subscriber named in the certificate, and may use that private key only with the subscriber's prior, written approval, unless the subscriber expressly grants the private key to the certification authority and expressly permits the certification authority to hold the private key according to other terms.

    (4) A private key in the possession of a state agency or local agency, as those terms are defined by RCW 42.17.020, is exempt from public inspection and copying under chapter 42.17 RCW.

 

    Sec. 12.  RCW 19.34.250 and 1996 c 250 s 306 are each amended to read as follows:

    (1) Unless the certification authority and the subscriber agree otherwise, the licensed certification authority that issued a certificate that is not a transactional certificate must suspend the certificate for a period not to exceed ((forty-eight)) ninety-six hours:

    (a) Upon request by a person ((identifying himself or herself as)) whom the certification authority reasonably believes to be:  (i) The subscriber named in the certificate((,)); (ii) a person duly authorized to act for that subscriber; or ((as a person in a position likely to know of a compromise of the security of a subscriber's private key, such as an agent, business associate, employee, or member of the immediate family of the subscriber)) (iii) a person acting on behalf of the unavailable subscriber; or

    (b) By order of the secretary under RCW 19.34.210(5).

    The certification authority need not confirm the identity or agency of the person requesting suspension.  The certification authority may require the person requesting suspension to provide evidence, including a statement under oath or affirmation, regarding the requestor's identity, authorization, or the unavailability of the subscriber.  Law enforcement agencies may investigate suspensions for possible wrongdoing by persons requesting suspension.

    (2) Unless the certificate provides otherwise or the certificate is a transactional certificate, the secretary ((or a county clerk)) may suspend a certificate issued by a licensed certification authority for a period ((of forty-eight)) not to exceed ninety-six hours, if:

    (a) A person identifying himself or herself as the subscriber named in the certificate ((or as an agent, business associate, employee, or member of the immediate family of the subscriber requests suspension)), a person authorized to act for that subscriber, or a person acting on behalf of that unavailable subscriber; and

    (b) The requester represents that the certification authority that issued the certificate is unavailable.

    The secretary ((or county clerk)) may require the person requesting suspension to provide evidence, including a statement under oath or affirmation, regarding his or her identity, authorization, or the unavailability of the issuing certification authority, and may decline to suspend the certificate in its discretion.  ((The secretary or)) Law enforcement agencies may investigate suspensions by the secretary ((or county clerk)) for possible wrongdoing by persons requesting suspension.

    (3) Immediately upon suspension of a certificate by a licensed certification authority, the licensed certification authority must give notice of the suspension according to the specification in the certificate.  If one or more repositories are specified, then the licensed certification authority must publish a signed notice of the suspension in all the repositories.  If a repository no longer exists or refuses to accept publication, or if no repository is recognized under RCW 19.34.400, the licensed certification authority must also publish the notice in a recognized repository.  If a certificate is suspended by the secretary ((or county clerk)), the secretary ((or clerk)) must give notice as required in this subsection for a licensed certification authority, provided that the person requesting suspension pays in advance any fee required by a repository for publication of the notice of suspension.

    (4) A certification authority must terminate a suspension initiated by request only:

    (a) If the subscriber named in the suspended certificate requests termination of the suspension, the certification authority has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorized to terminate the suspension; or

    (b) When the certification authority discovers and confirms that the request for the suspension was made without authorization by the subscriber.  However, this subsection (4)(b) does not require the certification authority to confirm a request for suspension.

    (5) The contract between a subscriber and a licensed certification authority may limit or preclude requested suspension by the certification authority, or may provide otherwise for termination of a requested suspension.  However, if the contract limits or precludes suspension by the secretary ((or county clerk)) when the issuing certification authority is unavailable, the limitation or preclusion is effective only if notice of it is published in the certificate.

    (6) No person may knowingly or intentionally misrepresent to a certification authority his or her identity or authorization in requesting suspension of a certificate.  Violation of this subsection is a gross misdemeanor.

    (7) ((The subscriber is released from the duty to keep the private key secure under RCW 19.34.240(1) while the certificate is suspended.))  The secretary may authorize other state or local governmental agencies to perform any of the functions of the secretary under this section upon a regional basis.  The authorization must be formalized by an agreement under chapter 39.34 RCW.  The secretary may provide by rule the terms and conditions of the regional services.

    (8) A suspension under this section must be completed within twenty-four hours of receipt of all information required in this section.

 

    Sec. 13.  RCW 19.34.260 and 1996 c 250 s 307 are each amended to read as follows:

    (1) A licensed certification authority must revoke a certificate that it issued but which is not a transactional certificate, after:

    (a) Receiving a request for revocation by the subscriber named in the certificate; and

    (b) Confirming that the person requesting revocation is the subscriber, or is an agent of the subscriber with authority to request the revocation.

    (2) A licensed certification authority must confirm a request for revocation and revoke a certificate within one business day after receiving both a subscriber's written request and evidence reasonably sufficient to confirm the identity and any agency of the person requesting the ((suspension)) revocation.

    (3) A licensed certification authority must revoke a certificate that it issued:

    (a) Upon receiving a certified copy of the subscriber's death certificate, or upon confirming by other evidence that the subscriber is dead; or

    (b) Upon presentation of documents effecting a dissolution of the subscriber, or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist, except that if the subscriber is administratively dissolved and is reinstated before revocation is completed, the certification authority is not required to revoke the certificate.

    (4) A licensed certification authority may revoke one or more certificates that it issued if the certificates are or become unreliable, regardless of whether the subscriber consents to the revocation and notwithstanding a provision to the contrary in a contract between the subscriber and certification authority.

    (5) Immediately upon revocation of a certificate by a licensed certification authority, the licensed certification authority must give notice of the revocation according to the specification in the certificate.  If one or more repositories are specified, then the licensed certification authority must publish a signed notice of the revocation in all repositories.  If a repository no longer exists or refuses to accept publication, or if no repository is recognized under RCW 19.34.400, then the licensed certification authority must also publish the notice in a recognized repository.

    (6) A subscriber ceases to certify, as provided in RCW 19.34.230, and has no further duty to keep the private key secure, as required by RCW 19.34.240, in relation to the certificate whose revocation the subscriber has requested, beginning at the earlier of either:

    (a) When notice of the revocation is published as required in subsection (5) of this section; or

    (b) One business day after the subscriber requests revocation in writing, supplies to the issuing certification authority information reasonably sufficient to confirm the request, and pays any contractually required fee.

    (7) Upon notification as required by subsection (5) of this section, a licensed certification authority is discharged of its warranties based on issuance of the revoked certificate, as to transactions occurring after the notification, and ceases to certify as provided in RCW 19.34.220 (2) and (3) in relation to the revoked certificate.

 

    Sec. 14.  RCW 19.34.280 and 1996 c 250 s 309 are each amended to read as follows:

    (1) By specifying a recommended reliance limit in a certificate, the issuing certification authority ((and accepting subscriber)) recommends that persons rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.

    (2) Unless a licensed certification authority waives application of this subsection, a licensed certification authority is:

    (a) Not liable for a loss caused by reliance on a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the certification authority complied with all material requirements of this chapter;

    (b) Not liable in excess of the amount specified in the certificate as its recommended reliance limit for either:

    (i) A loss caused by reliance on a misrepresentation in the certificate of a fact that the licensed certification authority is required to confirm; or

    (ii) Failure to comply with RCW 19.34.210 in issuing the certificate;

    (c) Liable only for direct compensatory damages in an action to recover a loss due to reliance on the certificate.  Direct compensatory damages do not include:

    (i) Punitive or exemplary damages((.  Nothing in this chapter may be interpreted to permit punitive or exemplary damages that would not otherwise be permitted by the law of this state));

    (ii) Damages for lost profits or opportunity; or

    (iii) Damages for pain or suffering.

 

    NEW SECTION.  Sec. 15.  A new section is added to chapter 19.34 RCW, to be codified to follow RCW 19.34.290 immediately, to read as follows:

    (1) A licensed certification authority that discontinues providing certification authority services shall:

    (a) Notify all subscribers listed in valid certificates issued by the certification authority, before discontinuing services;

    (b) Minimize, to the extent commercially reasonable, disruption to the subscribers of valid certificates and relying parties; and

    (c) Make reasonable arrangements for preservation of the certification authority's records.

    (2) A suitable guaranty of a licensed certification authority may not be released until the expiration of the term specified in the guaranty.

    (3) The secretary may provide by rule for a process by which the secretary may, in any combination, receive, administer, or disburse the records of a licensed certification authority or a recognized repository that discontinues providing services, for the purpose of maintaining access to the records and revoking any previously issued valid certificates in a manner that minimizes disruption to subscribers and relying parties.  The secretary's rules may include provisions by which the secretary may recover costs incurred in doing so.

 

    Sec. 16.  RCW 19.34.300 and 1996 c 250 s 401 are each amended to read as follows:

    (1) Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature, if:

    (((1) No party affected by a digital signature objects to the use of digital signatures in lieu of a signature, and the objection may be evidenced by refusal to provide or accept a digital signature;

    (2) That)) (a) The digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;

    (((3) That)) (b) The digital signature was affixed by the signer with the intention of signing the message((, and after the signer has had an opportunity to review items being signed)); and

    (((4))) (c) The recipient has no knowledge or notice that the signer either:

    (((a))) (i) Breached a duty as a subscriber; or

    (((b))) (ii) Does not rightfully hold the private key used to affix the digital signature.

    ((However,)) (2) Nothing in this chapter precludes a mark from being valid as a signature under other applicable law.

 

    Sec. 17.  RCW 19.34.310 and 1996 c 250 s 402 are each amended to read as follows:

    Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances.  If the recipient determines not to rely on a digital signature under this section, the recipient must promptly notify the signer of any determination not to rely on a digital signature and the grounds for that determination.  Nothing in this chapter shall be construed to obligate a person to accept a digital signature or to respond to an electronic message containing a digital signature, except as provided in section 20 of this act.

 

    NEW SECTION.  Sec. 18.  A new section is added to chapter 19.34 RCW, to be codified to follow RCW 19.34.310 immediately, to read as follows:

    The following factors, among others, are significant in evaluating the reasonableness of a recipient's reliance upon a certificate and upon the digital signatures verifiable with reference to the public key listed in the certificate:

    (1) Facts which the relying party knows or of which the relying party has notice, including all facts listed in the certificate or incorporated in it by reference;

    (2) The value or importance of the digitally signed message, if known;

    (3) The course of dealing between the relying person and subscriber and the available indicia of reliability or unreliability apart from the digital signature; and

    (4) Usage of trade, particularly trade conducted by trustworthy systems or other computer-based means.

 

    Sec. 19.  RCW 19.34.320 and 1996 c 250 s 403 are each amended to read as follows:

    A message is as valid, enforceable, and effective as if it had been written on paper, if it:

    (1) Bears in its entirety a digital signature; and

    (2) That digital signature is verified by the public key listed in a certificate that:

    (a) Was issued by a licensed certification authority; and

    (b) Was valid at the time the digital signature was created.

    Nothing in this chapter shall be construed to eliminate, modify, or condition any other requirements for a contract to be valid, enforceable, and effective.  No digital message shall be deemed to be an instrument under ((the provisions of)) Title 62A RCW unless all parties to the transaction agree, including financial institutions affected.

 

    NEW SECTION.  Sec. 20.  A new section is added to chapter 19.34 RCW, to be codified to follow RCW 19.34.320 immediately, to read as follows:

    (1) A person may not refuse to honor, accept, or act upon a court order, writ, or warrant upon the basis that it is electronic in form and signed with a digital signature, if the digital signature was certified by a licensed certification authority or otherwise issued under court rule.  This section applies to a paper printout of a digitally signed document, if the printout reveals that the digital signature was electronically verified before the printout, and in the absence of a finding that the document has been altered.

    (2) Nothing in this chapter shall be construed to limit the authority of the supreme court to adopt rules of pleading, practice, or procedure, or of the court of appeals or superior courts to adopt supplementary local rules, governing the use of electronic messages or documents, including rules governing the use of digital signatures, in judicial proceedings.

 

    Sec. 21.  RCW 19.34.340 and 1996 c 250 s 405 are each amended to read as follows:

    Unless otherwise provided by law or contract, a certificate issued by a licensed certification authority is an acknowledgment, and satisfies any requirement for a notarized signature, of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgment appear with the digital signature and regardless of whether the signer physically appeared before the certification authority when the digital signature was created, if that digital signature is:

    (1) Verifiable by that certificate; and

    (2) Affixed when that certificate was valid.

 

    Sec. 22.  RCW 19.34.350 and 1996 c 250 s 406 are each amended to read as follows:

    In adjudicating a dispute involving a digital signature, a court of this state presumes that:

    (1) A certificate digitally signed by a licensed certification authority and either published in a recognized repository, or made available by the issuing certification authority or by the subscriber listed in the certificate is issued by the certification authority that digitally signed it and is accepted by the subscriber listed in it.

    (2) The information listed in a valid certificate and confirmed by a licensed certification authority issuing the certificate is accurate.

    (3) If a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority:

    (a) That digital signature is the digital signature of the subscriber listed in that certificate;

    (b) That digital signature was affixed by that subscriber with the intention of signing the message; ((and))

    (c) The message associated with the digital signature has not been altered since the signature was affixed; and

    (d) The recipient of that digital signature has no knowledge or notice that the signer:

    (i) Breached a duty as a subscriber; or

    (ii) Does not rightfully hold the private key used to affix the digital signature.

    (4) A digital signature was created before it was time stamped by a disinterested person utilizing a trustworthy system.

 

    Sec. 23.  RCW 19.34.400 and 1996 c 250 s 501 are each amended to read as follows:

    (1) The secretary must recognize one or more repositories, after finding that a repository to be recognized:

    (a) Is ((operated under the direction of)) a licensed certification authority;

    (b) Includes, or will include, a data base containing:

    (i) Certificates published in the repository;

    (ii) Notices of suspended or revoked certificates published by licensed certification authorities or other persons suspending or revoking certificates;

    (iii) Certification authority disclosure records for licensed certification authorities;

    (iv) All orders or advisory statements published by the secretary in regulating certification authorities; and

    (v) Other information adopted by rule by the secretary;

    (c) Operates by means of a trustworthy system, that may, under administrative rule of the secretary, include additional or different attributes than those applicable to a certification authority that does not operate as a recognized repository;

    (d) Contains no significant amount of information that is known or likely to be untrue, inaccurate, or not reasonably reliable;

    (e) Contains certificates published by certification authorities that conform to legally binding requirements that the secretary finds to be substantially similar to, or more stringent toward the certification authorities, than those of this state;

    (f) Keeps an archive of certificates that have been suspended or revoked, or that have expired, within at least the past three years; and

    (g) Complies with other reasonable requirements adopted by rule by the secretary.

    (2) A repository may apply to the secretary for recognition by filing a written request and providing evidence to the secretary sufficient for the secretary to find that the conditions for recognition are satisfied.

    (3) A repository may discontinue its recognition by filing thirty days' written notice with the secretary.  In addition the secretary may discontinue recognition of a repository in accordance with the administrative procedure act, chapter 34.05 RCW, if ((it)) the secretary concludes that the repository no longer satisfies the conditions for recognition listed in this section or in rules adopted by the secretary.

 

    Sec. 24.  RCW 19.34.500 and 1996 c 250 s 603 are each amended to read as follows:

    The secretary of state may adopt rules to implement this chapter beginning ((July 1, 1996)) July 27, 1997, but the rules may not take effect until January 1, 1998.

 

    NEW SECTION.  Sec. 25.  A new section is added to chapter 19.34 RCW, to be codified to follow RCW 19.34.500 immediately, to read as follows:

    This chapter supersedes and preempts all local laws or ordinances regarding the same subject matter.

 

    NEW SECTION.  Sec. 26.  A new section is added to chapter 19.34 RCW, to be codified to follow section 25 of this act immediately, to read as follows:

    This chapter does not preclude criminal prosecution under other laws of this state, nor may any provision of this chapter be regarded as an exclusive remedy for a violation.  Injunctive relief may not be denied to a party regarding conduct governed by this chapter on the basis that the conduct is also subject to potential criminal prosecution.

 

    NEW SECTION.  Sec. 27.  A new section is added to chapter 19.34 RCW, to be codified to follow section 26 of this act immediately, to read as follows:

    Issues regarding jurisdiction, venue, and choice of laws for all actions involving digital signatures must be determined according to the same principles as if all transactions had been performed through paper documents.

 

    Sec. 28.  RCW 19.34.901 and 1996 c 250 s 602 are each amended to read as follows:

    ((This act shall)) (1) Sections 1 through 601, 604, and 605, chapter 250, Laws of 1996 take effect January 1, 1998.

    (2) Sections 602 and 603, chapter 250, Laws of 1996 take effect July 27, 1997.

 

    NEW SECTION.  Sec. 29.  A new section is added to chapter 43.105 RCW to read as follows:

    The department of information services may become a licensed certification authority, under chapter 19.34 RCW, for the purpose of providing services to state and local government.  The department shall only issue certificates, as defined in RCW 19.34.020, in which the subscriber is:

    (1) The state of Washington or a department, office, or agency of the state;

    (2) A city, county, district, or other municipal corporation, or a department, office, or agency of the city, county, district, or municipal corporation; or

    (3) An agent or employee of an entity described by subsection (1) or (2) of this section, for purposes of official public business.

 

    NEW SECTION.  Sec. 30.  Sections 1 through 23, 25 through 27, and 29 of this act takes effect January 1, 1998.

 

    NEW SECTION.  Sec. 31.  If any provision of this act or its application to any person or circumstance is held invalid, the remainder of the act or the application of the provision to other persons or circumstances is not affected.

 


                            --- END ---