Current through Register Vol. 46, No. 50, December 11, 2024
Section 540.4 - Electronic signatures(a) The use of an electronic signature as defined in ESRA shall have the same validity and effect as the use of a signature affixed by hand.(b) In accordance with ESRA, an electronic signature is an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the record. An electronic signature is considered to be "attached to or logically associated with an electronic record" if the electronic signature is linked to the record during transmission and storage.(c) A governmental entity shall complete and document a business analysis and risk assessment when selecting an electronic signature to be used or accepted by that governmental entity in an electronic transaction. A governmental entity may elect to collaborate with other governmental entities in the completion and documentation of a business analysis and risk assessment when selecting an electronic signature for use or acceptance in an electronic transaction common to such governmental entities. A governmental entity may elect to adopt an existing business analysis and risk assessment completed and documented by another governmental entity when selecting an electronic signature for use or acceptance in the same type of electronic transaction to which the existing business analysis and risk assessment applies.(d) Where a governmental entity agrees to use or accept an electronic signature that involves the services of a certification authority, the certification authority shall meet the following standards and operating practices:(1) produce and maintain a certification practice statement or other documents containing, but not limited to, the following information: (i) community and applicability--describing the types of entities that the certificate authority certifies and the applications for which certificates may be used, and any restrictions relating to their use;(ii) identification and authentication policy--the policies used to bind a public key to an individual, including those policies addressing initial registration, reissuing a certificate with a new public key, reissuing a certificate with a new public key after revocation, revocation request and how name disputes, if any, are resolved;(iii) key management policy--describing the security measures taken by the certificate authority to protect its cryptographic keys and critical security parameters including the life- cycle management of keys from generation, through storage and usage, to archiving and destruction;(iv) local security policy--describing the physical, personnel and procedural controls used by the certificate authority to perform certificate authority functions securely, including key generation, user authentication, certificate registration, certificate revocation, audit, and archival and records management;(v) technical security policy--describing the software, hardware and network security controls used by a certificate authority to perform certificate authority functions including key generation, user authentication, certificate registration, certificate revocation, audit, and archival and records management;(vi) operations policy--describing the frequency of routine certificate revocation list (CRL) issuance, frequency of special CRL issuance (e.g., key compromise CRL), and frequency of certificate authority key changeover;(vii) legal provisions--describing the liability and obligations of the parties. This information must be prominently displayed in the documents required by this paragraph;(viii) certificate and CRL standards--describing the standards, versions and data included;(ix) policy administration--defining the authority that is responsible for the registration, maintenance and interpretation of policy including contact information and practice statement change procedures;(x) audit policy--describing the type and frequency of internal and external audits;(xi) personal privacy policy--reciting the certification authority's statutory obligation to maintain the confidentiality of personal information in accordance with the provisions of subdivision 2 of section 308 of the State Technology Law and section 540.6 of this Part;(2) make the certification practice statement or other documents maintained in accordance with paragraph (1) of this subdivision available to any person who requests the same;(3) have an audit performed by a certified public accounting firm that reports on the policies and procedures of the certification authority as set forth and maintained in accordance with the provisions of this subdivision, and tests the operational effectiveness of such procedures during the first year in service to a governmental entity, and every two years thereafter or when there is material change to its certification practices, whichever comes first; and(4) make available to the public the final opinion letter resulting from an audit performed under paragraph (3) of this subdivision.N.Y. Comp. Codes R. & Regs. Tit. 9 § 540.4