Re154port Title:

Electronic Commerce Security

 

Description:

Adds new provisions to the Uniform Electronic Transactions Act (UETA) on electronic commerce security.

 

 

HOUSE OF REPRESENTATIVES

H.B. NO.

  

TWENTY-FIRST LEGISLATURE, 2001

  

STATE OF HAWAII

  

 

A BILL FOR AN ACT

 

relating to electronic commerce security.

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

SECTION 1. The purpose of this Act is to amend the recently enacted Uniform Electronic Transactions Act (UETA) to include a new part governing electronic commerce security. Like UETA, this Act seeks to facilitate and encourage the flow of commerce in this state by ensuring, without changing applicable substantive rules of law, that transactions in the electronic marketplace are as enforceable as those memorialized on paper. This Act provides the legal infrastructure to support electronic commerce security businesses, and ensure the integrity and reliability of electronic transactions.

SECTION 2. Chapter 489E, Hawaii Revised Statutes, is amended by adding a new part to be appropriately designated and to read as follows:

"PART   .  ELECTRONIC COMMERCE SECURITY
§489E-A  Secure electronic record.  (a)  If, through the use of a qualified security procedure, it can be verified that an electronic record has not been altered since a specified point in time, then the electronic records shall be considered to be a secure electronic record from the specified point in time to the time of verification, if the party relying upon the qualified electronic security procedure establishes that the procedure was:
    1. Commercially reasonable under the circumstances;
    2. Applied by the relying party in a trustworthy manner; and
    3. Reasonably and in good faith relied upon by the relying party;
	(b)  As used in this section, "qualified security procedure" means a security procedure to detect changes in the content of an electronic record that is:
    1. Previously agreed to by the parties; or
    2. Certified by the {lieutenant governor} as being capable of providing reliable evidence that an electronic record has not been altered.

§489E-B Secure electronic signature. (a) If, through the use of a qualified security procedure, it can be verified that an electronic signature is the signature of a specific person, then the electronic signature shall be considered to be a secure electronic signature at the time of verification, if the party relying on the qualified electronic signature security procedure establishes that the procedure was:

    1. Commercially reasonable under the circumstances;
    2. Applied by the relying party in a trustworthy manner; and
    3. Reasonably and in good faith relied upon by the relying party. 
	(b)  As used in this section, "qualified security procedure" means a security procedure for identifying a person that is:
    1. Previously agreed to by the parties; and
    2. Certified by the {lieutenant governor} as being capable of creating, in a trustworthy manner, an electronic signature that:
    1. Is unique to the signer within the context in which it is used;
    2. Can be used to objectively identify the person signing the electronic record;
    3. Was reliably created by the identified person and that cannot be readily duplicated or compromised; and
    4. Is created, and is linked to the electronic record to which it relates, in a manner that, if the record or the signature is intentionally or unintentionally changed after signing the electronic signature is invalidated.
     
	§489E-C  Commercially reasonable; reliance.  (a)  The commercial reasonableness of a security procedure is a question of law to be determined in light of the purposes of the procedure and the commercial circumstances at the time the procedure was used, including:
  1. The nature of the transaction;
  2. The sophistication of the parties;
  3. The volume of similar transactions engaged in by either or both parties;
  4. The cost of alternative procedures; and
  5. The procedures in general use for similar types of transactions.
    6. 	(b)  Whether reliance on a security procedure was reasonable and in good faith is to be determined in light of all the circumstances known to the relying party at the time of the reliance, having due regard to:
  6. The information that the relying party knew or should have known of at the time of reliance that would suggest that reliance was or was not reasonable;
  7. The value or importance of the electronic record, if known;
  8. Any course of dealing between the relying party and the purported sender and the available indicia of reliability or unreliability apart from the security procedure;
  9. Any usage of trade, particularly trade conducted by trustworthy systems or other computer-based means; and
  10. Whether the verification was performed with the assistance of an independent third party.
	§489E-D  Presumptions.  (a)  In resolving a civil dispute involving a secure electronic record, it shall be rebuttably presumed that the electronic record has not been altered since the specific point in time to which the secure status relates.
	(b)  In resolving a civil dispute involving a secure electronic signature, it shall be rebuttably presumed that the secure electronic signature is the signature of the person to whom it correlates.
(c)  The effect of presumptions provided in this section is to place on the party challenging the integrity of a secure electronic record or challenging the genuineness of a secure electronic signature both the burden of:

(1) Going forward with evidence to rebut the presumption; and

(2) Persuading the trier of fact that the nonexistence of the presumed fact is more probable than its evidence.

 
	(d)  In the absence of a secure electronic record or a secure electronic signature, nothing in this part shall change existing rules regarding legal or evidentiary rules regarding the burden of proving the authenticity and integrity of an electronic record or an electronic signature.
§489E-E  Creation and control of signature devices.  (a)  Except as otherwise provided by another applicable rule of law, whenever the creation, validity, or reliability of an electronic signature created by a qualified security procedure under section 489E-A or 489E-B is dependent on the secrecy or control of a signature device of the signer:
  1. The person generating or creating the signature device shall do so in a trustworthy manner;
  2. The signer and all other persons that rightfully have access to the signature device shall exercise reasonable care to retain control and maintain the secrecy of the signature device, and to protect it from any unauthorized access, disclosure, or use, during the period when reliance on a signature created by the device is unreasonable; and
  3. If the signer, or any other person that rightfully has access to the signature device, knows or has reason to know that the secrecy or control of a signature device has been compromised, the person shall make a reasonable effort to promptly notify all person that the person knows might foreseeably be damaged as a result of the compromise, or where an appropriate publication mechanism is available to publish notice of the compromise and a disavowal of any signatures created thereafter.
§489E-F  Authority to certify security procedures.  (a)  A security procedure may be certified by the {lieutenant governor}, as a qualified security procedure for purposes of sections 489E-A or 489E-B, following an appropriate investigation or review, if the security procedure has been generally accepted in the applicable information security or scientific community as being capable of satisfying the requirements of sections 489E-A or 489E-B, as applicable, in a trustworthy manner.
(b)  In making a determination regarding whether the security procedure has been generally accepted in the applicable information, security, or scientific community, the {lieutenant governor} shall consider the opinion of independent experts in the applicable field and the published findings of the community, including applicable standards organizations such as the American National Standards Institute (ANSI), International Standards Organization (ISO), International Telecommunications Union (ITU), and the National Institute of Standards and Technology (NIST).
	(c)  Certification shall be done through the adoption of rules in accordance with chapter 91 and shall specify a full and complete identification of the security procedure, including requirements as to how it is to be implemented, if appropriate.
(d)  The {lieutenant governor} may also decertify a security procedure as a qualified security procedure for purposes of section 489E-A or 489E-B following an appropriate investigation or review and the adoption of rules in accordance with chapter 91, if subsequent developments establish that the security procedure is no longer sufficiently trustworthy or reliable for its intended purpose, or for any other reason no longer meets the requirements for certification.
	(e)  The {lieutenant governor} shall have exclusive authority to certify security procedures under this section.
	§489E-G  Unauthorized use of signature device.  (a)  No person shall knowingly or intentionally access, copy, or otherwise obtain possession of or recreate the signature device of another person without authorization for the purpose of creating, or allowing or causing another person to create, an unauthorized electronic signature using such signature device.  A person convicted of a violation of this subsection shall be guilty of a misdemeanor.
	(b)  No person shall knowingly alter, disclose, or use the signature device of another person without authorization, or in excess of lawful authorization, for the purpose of creating, or allowing or causing another person to create, an unauthorized electronic signature using such signature device.  A person convicted of a violation of this subsection shall be guilty of a class C felony.
(c)  A person who violates this section in furtherance of any scheme or artifice to defraud in excess of $50,000 shall be guilty of a class B felony.
§489E-H  Enforcement.  The attorney general shall have jurisdiction to enforce this part."
SECTION 3.  Chapter 489E, Hawaii Revised Statutes, is amended as follows:
1.  By designating sections 489E-1 through 489E-4 as part I and designating a title before section 489E-1 to read:
"PART I.  GENERAL PROVISIONS"
	2.  By designating sections 489E-5 through 489E-19 as part II and designating a title before section 489E-5 to read:
"PART II.  ELECTRONIC TRANSACTIONS"
	3.	By amending section 489E-2 by adding three new definitions to be appropriately inserted and to read:
	""Signature" or "signed" includes any symbol executed or adopted, or any security procedure employed or adopted, using electronic means or otherwise, by or on behalf of a person with intent to authenticate a record.
	"Signature device" means unique information, such as codes, algorithms, letters, numbers, private keys, personal identification numbers (PINs), or a uniquely configured physical device, that is required, alone or in conjunction with other information or devices, to create an electronic signature attributable to a specific person.
	"Trustworthy manner" means, through the use of computer hardware, software, and procedures that, in the context in which they are used:
    1. Can be shown to be reasonably resistant to penetration, compromise, and misuse;
    2. Provide a reasonable level of reliability and correct operation;
    3. Are reasonably suited to performing their intended functions or serving their intended purposes; and
    4. Adhere to generally accepted security procedures."

SECTION 4. Section 708-852, Hawaii Revised Statutes, is amended by amending subsection (1) to read as follows:

"(1) A person commits the offense of forgery in the second degree if, with intent to defraud, the person [falsely]:

(a) Falsely makes, completes, endorses, or alters a written instrument[, or utters];

(b) Utters a forged instrument[, or fraudulently];

(c) Fraudulently encodes the magnetic ink character recognition numbers[,]; or

(d) Unlawfully uses the signature device of another to create an electronic signature of that other person, as those terms are defined in chapter 489E,

which is or purports to be, or which is calculated to become or to represent if completed, a deed, will, codicil, contract, assignment, commercial instrument, or other instrument [which] that does or may evidence, create, transfer, terminate, or otherwise affect a legal right, interest, obligation, or status."

SECTION 5. This Act does not affect rights and duties that were matured, penalties that were incurred, and proceedings that were begun, before its effective date.

SECTION 6. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.

SECTION 7. This Act shall take effect on upon its approval.

INTRODUCED BY:

_____________________________