As Introduced
123rd General Assembly
Regular Session H. B. No. 488
1999-2000
REPRESENTATIVES TERWILLEGER-AMSTUTZ-HOUSEHOLDER-HARRIS-
GARDNER-TIBERI-CAREY-MOTTLEY-CORBIN-METZGER-HOLLISTER-
VAN VYVEN-WILLAMOWSKI-OLMAN-DePIERO-LUEBBERS-THOMAS-
TRAKAS-GOODMAN-HOOPS-AUSTRIA-DAMSCHRODER-HARTNETT-SYKES-
MAIER-BRADING-PETERSON-MEAD-SCHULER-METELSKY-TAYLOR-JOLIVETTE-
BUEHRER-FLANNERY
_________________________________________________________________
A B I L L
To amend section 2913.31 and to enact sections
1306.01 to 1306.13, 1306.15, 1306.17 to 1306.26,
1306.28, 1306.29, 1306.32, 1306.35 to 1306.38,
and 1306.99 of the Revised Code to enact the
Electronic Records and Signatures Act by
providing for regulation of electronic
signatures, including digital signatures, and
electronic records; creating the Electronic
Commerce Commission to regulate security and
enforcement relative to electronic records and
electronic signatures; providing for state agency
use of electronic records and signatures; and
providing civil remedies and criminal penalties
for violations, and to terminate the Electronic
Commerce Commission four years after the
effective date of this act by repealing section
1306.32 of the Revised Code on that date.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:
Section 1. That section 2913.31 be amended and sections
1306.01, 1306.02, 1306.03, 1306.04, 1306.05, 1306.06, 1306.07,
1306.08, 1306.09, 1306.10, 1306.11, 1306.12, 1306.13, 1306.15,
1306.17, 1306.18, 1306.19, 1306.20, 1306.21, 1306.22, 1306.23,
1306.24, 1306.25, 1306.26, 1306.28, 1306.29, 1306.32, 1306.35,
1306.36, 1306.37, 1306.38, and 1306.99 of the Revised Code be
enacted to read as follows:
Sec. 1306.01. AS USED IN SECTIONS 1306.01 TO 1306.38 OF
THE REVISED CODE:
(A) "ASYMMETRIC CRYPTOSYSTEM" MEANS A COMPUTER-BASED
SYSTEM CAPABLE OF GENERATING AND USING A KEY PAIR CONSISTING OF A
PRIVATE KEY FOR CREATING A DIGITAL SIGNATURE AND A PUBLIC KEY TO
VERIFY THE DIGITAL SIGNATURE.
(B) "CERTIFICATE" MEANS A RECORD THAT AT A MINIMUM DOES
ALL OF THE FOLLOWING:
(1) IT IDENTIFIES THE CERTIFICATION AUTHORITY ISSUING IT.
(2) IT NAMES OR OTHERWISE IDENTIFIES ITS SUBSCRIBER OR A
DEVICE OR ELECTRONIC AGENT UNDER THE CONTROL OF THE SUBSCRIBER.
(3) IT CONTAINS A PUBLIC KEY THAT CORRESPONDS TO A PRIVATE
KEY UNDER THE CONTROL OF THE SUBSCRIBER.
(4) IT SPECIFIES ITS OPERATIONAL PERIOD.
(5) IT IS DIGITALLY SIGNED BY THE CERTIFICATION AUTHORITY
ISSUING IT.
(C) "CERTIFICATION AUTHORITY" MEANS A PERSON THAT
AUTHORIZES AND CAUSES THE ISSUANCE OF A CERTIFICATE.
(D) "CERTIFICATION PRACTICE STATEMENT" IS A STATEMENT
PUBLISHED BY A CERTIFICATION AUTHORITY THAT SPECIFIES THE
POLICIES OR PRACTICES THAT THE CERTIFICATION AUTHORITY EMPLOYS IN
ISSUING, MANAGING, SUSPENDING, AND REVOKING CERTIFICATES AND
PROVIDING ACCESS TO THEM.
(E) "CORRESPOND," WITH REFERENCE TO KEYS, MEANS TO BELONG
TO THE SAME KEY PAIR.
(F) "DIGITAL SIGNATURE" MEANS A SECURITY PROCEDURE AND A
TYPE OF ELECTRONIC SIGNATURE CREATED BY TRANSFORMING AN
ELECTRONIC RECORD USING A MESSAGE DIGEST FUNCTION AND ENCRYPTING
THE RESULTING TRANSFORMATION WITH AN ASYMMETRIC CRYPTOSYSTEM
USING THE SIGNER'S PRIVATE KEY SUCH THAT ANY PERSON HAVING THE
INITIAL UNTRANSFORMED ELECTRONIC RECORD, THE ENCRYPTED
TRANSFORMATION, AND THE SIGNER'S CORRESPONDING PUBLIC KEY CAN
ACCURATELY DETERMINE WHETHER THE TRANSFORMATION WAS CREATED USING
THE PRIVATE KEY THAT CORRESPONDS TO THE SIGNER'S PUBLIC KEY AND
WHETHER THE INITIAL ELECTRONIC RECORD HAS BEEN ALTERED SINCE THE
TRANSFORMATION WAS MADE.
(G) "ELECTRONIC" INCLUDES ELECTRICAL, DIGITAL, MAGNETIC,
OPTICAL, ELECTROMAGNETIC, OR ANY OTHER FORM OF TECHNOLOGY THAT
ENTAILS CAPABILITIES SIMILAR TO THESE TECHNOLOGIES.
(H) "ELECTRONIC RECORD" MEANS A RECORD GENERATED,
COMMUNICATED, RECEIVED, OR STORED BY ELECTRONIC MEANS FOR USE IN
AN INFORMATION SYSTEM OR FOR TRANSMISSION FROM ONE INFORMATION
SYSTEM TO ANOTHER.
(I) "ELECTRONIC SIGNATURE" MEANS A SIGNATURE IN ELECTRONIC
FORM ATTACHED TO OR LOGICALLY ASSOCIATED WITH AN ELECTRONIC
RECORD.
(J) "INFORMATION" INCLUDES DATA, TEXT, IMAGES, SOUND,
CODE, COMPUTER PROGRAMS, SOFTWARE, DATABASES, AND THE LIKE.
(K) "KEY PAIR" MEANS, IN AN ASYMMETRIC CRYPTOSYSTEM, TWO
MATHEMATICALLY RELATED KEYS, REFERRED TO AS A PRIVATE KEY AND A
PUBLIC KEY, TO WHICH BOTH OF THE FOLLOWING APPLY:
(1) THE PRIVATE KEY CAN ENCRYPT A MESSAGE THAT ONLY THE
PUBLIC KEY CAN DECRYPT.
(2) EVEN KNOWING THE PUBLIC KEY, IT IS COMPUTATIONALLY
UNFEASIBLE TO DISCOVER THE PRIVATE KEY.
(L) "MESSAGE DIGEST FUNCTION" MEANS AN ALGORITHM THAT MAPS
OR TRANSLATES THE SEQUENCE OF BITS COMPRISING AN ELECTRONIC
RECORD INTO A MESSAGE DIGEST, WHICH IS GENERALLY A SMALLER SET OF
BITS, WITHOUT REQUIRING THE USE OF ANY SECRET INFORMATION, SUCH
THAT AN ELECTRONIC RECORD YIELDS THE SAME MESSAGE DIGEST EVERY
TIME THE ALGORITHM IS EXECUTED USING SUCH RECORD AS INPUT, AND IT
IS COMPUTATIONALLY UNFEASIBLE THAT ANY TWO ELECTRONIC RECORDS CAN
BE FOUND OR DELIBERATELY GENERATED THAT WOULD PRODUCE THE SAME
MESSAGE DIGEST USING THE ALGORITHM UNLESS THE TWO RECORDS ARE
PRECISELY IDENTICAL.
(M) "OPERATIONAL PERIOD OF A CERTIFICATE" BEGINS ON THE
DATE AND TIME THE CERTIFICATE IS ISSUED BY A CERTIFICATION
AUTHORITY OR ON A LATER DATE AND TIME CERTAIN IF STATED IN THE
CERTIFICATE AND ENDS ON THE DATE AND TIME IT EXPIRES AS NOTED IN
THE CERTIFICATE OR IS EARLIER REVOKED BUT DOES NOT INCLUDE ANY
PERIOD DURING WHICH A CERTIFICATE IS SUSPENDED.
(N) "PERSON" MEANS AN INDIVIDUAL, CORPORATION, BUSINESS
TRUST, ESTATE, TRUST, PARTNERSHIP, LIMITED PARTNERSHIP, LIMITED
LIABILITY PARTNERSHIP, LIMITED LIABILITY COMPANY, ASSOCIATION,
JOINT VENTURE, GOVERNMENT, GOVERNMENTAL SUBDIVISION, AGENCY, OR
INSTRUMENTALITY, OR ANY OTHER LEGAL OR COMMERCIAL ENTITY.
(O) "PRIVATE KEY" MEANS THE KEY OF A KEY PAIR USED TO
CREATE A DIGITAL SIGNATURE.
(P) "PUBLIC KEY" MEANS THE KEY OF A KEY PAIR USED TO
VERIFY A DIGITAL SIGNATURE.
(Q) "RECORD" MEANS INFORMATION THAT IS INSCRIBED, STORED,
OR OTHERWISE FIXED ON A TANGIBLE MEDIUM OR THAT IS STORED IN AN
ELECTRONIC OR OTHER MEDIUM AND IS RETRIEVABLE IN PERCEIVABLE
FORM.
(R) "REPOSITORY" MEANS A SYSTEM FOR STORING AND RETRIEVING
CERTIFICATES OR OTHER INFORMATION RELEVANT TO CERTIFICATES,
INCLUDING INFORMATION RELATING TO THE STATUS OF A CERTIFICATE.
(S) "REVOKE A CERTIFICATE" MEANS TO PERMANENTLY END THE
OPERATIONAL PERIOD OF A CERTIFICATE FROM A SPECIFIED TIME
FORWARD.
(T) "SECURITY PROCEDURE" MEANS A METHODOLOGY OR PROCEDURE
USED FOR THE PURPOSE OF VERIFYING THAT AN ELECTRONIC RECORD IS
THAT OF A SPECIFIC PERSON OR DETECTING ERROR OR ALTERATION IN THE
COMMUNICATION, CONTENT, OR STORAGE OF AN ELECTRONIC RECORD SINCE
A SPECIFIC POINT IN TIME. A SECURITY PROCEDURE MAY REQUIRE THE
USE OF ALGORITHMS OR CODES, IDENTIFYING WORDS OR NUMBERS,
ENCRYPTION, ANSWER BACK OR ACKNOWLEDGMENT PROCEDURES, OR SIMILAR
SECURITY DEVICES.
(U) "SIGNATURE DEVICE" MEANS UNIQUE INFORMATION, SUCH AS
CODES, ALGORITHMS, LETTERS, NUMBERS, PRIVATE KEYS, OR PERSONAL
IDENTIFICATION NUMBERS, OR A UNIQUELY CONFIGURED PHYSICAL DEVICE,
THAT IS REQUIRED, ALONE OR IN CONJUNCTION WITH OTHER INFORMATION
OR DEVICES, IN ORDER TO CREATE AN ELECTRONIC SIGNATURE
ATTRIBUTABLE TO A SPECIFIC PERSON.
(V) "SIGNED" OR "SIGNATURE" INCLUDES ANY SYMBOL EXECUTED
OR ADOPTED, OR ANY SECURITY PROCEDURE EMPLOYED OR ADOPTED, USING
ELECTRONIC MEANS OR OTHERWISE, BY OR ON BEHALF OF A PERSON WITH
INTENT TO AUTHENTICATE A RECORD.
(W) "STATE AGENCY" MEANS EVERY ORGANIZED BODY, OFFICE, OR
AGENCY ESTABLISHED BY THE LAWS OF THE STATE FOR THE EXERCISE OF
ANY FUNCTION OF STATE GOVERNMENT.
(X) "SUBSCRIBER" MEANS A PERSON MEETING ALL OF THE
FOLLOWING:
(1) THE PERSON IS THE SUBJECT NAMED OR OTHERWISE
IDENTIFIED IN A CERTIFICATE.
(2) THE PERSON CONTROLS A PRIVATE KEY THAT CORRESPONDS TO
THE PUBLIC KEY LISTED IN THAT CERTIFICATE.
(3) THE PERSON IS THE PERSON TO WHOM DIGITALLY SIGNED
MESSAGES VERIFIED BY REFERENCE TO SUCH CERTIFICATE ARE TO BE
ATTRIBUTED.
(Y) "SUSPEND A CERTIFICATE" MEANS TO TEMPORARILY SUSPEND
THE OPERATIONAL PERIOD OF A CERTIFICATE FOR A SPECIFIED TIME
PERIOD OR FROM A SPECIFIED TIME FORWARD.
(Z) "TRUSTWORTHY MANNER" MEANS THE USE OF COMPUTER
HARDWARE, SOFTWARE, AND PROCEDURES THAT, IN THE CONTEXT IN WHICH
THEY ARE USED, MEET ALL OF THE FOLLOWING:
(1) THEY CAN BE SHOWN TO BE REASONABLY RESISTANT TO
PENETRATION, COMPROMISE, AND MISUSE.
(2) THEY PROVIDE A REASONABLE LEVEL OF RELIABILITY AND
CORRECT OPERATION.
(3) THEY ARE REASONABLY SUITED TO PERFORMING THEIR
INTENDED FUNCTIONS OR SERVING THEIR INTENDED PURPOSES.
(4) THEY COMPLY WITH APPLICABLE AGREEMENTS BETWEEN THE
PARTIES, IF ANY.
(5) THEY ADHERE TO GENERALLY ACCEPTED SECURITY PROCEDURES.
(AA) "VALID CERTIFICATE" MEANS A CERTIFICATE THAT A
CERTIFICATION AUTHORITY HAS ISSUED AND THAT THE SUBSCRIBER LISTED
IN THE CERTIFICATE HAS ACCEPTED.
(BB) "VERIFY A DIGITAL SIGNATURE" MEANS TO USE THE PUBLIC
KEY LISTED IN A VALID CERTIFICATE, ALONG WITH THE APPROPRIATE
MESSAGE DIGEST FUNCTION AND ASYMMETRIC CRYPTOSYSTEM, TO EVALUATE
A DIGITALLY SIGNED ELECTRONIC RECORD, SUCH THAT THE RESULT OF THE
PROCESS CONCLUDES THAT THE DIGITAL SIGNATURE WAS CREATED USING
THE PRIVATE KEY CORRESPONDING TO THE PUBLIC KEY LISTED IN THE
CERTIFICATE AND THAT THE ELECTRONIC RECORD HAS NOT BEEN ALTERED
SINCE ITS DIGITAL SIGNATURE WAS CREATED.
Sec. 1306.02. (A) SECTIONS 1306.01 TO 1306.38 OF THE
REVISED CODE MAY BE CITED AS THE "ELECTRONIC RECORDS AND
SIGNATURES ACT."
(B) SECTIONS 1306.01 TO 1306.38 OF THE REVISED CODE SHALL
BE CONSTRUED CONSISTENTLY WITH WHAT IS COMMERCIALLY REASONABLE
UNDER THE CIRCUMSTANCES AND TO EFFECTUATE THE FOLLOWING PURPOSES:
(1) TO FACILITATE ELECTRONIC COMMUNICATIONS BY MEANS OF
RELIABLE ELECTRONIC RECORDS;
(2) TO FACILITATE AND PROMOTE ELECTRONIC COMMERCE, BY
ELIMINATING BARRIERS RESULTING FROM UNCERTAINTIES OVER WRITING
AND SIGNATURE REQUIREMENTS, AND PROMOTING THE DEVELOPMENT OF THE
LEGAL AND BUSINESS INFRASTRUCTURE NECESSARY TO IMPLEMENT SECURE
ELECTRONIC COMMERCE;
(3) TO FACILITATE ELECTRONIC FILING OF DOCUMENTS WITH
STATE AGENCIES AND LOCAL GOVERNMENTS, AND TO PROMOTE EFFICIENT
DELIVERY OF GOVERNMENT SERVICES BY MEANS OF RELIABLE ELECTRONIC
RECORDS;
(4) TO MINIMIZE THE INCIDENCE OF FORGED ELECTRONIC
RECORDS, INTENTIONAL AND UNINTENTIONAL ALTERATION OF RECORDS, AND
FRAUD IN ELECTRONIC COMMERCE;
(5) TO HELP TO ESTABLISH UNIFORMITY OF RULES AND STANDARDS
REGARDING THE AUTHENTICATION AND INTEGRITY OF ELECTRONIC RECORDS;
(6) TO PROMOTE PUBLIC CONFIDENCE IN THE INTEGRITY AND
RELIABILITY OF ELECTRONIC RECORDS AND ELECTRONIC COMMERCE.
Sec. 1306.03. (A) INFORMATION, RECORDS, AND SIGNATURES
SHALL NOT BE DENIED LEGAL EFFECT, VALIDITY, OR ENFORCEABILITY
SOLELY ON THE GROUNDS THAT THEY ARE IN ELECTRONIC FORM.
(B) WHERE A RULE OF LAW REQUIRES INFORMATION TO BE
"WRITTEN" OR "IN WRITING," OR PROVIDES FOR CERTAIN CONSEQUENCES
IF IT IS NOT, AN ELECTRONIC RECORD SATISFIES THAT RULE OF LAW.
(C)(1) WHERE A RULE OF LAW REQUIRES A SIGNATURE, OR
PROVIDES FOR CERTAIN CONSEQUENCES IF A DOCUMENT IS NOT SIGNED, AN
ELECTRONIC SIGNATURE SATISFIES THAT RULE OF LAW.
(2) AN ELECTRONIC SIGNATURE MAY BE PROVED IN ANY MANNER,
INCLUDING BY SHOWING THAT A PROCEDURE EXISTED BY WHICH A PARTY
MUST OF NECESSITY HAVE EXECUTED A SYMBOL OR SECURITY PROCEDURE
FOR THE PURPOSE OF VERIFYING THAT AN ELECTRONIC RECORD IS THAT OF
SUCH PARTY IN ORDER TO PROCEED FURTHER WITH A TRANSACTION.
(D) DIVISIONS (B) AND (C) OF THIS SECTION DO NOT APPLY:
(1) WHEN THEIR APPLICATION WOULD INVOLVE A CONSTRUCTION OF
A RULE OF LAW THAT IS CLEARLY INCONSISTENT WITH THE LAW OR
REPUGNANT TO THE CONTEXT OF THE SAME RULE OF LAW, PROVIDED THAT
THE REQUIREMENT THAT INFORMATION BE "IN WRITING," "WRITTEN," OR
"PRINTED," OR THAT THERE BE A "SIGNATURE" OR THAT THE RECORD BE
"SIGNED," SHALL NOT BY ITSELF BE SUFFICIENT TO ESTABLISH THIS
INTENT;
(2) TO ANY RULE OF LAW GOVERNING THE CREATION OR EXECUTION
OF A WILL OR TRUST, LIVING WILL, OR HEALTH CARE POWER OF
ATTORNEY;
(3) TO ANY RECORD THAT SERVES AS A UNIQUE AND TRANSFERABLE
INSTRUMENT OF RIGHTS AND OBLIGATIONS, INCLUDING, WITHOUT
LIMITATION, NEGOTIABLE INSTRUMENTS AND OTHER INSTRUMENTS OF TITLE
WHEREIN POSSESSION OF THE INSTRUMENT IS DEEMED TO CONFER TITLE,
UNLESS AN ELECTRONIC VERSION OF THE RECORD IS CREATED, STORED,
AND TRANSFERRED IN A MANNER THAT ALLOWS FOR THE EXISTENCE OF ONLY
ONE UNIQUE, IDENTIFIABLE, AND UNALTERABLE ORIGINAL WITH THE
FUNCTIONAL ATTRIBUTES OF AN EQUIVALENT PHYSICAL INSTRUMENT, THAT
CAN BE POSSESSED BY ONLY ONE PERSON, AND THAT CANNOT BE COPIED
EXCEPT IN A FORM THAT IS READILY IDENTIFIABLE AS A COPY.
Sec. 1306.04. (A) WHERE A RULE OF LAW REQUIRES
INFORMATION TO BE PRESENTED OR RETAINED IN ITS ORIGINAL FORM, OR
PROVIDES CONSEQUENCES FOR THE INFORMATION NOT BEING PRESENTED OR
RETAINED IN ITS ORIGINAL FORM, THAT RULE OF LAW IS SATISFIED BY
AN ELECTRONIC RECORD IF THERE EXISTS RELIABLE ASSURANCE AS TO THE
INTEGRITY AND RELIABILITY OF THE INFORMATION, DETERMINED IN
ACCORDANCE WITH DIVISION (B) OF THIS SECTION, FROM THE TIME WHEN
IT WAS FIRST GENERATED IN ITS FINAL FORM, AS AN ELECTRONIC RECORD
OR OTHERWISE.
(B)(1) THE CRITERION FOR ASSESSING INTEGRITY IS WHETHER
THE INFORMATION HAS REMAINED COMPLETE AND UNALTERED, APART FROM
THE ADDITION OF ANY ENDORSEMENT OR OTHER INFORMATION THAT ARISES
IN THE NORMAL COURSE OF COMMUNICATION, STORAGE, AND DISPLAY.
(2) THE STANDARD OF RELIABILITY REQUIRED TO ENSURE THAT
INFORMATION HAS REMAINED COMPLETE AND UNALTERED IS TO BE ASSESSED
IN THE LIGHT OF THE PURPOSE FOR WHICH THE INFORMATION WAS
GENERATED AND IN THE LIGHT OF ALL THE RELEVANT CIRCUMSTANCES.
(C) THIS SECTION DOES NOT APPLY TO ANY RECORD THAT SERVES
AS A UNIQUE AND TRANSFERABLE INSTRUMENT OF RIGHTS AND
OBLIGATIONS, INCLUDING, WITHOUT LIMITATION, NEGOTIABLE
INSTRUMENTS AND OTHER INSTRUMENTS OF TITLE WHEREIN POSSESSION OF
THE INSTRUMENT IS DEEMED TO CONFER TITLE, UNLESS AN ELECTRONIC
VERSION OF THE RECORD IS CREATED, STORED, AND TRANSFERRED IN A
MANNER THAT ALLOWS FOR THE EXISTENCE OF ONLY ONE UNIQUE,
IDENTIFIABLE, AND UNALTERABLE ORIGINAL WITH THE FUNCTIONAL
ATTRIBUTES OF AN EQUIVALENT PHYSICAL INSTRUMENT, THAT CAN BE
POSSESSED BY ONLY ONE PERSON, AND THAT CANNOT BE COPIED EXCEPT IN
A FORM THAT IS READILY IDENTIFIABLE AS A COPY.
Sec. 1306.05. (A) WHERE A RULE OF LAW REQUIRES THAT
CERTAIN DOCUMENTS, RECORDS, OR INFORMATION BE RETAINED, THAT
REQUIREMENT IS MET BY RETAINING ELECTRONIC RECORDS OF SUCH
INFORMATION IN A TRUSTWORTHY MANNER, PROVIDED THE FOLLOWING
CONDITIONS ARE SATISFIED:
(1) THE ELECTRONIC RECORD AND THE INFORMATION CONTAINED
THEREIN ARE ACCESSIBLE SO AS TO BE USABLE FOR SUBSEQUENT
REFERENCE AT ALL TIMES WHEN SUCH INFORMATION MUST BE RETAINED.
(2) THE INFORMATION IS RETAINED IN THE FORMAT IN WHICH IT
WAS ORIGINALLY GENERATED, SENT, OR RECEIVED OR IN A FORMAT THAT
CAN BE DEMONSTRATED TO REPRESENT ACCURATELY THE INFORMATION
ORIGINALLY GENERATED, SENT, OR RECEIVED.
(3) SUCH DATA, IF ANY, IS RETAINED AS ENABLES THE
IDENTIFICATION OF THE ORIGIN AND DESTINATION OF THE INFORMATION,
THE AUTHENTICITY AND INTEGRITY OF THE INFORMATION, AND THE DATE
AND TIME WHEN IT WAS SENT OR RECEIVED.
(B) AN OBLIGATION TO RETAIN DOCUMENTS, RECORDS, OR
INFORMATION IN ACCORDANCE WITH DIVISION (A) OF THIS SECTION DOES
NOT EXTEND TO ANY DATA THE SOLE PURPOSE OF WHICH IS TO ENABLE THE
RECORD TO BE SENT OR RECEIVED.
(C) NOTHING IN THIS SECTION PRECLUDES ANY STATE AGENCY, IN
ACCORDANCE WITH SECTION 1306.35 OF THE REVISED CODE, FROM
SPECIFYING ADDITIONAL REQUIREMENTS FOR THE RETENTION OF RECORDS
THAT ARE SUBJECT TO THE JURISDICTION OF THAT AGENCY.
Sec. 1306.06. AS BETWEEN PARTIES INVOLVED IN GENERATING,
SENDING, RECEIVING, STORING, OR OTHERWISE PROCESSING ELECTRONIC
RECORDS, THE APPLICABILITY OF SECTIONS 1306.01 TO 1306.38 OF THE
REVISED CODE MAY BE WAIVED BY AGREEMENT OF THE PARTIES, EXCEPT
FOR THE PROHIBITIONS SET FORTH IN SECTION 1306.24 OF THE REVISED
CODE OR UNLESS THE AGREEMENT INVOLVES THE ATTRIBUTION OF AN
ELECTRONIC SIGNATURE IN A CONSUMER TRANSACTION DESCRIBED IN
DIVISION (B) OF SECTION 1306.12 OF THE REVISED CODE.
Sec. 1306.07. (A) NOTHING IN SECTIONS 1306.01 TO 1306.38
OF THE REVISED CODE SHALL BE CONSTRUED TO DO EITHER OF THE
FOLLOWING:
(1) REQUIRE ANY PERSON TO CREATE, STORE, TRANSMIT, ACCEPT,
OR OTHERWISE USE OR COMMUNICATE INFORMATION, RECORDS, OR
SIGNATURES BY ELECTRONIC MEANS OR IN ELECTRONIC FORM;
(2) PROHIBIT ANY PERSON ENGAGING IN AN ELECTRONIC
TRANSACTION FROM ESTABLISHING REASONABLE REQUIREMENTS REGARDING
THE MEDIUM ON WHICH IT WILL ACCEPT RECORDS OR THE METHOD AND TYPE
OF SYMBOL OR SECURITY PROCEDURE IT WILL ACCEPT AS A SIGNATURE.
(B) NOTHING IN SECTIONS 1306.01 TO 1306.38 OF THE REVISED
CODE SHALL BE CONSTRUED TO PREVENT APPLICATION OF ANY OTHER LAW
OR RULE ADOPTED PURSUANT TO SECTION 1306.35 OF THE REVISED CODE
REQUIRING THE APPROVAL OF A STATE AGENCY PRIOR TO THE USE OR
RETENTION OF ELECTRONIC RECORDS OR THE USE OF ELECTRONIC
SIGNATURES.
Sec. 1306.08. (A) IF, THROUGH THE USE OF A QUALIFIED
SECURITY PROCEDURE, IT CAN BE VERIFIED THAT AN ELECTRONIC RECORD
HAS NOT BEEN ALTERED SINCE A SPECIFIED POINT IN TIME, SUCH
ELECTRONIC RECORD SHALL BE CONSIDERED TO BE A SECURE ELECTRONIC
RECORD FROM THAT SPECIFIED POINT IN TIME TO THE TIME OF
VERIFICATION, IF THE RELYING PARTY ESTABLISHES THAT THE QUALIFIED
SECURITY PROCEDURE WAS ALL OF THE FOLLOWING:
(1) COMMERCIALLY REASONABLE UNDER THE CIRCUMSTANCES IN
ACCORDANCE WITH SECTION 1306.10 OF THE REVISED CODE;
(2) APPLIED BY THE RELYING PARTY IN A TRUSTWORTHY MANNER;
(3) REASONABLY AND IN GOOD FAITH RELIED UPON BY THE
RELYING PARTY.
(B) FOR PURPOSES OF THIS SECTION, A QUALIFIED SECURITY
PROCEDURE IS A SECURITY PROCEDURE TO DETECT CHANGES IN THE
CONTENT OF AN ELECTRONIC RECORD THAT IS EITHER OF THE FOLLOWING:
(1) PREVIOUSLY AGREED TO BY THE PARTIES;
(2) CERTIFIED BY THE ELECTRONIC COMMERCE COMMISSION IN
ACCORDANCE WITH SECTION 1306.13 OF THE REVISED CODE AS BEING
CAPABLE OF PROVIDING RELIABLE EVIDENCE THAT AN ELECTRONIC RECORD
HAS NOT BEEN ALTERED.
Sec. 1306.09. (A) IF, THROUGH THE USE OF A QUALIFIED
SECURITY PROCEDURE, IT CAN BE VERIFIED THAT AN ELECTRONIC
SIGNATURE IS THE SIGNATURE OF A SPECIFIC PERSON, THE ELECTRONIC
SIGNATURE SHALL BE CONSIDERED TO BE A SECURE ELECTRONIC SIGNATURE
AT THE TIME OF VERIFICATION, IF THE RELYING PARTY ESTABLISHES
THAT THE QUALIFIED SECURITY PROCEDURE WAS ALL OF THE FOLLOWING:
(1) COMMERCIALLY REASONABLE IN ACCORDANCE WITH SECTION
1306.10 OF THE REVISED CODE;
(2) APPLIED BY THE RELYING PARTY IN A TRUSTWORTHY MANNER;
(3) REASONABLY AND IN GOOD FAITH RELIED UPON BY THE
RELYING PARTY.
(B) FOR PURPOSES OF THIS SECTION, A QUALIFIED SECURITY
PROCEDURE IS A SECURITY PROCEDURE FOR IDENTIFYING A PERSON, WHICH
PROCEDURE IS EITHER OF THE FOLLOWING:
(1) PREVIOUSLY AGREED TO BY THE PARTIES;
(2) CERTIFIED BY THE ELECTRONIC COMMERCE COMMISSION IN
ACCORDANCE WITH SECTION 1306.13 OF THE REVISED CODE AS BEING
CAPABLE OF CREATING, IN A TRUSTWORTHY MANNER, AN ELECTRONIC
SIGNATURE THAT IS ALL OF THE FOLLOWING:
(a) IT IS UNIQUE TO THE SIGNER WITHIN THE CONTEXT IN WHICH
IT IS USED.
(b) IT CAN BE USED TO OBJECTIVELY IDENTIFY THE PERSON
SIGNING THE ELECTRONIC RECORD.
(c) IT WAS RELIABLY CREATED BY THE IDENTIFIED PERSON, AND
IT CANNOT BE READILY DUPLICATED OR COMPROMISED.
(d) IT IS CREATED AND IS LINKED TO THE ELECTRONIC RECORD
TO WHICH IT RELATES, IN SUCH A MANNER THAT IF THE RECORD OR THE
SIGNATURE IS INTENTIONALLY OR UNINTENTIONALLY CHANGED AFTER
SIGNING, THE ELECTRONIC SIGNATURE IS INVALIDATED.
Sec. 1306.10. (A) THE COMMERCIAL REASONABLENESS OF A
SECURITY PROCEDURE IS A QUESTION OF LAW TO BE DETERMINED IN LIGHT
OF THE PURPOSES OF THE PROCEDURE AND THE COMMERCIAL CIRCUMSTANCES
AT THE TIME THE PROCEDURE WAS USED, INCLUDING CONSIDERATION OF
ALL OF THE FOLLOWING:
(1) THE NATURE OF THE TRANSACTION;
(2) THE SOPHISTICATION OF THE PARTIES;
(3) THE VOLUME OF SIMILAR TRANSACTIONS ENGAGED IN BY
EITHER OR BOTH OF THE PARTIES;
(4) THE AVAILABILITY OF ALTERNATIVES OFFERED TO BUT
REJECTED BY EITHER OF THE PARTIES;
(5) THE COST OF ALTERNATIVE PROCEDURES;
(6) THE PROCEDURES USED FOR SIMILAR TYPES OF TRANSACTIONS.
(B) WHETHER RELIANCE ON A SECURITY PROCEDURE WAS
REASONABLE AND IN GOOD FAITH IS TO BE DETERMINED IN LIGHT OF ALL
THE CIRCUMSTANCES KNOWN TO THE RELYING PARTY AT THE TIME OF THE
RELIANCE, HAVING REGARD TO ALL OF THE FOLLOWING:
(1) THE INFORMATION THAT THE RELYING PARTY KNEW OR SHOULD
HAVE KNOWN OF AT THE TIME OF RELIANCE THAT WOULD SUGGEST THAT
RELIANCE WAS OR WAS NOT REASONABLE;
(2) THE VALUE OR IMPORTANCE OF THE ELECTRONIC RECORD, IF
KNOWN;
(3) ANY COURSE OF DEALING BETWEEN THE RELYING PARTY AND
THE PURPORTED SENDER AND THE AVAILABLE INDICIA OF RELIABILITY OR
UNRELIABILITY APART FROM THE SECURITY PROCEDURE;
(4) ANY USAGE OF TRADE, PARTICULARLY TRADE CONDUCTED BY
TRUSTWORTHY SYSTEMS OR OTHER COMPUTER-BASED MEANS;
(5) WHETHER THE VERIFICATION WAS PERFORMED WITH THE
ASSISTANCE OF AN INDEPENDENT THIRD PARTY.
Sec. 1306.11. (A) EXCEPT AS OTHERWISE PROVIDED BY ANOTHER
APPLICABLE RULE OF LAW, WHENEVER THE CREATION, VALIDITY, OR
RELIABILITY OF AN ELECTRONIC SIGNATURE CREATED BY A QUALIFIED
SECURITY PROCEDURE UNDER SECTION 1306.08 OR 1306.09 OF THE
REVISED CODE IS DEPENDENT UPON THE SECRECY OR CONTROL OF A
SIGNATURE DEVICE OF THE SIGNER, ALL OF THE FOLLOWING APPLY:
(1) THE PERSON GENERATING OR CREATING THE SIGNATURE DEVICE
SHALL DO SO IN A TRUSTWORTHY MANNER.
(2) THE SIGNER AND ALL OTHER PERSONS THAT RIGHTFULLY HAVE
ACCESS TO THE SIGNATURE DEVICE SHALL EXERCISE REASONABLE CARE TO
RETAIN CONTROL AND MAINTAIN THE SECRECY OF THE SIGNATURE DEVICE,
AND TO PROTECT IT FROM ANY UNAUTHORIZED ACCESS, DISCLOSURE, OR
USE, DURING THE PERIOD WHEN RELIANCE ON A SIGNATURE CREATED BY
THE DEVICE IS REASONABLE.
(3) IN THE EVENT THAT THE SIGNER, OR ANY OTHER PERSON THAT
RIGHTFULLY HAS ACCESS TO THE SIGNATURE DEVICE, KNOWS OR HAS
REASON TO KNOW THAT THE SECRECY OR CONTROL OF THE SIGNATURE
DEVICE HAS BEEN COMPROMISED, THAT PERSON SHALL MAKE A REASONABLE
EFFORT TO PROMPTLY NOTIFY ALL PERSONS THAT THE PERSON KNOWS MIGHT
FORESEEABLY BE DAMAGED AS A RESULT OF SUCH COMPROMISE OR, WHERE
AN APPROPRIATE PUBLICATION MECHANISM IS AVAILABLE, TO PUBLISH
NOTICE OF THE COMPROMISE AND A DISAVOWAL OF ANY SIGNATURES
CREATED THEREAFTER.
(B) FOR PURPOSES OF DIVISION (A)(3) OF THIS SECTION, IF
THE PERSON IS A STATE AGENCY, THE NOTICE DESCRIBED IN THAT
DIVISION SHALL BE PUBLISHED IN A NEWSPAPER OF GENERAL CIRCULATION
IN THE CITY OF COLUMBUS, OHIO, AND ALSO PUBLISHED ON THE PERSON'S
INTERNET HOME PAGE FOR A MINIMUM OF THIRTY CONSECUTIVE DAYS.
Sec. 1306.12. (A) EXCEPT AS PROVIDED BY ANOTHER
APPLICABLE RULE OF LAW, A SECURE ELECTRONIC SIGNATURE IS
ATTRIBUTABLE TO THE PERSON TO WHOM IT CORRELATES, WHETHER OR NOT
AUTHORIZED, IF ALL OF THE FOLLOWING APPLY:
(1) THE ELECTRONIC SIGNATURE RESULTED FROM ACTS OF A
PERSON THAT OBTAINED THE SIGNATURE DEVICE OR OTHER INFORMATION
NECESSARY TO CREATE THE SIGNATURE FROM A SOURCE UNDER THE CONTROL
OF THE ALLEGED SIGNER, CREATING THE APPEARANCE THAT IT CAME FROM
THAT PARTY.
(2) THE ACCESS OR USE OCCURRED UNDER CIRCUMSTANCES
CONSTITUTING A FAILURE TO EXERCISE REASONABLE CARE BY THE ALLEGED
SIGNER.
(3) THE RELYING PARTY RELIED REASONABLY AND IN GOOD FAITH
TO ITS DETRIMENT ON THE APPARENT SOURCE OF THE ELECTRONIC RECORD.
(B) THIS SECTION DOES NOT APPLY TO TRANSACTIONS THAT ARE
INTENDED PRIMARILY FOR PERSONAL, FAMILY, OR HOUSEHOLD USE, OR
THAT OTHERWISE ARE CONSUMER TRANSACTIONS.
Sec. 1306.13. (A) A SECURITY PROCEDURE MAY BE CERTIFIED
IN ACCORDANCE WITH DIVISION (C) OF THIS SECTION BY THE ELECTRONIC
COMMERCE COMMISSION, AS A QUALIFIED SECURITY PROCEDURE FOR
PURPOSES OF SECTION 1306.08 OR 1306.09 OF THE REVISED CODE,
FOLLOWING AN APPROPRIATE INVESTIGATION OR REVIEW, IF BOTH OF THE
FOLLOWING APPLY:
(1) THE SECURITY PROCEDURE, INCLUDING ANY TECHNOLOGY AND
ALGORITHMS IT EMPLOYS, IS COMPLETELY OPEN AND FULLY DISCLOSED TO
THE PUBLIC, AND HAS BEEN SO FOR A LENGTH OF TIME SUFFICIENT TO
FACILITATE A COMPREHENSIVE REVIEW AND EVALUATION OF ITS
SUITABILITY FOR THE INTENDED PURPOSE BY THE APPLICABLE
INFORMATION SECURITY OR SCIENTIFIC COMMUNITY.
(2) THE SECURITY PROCEDURE, INCLUDING ANY TECHNOLOGY AND
ALGORITHMS IT EMPLOYS, HAS BEEN GENERALLY ACCEPTED IN THE
APPLICABLE INFORMATION SECURITY OR SCIENTIFIC COMMUNITY AS BEING
CAPABLE OF SATISFYING THE REQUIREMENTS OF SECTION 1306.08 OR
1306.09 OF THE REVISED CODE, AS APPLICABLE, IN A TRUSTWORTHY
MANNER.
(B) IN MAKING THE DETERMINATION DESCRIBED IN DIVISION
(A)(2) OF THIS SECTION, THE COMMISSION SHALL CONSIDER THE OPINION
OF INDEPENDENT EXPERTS IN THE APPLICABLE FIELD AND THE PUBLISHED
FINDINGS OF THE APPLICABLE INFORMATION SECURITY OR SCIENTIFIC
COMMUNITY, INCLUDING APPLICABLE STANDARDS ORGANIZATIONS SUCH AS
THE AMERICAN NATIONAL STANDARDS INSTITUTE, INTERNATIONAL
STANDARDS ORGANIZATION, INTERNATIONAL TELECOMMUNICATIONS UNION,
AND NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY.
(C) CERTIFICATION SHALL BE DONE THROUGH THE ADOPTION OF
RULES IN ACCORDANCE WITH CHAPTER 119. OF THE REVISED CODE AND
SHALL SPECIFY A FULL AND COMPLETE IDENTIFICATION OF THE SECURITY
PROCEDURE, INCLUDING REQUIREMENTS AS TO HOW IT IS TO BE
IMPLEMENTED, IF APPROPRIATE.
(D) THE COMMISSION MAY DECERTIFY A SECURITY PROCEDURE AS A
QUALIFIED SECURITY PROCEDURE FOR PURPOSES OF SECTION 1306.08 OR
1309.09 OF THE REVISED CODE FOLLOWING AN APPROPRIATE
INVESTIGATION OR REVIEW AND THE ADOPTION OF RULES IN ACCORDANCE
WITH CHAPTER 119. OF THE REVISED CODE, IF SUBSEQUENT DEVELOPMENTS
ESTABLISH THAT THE SECURITY PROCEDURE IS NO LONGER SUFFICIENTLY
TRUSTWORTHY OR RELIABLE FOR ITS INTENDED PURPOSE OR FOR ANY OTHER
REASON NO LONGER MEETS THE REQUIREMENTS FOR CERTIFICATION.
(E) THE COMMISSION HAS EXCLUSIVE AUTHORITY TO CERTIFY
SECURITY PROCEDURES UNDER THIS SECTION.
Sec. 1306.15. (A) A DIGITAL SIGNATURE THAT IS CREATED
USING AN ASYMMETRIC ALGORITHM CERTIFIED BY THE ELECTRONIC
COMMERCE COMMISSION PURSUANT TO DIVISION (B)(2) OF SECTION
1306.08 OF THE REVISED CODE SHALL BE CONSIDERED TO BE A QUALIFIED
SECURITY PROCEDURE FOR PURPOSES OF DETECTING CHANGES IN THE
CONTENT OF AN ELECTRONIC RECORD UNDER THAT SECTION, IF THE
DIGITAL SIGNATURE WAS CREATED DURING THE OPERATIONAL PERIOD OF A
VALID CERTIFICATE AND IS VERIFIED BY REFERENCE TO THE PUBLIC KEY
LISTED IN THE CERTIFICATE.
(B) A DIGITAL SIGNATURE THAT IS CREATED USING AN
ASYMMETRIC ALGORITHM CERTIFIED BY THE COMMISSION PURSUANT TO
DIVISION (B)(2) OF SECTION 1306.09 OF THE REVISED CODE SHALL BE
CONSIDERED TO BE A QUALIFIED SECURITY PROCEDURE FOR PURPOSES OF
IDENTIFYING A PERSON UNDER THAT SECTION IF BOTH OF THE FOLLOWING
APPLY:
(1) THE DIGITAL SIGNATURE MEETS ALL OF THE FOLLOWING:
(a) IT WAS CREATED DURING THE OPERATIONAL PERIOD OF A
VALID CERTIFICATE.
(b) IT WAS USED WITHIN THE SCOPE OF ANY OTHER RESTRICTIONS
SPECIFIED OR INCORPORATED BY REFERENCE IN THE CERTIFICATE.
(c) IT CAN BE VERIFIED BY REFERENCE TO THE PUBLIC KEY
LISTED IN THE CERTIFICATE.
(2) THE CERTIFICATE IS CONSIDERED TRUSTWORTHY AND AN
ACCURATE BINDING OF A PUBLIC KEY TO A PERSON'S IDENTITY AS A
RESULT OF EITHER OF THE FOLLOWING:
(a) THE CERTIFICATE WAS ISSUED BY A CERTIFICATION
AUTHORITY IN ACCORDANCE WITH STANDARDS, PROCEDURES, AND OTHER
REQUIREMENTS SPECIFIED BY THE COMMISSION.
(b) A TRIER OF FACT IN A LEGAL PROCEEDING INDEPENDENTLY
FINDS THAT THE CERTIFICATE WAS ISSUED IN A TRUSTWORTHY MANNER BY
A CERTIFICATION AUTHORITY THAT PROPERLY AUTHENTICATED THE
SUBSCRIBER AND THE SUBSCRIBER'S PUBLIC KEY OR OTHERWISE FINDS
THAT THE MATERIAL INFORMATION SET FORTH IN THE CERTIFICATE IS
TRUE.
(C) FOR PURPOSES OF THIS SECTION, IT IS FORESEEABLE THAT
PERSONS RELYING ON A DIGITAL SIGNATURE ALSO WILL RELY ON A VALID
CERTIFICATE CONTAINING THE PUBLIC KEY BY WHICH THE DIGITAL
SIGNATURE CAN BE VERIFIED, DURING THE OPERATIONAL PERIOD OF THAT
CERTIFICATE AND WITHIN ANY LIMITS SPECIFIED IN THAT CERTIFICATE.
Sec. 1306.17. (A) THE ELECTRONIC COMMERCE COMMISSION, IN
ACCORDANCE WITH CHAPTER 119. OF THE REVISED CODE, MAY ADOPT RULES
APPLICABLE TO BOTH THE PUBLIC AND PRIVATE SECTORS FOR THE PURPOSE
OF DEFINING UNDER WHAT CIRCUMSTANCES A CERTIFICATE IS CONSIDERED
SUFFICIENTLY TRUSTWORTHY UNDER SECTION 1306.15 OF THE REVISED
CODE SUCH THAT A DIGITAL SIGNATURE VERIFIED BY REFERENCE TO SUCH
A CERTIFICATE WILL BE CONSIDERED A QUALIFIED SECURITY PROCEDURE
UNDER SECTION 1306.09 OF THE REVISED CODE.
(B) THE RULES DESCRIBED IN DIVISION (A) OF THIS SECTION
MAY INCLUDE BOTH OF THE FOLLOWING:
(1) RULES ESTABLISHING OR ADOPTING STANDARDS APPLICABLE TO
CERTIFICATION AUTHORITIES OR CERTIFICATES, COMPLIANCE WITH WHICH
MAY BE MEASURED BY BECOMING CERTIFIED BY THE COMMISSION, BY
BECOMING ACCREDITED BY ONE OR MORE INDEPENDENT ACCREDITING
ENTITIES RECOGNIZED BY THE COMMISSION, OR BY OTHER APPROPRIATE
MEANS;
(2) WHERE APPROPRIATE, RULES ESTABLISHING FEES TO BE
CHARGED BY THE COMMISSION TO RECOVER ALL OR A PORTION OF COSTS IN
CONNECTION WITH BECOMING CERTIFIED BY THE COMMISSION.
(C) IF THE COMMISSION ADOPTS RULES PURSUANT TO DIVISION
(A) OR (B) OF THIS SECTION, THE RULES SHALL DO ALL OF THE
FOLLOWING:
(1) PROVIDE MAXIMUM FLEXIBILITY TO THE IMPLEMENTATION OF
DIGITAL SIGNATURE TECHNOLOGY AND THE BUSINESS MODELS NECESSARY TO
SUPPORT IT;
(2) PROVIDE A CLEAR BASIS FOR THE AUTHORITIES;
(3) TO THE EXTENT REASONABLY POSSIBLE, MAXIMIZE THE
OPPORTUNITIES FOR UNIFORMITY WITH THE LAWS OF OTHER JURISDICTIONS
WITHIN THE UNITED STATES AND INTERNATIONALLY.
Sec. 1306.18. (A) EXCEPT AS CONSPICUOUSLY SET FORTH IN
ITS CERTIFICATION PRACTICE STATEMENT, A CERTIFICATION AUTHORITY,
AND A PERSON MAINTAINING A REPOSITORY, SHALL MAINTAIN ITS
OPERATIONS AND PERFORM ITS SERVICES IN A TRUSTWORTHY MANNER.
(B) FOR EACH CERTIFICATE ISSUED BY A CERTIFICATION
AUTHORITY WITH THE INTENTION THAT IT WILL BE RELIED UPON BY THIRD
PARTIES TO VERIFY DIGITAL SIGNATURES CREATED BY SUBSCRIBERS, A
CERTIFICATION AUTHORITY SHALL PUBLISH OR OTHERWISE MAKE AVAILABLE
TO THE SUBSCRIBER AND ALL SUCH RELYING PARTIES BOTH OF THE
FOLLOWING:
(1) ITS CERTIFICATION PRACTICE STATEMENT, IF ANY;
(2) ITS CERTIFICATION AUTHORITY CERTIFICATE THAT
IDENTIFIES THE CERTIFICATION AUTHORITY AS A SUBSCRIBER AND THAT
CONTAINS THE PUBLIC KEY CORRESPONDING TO THE PRIVATE KEY USED BY
THE CERTIFICATION AUTHORITY TO DIGITALLY SIGN THE CERTIFICATE.
(C) IN THE EVENT OF AN OCCURRENCE THAT MATERIALLY AND
ADVERSELY AFFECTS A CERTIFICATION AUTHORITY'S OPERATIONS OR
SYSTEM, ITS CERTIFICATION AUTHORITY CERTIFICATE, OR ANY OTHER
ASPECT OF ITS ABILITY TO OPERATE IN A TRUSTWORTHY MANNER, THE
CERTIFICATION AUTHORITY SHALL ACT IN ACCORDANCE WITH PROCEDURES
GOVERNING SUCH AN OCCURRENCE SPECIFIED IN ITS CERTIFICATION
PRACTICE STATEMENT OR, IN THE ABSENCE OF SUCH PROCEDURES, SHALL
USE REASONABLE EFFORTS TO NOTIFY ANY PERSONS THAT THE
CERTIFICATION AUTHORITY KNOWS MIGHT FORESEEABLY BE DAMAGED AS A
RESULT OF SUCH OCCURRENCE.
Sec. 1306.19. A CERTIFICATION AUTHORITY MAY ISSUE A 672
CERTIFICATE TO A PROSPECTIVE SUBSCRIBER FOR THE PURPOSE OF 673
ALLOWING THIRD PARTIES TO VERIFY DIGITAL SIGNATURES CREATED BY 674
THE SUBSCRIBER ONLY AFTER BOTH OF THE FOLLOWING OCCUR: 675
(A) THE CERTIFICATION AUTHORITY HAS RECEIVED A REQUEST FOR 677
ISSUANCE FROM THE PROSPECTIVE SUBSCRIBER. 678
(B) THE CERTIFICATION AUTHORITY HAS DONE EITHER OF THE 680
FOLLOWING:
(1) COMPLIED WITH ALL OF THE RELEVANT PRACTICES AND 682
PROCEDURES SET FORTH IN ITS APPLICABLE CERTIFICATION PRACTICE 683
STATEMENT;
(2) IN THE ABSENCE OF A CERTIFICATION PRACTICE STATEMENT 685
ADDRESSING ISSUES RELATED TO THE ISSUANCE OF A CERTIFICATE, 686
CONFIRMED IN A TRUSTWORTHY MANNER ALL OF THE FOLLOWING: 687
(a) THE PROSPECTIVE SUBSCRIBER IS THE PERSON TO BE LISTED 689
IN THE CERTIFICATE TO BE ISSUED. 690
(b) THE INFORMATION IN THE CERTIFICATE TO BE ISSUED IS 692
ACCURATE.
(c) THE PROSPECTIVE SUBSCRIBER RIGHTFULLY HOLDS A PRIVATE 694
KEY CAPABLE OF CREATING A DIGITAL SIGNATURE, AND THE PUBLIC KEY 695
TO BE LISTED IN THE CERTIFICATE CAN BE USED TO VERIFY A DIGITAL 696
SIGNATURE AFFIXED BY THAT PRIVATE KEY. 697
Sec. 1306.20. (A) BY ISSUING A CERTIFICATE WITH THE 699
INTENTION THAT IT WILL BE RELIED UPON BY THIRD PARTIES TO VERIFY 700
DIGITAL SIGNATURES CREATED BY THE SUBSCRIBER, A CERTIFICATION 701
AUTHORITY REPRESENTS ALL OF THE FOLLOWING TO THE SUBSCRIBER, AND 702
TO ANY PERSON THAT REASONABLY RELIES ON INFORMATION CONTAINED IN 703
THE CERTIFICATE IN GOOD FAITH AND DURING ITS OPERATIONAL PERIOD: 704
(1) THE CERTIFICATION AUTHORITY HAS PROCESSED, APPROVED, 706
AND ISSUED, AND WILL MANAGE AND REVOKE IF NECESSARY, THE 707
CERTIFICATE IN ACCORDANCE WITH ITS APPLICABLE CERTIFICATION 708
PRACTICE STATEMENT STATED OR INCORPORATED BY REFERENCE IN THE 709
CERTIFICATE OR OF WHICH SUCH PERSON HAS NOTICE OR, IN LIEU
THEREOF, IN ACCORDANCE WITH SECTIONS 1306.01 TO 1306.38 OF THE 710
REVISED CODE OR THE LAW OF THE JURISDICTION GOVERNING ISSUANCE OF 711
THE CERTIFICATE.
(2) THE CERTIFICATION AUTHORITY HAS VERIFIED THE IDENTITY 713
OF THE SUBSCRIBER TO THE EXTENT STATED IN THE CERTIFICATE OR ITS 714
APPLICABLE CERTIFICATION PRACTICE STATEMENT, OR IN LIEU THEREOF, 715
THE CERTIFICATION AUTHORITY HAS VERIFIED THE IDENTITY OF THE 716
SUBSCRIBER IN A TRUSTWORTHY MANNER.
(3) THE CERTIFICATION AUTHORITY HAS VERIFIED THAT THE 718
PERSON REQUESTING THE CERTIFICATE HOLDS THE PRIVATE KEY 719
CORRESPONDING TO THE PUBLIC KEY LISTED IN THE CERTIFICATE. 720
(4) EXCEPT AS CONSPICUOUSLY SET FORTH IN THE CERTIFICATE 722
OR ITS APPLICABLE CERTIFICATION PRACTICE STATEMENT, TO THE 723
CERTIFICATION AUTHORITY'S KNOWLEDGE AS OF THE DATE THE 724
CERTIFICATE WAS ISSUED, ALL OTHER INFORMATION IN THE CERTIFICATE 725
IS ACCURATE AND NOT MATERIALLY MISLEADING.
(B) IF A CERTIFICATION AUTHORITY ISSUED THE CERTIFICATE 727
SUBJECT TO THE LAWS OF ANOTHER JURISDICTION, THE CERTIFICATION 728
AUTHORITY ALSO MAKES ALL WARRANTIES AND REPRESENTATIONS OTHERWISE 729
APPLICABLE UNDER THE LAW GOVERNING ITS ISSUANCE. 730
Sec. 1306.21. (A) DURING THE OPERATIONAL PERIOD OF A 732
CERTIFICATE, THE CERTIFICATION AUTHORITY THAT ISSUED THE 733
CERTIFICATE SHALL REVOKE THE CERTIFICATE IN ACCORDANCE WITH THE 734
POLICIES AND PROCEDURES GOVERNING REVOCATION SPECIFIED IN ITS 735
APPLICABLE CERTIFICATION PRACTICE STATEMENT OR, IN THE ABSENCE OF 736
SUCH POLICIES AND PROCEDURES, AS SOON AS POSSIBLE AFTER ANY OF 737
THE FOLLOWING:
(1) RECEIVING A REQUEST FOR REVOCATION BY THE SUBSCRIBER 739
NAMED IN THE CERTIFICATE, AND CONFIRMING THAT THE PERSON 740
REQUESTING REVOCATION IS THE SUBSCRIBER, OR IS AN AGENT OF THE 741
SUBSCRIBER, OR IS AN AGENT OF THE SUBSCRIBER WITH AUTHORITY TO 742
REQUEST THE REVOCATION;
(2) RECEIVING A CERTIFIED COPY OF AN INDIVIDUAL 744
SUBSCRIBER'S DEATH CERTIFICATE, OR UPON CONFIRMING BY OTHER 745
RELIABLE EVIDENCE THAT THE SUBSCRIBER IS DEAD; 746
(3) BEING PRESENTED WITH DOCUMENTS EFFECTING A DISSOLUTION 748
OF A CORPORATE SUBSCRIBER, OR CONFIRMATION BY OTHER EVIDENCE THAT 749
THE SUBSCRIBER HAS BEEN DISSOLVED OR HAS CEASED TO EXIST; 750
(4) BEING SERVED WITH AN ORDER REQUIRING REVOCATION THAT 752
WAS ISSUED BY A COURT OF COMPETENT JURISDICTION; 753
(5) CONFIRMATION BY THE CERTIFICATION AUTHORITY THAT ANY 755
OF THE FOLLOWING APPLY: 756
(a) A MATERIAL FACT REPRESENTED IN THE CERTIFICATE IS 758
FALSE.
(b) A MATERIAL PREREQUISITE TO ISSUANCE OF THE CERTIFICATE 760
WAS NOT SATISFIED. 761
(c) THE CERTIFICATION AUTHORITY'S PRIVATE KEY OR SYSTEM 763
OPERATIONS WERE COMPROMISED IN A MANNER MATERIALLY AFFECTING THE 764
CERTIFICATE'S RELIABILITY. 765
(d) THE SUBSCRIBER'S PRIVATE KEY WAS COMPROMISED. 767
(B) UPON EFFECTING A REVOCATION DESCRIBED IN DIVISION (A) 770
OF THIS SECTION, THE CERTIFICATION AUTHORITY SHALL DO ALL OF THE
FOLLOWING: 771
(1) NOTIFY THE SUBSCRIBER AND RELYING PARTIES IN 773
ACCORDANCE WITH THE POLICIES AND PROCEDURES GOVERNING NOTICE OF 774
REVOCATION SPECIFIED IN ITS APPLICABLE CERTIFICATION PRACTICE 775
STATEMENT OR, IN THE ABSENCE OF SUCH POLICIES AND PROCEDURES, 776
PROMPTLY NOTIFY THE SUBSCRIBER;
(2) PROMPTLY PUBLISH NOTICE OF THE REVOCATION IN ALL 778
REPOSITORIES WHERE THE CERTIFICATION AUTHORITY PREVIOUSLY CAUSED 779
PUBLICATION OF THE CERTIFICATE;
(3) OTHERWISE DISCLOSE THE FACT OF REVOCATION ON INQUIRY 781
BY A RELYING PARTY. 782
Sec. 1306.22. (A) A PERSON ACCEPTS A CERTIFICATE THAT 784
NAMES THAT PERSON AS A SUBSCRIBER BY PUBLISHING OR APPROVING 785
PUBLICATION OF IT TO ONE OR MORE PERSONS OR IN A REPOSITORY, OR 786
BY OTHERWISE DEMONSTRATING APPROVAL OF IT, WHILE KNOWING OR 787
HAVING NOTICE OF ITS CONTENTS.
(B) BY ACCEPTING A CERTIFICATE, THE SUBSCRIBER LISTED IN 789
THE CERTIFICATE REPRESENTS ALL OF THE FOLLOWING TO ANY PERSON 790
THAT REASONABLY RELIES ON INFORMATION CONTAINED IN THE 791
CERTIFICATE IN GOOD FAITH AND DURING ITS OPERATIONAL PERIOD: 792
(1) THE SUBSCRIBER RIGHTFULLY HOLDS THE PRIVATE KEY 794
CORRESPONDING TO THE PUBLIC KEY LISTED IN THE CERTIFICATE. 795
(2) ALL REPRESENTATIONS MADE BY THE SUBSCRIBER TO THE 797
CERTIFICATION AUTHORITY AND MATERIAL TO THE INFORMATION LISTED IN 798
THE CERTIFICATE ARE TRUE.
(3) ALL INFORMATION IN THE CERTIFICATE THAT IS WITHIN THE 800
KNOWLEDGE OF THE SUBSCRIBER IS TRUE. 801
(C) ALL MATERIAL REPRESENTATIONS KNOWINGLY MADE BY A 803
PERSON TO A CERTIFICATION AUTHORITY FOR PURPOSES OF OBTAINING A 804
CERTIFICATE NAMING SUCH PERSON AS A SUBSCRIBER SHALL BE ACCURATE 805
AND COMPLETE TO THE BEST OF SUCH PERSON'S KNOWLEDGE AND BELIEF. 806
Sec. 1306.23. EXCEPT AS OTHERWISE PROVIDED BY ANOTHER 808
APPLICABLE RULE OF LAW, IF THE PRIVATE KEY CORRESPONDING TO THE 809
PUBLIC KEY LISTED IN A VALID CERTIFICATE IS LOST, STOLEN, 810
ACCESSIBLE TO AN UNAUTHORIZED PERSON, OR OTHERWISE COMPROMISED 812
DURING THE OPERATIONAL PERIOD OF THE CERTIFICATE, A SUBSCRIBER
THAT HAS LEARNED OF THE COMPROMISE SHALL DO EITHER OF THE 814
FOLLOWING:
(A) PROMPTLY REQUEST THE ISSUING CERTIFICATION AUTHORITY 816
TO REVOKE THE CERTIFICATE AND PUBLISH NOTICE OF REVOCATION IN ALL 818
REPOSITORIES IN WHICH THE SUBSCRIBER PREVIOUSLY AUTHORIZED THE 819
CERTIFICATE TO BE PUBLISHED;
(B) PROVIDE REASONABLE NOTICE OF THE REVOCATION. 822
Sec. 1306.24. (A) NO PERSON SHALL KNOWINGLY ACCESS, COPY, 824
OR OTHERWISE OBTAIN POSSESSION OF OR RE-CREATE THE SIGNATURE 825
DEVICE OF ANOTHER PERSON WITHOUT AUTHORIZATION FOR THE PURPOSE OF 826
CREATING, OR ALLOWING OR CAUSING ANOTHER PERSON TO CREATE, AN 827
UNAUTHORIZED ELECTRONIC SIGNATURE USING SUCH SIGNATURE DEVICE. 828
(B) NO PERSON SHALL KNOWINGLY ALTER, DISCLOSE, OR USE THE 830
SIGNATURE DEVICE OF ANOTHER PERSON WITHOUT AUTHORIZATION, OR IN 831
EXCESS OF LAWFUL AUTHORIZATION, FOR THE PURPOSE OF CREATING, OR 832
ALLOWING OR CAUSING ANOTHER PERSON TO CREATE, AN UNAUTHORIZED 833
ELECTRONIC SIGNATURE USING SUCH SIGNATURE DEVICE. 834
(C) NO PERSON SHALL KNOWINGLY CREATE, PUBLISH, ALTER, OR 836
OTHERWISE USE A CERTIFICATE ISSUED IN CONNECTION WITH A DIGITAL 837
SIGNATURE FOR ANY FRAUDULENT OR OTHER UNLAWFUL PURPOSE. 838
(D) NO PERSON SHALL KNOWINGLY MISREPRESENT THE PERSON'S 840
IDENTITY OR AUTHORIZATION IN REQUESTING OR ACCEPTING A 841
CERTIFICATE OR IN REQUESTING SUSPENSION OR REVOCATION OF A 842
CERTIFICATE ISSUED IN CONNECTION WITH A DIGITAL SIGNATURE. 843
(E) NO PERSON, IN CONNECTION WITH A DIGITAL SIGNATURE, 845
SHALL KNOWINGLY ACCESS, ALTER, DISCLOSE, OR USE THE SIGNATURE 846
DEVICE OF A CERTIFICATION AUTHORITY USED TO ISSUE CERTIFICATES 847
WITHOUT AUTHORIZATION, OR IN EXCESS OF LAWFUL AUTHORIZATION, FOR 848
THE PURPOSE OF CREATING, OR ALLOWING OR CAUSING ANOTHER PERSON TO 849
CREATE, AN UNAUTHORIZED ELECTRONIC SIGNATURE USING SUCH SIGNATURE 850
DEVICE.
(F) NO PERSON SHALL PUBLISH A CERTIFICATE, OR OTHERWISE 852
KNOWINGLY MAKE IT AVAILABLE TO ANYONE LIKELY TO RELY ON THE 853
CERTIFICATE OR ON A DIGITAL SIGNATURE THAT IS VERIFIABLE WITH 854
REFERENCE TO THE PUBLIC KEY LISTED IN THE CERTIFICATE, IF THE 855
PERSON HAS KNOWLEDGE OF ANY OF THE FOLLOWING:
(1) THE CERTIFICATION AUTHORITY LISTED IN THE CERTIFICATE 857
HAS NOT ISSUED IT. 858
(2) THE SUBSCRIBER LISTED IN THE CERTIFICATE HAS NOT 860
ACCEPTED IT.
(3) THE CERTIFICATE HAS BEEN REVOKED OR SUSPENDED, UNLESS 862
THE PUBLICATION IS FOR THE PURPOSE OF VERIFYING A DIGITAL 863
SIGNATURE CREATED PRIOR TO THE REVOCATION OR SUSPENSION, OR 864
GIVING NOTICE OF REVOCATION OR SUSPENSION.
Sec. 1306.25. (A) IN ANY LEGAL PROCEEDING, NOTHING IN THE 866
RULES OF EVIDENCE SHALL APPLY TO DENY THE ADMISSIBILITY OF AN 867
ELECTRONIC RECORD OR ELECTRONIC SIGNATURE INTO EVIDENCE ON THE 869
SOLE GROUND THAT IT IS AN ELECTRONIC RECORD OR ELECTRONIC 870
SIGNATURE, OR ON THE GROUNDS THAT IT IS NOT IN ITS ORIGINAL FORM 871
OR IS NOT AN ORIGINAL.
(B)(1) INFORMATION IN THE FORM OF AN ELECTRONIC RECORD 873
SHALL BE GIVEN DUE EVIDENTIARY WEIGHT BY THE TRIER OF FACT. 874
(2) IN ASSESSING THE EVIDENTIAL WEIGHT OF AN ELECTRONIC 876
RECORD OR ELECTRONIC SIGNATURE WHERE ITS AUTHENTICITY IS IN 877
ISSUE, THE TRIER OF FACT MAY CONSIDER ANY OR ALL OF THE 878
FOLLOWING:
(a) THE MANNER IN WHICH IT WAS GENERATED, STORED, OR 880
COMMUNICATED; 881
(b) THE RELIABILITY OF THE MANNER IN WHICH ITS INTEGRITY 883
WAS MAINTAINED; 884
(c) THE MANNER IN WHICH ITS ORIGINATOR WAS IDENTIFIED OR 886
THE ELECTRONIC RECORD WAS SIGNED; 887
(d) ANY OTHER RELEVANT INFORMATION OR CIRCUMSTANCES. 889
Sec. 1306.26. ANY PERSON THAT SUFFERS A LOSS DUE TO A 891
VIOLATION OF SECTION 1306.24 OR 2913.35 OF THE REVISED CODE MAY 892
BRING A CIVIL ACTION IN A COURT OF COMPETENT JURISDICTION AND, IN 893
ADDITION TO OTHER APPROPRIATE RELIEF, IS ENTITLED TO RECOVER 894
REASONABLE ATTORNEY'S FEES AND OTHER COURT COSTS. 895
Sec. 1306.28. (A) IN RESOLVING A CIVIL DISPUTE INVOLVING 897
A SECURE ELECTRONIC RECORD, IT SHALL BE REBUTTABLY PRESUMED THAT 899
THE ELECTRONIC RECORD HAS NOT BEEN ALTERED SINCE THE SPECIFIC 900
TIME TO WHICH THE SECURE STATUS RELATES. 901
(B) IN RESOLVING A CIVIL DISPUTE INVOLVING A SECURE 903
ELECTRONIC SIGNATURE, IT SHALL BE REBUTTABLY PRESUMED THAT THE 904
SECURE ELECTRONIC SIGNATURE IS THE SIGNATURE OF THE PERSON TO 905
WHOM IT CORRELATES.
(C) THE EFFECT OF PRESUMPTIONS PROVIDED IN THIS SECTION IS 907
TO PLACE ON THE PARTY CHALLENGING THE INTEGRITY OF A SECURE 908
ELECTRONIC RECORD OR CHALLENGING THE GENUINENESS OF A SECURE 909
ELECTRONIC SIGNATURE BOTH THE BURDEN OF GOING FORWARD WITH 911
EVIDENCE TO REBUT THE PRESUMPTION AND THE BURDEN OF PERSUADING 912
THE TRIER OF FACT THAT THE NONEXISTENCE OF THE PRESUMED FACT IS
MORE PROBABLE THAN ITS EXISTENCE. 914
(D) IN THE ABSENCE OF A SECURE ELECTRONIC RECORD OR A 916
SECURE ELECTRONIC SIGNATURE, NOTHING IN SECTIONS 1306.01 TO 917
1306.38 OF THE REVISED CODE SHALL CHANGE EXISTING RULES REGARDING 918
LEGAL OR EVIDENTIARY RULES REGARDING THE BURDEN OF PROVING THE 919
AUTHENTICITY AND INTEGRITY OF AN ELECTRONIC RECORD OR AN
ELECTRONIC SIGNATURE. 920
Sec. 1306.29. (A)(1) EXCEPT AS PROVIDED IN DIVISION 923
(A)(2) OF THIS SECTION, THE ELECTRONIC COMMERCE COMMISSION MAY 924
INVESTIGATE COMPLAINTS FILED WITH THE COMMISSION OR OTHER 926
INFORMATION BROUGHT TO THE ATTENTION OF THE COMMISSION, WHICH 927
COMPLAINTS OR INFORMATION INDICATE A VIOLATION OF SECTIONS 928
1306.01 TO 1306.38 OF THE REVISED CODE OR THE RULES ADOPTED UNDER 929
THOSE SECTIONS.
(2) IF THE DEPARTMENT OF ADMINISTRATIVE SERVICES IS THE 931
SUBJECT OF A COMPLAINT FILED PURSUANT TO DIVISION (A) OF THIS 932
SECTION, THE AUDITOR OF STATE SHALL INVESTIGATE THE COMPLAINT. 933
(B) UPON REQUEST OF THE COMMISSION, THE ATTORNEY GENERAL, 935
OR COUNTY PROSECUTOR LOCATED IN THE COUNTY IN WHICH THE SUBJECT 936
OF A COMPLAINT INVESTIGATED PURSUANT TO DIVISION (A) OF THIS 937
SECTION RESIDES, MAY COMMENCE AND PROSECUTE ANY APPROPRIATE 938
ACTION OR PROCEEDING AGAINST A PERSON FOR A VIOLATION OF SECTIONS 939
1306.01 TO 1306.38 OF THE REVISED CODE.
Sec. 1306.32. (A) THERE IS HEREBY ESTABLISHED IN THE 941
DEPARTMENT OF ADMINISTRATIVE SERVICES THE ELECTRONIC COMMERCE 942
COMMISSION CONSISTING OF SEVEN MEMBERS. 943
(B)(1) OF THE SEVEN MEMBERS OF THE COMMISSION, FOUR SHALL 945
BE EX OFFICIO MEMBERS, AS FOLLOWS: 946
(a) THE DIRECTOR OF ADMINISTRATIVE SERVICES OR THE 948
DIRECTOR'S DESIGNEE; 949
(b) THE DIRECTOR OF COMMERCE OR THE DIRECTOR'S DESIGNEE; 951
(c) THE SECRETARY OF STATE OR THE SECRETARY OF STATE'S 953
DESIGNEE;
(d) THE AUDITOR OF STATE OR THE AUDITOR OF STATE'S 955
DESIGNEE.
(2) OF THE OTHER MEMBERS OF THE COMMISSION, THREE SHALL BE 957
APPOINTED BY THE GOVERNOR, AS FOLLOWS: 959
(a) AN INDIVIDUAL WHO SHALL BE AN ATTORNEY AT LAW LICENSED 961
TO PRACTICE IN THIS STATE AND WHO SHALL HAVE SIGNIFICANT 962
KNOWLEDGE OF INTELLECTUAL PROPERTY LAW OR INTERNET SECURITY LAW, 964
OR BOTH AREAS OF THE LAW;
(b) AN INDIVIDUAL WHO SHALL BE EMPLOYED BY A FOR-PROFIT 966
BUSINESS WITH OFFICES IN THIS STATE, THE PRIMARY BUSINESS OF 967
WHICH IS OTHER THAN PROVIDING INFORMATION SYSTEMS PRODUCTS OR 968
SERVICES, AND WHO SHALL HAVE SIGNIFICANT KNOWLEDGE OF INTERNET 969
SECURITY ISSUES AND EXPERIENCE WITH THE DEVELOPMENT OF 970
INTERNET-BASED ELECTRONIC COMMERCE;
(c) AN INDIVIDUAL WHO SHALL BE EMPLOYED BY A FOR-PROFIT 972
BUSINESS WITH OFFICES IN THIS STATE, THE PRIMARY BUSINESS OF 973
WHICH IS PROVIDING INFORMATION SYSTEMS PRODUCTS OR SERVICES, AND 974
WHO SHALL HAVE SIGNIFICANT KNOWLEDGE OF INTERNET SECURITY ISSUES 975
AND EXPERIENCE WITH THE DEVELOPMENT OF INTERNET-BASED ELECTRONIC 976
COMMERCE.
(C)(1) WITHIN THIRTY DAYS AFTER THE EFFECTIVE DATE OF THIS 979
SECTION, THE GOVERNOR SHALL MAKE INITIAL APPOINTMENTS TO THE 980
COMMISSION OF PERSONS DESCRIBED IN DIVISIONS (B)(2)(a) TO (c) OF 982
THIS SECTION. OF THE INITIAL APPOINTMENTS MADE TO THE 983
COMMISSION, ONE SHALL BE FOR A TERM ENDING ONE YEAR AFTER THE 984
EFFECTIVE DATE OF THIS SECTION, ONE SHALL BE FOR A TERM ENDING 986
TWO YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION, AND ONE SHALL 988
BE FOR A TERM ENDING THREE YEARS AFTER THE EFFECTIVE DATE OF THIS 989
SECTION. THEREAFTER, TERMS OF OFFICE SHALL BE FOR THREE YEARS, 990
WITH EACH TERM ENDING ON THE SAME DAY OF THE SAME MONTH AS DID 991
THE TERM THAT IT SUCCEEDS.
(2) EACH MEMBER APPOINTED PURSUANT TO DIVISIONS (B)(2)(a) 994
TO (c) OF THIS SECTION SHALL HOLD OFFICE FROM THE DATE OF 997
APPOINTMENT UNTIL THE END OF THE TERM FOR WHICH THE MEMBER WAS 999
APPOINTED. ANY MEMBER APPOINTED TO FILL A VACANCY OCCURRING
PRIOR TO THE EXPIRATION OF THE TERM FOR WHICH THE MEMBER'S 1,000
PREDECESSOR WAS APPOINTED SHALL HOLD OFFICE FOR THE REMAINDER OF 1,001
THAT TERM. ANY MEMBER SHALL CONTINUE IN OFFICE SUBSEQUENT TO THE 1,002
EXPIRATION DATE OF THE MEMBER'S TERM UNTIL THE MEMBER'S SUCCESSOR 1,003
TAKES OFFICE, OR UNTIL A PERIOD OF SIXTY DAYS HAS ELAPSED, 1,004
WHICHEVER OCCURS FIRST. 1,005
(3) BEFORE ENTERING UPON THEIR OFFICIAL DUTIES, EACH 1,007
MEMBER APPOINTED PURSUANT TO DIVISIONS (B)(2)(a) TO (c) OF THIS 1,009
SECTION SHALL TAKE AN OATH AS PROVIDED BY SECTION 7 OF ARTICLE 1,013
XV, OHIO CONSTITUTION. 1,015
(4) EACH MEMBER APPOINTED TO THE COMMISSION PURSUANT TO 1,017
DIVISIONS (B)(2)(a) TO (c) OF THIS SECTION SHALL RECEIVE 1,019
COMPENSATION FOR ACTUAL AND NECESSARY EXPENSES INCURRED IN THE 1,020
PERFORMANCE OF OFFICIAL DUTIES. THE AMOUNT OF THE EXPENSES SHALL 1,021
BE CERTIFIED BY THE CHAIRPERSON OF THE COMMISSION AND PAID IN THE 1,022
SAME MANNER AS THE EXPENSES OF EMPLOYEES OF THE DEPARTMENT OF 1,023
ADMINISTRATIVE SERVICES ARE PAID. 1,024
(D) THE DIRECTOR OF ADMINISTRATIVE SERVICES OR THE 1,026
DIRECTOR'S DESIGNEE SHALL SERVE AS CHAIRPERSON OF THE COMMISSION. 1,027
(E) THE DEPARTMENT OF ADMINISTRATIVE SERVICES SHALL 1,029
PROVIDE ADMINISTRATIVE SERVICES TO THE COMMISSION AND SHALL 1,030
ASSIGN EXPERTS REQUIRED BY THE COMMISSION TO ENABLE THE 1,031
COMMISSION TO CARRY OUT THE COMMISSION'S DUTIES UNDER SECTIONS 1,032
1306.13, 1306.17, AND 1306.29 OF THE REVISED CODE.
(F) THE COMMISSION MAY ADOPT ITS OWN RULES OF PROCEDURE 1,034
AND MAY CHANGE THEM AT ITS DISCRETION. THE VOTES OF FOUR OF THE 1,035
MEMBERS OF THE COMMISSION ARE REQUIRED FOR THE ADOPTION OF ANY 1,036
RULE OR ANY AMENDMENT OR RESCISSION OF A RULE. 1,037
(G) A FULL AND COMPLETE RECORD OF ALL PROCEEDINGS OF THE 1,039
COMMISSION SHALL BE KEPT OPEN TO PUBLIC INSPECTION AND 1,040
AUTHENTICATED IN THE MANNER PROVIDED IN SECTION 121.20 OF THE 1,041
REVISED CODE.
Sec. 1306.35. (A) EACH STATE AGENCY SHALL DETERMINE IF, 1,043
AND THE EXTENT TO WHICH, IT WILL SEND AND RECEIVE ELECTRONIC 1,044
RECORDS AND ELECTRONIC SIGNATURES TO AND FROM OTHER PERSONS AND 1,045
OTHERWISE CREATE, USE, STORE, AND RELY UPON ELECTRONIC RECORDS 1,047
AND ELECTRONIC SIGNATURES.
(B) IN ANY CASE IN WHICH A STATE AGENCY DECIDES TO SEND OR 1,049
RECEIVE ELECTRONIC RECORDS, OR TO ACCEPT DOCUMENT FILINGS BY 1,051
ELECTRONIC RECORDS, THE STATE AGENCY, BY RULE AND GIVING DUE 1,052
CONSIDERATION TO SECURITY, MAY SPECIFY ALL OF THE FOLLOWING: 1,054
(1) THE MANNER AND FORMAT IN WHICH SUCH ELECTRONIC RECORDS 1,056
MUST BE CREATED, SENT, RECEIVED, AND STORED; 1,058
(2) IF THE ELECTRONIC RECORDS MUST BE SIGNED, ALL OF THE 1,060
FOLLOWING:
(a) THE TYPE OF ELECTRONIC SIGNATURE REQUIRED; 1,062
(b) THE MANNER AND FORMAT IN WHICH SUCH SIGNATURE MUST BE 1,064
AFFIXED TO THE ELECTRONIC RECORD; 1,065
(c) THE IDENTITY OF, OR CRITERIA THAT MUST BE MET BY, ANY 1,067
THIRD PARTY USED BY THE PERSON FILING THE DOCUMENT TO FACILITATE 1,068
THE PROCESS.
(3) CONTROL PROCESSES AND PROCEDURES AS APPROPRIATE TO 1,070
ENSURE ADEQUATE INTEGRITY, SECURITY, CONFIDENTIALITY, AND 1,071
AUDITABILITY OF SUCH ELECTRONIC RECORDS; 1,072
(4) ANY OTHER REQUIRED ATTRIBUTES FOR ELECTRONIC RECORDS 1,074
THAT ARE CURRENTLY SPECIFIED FOR CORRESPONDING PAPER DOCUMENTS OR 1,075
ARE REASONABLY NECESSARY UNDER THE CIRCUMSTANCES. 1,076
(C) ALL RULES ADOPTED BY A STATE AGENCY MAY INCLUDE THE 1,078
RELEVANT MINIMUM SECURITY REQUIREMENTS ESTABLISHED BY THE 1,079
DEPARTMENT OF ADMINISTRATIVE SERVICES IN ACCORDANCE WITH DIVISION 1,080
(A) OF SECTION 1306.36 OF THE REVISED CODE, IF ANY. 1,081
(D) WHENEVER ANY RULE OF LAW REQUIRES OR AUTHORIZES THE 1,083
FILING OF ANY INFORMATION, NOTICE, LIEN, OR OTHER DOCUMENT OR 1,084
RECORD WITH ANY STATE AGENCY, A FILING MADE BY AN ELECTRONIC 1,085
RECORD SHALL HAVE THE SAME FORCE AND EFFECT AS A FILING MADE ON 1,086
PAPER IN ALL CASES WHERE THE STATE AGENCY HAS AUTHORIZED OR 1,087
AGREED TO SUCH ELECTRONIC FILING AND THE FILING IS MADE IN
ACCORDANCE WITH APPLICABLE RULES OR AGREEMENT. 1,088
(E)(1) NOTHING IN SECTIONS 1306.01 TO 1306.38 OF THE 1,090
REVISED CODE SHALL BE CONSTRUED TO REQUIRE ANY STATE AGENCY TO 1,091
USE OR PERMIT THE USE OF ELECTRONIC RECORDS OR ELECTRONIC 1,092
SIGNATURES.
(2) NOTWITHSTANDING DIVISION (C) OF THIS SECTION, ANY 1,094
STATE AGENCY THAT, PRIOR TO THE EFFECTIVE DATE OF THIS SECTION, 1,095
USED OR PERMITTED THE USE OF ELECTRONIC RECORDS OR ELECTRONIC 1,096
SIGNATURES PURSUANT TO LAWS ENACTED OR RULES ADOPTED BEFORE THE 1,097
EFFECTIVE DATE OF THIS SECTION, MAY USE OR PERMIT THE USE OF 1,098
ELECTRONIC RECORDS OR ELECTRONIC SIGNATURES PURSUANT TO THOSE 1,100
PREVIOUSLY ENACTED LAWS OR ADOPTED RULES. 1,101
(F) FOR PURPOSES OF THIS SECTION, "STATE AGENCY" DOES NOT 1,103
INCLUDE THE GENERAL ASSEMBLY OR THE SUPREME COURT. 1,104
Sec. 1306.36. (A) THE DEPARTMENT OF ADMINISTRATIVE 1,106
SERVICES, IN ACCORDANCE WITH CHAPTER 119. OF THE REVISED CODE, 1,107
MAY ADOPT RULES, INCLUDING RULES DESCRIBED IN DIVISION (C) OF 1,108
THIS SECTION, SETTING FORTH MINIMUM SECURITY REQUIREMENTS FOR THE 1,109
USE OF ELECTRONIC RECORDS AND ELECTRONIC SIGNATURES BY STATE 1,110
AGENCIES.
(B) WITH RESPECT TO VERIFYING A DIGITAL SIGNATURE, THE 1,112
DEPARTMENT MAY ADOPT RULES, PROCEDURES, AND POLICIES WHEREBY 1,113
STATE AGENCIES MAY ISSUE OR CONTRACT FOR THE ISSUANCE OF 1,115
CERTIFICATES.
(C) THE DEPARTMENT, BY RULE, MAY SPECIFY APPROPRIATE 1,117
MINIMUM SECURITY REQUIREMENTS TO BE IMPLEMENTED AND FOLLOWED BY 1,119
STATE AGENCIES FOR ALL OF THE FOLLOWING: 1,120
(1) THE GENERATION, USE, AND STORAGE OF KEY PAIRS; 1,122
(2) THE ISSUANCE, ACCEPTANCE, USE, SUSPENSION, AND 1,124
REVOCATION OF CERTIFICATES; 1,125
(3) THE USE OF DIGITAL SIGNATURES. 1,127
(D) EACH STATE AGENCY MAY ISSUE, OR CONTRACT FOR THE 1,129
ISSUANCE OF, CERTIFICATES TO ITS EMPLOYEES AND AGENTS AND PERSONS 1,130
CONDUCTING BUSINESS OR OTHER TRANSACTIONS WITH THE STATE AGENCY 1,131
AND MAY TAKE OTHER ACTIONS CONSISTENT THEREWITH, INCLUDING THE 1,132
ESTABLISHMENT OF REPOSITORIES AND THE SUSPENSION OR REVOCATION OF 1,133
CERTIFICATES ISSUED, PROVIDED THESE ACTIONS ARE CONDUCTED IN
ACCORDANCE WITH ALL RULES, PROCEDURES, AND POLICIES ADOPTED BY 1,134
THE DEPARTMENT PURSUANT TO THIS SECTION. 1,135
(E) THE DEPARTMENT MAY SPECIFY APPROPRIATE MINIMUM 1,138
STANDARDS AND REQUIREMENTS THAT MUST BE SATISFIED BY A
CERTIFICATION AUTHORITY BEFORE EITHER OF THE FOLLOWING OCCURS: 1,139
(1) THE SERVICES OF THE CERTIFICATION AUTHORITY ARE USED 1,141
BY ANY STATE AGENCY FOR THE ISSUANCE, PUBLICATION, REVOCATION, 1,142
AND SUSPENSION OF CERTIFICATES TO SUCH AGENCY OR ITS EMPLOYEES OR 1,143
AGENTS.
(2) THE CERTIFICATES ISSUED BY THE CERTIFICATION AUTHORITY 1,145
WILL BE ACCEPTED FOR PURPOSES OF VERIFYING DIGITALLY SIGNED 1,146
ELECTRONIC RECORDS SENT TO ANY STATE AGENCY BY ANY PERSON. 1,147
(F) WHERE APPROPRIATE, THE RULES ADOPTED BY THE DEPARTMENT 1,149
PURSUANT TO THIS SECTION SHALL SPECIFY DIFFERING LEVELS OF 1,151
MINIMUM STANDARDS FROM WHICH IMPLEMENTING STATE AGENCIES SHALL
SELECT THE STANDARD MOST APPROPRIATE FOR A PARTICULAR 1,152
APPLICATION.
(G) THE GENERAL ASSEMBLY AND THE SUPREME COURT ALSO MAY 1,154
ADOPT RULES PERTAINING TO THE USE OF ELECTRONIC RECORDS AND 1,155
ELECTRONIC SIGNATURES BY THEIR RESPECTIVE AGENCIES. 1,156
(H) FOR PURPOSES OF THIS SECTION, "STATE AGENCY" DOES NOT 1,158
INCLUDE THE GENERAL ASSEMBLY OR THE SUPREME COURT. 1,159
Sec. 1306.37. TO THE EXTENT REASONABLE UNDER THE 1,161
CIRCUMSTANCES, RULES ADOPTED BY THE DEPARTMENT OF ADMINISTRATIVE 1,162
SERVICES, THE ELECTRONIC COMMERCE COMMISSION, OR ANY OTHER STATE 1,163
AGENCY PURSUANT TO SECTION 1306.13, 1306.17, 1306.35, OR 1306.36 1,164
OF THE REVISED CODE AND RELATING TO THE USE OF ELECTRONIC RECORDS 1,166
OR ELECTRONIC SIGNATURES SHALL ENCOURAGE AND PROMOTE CONSISTENCY 1,167
AND INTEROPERABILITY WITH SIMILAR REQUIREMENTS ADOPTED BY 1,168
AGENCIES OF OTHER STATES AND THE FEDERAL GOVERNMENT.
Sec. 1306.38. INFORMATION THAT WOULD DISCLOSE OR MAY LEAD 1,170
TO THE DISCLOSURE OF SECRET OR CONFIDENTIAL INFORMATION, CODES, 1,171
ALGORITHMS, PROGRAMS, OR PRIVATE KEYS INTENDED TO BE USED TO 1,172
CREATE ELECTRONIC OR DIGITAL SIGNATURES UNDER SECTIONS 1306.01 TO 1,173
1306.38 OF THE REVISED CODE ARE NOT PUBLIC RECORDS FOR PURPOSES 1,174
OF SECTION 149.43 OF THE REVISED CODE. 1,175
Sec. 1306.99. (A) WHOEVER VIOLATES DIVISION (A) OR (D) OF 1,178
SECTION 1306.24 OF THE REVISED CODE IS GUILTY OF A MISDEMEANOR OF 1,179
THE FIRST DEGREE.
(B) WHOEVER VIOLATES DIVISION (B) OR (C) OF SECTION 1,182
1306.24 OF THE REVISED CODE IS GUILTY OF A FELONY OF THE FOURTH 1,184
DEGREE.
(C) WHOEVER VIOLATES DIVISION (B) OR (C) OF SECTION 1,187
1306.24 OF THE REVISED CODE AND PREVIOUSLY HAS VIOLATED DIVISION 1,188
(B) OR (C) OF THAT SECTION IS GUILTY OF A FELONY OF THE THIRD 1,189
DEGREE.
(D) WHOEVER VIOLATES DIVISION (B), (C), OR (D) OF SECTION 1,192
1306.24 OF THE REVISED CODE IN FURTHERANCE OF ANY SCHEME OR 1,193
ARTIFICE TO DEFRAUD IN EXCESS OF FIFTY THOUSAND DOLLARS IS GUILTY 1,194
OF A FELONY OF THE SECOND DEGREE.
(E) WHOEVER VIOLATES DIVISION (D) OF SECTION 1306.24 OF 1,196
THE REVISED CODE TEN TIMES IN A TWELVE-MONTH PERIOD OR IN 1,197
FURTHERANCE OF ANY SCHEME OR ARTIFICE TO DEFRAUD IS GUILTY OF A 1,198
FELONY OF THE FOURTH DEGREE. 1,199
(F) WHOEVER VIOLATES DIVISION (E) OF SECTION 1306.24 OF 1,201
THE REVISED CODE IS GUILTY OF A FELONY OF THE THIRD DEGREE. 1,202
(G) WHOEVER VIOLATES DIVISION (E) OF SECTION 1306.24 OF 1,204
THE REVISED CODE IN FURTHERANCE OF A SCHEME OR ARTIFICE TO 1,205
DEFRAUD IS GUILTY OF A FELONY OF THE SECOND DEGREE. 1,206
Sec. 2913.31. (A) No person, with purpose to defraud, or 1,215
knowing that the person is facilitating a fraud, shall do any of 1,216
the following: 1,217
(1) Forge any writing of another without the other 1,219
person's authority; 1,220
(2) Forge any writing so that it purports to be genuine 1,222
when it actually is spurious, or to be the act of another who did 1,223
not authorize that act, or to have been executed at a time or 1,224
place or with terms different from what in fact was the case, or 1,225
to be a copy of an original when no such original existed; 1,226
(3) Utter, or possess with purpose to utter, any writing 1,228
that the person knows to have been forged. 1,229
(B) No person shall knowingly do either of the following: 1,231
(1) Forge an identification card; 1,233
(2) Sell or otherwise distribute a card that purports to 1,235
be an identification card, knowing it to have been forged. 1,236
As used in this division, "identification card" means a 1,238
card that includes personal information or characteristics of an 1,239
individual, a purpose of which is to establish the identity of 1,240
the bearer described on the card, whether the words "identity," 1,241
"identification," "identification card," or other similar words 1,242
appear on the card. 1,243
(C) NO PERSON SHALL KNOWINGLY USE A SIGNATURE DEVICE OF 1,245
ANOTHER PERSON TO CREATE AN ELECTRONIC SIGNATURE OF THAT OTHER 1,246
PERSON. AS USED IN THIS DIVISION, "SIGNATURE DEVICE" AND 1,247
"ELECTRONIC SIGNATURE" HAVE THE SAME MEANINGS AS IN SECTION 1,248
1306.01 OF THE REVISED CODE.
(D)(1)(a) Whoever violates division (A) of this section is 1,250
guilty of forgery. 1,251
(b) Except as otherwise provided in this division or 1,254
division (C)(D)(1)(c) of this section, forgery is a felony of the 1,255
fifth degree. If property or services are involved in the 1,256
offense or the victim suffers a loss, forgery is one of the 1,257
following:
(i) If the value of the property or services or the loss 1,259
to the victim is five thousand dollars or more and is less than 1,262
one hundred thousand dollars, a felony of the fourth degree; 1,263
(ii) If the value of the property or services or the loss 1,267
to the victim is one hundred thousand dollars or more, a felony 1,268
of the third degree.
(c) If the victim of the offense is an elderly person or 1,270
disabled adult, division (C)(D)(1)(c) of this section applies to 1,272
the forgery. Except as otherwise provided in division 1,273
(C)(D)(1)(c) of this section, forgery is a felony of the fifth 1,274
degree. If property or services are involved in the offense or 1,275
if the victim suffers a loss, forgery is one of the following: 1,276
(i) If the value of the property or services or the loss 1,279
to the victim is five hundred dollars or more and is less than 1,280
five thousand dollars, a felony of the fourth degree; 1,281
(ii) If the value of the property or services or the loss 1,285
to the victim is five thousand dollars or more and is less than 1,286
twenty-five thousand dollars, a felony of the third degree; 1,287
(iii) If the value of the property or services or the loss 1,290
to the victim is twenty-five thousand dollars or more, a felony 1,291
of the second degree.
(2) Whoever violates division (B) of this section is 1,293
guilty of forging identification cards or selling or distributing 1,294
forged identification cards. Except as otherwise provided in 1,296
this division, forging identification cards or selling or
distributing forged identification cards is a misdemeanor of the 1,297
first degree. If the offender previously has been convicted of a 1,298
violation of division (B) of this section, forging identification 1,299
cards or selling or distributing forged identification cards is a 1,301
misdemeanor of the first degree and, in addition, the court shall 1,302
impose upon the offender a fine of not less than two hundred 1,303
fifty dollars.
(3) WHOEVER VIOLATES DIVISION (C) OF THIS SECTION IS 1,305
GUILTY OF FORGING AN ELECTRONIC SIGNATURE, A FELONY OF THE THIRD 1,306
DEGREE.
Section 2. That existing section 2913.31 of the Revised 1,308
Code is hereby repealed. 1,309
Section 3. The Electronic Commerce Commission shall file 1,311
the original version of the proposed rules pursuant to divisions 1,312
(B) and (H) of section 119.03 of the Revised Code no later than 1,313
ninety days after the effective date of this act. 1,314
Section 4. Section 1306.32 of the Revised Code is hereby 1,316
repealed four years after the effective date of this act. 1,318