DRAFT
Georgia Digital Signature Act

To amend Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, so as to provide for a system of digital signatures to authenticate computer communications; to provide for a short title, purposes, and definitions; to provide for the Secretary of State, or the designee thereof, to be a certification authority and to impose sanctions regarding certificates; to provide for accessible data bases and publications relating thereto; to provide for rules and powers; to provide for requirements for certification authority licenses; to provide for license classifications and sanctions; to provide for recognition of other licenses; to provide for the effectiveness of digital signatures; to provide for audits of certification authorities and compliance categories; to provide for audit exemptions; to provide for investigations of and sanctions against certification authorities and provide for civil penalties and costs; to provide for administrative procedures, judicial review, injunctive relief, and civil enforcement; to prohibit certain conduct creating unreasonable risks and provide for publication of violators and protests thereby and proceedings relating thereto; to provide for use of certain trustworthy systems; to require certain disclosures; to provide for qualifications for certificate subscribers and for sanctions and procedures relating thereto; to provide for warranties by and obligations of certification authorities and subscribers; to prohibit certain disclaimers and limitations; to provide for rights in private keys and fiduciary relationships relating thereto; to provide for certificate suspensions and revocations; to prohibit certain misrepresentations; to provide for criminal penalties; to provide for certificate contents; to provide for reliance limits and limitations upon liability; to provide for obligations and liabilities of guarantors and guaranties; to provide standards for digital signatures; to provide for tax documents; to 
provide for reliance upon digital signatures and assumption of certain risks; to provide for validity and enforceability of certain messages and copies thereof; to provide for acknowledgments of digital signatures; to provide for rebuttable presumptions; to provide for recognition of repositories and publications thereby and liabilities thereof; to provide for an exemption from the inspection of public records; to repeal conflicting laws; and for other purposes.



BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA

SECTION 1.

Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, is amended by adding at the end thereof a new chapter to read as follows:

CHAPTER 12

ARTICLE 1

10-12-1.

This chapter shall be known and may be cited as the 'Georgia Digital Signature Act.'

10-12-2.

This chapter shall be construed consistent with what is commercially reasonable under the circumstances to effectuate the following purposes:

(1) To facilitate commerce by means of reliable electronic messages;

(2) To minimize the incidence of forged digital signatures and fraud in electronic commerce;

(3) To implement legally the general import of relevant standards, such as X.509 of the International Telecommunication Union (formerly CCITT or International Telegraph and Telephone Consultative Committee); and

(4) To establish, in coordination with multiple states, uniform rules regarding the authentication and reliability of electronic messages.

10-12-3.

As used in this chapter, the term:

(1) 'Accept a certificate' means either to:

(A) Manifest approval of a certificate, while knowing or having notice of its contents; or

(B) Apply to a licensed certification authority for a certificate without canceling or revoking the application by delivering notice of the cancellation or revocation to the certification authority and obtaining a signed, written receipt from the certification authority, if the certification authority subsequently issues a certificate based on the application.

(2) 'Asymmetric cryptosystem' means an algorithm or series of algorithms which provide a secure key pair.

(3) 'Certificate' means a computer based record which:

(A) Identifies the certification authority issuing it;

(B) Names or identifies its subscriber;

(C) Contains the subscriber's public key; and

(D) Is digitally signed by the certification authority issuing it.

(4) 'Certification authority' means a person who issues a certificate.

(5) 'Certification authority disclosure record' means an on line, publicly accessible record which concerns a licensed certification authority and is kept by the division.

(6) 'Certification practice statement' means a declaration of the practices which a certification authority employs in issuing certificates generally or employed in issuing a material certificate.

(7) 'Certify' means to declare with reference to a certificate, with ample opportunity to reflect, and with a duty to apprise oneself of all material facts.

(8) 'Confirm' means to ascertain through inquiry and investigation.

(9) 'Correspond,' with reference to keys, means to belong to the same key pair.

(10) 'Digital signature' means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine:

(A) Whether the transformation was created using the private key that corresponds to the signer's public key; and

(B) Whether the message has been altered since the transformation was made.

(11) 'Division' means the Secretary of State or the Secretary's designated representative.

(12) 'Forge a digital signature' means either:

(A) To create an apparent digital signature without the authorization of the rightful holder of the private key; or

(B) To create a digital signature verifiable by a certificate listing as subscriber a person who either:

(i) Does not exist; or

(ii) Does not hold the private key corresponding to the public key listed in the certificate.

(13) 'Hold a private key' means to be able to utilize a private key.

(14) 'Incorporate by reference' means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated.

(15) 'Issue a certificate' means the acts of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate.

(16) 'Key pair' means a private key and its corresponding public key in an asymmetric cryptosystem; keys which have the property that the public key can verify a digital signature that the private key creates.

(17) 'Licensed certification authority' means a certification authority to whom a license has been issued by the division and whose license is in effect.

(18) 'Message' means a digital representation of information.

(19) 'Notify' means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person.

(20) 'Operative personnel' means one or more natural persons acting as a certification authority or its agent, or in the employment of or under contract with a certification authority, and who have:

(A) Managerial or policy making responsibilities for the certification authority; or

(B) Duties directly involving the issuance of certificates, creation of private keys, or administration of a certification authority's computing facilities.

(21) 'Person' means a human being or any other organization capable of signing a document, either legally or as a matter of fact.

(22) 'Private key' means the key of a key pair used to create a digital signature.

(23) 'Public key' means the key of a key pair used to verify a digital signature.

(24) 'Publish' means to record or file in a repository.

(25) 'Qualified right to payment' means an award of damages against a licensed certification authority by a court having jurisdiction over the certification authority in a civil action for violation of this chapter.

(26) 'Recipient' means a person who receives or has a digital signature and is in a position to rely on it.

(27) 'Recognized repository' means a repository recognized by the division pursuant to Code Section 10-12-50.

(28) 'Recommended reliance limit' means the monetary amount recommended for reliance on a certificate pursuant to subsection (a) of Code Section 10-12-38.

(29) 'Repository' means a person who has established a system for storing and retrieving certificates and other information relevant to digital signatures, or, where the context requires, the system itself.

(30) 'Revoke a certificate' means to make a certificate ineffective permanently from a specified time forward. Revocation is effected by notation or inclusion in a set of revoked certificates and does not imply that a revoked certificate is destroyed or made illegible.

(31) 'Rightfully hold a private key' means to utilize a private key:

(A) Which the holder or the holder's agent has not revealed to any person in violation of subsection (a) of Code Section 10-12-34; and

(B) Which the holder has not obtained through theft, deceit, eavesdropping, or other unlawful means.

(32) 'Signer' means a person who creates a digital signature for a message.

(33) 'Subscriber' means a person who:

(A) Is the subject listed in a certificate;

(B) Accepts the certificate; and

(C) Holds a private key which corresponds to a public key listed in that certificate.

(34)(A) 'Suitable guaranty' means either a surety bond executed by a surety firm authorized by the Office of Insurance Commissioner of the State of Georgia to do business in this state or an irrevocable letter of credit issued by a financial institution authorized to do business in this state by the Georgia Department of Banking and Finance, which, in either event, satisfies all of the following requirements:

(i) It is issued payable to the division for the benefit of persons holding qualified rights of payment against the licensed certification authority named as the principal of the bond or customer of the letter of credit;

(ii) It is in an amount specified by rule of the division pursuant to Code Section 10-12-4;

(iii) It states that it is issued for filing pursuant to this chapter;

(iv) It specifies a term of effectiveness extending at least as long as the term of the license to be issued to the certification authority; and

(v) It is in a form prescribed or approved by division rule.

(B) A suitable guaranty may provide that the total annual liability on the guaranty to all persons making claims based on it may not exceed the face amount of the guaranty.

(35) 'Suspend a certificate' means to make the certificate ineffective temporarily for a specified time forward.

(36) 'Time stamp' means either:

(A) To append or attach to a message, digital signature, or certificate a digitally signed notation indicating at least the date, time, and identity of the person appending the notation; or

(B) The notation thus appended or attached.

(37) 'Transactional certificate' means a valid certificate incorporating by reference one or more digital signatures.

(38) 'Trustworthy system' means computer hardware and software which:

(A) Are reasonably secure from intrusion and misuse;

(B) Provide a reasonable level of availability, reliability, and correct operation; and

(C) Are reasonably suited to performing their intended functions.

(39) 'Valid certificate' means a certificate which:

(A) A licensed certification authority has issued;

(B) The subscriber listed in it has accepted;

(C) Has not been revoked or suspended; and

(D) Has not expired, provided that a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference.

(40) 'Verify a digital signature' means, in relation to a given digital signature, message, and public key, to determine accurately that:

(A) The digital signature was created by the private key corresponding to the public key; and

(B) The message has not been altered since its digital signature was created.
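Editor's illustration, not part of the bill's text: the following Python models definitions (3) 'Certificate', (10) 'Digital signature', (16) 'Key pair', (30) 'Revoke a certificate', (39) 'Valid certificate' and (40) 'Verify a digital signature' with a deliberately simplified textbook RSA over SHA-256 (no padding, small keys), chosen only so the statutory terms map onto concrete operations. Every name, key, serial number and message in it is constructed for the example; the asymmetric cryptosystem is an assumption of the illustration and is not the one the Act or any certification authority prescribes.

```python
import hashlib
import json
import random

# Added example: toy "textbook" RSA with SHA-256 and no padding. It exists only to
# make the statutory definitions concrete (assumption: never use it in production).


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Random odd candidate with the top bit set, until one passes the test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key_pair(bits=512, seed=None):
    """Definition (16): a private key and its corresponding public key."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def _digest(message: bytes) -> int:
    # 256-bit digest is always smaller than the 512-bit modulus n
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    """Definition (10): the transformation of a message made with the private key."""
    return pow(_digest(message), private_key["d"], private_key["n"])


def verify(message, signature, public_key):
    """Definition (40): the public key shows whether the transformation was made with the
    corresponding private key and whether the message has since been altered."""
    return pow(signature, public_key["e"], public_key["n"]) == _digest(message)


def _encode(body):
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(issuer, subscriber, subscriber_public_key, ca_private_key, serial):
    """Definition (3): identifies the issuer, names the subscriber, carries the
    subscriber's public key, and is digitally signed by the issuing authority."""
    body = {"issuer": issuer, "subject": subscriber, "serial": serial,
            "public_key": subscriber_public_key}
    return {"body": body, "signature": sign(_encode(body), ca_private_key)}


def verify_with_certificate(message, signature, cert, ca_public_key, revoked_serials=()):
    """Verify a signature 'by a certificate': the certificate must not be revoked
    (definitions (30) and (39)), the CA's signature on it must check, and the listed
    public key must verify the message."""
    if cert["body"]["serial"] in revoked_serials:
        return False
    if not verify(_encode(cert["body"]), cert["signature"], ca_public_key):
        return False
    return verify(message, signature, cert["body"]["public_key"])


def demo():
    """Constructed scenario: one genuine signature and four ways verification fails."""
    ca_public, ca_private = generate_key_pair(seed=1)
    sub_public, sub_private = generate_key_pair(seed=2)
    cert = issue_certificate("Example CA (constructed)", "Example Subscriber (constructed)",
                             sub_public, ca_private, serial=1001)
    message = b"constructed sample message: ship 10 units"
    sig = sign(message, sub_private)
    tampered_cert = {"body": dict(cert["body"], subject="Someone Else (constructed)"),
                     "signature": cert["signature"]}
    return {
        "genuine": verify_with_certificate(message, sig, cert, ca_public),
        "altered_message": verify_with_certificate(message + b"0", sig, cert, ca_public),
        "wrong_private_key": verify_with_certificate(message, sign(message, ca_private),
                                                     cert, ca_public),
        "tampered_certificate": verify_with_certificate(message, sig, tampered_cert, ca_public),
        "revoked": verify_with_certificate(message, sig, cert, ca_public,
                                           revoked_serials={1001}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'verifies' if result else 'does not verify'}")
```

Only the first case verifies: an altered message changes the digest, a signature made with a different private key does not recover the digest under the listed public key, a certificate whose body was edited after issuance no longer carries a valid issuer signature, and a revoked certificate is rejected before any arithmetic is done.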

10-12-4.

(a) The division shall be a certification authority and may issue, suspend, and revoke certificates in the manner prescribed for licensed certification authorities. The requirements of this chapter imposed upon certification authorities apply to the division with respect to the certificates it issues.

(b) The division shall maintain a publicly accessible data base containing a certification authority disclosure record for each licensed certification authority. The division shall publish the contents of the data base in at least one recognized repository.

(c) The division shall make rules consistent with this chapter and in furtherance of its purposes:

(1) To govern licensed certification authorities, their practice, and the termination of a certification authority's practice;

(2) To determine an amount appropriate for a suitable guaranty, in light of:

(A) The burden a suitable guaranty places upon licensed certification authorities; and

(B) The assurance of financial responsibility it provides to persons who rely on certificates issued by licensed certification authorities;

(3) To review software for use in creating digital signatures and publish reports concerning software;

(4) To specify reasonable requirements for the form of certificates issued by licensed certification authorities, in accordance with generally accepted standards for digital signature certificates;

(5) To specify reasonable requirements for record keeping by licensed certification authorities;

(6) To specify reasonable requirements for the content, form, and sources of information in certification authority disclosure records, the updating and timeliness of such information, and other practices and policies relating to certification authority disclosure records;

(7) To specify the form of certification practice statements; and

(8) Otherwise to give effect to and implement this chapter.


ARTICLE 2

10-12-20.

(a) To obtain or retain a license, a certification authority shall:

(1) Be the subscriber of a certificate published in a recognized repository;

(2) Employ as operative personnel only persons who have not been convicted within the past 15 years of a felony or a crime involving fraud, false statement, or deception;

(3) Employ as operative personnel only persons who have demonstrated knowledge and proficiency in following the requirements of this chapter;

(4) File with the division a suitable guaranty, unless the certification authority is the Governor, a department or division of state government, the Attorney General, the Judicial Council of Georgia, a city, or a county, provided that:

(A) Each of the above entities acts through designated officials authorized by law to perform certification authority functions; and

(B) This state or one of the above entities is the subscriber of all certificates issued by such certification authority;

(5) Have the right to use a trustworthy system, including a secure means for controlling usage of its private key;

(6) Maintain an office in this state and have established a registered agent for service of process in this state; and

(7) Comply with all further licensing requirements established by rule of the division.

(b) The division shall issue a license to a certification authority which:

(1) Is qualified pursuant to subsection (a) of this Code section;

(2) Applies in writing to the division for a license; and

(3) Pays a filing fee prescribed by rule of the division.

(c) The division may classify licenses according to specified limitations, such as a maximum number of outstanding certificates, cumulative maximum of recommended reliance limits in certificates issued by the certification authority, or issuance only within a single firm or organization, and the division may issue licenses restricted according to the limits of each classification. A certification authority acts as an unlicensed certification authority in issuing a certificate exceeding the restrictions of the certification authority's license. The division shall provide by rule for disclosure of the unlicensed nature of the issuance of such certificates to subscribers of the certificates, to the division, and to other appropriate persons and the timing and methods of such disclosure.

(d) The division may revoke or suspend a certification authority's license for failure to comply with this chapter or for failure to remain qualified pursuant to subsection (a) of this Code section, in accordance with the procedures for adjudicative proceedings prescribed by Chapter 13 of Title 50, the 'Georgia Administrative Procedure Act.' The division shall provide by rule for disclosure of such revocations and suspensions to subscribers of certificates issued by the certification authority and to other appropriate persons and the timing and methods of such disclosure. Certificates issued by a certification authority prior to the suspension or revocation of its license will remain valid certificates until suspended under Code Section 10-12-35, revoked under Code Section 10-12-36, or expired under Code Section 10-12-37.

(e) The division may recognize the licensing or authorization of certification authorities by other governmental entities through an order signed by the Secretary of State or his or her designee, provided that those licensing or authorization requirements are substantially similar to those of this state. If licensing by another governmental entity is so recognized:

(1) Article 4 of this chapter, which relates to presumptions and legal effects, applies to certificates issued by the certification authorities licensed or authorized by that governmental entity in the same manner as it applies to licensed certification authorities of this state; and

(2) The liability limits of Code Section 10-12-38 apply to the certification authorities licensed or authorized by that governmental entity in the same manner as they apply to licensed certification authorities of this state.

(f) Unless the parties provide otherwise by contract between themselves, the licensing requirements in this Code section do not affect the effectiveness, enforceability, or validity of any digital signature, except that Article 4 of this chapter shall not apply in relation to a digital signature which cannot be verified by a certificate issued by a licensed certification authority. Further, the liability limits of Code Section 10-12-38 do not apply to unlicensed certification authorities.

10-12-21.

(a) A certified public accountant having expertise in computer security or an accredited computer security professional shall audit the operations of each licensed certification authority at least once each year to evaluate compliance with this chapter. The division may specify qualifications for auditors in greater detail by rule.

(b) Based on information gathered in the audit, the auditor shall categorize the licensed certification authority's compliance as one of the following:

(1) Full compliance: The certification authority appears to conform to all applicable statutory and regulatory requirements;

(2) Substantial compliance: The certification authority appears generally to conform to applicable statutory and regulatory requirements; however, one or more instances of noncompliance or of inability to demonstrate compliance were found in an audited sample but were likely to be inconsequential;

(3) Partial compliance: The certification authority appears to comply with some statutory and regulatory requirements but was found not to have complied or not to be able to demonstrate compliance with one or more important safeguards; or

(4) Noncompliance: The certification authority complies with few or none of the statutory and regulatory requirements, fails to keep adequate records to demonstrate compliance with more than a few requirements, or refuses to submit to an audit.

The division shall publish in the certification authority disclosure record it maintains for the certification authority the date of the audit and the resulting categorization of the certification authority.

(c) The division may exempt a licensed certification authority from the requirements of subsection (a) of this Code section, if:

(1) The certification authority to be exempted requests exemption in writing;

(2) The most recent performance audit, if any, of the certification authority resulted in a finding of full or substantial compliance; and

(3) The certification authority declares under oath or affirmation that one or more of the following is true with respect to the certification authority:

(A) The certification authority has issued fewer than six certificates during the past year and the total of the recommended reliance limits of all such certificates does not exceed $10,000.00;

(B) The aggregate lifetime of all certificates issued by the certification authority during the past year is less than 30 days and the total of the recommended reliance limits of all such certificates does not exceed $10,000.00; or

(C) The recommended reliance limits of all certificates outstanding and issued by the certification authority total less than $1,000.00.

If the certification authority's declaration pursuant to this subsection falsely states a material fact, the certification authority shall have failed to comply with the performance audit requirement of this Code section. If a licensed certification authority is exempt pursuant to this subsection, the division shall publish in the certification authority disclosure record it maintains for the certification authority a statement that the certification authority is exempt from the performance audit requirement.

10-12-22.

(a) The division may investigate the activities of a licensed certification authority material to its compliance with this chapter and issue orders to a certification authority to further its investigation and secure compliance with this chapter.

(b) The division may restrict a certification authority's license as provided in subsection (c) of Code Section 10-12-20, for its failure to comply with an order of the division, or may suspend or revoke the license of a certification authority, as provided in subsection (d) of Code Section 10-12-20.

(c) Any person who knowingly or intentionally violates any provision of this chapter or any rule or order of the division pursuant to this Code section is subject to a civil penalty of not more than $5,000.00 per violation or 90 percent of the recommended reliance limit of a material certificate, whichever is less.

(d) The division may order a certification authority which it has found to violate this chapter to pay the costs incurred by the division in prosecuting and adjudicating proceedings relative to the order and in enforcing it.

(e) The division shall exercise its authority pursuant to this Code section in accordance with the procedures for adjudicative proceedings prescribed by Chapter 13 of Title 50, the 'Georgia Administrative Procedure Act,' and a licensed certification authority may obtain judicial review of the division's actions as prescribed by Chapter 13 of Title 50, the 'Georgia Administrative Procedure Act.' The division may also seek injunctive relief to compel compliance with any of its orders.

10-12-23.

(a) No certification authority, whether licensed or not, shall conduct its business in a manner that creates an unreasonable risk of loss to subscribers of the certification authority, to persons relying on certificates issued by the certification authority, or to a repository.

(b) The division may publish in one or more recognized repositories brief statements advising subscribers, persons relying on digital signatures, persons relying on repositories, or persons relying on both about any activities of a certification authority, whether licensed or not, which create a risk prohibited by subsection (a) of this Code section. The certification authority named in a statement as creating or causing such a risk may protest the publication of the statement by filing a brief, written defense. Upon receipt of such a protest, the division shall publish the written defense along with the division's statement and shall promptly give the protesting certification authority notice and an opportunity to be heard. Following the hearing, the division shall rescind the advisory statement if its publication was unwarranted pursuant to this Code section, cancel it if its publication is no longer warranted, continue or amend it if it remains warranted, or take further legal action to eliminate or reduce a risk prohibited by subsection (a) of this Code section. The division shall publish its decision in one or more recognized repositories.

(c) In the manner provided by Chapter 13 of Title 50, the 'Georgia Administrative Procedure Act,' the division may issue orders and obtain injunctions or other civil relief to prevent or restrain a certification authority from violating this Code section, regardless of whether the certification authority is licensed. This Code section does not create a right of action in any person other than the division.


ARTICLE 3

10-12-30.

(a) A licensed certification authority or subscriber shall use only a trustworthy system:

(1) To issue, suspend, or revoke a certificate;

(2) To publish or give notice of the issuance, suspension, or revocation of a certificate; or

(3) To create a private key.

(b) A licensed certification authority shall disclose any material certification practice statement and any fact material to either the reliability of a certificate which it has issued or its ability to perform its services. A certification authority may require a signed, written, and reasonably specific inquiry from an identified person and payment of reasonable compensation as conditions precedent to effecting a disclosure required in this subsection.

10-12-31.

(a) A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:

(1) The certification authority has received a request for issuance signed by the prospective subscriber; and

(2) The certification authority has confirmed that:

(A) The prospective subscriber is the person to be listed in the certificate to be issued;

(B) If the prospective subscriber is acting through one or more agents, the subscriber duly authorized the agent or agents to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;

(C) The information in the certificate to be issued is accurate;

(D) The prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;

(E) The prospective subscriber holds a private key capable of creating a digital signature; and

(F) The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.

The requirements of this subsection may not be waived or disclaimed by the licensed certification authority, the subscriber, or both.

(b) If the subscriber accepts the issued certificate, the certification authority shall publish a signed copy of the certificate in a recognized repository, as the certification authority and the subscriber named in the certificate may agree, unless a contract between the certification authority and the subscriber provides otherwise. If the subscriber does not accept the certificate, a licensed certification authority shall not publish it or shall cancel its publication if the certificate has already been published.

(c) Nothing in this Code section precludes a licensed certification authority from conforming to standards, certification practice statements, security plans, or contractual requirements more rigorous than, but nevertheless consistent with, this chapter.

(d) After issuing a certificate, a licensed certification authority shall revoke it immediately upon confirming that it was not issued as required by this Code section. A licensed certification authority may also suspend a certificate which it has issued for a reasonable period not exceeding 48 hours as needed for an investigation to confirm grounds for revocation pursuant to this subsection. The certification authority shall give notice to the subscriber as soon as practicable upon revoking or suspending pursuant to this subsection.

(e) The division may order the licensed certification authority to suspend or revoke a certificate which the certification authority issued if, after giving any required notice and opportunity for the certification authority and subscriber to be heard in accordance with Chapter 13 of Title 50, the 'Georgia Administrative Procedure Act,' the division determines that:

(1) The certificate was issued without substantial compliance with this Code section; and

(2) The noncompliance poses a significant risk to persons reasonably relying on the certificate.
Upon determining that an emergency requires an immediate remedy and in accordance with Chapter 13 of Title 50, the 'Georgia Administrative Procedure Act,' the division may itself suspend a certificate for a period not exceeding 48 hours.

10-12-32.

(a) By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate that:

(1) The certificate contains no information known to the certification authority to be false;

(2) The certificate satisfies all material requirements of this chapter; and

(3) The certification authority has not exceeded any limits of its license in issuing the certificate.
The certification authority shall not disclaim or limit the warranties of this subsection.

(b) Unless the subscriber and certification authority otherwise agree, a certification authority, by issuing a certificate, promises to the subscriber:

(1) To act promptly to suspend or revoke a certificate in accordance with Code Sections 10-12-35 or 10-12-36; and

(2) To notify the subscriber within a reasonable time of any facts known to the certification authority which significantly affect the validity or reliability of the certificate once it is issued.

(c) By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the information contained in the certificate that:

(1) The information in the certificate and listed as confirmed by the certification authority is accurate;

(2) All information foreseeably material to the reliability of the certificate is stated or incorporated by reference within the certificate;

(3) The subscriber has accepted the certificate; and

(4) The licensed certification authority has complied with all applicable laws of this state governing issuance of the certificate.

(d) By publishing a certificate, a licensed certification authority certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the certification authority has issued the certificate to the subscriber.

10-12-33.

(a) By accepting a certificate issued by a licensed certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that:

(1) The subscriber rightfully holds the private key corresponding to the public key listed in the certificate;

(2) All representations made by the subscriber to the certification authority and material to information listed in the certificate are true;

(3) All material representations made by the subscriber to a certification authority or made in the certificate and not confirmed by the certification authority in issuing the certificate are true.

(b) By requesting on behalf of a principal the issuance of a certificate naming the principal as subscriber, the requesting person certifies in that person's own right to all who reasonably rely on the information contained in the certificate that the requesting person:

(1) Holds all authority legally required to apply for issuance of a certificate naming the principal as subscriber; and

(2) Has authority to sign digitally on behalf of the principal, and, if that authority is limited in any way, adequate safeguards exist to prevent a digital signature exceeding the bounds of the person's authority.

(c) No person may disclaim or contractually limit the application of this Code section, nor obtain indemnity for its effects, if the disclaimer, limitation, or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.

(d) By accepting a certificate, a subscriber undertakes to indemnify the issuing certification authority for any loss or damage caused by issuance or publication of a certificate in reliance on:

(1) A false and material representation of fact by the subscriber; or

(2) The failure by the subscriber to disclose a material fact, if the representation or failure to disclose was made either with intent to deceive the certification authority or a person relying on the certificate or with negligence. If the certification authority issued the certificate at the request of one or more agents of the subscriber, the agent or agents personally undertake to indemnify the certification authority pursuant to this subsection as if they were accepting subscribers in their own right. The indemnity provided in this subsection may not be disclaimed or contractually limited in scope; however, a contract may provide consistent, additional terms regarding the indemnification.

(e) In obtaining information of the subscriber material to issuance of a certificate, the certification authority may require the subscriber to certify the accuracy of relevant information under oath or affirmation of truthfulness and under penalty of criminal prohibitions against false sworn statements.

10-12-34.

(a) By accepting a certificate issued by a licensed certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber's digital signature.

(b) A private key is the personal property of the subscriber who rightfully holds it.

(c) If a certification authority holds the private key corresponding to a public key listed in a certificate which it has issued, the certification authority holds the private key as a fiduciary of the subscriber named in the certificate and may use that private key only with the subscriber's prior, written approval, unless the subscriber expressly grants the private key to the certification authority and expressly permits the certification authority to hold the private key according to other terms.

10-12-35.

(a) Unless the certification authority and the subscriber agree otherwise, the licensed certification authority which issued a certificate which is not a transactional certificate shall suspend the certificate for a period not exceeding 48 hours:

(1) Upon request by a person identifying himself or herself as the subscriber named in the certificate or as a person in a position likely to know of a compromise of the security of a subscriber's private key, such as an agent, business associate, employee, or member of the immediate family of the subscriber; or

(2) By order of the division pursuant to subsection (e) of Code Section 10-12-31. The certification authority need not confirm the identity or agency of the person requesting suspension.

(b) Unless the certificate provides otherwise or the certificate is a transactional certificate, the division may suspend a certificate issued by a licensed certification authority for a period of 48 hours if:

(1) A person identifying himself or herself as the subscriber named in the certificate or as an agent, business associate, employee, or member of the immediate family of the subscriber requests suspension; and

(2) The requester represents that the certification authority which issued the certificate is unavailable. The division may require the person requesting suspension to provide evidence, including a statement under oath or affirmation, regarding his or her identity, authorization, or the unavailability of the issuing certification authority and may decline to suspend the certificate in its discretion. The division, law enforcement agencies, or both, may investigate suspensions by the division for possible wrongdoing by persons requesting suspension.

(c) Immediately upon suspension of a certificate by a licensed certification authority, the licensed certification authority shall publish signed notice of the suspension in the repository specified in the certificate for publication of notice of suspension. If one or more repositories are thus specified, then the licensed certification authority shall publish signed notice of the suspension in all such repositories. If any repository thus specified no longer exists or refuses to accept publication, or if no such repository is recognized pursuant to Code Section 10-12-50, the licensed certification authority shall also publish the notice in a recognized repository. If a certificate is suspended by the division, the division shall give notice as required in this subsection for a licensed certification authority, provided that the person requesting suspension pays in advance any fee required by a repository for publication of the notice of suspension.

(d) A certification authority shall terminate a suspension initiated by request only:

(1) If the subscriber named in the suspended certificate requests termination of the suspension, and the certification authority has confirmed that the person requesting termination of the suspension is the subscriber or an agent of the subscriber authorized to terminate the suspension; or

(2) When the certification authority discovers and confirms that the request for the suspension was made without authorization by the subscriber, provided that this subsection does not require the certification authority to confirm a request for suspension.

(e) The contract between a subscriber and a licensed certification authority may limit or preclude requested suspension by the certification authority or may provide otherwise for termination of a requested suspension. However, if the contract limits or precludes suspension by the division when the issuing certification authority is unavailable, the limitation or preclusion shall be effective only if notice of it is published in the certificate.

(f) No person shall knowingly or intentionally misrepresent to a certification authority his or her identity or authorization in requesting suspension of a certificate. Violation of this subsection is a misdemeanor.

(g) The subscriber is released from the duty to keep the private key secure pursuant to subsection (a) of Code Section 10-12-34 while the certificate is suspended.

10-12-36.

(a) A licensed certification authority shall revoke a certificate which it issued but which is not a transactional certificate after:

(1) Receiving a request for revocation by the subscriber named in the certificate; and

(2) Confirming that the person requesting revocation is that subscriber or is an agent of that subscriber with authority to request the revocation.

(b) A licensed certification authority shall confirm a request for revocation and revoke a certificate within 24 hours after receiving both a subscriber's written request and evidence reasonably sufficient to confirm the identity and any agency of the person requesting the revocation.

(c) A licensed certification authority shall revoke a certificate which it issued:

(1) Within 48 hours of receiving a certified copy of the subscriber's death certificate or within 48 hours of confirming by other evidence that the subscriber is dead, whichever occurs sooner; or

(2) Within 48 hours of presentation of documents effecting a dissolution of the subscriber or within 48 hours of confirming by other evidence that the subscriber has been dissolved or has ceased to exist, whichever is sooner.

(d) A licensed certification authority may revoke one or more certificates which it issued if the certificates are or become unreliable, regardless of whether the subscriber consents to the revocation.

(e) Within 48 hours of revocation of a certificate by a licensed certification authority, the licensed certification authority shall publish signed notice of the revocation in the repository specified in the certificate for publication of notice of revocation. If one or more repositories are thus specified, then the licensed certification authority shall publish signed notice of the revocation within the same time period in all such repositories. If any repository thus specified no longer exists or refuses to accept publication or if no such repository is recognized pursuant to Code Section 10-12-50, the licensed certification authority shall also publish the notice in a recognized repository within the same time period.

(f) A subscriber ceases to certify as provided in Code Section 10-12-33 and has no further duty to keep the private key secure as required by Code Section 10-12-34 in relation to a certificate whose revocation the subscriber has requested, beginning either:

(1) When notice of the revocation is published as required in subsection (e) of this Code section; or

(2) Forty-eight hours after the subscriber requests revocation in writing, supplies to the issuing certification authority information reasonably sufficient to confirm the request, and pays any contractually required fee, whichever occurs first.

(g) Upon notification as required by subsection (e) of this Code section, a licensed certification authority is discharged of its warranties based on issuance of the revoked certificate and ceases to certify as provided in subsections (b) and (c) of Code Section 10-12-32 in relation to the revoked certificate.

10-12-37.

(a) A certificate shall indicate the date on which it expires.

(b) When a certificate expires, the subscriber and certification authority cease to certify as provided in this chapter and the certification authority is discharged of its duties based on issuance in relation to the expired certificate.

10-12-38.

(a) By specifying a recommended reliance limit in a certificate, the issuing certification authority and accepting subscriber recommend that persons rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.

(b) Unless a licensed certification authority waives application of this subsection, a licensed certification authority shall:

(1) Not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber if, with respect to the false or forged digital signature, the certification authority complied with all material requirements of this chapter; and

(2) Not be liable in excess of the amount specified in the certificate as its recommended reliance limit for either:

(A) A loss caused by reliance on a misrepresentation in the certificate of any fact that the licensed certification authority is required to confirm; or

(B) Failure to comply with Code Section 10-12-31 in issuing the certificate.

10-12-39.

(a) Notwithstanding any provision in the suitable guaranty to the contrary:

(1) If the suitable guaranty is a surety bond, a person may recover from the surety the full amount of a qualified right to payment against the principal named in the bond, or, if there is more than one such qualified right to payment during the term of the bond, a ratable share, up to a maximum total liability of the surety equal to the amount of the bond; or

(2) If the suitable guaranty is a letter of credit, a person may recover from the issuing financial institution the full amount of a qualified right to payment against the customer named in the letter of credit, or, if there is more than one such qualified right to payment during the term of the letter of credit, a ratable share, up to a maximum total liability of the issuer equal to the amount of the credit.

Claimants may recover successively on the same suitable guaranty, provided that the total liability on the suitable guaranty to all persons making qualified rights of payment during its term shall not exceed the amount of the suitable guaranty.

(b) In addition to recovering the amount of a qualified right to payment, a claimant may recover from the proceeds of the guaranty, until depleted, the attorney fees, reasonable in amount, and court costs incurred by the claimant in collecting the claim, provided that the total liability on the suitable guaranty to all persons making qualified rights of payment or recovering attorney fees during its term shall not exceed the amount of the suitable guaranty.

(c) To recover a qualified right to payment against a surety or issuer of a suitable guaranty, the claimant shall:

(1) File written notice of the claim with the division stating the name and address of the claimant, the amount claimed, and the grounds for the qualified right to payment and any other information required by rule of the division; and

(2) Append to the notice a certified copy of the judgment on which the qualified right to payment is based. Recovery of a qualified right to payment from the proceeds of the suitable guaranty shall be barred unless the claimant substantially complies with this subsection.

(d) Recovery of a qualified right to payment from the proceeds of a suitable guaranty shall be forever barred unless notice of the claim is filed as required in subsection (c) of this Code section within three years after the occurrence of the violation of this chapter which is the basis for the claim.


ARTICLE 4

10-12-40.

(a) Where a rule of law requires a signature or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature if:

(1) That digital signature is verified by reference to the public key listed in a valid certificate;

(2) That digital signature was affixed by the signer with the intention of signing the message; and

(3) The recipient has no knowledge or notice that the signer either:

(A) Breached a duty as a subscriber; or

(B) Does not rightfully hold the private key used to affix the digital signature.

(b) Nothing in this chapter shall preclude any symbol from being valid as a signature under other applicable law.

(c) This Code section does not limit the authority of the state revenue commissioner to prescribe the form of tax returns or other documents filed with the Department of Revenue.

10-12-41.

Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged if reliance on the digital signature is not reasonable under the circumstances. If the recipient determines not to rely on a digital signature pursuant to this Code section, the recipient shall promptly notify the subscriber of its determination.

10-12-42.

(a) A message is as valid, enforceable, and effective as if it had been written on paper if it:

(1) Bears in its entirety a digital signature; and

(2) That digital signature is verified by the public key listed in a certificate which:

(A) Was issued by a licensed certification authority; and

(B) Was valid at the time the digital signature was created.

(b) Nothing in this chapter precludes any document or record from being considered written or in writing under other applicable law.

10-12-43.

A copy of a digitally signed message is as effective, valid, and enforceable as the original of the message, unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, effective, and enforceable message.

10-12-44.

Unless otherwise provided by law or contract, a certificate issued by a licensed certification authority is an acknowledgment of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgment appear with the digital signature and regardless of whether the signer physically appeared before the certification authority when the digital signature was created if that digital signature is:

(1) Verifiable by that certificate; and

(2) Affixed when that certificate was valid.

10-12-45.

In adjudicating a dispute involving a digital signature, it shall rebuttably be presumed that:

(1) A certificate digitally signed by a licensed certification authority and either:

(A) Published in a recognized repository; or

(B) Made available by the issuing certification authority or by the subscriber listed in the certificate

is issued by the certification authority which digitally signed it and is accepted by the subscriber listed in it;

(2) The information listed in a valid certificate is accurate;

(3) If a digital signature is verified by the public key listed in a valid certificate:

(A) That digital signature is the digital signature of the subscriber listed in that certificate;

(B) That digital signature was affixed by the signer with the intention of signing the message; and

(C) The recipient of that digital signature has no knowledge or notice that the signer either:

(i) Breached a duty as a subscriber; or

(ii) Does not rightfully hold the private key used to affix the digital signature; and

(4) A digital signature was created before it was time-stamped by a disinterested person utilizing a trustworthy system.
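The conditions a relying party has to establish under Code Sections 10-12-40, 10-12-42 and 10-12-45 before treating a digital signature as effective, as an added example that is not part of the Act or of any certification authority's software: the signature must verify under the public key listed in the certificate, the certificate must have been within its validity period at the time the signature was affixed, and no published suspension or revocation notice may cover that time. The example assumes ECDSA P-256 over SHA-256, a self-signed certificate standing in for one issued by a licensed certification authority, and a constructed `Notice` type standing in for the signed suspension and revocation notices a repository publishes under 10-12-35 and 10-12-36; the signing time is passed in separately because, as 10-12-45(4) presumes, it has to come from a trustworthy time stamp rather than from the message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Notice is a constructed stand-in for a signed suspension or revocation
// notice published in a repository. A zero Until marks a revocation.
type Notice struct {
	Serial *big.Int
	From   time.Time
	Until  time.Time
}

// NewSubscriber issues a self-signed ECDSA P-256 certificate with the given
// validity window; self-signing stands in for issuance by a licensed
// certification authority so the example runs offline (an assumption).
func NewSubscriber(serial int64, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example subscriber"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// Sign affixes a digital signature over SHA-256(msg) with the subscriber's private key.
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// CheckReliance returns nil only if cert was within its validity period at
// signedAt, no suspension or revocation notice for cert's serial covered
// signedAt, and sig verifies over msg under the public key listed in cert.
// signedAt must come from a trustworthy time stamp, never from the message.
func CheckReliance(cert *x509.Certificate, msg, sig []byte, signedAt time.Time, notices []Notice) error {
	if signedAt.Before(cert.NotBefore) || signedAt.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at signing time %s", signedAt.UTC().Format(time.RFC3339))
	}
	for _, n := range notices {
		if n.Serial.Cmp(cert.SerialNumber) != 0 || signedAt.Before(n.From) {
			continue // notice is for another certificate or post-dates the signature
		}
		if n.Until.IsZero() {
			return errors.New("certificate revoked before signing time")
		}
		if signedAt.Before(n.Until) {
			return errors.New("certificate suspended at signing time")
		}
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not list an ECDSA public key")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the listed public key")
	}
	return nil
}

func main() {
	now := time.Now()
	cert, key, err := NewSubscriber(1, now.Add(-24*time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message") // constructed input, not from the Act
	sig, _ := Sign(key, msg)
	suspended := []Notice{{Serial: big.NewInt(1), From: now.Add(-time.Hour), Until: now.Add(47 * time.Hour)}}
	fmt.Println("no notice:", CheckReliance(cert, msg, sig, now, nil))
	fmt.Println("during 48h suspension:", CheckReliance(cert, msg, sig, now, suspended))
}
```

The notice check is only as good as the notices the relying party has actually fetched: a certification authority has up to 48 hours to publish a revocation and a repository up to 24 hours to post it, so a signature that passes this check at signing time can still fall inside a window the subscriber later repudiates; the reliance limit and the forgery-risk rule of 10-12-41 are what cover that gap, not the code.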


ARTICLE 5

10-12-50.

(a) The division shall recognize one or more repositories after finding that a repository to be recognized complies with reasonable requirements prescribed by rules promulgated by the division.

(b) A repository may apply to the division for recognition by filing a written request and providing evidence to the division sufficient for the division to find that the conditions for recognition are satisfied. The division shall determine whether to grant or deny the request in accordance with Chapter 13 of Title 50, the 'Georgia Administrative Procedure Act.'

(c) A repository may discontinue its recognition by filing 30 days' written notice with the division. In addition, the division may discontinue recognition of a repository:

(1) Upon passage of an expiration date specified by the division in granting recognition; or

(2) In accordance with Chapter 13 of Title 50, the 'Georgia Administrative Procedure Act,' if it concludes that the repository no longer satisfies the conditions for recognition set forth in rules of the division.

10-12-51.

(a) A repository shall publish notice of a suspension or revocation of a certificate within 24 hours after receipt of notice of suspension or revocation.

(b) A recognized repository shall not be liable:

(1) For failure to publish suspension or revocation of a certificate if it published such suspension or revocation within the time prescribed in subsection (a) of this Code section;

(2) For breach of subsection (a) of this Code section in excess of the amount specified in the certificate as the recommended reliance limit;

(3) For misrepresentation in a certificate published by a licensed certification authority;

(4) For accurately recording or reporting information which a licensed certification authority has published as required or permitted in this chapter or a rule of the division, including information about suspension or revocation of a certificate; or

(5) For reporting information about a certification authority, a certificate, or a subscriber if such information is published as required or permitted in this chapter or a rule of the division or is published by order of the division in the performance of its licensing and regulatory duties pursuant to this chapter.


ARTICLE 6

10-12-60.

Article 4 of Chapter 18 of Title 50, relating to inspection of public records, shall not apply to the following:

(1) Records containing information that would disclose or might lead to the disclosure of private keys, asymmetric cryptosystems, or algorithms; or

(2) Public records, the disclosure of which might jeopardize the security of an issued certificate or a certificate to be issued."

SECTION 2.

All laws and parts of laws in conflict with this Act are repealed.