OFT-35-10-00006-P Electronic Signatures and Records Act (ESRA)  

PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following proposed rule:

Amendment of Part 540 of Title 9 NYCRR.

Electronic Signatures and Records Act (ESRA).

The Amendment will support Executive Order 17 and reduce the impact of existing mandates on local governments.

PART 540

ELECTRONIC SIGNATURES AND RECORDS ACT

(Statutory authority: State Technology Law, § § 103, [104, 105, 107] 303, 304(1) and 305(1) [; Executive Law, § 206-a)]

Section 540.1(a) is amended to read as follows:

(a) The purpose of this Part is to establish standards and procedures governing the use and authentication of electronic signatures and the utilization of electronic records in accordance with Article III of the State Technology Law, which establishes the Electronic Signatures and Records Act (ESRA). ESRA requires the Office for Technology (OFT), as the electronic facilitator, to establish rules governing the use of electronic signatures and records. ESRA recognizes the importance of technology to the State and the need to build a foundation for its acceptance, implementation and use by State agencies, local government, the private sector and citizens. Consistent with legislative intent, ESRA establishes that electronic signatures and records have the same force and effect as signatures and records produced by non-electronic means and should be utilized to facilitate both business in, as well as the business of, New York State.

A new Subdivision (g) of Section 540.2 is added to read as follows:

Subdivisions (g), (h), (i), (j) and (k) of Section 540.2 are re-lettered to read as follows:

[(g)] (h) Governmental entity means any State department, board, bureau, division, commission, committee, public authority, public benefit corporation, council, office, or other governmental entity or officer of the State having statewide authority, except the State Legislature, and any political subdivision of the State.

[(h)] (i) Material change means a substantial change in the operating practices of a certification authority that affects the issuance, revocation, security, disposition, and any other aspect of the management of a certificate.

[(i)] (j) Person means a natural person, corporation, trust, estate, partnership, incorporated or unincorporated association or any other legal entity, and also includes any department, agency, authority, or instrumentality of the State or its political subdivisions.

[(j)] (k) Public Key, for purposes of public key cryptography, means the key made public for encryption.

[(k)] (l) Receiving device means any physical or virtual point capable of receiving electronic records including, but not limited to, a website, e-mail address, hardware device or application.

The opening paragraph of Section 540.3(a) is amended to read as follows:

(a) OFT, as the Electronic Facilitator, is responsible for administering this Part. In accordance with ESRA [and Article 10-A of the Executive Law], OFT has the following functions, powers and duties, including, but not limited to:

Section 540.4(c) is amended to read as follows:

(c) A governmental entity shall complete and document a business analysis and risk assessment when selecting an electronic signature to be used or accepted by that governmental entity in an electronic transaction. A governmental entity may elect to collaborate with other governmental entities in the completion and documentation of a business analysis and risk assessment when selecting an electronic signature for use or acceptance in an electronic transaction common to such governmental entities. A governmental entity may elect to adopt an existing business analysis and risk assessment completed and documented by another governmental entity when selecting an electronic signature for use or acceptance in the same type of electronic transaction to which the existing business analysis and risk assessment applies.

Section 540.4(d)(1)(xi) is amended to read as follows:

(xi) personal privacy policy - reciting the certification authority's statutory obligation to maintain the confidentiality of personal information in accordance with the provisions of subdivision two of section [108] 308 of the State Technology Law and section 540.6 of this Part;

The opening paragraph of Section 540.5(b) is amended to read as follows:

(b) Pursuant to ESRA and this Part, governmental entities are authorized and empowered[, but not required,] to produce, receive, accept, acquire, record, file, transmit, forward and store electronic records. If any governmental entity uses electronic records it shall:

John Aveni, Esq., Office for Technology, State Capitol, ESP, P.O. Box 2062, Albany, New York 12220-0062, (518) 473-5115, email: john.aveni@cio.ny.gov

Same as above.

45 days after publication of this notice.

1. Statutory Authority: Sections 103, 303(2)(a), 304(1) and 305(1) of the State Technology Law authorize the Office for Technology (OFT) to promulgate rules and regulations to implement the Electronic Signatures and Records Act (ESRA), State Technology Law, Article III, including rules and regulations governing the use and authentication of electronic signatures and the utilization of electronic records.

2. Legislative Objectives: ESRA was enacted in 1999 to support and encourage electronic commerce and electronic government by allowing the people of New York State to use electronic signatures and electronic records in lieu of handwritten signatures and paper documents in private and public sector transactions. In accordance with ESRA, OFT adopted Part 540 as a rule to establish implementation standards and procedures necessary for the use and authentication of electronic signatures and the utilization of electronic records in both private and public sector transactions. In the year 2000, the federal Electronic Signatures in Global and National Commerce Act (E-Sign Law) was adopted to permit and encourage the expansion of electronic commerce in interstate and foreign commercial transactions. Like ESRA, this federal law authorizes the use and acceptance of electronic signatures and electronics records in the context of these commercial transactions. By Chapter 314 of the Laws of 2002, ESRA was amended to ensure that these two Laws are interpreted and applied compatibly and consistently, to better achieve their shared purpose to promote the use of electronic technology in the everyday lives and transactions of citizens, businesses and governments. In particular, ESRA's definition of an electronic signature was amended to conform to the definition of electronic signature in the E-Sign Law.

Consistent with this amendment to ESRA, Part 540 was amended in 2003 by deleting from the then existing State regulation certain implementation standards and procedures for the use and authentication of electronic signatures that were no longer relevant under the amended ESRA. In addition, this prior regulatory amendment supported the Legislature's objective, as set forth in the Introducer's Memorandum in Support of Chapter 314 of the Laws of 2002, of protecting the public's interest in the use of sound and appropriate practices when engaging in electronic transactions with governmental entities. As noted in the Introducer's Memorandum in Support, the Legislature specifically recognized that OFT retained its authority to delineate, in regulations and guidelines, a process for government entities to determine the type of electronic signature that should be employed in a given electronic transaction. In support of this objective, the amendments to Part 540 that were promulgated in 2003 mandated the employment of a business analysis and risk assessment process by state agencies and local governments when selecting electronic signatures for use or acceptance by such entities in given electronic transactions. Subsequently, OFT published guidelines that governmental entities can use in completing and documenting such business analyses and risk assessments.

The currently proposed regulatory amendment to Part 540 continues to support this legislative objective while furthering the Governor's objectives in the recently issued Executive Order No. 17 (EO 17) to reduce the impact of existing regulatory mandates on local governments.

3. Needs and Benefits: The proposed regulatory amendments further the goals and objectives of EO 17 to evaluate and lessen the costs of state mandates on local governments in order to advance property tax relief. EO 17 required state agencies to review existing agency regulations and identify those opportunities for regulatory amendments that would achieve these local government savings. The proposed regulatory amendment was identified by OFT as such an action. This action will alleviate the impact existing mandates have on local governments by allowing governmental entities to conduct joint business analyses and risk assessments when selecting an appropriate electronic signature solution for use or acceptance in electronic transactions common to such entities. The proposed amendment to § 540.4(c) will accomplish this by allowing all governmental entities to collaborate in the completion and documentation of those business analyses and risk assessments involving electronic transactions common to such entities. The proposed changes also will allow a governmental entity to adopt as its own a business analysis and risk assessment that has been completed and documented by another governmental entity that involves that same electronic transaction. By combining and leveraging efforts to select appropriate electronic signature solutions for use in government electronic transactions, governmental entities, including local governments, will be able to eliminate redundant, time-consuming and costly activities.

This proposed action also modifies Part 540 by adding a definition for the term "electronic transaction", a term that has appeared in the regulation since 2003, to § 540.2(g). This definition is needed to better explain the proposed amendment to § 540.4(c). Other technical modifications are proposed for purposes of conforming the rule to numbering and language changes that occurred in ESRA since 2003. In particular, these changes were made to the statutory authority portion of the heading to Part 540, and the following sections of Part 540: § 540.1(a), § 540.3(a), § 540.4(d)(1)(xi), and § 540.5(b). Finally, § 540.2(h-l) were re-lettered for formatting purposes. These modifications amount to nonsubstantive changes and do not materially alter the purpose, meaning or effect of the original text.

4. Costs: The adoption of these amendments does not mandate any costs on persons or entities electing to use electronic signatures and records. Moreover, this rule making does not impose any additional reporting, record keeping or other compliance requirements on persons electing to use such technologies. In fact, this rule making allows governmental entities, who are required under Part 540 to complete and document a business analysis and risk assessment of any electronic transaction in which a governmental entity will use or accept an electronic signature, to collaborate in the completion and documentation of those business analyses and risk assessments involving electronic transactions common to such entities, thereby eliminating redundant and costly activities. Typically, governmental entities employ their own internal staff in completing the business analysis and risk assessment process required under Part 540. This rule making does not increase the usual costs associated with this process. On the contrary, this regulatory change reduces a barrier to entry for local governments desiring to deliver more information and provide services online, by allowing such entities to collaborate and share resources in the completion of this process. There will likely be a resulting cost savings to local governments which have limited time, resources, and expertise to conduct their own unique business analysis/risk assessment.

There are no additional costs imposed on OFT, the State or local governments by the implementation of this rule making.

5. Local Government Mandates: This rule making does not impose any program, service, duty or responsibility upon any local government. Under the existing rule, local governments who choose to engage in electronically signed transactions are already required to complete and document a business analysis and risk assessment for such a transaction before selecting an electronic signature solution for use in that transaction. This rule making will not impose additional mandates on those entities, but will instead provide government entities with an alternative method of complying with those requirements more efficiently.

6. Paperwork: This rule making does not impose any reporting requirements on anyone who elects to use or accept an electronic signature or record. No specific forms or paperwork are required to be filed with OFT or other governmental entities by any party. Nor does this rule making impose any reporting requirements on OFT beyond those already established in existing statutes.

7. Duplication: There are no State or federal government rules or legal requirements that duplicate, overlap or conflict with this rule making.

8. Alternatives: The option to allow governmental entities flexibility in meeting the requirements for a business analysis and risk assessment is not required under any new or existing law. OFT could have simply made minor technical modifications to the text of Part 540, conforming the rule to numbering and language changes that occurred in ESRA since 2003. Instead, and in support of the Governor's objective of reducing the impact of existing regulatory mandates on local governments as expressed in EO 17, OFT has decided to make the changes to § 540.4(c) as outlined above. In so doing, OFT decided to not only allow governmental entities to collaborate in the completion and documentation of business analyses and risk assessments in those electronic transactions common to such entities, but to maximize the flexibility afforded to governmental agencies engaged in this process by allowing a governmental entity to adopt as its own a business analysis and risk assessment that has been completed and documented by another governmental entity that involves that same electronic transaction.

9. Federal Standards: On June 30, 2000, the federal government enacted Public Law 106-229, Electronic Signatures in Global and National Commerce Act (E-Sign Law), effective October 1, 2000. The E-Sign Law authorizes the use and acceptance of electronic signatures and electronic records in lieu of handwritten signatures and paper documents in interstate and international commercial transactions. As noted above, ESRA does the same for purposes of private and public sector transactions in New York State. Chapter 314 of the Laws of 2002 amended ESRA to conform State law to that provision of the E-Sign Law that defined an electronic signature. Part 540 was subsequently amended to reflect that change. This rule making is consistent with that amendment and ensures that ESRA's implementing regulation continues to promote the use of electronic technology in New York State.

10. Compliance Schedule: This rule making will be effective upon publication of the notice of its adoption in the State Register.

A Regulatory Flexibility Analysis (RFA) is not attached, because this amended rule will not impose any adverse economic impact or reporting, record keeping or other compliance requirements on small businesses or local governments. This finding is based upon the fact that this amended rule addresses standards and procedures related to the voluntary use of electronic signatures and records by private and public parties, including small businesses and local governments. Neither the Electronic Signatures and Records Act (ESRA), which authorizes the adoption of this rule, nor the amended rule itself requires anyone to use an electronic signature or create an electronic record. For those who elect to use such technologies, this amended rule does not impose any reporting, record keeping or other compliance requirements beyond those that are already directed by existing statute, other rules or typical business practices. Instead, this proposed rule making provides all governmental entities, including local governments, with greater flexibility in complying with existing regulatory requirements.

A Rural Area Flexibility Analysis (RAFA) is not attached, because this amended rule will not impose any adverse economic impact on rural areas or reporting, recordkeeping or other compliance requirements on public or private entities in rural areas. This finding is based on the fact that this amended rule addresses standards and procedures related to the voluntary use of electronic signatures and records by private and public parties, including those located in rural areas or rural communities in the State. Neither the Electronic Signatures and Records Act (ESRA), which authorizes the adoption of this rule, nor the amended rule itself requires anyone to use an electronic signature or create an electronic record. For those who elect to use such technologies, this rule does not impose any reporting, recordkeeping or other compliance requirements other than those that are already directed by existing statute, other rules or typical business practices. Instead, this proposed rule making provides public entities in rural areas, including local governments, with greater flexibility in complying with existing regulatory requirements.

A Job Impact Statement (JIS) is not attached, because amendments made to 9 NYCRR Part 540 will not have a substantial adverse impact on jobs and employment opportunities as apparent from the amended rule’s continued nature and purpose. This rule will continue to address standards and procedures to implement the Electronic Signatures and Records Act (ESRA) in relation to electronic transactions voluntarily conducted by private and public parties. ESRA and this amended rule encourage individuals, public and private entities to use electronic signatures and records to facilitate, advance and improve commercial transactions and government operations throughout the State. Such use will improve commerce and provide economic growth in this State. Consequently, this amended rule will have a positive impact on jobs and employment opportunities.