ESRA AMENDED REGULATIONS
EFFECTIVE May 7, 2003
9 NYCRR SUBTITLE N - Express Terms
PART 540
ELECTRONIC SIGNATURES AND RECORDS ACT
(Statutory authority: State Technology Law, §§103, 104, 105 and 107; Executive Law §206-a)
§ 540.1 Purpose
(a) The purpose of this Part is to establish standards and procedures governing the use and authentication of electronic signatures and the utilization of electronic records in accordance with Article I of the State Technology Law, which establishes the Electronic Signatures and Records Act (ESRA). ESRA requires the Office for Technology (OFT), as the electronic facilitator, to establish rules governing the use of electronic signatures and records. ESRA recognizes the importance of technology to the State and the need to build a foundation for its acceptance, implementation and use by State agencies, local government, the private sector and citizens. Consistent with legislative intent, ESRA establishes that electronic signatures and records have the same force and effect as signatures and records produced by non-electronic means and should be utilized to facilitate both business in, as well as the business of, New York State.
(b) ESRA and this Part, among other things, ensure that persons who voluntarily elect to use electronic signatures or electronic records can do so with confidence that they carry the same force and effect as non-electronic signatures and records. Consistent with ESRA and this Part, parties agreeing to engage in electronic transactions may deploy electronic signatures and records in a manner that meets their practices and needs.
(c) New technologies are frequently being introduced. The intent of this Part is to be flexible enough to embrace future technologies that comply with ESRA and all other applicable statutes and regulations. The electronic facilitator shall conduct periodic reviews of the regulations to ensure that the regulations facilitate and promote the use of technological advancements and address privacy and confidentiality issues.
(d) Neither ESRA nor this Part requires any person to use a document bearing an electronic signature. Under ESRA and this Part, the use or acceptance of electronic records by governmental entities is voluntary.
(e) In accordance with ESRA, the use of an electronic signature as defined in ESRA shall have the same validity and effect as the use of a signature affixed by hand. Neither ESRA, nor this Part, shall in whole, or in part, be construed to limit any legal rights or privileges, contractual or otherwise, that parties may have in the use of electronic signatures and records.
(f) ESRA and this Part are designed to, among other things, afford governmental entities the greatest latitude to determine the most effective protocols for producing, receiving, accepting, acquiring, recording, filing, transmitting, forwarding and storing electronic signatures and electronic records within the confines of existing statutory and regulatory requirements regarding privacy, confidentiality and records retention.
§ 540.2 Definitions
For the purposes of this Part, the terms below have the following meanings:
(a) Business analysis and risk assessment means identifying and evaluating various factors relevant to the selection of an electronic signature for use or acceptance in an electronic transaction. Such factors include, but are not limited to, relationships between parties to an electronic transaction, value of the transaction, risk of intrusion, risk of repudiation of an electronic signature, risk of fraud, functionality and convenience, business necessity and the cost of employing a particular electronic signature process.
(b) Certificate means a data structure used in a public key system to bind a particular authenticated individual to a particular public key conforming to widely used industry standards.
(c) Certification Authority means a trusted party in a public key system that vouches for the authenticity of the individual or system in question by issuing certificates that are used for verification of electronic signatures produced by corresponding private keys. For purposes of this regulation, a trusted party that issues certificates which only that same trusted party uses for electronic signature verification purposes is not considered a certification authority. A certification authority is also commonly referred to as a certificate authority.
(d) Certificate Revocation List (CRL) means a publicly available list of certificates that have been revoked before their expiration date.
(e) Cryptographic Keys means the items of information used by a given algorithm to transform data into an unreadable format.
(f) Electronic signatory means the person authorized to generate an electronic signature.
(g) Governmental entity means any state department, board, bureau, division, commission, committee, public authority, public benefit corporation, council, office, or other governmental entity or officer of the state having statewide authority, except the state legislature, and any political subdivision of the state.
(h) Material change means a substantial change in the operating practices of a certification authority that affects the issuance, revocation, security, disposition, and any other aspect of the management of a certificate.
(i) Person means a natural person, corporation, trust, estate, partnership, incorporated or unincorporated association or any other legal entity, and also includes any department, agency, authority, or instrumentality of the state or its political subdivisions.
(j) Public Key, for purposes of public key cryptography, means the key made public for encryption.
(k) Receiving device means any physical or virtual point capable of receiving electronic records including, but not limited to, a website, e-mail address, hardware device or application.
§ 540.3 Electronic facilitator
(a) OFT, as the Electronic Facilitator, is responsible for administering this Part. In accordance with ESRA and Article 10-A of the Executive Law, OFT has the following functions, powers and duties, including, but not limited to:
(1) coordinate and facilitate statewide planning and establish statewide policy on the use of electronic signatures and records by governmental entities;
(2) request and receive information from governmental entities enabling OFT to properly carry out its functions, powers and duties under ESRA and this Part;
(3) identify and evaluate electronic technologies that meet the ESRA definition of an electronic signature. These duties shall include, but not be limited to, the following:
(i) establish a process to gather information on, review and evaluate these technologies; and
(ii) disseminate information about criteria for the selection and use of electronic signature technologies through preferred technology standards, guidelines and advisory services;
(4) develop guidelines that identify preferred technology standards, including, but not limited to, interoperability, consistency, security, confidentiality and privacy of electronic signatures and records;
(5) periodically review OFT's policies, technology standards and guidelines to ensure that they are consistent with national and international standards and current technology and business practices;
(6) review and coordinate the purchase of technology related to electronic signatures and records solutions by state agencies. Such review and coordination shall promote consistency with the goals of interoperability, statewide technology standards, guidelines, security of confidential records and proper dissemination of public information;
(7) advise and assist in developing policies, plans and programs for acquisition, deployment and use of electronic signature and records technology; and
(8) establish advisory committees, working groups, or other bodies to assist and advise OFT in carrying out the above duties and responsibilities.
(b) Governmental entities may define additional standards for electronic signatures and records after consulting with OFT to ensure that such standards are consistent with ESRA and this Part.
§ 540.4 Electronic signatures
(a) The use of an electronic signature as defined in ESRA shall have the same validity and effect as the use of a signature affixed by hand.
(b) In accordance with ESRA, an electronic signature is an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the record. An electronic signature is considered to be “attached to or logically associated with an electronic record” if the electronic signature is linked to the record during transmission and storage.
(c) A governmental entity shall complete and document a business analysis and risk assessment when selecting an electronic signature to be used or accepted by that governmental entity.
(d) Where a governmental entity agrees to use or accept an electronic signature that involves the services of a certification authority, the certification authority shall meet the following standards and operating practices:
(1) produce and maintain a certification practice statement or other documents containing, but not limited to, the following information:
(i) Community and applicability - describing the types of entities that the certificate authority certifies and the applications for which certificates may be used, and any restrictions relating to their use;
(ii) Identification and authentication policy - the policies used to bind a public key to an individual, including those policies addressing initial registration, reissuing a certificate with a new public key, reissuing a certificate with a new public key after revocation, revocation request and how name disputes, if any, are resolved;
(iii) Key management policy - describing the security measures taken by the certificate authority to protect its cryptographic keys and critical security parameters including the life-cycle management of keys from generation, through storage and usage, to archiving and destruction;
(iv) Local security policy - describing the physical, personnel and procedural controls used by the certificate authority to perform certificate authority functions securely, including key generation, user authentication, certificate registration, certificate revocation, audit, and archival and records management;
(v) Technical security policy - describing the software, hardware and network security controls used by a certificate authority to perform certificate authority functions including key generation, user authentication, certificate registration, certificate revocation, audit, and archival and records management;
(vi) Operations policy - describing the frequency of routine Certificate Revocation List (CRL) issuance, frequency of special CRL issuance (e.g., key compromise CRL), and frequency of certificate authority key changeover;
(vii) Legal provisions - describing the liability and obligations of the parties. This information must be prominently displayed in the documents required by this paragraph;
(viii) Certificate and CRL standards - describing the standards, versions and data included;
(ix) Policy administration - defining the authority that is responsible for the registration, maintenance and interpretation of policy including contact information and practice statement change procedures;
(x) Audit policy - describing the type and frequency of internal and external audits;
(xi) Personal privacy policy - reciting the certification authority's statutory obligation to maintain the confidentiality of personal information in accordance with the provisions of subdivision two of section 108 of the State Technology Law and section 540.6 of this Part;
(2) make the certification practice statement or other documents maintained in accordance with paragraph (1) of this subdivision available to any person who requests the same;
(3) have an audit performed by a certified public accounting firm that reports on the policies and procedures of the certification authority as set forth and maintained in accordance with the provisions of this subdivision, and tests the operational effectiveness of such procedures during the first year in service to a governmental entity, and every two years thereafter or when there is material change to its certification practices, whichever comes first; and
(4) make available to the public the final opinion letter resulting from an audit performed under paragraph (3) of this subdivision.
§ 540.5 Electronic records
(a) An electronic record used by a person shall have the same force and effect as those records not produced by electronic means.
(b) Pursuant to ESRA and this Part, governmental entities are authorized and empowered, but not required, to produce, receive, accept, acquire, record, file, transmit, forward and store electronic records. If any governmental entity uses electronic records it shall:
(1) ensure that anyone who uses the services of such governmental entity may obtain access to records as permitted by law, and may receive copies of such records in paper form in accordance with fees prescribed by law;
(2) not refuse to accept hard copy, non-electronic forms, reports, and other paper documents for submission or filing, except as otherwise provided by law; and
(3) not require the submission or filing of any record electronically, except as otherwise provided by law.
(c) All laws applicable to government records shall be applicable to electronic records maintained by governmental entities, including, but not limited to, retention, accessibility and disposition requirements established under the Arts and Cultural Affairs Law or the Judiciary Law.
(d) Governmental entities shall employ procedures and controls designed to ensure the authenticity, integrity, security and, when appropriate, the confidentiality of electronic records.
(e) Governmental entities using electronic records shall, in the absence of specific statutory or regulatory requirements, have the authority to specify the manner and format in which electronic records will be received, produced, accepted, acquired, recorded, filed, transmitted, forwarded, acknowledged and stored. For the purposes of ensuring the receipt of electronic records, governmental entities must designate the receiving device.
§ 540.6 Privacy
As required by ESRA:
(a) For purposes of the Freedom of Information Law, as set forth in article six of the Public Officers Law, and the Personal Privacy Protection Law, as set forth in article six-a of the Public Officers Law, electronic records shall be considered and treated in the same manner as any other record.
(b) Except to the extent disclosure of personal information is required by a court order or a statute, or if the information is used solely for statistical purposes in aggregate form, no person acting as a certification authority shall disclose to a third party any personal information reported to the certification authority by the electronic signatory other than the information necessary to issue or authenticate the certificate. Information reported to a certification authority for purposes other than issuing a certificate shall not be subject to this subdivision. For purposes of this subdivision the phrase "personal information" shall mean, but not be limited to, the following types of information which could identify a specific person: home and work address, telephone number, e-mail address, social security number, birth date, gender, marital status, mother's maiden name, and health data.
Last Updated 5/07/03