Chapter 19.34 RCW

WASHINGTON ELECTRONIC AUTHENTICATION ACT

Sections

19.34.010Purpose and construction.
19.34.020Definitions.
19.34.030SecretaryDuties.
19.34.040SecretaryFeesDisposition.
19.34.100Certification authoritiesLicensureQualificationsRevocation and suspension.
19.34.101Expiration of licensesRenewalRules.
19.34.110Compliance audits.
19.34.111Qualifications of auditor signing report of opinionCompliance audits under state auditor's authority.
19.34.120Licensed certification authoritiesEnforcementSuspension or revocationPenaltiesRulesCostsProcedureInjunctions.
19.34.130Certification authoritiesProhibited activitiesStatement by secretary advising of certification authorities creating prohibited risksProtestHearingDispositionNoticeProcedure.
19.34.200Licensed certification authoritiesRequirements.
19.34.210CertificateIssuanceConfirmation of informationConfirmation of prospective subscriberStandards, statements, plans, requirements more rigorous than chapterRevocation, suspensionInvestigationNoticeProcedure.
19.34.220Licensed certification authoritiesWarranties, obligations upon issuance of certificateNotice.
19.34.230SubscribersRepresentations and duties upon acceptance of certificate.
19.34.231City or county as certification authority.
19.34.240Private keyControlPublic disclosure exemption.
19.34.250Suspension of certificateEvidenceInvestigationNoticeTerminationLimitation or preclusion by contractMisrepresentationPenaltyContracts for regional enforcement by agenciesRules.
19.34.260Revocation of certificateConfirmationNoticeRelease from security dutyDischarge of warranties.
19.34.270CertificateExpiration.
19.34.280Recommended reliance limitLiabilityDamages.
19.34.290Collection based on suitable guarantyProceedsAttorneys' feesCostsNoticeRecovery of qualified right of payment.
19.34.291Discontinuation of certification authority servicesDuties of authorityContinuation of guarantyProcess to maintain and update recordsRulesCosts.
19.34.300Satisfaction of signature requirements.
19.34.305Acceptance of digital signature in reasonable manner.
19.34.310Unreliable digital signaturesRisk.
19.34.311Reasonableness of relianceFactors.
19.34.320Digital message as written on paperRequirementsOther requirements not affectedException from uniform commercial code.
19.34.321Acceptance of certified court documents in electronic formRequirementsRules of court on use in proceedings.
19.34.330Digital message deemed original.
19.34.340Certificate as acknowledgmentRequirementsExceptionResponsibility of certification authority.
19.34.350Adjudicating disputesPresumptions.
19.34.351Alteration of chapter by agreementExceptions.
19.34.360Presumptions of validity/limitations on liabilityConformance with chapter.
19.34.400Recognition of repositoriesApplicationDiscontinuanceProcedure.
19.34.410RepositoriesLiabilityExemptionsLiquidation, limitation, alteration, or exclusion of damages.
19.34.420Confidentiality of certain recordsLimited access to state auditor.
19.34.500Rule making.
19.34.501Chapter supersedes and preempts local actions.
19.34.502Criminal prosecution not precludedRemedies not exclusiveInjunctive relief availability.
19.34.503Jurisdiction, venue, choice of laws.
19.34.900Short title.
19.34.901Effective date1996 c 250.

NOTES:

Digital signature violations: RCW 9.38.060.


Purpose and construction.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
This chapter shall be construed consistently with what is commercially reasonable under the circumstances and to effectuate the following purposes:
(1) To facilitate commerce by means of reliable electronic messages;
(2) To ensure that electronic signatures are not denied legal recognition solely because they are in electronic form;
(3) To provide a voluntary licensing mechanism for digital signature certification authorities by which businesses, consumers, courts, government agencies, and other entities can reasonably be assured as to the integrity, authenticity, and nonrepudiation of a digitally signed electronic communication;
(4) To establish procedures governing the use of digital signatures for official public business to provide reasonable assurance of the integrity, authenticity, and nonrepudiation of an electronic communication;
(5) To minimize the incidence of forged digital signatures and fraud in electronic commerce;
(6) To implement legally the general import of relevant standards; and
(7) To establish, in coordination with states and other jurisdictions, uniform rules regarding the authentication and reliability of electronic messages.

NOTES:

Effective date1999 c 287: "This act is necessary for the immediate preservation of the public peace, health, or safety, or support of the state government and its existing public institutions, and takes effect immediately [May 13, 1999]." [ 1999 c 287 § 20.]



Definitions.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
Unless the context clearly requires otherwise, the definitions in this section apply throughout this chapter:
(1) "Accept a certificate" means to manifest approval of a certificate, while knowing or having notice of its contents. Such approval may be manifested by the use of the certificate.
(2) "Accept a digital signature" means to verify a digital signature or take an action in reliance on a digital signature.
(3) "Asymmetric cryptosystem" means an algorithm or series of algorithms that provide a secure key pair.
(4) "Certificate" means a computer-based record that:
(a) Identifies the certification authority issuing it;
(b) Names or identifies its subscriber;
(c) Contains the subscriber's public key; and
(d) Is digitally signed by the certification authority issuing it.
(5) "Certification authority" means a person who issues a certificate.
(6) "Certification authority disclosure record" means an online, publicly accessible record that concerns a licensed certification authority and is kept by the secretary.
(7) "Certification practice statement" means a declaration of the practices that a certification authority employs in issuing certificates.
(8) "Certify" means to declare with reference to a certificate, with ample opportunity to reflect, and with a duty to apprise oneself of all material facts.
(9) "Confirm" means to ascertain through appropriate inquiry and investigation.
(10) "Correspond," with reference to keys, means to belong to the same key pair.
(11) "Digital signature" means an electronic signature that is a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine:
(a) Whether the transformation was created using the private key that corresponds to the signer's public key; and
(b) Whether the initial message has been altered since the transformation was made.
(12) "Electronic" means electrical, digital, magnetic, optical, electromagnetic, or any other form of technology that entails capabilities similar to these technologies.
(13) "Electronic record" means a record generated, communicated, received, or stored by electronic means for use in an information system or for transmission from one information system to another.
(14) "Electronic signature" means a signature in electronic form attached to or logically associated with an electronic record, including but not limited to a digital signature.
(15) "Financial institution" means a national or state-chartered commercial bank or trust company, savings bank, savings association, or credit union authorized to do business in the state of Washington and the deposits of which are federally insured.
(16) "Forge a digital signature" means either:
(a) To create a digital signature without the authorization of the rightful holder of the private key; or
(b) To create a digital signature verifiable by a certificate listing as subscriber a person who either:
(i) Does not exist; or
(ii) Does not hold the private key corresponding to the public key listed in the certificate.
(17) "Hold a private key" means to be authorized to utilize a private key.
(18) "Incorporate by reference" means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated.
(19) "Issue a certificate" means the acts of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate.
(20) "Key pair" means a private key and its corresponding public key in an asymmetric cryptosystem, keys which have the property that the public key can verify a digital signature that the private key creates.
(21) "Licensed certification authority" means a certification authority to whom a license has been issued by the secretary and whose license is in effect.
(22) "Message" means a digital representation of information.
(23) "Notify" means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person.
(24) "Official public business" means any legally authorized transaction or communication among state agencies, tribes, and local governments, or between a state agency, tribe, or local government and a private person or entity.
(25) "Operative personnel" means one or more natural persons acting as a certification authority or its agent, or in the employment of, or under contract with, a certification authority, and who have:
(a) Duties directly involving the issuance of certificates, or creation of private keys;
(b) Responsibility for the secure operation of the trustworthy system used by the certification authority or any recognized repository;
(c) Direct responsibility, beyond general supervisory authority, for establishing or adopting policies regarding the operation and security of the certification authority; or
(d) Such other responsibilities or duties as the secretary may establish by rule.
(26) "Person" means a human being or an organization capable of signing a document, either legally or as a matter of fact.
(27) "Private key" means the key of a key pair used to create a digital signature.
(28) "Public key" means the key of a key pair used to verify a digital signature.
(29) "Publish" means to make information publicly available.
(30) "Qualified right to payment" means an award of damages against a licensed certification authority by a court having jurisdiction over the certification authority in a civil action for violation of this chapter.
(31) "Recipient" means a person who has received a certificate and a digital signature verifiable with reference to a public key listed in the certificate and is in a position to rely on it.
(32) "Recognized repository" means a repository recognized by the secretary under RCW 19.34.400.
(33) "Recommended reliance limit" means the monetary amount recommended for reliance on a certificate under RCW 19.34.280(1).
(34) "Repository" means a system for storing and retrieving certificates and other information relevant to digital signatures.
(35) "Revoke a certificate" means to make a certificate ineffective permanently from a specified time forward. Revocation is effected by notation or inclusion in a set of revoked certificates, and does not imply that a revoked certificate is destroyed or made illegible.
(36) "Rightfully hold a private key" means the authority to utilize a private key:
(a) That the holder or the holder's agents have not disclosed to a person in violation of RCW 19.34.240(1); and
(b) That the holder has not obtained through theft, deceit, eavesdropping, or other unlawful means.
(37) "Secretary" means the secretary of state.
(38) "Subscriber" means a person who:
(a) Is the subject listed in a certificate;
(b) Applies for or accepts the certificate; and
(c) Holds a private key that corresponds to a public key listed in that certificate.
(39) "Suitable guaranty" means either a surety bond executed by a surety authorized by the insurance commissioner to do business in this state, or an irrevocable letter of credit issued by a financial institution authorized to do business in this state, which, in either event, satisfies all of the following requirements:
(a) It is issued payable to the secretary for the benefit of persons holding qualified rights of payment against the licensed certification authority named as the principal of the bond or customer of the letter of credit;
(b) It is in an amount specified by rule by the secretary under RCW 19.34.030;
(c) It states that it is issued for filing under this chapter;
(d) It specifies a term of effectiveness extending at least as long as the term of the license to be issued to the certification authority; and
(e) It is in a form prescribed or approved by rule by the secretary.
A suitable guaranty may also provide that the total annual liability on the guaranty to all persons making claims based on it may not exceed the face amount of the guaranty.
(40) "Suspend a certificate" means to make a certificate ineffective temporarily for a specified time forward.
(41) "Time stamp" means either:
(a) To append or attach a digitally signed notation indicating at least the date, time, and identity of the person appending or attaching the notation to a message, digital signature, or certificate; or
(b) The notation thus appended or attached.
(42) "Transactional certificate" means a valid certificate incorporating by reference one or more digital signatures.
(43) "Trustworthy system" means computer hardware and software that:
(a) Are reasonably secure from intrusion and misuse; and
(b) Conform with the requirements established by the secretary by rule.
(44) "Valid certificate" means a certificate that:
(a) A licensed certification authority has issued;
(b) The subscriber listed in it has accepted;
(c) Has not been revoked or suspended; and
(d) Has not expired.
However, a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference.
(45) "Verify a digital signature" means, in relation to a given digital signature, message, and public key, to determine accurately that:
(a) The digital signature was created by the private key corresponding to the public key; and
(b) The message has not been altered since its digital signature was created.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



SecretaryDuties.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) The secretary must publish a certification authority disclosure record for each licensed certification authority, and a list of all judgments filed with the secretary, within the previous five years, under RCW 19.34.290.
(2) The secretary may adopt rules consistent with this chapter and in furtherance of its purposes:
(a) To license certification authorities, recognize repositories, certify operative personnel, and govern the practices of each;
(b) To determine the form and amount reasonably appropriate for a suitable guaranty, in light of the burden a suitable guaranty places upon licensed certification authorities and the assurance of quality and financial responsibility it provides to persons who rely on certificates issued by licensed certification authorities;
(c) To specify reasonable requirements for information to be contained in or the form of certificates, including transactional certificates, issued by licensed certification authorities, in accordance with generally accepted standards for digital signature certificates;
(d) To specify reasonable requirements for recordkeeping by licensed certification authorities;
(e) To specify reasonable requirements for the content, form, and sources of information in certification authority disclosure records, the updating and timeliness of the information, and other practices and policies relating to certification authority disclosure records;
(f) To specify the form of and information required in certification practice statements, as well as requirements regarding the publication of certification practice statements;
(g) To specify the procedure and manner in which a certificate may be suspended or revoked, as consistent with this chapter;
(h) To specify the procedure and manner by which the laws of other jurisdictions may be recognized, in order to further uniform rules regarding the authentication and reliability of electronic messages; and
(i) Otherwise to give effect to and implement this chapter.
(3) The secretary may act as a certification authority, and the certificates issued by the secretary shall be treated as having been issued by a licensed certification authority.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.
Effective date1997 c 27: "Sections 1 through 23, 25 through 27, and 29 through 34 of this act take effect January 1, 1998." [ 1997 c 27 § 35.]
Severability1997 c 27: "If any provision of this act or its application to any person or circumstance is held invalid, the remainder of the act or the application of the provision to other persons or circumstances is not affected." [ 1997 c 27 § 36.]



SecretaryFeesDisposition.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
The secretary may adopt rules establishing reasonable fees for all services rendered by the secretary under this chapter, in amounts that are reasonably calculated to be sufficient to compensate for the costs of all services under this chapter, but that are not estimated to exceed those costs in the aggregate. All fees recovered by the secretary must be deposited in the state general fund.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Certification authoritiesLicensureQualificationsRevocation and suspension.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) To obtain or retain a license, a certification authority must:
(a) Provide proof of identity to the secretary;
(b) Employ only certified operative personnel in appropriate positions;
(c) File with the secretary an appropriate, suitable guaranty, unless the certification authority is a city or county that is self-insured or the consolidated technology services agency;
(d) Use a trustworthy system;
(e) Maintain an office in this state or have established a registered agent for service of process in this state; and
(f) Comply with all further licensing and practice requirements established by rule by the secretary.
(2) The secretary may by rule create license classifications according to specified limitations, and the secretary may issue licenses restricted according to the limits of each classification.
(3) The secretary may impose license restrictions specific to the practices of an individual certification authority. The secretary shall set forth in writing and maintain as part of the certification authority's license application file the basis for such license restrictions.
(4) The secretary may revoke or suspend a certification authority's license, in accordance with the administrative procedure act, chapter 34.05 RCW, for failure to comply with this chapter or for failure to remain qualified under subsection (1) of this section. The secretary may order the summary suspension of a license pending proceedings for revocation or other action, which must be promptly instituted and determined, if the secretary includes within a written order a finding that the certification authority has either:
(a) Utilized its license in the commission of a violation of a state or federal criminal statute or of chapter 19.86 RCW; or
(b) Engaged in conduct giving rise to a serious risk of loss to public or private parties if the license is not immediately suspended.
(5) The secretary may recognize by rule the licensing or authorization of certification authorities by other governmental entities, in whole or in part, provided that those licensing or authorization requirements are substantially similar to those of this state. If licensing by another government is so recognized:
(a) RCW 19.34.300 through 19.34.350 apply to certificates issued by the certification authorities licensed or authorized by that government in the same manner as it applies to licensed certification authorities of this state; and
(b) The liability limits of RCW 19.34.280 apply to the certification authorities licensed or authorized by that government in the same manner as they apply to licensed certification authorities of this state.
(6) A certification authority that has not obtained a license is not subject to the provisions of this chapter, except as specifically provided.

NOTES:

Effective date2015 3rd sp.s. c 1 §§ 401-405, 409, 411, and 412: See note following RCW 2.36.057.
Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Expiration of licensesRenewalRules.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
Licenses issued under this chapter expire one year after issuance, except that the secretary may provide by rule for a longer duration. The secretary shall provide, by rule, for a system of license renewal, which may include requirements for continuing education.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Compliance audits.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) A licensed certification authority shall obtain a compliance audit at such times and in such manner as directed by rule of the secretary. If the certification authority is also a recognized repository, the audit must include the repository.
(2) The certification authority shall file a copy of the audit report with the secretary. The secretary may provide by rule for filing of the report in an electronic format and may publish the report in the certification authority disclosure record it maintains for the certification authority.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Qualifications of auditor signing report of opinionCompliance audits under state auditor's authority.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) An auditor signing a report of opinion as to a compliance audit required by RCW 19.34.110 must:
(a) Be a certified public accountant, licensed under chapter 18.04 RCW or equivalent licensing statute of another jurisdiction; and
(b) Meet such other qualifications as the secretary may establish by rule.
(2) The compliance audits of state agencies and local governments who are licensed certification authorities, and the secretary, must be performed under the authority of the state auditor. The state auditor may contract with private entities as needed to comply with this chapter.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Licensed certification authoritiesEnforcementSuspension or revocationPenaltiesRulesCostsProcedureInjunctions.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) The secretary may investigate the activities of a licensed certification authority material to its compliance with this chapter and issue orders to a certification authority to further its investigation and secure compliance with this chapter.
(2) The secretary may suspend or revoke the license of a certification authority for its failure to comply with an order of the secretary.
(3) The secretary may by order impose and collect a civil penalty against a licensed certification authority for a violation of this chapter. The penalty shall not exceed ten thousand dollars per incident, or ninety percent of the recommended reliance limit of a material certificate, whichever is less. In case of a violation continuing for more than one day, each day is considered a separate incident. The secretary may adopt rules setting forth the standards governing the exercise of the secretary's discretion as to penalty amounts. In the case of a state agency authorized by law to be a licensed certification authority, the sole penalty imposed under this subsection shall consist of specific findings of noncompliance and an order requiring compliance with this chapter and the rules of the secretary. Any penalty imposed under this chapter and chapter 34.05 RCW shall be enforceable in any court of competent jurisdiction.
(4) The secretary may order a certification authority, which it has found to be in violation of this chapter, to pay the costs incurred by the secretary in prosecuting and adjudicating proceedings relative to the order, and enforcing it.
(5) The secretary must exercise authority under this section in accordance with the administrative procedure act, chapter 34.05 RCW, and a licensed certification authority may obtain judicial review of the secretary's actions as prescribed by chapter 34.05 RCW. The secretary may also seek injunctive relief to compel compliance with an order.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Certification authoritiesProhibited activitiesStatement by secretary advising of certification authorities creating prohibited risksProtestHearingDispositionNoticeProcedure.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) No certification authority, whether licensed or not, may conduct its business in a manner that creates an unreasonable risk of loss to subscribers of the certification authority, to persons relying on certificates issued by the certification authority, or to a repository.
(2) The secretary may publish brief statements advising subscribers, persons relying on digital signatures, or other repositories about activities of a certification authority, whether licensed or not, that create a risk prohibited by subsection (1) of this section. The certification authority named in a statement as creating or causing such a risk may protest the publication of the statement by filing a written defense of ten thousand bytes or less. Upon receipt of such a protest, the secretary must publish the protest along with the secretary's statement, and must promptly give the protesting certification authority notice and an opportunity to be heard. Following the hearing, the secretary must rescind the advisory statement if its publication was unwarranted under this section, cancel it if its publication is no longer warranted, continue or amend it if it remains warranted, or take further legal action to eliminate or reduce a risk prohibited by subsection (1) of this section. The secretary must publish its decision in the repository it provides.
(3) In the manner provided by the administrative procedure act, chapter 34.05 RCW, the secretary may issue orders and obtain injunctions or other civil relief to prevent or restrain a certification authority from violating this section, regardless of whether the certification authority is licensed. This section does not create a right of action in a person other than the secretary.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.



Licensed certification authoritiesRequirements.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) A licensed certification authority shall use only a trustworthy system to issue, suspend, or revoke certificates. A licensed certification authority shall use a recognized repository to publish or give notice of the issuance, suspension, or revocation of a certificate.
(2) A licensed certification authority shall publish a certification practice statement in accordance with the rules established by the secretary. The secretary shall publish the certification practice statements of licensed certification authorities submitted as part of the licensing process in a manner similar to the publication of the certification authority disclosure record.
(3) A licensed certification authority shall knowingly employ as operative personnel only persons who have not been convicted within the past seven years of a felony and have never been convicted of a crime involving fraud, false statement, or deception. For purposes of this subsection, a certification authority knowingly employs such a person if the certification authority knew of a conviction, or should have known based on information required by rule of the secretary. Operative personnel employed by a licensed certification authority must also be persons who have demonstrated knowledge and proficiency in following the requirements of this chapter. The secretary may provide by rule for the certification of operative personnel, and provide by rule for the manner in which criminal background information is provided as part of the certification process, as well as the manner in which knowledge and proficiency in following the requirements of this chapter may be demonstrated.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



CertificateIssuanceConfirmation of informationConfirmation of prospective subscriberStandards, statements, plans, requirements more rigorous than chapterRevocation, suspensionInvestigationNoticeProcedure.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:
(a) The certification authority has received a request for issuance signed by the prospective subscriber; and
(b) The certification authority has confirmed that:
(i) The prospective subscriber is the person to be listed in the certificate to be issued;
(ii) If the prospective subscriber is acting through one or more agents, the subscriber duly authorized the agent or agents to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;
(iii) The information in the certificate to be issued is accurate;
(iv) The prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(v) The prospective subscriber holds a private key capable of creating a digital signature;
(vi) The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber; and
(vii) The certificate provides information sufficient to locate or identify one or more repositories in which notification of the revocation or suspension of the certificate will be listed if the certificate is suspended or revoked.
(c) The requirements of this subsection may not be waived or disclaimed by either the licensed certification authority, the subscriber, or both.
(2) In confirming that the prospective subscriber is the person to be listed in the certificate to be issued, a licensed certification authority shall make a reasonable inquiry into the subscriber's identity in light of:
(a) Any statements made by the certification authority regarding the reliability of the certificate;
(b) The reliance limit of the certificate;
(c) Any recommended uses or applications for the certificate; and
(d) Whether the certificate is a transactional certificate or not.
(3) A certification authority shall be presumed to have confirmed that the prospective subscriber is the person to be listed in a certificate where:
(a) The subscriber appears before the certification authority and presents identification documents consisting of at least one of the following:
(i) A current identification document issued by or under the authority of the United States, or such similar identification document issued under the authority of another country;
(ii) A current driver's license issued by a state of the United States; or
(iii) A current personal identification card issued by a state of the United States; and
(b) Operative personnel certified according to law or a notary has reviewed and accepted the identification information of the subscriber.
(4) The certification authority may establish policies regarding the publication of certificates in its certification practice statement, which must be adhered to unless an agreement between the certification authority and the subscriber provides otherwise. If the certification authority does not establish such a policy, the certification authority must publish a signed copy of the certificate in a recognized repository.
(5) Nothing in this section precludes a licensed certification authority from conforming to standards, certification practice statements, security plans, or contractual requirements more rigorous than, but nevertheless consistent with, this chapter.
(6) After issuing a certificate, a licensed certification authority must revoke it immediately upon confirming that it was not issued as required by this section. A licensed certification authority may also suspend a certificate that it has issued for a period not exceeding five business days as needed for an investigation to confirm grounds for revocation under this subsection. The certification authority must give notice to the subscriber as soon as practicable after a decision to revoke or suspend under this subsection.
(7) The secretary may order the licensed certification authority to suspend or revoke a certificate that the certification authority issued, if, after giving any required notice and opportunity for the certification authority and subscriber to be heard in accordance with the administrative procedure act, chapter 34.05 RCW, the secretary determines that:
(a) The certificate was issued without substantial compliance with this section; and
(b) The noncompliance poses a significant risk to persons relying on the certificate.
Upon determining that an emergency requires an immediate remedy, and in accordance with the administrative procedure act, chapter 34.05 RCW, the secretary may issue an order suspending a certificate for a period not to exceed five business days.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Licensed certification authoritiesWarranties, obligations upon issuance of certificateNotice.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate that:
(a) The certificate contains no information known to the certification authority to be false;
(b) The certificate satisfies all material requirements of this chapter; and
(c) The certification authority has not exceeded any limits of its license in issuing the certificate.
The certification authority may not disclaim or limit the warranties of this subsection.
(2) Unless the subscriber and certification authority otherwise agree, a certification authority, by issuing a certificate, promises to the subscriber:
(a) To act promptly to suspend or revoke a certificate in accordance with RCW 19.34.250 or 19.34.260; and
(b) To notify the subscriber within a reasonable time of any facts known to the certification authority that significantly affect the validity or reliability of the certificate once it is issued.
(3) By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the information contained in the certificate, or on a digital signature verifiable by the public key listed in the certificate, that:
(a) The information in the certificate and listed as confirmed by the certification authority is accurate;
(b) All information foreseeably material to the reliability of the certificate is stated or incorporated by reference within the certificate;
(c) The subscriber has accepted the certificate; and
(d) The licensed certification authority has complied with all applicable laws of this state governing issuance of the certificate.
(4) By publishing a certificate, a licensed certification authority certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the certification authority has issued the certificate to the subscriber.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



SubscribersRepresentations and duties upon acceptance of certificate.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) By accepting a certificate issued by a licensed certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that:
(a) The subscriber rightfully holds the private key corresponding to the public key listed in the certificate;
(b) All representations made by the subscriber to the certification authority and material to the information listed in the certificate are true; and
(c) All material representations made by the subscriber to a certification authority or made in the certificate and not confirmed by the certification authority in issuing the certificate are true.
(2) By requesting on behalf of a principal the issuance of a certificate naming the principal as subscriber, the requesting person certifies in that person's own right to all who reasonably rely on the information contained in the certificate that the requesting person:
(a) Holds all authority legally required to apply for issuance of a certificate naming the principal as subscriber; and
(b) Has authority to sign digitally on behalf of the principal, and, if that authority is limited in any way, adequate safeguards exist to prevent a digital signature exceeding the bounds of the person's authority.
(3) No person may disclaim or contractually limit the application of this section, nor obtain indemnity for its effects, if the disclaimer, limitation, or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.
(4) By accepting a certificate, a subscriber undertakes to indemnify the issuing certification authority for loss or damage caused by issuance or publication of a certificate in reliance on:
(a) A false and material representation of fact by the subscriber; or
(b) The failure by the subscriber to disclose a material fact;
if the representation or failure to disclose was made either with intent to deceive the certification authority or a person relying on the certificate, or with negligence. If the certification authority issued the certificate at the request of one or more agents of the subscriber, the agent or agents personally undertake to indemnify the certification authority under this subsection, as if they were accepting subscribers in their own right. The indemnity provided in this section may not be disclaimed or contractually limited in scope. However, a contract may provide consistent, additional terms regarding the indemnification.
(5) In obtaining information of the subscriber material to issuance of a certificate, the certification authority may require the subscriber to certify the accuracy of relevant information under oath or affirmation of truthfulness and under penalty of perjury.



City or county as certification authority.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
A city or county may become a licensed certification authority under RCW 19.34.100 for purposes of providing services to local government, if authorized by ordinance adopted by the city or county legislative authority.

NOTES:

Effective datePurpose2011 1st sp.s. c 43: See notes following RCW 43.19.003.
Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Private keyControlPublic disclosure exemption.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) By accepting a certificate issued by a licensed certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to a person not authorized to create the subscriber's digital signature. The subscriber is released from this duty if the certificate expires or is revoked.
(2) A private key is the personal property of the subscriber who rightfully holds it.
(3) A private key in the possession of a state agency or local agency, as those terms are defined by RCW 42.17A.005, is exempt from public inspection and copying under chapter 42.56 RCW.

NOTES:

Effective date2011 c 60: See RCW 42.17A.919.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Suspension of certificateEvidenceInvestigationNoticeTerminationLimitation or preclusion by contractMisrepresentationPenaltyContracts for regional enforcement by agenciesRules.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) Unless the certification authority provides otherwise in the certificate or its certification practice statement, the licensed certification authority that issued a certificate that is not a transactional certificate must suspend the certificate for a period not to exceed five business days:
(a) Upon request by a person whom the certification authority reasonably believes to be: (i) The subscriber named in the certificate; (ii) a person duly authorized to act for that subscriber; or (iii) a person acting on behalf of the unavailable subscriber; or
(b) By order of the secretary under RCW 19.34.210(7).
The certification authority need not confirm the identity or agency of the person requesting suspension. The certification authority may require the person requesting suspension to provide evidence, including a statement under oath or affirmation, regarding the requestor's identity, authorization, or the unavailability of the subscriber. Law enforcement agencies may investigate suspensions for possible wrongdoing by persons requesting suspension.
(2) Unless the certification authority provides otherwise in the certificate or its certification practice statement, the secretary may suspend a certificate issued by a licensed certification authority for a period not to exceed five business days, if:
(a) A person identifying himself or herself as the subscriber named in the certificate, a person authorized to act for that subscriber, or a person acting on behalf of that unavailable subscriber requests suspension; and
(b) The requester represents that the certification authority that issued the certificate is unavailable.
The secretary may require the person requesting suspension to provide evidence, including a statement under oath or affirmation, regarding his or her identity, authorization, or the unavailability of the issuing certification authority, and may decline to suspend the certificate in its discretion. Law enforcement agencies may investigate suspensions by the secretary for possible wrongdoing by persons requesting suspension.
(3) Immediately upon suspension of a certificate by a licensed certification authority, the licensed certification authority must give notice of the suspension according to the specification in the certificate. If one or more repositories are specified, then the licensed certification authority must publish a signed notice of the suspension in all the repositories. If a repository no longer exists or refuses to accept publication, or if no repository is recognized under RCW 19.34.400, the licensed certification authority must also publish the notice in a recognized repository. If a certificate is suspended by the secretary, the secretary must give notice as required in this subsection for a licensed certification authority, provided that the person requesting suspension pays in advance any fee required by a repository for publication of the notice of suspension.
(4) A certification authority must terminate a suspension initiated by request only:
(a) If the subscriber named in the suspended certificate requests termination of the suspension, the certification authority has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorized to terminate the suspension; or
(b) When the certification authority discovers and confirms that the request for the suspension was made without authorization by the subscriber. However, this subsection (4)(b) does not require the certification authority to confirm a request for suspension.
(5) The contract between a subscriber and a licensed certification authority may limit or preclude requested suspension by the certification authority, or may provide otherwise for termination of a requested suspension. However, if the contract limits or precludes suspension by the secretary when the issuing certification authority is unavailable, the limitation or preclusion is effective only if notice of it is published in the certificate.
(6) No person may knowingly or intentionally misrepresent to a certification authority his or her identity or authorization in requesting suspension of a certificate. Violation of this subsection is a gross misdemeanor.
(7) The secretary may authorize other state or local governmental agencies to perform any of the functions of the secretary under this section upon a regional basis. The authorization must be formalized by an agreement under chapter 39.34 RCW. The secretary may provide by rule the terms and conditions of the regional services.
(8) A suspension under this section must be completed within twenty-four hours of receipt of all information required in this section.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Revocation of certificateConfirmationNoticeRelease from security dutyDischarge of warranties.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) A licensed certification authority must revoke a certificate that it issued but which is not a transactional certificate, after:
(a) Receiving a request for revocation by the subscriber named in the certificate; and
(b) Confirming that the person requesting revocation is the subscriber, or is an agent of the subscriber with authority to request the revocation.
(2) A licensed certification authority must confirm a request for revocation and revoke a certificate within one business day after receiving both a subscriber's written request and evidence reasonably sufficient to confirm the identity and any agency of the person requesting the revocation.
(3) A licensed certification authority must revoke a certificate that it issued:
(a) Upon receiving a certified copy of the subscriber's death certificate, or upon confirming by other evidence that the subscriber is dead; or
(b) Upon presentation of documents effecting a dissolution of the subscriber, or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist, except that if the subscriber is dissolved and is reinstated or restored before revocation is completed, the certification authority is not required to revoke the certificate.
(4) A licensed certification authority may revoke one or more certificates that it issued if the certificates are or become unreliable, regardless of whether the subscriber consents to the revocation and notwithstanding a provision to the contrary in a contract between the subscriber and certification authority.
(5) Immediately upon revocation of a certificate by a licensed certification authority, the licensed certification authority must give notice of the revocation according to the specification in the certificate. If one or more repositories are specified, then the licensed certification authority must publish a signed notice of the revocation in all repositories. If a repository no longer exists or refuses to accept publication, or if no repository is recognized under RCW 19.34.400, then the licensed certification authority must also publish the notice in a recognized repository.
(6) A subscriber ceases to certify, as provided in RCW 19.34.230, and has no further duty to keep the private key secure, as required by RCW 19.34.240, in relation to the certificate whose revocation the subscriber has requested, beginning at the earlier of either:
(a) When notice of the revocation is published as required in subsection (5) of this section; or
(b) One business day after the subscriber requests revocation in writing, supplies to the issuing certification authority information reasonably sufficient to confirm the request, and pays any contractually required fee.
(7) Upon notification as required by subsection (5) of this section, a licensed certification authority is discharged of its warranties based on issuance of the revoked certificate, as to transactions occurring after the notification, and ceases to certify as provided in RCW 19.34.220 (2) and (3) in relation to the revoked certificate.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



CertificateExpiration.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) A certificate must indicate the date on which it expires.
(2) When a certificate expires, the subscriber and certification authority cease to certify as provided in this chapter and the certification authority is discharged of its duties based on issuance, in relation to the expired certificate.



Recommended reliance limitLiabilityDamages.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) By clearly specifying a recommended reliance limit in a certificate and in the certification practice statement, the issuing certification authority recommends that persons rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.
(2) Subject to subsection (3) of this section, unless a licensed certification authority waives application of this subsection, a licensed certification authority is:
(a) Not liable for a loss caused by reliance on a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the certification authority complied with all material requirements of this chapter;
(b) Not liable in excess of the amount specified in the certificate as its recommended reliance limit for either:
(i) A loss caused by reliance on a misrepresentation in the certificate of a fact that the licensed certification authority is required to confirm; or
(ii) Failure to comply with RCW 19.34.210 in issuing the certificate;
(c) Not liable for:
(i) Punitive or exemplary damages. Nothing in this chapter may be interpreted to permit punitive or exemplary damages that would not otherwise be permitted by the law of this state; or
(ii) Damages for pain or suffering.
(3) Nothing in subsection (2)(a) of this section relieves a licensed certification authority of its liability for breach of any of the warranties or certifications it gives under RCW 19.34.220 or for its lack of good faith, which warranties and obligation of good faith may not be disclaimed. However, the standards by which the performance of a licensed certification authority's obligation of good faith is to be measured may be determined by agreement or notification complying with subsection (4) of this section if the standards are not manifestly unreasonable. The liability of a licensed certification authority under this subsection is subject to the limitations in subsection (2)(b) and (c) of this section unless the limits are waived by the licensed certification authority.
(4) Consequential or incidental damages may be liquidated, or may otherwise be limited, altered, or excluded unless the limitation, alteration, or exclusion is unconscionable. A licensed certification authority may liquidate, limit, alter, or exclude consequential or incidental damages as provided in this subsection by agreement or by notifying any person who will rely on a certificate of the liquidation, limitation, alteration, or exclusion before the person relies on the certificate.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Collection based on suitable guarantyProceedsAttorneys' feesCostsNoticeRecovery of qualified right of payment.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1)(a) If the suitable guaranty is a surety bond, a person may recover from the surety the full amount of a qualified right to payment against the principal named in the bond, or, if there is more than one such qualified right to payment during the term of the bond, a ratable share, up to a maximum total liability of the surety equal to the amount of the bond.
(b) If the suitable guaranty is a letter of credit, a person may recover from the issuing financial institution only in accordance with the terms of the letter of credit.
Claimants may recover successively on the same suitable guaranty, provided that the total liability on the suitable guaranty to all persons making qualified rights of payment during its term must not exceed the amount of the suitable guaranty.
(2) In addition to recovering the amount of a qualified right to payment, a claimant may recover from the proceeds of the guaranty, until depleted, the attorneys' fees, reasonable in amount, and court costs incurred by the claimant in collecting the claim, provided that the total liability on the suitable guaranty to all persons making qualified rights of payment or recovering attorneys' fees during its term must not exceed the amount of the suitable guaranty.
(3) To recover a qualified right to payment against a surety or issuer of a suitable guaranty, the claimant must:
(a) File written notice of the claim with the secretary stating the name and address of the claimant, the amount claimed, and the grounds for the qualified right to payment, and any other information required by rule by the secretary; and
(b) Append to the notice a certified copy of the judgment on which the qualified right to payment is based.
Recovery of a qualified right to payment from the proceeds of the suitable guaranty is barred unless the claimant substantially complies with this subsection (3).
(4) Recovery of a qualified right to payment from the proceeds of a suitable guaranty are forever barred unless notice of the claim is filed as required in subsection (3)(a) of this section within three years after the occurrence of the violation of this chapter that is the basis for the claim. Notice under this subsection need not include the requirement imposed by subsection (3)(b) of this section.



Discontinuation of certification authority servicesDuties of authorityContinuation of guarantyProcess to maintain and update recordsRulesCosts.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) A licensed certification authority that discontinues providing certification authority services shall:
(a) Notify all subscribers listed in valid certificates issued by the certification authority, before discontinuing services;
(b) Minimize, to the extent commercially reasonable, disruption to the subscribers of valid certificates and relying parties; and
(c) Make reasonable arrangements for preservation of the certification authority's records.
(2) A suitable guaranty of a licensed certification authority may not be released until the expiration of the term specified in the guaranty.
(3) The secretary may provide by rule for a process by which the secretary may, in any combination, receive, administer, or disburse the records of a licensed certification authority or a recognized repository that discontinues providing services, for the purpose of maintaining access to the records and revoking any previously issued valid certificates in a manner that minimizes disruption to subscribers and relying parties. The secretary's rules may include provisions by which the secretary may recover costs incurred in doing so.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Satisfaction of signature requirements.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature, if:
(a) The digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
(b) The digital signature was affixed by the signer with the intention of signing the message; and
(c) The recipient has no knowledge or notice that the signer either:
(i) Breached a duty as a subscriber; or
(ii) Does not rightfully hold the private key used to affix the digital signature.
(2) Nothing in this chapter:
(a) Precludes a mark from being valid as a signature under other applicable law;
(b) May be construed to obligate a recipient or any other person asked to rely on a digital signature to accept a digital signature or to respond to an electronic message containing a digital signature except as provided in RCW 19.34.321; or
(c) Precludes the recipient of a digital signature or an electronic message containing a digital signature from establishing the conditions under which the recipient will accept a digital signature.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Acceptance of digital signature in reasonable manner.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
Acceptance of a digital signature may be made in any manner reasonable in the circumstances.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Unreliable digital signaturesRisk.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Reasonableness of relianceFactors.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
The following factors, among others, are significant in evaluating the reasonableness of a recipient's reliance upon a certificate and upon the digital signatures verifiable with reference to the public key listed in the certificate:
(1) Facts which the relying party knows or of which the relying party has notice, including all facts listed in the certificate or incorporated in it by reference;
(2) The value or importance of the digitally signed message, if known;
(3) The course of dealing between the relying person and subscriber and the available indicia of reliability or unreliability apart from the digital signature; and
(4) Usage of trade, particularly trade conducted by trustworthy systems or other computer-based means.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Digital message as written on paperRequirementsOther requirements not affectedException from uniform commercial code.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
A message is as valid, enforceable, and effective as if it had been written on paper, if it:
(1) Bears in its entirety a digital signature; and
(2) That digital signature is verified by the public key listed in a certificate that:
(a) Was issued by a licensed certification authority; and
(b) Was valid at the time the digital signature was created.
Nothing in this chapter shall be construed to eliminate, modify, or condition any other requirements for a contract to be valid, enforceable, and effective. No digital message shall be deemed to be an instrument under Title 62A RCW unless all parties to the transaction agree, including financial institutions affected.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Acceptance of certified court documents in electronic formRequirementsRules of court on use in proceedings.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) A person may not refuse to honor, accept, or act upon a court order, writ, or warrant upon the basis that it is electronic in form and signed with a digital signature, if the digital signature was certified by a licensed certification authority or otherwise issued under court rule. This section applies to a paper printout of a digitally signed document, if the printout reveals that the digital signature was electronically verified before the printout, and in the absence of a finding that the document has been altered.
(2) Nothing in this chapter shall be construed to limit the authority of the supreme court to adopt rules of pleading, practice, or procedure, or of the court of appeals or superior courts to adopt supplementary local rules, governing the use of electronic messages or documents, including rules governing the use of digital signatures, in judicial proceedings.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Digital message deemed original.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
A digitally signed message shall be deemed to be an original of the message.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.



Certificate as acknowledgmentRequirementsExceptionResponsibility of certification authority.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) Unless otherwise provided by law or contract, if so provided in the certificate issued by a licensed certification authority, a digital signature verified by reference to the public key listed in a valid certificate issued by a licensed certification authority satisfies the requirements for an acknowledgment under RCW 42.45.010(1) and for acknowledgment of deeds and other real property conveyances under RCW 64.04.020 if words of an express acknowledgment appear with the digital signature regardless of whether the signer personally appeared before either the certification authority or some other person authorized to take acknowledgments of deeds, mortgages, or other conveyance instruments under RCW 64.08.010 when the digital signature was created, if that digital signature is:
(a) Verifiable by that certificate; and
(b) Affixed when that certificate was valid.
(2) If the digital signature is used as an acknowledgment, then the certification authority is responsible to the same extent as a notary up to the recommended reliance limit for failure to satisfy the requirements for an acknowledgment. The certification authority may not disclaim or limit, other than as provided in RCW 19.34.280, the effect of this section.

NOTES:

Effective date2017 c 281: See RCW 42.45.905.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Adjudicating disputesPresumptions.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
In adjudicating a dispute involving a digital signature, it is rebuttably presumed that:
(1) A certificate digitally signed by a licensed certification authority and either published in a recognized repository, or made available by the issuing certification authority or by the subscriber listed in the certificate is issued by the certification authority that digitally signed it and is accepted by the subscriber listed in it.
(2) The information listed in a valid certificate and confirmed by a licensed certification authority issuing the certificate is accurate.
(3) If a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority:
(a) That digital signature is the digital signature of the subscriber listed in that certificate;
(b) That digital signature was affixed by that subscriber with the intention of signing the message;
(c) The message associated with the digital signature has not been altered since the signature was affixed; and
(d) The recipient of that digital signature has no knowledge or notice that the signer:
(i) Breached a duty as a subscriber; or
(ii) Does not rightfully hold the private key used to affix the digital signature.
(4) A digital signature was created before it was time stamped by a disinterested person utilizing a trustworthy system.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Alteration of chapter by agreementExceptions.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
The effect of this chapter may be varied by agreement, except:
(1) A person may not disclaim responsibility for lack of good faith, but parties may by agreement determine the standards by which the duty of good faith is to be measured if the standards are not manifestly unreasonable; and
(2) As otherwise provided in this chapter.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Presumptions of validity/limitations on liabilityConformance with chapter.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
The presumptions of validity and reasonableness of conduct, and the limitations on liability in this chapter do not apply to electronic records or electronic signatures except for digital signatures created in conformance with all of the requirements of this chapter and rules adopted under this chapter.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.



Recognition of repositoriesApplicationDiscontinuanceProcedure.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) The secretary must recognize one or more repositories, after finding that a repository to be recognized:
(a) Is a licensed certification authority;
(b) Includes, or will include, a database containing:
(i) Certificates published in the repository;
(ii) Notices of suspended or revoked certificates published by licensed certification authorities or other persons suspending or revoking certificates; and
(iii) Other information adopted by rule by the secretary;
(c) Operates by means of a trustworthy system, that may, under administrative rule of the secretary, include additional or different attributes than those applicable to a certification authority that does not operate as a recognized repository;
(d) Contains no significant amount of information that is known or likely to be untrue, inaccurate, or not reasonably reliable;
(e) Keeps a record of certificates that have been suspended or revoked, or that have expired, in accordance with requirements adopted by rule by the secretary; and
(f) Complies with other reasonable requirements adopted by rule by the secretary.
(2) A repository may apply to the secretary for recognition by filing a written request and providing evidence to the secretary sufficient for the secretary to find that the conditions for recognition are satisfied, in accordance with requirements adopted by rule by the secretary.
(3) A repository may discontinue its recognition by filing thirty days' written notice with the secretary, upon meeting any conditions for discontinuance adopted by rule by the secretary. In addition the secretary may discontinue recognition of a repository in accordance with the administrative procedure act, chapter 34.05 RCW, if the secretary concludes that the repository no longer satisfies the conditions for recognition listed in this section or in rules adopted by the secretary.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



RepositoriesLiabilityExemptionsLiquidation, limitation, alteration, or exclusion of damages.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) Notwithstanding a disclaimer by the repository or a contract to the contrary between the repository, a certification authority, or a subscriber, a repository is liable for a loss incurred by a person reasonably relying on a digital signature verified by the public key listed in a certificate that has been suspended or revoked by the licensed certification authority that issued the certificate, if loss was incurred more than one business day after receipt by the repository of a request from the issuing licensed certification authority to publish notice of the suspension or revocation, and the repository had failed to publish the notice when the person relied on the digital signature.
(2) Unless waived, a recognized repository or the owner or operator of a recognized repository is:
(a) Not liable for failure to record publication of a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;
(b) Not liable under subsection (1) of this section in excess of the amount specified in the certificate as the recommended reliance limit;
(c) Not liable under subsection (1) of this section for:
(i) Punitive or exemplary damages; or
(ii) Damages for pain or suffering;
(d) Not liable for misrepresentation in a certificate published by a licensed certification authority;
(e) Not liable for accurately recording or reporting information that a licensed certification authority, or court clerk, or the secretary has published as required or permitted in this chapter, including information about suspension or revocation of a certificate;
(f) Not liable for reporting information about a certification authority, a certificate, or a subscriber, if the information is published as required or permitted in this chapter or a rule adopted by the secretary, or is published by order of the secretary in the performance of the licensing and regulatory duties of that office under this chapter.
(3) Consequential or incidental damages may be liquidated, or may otherwise be limited, altered, or excluded unless the limitation, alteration, or exclusion is unconscionable. A recognized repository may liquidate, limit, alter, or exclude damages as provided in this subsection by agreement, or by notifying any person who will rely on a digital signature verified by the public key listed in a suspended or revoked certificate of the liquidation, limitation, alteration, or exclusion before the person relies on the certificate.

NOTES:

Effective date1999 c 287: See note following RCW 19.34.010.
Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Confidentiality of certain recordsLimited access to state auditor.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) The following information, when in the possession of the secretary or the state auditor for purposes of this chapter, shall not be made available for public disclosure, inspection, or copying, unless the request is made under an order of a court of competent jurisdiction based upon an express written finding that the need for the information outweighs any reason for maintaining the privacy and confidentiality of the information or records:
(a) A trade secret, as defined by RCW 19.108.010; and
(b) Information regarding design, security, or programming of a computer system used for purposes of licensing or operating a certification authority or repository under this chapter.
(2) The state auditor, or an authorized agent, must be given access to all information referred to in subsection (1) of this section for the purpose of conducting audits under this chapter or under other law, but shall not make that information available for public inspection or copying except as provided in subsection (1) of this section.

NOTES:

Effective datePurpose2011 1st sp.s. c 43: See notes following RCW 43.19.003.



Rule making.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
The secretary of state may adopt rules to implement this chapter beginning July 27, 1997, but the rules may not take effect until January 1, 1998.

NOTES:

Severability1997 c 27: See note following RCW 19.34.030.



Chapter supersedes and preempts local actions.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
This chapter supersedes and preempts all local laws or ordinances regarding the same subject matter.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Criminal prosecution not precludedRemedies not exclusiveInjunctive relief availability.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
This chapter does not preclude criminal prosecution under other laws of this state, nor may any provision of this chapter be regarded as an exclusive remedy for a violation. Injunctive relief may not be denied to a party regarding conduct governed by this chapter on the basis that the conduct is also subject to potential criminal prosecution.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Jurisdiction, venue, choice of laws.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
Issues regarding jurisdiction, venue, and choice of laws for all actions involving digital signatures must be determined according to the same principles as if all transactions had been performed through paper documents.

NOTES:

Effective dateSeverability1997 c 27: See notes following RCW 19.34.030.



Short title.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
This chapter shall be known and may be cited as the Washington electronic authentication act.



Effective date1996 c 250.

*** CHANGE IN 2019 *** (SEE 1908.SL) ***
(1) Sections 101 through 601, 604, and 605, chapter 250, Laws of 1996 take effect January 1, 1998.
(2) Sections 602 and 603, chapter 250, Laws of 1996 take effect July 27, 1997.

NOTES:

Severability1997 c 27: See note following RCW 19.34.030.