(a) The agency is responsible for establishing adequate guidelines and procedures for the management and administration of technologies that are consistent with the risks and consequences associated with the compromise of the information or transaction in accordance with state policies and standards. An electronic signature: - (i) should be unique to the signer within the context in which it is used;
- (ii) should be used to objectively identify the person signing and transmitting the electronic record;
- (iii) should provide reasonable assurance the electronic signature created by such identified person cannot be readily duplicated or compromised; and
- (iv) should be linked to the electronic record to which it relates, in a manner such that if the record or the signature is intentionally or unintentionally changed after signing the electronic signature is invalidated.
(b) The integrity of the data or content contained in the communication or transaction must be: - (i) maintained in verifiable form appropriate to the communication throughout the lifecycle of the data.
- (ii) provide reasonable assurance the transaction record data cannot be readily compromised;
- (iii) linked to the electronic signature to which it relates, in a manner such that if the original transaction record data or the signature is intentionally or unintentionally changes after signing, the transaction record is invalidated.
(c) An Agency accepting an electronic transaction that contains an electronic signature, shall ensure that the level of security used to identify the sender and to authenticate the electronic signature is sufficient for the transaction being conducted, and in accordance with Chapter 3 Electronic Transactions Security.
(d) A State agency shall not be required to accept an electronic signature for specific transactions if the State agency: - (i) Determines that the expense or resources required by the State agency to accept such an electronic signature are unreasonable? and
- (ii) Provides reasonable notice to all interested persons of the fact that such electronic signatures will not be accepted, and of the basis for the determination that the expense or resources required for acceptance are unreasonable.
(e) Any agreements entered into between a sender and the receiving State agency after the effective date of these rules must comply with these rules.
(f) Except as provided by another applicable rule of law, a secure electronic signature is attributable to the person to whom it correlates, whether or not authorized, if: - (i) The electronic signature resulted from acts of a person that obtainedn the signature device or other information necessary to create the signature from a source under the control of the alleged signer, or the access or use occurred under circumstances constituting a failure to exercise reasonable care by the alleged signer? and
- (ii) The receiving party relied reasonably and in good faith to their detriment on the apparent source of the electronic record.