New York State Electronic Signatures and Records Act

Transcription

1 PIANY Doc. No New York State Electronic Signatures and Records Act The information contained within this Resource kit was made available by the New York State Department of State Division of Administrative Rules and is provided as a PIANY member service. To contact PIA for more information, or to request a QuickSource document index, contact: phone: (800) fax: (888) resourcecenter@pia.org website: Think PIA first REV. 12/1

2

3 OFFICIAL COMPILATION OF CODES, RULES AND REGULATIONS OF THE STATE OF NEW YORK TITLE 9. EXECUTIVE DEPARTMENT SUBTITLE N. OFFICE FOR TECHNOLOGY PART 540. ELECTRONIC SIGNATURES AND RECORDS ACT Section Purpose, intent and applicability. (a) The purpose of this Part is to establish standards and procedures governing the use and authentication of electronic signatures and the utilization of electronic records in accordance with article III of the State Technology Law, which establishes the Electronic Signatures and Records Act (ESRA). ESRA requires the Office for Technology (OFT), as the electronic facilitator, to establish rules governing the use of electronic signatures and records. ESRA recognizes the importance of technology to the State and the need to build a foundation for its acceptance, implementation and use by State agencies, local government, the private sector and citizens. Consistent with legislative intent, ESRA establishes that electronic signatures and records have the same force and effect as signatures and records produced by nonelectronic means and should be utilized to facilitate both business in, as well as the business of, New York State. (b) ESRA and this Part, among other things, ensure that persons who voluntarily elect to use electronic signatures or electronic records can do so with confidence that they carry the same force and effect as nonelectronic signatures and records. Consistent with ESRA and this Part, parties agreeing to engage in electronic transactions may deploy electronic signatures and records in a manner that meets their practices and needs. (c) New technologies are frequently being introduced. The intent of this Part is to be flexible enough to embrace future technologies that comply with ESRA and all other applicable statutes and regulations. The electronic facilitator shall conduct periodic reviews of the regulations to ensure that the regulations facilitate and promote the use of technological advancements and address privacy and confidentiality issues. (d) Neither ESRA nor this Part requires any person to use a document bearing an electronic signature. Under ESRA and this Part, the use or acceptance of electronic records by governmental entities is voluntary. (e) In accordance with ESRA, the use of an electronic signature as defined in ESRA shall have the same validity and effect as the use of a signature affixed by hand. Neither ESRA, nor this Part, shall in whole, or in part, be construed to limit any legal rights or privileges, contractual or otherwise, that parties may have in the use of electronic signatures and records. (f) ESRA and this Part are designed to, among other things, afford governmental entities the greatest latitude to determine the most effective protocols for producing, receiving, accepting, acquiring, recording, filing, transmitting, forwarding and storing electronic signatures and electronic records within the confines of existing statutory and regulatory requirements regarding privacy, confidentiality and records retention. (g) This Part also establishes standards to implement chapter 549 of the Laws of 2011 in relation to the electronic recording of instruments affecting real property by recording officers in New York State. Chapter 549 amended ESRA to allow for the use and acceptance of electronic signatures and records with conveyances and other instruments recordable under article nine of the Real Property Law. Chapter 549 also added a new section 291-i to the Real Property Law,

4 permitting, but not requiring, recording officers to participate in electronic recording of instruments affecting real property. Real Property Law section 291-i requires the Office of Information Technology Services (ITS), formerly OFT, as the electronic facilitator, to promulgate rules and regulations governing the use and acceptance of digitized paper documents, electronic records and electronic signatures in the recording of instruments affecting real property. These rules and regulations are to prescribe standards to ensure that electronic records of instruments affecting real property documents are accurate, authentic, adequately preserved for long-term electronic storage and resistant to tampering. Section Definitions. For the purposes of this Part, the terms below have the following meanings: (a) Business analysis and risk assessment means identifying and evaluating various factors relevant to the selection of an electronic signature for use or acceptance in an electronic transaction. Such factors include, but are not limited to, relationships between parties to an electronic transaction, value of the transaction, risk of intrusion, risk of repudiation of an electronic signature, risk of fraud, functionality and convenience, business necessity and the cost of employing a particular electronic signature process. (b) Certificate means a data structure used in a public key system to bind a particular authenticated individual to a particular public key conforming to widely used industry standards. (c) Certification authority means a trusted party in a public key system that vouches for the authenticity of the individual or system in question by issuing certificates that are used for verification of electronic signatures produced by corresponding private keys. For purposes of this subdivision, a trusted party that issues certificates which only the same trusted party uses for electronic signature verification purposes is not considered a certification authority. A certification authority is also commonly referred to as a certificate authority. (d) Certificate revocation list (CRL) means a publicly available list of certificates that have been revoked before their expiration date. (e) Cryptographic keys means the items of information used by a given algorithm to transform data into an unreadable format. (f) Electronic signatory means the person authorized to generate an electronic signature. (g) Electronic transaction means an action or set of actions occurring through the use of electronic technology by or with a governmental entity. (h) Governmental entity means any State department, board, bureau, division, commission, committee, public authority, public benefit corporation, council, office, or other governmental entity or officer of the State having statewide authority, except the State Legislature, and any political subdivision of the State. (i) Material change means a substantial change in the operating practices of a certification authority that affects the issuance, revocation, security, disposition, and any other aspect of the management of a certificate. (j) Person means a natural person, corporation, trust, estate, partnership, incorporated or unincorporated association or any other legal entity and also includes any department, agency, authority, or instrumentality of the State or its political subdivisions. (k) Public key, for purposes of public key cryptography, means the key made public for encryption. (l) Receiving device means any physical or virtual point capable of receiving electronic records including, but not limited to, a website, address, hardware device or application.

5 (m) Electronic recording means an electronic process by which digitized paper documents or electronic records affecting real property are delivered to a recording officer for incorporation into the public record. (n) PRIA means the Property Records Industry Association, located at 2501 Aerial Center Parkway, Suite 103, Morrisville, NC (o) Recording officer means the county clerk of the county, except in a county having a register, where it means the register of the county. (p) Registered submitter is a person whose identity has been verified and authenticated by a recording officer prior to the submission of digitized paper documents or electronic records to the recording officer for electronic recording. Section Electronic facilitator. (a) OFT, as the electronic facilitator, is responsible for administering this Part. In accordance with ESRA, OFT has the following functions, powers and duties including, but not limited to: (1) coordinate and facilitate statewide planning and establish statewide policy on the use of electronic signatures and records by governmental entities; (2) request and receive information from governmental entities enabling OFT to properly carry out its functions, powers and duties under ESRA and this Part; (3) identify and evaluate electronic technologies that meet the ESRA definition of an electronic signature. These duties shall include, but not be limited to, the following: (i) establish a process to gather information on, review and evaluate these technologies; and (ii) disseminate information about criteria for the selection and use of electronic signature technologies through preferred technology standards, guidelines and advisory services; (4) develop guidelines that identify preferred technology standards, including, but not limited to, interoperability, consistency, security, confidentiality and privacy of electronic signatures and records; (5) periodically review OFT's policies, technology standards and guidelines to ensure that they are consistent with national and international standards and current technology and business practices; (6) review and coordinate the purchase of technology related to electronic signatures and records solutions by State agencies. Such review and coordination shall promote consistency with the goals of interoperability, statewide technology standards, guidelines, security of confidential records and proper dissemination of public information; (7) advise and assist in developing policies, plans and programs for acquisition, deployment and use of electronic signature and records technology; and (8) establish advisory committees, working groups, or other bodies to assist and advise OFT in carrying out the above duties and responsibilities. (b) Governmental entities may define additional standards for electronic signatures and records after consulting with OFT to ensure that such standards are consistent with ESRA and this Part. Section Electronic signatures. (a) The use of an electronic signature as defined in ESRA shall have the same validity and effect as the use of a signature affixed by hand. (b) In accordance with ESRA, an electronic signature is an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by

6 a person with the intent to sign the record. An electronic signature is considered to be "attached to or logically associated with an electronic record" if the electronic signature is linked to the record during transmission and storage. (c) A governmental entity shall complete and document a business analysis and risk assessment when selecting an electronic signature to be used or accepted by that governmental entity in an electronic transaction. A governmental entity may elect to collaborate with other governmental entities in the completion and documentation of a business analysis and risk assessment when selecting an electronic signature for use or acceptance in an electronic transaction common to such governmental entities. A governmental entity may elect to adopt an existing business analysis and risk assessment completed and documented by another governmental entity when selecting an electronic signature for use or acceptance in the same type of electronic transaction to which the existing business analysis and risk assessment applies. (d) Where a governmental entity agrees to use or accept an electronic signature that involves the services of a certification authority, the certification authority shall meet the following standards and operating practices: (1) produce and maintain a certification practice statement or other documents containing, but not limited to, the following information: (i) community and applicability--describing the types of entities that the certificate authority certifies and the applications for which certificates may be used, and any restrictions relating to their use; (ii) identification and authentication policy--the policies used to bind a public key to an individual, including those policies addressing initial registration, reissuing a certificate with a new public key, reissuing a certificate with a new public key after revocation, revocation request and how name disputes, if any, are resolved; (iii) key management policy--describing the security measures taken by the certificate authority to protect its cryptographic keys and critical security parameters including the life- cycle management of keys from generation, through storage and usage, to archiving and destruction; (iv) local security policy--describing the physical, personnel and procedural controls used by the certificate authority to perform certificate authority functions securely, including key generation, user authentication, certificate registration, certificate revocation, audit, and archival and records management; (v) technical security policy--describing the software, hardware and network security controls used by a certificate authority to perform certificate authority functions including key generation, user authentication, certificate registration, certificate revocation, audit, and archival and records management; (vi) operations policy--describing the frequency of routine certificate revocation list (CRL) issuance, frequency of special CRL issuance (e.g., key compromise CRL), and frequency of certificate authority key changeover; (vii) legal provisions--describing the liability and obligations of the parties. This information must be prominently displayed in the documents required by this paragraph; (viii) certificate and CRL standards--describing the standards, versions and data included; (ix) policy administration--defining the authority that is responsible for the registration, maintenance and interpretation of policy including contact information and practice statement change procedures; (x) audit policy--describing the type and frequency of internal and external audits;

7 (xi) personal privacy policy--reciting the certification authority's statutory obligation to maintain the confidentiality of personal information in accordance with the provisions of subdivision 2 of section 308 of the State Technology Law and section of this Part; (2) make the certification practice statement or other documents maintained in accordance with paragraph (1) of this subdivision available to any person who requests the same; (3) have an audit performed by a certified public accounting firm that reports on the policies and procedures of the certification authority as set forth and maintained in accordance with the provisions of this subdivision, and tests the operational effectiveness of such procedures during the first year in service to a governmental entity, and every two years thereafter or when there is material change to its certification practices, whichever comes first; and (4) make available to the public the final opinion letter resulting from an audit performed under paragraph (3) of this subdivision. Section Electronic records. (a) An electronic record used by a person shall have the same force and effect as those records not produced by electronic means. (b) Pursuant to ESRA and this Part, governmental entities are authorized and empowered to produce, receive, accept, acquire, record, file, transmit, forward and store electronic records. If any governmental entity uses electronic records it shall: (1) ensure that anyone who uses the services of such governmental entity may obtain access to records as permitted by law, and may receive copies of such records in paper form in accordance with fees prescribed by law; (2) not refuse to accept hard copy, nonelectronic forms, reports, and other paper documents for submission or filing, except as otherwise provided by law; and (3) not require the submission or filing of any record electronically, except as otherwise provided by law. (c) All laws applicable to government records shall be applicable to electronic records maintained by governmental entities, including, but not limited to, retention, accessibility and disposition requirements established under the Arts and Cultural Affairs Law or the Judiciary Law. (d) Governmental entities shall employ procedures and controls designed to ensure the authenticity, integrity, security and, when appropriate, the confidentiality of electronic records. (e) Governmental entities using electronic records shall, in the absence of specific statutory or regulatory requirements, have the authority to specify the manner and format in which electronic records will be received, produced, accepted, acquired, recorded, filed, transmitted, forwarded, acknowledged and stored. For the purposes of ensuring the receipt of electronic records, governmental entities must designate the receiving device. Section Privacy and confidentiality. As required by ESRA: (a) For purposes of the Freedom of Information Law, as set forth in article six of the Public Officers Law, and the Personal Privacy Protection Law, as set forth in article six-a of the Public Officers Law, electronic records shall be considered and treated in the same manner as any other record.

8 (b) Except to the extent disclosure of personal information is required by a court order or a statute, or if the information is used solely for statistical purposes in aggregate form, no person acting as a certification authority shall disclose to a third party any personal information reported to the certification authority by the electronic signatory other than the information necessary to issue or authenticate the certificate. Information reported to a certification authority for purposes other than issuing a certificate shall not be subject to this subdivision. For purposes of this subdivision, the phrase personal information shall mean, but not be limited to, the following types of information which could identify a specific person: home and work address, telephone number, address, social security number, birth date, gender, marital status, mother's maiden name, and health data. Section Electronic recording of instruments affecting real property. (a) Electronic recording of instruments affecting real property shall, at a minimum, meet the following technical standards and guidelines prescribed by PRIA: PRIA Request Version 2.4.2, August 2007; PRIA Response Version 2.4.2, August 2007; Document Version 2.4.1, October 2007; Notary Version 2.4.1, October 2007; and erecording XML Implementation Guide for Version 2.4.1, Revision 2, March 2007, (collectively, "PRIA Guidelines"), which guidelines are hereby incorporated by reference. PRIA Guidelines may be found on the PRIA website at: and may be viewed at the New York State Office of Information Technology Services, Empire State Plaza, Swan Street Building Core 4, Albany, NY (b) A recording officer who elects to accept electronic recording of instruments affecting real property shall accept one or more of the models of electronic recording supported by PRIA. Recording officers who elect to accept a model containing an electronic signature shall comply with section 540.4(c) and any other applicable section of this Part. (c) An instrument affecting real property submitted to a recording officer for electronic recording shall be submitted and retained in a freely available, readable and searchable format. The utilized format must ensure the preservation of the instrument and its contents and the ability of the instrument to be retrieved in a fashion that prevents content modification or destruction. Examples of such acceptable formats include, but are not limited to, PDF/A (an International Organization for Standardization standardized version of the Portable Document Format) and TIFF (Tagged Image File Format for Image Technology). (d) Recording officers who elect to accept electronic recording of instruments affecting real property shall: (1) ensure that electronic recording complies with the security principles identified in chapter 6 of the PRIA e-recording XML Implementation Guide for Version 2.4.1, Revision 2, March 2007, and applicable security standards established by New York State and local laws; and (2) implement reasonable measures to ensure that digitized paper documents and electronic records of instruments that have been submitted for electronic recording are protected from alteration and unauthorized access from the time of submission to the recording officer throughout such time as the recording officer is required to maintain the document or record. (e) A notary shall perform a notarization of an instrument affecting real property that exists as an electronic record only where the signatory appears in person before the notary at the time of notarization to execute the record or to affirm a prior execution, as permitted by New York State law. The methods that a notary uses to identify a signatory shall be as prescribed by New York State law. Electronic signatures used by a notary on an instrument affecting real property shall comply with section 291-i (c) of the Real Property Law, and shall be:

9 (1) unique to the notary; (2) capable of independent verification; (3) under the notary's sole control; (4) attached to, or logically associated with, the electronic record in such a manner that it can be determined if any data contained in the electronic record has been changed subsequent to the electronic notarization; and (5) implemented in accordance with New York State law, rules and regulations and PRIA notary version 2.4.1, October 2007 standards. (f) A recording officer is not required to verify or authenticate electronic signatures or notarizations on an instrument affecting real property. (g) Recording officers who elect to accept electronic recording of instruments affecting real property shall accept such electronic instruments only from registered submitters whose identity has been electronically verified and authenticated. A recording officer shall maintain a listing of persons so registered by the recording officer. (h) Prior to submitting electronic instruments to a recording officer for recording, a registered submitter shall: (1) comply with the standards and specifications set forth in this regulation; and (2) agree to terms and conditions required by the recording officer, which shall include the terms and conditions set forth in subdivision (i) of this section. (i) A recording officer shall require its registered submitters to agree to terms and conditions which shall include the rights and responsibilities of both the recording officer and the registered submitter when participating in electronic recording. At a minimum, the terms and conditions shall address the following: (1) the manner in which a registered submitter's identity will be electronically verified and authenticated by the recording officer; (2) the manner in which the transmission of electronic instruments will be acknowledged by a recording officer; (3) the models of electronic recording accepted by the recording officer; (4) requirements for electronic submission; (5) payment options for recording fees and applicable taxes; (6) the recording officer's business hours; (7) requirements and procedures for acceptance or rejection of digitized paper documents or electronic records for recording purposes; (8) provisions for amending or terminating a person's registration as a registered submitter; and (9) rules for amending the terms and conditions agreement. (j) For purposes of electronic recording of instruments affecting real property, recording officers may accept by electronic means any recording fee, filing fee or tax authorized to be collected by New York State or local law or regulation, in a manner compatible with the recording officer's internal software and financial practices. Upon receipt of a payment by electronic means, a recording officer shall cause an electronic receipt of payment to be provided to the party making the payment. (k) Recording officers who elect to accept electronic recording of instruments affecting real property shall ensure that such electronic instruments are retained and preserved in accordance with the rules and regulations promulgated by the New York State Commissioner of Education which govern the retention and preservation of electronic records by local governments, including, but not limited to, Title 8 NYCRR Part 185, and any records retention and disposition

10 schedules published by the New York State Archives. Recording officers also shall ensure compliance with New York State and local laws and regulations concerning the backup of real property instruments for disaster recovery purposes.