Current through Register Vol. 50, No. 11, November 20, 2024
A. This Section applies to all written electronic communications which are sent to a state agency over the Internet or other electronic network or by another means that is acceptable to the state agency, for which the identity of the sender or the contents of the message must be authenticated, and for which no prior agreement between the sender and the receiving state agency regarding message authentication existed as of the effective date of this Section. This Section does not apply to or supersede the use and expansion of existing systems which are not in conflict with the Federal "Electronic Signatures in Global and National Commerce Act":

1. for the receipt of electronically filed documents pursuant to applicable Louisiana statutory law and promulgated rules and regulations, where the purpose of the written electronic communication is to comply with statutory filing requirements and the receiving state agency or local government is not a party to the underlying transaction which is the subject of the communication; or

2. for the electronic approval of payment vouchers under rules adopted by the State Treasurer pursuant to applicable law.

B. Prior to accepting a digital signature, a state agency shall ensure that the level of security used to identify the signer of a message and to transmit the signature is sufficient for the transaction being conducted. A state agency that accepts digital signatures may not effectively discourage the use of digital signatures by imposing unreasonable or burdensome requirements on persons wishing to use digital signatures to authenticate written electronic communications sent to the state agency.

C. A state agency that accepts digital signatures shall not be required to accept a digital signature that has been created by means of a particular acceptable technology described in Subsection D of this Section if the state agency:

1. determines that the expense that would necessarily be incurred by the state agency in accepting such a digital signature is excessive and unreasonable;

2. provides reasonable notice to all interested persons of the fact that such digital signatures will not be accepted, and of the basis for the determination that the cost of acceptance is excessive and unreasonable; and

3. files an electronic copy (in HTML format) of the notice with the Division of Administration. The Division of Administration shall make a copy of such notice available to the general public via the World Wide Web.

D. A state agency shall ensure that all written electronic communications received by the state agency and authenticated by means of a digital signature in accordance with this Section, as well as any information resources necessary to permit access to the written electronic communications, are retained by the state agency as necessary to comply with applicable law pertaining to audit and records retention requirements.

E. Guidelines Agencies Should Use in Adopting an Electronic Signature Technology

1. An agency's determination of which technology is appropriate for a given transaction must include a risk assessment, and an evaluation of targeted customer or user needs. The initial use of the risk assessment is to identify and mitigate risks in the context of available technologies and their relative total costs and effects on the program being analyzed. The assessment also should be used to develop baselines and verifiable performance measures that track the agency's mission, strategic plans, and performance objectives. Agencies must strike a balance, recognizing that achieving absolute security is likely to be in most cases highly improbable and prohibitively expensive.

2. The identity of participants to a transaction may not need to be authenticated. If authentication is required, several options are available: ID and passwords for a web-based transaction may be sufficient; however, the user login session should be encrypted using either Secure Sockets Layer (SSL) or Virtual Private Networks (VPN) or an equivalent encryption technology.

3. Digital Signatures/Certificates may offer increased security (positive ID); however, this will vary depending on:

a. who issues the certificates;

b. what the identity-proofing process is (e.g., are you using Social Security number, photo IDs, biometrics); and

c. whether the certificate is issued remotely via software or mail, or "in person" identification is required.

4. In determining whether an electronic signature is required or is sufficiently reliable for a particular purpose, agencies should consider the relationships between the parties, the value of the transaction, and the likely need for accessible, persuasive information regarding the transaction at some later date (e.g., audit or legal evidence). The types of transactions may require different security control measures, based on security risks and legal obligations:

a. transactions involving the transfer of funds;

b. transactions where the parties commit to actions or contracts that may give rise to financial or legal liability;

c. transactions involving information protected under state or federal law or other agency-specific statutes obliging that access to the information be restricted;

d. transactions where the party is fulfilling a legal responsibility which, if not performed, creates a legal liability (criminal or civil);

e. transactions where no funds are transferred, no financial or legal liability is involved and no privacy or confidentiality issues are involved.

5. Agency transactions fall into five general categories, each of which may be vulnerable to different security risks:

a. intra-agency transactions;

b. inter-agency transactions (i.e., those between state agencies);

c. transactions between a state agency and federal or local government agencies;

d. transactions between a state agency and a private organization (contractor, non-profit organization, or other entity);

e. transactions between an agency and a member of the general public.

6. Agencies should follow several privacy tenets:

a. electronic authentication should only be required where needed. Many transactions do not need, and should not require, detailed information about the individual;

b. when electronic authentication is required for a transaction, do not collect more information from the user than is required for the application;

c. the entity initiating a transaction with a state agency should be able to decide the scope of their electronic means of authentication.

7. When agencies evaluate the retention requirements for specific records, they should consider the following if the record was signed with an electronic signature.

a. Low Risk: simple electronic signature (e.g., typed name on an e-mail message).

b. High Risk: digitally signed communication, a message that has been processed by a computer in such a manner that ties the message to the individual that signed the message. The digital signature must be linked to the message of the document in such a way that it would be computationally infeasible to change the data in the message or the digital signature without invalidating the digital signature.

8. If the record contains a digital signature, the following additional documents may be required:

a. a copy of the Public Key;

b. a copy of the Certificate Revocation List (CRL) showing the validity period of the certificate or a copy of the On-line Certificate Status Protocol (OCSP) results;

c. Certification Practice Statement (CPS).

La. Admin. Code tit. 4, § I-705

Promulgated by the Office of the Governor, Division of Administration, LR 27:525 (April 2001).

AUTHORITY NOTE: Promulgated in accordance with R.S. 39:4(c).