Current through Register Vol. 50, No. 9, September 20, 2024
A. This Section applies to all written electronic communications which are sent to a state agency over the Internet or other electronic network or by another means that is acceptable to the state agency, for which the identity of the sender or the contents of the message must be authenticated, and for which no prior agreement between the sender and the receiving state agency regarding message authentication existed as of the effective date of this Section. This Section does not apply to or supersede the use and expansion of existing systems which are not in conflict with the Federal "Electronic Signatures in Global and National Commerce Act":
1. for the receipt of electronically filed documents pursuant to applicable Louisiana statutory law and promulgated rules and regulations, where the purpose of the written electronic communication is to comply with statutory filing requirements and the receiving state agency or local government is not a party to the underlying transaction which is the subject of the communication; or
2. for the electronic approval of payment vouchers under rules adopted by the State Treasurer pursuant to applicable law.
B. Prior to accepting a digital signature, a state agency shall ensure that the level of security used to identify the signer of a message and to transmit the signature is sufficient for the transaction being conducted. A state agency that accepts digital signatures may not effectively discourage the use of digital signatures by imposing unreasonable or burdensome requirements on persons wishing to use digital signatures to authenticate written electronic communications sent to the state agency.
C. A state agency that accepts digital signatures shall not be required to accept a digital signature that has been created by means of a particular acceptable technology described in Subsection D of this Section if the state agency:
1. determines that the expense that would necessarily be incurred by the state agency in accepting such a digital signature is excessive and unreasonable;
2. provides reasonable notice to all interested persons of the fact that such digital signatures will not be accepted, and of the basis for the determination that the cost of acceptance is excessive and unreasonable; and
3. files an electronic copy (in HTML format) of the notice with the Division of Administration. The Division of Administration shall make a copy of such notice available to the general public via the World Wide Web.
D. A state agency shall ensure that all written electronic communications received by the state agency and authenticated by means of a digital signature in accordance with this Section, as well as any information resources necessary to permit access to the written electronic communications, are retained by the state agency as necessary to comply with applicable law pertaining to audit and records retention requirements.
E. Guidelines Agencies Should Use in Adopting an Electronic Signature Technology
1. An agency's determination of which technology is appropriate for a given transaction must include a risk assessment and an evaluation of targeted customer or user needs. The initial use of the risk assessment is to identify and mitigate risks in the context of available technologies and their relative total costs and effects on the program being analyzed. The assessment also should be used to develop baselines and verifiable performance measures that track the agency's mission, strategic plans, and performance objectives. Agencies must strike a balance, recognizing that achieving absolute security is likely to be in most cases highly improbable and prohibitively expensive.
2. The identity of participants to a transaction may not need to be authenticated. If authentication is required, several options are available: an ID and password for a web-based transaction may be sufficient; however, the user login session should be encrypted using Secure Sockets Layer (SSL), a Virtual Private Network (VPN), or an equivalent encryption technology.
3. Digital Signatures/Certificates may offer increased security (positive ID); however, this will vary depending on:
a. who issues the certificates;
b. what the identity-proofing process is (e.g., whether a Social Security number, photo ID, or biometrics are used); and
c. whether the certificate is issued remotely via software or mail, or "in person" identification is required.
4. In determining whether an electronic signature is required or is sufficiently reliable for a particular purpose, agencies should consider the relationships between the parties, the value of the transaction, and the likely need for accessible, persuasive information regarding the transaction at some later date (e.g., audit or legal evidence). The types of transactions may require different security control measures, based on security risks and legal obligations:
a. transactions involving the transfer of funds;
b. transactions where the parties commit to actions or contracts that may give rise to financial or legal liability;
c. transactions involving information protected under state or federal law or other agency-specific statutes obliging that access to the information be restricted;
d. transactions where the party is fulfilling a legal responsibility which, if not performed, creates a legal liability (criminal or civil);
e. transactions where no funds are transferred, no financial or legal liability is involved and no privacy or confidentiality issues are involved.
5. Agency transactions fall into five general categories, each of which may be vulnerable to different security risks:
a. intra-agency transactions;
b. inter-agency transactions (i.e., those between state agencies);
c. transactions between a state agency and federal or local government agencies;
d. transactions between a state agency and a private organization (contractor, non-profit organization, or other entity);
e. transactions between an agency and a member of the general public.
6. Agencies should follow several privacy tenets:
a. electronic authentication should only be required where needed. Many transactions do not need, and should not require, detailed information about the individual;
b. when electronic authentication is required for a transaction, do not collect more information from the user than is required for the application;
c. the entity initiating a transaction with a state agency should be able to decide the scope of their electronic means of authentication.
7. When agencies evaluate the retention requirements for specific records, they should consider the following if the record was signed with an electronic signature.
a. Low Risk: simple electronic signature (e.g., typed name on an e-mail message).
b. High Risk: digitally-signed communication, a message that has been processed by a computer in such a manner that ties the message to the individual who signed the message. The digital signature must be linked to the message of the document in such a way that it would be computationally infeasible to change the data in the message or the digital signature without invalidating the digital signature.
8. If the record contains a digital signature, the following additional documents may be required:
a. a copy of the Public Key;
b. a copy of the Certificate Revocation List (CRL) showing the validity period of the certificate or a copy of the On-line Certificate Status Protocol (OCSP) results;
c. Certification Practice Statement (CPS).
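The binding property in E.7.b (changing the message or the signature invalidates the signature) and the retention point in E.8.a (keep the public key so the signature can be re-verified later) can be seen in a few lines of code. The following Go program is an added illustration, not part of the rule and not code from any state system. It uses the Ed25519 signature scheme from Go's standard library; the SignedRecord bundle type, the function names, and the filing text are assumptions made for the example, and it does not cover the CRL/OCSP evidence of E.8.b or the CPS of E.8.c.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"log"
)

// SignedRecord is a hypothetical retention bundle, not a structure the rule
// defines: the signed message, the signature over it, and the signer's public
// key, kept together so the signature can be re-verified at audit time.
type SignedRecord struct {
	Message   []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// SignRecord signs msg with priv and packages everything a later verifier needs.
func SignRecord(priv ed25519.PrivateKey, msg []byte) SignedRecord {
	return SignedRecord{
		Message:   append([]byte(nil), msg...),
		Signature: ed25519.Sign(priv, msg),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// Verify re-checks the retained signature against the retained public key.
// Length checks come first because ed25519.Verify panics on a malformed key.
func (r SignedRecord) Verify() bool {
	if len(r.PublicKey) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(r.PublicKey, r.Message, r.Signature)
}

// flipBit returns a copy of b with the low bit of byte i inverted, leaving
// the original slice (and therefore the retained record) untouched.
func flipBit(b []byte, i int) []byte {
	out := append([]byte(nil), b...)
	out[i] ^= 0x01
	return out
}

// TamperDemo signs a constructed filing and reports three verification
// results: the untouched record, the record with one message bit changed,
// and the record with one signature bit changed. Only the first is true.
func TamperDemo() (origOK, msgTamperOK, sigTamperOK bool, err error) {
	var priv ed25519.PrivateKey
	_, priv, err = ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample document; it stands in for a filed electronic record.
	msg := []byte("Filing EXAMPLE-0001: the applicant certifies the attached statement is accurate.")
	rec := SignRecord(priv, msg)

	origOK = rec.Verify()

	alteredMsg := rec
	alteredMsg.Message = flipBit(rec.Message, 0)
	msgTamperOK = alteredMsg.Verify()

	alteredSig := rec
	alteredSig.Signature = flipBit(rec.Signature, 0)
	sigTamperOK = alteredSig.Verify()

	return origOK, msgTamperOK, sigTamperOK, nil
}

func main() {
	origOK, msgTamperOK, sigTamperOK, err := TamperDemo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("untouched record verifies:    %v\n", origOK)
	fmt.Printf("message altered by one bit:   %v\n", msgTamperOK)
	fmt.Printf("signature altered by one bit: %v\n", sigTamperOK)
}
```

The retained public key is what makes the later re-verification possible without contacting the signer; a verifier at audit time additionally needs the CRL or OCSP evidence from E.8.b to show that the certificate binding that key to the signer was valid when the record was signed, which this stand-alone bundle does not capture.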
AUTHORITY NOTE: Promulgated in accordance with R.S. 39:4(c).