State
Liability Provisions
(from May 97 download) - Compiled by Elise Reed, Old Republic National Title Insurance Company
Alabama
No legislation
Alaska
No legislation
Arizona - ARS 41-121, enacted 4/18/96
No liability provisions
Arkansas
No legislation
California - proposed
DS regs 4/22/97
No liability provisions
Colorado
No applicable legislation
Connecticut
No applicable legislation
Delaware
No applicable legislation
Florida - Senate bill
942
No liability provisions
Georgia - Senate bill
103
Section 5, which proposes adding section 10-12-5: "A person whose electronic signature is used in a unauthorized fashion may recover...against the
person who [used it], provided that the use...was negligent, reckless, or intentional: [actual damages, equitable relief, punitive damages, attorneys'
fees, and any other relief which the court deems proper]....[T]he term person' means a natural person...or any other legal entity."
Hawaii - Senate bill
961 - Digital
Signature Act
Section 11 (e)(2): The limitation of liability created in section 28 does not apply to a certificate issued by an unlicensed CA.
Section 22 (c): A person may not disclaim or rebut this section or obtain indemnity, if the effect of the disclaimer or indemnity is to limit liability for
wrongful issuance of a certificate as against persons relying on the certificate. (d): If a subscriber makes a false, material, and written representation of
fact, or fails to disclose a material fact, with either the intent to deceive or with negligence, the subscriber, by accepting a certificate, becomes
obligated to indemnify the issuing CA for any loss caused by the misrepresentation or negligence. This indemnity may not be disclaimed or superseded
by contract between the CD and the subscriber.
Section 25 (h): One who intentionally misrepresents himself to a CA when requesting suspension of a certificate is guilty of a misdemeanor.
Section 28: (a) By specifying a recommended reliance limit in a certificate, the issuing CA and accepting subscriber recommend that persons rely on
the certificate only in transaction in which the total amount as risk does not exceed the reliance limit. (b) Except as designated in section 11, a licensed
CA is (1) not liable for any loss caused by reliance on a false or forged digital signature of a subscriber if, with respect to the DS, the CA complied with
this chapter; (2) not liable for a misrepresentation in the certificate, or for error in issuing the certificate in excess of the amount specified in the
certificate as its recommended reliance limit; and (3) not liable for punitive or exemplary damages, except as provided in section 14.
Section 29: A person may recover from the surety under a surety bond (or the financial institution under a letter of credit) the full amount against the
principal named in the bond or, if there is more than one such claim, a ratable share, up to a maximum total liability of the surety equal to the face
amount of the bond. Claimants may recover successively on the same guaranty, provided that the total liability on the guaranty to all persons making
claims may not exceed the amount of the guaranty. Claimants may recover attorney fees and court costs from the proceeds of the guaranty. A claim
against a guaranty must be filed with the division and the surety or issuer within one year after the claim arose. An action or suit must be filed within
one year after the claim is filed with the department. Except as prohibited by department rule, a guaranty, by contract, may alter the obligations under
this subsection.
Section 53: A recognized repository, the department, or the department's repository operator is not liable for loss from: (1) misrepresentation in a
certificate published by a licensed CA; (2) accurately reporting information which a licensed CA, a court, or the department has published; (3)
reporting info about a CA, a certificate, or a subscriber, if the info is properly published; and (4) failure to record publication of a certificate,
suspension, or revocation, unless the repository has received notice of publication and a commercially reasonable time of not more than one business
day has elapsed.
Idaho
No legislation
Illinois - Draft: Elec-tronic Commerce &
Security Act, 1/97
Section 405 provides that unless otherwise provided by law or contract, relying party assumes the risk that a DS is invalid, if reliance on the DS is not
reasonable under the circumstances, in accordance with section 404.
Indiana - House bill
1945
No liability provisions
Iowa
No applicable legislation
Kansas - H.B. 2059
No liability provisions
Kentucky
No legislation
Louisiana
No applicable legislation
Maine
No applicable legislation
Maryland - House bill
1015 - Digital
Signature Act
Section 20-202, subsections (E) and (F): The Secretary may recognize the licensing of CAs by other governmental entities, provided that those
licensing requirements are substantially similar. If that licensing is so recognized, the liability limits of 20-309 apply to those CAs in the same manner
as they apply to licensed CAs of this state. The liability limits of 20-309 do not apply to unlicensed CAs.
Section 20-304, subd.(D): A subscriber undertakes to indemnify the CA for any loss caused by issuance of a certificate in reliance on a false and
material representation of fact by the subscriber, or the failure to disclose a material fact if the representation or failure to disclose was made with intent
to deceive the CA or a person relying on the certificate, or was made with negligence. The indemnity may not be disclaimed or contractually limited;
however, a contract may provide consistent, additional terms regarding the indemnification.
Section 20-309: (A) By specifying a recommended reliance limit in a certificate, the issuing CA and the accepting subscriber recommend that persons
rely on the certificate only to the extent that the total amount as risk does not exceed the reliance limit. (B) Unless a licensed CA waives application of
this subsection, the CA is (1) not liable for any loss caused by reliance on a false or forged digital signature of a subscriber if, with respect to the DS,
the CA complied with this chapter; (2) not liable in excess of the amount specified in the certificate as its recommended reliance limit for either: (i) a
loss caused by reliance on a misrepresentation in the certificate of any fact that the CA is required to confirm; or (ii) failure to comply with 20-302 in
issuing the certificate; (3) liable only for direct, compensatory damages, which damages do not include punitive or exemplary damages; damages for
lost profits, savings, or opportunity; or damages for pain or suffering.
Section 20-310: A person may recover from the surety under a surety bond (or the financial institution under a letter of credit) the full amount against
the principal named in the bond or, if there is more than one such qualified right to payment, a ratable share, up to a maximum total liability of the
surety equal to the amount of the bond. Claimants may recover successively on the same guaranty, provided that the total liability on the guaranty to all
persons making claims may not exceed the amount of the guaranty. Claimants may recover attorney fees and court costs from the proceeds of the
guaranty. To recover at all, the claimant must file written notice of the claim with the division. Such recovery will be barred unless the claimant
complies with the particulars of the written notice subsection, and files the notice of claim within 2 years after the occurrence of the violation of this
chapter which is the basis for the claim.
Section 20-402: Unless otherwise provided by law or contract, the recipient of a DS assumes the risk that a DS is forged, if reliance on the DS is not
reasonable under the circumstances.
Section 20-502: (A) Notwithstanding any disclaimer by the repository or any contract to the contrary, a repository is liable for loss incurred by a
person reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate if: (1) the loss was incurred more
than 1 business day after receipt by the repository of a request to publish notice of the suspension or revocation; and (2) the repository had failed to
publish the notice of suspension or revocation when the person relied on the DS. (B) Unless waived, a recognized repository is (1) not liable: (i) for
failure to publish notice of suspension or revocation, unless the repository has received notice of publication and 1 business day has elapsed since the
notice was received; (ii) for any damages pursuant to subd one in excess of the recommended reliance limit in the certificate; (iii) for misrepresentation
in a certificate published by a licensed CA; (iv) for accurately reporting information which a licensed CA, the department, or a county clerk has
published, including info about suspension or revocation of a certificate; or (v) for reporting info about a CA, a certificate, or a subscriber, if such
information is published as provided herein and (2) liable pursuant to subsection (A) only for direct compensatory damages, which do not include
punitive or exemplary damages; damages for lost profits, savings, or opportunity; or damages for pain or suffering.
Massachusetts - Elec.
Records & Sig. Act
No liability provisions
Michigan
Section 201, subsections (6) and (7): The Secretary may recognize the licensing of CAs by other governmental entities, provided that those licensing
requirements are substantially similar. If that licensing is so recognized, the liability limits of section 309 apply to those CAs in the same manner as
they apply to licensed CAs of this state. The liability limits of 309 do not apply to unlicensed CAs.
Section 304, subd.(4): A subscriber undertakes to indemnify the CA for any loss caused by issuance of a certificate in reliance on a false and material
representation of fact by the subscriber, or the failure to disclose a material fact if the representation or failure to disclose was made with intent to
deceive the CA or a person relying on the certificate, or was made with negligence. The indemnity may not be disclaimed or contractually limited;
however, a contract may provide consistent, additional terms regarding the indemnification.
Section 309: (1) By specifying a recommended reliance limit in a certificate, the issuing CA and the accepting subscriber recommend that persons rely
on the certificate only to the extent that the total amount as risk does not exceed the reliance limit. (2) Unless a licensed CA waives application of this
subsection, the CA is (a) not liable for a loss caused by reliance on a false or forged digital signature of a subscriber if, with respect to the DS, the CA
complied with this chapter; (b) not liable in excess of the amount specified in the certificate as its recommended reliance limit for either: (i) a loss
caused by reliance on a misrepresentation in the certificate of any fact that the CA is required to confirm; or (ii) failure to comply with 302 in issuing
the certificate; (C) liable only for direct, compensatory damages in an action to recover a loss due to reliance on the certificate, which damages do not
include punitive or exemplary damages; damages for lost profits, savings, or opportunity; or damages for pain or suffering.
Section 310: A person may recover from the surety under a surety bond (or the financial institution under a letter of credit) the full amount against the
principal named in the bond or, if there is more than one such qualified right to payment, a ratable share, up to a maximum total liability of the surety
equal to the amount of the bond. Claimants may recover successively on the same guaranty, provided that the total liability on the guaranty to all
persons making claims may not exceed the amount of the guaranty. Claimants may recover attorney fees and court costs from the proceeds of the
guaranty. To recover at all, the claimant must file written notice of the claim with the division. Such recovery will be barred unless the claimant
complies with the particulars of the written notice subsection, and files the notice of claim within 2 years after the occurrence of the violation of this
chapter which is the basis for the claim.
Section 402: Unless otherwise provided by law or contract, the recipient of a DS assumes the risk that a DS is forged, if reliance on the DS is not
reasonable under the circumstances.
Section 502: (1) Notwithstanding any disclaimer by the repository or any contract to the contrary, a repository is liable for loss incurred by a person
reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate if: (a) the loss was incurred more than 1
business day after receipt by the repository of a request to publish notice of the suspension or revocation; and (b) the repository had failed to publish
the notice of suspension or revocation when the person relied on the DS. (2) Unless waived, a recognized repository is not liable for 1 or more of the
following: (a) the failure to publish notice of suspension or revocation, unless the repository has received notice of publication and 1 business day has
elapsed since the notice was received; (b) damages under subsection 1 in excess of the recommended reliance limit in the certificate; (c)
misrepresentation in a certificate published by a licensed CA; (d) accurately reporting information which a licensed CA, the department, or a county
clerk has published, including info about suspension or revocation of a certificate; or (e) reporting info about a CA, a certificate, or a subscriber, if such
information is published as provided herein. (3) A repository is liable under subsection (1) only for direct compensatory damages, which do not
include punitive or exemplary damages; damages for lost profits, savings, or opportunity; or damages for pain or suffering.
Minnesota -
Electronic
Authentication Act,
enacted 5/19/97
Section 13, subd. 4: A subscriber undertakes to indemnify the issuing CA for loss caused by issuance or publication of a certificate in reliance on (1) a
false representation by the subscriber, or (2) failure by the subscriber to disclose a material fact if made with intent to deceive the CA or a person
relying on the certificate, or with negligence.
Section 25, subd. 2: Courts shall give effect to liability allocations between the parties provided by contract to the extent not inconsistent with this
chapter.
Mississippi-H.B. 752
No liability provisions
Missouri
No applicable legislation
Montana - House Bill
468, enacted 4/18/97
Section 1 (4): The secretary of state is not liable for any loss or damages arising from errors in or omissions from information entered into the
electronic filing system.
Nebraska-leg bill 286
No liability provisions
Nevada
No applicable legislation
New Hampshire - S.
Bill 207- Dig Sig Act
No liability provisions
New Jersey
No applicable legislation
New Mexico - title 1,
ch. 3, pt. 51-proposed
rule
No liability provisions
New York - Senate
Bill 2238 and
Assembly Bill 6183
Section 5-1733, subd. 2: Unless a licensed CA waives application of this subdivision, the CA is: (A) not liable for any loss caused by reliance on a
false or forged DS of a subscriber if the CA complied with this title, (B) not liable in excess of the recommended reliance limit in the certificate for
either: (I) loss caused by reliance on a misrepresentation in the certificate of any fact that the licensed CA is required to confirm; or (ii) failure to
comply with section 5-1719 of this title in issuing the certificate; (C) liable only for direct, compensatory damages in an action to recover a loss due to
reliance on the certificate, which damages do not include punitive or exemplary damages; damages for lost profits, savings, or opportunity; or damages
for pain or suffering.
Section 5-1709, subd.5: The department may recognize the licensing of CA's by other governmental entities, if their licensing requirements are
substantially similar to NY's. If licensing by another governmental entity is so recognized, the liability limits of section 5-1733 apply to those CA's as
well. The liability limits of 5-1733 shall not apply to unlicensed CA's.
Section 5-1713, subd.3: Any person who intentionally violates an order issued pursuant to this section or section 5-1715 is subject to a civil penalty of
up to $5000 per violation or 90% of the recommended reliance limit of a material certificate, whichever is less.
Section 5-1723, subd.3: A person may not disclaim or contractually limit the application of this section, nor obtain indemnity for its effects, if the
disclaimer, limitation or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate. Subd 4: By
accepting a certificate, a subscriber undertakes to indemnify the issuing CA for any loss or damage caused by issuance or publication of a certificate in
reliance on a false and material representation by the subscriber, or his failure to disclose a material fact if the representation or failure to disclose was
made either with intent to deceive or was made with negligence. The indemnity may not be disclaimed or contractually limited in scope but a contract
may provide consistent, additional terms regarding the indemnification.
Section 5-1727, subd.6: A person shall not intentionally misrepresent to a CA his identity or authorization in requesting suspension of a certificate.
Violation shall be a class B misdemeanor.
Section 5-1751: 1. Notwithstanding any disclaimer by the repository or any contract to the contrary, a repository I liable for loss incurred by a person
reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate if: (A)the loss was incurred more than 1
business day after receipt by the repository of a request to publish notice of the suspension or revocation; and (B) the repository had failed to publish
the notice of suspension or revocation when the person relied on the DS. 2. Unless waived, a recognized repository is (A) not liable: (i) for failure to
publish notice of suspension or revocation, unless the repository has received notice of publication and 1 business day has elapsed since the notice was
received; (ii) for any damages pursuant to subd one in excess of the recommended reliance limit in the certificate; (iii) for misrepresentation in a
certificate published by a licensed CA; (iv) for accurately reporting information which a licensed CA, the department, or a county clerk has published,
including info about suspension or revocation of a certificate; or (v) for reporting info about a CA, a certificate, or a subscriber, if such information is
published as provided herein and (B) liable pursuant to subdivision 1 only for direct compensatory damages, which do not include punitive or
exemplary damages; damages for lost profits, savings, or opportunity; or damages for pain or suffering.
North Carolina
No applicable legislation
North Dakota
No applicable legislation
Ohio
No applicable legislation
Oklahoma
No applicable legislation
Oregon - H.B. 3046 -
Elec. Signature Act
No liability provisions
Pennsylvania
No legislation
Rhode Island - Senate
Bill 612 - Digital
Signature Act
Section 42-127-5, subdivisions. 5 and 6: The division may recognize the licensing of CAs by other governmental entities, provided that those
licensing requirements are substantially similar. If licensing is so recognized, the liability limits of 42-127-17 apply to those CAs in the same manner
as they apply to licensed CAs of this state. The liability limits of 42-127-17 do not apply to unlicensed CAs.
Section 42-127-12, subd.4: A subscriber undertakes to indemnify the CA for any loss caused by issuance of a certificate in reliance on a false and
material representation of fact by the subscriber, or the failure to disclose a material fact if the representation or failure to disclose was made with intent
to deceive the CA or a person relying on the certificate, or was made with negligence. The indemnity may not be disclaimed or contractually limited;
however, a contract may provide consistent, additional terms regarding the indemnification.
Section 42-127-17: (1) By specifying a recommended reliance limit in a certificate, the issuing CA and the accepting subscriber recommend that
persons rely on the certificate only to the extent that the total amount as risk does not exceed the reliance limit. (2) Unless a licensed CA waives
application of this subsection, the CA is (a) not liable for any loss caused by reliance on a false or forged digital signature of a subscriber if, with
respect to the DS, the CA complied with this chapter; (b) not liable in excess of the amount specified in the certificate as its recommended reliance
limit for either; (I) a loss caused by reliance on a misrepresentation in the certificate of any fact that the CA is required to confirm; or (ii) failure to
comply with 42-127-10 in issuing the certificate; (c) liable only for direct, compensatory damages, which damages do not include punitive or
exemplary damages; damages for lost profits, savings, or opportunity; or damages for pain or suffering.
Section 42-127-18: A person may recover from the surety under a surety bond (or the financial institution under a letter of credit) the full amount
against the principal named in the bond or, if there is more than one such qualified right to payment, a ratable share, up to a maximum total liability of
the surety equal to the amount of the bond. Claimants may recover successively on the same guaranty, provided that the total liability on the guaranty
to all persons making claims may not exceed the amount of the guaranty. Claimants may recover attorney fees and court costs from the proceeds of the
guaranty. To recover at all, the claimant must file written notice of the claim with the division. Such recovery will be barred unless the claimant
complies with the particulars of the written notice subsection, and files the notice of claim within 2 years after the occurrence of the violation of this
chapter which is the basis for the claim.
Section 42-127-20: Unless otherwise provided by law or contract, the recipient of a DS assumes the risk that a DS is forged, if reliance on the DS is
not reasonable under the circumstances.
Section 42-127-26: 1. Notwithstanding any disclaimer by the repository or any contract to the contrary, a repository is liable for loss incurred by a
person reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate if: (a) the loss was incurred more
than 1 business day after receipt by the repository of a request to publish notice of the suspension or revocation; and (b) the repository had failed to
publish the notice of suspension or revocation when the person relied on the DS. 2. Unless waived, a recognized repository is (a) not liable: (i) for
failure to publish notice of suspension or revocation, unless the repository has received notice of publication and 1 business day has elapsed since the
notice was received; (ii) for any damages pursuant to subd one in excess of the recommended reliance limit in the certificate; (iii) for misrepresentation
in a certificate published by a licensed CA; (iv) for accurately reporting information which a licensed CA, the department, or a county clerk has
published, including info about suspension or revocation of a certificate; or (v) for reporting info about a CA, a certificate, or a subscriber, if such
information is published as provided herein and (b) liable pursuant to subsection 1 only for direct compensatory damages, which do not include
punitive or exemplary damages; damages for lost profits, savings, or opportunity; or damages for pain or suffering.
South Carolina
No legislation
South Dakota
No legislation
Tennessee
No applicable legislation
Texas - several bills
recently enacted
No liability provisions
Utah
Section 46-3-304: (4)(a) By accepting a certificate, a subscriber undertakes to indemnify the issuing certification authority for any loss or damage
caused by issuance or publication of a certificate in reliance on a false and material representation of fact by the subscriber, or the failure by the
subscriber to disclose a material fact if the representation or failure to disclose was made either with intent to deceive the certification authority
or a person relying on the certificate or was made with negligence. (b).... The indemnity provided in Subsection (a) may not be disclaimed or
contractually limited in scope, however, a contract may provide consistent, additional terms regarding the
indemnification.
Section 46-3-309: (1) By specifying a recommended reliance limit in a certificate, the issuing certification authority and the accepting subscriber
recommend that persons rely on the certificate only to the extent that the total amount at
risk does not exceed the recommended reliance limit. (2) Unless a licensed certification authority waives application of this
subsection, a licensed certification authority is: (a) not liable for any loss caused by reliance on a false or forged digital
signature of a subscriber, if, with respect to the false or forged digital signature, the certification authority complied with all material
requirements of this chapter; (b) not liable in excess of the amount specified in the certificate as its
recommended reliance limit for either: (i) a loss caused by reliance on a misrepresentation in the certificate of
any fact that the licensed certification authority is required to confirm; or (ii) failure to comply with Section 46-3-302 in issuing the certificate;
(c) liable only for direct, compensatory damages in any action to recover a loss due to reliance on the certificate, which do not include punitive or
exemplary damages; damages for lost profits, savings, or opportunity; or damages for pain or suffering.
Section 46-3-310.: A person may recover from the surety under a surety bond (or the financial institution under a letter of credit) the full amount
against the principal named in the bond or, if there is more than one such qualified right to payment, a ratable share, up to a maximum total liability of
the surety equal to the amount of the bond. Claimants may recover successively on the same guaranty, provided that the total liability on the guaranty
to all persons making claims may not exceed the amount of the guaranty. Claimants may recover attorney fees and court costs from the proceeds of the
guaranty. To recover at all, the claimant must file written notice of the claim with the division. Such recovery will be barred unless the claimant
complies with the particulars of the written notice subsection, and files the notice of claim within 2 years after the occurrence of the violation of this
chapter which is the basis for the claim.
Section 46-3-502: (1) Notwithstanding any disclaimer by the repository or any contract to the contrary, a repository is liable for loss incurred by a
person reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate if: (a) the loss was incurred more
than 1 business day after receipt by the repository of a request to publish notice of the suspension or revocation; and (b) the repository had failed to
publish the notice of suspension or revocation when the person relied on the DS. (2) Unless waived, a recognized repository is (a) not liable: (i) for
failure to publish notice of suspension or revocation, unless the repository has received notice of publication and 1 business day has elapsed since the
notice was received; (ii) for any damages pursuant to subsection (1) in excess of the recommended reliance limit in the certificate; (iii) for
misrepresentation in a certificate published by a licensed CA; (iv) for accurately reporting information which a licensed CA, the department, or a
county clerk has published, including info about suspension or revocation of a certificate; or (v) for reporting info about a CA, a certificate, or a
subscriber, if such information is published as provided herein and (b) liable pursuant to subsection (1) only for direct compensatory damages, which
do not include punitive or exemplary damages; damages for lost profits, savings, or opportunity; or damages for pain or suffering.
Vermont H.B. 60
Section 4624, subdivisions (e) and (f): The division may recognize the licensing of CAs by other governmental entities, provided that those licensing
requirements are substantially similar. If licensing is so recognized, the liability limits of 42-127-17 apply to those CAs in the same manner as they
apply to licensed CAs of this state. The liability limits of 4635 do not apply to unlicensed CAs.
Section 4630: A subscriber undertakes to indemnify the CA for any loss caused by issuance of a certificate in reliance on a false and material
representation of fact by the subscriber, or the failure to disclose a material fact if the representation or failure to disclose was made with intent to
deceive the CA or a person relying on the certificate, or was made with negligence. The indemnity may not be disclaimed or contractually limited;
however, a contract may provide consistent, additional terms regarding the indemnification.
Section 4632 (f): A person may not intentionally misrepresent to a CA his identity or authoization in requesting suspension of a certificate. A person
who violates this subsection shall be fined not more than $500.00(sic) or imprisoned more than 10 years, or both.
Section 4635: (a) By specifying a recommended reliance limit in a certificate, the issuing CA and the accepting subscriber recommend that persons
rely on the certificate only to the extent that the total amount as risk does not exceed the reliance limit. (b) Unless a licensed CA waives application of
this subsection, the CA is (1) not liable for any loss caused by reliance on a false or forged digital signature of a subscriber if, with respect to the DS,
the CA complied with this chapter; (2) not liable in excess of the amount specified in the certificate as its recommended reliance limit for either; (A) a
loss caused by reliance on a misrepresentation in the certificate of any fact that the CA is required to confirm; or (B) failure to comply with 4628 in
issuing the certificate; (3) liable only for direct, compensatory damages, which damages do not include punitive or exemplary damages; damages for
lost profits, savings, or opportunity; or damages for pain or suffering.
Section 4636: A person may recover from the surety under a surety bond (or the financial institution under a letter of credit) the full amount against
the principal named in the bond or, if there is more than one such qualified right to payment, a ratable share, up to a maximum total liability of the
surety equal to the amount of the bond. Claimants may recover successively on the same guaranty, provided that the total liability on the guaranty to all
persons making claims may not exceed the amount of the guaranty. Claimants may recover attorney fees and court costs from the proceeds of the
guaranty. To recover at all, the claimant must file written notice of the claim with the division. Such recovery will be barred unless the claimant
complies with the particulars of the written notice subsection, and files the notice of claim within 2 years after the occurrence of the violation of this
chapter which is the basis for the claim.
Section 4638: Unless otherwise provided by law or contract, the recipient of a DS assumes the risk that a DS is forged, if reliance on the DS is not
reasonable under the circumstances.
Section 4643: (a) Notwithstanding any disclaimer by the repository or any contract to the contrary, a repository is liable for loss incurred by a person
reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate if: (1) the loss was incurred more than 1
business day after receipt by the repository of a request to publish notice of the suspension or revocation; and (2) the repository had failed to publish
the notice of suspension or revocation when the person relied on the DS. (b) Unless waived, a recognized repository is (1) not liable: (A) for failure to
publish notice of suspension or revocation, unless the repository has received notice of publication and 1 business day has elapsed since the notice was
received; (Bi) for any damages pursuant to subsection (a) in excess of the recommended reliance limit in the certificate; (C) for misrepresentation in a
certificate published by a licensed CA; (D for accurately reporting information which a licensed CA, the secretary of state, or superior court clerk has
published, including info about suspension or revocation of a certificate; or (E) for reporting info about a CA, a certificate, or a subscriber, if such
information is published as provided herein and (2) liable pursuant to subsection (a) only for direct compensatory damages, which do not include
punitive or exemplary damages; damages for lost profits, savings, or opportunity; or damages for pain or suffering.
Virginia - house joint
resolution no. 195;
Code of VA 59.1-467
et seq.
No liability provisions
Washington - 1996
S.B. 6423
Section 201, subdivisions 3, 5, and 7: The secretary may recognize the licensing of CAs by other governmental entities, provided that those licensing
requirements are substantially similar. If licensing is so recognized, the liability limits of RCW 19.34.280 apply to those CAs in the same manner as
they apply to licensed CAs of this state. The liability limits of RCW 19.34.280 do not apply to a certificate issued by a CA that exceed the restrictions
of the CA's license.
Section 203: The secretary may be order impose and collect a civil monetary penalty against a licensed CA for a violation of this chapter in an amount
not to exceed $10,000 per incident, or ninety percent of the recommended reliance limit of a material certificate, whichever is less.
Section 304 (4): By accepting a certificate, a subscriber undertakes to indemnify the issuing CA for loss or damage caused by issuance or publication
of a certificate in reliance on: (a) a false and material representation of fact by the subscriber; or (b) the failure by the subscriber to disclose a material
fact; if the representation or failure to disclose was made either with intent to deceive the CA or a person relying on the certificate, or with negligence.
The indemnity provided in this section may not be disclaimed or contractually limited in scope. However, a contract may provide consistent, additional
terms regarding the indemnification.
Section 309: (1) By specifying a recommended reliance limit in a certificate, the issuing CA recommends that persons rely on the certificate only to the
extent that the total amount at risk does not exceed the recommended reliance limit. (2) Subject to subsection (3) of this section, unless a licensed CA
waives application of this subsection, the CA is: (a) not liable for a loss caused by reliance on a false or forged digital signature of a subscriber, if the
CA complied with all material requirements of this chapter; (b) not liable in excess of the amount specified in the certificate as its recommended
reliance limit for either: (i) a loss caused by reliance on a misrepresentation in the certificate of a fact that the licensed CA is required to confirm; or (ii)
failure to comply with sRCW 19.34.210 in issuing the certificate; (c) Not liable for punitive or exemplary damages; or damages for pain or suffering.
(3) Nothing in subsection (2)(a) of this section relieves a licensed CA ofits liability for breach of any of the warranties or certifications it gives under
RCW 19.34.220 or for its lack of good faith, which warranties and obligation of good faith may not be disclaimed....The liability of a licensed CA
under this subsection is subject to the limitations in subsection (2)(b) and (c) unless the limits are waived by the licensed CA. (4) Consequential or
incidental damages may be liquidated, or may otherwise be limited, altered, or excluded unless the limitation, alteration, or exclusion is
unconscionable. A licensed CA may liquidate, limit, alter, or exclude such damages by agreement or by notifying any person who will rely on a
certificate before the person relies on the certificate.
Section 310: A person may recover from the surety under a surety bond the full amount of a qualified right to payment against the principal named in
the bond or, if there is more than one such qualified right to payment, a ratable share, up to a maximum total liability of the surety equal to the amount
of the bond. If the suitable guaranty is a letter of credit, a person may recover from the issuing financial institution only in accordance with the terms
of the letter of credit. Claimants may recover successively on the same guaranty, provided that the total liability on the guaranty to all persons making
claims may not exceed the amount of the guaranty. Claimants may recover attorney fees and court costs from the proceeds of the guaranty. To recover
at all, the claimant must file written notice of the claim with the division. Such recovery will be barred unless the claimant complies with the
particulars of the written notice subsection, and files the notice of claim within 3 years after the occurrence of the violation of this chapter which is the
basis for the claim.
Section 502: (1) Notwithstanding any disclaimer by the repository or any contract to the contrary, a repository is liable for loss incurred by a person
reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate, if loss was incurred more than 1
business day after receipt by the repository of a request to publish notice of the suspension or revocation, and the repository had failed to publish the
notice of suspension or revocation when the person relied on the DS. (2) Unless waived, a recognized repository is (a) not liable for failure to publish
notice of suspension or revocation, unless the repository has received notice of publication and 1 business day has elapsed since the notice was
received; (b) not liable under subsection (1) in excess of the amount specified in the certificate as the recommended reliance limit; (c) not liable under
subsection (1) for punitive or exemplary damages; or damages for pain or suffering; (d) not liable for misrepresentation in a certificate published by a
licended CA; (d) for accurately reporting information which a licensed CA, or court clerk, or the secretary has published, including info about
suspension or revocation of a certificate; (f) not liable for reporting info about a CA, a certificate, or a subscriber, if such information is published as
provided herein. (3) Consequential or incidental damages may be liquidated, or may otherwise be limited, altered, or excluded unless the limitation,
alteration, or exclusion is unconscionable. A recognized repository may liquidate, limit, alter, or exclude such damages by agreement or by notifying
any person who will rely on a certificate before the person relies on the certificate.
West Virginia
No legislation
Wisconsin
No legislation
Wyoming - proposed
section 9-1-306:
electronic filing
system
No liability provisions
France - Telecom bill
imposes criminal liability for persons who imports or exports encryption device or service without proper approval or authorization, or in order to
facilitate a crime (also for persons who refuse to cooperate in an investigation of the above)
France - Decree No.
92-1358 of 28
December 1992, Title
3, Article 15
One who supplies (or uses) cryptographic material without the authorization provided in article 28 of the law of 29 December 1990 shall be liable to
the fines provided for infractions of the 5th class. One who supplies or exports cryptographic services without the prior declaration provided by that
law having been filed shall be liable to the fines provided for infractions of the 5th class. One who supplies any cryptographic materials without the
prior declaration provided by that law having been filed shall be liable to the fines provided for infractions of the 4th class. One who uses a
cryptographic service or material without the prior declaration provided by that law having been filed shall be liable to the fines provided for
infractions of the 4th class.
The law of 29 Dec. 1990 provides that one who exports cryptographic material or causes to be supplied cryptographic service without the
authorization shall be liable to a fine of 6,000F to 500,000 F or to imprisonment for 1 to 3 months, or both.
Germany - final draft
of DS law, 12/96
No liability provisions
Malaysia - Digital
Signature Bill 1997
40. No person may disclaim or contractually limit the application of this Chapter, nor obtain indemnity for its effects, if the disclaimer, limitation or
indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.
41.(1) By accepting a certificate, a subscriber undertakes to indemnify the issuing licensed certification authority for any loss or damage caused by issuance
or publication of the certificate in reliance on- (a) a false and material representation of fact by the subscriber; or (b) the failure by the subscriber to disclose
a material fact, if the representation or failure to disclose was made either with intent to deceive the licensed certification authority or a person relying on
the certificate, or with negligence. (2) Where the licensed certification authority issued the certificate at the request of one or more agents of the subscriber,
the agent or agents personally undertake to indemnify the licensed CA under this section, as if they were accepting subscribers in their own right. (3) The
indemnity provided in this section shall not be disclaimed or contractually limited in scope.
61. Unless a licensed CA waives the application of this section, a licensed CA -- (a) shall not be liable for any loss caused by reliance on a false or forged
digital signature of a subscriber, if, with respect to the false or forged digital signature, the licensed CA complied with the requirements of this Act; (b)
shall not be liable in excess of the amount specified in the certificate as its recommended reliance limit for either- (i) a loss caused by reliance on a
misrepresentation in the certificate of any fact that the licensed CA is required to confirm; or (ii) failure to comply with sections 29 and 30 in issuing the
certificate; and (c) shall not be liable for- (i) punitive or exemplary damages; or (ii) damages for pain or suffering.
Part VI - Repositories and Date/Time Stamp Services
69. (1) Notwithstanding any disclaimer by the repository or any contract to the contrary between the repository and a licensed CA or a subscriber, a
repository shall be liable for a loss incurred by a person reasonably relying on a digital signature verified by the public key listed in a suspended or revoked
certificate, if loss was incurred more than one business day after receipt by the repository of a request to publish notice of the suspension or revocation, and
the repository had failed to publish the notice when the person relied on the digital signature.
(2) Unless waived, a recognised repository or the owner or operator of a recognised repository- (a) shall not be liable for failure to record publication of
a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;
(b) shall not be liable under subsection (1) in excess of the amount specified in the certificate as the recommended reliance limit; (c) shall not be liable
under subsection (1) for- (i) punitive or exemplary damages; or (ii) damages for pain or suffering; (d) shall not be liable for misrepresentation in a
certificate published by a CA; (e) shall not be liable for accurately recording or reporting information which a licensed CA, a court or the Controller
has published as required or permitted under this Act, including information about the suspension or revocation of a certificate; and (f) shall not be
liable for reporting information about a CA, a certificate or a subscriber, if such information is published as required or permitted under this Act
or is published by order of the Controller in the performance of his licensing and regulatory duties under this Act.
73. A person who makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this
Act which is untrue, inaccurate or misleading in any particular commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred
thousand ringgit or to imprisonment for a term not exceeding ten years or to both.
83. (1) A person who commits an offence under this Act for which no penalty is expressly provided shall, on conviction, be liable to a fine not exceeding
two hundred thousand ringgit or to imprisonment for a term not exceeding four years or to both, and in the case of a continuing offence shall in addition
be liable to a daily fine not exceeding two thousand ringgit for each day the offence continues to be committed.
(2) For the purposes of this section, "this Act" does not include the regulations made under this Act.
UK - "Licensing of
trusted third parties
for the provision of
encryption services",
public consultation
paper on detailed
proposals for
legislation
72. Prohibits providing encryption services to the public without a license. Unlicensed TTPs (Trusted Third Parties) outside the UK are prohibited
from offering encryption services to the UK public. (Encryption services encompasses digital signatures)
75. The legislation will also prohibit a UK licensed TTP from contracting with any non licensed TTP for the purpose of carrying out encryption
services (with certain exceptions)
86. TTPs will be liable for the protection of the private keys. They will also be liable for the protection of hierarchical keys upon which the secrecy of
client keys or system keys are dependent. In the event of loss or disclosure (whether deliberate or accidental) of keys the TTP will be required to have
in place adequate arrangements to compensate any loss suffered by its clients or clients of other TTPs. The TTP will be required to demonstrate that
such arrangements have been made. TTPs will also have vicarious liability for acts of their employees.
87. TTPs will be strictly liable for compromise or disclosure of a client's private key if such key was disclosed other than by agreement with its client.
It would be a defence for the TTP to show that the client itself was responsible for the loss or compromise of his own private keys. The government
proposes to limit the amount of compensation payable by TTPs to the client if disclosure of the key was established by the Court.
88. In cases of judgment against the TTP, there would be an automatic referral to a Tribunal, which would determine whether there had been legal
access under warrant to the key, and, if so, whether the responsibility for the disclosure lay with the central repository or the law enforcement agency.
If so, the Tribunal would compensate the TTP for the loss it had paid the client and would publish its findings. Liability cover and compensation above
the minimum level will be at the discretion of the TTP and its clients and will be dealt with by individual contract.
UNCITRAL
No liability provisions
United States -
Electronic Data
Security Act of 1997,
draft 3/12/97
Section 403: "It shall be unlawful for any person -- (A) if a Certificate Authority registered under this Act, intentionally to issue a public key
certificate in violation of section 203 of this Act; (B) intentionally to disclose recovery information in violation of this Act; (C) intentionally to obtain
or use recovery information without lawful authority, or, having received such information with lawful authority, intentionally to exceed such authority
for the purpose of decrypting data or communications; (D) if a Key Recovery Agent, or officer, employee, or agent thereof, intentionally to disclose
the facts or circumstances of any release of recovery information or requests therefor in violation of this Act; (E) intentionally to issue a public key
certificate under this Act, or to fail to revoke such a certificate, knowing that the person from whom the certificate is issued does not meet the
requirements of this Act or the regulations promulgated thereunder; (F) intentionally to apply for or obtain a public key certificate under this Act,
knowing that the person to be identified in the public key certificate does not meet the requirements of this Act or the Regulations promulgated
thereunder; or (G) knowingly to issue a public key certificate in furtherance of the commission of a criminal offense which may be prosecuted in a
court of competent jurisdiction.
Any person who violates this section shall be fined under title 18,
United States Code, or imprisoned not more than five years, or both.
Section 404.: (A) Whoever knowingly encrypts data or communications in furtherance of the commission of a criminal offense for which the person
may be
prosecuted in a court of competent jurisdiction shall, in addition to
any penalties for the underlying criminal offense, be fined under title
18, United States Code, or imprisoned not more than five years, or both.
Section 401(B): Any person who violates section 403 shall be subject to a civil penalty in an amount not to exceed $10,000 per violation, unless the
violation was willful, or was committed by a Key Recovery Agent or a CA not registered under this Act.
