Administrative Rule Review Report  #AR07-023

Legislative Service Office

03-Apr-07

 

AGENCY:                                        Department of Administration and Information, Chief Information Officer

 

DATE SUBMITTED:                        April 2, 2007.

 

SUBJECT:                                        Chapters 1 through 6, Electronic Transactions.

 

NATURE OF RULES:                      Legislative and Procedural.

 

STATUTORY AUTHORITY:           W.S. 9-2-2501 and 40-21-118

 

DETERMINATION OF PROCEDURAL COMPLIANCE BASED UPON INFORMATION

SUBMITTED BY THE AGENCY TO LSO:  

 

Apparently complete to date. Four agencies/boards responded to the notice of intent to adopt rules with comments.  At least some of the comments were incorporated into the final adopted rules.  The changes made appear to be nonsubstantive and  therefore comport with the "substantial compliance" requirement of the Wyoming Administrative Procedure Act (W.S. 16-3-103(c)).  The "new rule" letter required to be sent to legislative sponsors and committees acting upon the legislation authorizing the rules by W.S. 28-9-103(d), was sent out late by LSO.  No comments have been received at the time of preparation of this report.  Any comments received will be forwarded to Management Council.

 

SUMMARY OF RULES:

 

These are the first set of rules adopted by the Department of Administration and Information to govern electronic transactions conducted by state agencies.  The stated "purpose of these rules is to facilitate electronic filing, acceptance, preservation, maintenance, availability, and confidentiality of documents with State of Wyoming agencies and promote efficient delivery of services from State agencies by means of reliable electronic records."  The rules are divided into six chapters.

 

Chapter 1. Electronic Transactions General Provisions.  Contains authority to promulgate rules, the purpose of the rules, definitions, coverage, interpretation, enforcement, policies, severability and an effective date.

 

Chapter 2. Electronic Transactions, Standards for the Conduct of Electronic Business.       This chapter is reserved.

 

Chapter 3. Electronic Transactions, Security.  Security procedures shall be: 1) commercially reasonable under the circumstances, 2) applied in a trustworthy manner, 3) reasonably and in good faith relied upon by the party utilizing the procedure, 4) capable of providing reliable evidence that an electronic record has not been altered, and 5) consistent with the risks and consequences associated with the compromise of the information or transaction.  A security procedure is acceptable for the purposes of these rules if it is generally accepted in the information security or scientific community as being suitable for the intended purposes.  Section 2 covers state agency and employee responsibilities required to protect electronic information.

 

Chapter 4. Electronic Signatures.  Subsection 1(a) applies to all non-verbal electronic communications or transactions conducted with a State agency over the internet or other electronic network for which: 1) the sender of the communication or transaction must be verified, or 2) the identity of the signer of the communication or transaction must be verified or authenticated, or 3) the integrity of the data contained in the communication must be maintained in an appropriately verifiable form.  Subsection 1(b) then lists the communications or transactions for which the requirements of Chapter 4 do not apply, notably electronically filed documents, filed electronically to comply with applicable statutory law and e-mails used to conduct business with the State that do not meet the conditions of Subsection 1(a).  Section 2 outlines acceptable electronic signature authentication procedures.  Section 3 provides guidelines to determine when a secure electronic signature is attributable to the person to whom it correlates.  Section 4 lists the types of technologies acceptable for use for electronic signature and further states that the agency is responsible for establishing adequate guidelines to administer the technology it employs.  Section 5 states what attributes an acceptable transaction record authentication procedure must possess under these rules.

 

Chapter 5. Electronic Records.  Agencies must first conduct an assessment of the benefits, level of effort and risks associated with various categories of records that may be accepted in electronic form prior to initiating electronic procedures and records.    The remainder of Chapter 5 deals with the integrity and retention of electronic records.

 

Chapter 6.  Interoperability. The state chief information officer may encourage and promote consistency and interoperability with systems adopted by state agencies for the receipt and retention of electronic transactions.

 

FINDINGS:  The rules appear to be within the scope of statutory authority and legislative intent.

 

TECHNICAL NOTE FOR AGENCY CONSIDERATION:

That the Council recommend the agency make the following technical correction:

 

Chapter 5, Section 1 (page 5-1), it appears "impact of agency operations" should be "impact on agency operations".

 

STAFF RECOMMENDATION:  That the Council recommend that the Governor direct the Department to amend the rules to address the technical error. This is purely a nonsubstantive change which can be made without repromulgating the rules.

 

 

                                                                        _______________________

                                                                        Matthew D. Obrecht

                                                                        Staff Attorney

 

                                                                        _______________________

                                                                        David K. Gruver

                                                                        Assistant Director

 

 

NOTE:  Due to the length of the proposed rules, a copy is not attached to this report.  The complete set of rules is on file with LSO and is available for review upon request.