Wyo. Code R. 077-0001-4
Director's Office
Chapter 4: Electronic Transactions Electronic Signatures
Effective Date: 05/11/2007 to 06/08/2016
Rule Type: Superceded Rules & Regulations
Reference Number: 077.0001.4.05112007
(a) This chapter applies to all non-verbal electronic communications or transactions conducted with a State agency over the Internet or other electronic network or by another means that is acceptable to the State agency, for which:
(i) The sender of the communication or transaction must be verified; or (ii) The identity of the signer of the communication or transaction must be verified or authenticated; or (iii) The integrity of the data contained in the communication or transaction must be maintained in verifiable form appropriate to the communication throughout the lifecycle of the data.
(b) This chapter does not apply to:
(i) The receipt of electronically filed documents pursuant to Wyoming statutes or other applicable statutory law where the purpose of the written electronic communication is to comply with statutory filing; or (ii) The processing of electronic transactions under rules adopted by the Wyoming State Auditor's Office pursuant to applicable law; or (iii) The use of e-mail to conduct business with the State where the conditions in Section 1(a) do not apply; or (iv) As otherwise excluded by Wyoming Statute, or applicable statutory law.
(c) Any agreements entered into between a sender and the receiving State agency after the effective date of these rules must comply with these rules. (d) Prior to accepting a non-verbal electronic communication, a State agency shall ensure that the level of security used to identify the sender of a message and to authenticate the electronic signature is sufficient for the transaction being conducted. (e) A State agency that accepts non-verbal electronic communications may not effectively discourage the use of non-verbal electronic communications by imposing unreasonable or burdensome requirements on persons wishing to use non-verbal electronic communications sent to the State agency.
(f) A State agency shall not be required to accept an electronic signature for specific transactions if the State agency:
(i) Determines that the expense or resources required by the State agency to accept such an electronic signature are unreasonable; and
(ii) Provides reasonable notice to all interested persons of the fact that such electronic signatures will not be accepted, and of the basis for the determination that the expense or resources required for acceptance are unreasonable.
(g) A State agency shall review and consider any applicable guidelines and recommendations that have been adopted by the ETS in determining whether and to what extent the State agency shall accept an electronic signature.
(h) A State agency shall ensure the following are retained by the State agency as necessary to comply with applicable law pertaining to audit and records retention requirements:
(i) All non-verbal electronic records received by the State agency and electronic signatures authenticated in accordance with Section 2 and Section 5 below; and
(ii) Any information resources necessary to permit access to the written electronic communications.
For purposes of this Chapter an acceptable electronic signature authentication procedure is one that demonstrates, in a trustworthy manner, that the electronic signature:
(a) Is unique to the signer within the context in which it is used;
(b) Can be used to objectively identify the person signing and transmitting the electronic record;
(c) Provides reasonable assurance the electronic signature created by such identified person cannot be readily duplicated or compromised; and
(d) Is linked to the electronic record to which it relates, in a manner such that if the record or the signature is intentionally or unintentionally changed after signing the electronic signature is invalidated.
Except as provided by another applicable rule of law, a secure electronic signature is attributable to the person to whom it correlates, whether or not authorized, if:
(a) The electronic signature resulted from acts of a person that obtained the signature device or other information necessary to create the signature from a source under the control of the alleged signer, or the access or use occurred under circumstances constituting a failure to exercise reasonable care by the alleged signer; and
(b) The receiving party relied reasonably and in good faith to their detriment on the apparent source of the electronic record.
The technology or technologies selected by an agency for use of electronic signatures may change over time. Existing technologies shall be implemented in a manner consistent with the requirements of these rules. The types of technologies acceptable for use for electronic signatures include:
(a) Non-Cryptographic technology that employs the use of passwords, personal identification numbers (PIN), smart card or similar technology.
(i) The agency is responsible for establishing adequate guidelines and procedures for the management and administration of non-cryptographic technologies that are consistent with the risks and consequences associated with the compromise of the information or transaction.
(b) Cryptographic technology that employs principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification, or prevent its unauthorized use.
(i) The agency is responsible for:
(A) Establishing adequate guidelines and procedures for the management and administration of cryptographic technologies that are consistent with the risks and consequences associated with the compromise of the information or transaction; or
(B) Using a qualified cryptographic technology service provider for the management and administration of cryptographic technologies that are consistent with the risks and consequences associated with the compromise of the information or transaction.
For purposes of this chapter an acceptable transaction record authentication procedure is one that demonstrates, in a trustworthy manner, that the transaction record data:
(a) Is maintained in such a manner that the original data can be verified throughout the lifecycle of the record;
(b) Provides reasonable assurance the transaction record data cannot be readily compromised;
(c) Is linked to the electronic signature to which it relates, in a manner such that if the original transaction record data or the signature is intentionally or unintentionally changed after signing the transaction record is invalidated.