/akn/my/act/act/1997/562

DIGITAL SIGNATURE ACT 1997


Type
Act
Status
In force
Enacted
1997
Sections
88
Languages
MS · EN

Quick answer

About this act

DIGITAL SIGNATURE ACT 1997 is a Malaysian Act, cited as Act 562 1997, currently marked in force and first recorded in 1997.

Opening note

Preamble

An Act to make provision for, and to regulate the use of, digital signatures and to provide for matters connected therewith.

[1 October 1998, P.U. (B) 397/1998]

BE IT ENACTED by the Seri Paduka Baginda Yang di-Pertuan Agong with the advice and consent of the Dewan Negara and Dewan Rakyat in Parliament assembled, and by the authority of the same, as follows:

PART I

Section 1


This Act may be cited as the Digital Signature Act 1997 and shall come into force on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act.

Section 2

Interpretation


(a)

to manifest approval of a certificate, while knowing or having notice of its contents; or


(b)

to apply to a licensed certification authority for a certificate, without revoking the application by delivering notice of the revocation to the licensed certification authority, and obtaining a signed, written receipt from the licensed certification authority, if the licensed certification authority subsequently issues a certificate based on the application;


“asymmetric cryptosystem” means an algorithm or series of algorithms which provide a secure key pair;

“authorized officer” means an officer authorized under section 75;

“certificate” means a computer-based record which—


(a)

identifies the certification authority issuing it;


(d)

is digitally signed by the certification authority issuing it;

“certification authority” means a person who issues a certificate;

“certification authority disclosure record” means an on-line and publicly accessible record which concerns a licensed certification authority which is kept by the Commission under subsection 3(5);

“certification practice statement” means a declaration of the practices which a certification authority employs in issuing certificates generally, or employed in issuing a particular certificate;

“certify” means to declare with reference to a certificate, with ample opportunity to reflect, and with a duty to apprise oneself of all material facts;

*“Commission” means the Malaysian Communications and Multimedia Commission established under the Malaysian Communications and Multimedia Commission Act 1998 [Act 589];

“confirm” means to ascertain through diligent inquiry and investigation;

“correspond”, with reference to keys, means to belong to the same key pair;

*NOTE—Upon the commencement of Act A1121, previous references to the Controller of Certification Authorities (“Controller”) or any officer and servant appointed by the Controller, shall be construed as references to the Commission or its authorized officer—see section 19 of Act A1121.


“digital signature” means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine—


(a)

whether the transformation was created using the private key that corresponds to the signer’s public key; and


(b)

whether the message has been altered since the transformation was made;

“forge a digital signature” means—


(a)

to create a digital signature without the authorization of the rightful holder of the private key; or


(b)

to create a digital signature verifiable by a certificate listing as subscriber a person who either does not exist or does not hold the private key corresponding to the public key listed in the certificate;

“hold a private key” means to be able to utilize a private key;

“incorporate by reference” means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated;

“issue a certificate” means the act of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate;

“key pair” means a private key and its corresponding public key in an asymmetric cryptosystem, where the public key can verify a digital signature that the private key creates;

“licensed certification authority” means a certification authority to whom a licence has been issued by the Commission and whose licence is in effect;

“message” means a digital representation of information;

“notify” means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person;


“person” means a natural person or a body of persons, corporate or unincorporate, capable of signing a document, either legally or as a matter of fact;

“prescribed” means prescribed by or under this Act or any regulations made under this Act;

“private key” means the key of a key pair used to create a digital signature;

“public key” means the key of a key pair used to verify a digital signature;

“publish” means to record or file in a repository;

“qualified certification authority” means a certification authority that satisfies the requirements under section 5;

“recipient” means a person who receives or has a digital signature and is in a position to rely on it;

“recognized date/time stamp service” means a date/time stamp service recognized by the Commission under section 70;

“recognized repository” means a repository recognized by the Commission under section 68;

“recommended reliance limit” means the monetary amount recommended for reliance on a certificate under section 60;

“repository” means a system for storing and retrieving certificates and other information relevant to digital signatures;

“revoke a certificate” means to make a certificate ineffective permanently from a specified time forward;

“rightfully hold a private key” means to be able to utilize a private key—


(a)

which the holder or the holder’s agents have not disclosed to any person in contravention of this Act; and


(b)

which the holder has not obtained through theft, deceit, eavesdropping or other unlawful means;


“subscriber” means a person who—


(c)

holds a private key which corresponds to a public key listed in that certificate;

“suspend a certificate” means to make a certificate ineffective temporarily for a specified time forward;

“this Act” includes any regulations made under this Act;

“time-stamp” means—


(a)

to append or attach to a message, digital signature or certificate a digitally signed notation indicating at least the date, time and identity of the person appending or attaching the notation; or


(b)

the notation so appended or attached;

“transactional certificate” means a certificate, incorporating by reference one or more digital signatures, issued and valid for a specific transaction;

“trustworthy system” means computer hardware and software which—


(a)

are reasonably secure from intrusion and misuse;


(b)

provide a reasonable level of availability, reliability and correct operation; and


(c)

are reasonably suited to performing their intended functions;

“valid certificate” means a certificate which—


(b)

has been accepted by the subscriber listed in it;


(d)

has not expired:

Provided that a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference;


“verify a digital signature” means, in relation to a given digital signature, message and public key, to determine accurately that—


(a)

the digital signature was created by the private key corresponding to the public key; and


(b)

the message has not been altered since its digital signature was created;

“writing” or “written” includes any handwriting, typewriting, printing, electronic storage or transmission or any other method of recording information or fixing information in a form capable of being preserved.


(2)

For the purposes of this Act, a certificate shall be revoked by making a notation to that effect on the certificate or by including the certificate in a set of revoked certificates.


(3)

The revocation of a certificate does not mean that it is destroyed or made illegible.


PART II

THE COMMISSION AND THE LICENSING OF CERTIFICATION AUTHORITIES

Appointment of Commission

Section 3


(4)

The Commission and its employees shall exercise their powers under this Act subject to such directions as to general policy and orders as may be given or made by the Minister.


(5)

The Commission shall maintain a publicly accessible data base containing a certification authority disclosure record for each licensed certification authority which shall contain all the particulars required under the regulations made under this Act.


(6)

The Commission shall publish the contents of the data base in at least one recognized repository.

Certification authorities to be licensed


Section 4


(2)

A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five thousand ringgit for each day the offence continues to be committed.


(3)

The Minister may, on an application in writing being made in accordance with this Act, exempt—

(a)

a person operating as a certification authority within an organization where certificates and key pairs are issued to members of the organization for internal use only; and


(b)

such other person or class of persons as the Minister considers fit,

from the requirements of this section.


(4)

The Minister may delegate his powers under subsection (3) to the Commission and such powers may be exercised by the Commission in the name and on behalf of the Minister.


(5)

A delegation under subsection (4) shall not preclude the Minister himself from exercising at any time the powers so delegated.


(6)

The liability limits specified in Chapter 8 of Part IV shall not apply to an exempted certification authority and Part V shall not apply in relation to a digital signature verified by a certificate issued by an exempted certification authority.


Qualifications of certification authorities


Section 5


(2)

The Minister may at any time vary or amend the qualification requirements prescribed under subsection (1) provided that any such variation or amendment shall not be applied to a certification authority holding a valid licence under this Act until the expiry of that licence.

Functions of licensed certification authorities


Section 6


(2)

The licensed certification authority shall, before issuing any certificate under this Act, take all reasonable measures to check for proper identification of the subscriber to be listed in the certificate.


(3)

The licensed certification authority shall, on the issuance of any certificate under this Act, cause the application for the certificate to be certified by a notary public duly appointed under the Notaries Public Act 1959 [Act 115].

Application for licence


Section 7


(2)

Every application under subsection (1) shall be accompanied by such documents or information as may be prescribed and the Commission may, orally or in writing at any time after receiving the application and before it is determined, require the applicant to provide such additional documents or information as may be considered necessary by the Commission for the purposes of determining the suitability of the applicant for the licence.


(3)

Where any additional document or information required under subsection (2) is not provided by the applicant within the time specified in the requirement or any extension thereof granted by the Commission, the application shall be deemed to be withdrawn and shall not be further proceeded with, without prejudice to a fresh application being made by the applicant.

Grant or refusal of licence


Section 8


(2)

Every licence granted under subsection (1) shall set out the duration of the licence and the licence number.


(3)

The terms and conditions imposed under the licence may at any time be varied or amended by the Commission provided that the licensee is given a reasonable opportunity of being heard.


(4)

Where the Commission refuses to grant a licence, it shall immediately notify the applicant in writing of its refusal.

Revocation of licence


Section 9


(a)

the licensed certification authority has failed to comply with any obligation imposed upon it by or under this Act;


(b)

the licensed certification authority has contravened any condition imposed under the licence, any provision of this Act or any other written law, regardless that there has been no prosecution for an offence in respect of such contravention;


(c)

the licensed certification authority has, either in connection with the application for the licence or at any time after the grant of the licence, provided the Commission with false, misleading or inaccurate information or a document or declaration made by or on behalf of the licensed certification authority or by or on behalf of any person who is or is to be a director, controller or manager of the licensed certification authority which is false, misleading or inaccurate;


(d)

the licensed certification authority is carrying on its business in a manner which is prejudicial to the interest of the public or to the national economy;


(e)

the licensed certification authority has insufficient assets to meet its liabilities;


(f)

a winding up order has been made against the licensed certification authority or a resolution for its voluntary winding up has been passed;


(g)

the licensed certification authority or any of its officers holding a managerial or an executive position has been convicted of any offence involving dishonesty, fraud or moral turpitude;


(h)

the licensed certification authority or its director, controller or manager has been convicted of any offence under this Act; or


(i)

the licensed certification authority has ceased to be a qualified certification authority.


(2)

Before revoking a licence, the Commission shall give the licensed certification authority a notice in writing of its intention to do so and require the licensed certification authority to show cause within a period specified in the notice as to why the licence should not be revoked.


(3)

Where the Commission decides to revoke the licence, it shall immediately inform the certification authority concerned of its decision by a notice in writing.


(4)

The revocation of a licence shall take effect—

(a)

where there is no appeal against such revocation, on the expiration of fourteen days from the date on which the notice of revocation is served on the licensed certification authority; or


(b)

where there is an appeal against such revocation, when the revocation is confirmed by the Minister.


(5)

Where an appeal has been made against the revocation of a licence, the certification authority whose licence has been so revoked shall not issue any certificates until the appeal has been disposed of and the revocation has been set aside by the Minister but nothing in this subsection shall prevent the certification authority from fulfilling its other obligations to its subscribers during such period.


(6)

A person who contravenes subsection (5) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both.


(7)

Where the revocation of a licence has taken effect, the Commission shall, as soon as practicable, cause such revocation to be published in the certification authority disclosure record that it maintains for the certification authority concerned and advertised in at least one national language and one English language national daily newspaper for at least three consecutive days.


(8)

Any delay or failure in publishing or advertising such notice of revocation shall not in any manner affect the validity of the revocation.

Appeal


Section 10


(a)

the refusal of the Commission to license any certification authority under section 8 or to renew any such licence under section 17; or


(b)

the revocation of any licence under section 9,

may appeal in writing to the Minister within fourteen days from the date on which the notice of refusal or revocation is served on that person.


(2)

The decision of the Minister under this section shall be final and conclusive.

Surrender of licence


Section 11


(2)

The surrender shall take effect on the date the Commission receives the licence and the notice under subsection (1), or where a later date is specified in the notice, on that date.


(3)

The licensed certification authority shall, not later than fourteen days after the date referred to in subsection (2), cause such surrender to be published in the certification authority disclosure record of the certification authority concerned and advertised in at least one national language and one English language national daily newspaper for at least three consecutive days.

Effect of revocation, surrender or expiry of licence


Section 12


(2)

Notwithstanding subsection (1), the Minister may, on the recommendation of the Commission, authorize the licensed certification authority in writing to carry on its business for such duration as the Minister may specify in the authorization for the purpose of winding up its affairs.


(3)

Notwithstanding subsection (1), a licensed certification authority whose licence has expired shall be entitled to carry on its business as if its licence had not expired upon proof being submitted to the Commission that the licensed certification authority has applied for a renewal of the licence and that such application is pending determination.


(4)

A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five thousand ringgit for each day the offence continues to be committed.


(5)

Without prejudice to the Commission’s powers under section 33, the revocation of a licence under section 9 or its surrender under section 11 or its expiry shall not affect the validity or effect of any certificate issued by the certification authority concerned before such revocation, surrender or expiry.


(6)

For the purposes of subsection (5), the Commission shall appoint another licensed certification authority to take over the certificates issued by the certification authority whose licence has been revoked or surrendered or has expired and such certificates shall, to the extent that they comply with the requirements of the appointed licensed certification authority, be deemed to have been issued by that licensed certification authority.


(7)

Nothing in subsection (6) shall preclude the appointed licensed certification authority from requiring the subscriber to comply with its requirements in relation to the issuance of certificates or from issuing a new certificate to the subscriber for the unexpired period of the original certificate provided that any additional fees or charges to be imposed shall only be imposed with the prior written approval of the Commission.


(8)

Where the Commission has appointed a licensed certification authority to take over the certificates of a certification authority under subsection (6), the certification authority shall pay to the appointed licensed certification authority such part of the prescribed fee paid by the subscribers to it as the Commission may determine.

Effect of lack of licence


Section 13


(2)

Part V shall not apply in relation to a digital signature which cannot be verified by a certificate issued by a licensed certification authority.


(3)

In any other case, unless the parties expressly provide otherwise by contract between themselves, the licensing requirements under this Act shall not affect the effectiveness, enforceability or validity of any digital signature.

Return of licence


Section 14


(2)

A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five thousand ringgit for each day the offence continues to be committed, and the court shall retain the licence and forward it to the Commission.

Restricted licence


Section 15


(b)

cumulative maximum of recommended reliance limits in certificates issued by the licensed certification authority; and


(c)

issuance only within a single firm or organization.


(2)

The Commission may issue licences restricted according to the limits of each classification.


(3)

A licensed certification authority that issues a certificate exceeding the restrictions of its licence commits an offence.


(4)

Where a licensed certification authority issues a certificate exceeding the restrictions of its licence, the liability limits specified in Chapter 8 of Part IV shall not apply to the licensed certification authority in relation to that certificate.


(5)

Nothing in subsection (3) or (4) shall affect the validity or effect of the issued certificate.

Restriction on use of expression “certification authority”


Section 16


Except with the written consent of the Commission, no person, not being a licensed certification authority, shall assume or use the expressions “certification authority” or “licensed certification authority”, as the case may be, or any derivative of these expressions in any language, or any other words in any language capable of being construed as indicating the carrying on or operation of such business, in relation to the business or any part of the business carried on by such person, or make any representation to such effect in any bill head, letter, paper, notice, advertisement or in any other manner.

Section 17

Renewal of licence


(2)

The prescribed fee shall be payable upon approval of the application.


(3)

If any licensed certification authority has no intention of renewing its licence, the licensed certification authority shall, at least thirty days before the expiry of the licence, publish such intention in the certification authority disclosure record of the certification authority concerned and advertise such intention in at least one national language and one English language national daily newspaper for at least three consecutive days.


(4)

Without prejudice to any other grounds, the Commission may refuse to renew a licence where the requirements of subsection


Section 18


(2)

The licensed certification authority shall, as soon as practicable, submit an application for a replacement licence accompanied by all such information and documents as may be required by the Commission together with the prescribed fee.


Recognition of other licences


Section 19


(2)

Where a licence or other authorization of a governmental entity is recognized under subsection (1),—

(a)

the recommended reliance limit, if any, specified in a certificate issued by the certification authority licensed or otherwise authorized by the governmental entity shall have effect in the same manner as a recommended reliance limit specified in a certificate issued by a licensed certification authority of Malaysia; and


(b)

Part V shall apply to the certificates issued by the certification authority licensed or otherwise authorized by the governmental entity in the same manner as it applies to a certificate issued by a licensed certification authority of Malaysia.

Performance audit

*20. (1) The operations of a licensed certification authority shall be audited at least once a year to evaluate its compliance with this Act.


(2)

The audit shall be carried out by a certified public accountant having expertise in computer security or by an accredited computer security professional.


(3)

The qualifications of the auditors and the procedure for an audit shall be as may be prescribed by regulations made under this Act.


(4)

The Commission shall publish in the certification authority disclosure record that it maintains for the licensed certification authority concerned the date and result of the audit.

*NOTE—The Central Bank of Malaysia is exempted from the requirements of this section for the purpose of implementing the Real-Time Electronic Transfer of Funds and Securities System or also known as “RENTAS”—see P.U. (A) 300/1999.


Exemption from performance audit


Section 21


(a)

the licensed certification authority requests in writing for exemption;


(b)

the most recent performance audit, if any, of the licensed certification authority resulted in a finding of full or substantial compliance with this Act; and


(c)

the licensed certification authority declares under oath or affirmation that one or more of the following is true with respect to the licensed certification authority:


(i)

the licensed certification authority has issued fewer than six certificates during the past year and the total of the recommended reliance limits of all such certificates does not exceed twenty-five thousand ringgit;

(ii)

the aggregate lifetime of all certificates issued by the licensed certification authority during the past year is less than thirty days and the total of the recommended reliance limits of all such certificates does not exceed twenty-five thousand ringgit;


(iii)

the recommended reliance limits of all certificates outstanding and issued by the licensed certification authority total less than two thousand five hundred ringgit.


(2)

Where the licensed certification authority’s declaration under paragraph (1)(c) falsely states a material fact, the licensed certification authority shall be deemed to have failed to comply with the performance audit requirement under section 20.


(3)

Where a licensed certification authority is exempted under subsection (1), the Commission shall publish in the certification authority disclosure record that it maintains for the licensed certification authority concerned a statement that the licensed certification authority is exempted from the performance audit requirement under section 20.


PART III

REQUIREMENTS OF LICENSED CERTIFICATION AUTHORITIES

Activities of licensed certification authorities

Section 22


(2)

A licensed certification authority shall carry on its activities in accordance with this Act and any regulations made under this Act.

Requirement to display licence


Section 23


A licensed certification authority shall at all times display its licence in a conspicuous place at its place of business.

Requirement to submit information and particulars relating to business operations

*24. (1) A licensed certification authority shall submit to the Commission such information and particulars including financial statements, audited balance sheets and profit and loss accounts relating to its entire business operations as may be required by the Commission within such time as it may determine.

(2)

A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding two thousand ringgit for each day the offence continues to be committed.

Notification of change of information

*25. (1) Every licensed certification authority shall, before making any amendment or alteration to any of its constituent documents, or before any change in its director or chief executive officer, furnish the Commission particulars in writing of any such proposed amendment, alteration or change.

*NOTE—The Central Bank of Malaysia is exempted from the requirements of this section for the purpose of implementing the Real-Time Electronic Transfer of Funds and Securities System or also known as “RENTAS”—see P.U. (A) 300/1999.


(2)

Every licensed certification authority shall immediately notify the Commission of any amendment or alteration to any information or document which has been furnished to the Commission in connection with the licence.

Requirements as to advertisement

26. A licensed certification authority shall not publish, whether in a newspaper, brochure or otherwise, any advertisement or information relating to or in connection with the business of a certification authority without including—

(b)

the business name under which it carries on business and the address at which such business is carried on; and


(c)

any other particulars relating to any services offered as the Commission considers necessary.


PART IV

DUTIES OF LICENSED CERTIFICATION AUTHORITIES AND SUBSCRIBERS

CHAPTER 1

General requirements for licensed certification authorities


Use of trustworthy systems

Section 27


(b)

to publish or give notice of the issuance, suspension or revocation of a certificate; and


(c)

to create a private key, whether for itself or for a subscriber.


(2)

A subscriber shall only use a trustworthy system to create a private key.


Disclosures on inquiry


Section 28


(2)

A licensed certification authority may require a signed, written and reasonably specific inquiry from an identified person, and payment of the prescribed fee, as conditions precedent to effecting a disclosure required under subsection (1).

Prerequisites to issuance of certificate to subscriber


Section 29


(a)

the licensed certification authority has received a request for issuance signed by the prospective subscriber; and


(b)

the licensed certification authority has confirmed that—


(i)

the prospective subscriber is the person to be listed in the certificate to be issued;

(ii)

if the prospective subscriber is acting through one or more agents, the subscriber duly authorized the agent or agents to have custody of the subscriber’s private key and to request issuance of a certificate listing the corresponding public key;


(iii)

the information in the certificate to be issued is accurate;


(iv)

the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;


(v)

the prospective subscriber holds a private key capable of creating a digital signature; and

(vi)

the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.


(2)

The requirements of subsection (1) shall not be waived or disclaimed by the licensed certification authority, the subscriber, or both.


Publication of issued and accepted certificate


Section 30


(2)

Where the subscriber does not accept the certificate, a licensed certification authority shall not publish it, or shall cancel its publication if the certificate has already been published.

Adoption of more rigorous requirements permitted


Section 31


Nothing in sections 29 and 30 shall preclude a licensed certification authority from conforming to standards, certification practice statements, security plans or contractual requirements more rigorous than, but nevertheless consistent with, this Act.

Section 32

Suspension or revocation of certificate for faulty issuance


(2)

A licensed certification authority may suspend a certificate which it has issued for a reasonable period not exceeding forty-eight hours as may be necessary for an investigation to be carried out to confirm the grounds for a revocation under subsection (1).


(3)

The licensed certification authority shall immediately notify the subscriber of a revocation or suspension under this section.

Suspension or revocation of certificate by order


Section 33


(a)

the certificate was issued without compliance with sections 29 and 30; and


(b)

the non-compliance poses a significant risk to persons reasonably relying on the certificate.


(2)

Before making a determination under subsection (1), the Commission shall give the licensed certification authority and the subscriber a reasonable opportunity of being heard.

(3)

Notwithstanding subsections (1) and (2), where in the opinion of the Commission there exists an emergency that requires an immediate remedy, the Commission may, after consultation with the Minister, suspend a certificate for a period not exceeding forty-eight hours.


CHAPTER 2

Warranties and obligations of licensed certification authorities


Warranties to subscriber

Section 34


(a)

the certificate contains no information known to the licensed certification authority to be false;


(b)

the certificate satisfies all the requirements of this Act; and

(c)

the licensed certification authority has not exceeded any limits of its licence in issuing the certificate.


(2)

A licensed certification authority shall not disclaim or limit the warranties under subsection (1).

Continuing obligations to subscriber


Section 35


Unless the subscriber and licensed certification authority otherwise agree, a licensed certification authority, by issuing a certificate, promises to the subscriber—

(a)

to act promptly to suspend or revoke a certificate in accordance with Chapter 5 or 6; and


(b)

to notify the subscriber within a reasonable time of any facts known to the licensed certification authority which significantly affect the validity or reliability of the certificate once it is issued.


Representations upon issuance


Section 36


By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the information contained in the certificate that—

(a)

the information in the certificate and listed as confirmed by the licensed certification authority is accurate;


(b)

all information foreseeably material to the reliability of the certificate is stated or incorporated by reference within the certificate;


(c)

the subscriber has accepted the certificate; and


(d)

the licensed certification authority has complied with all applicable laws governing the issuance of the certificate.

Representations upon publication


Section 37


By publishing a certificate, a licensed certification authority certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the licensed certification authority has issued the certificate to the subscriber.


CHAPTER 3

Representations and duties upon acceptance of certificate


Implied representations by subscriber

Section 38


By accepting a certificate issued by a licensed certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that—

(a)

the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;


(b)

all representations made by the subscriber to the licensed certification authority and material to information listed in the certificate are true; and


(c)

all material representations made by the subscriber to a licensed certification authority or made in the certificate and not confirmed by the licensed certification authority in issuing the certificate are true.

Representations by agent of subscriber


Section 39


By requesting on behalf of a principal the issuance of a certificate naming the principal as subscriber, the requesting person certifies in that person’s own right to all who reasonably rely on the information contained in the certificate that the requesting person—

(a)

holds all authority legally required to apply for issuance of a certificate naming the principal as subscriber; and


(b)

has authority to sign digitally on behalf of the principal, and, if that authority is limited in any way, adequate safeguards exist to prevent a digital signature exceeding the bounds of the person’s authority.

Disclaimer or indemnity limited


Section 40


No person may disclaim or contractually limit the application of this Chapter, nor obtain indemnity for its effects, if the disclaimer, limitation or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.

Section 41

Indemnification of licensed certification authority by subscriber


(a)

a false and material representation of fact by the subscriber; or

(b)

the failure by the subscriber to disclose a material fact,

if the representation or failure to disclose was made either with intent to deceive the licensed certification authority or a person relying on the certificate, or with negligence.

(2)

Where the licensed certification authority issued the certificate at the request of one or more agents of the subscriber, the agent or agents personally undertake to indemnify the licensed certification authority under this section, as if they were accepting subscribers in their own right.


(3)

The indemnity provided in this section shall not be disclaimed or contractually limited in scope.

Certification of accuracy of information given


Section 42


In obtaining information of the subscriber material to the issuance of a certificate, the licensed certification authority may require the subscriber to certify the accuracy of relevant information under oath or affirmation.


CHAPTER 4

Control of private key


Duty of subscriber to keep private key secure

Section 43


By accepting a certificate issued by a licensed certification authority, the subscriber named in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber’s digital signature.

Section 44

Property in private key


A private key is the personal property of the subscriber who rightfully holds it.

Section 45

Licensed certification authority to be fiduciary if holding subscriber’s private key


Where a licensed certification authority holds the private key corresponding to a public key listed in a certificate which it has issued, the licensed certification authority shall hold the private key as a fiduciary of the subscriber named in the certificate, and may use that private key only with the subscriber’s prior written approval, unless the subscriber expressly and in writing grants the private key to the licensed certification authority and expressly and in writing permits the licensed certification authority to hold the private key according to other terms.

CHAPTER 5

Suspension of certificate


Suspension of certificate by issuing licensed certification authority

Section 46


(a)

upon request by a person identifying himself as the subscriber named in the certificate, or as a person in a position likely to know of a compromise of the security of a subscriber’s private key, such as an agent, business associate, employee or member of the immediate family of the subscriber; or


(2)

The licensed certification authority shall take reasonable measures to check the identity or agency of the person requesting suspension.

Suspension of certificate by Commission or court


Section 47


(a)

a person identifying himself as the subscriber named in the certificate or as an agent, business associate, employee or member of the immediate family of the subscriber requests suspension; and


(b)

the requester represents that the licensed certification authority which issued the certificate is unavailable.


(2)

The Commission or court may require the person requesting suspension to provide evidence, including a statement under oath or affirmation regarding his identity and authorization, and the unavailability of the issuing licensed certification authority, and may decline to suspend the certificate in its discretion.


(3)

The Commission or other law enforcement agency may investigate suspensions by the Commission or court for possible wrongdoing by persons requesting suspension.

Notice of suspension


Section 48


(2)

Where one or more repositories are specified, the licensed certification authority shall publish signed notices of the suspension in all such repositories.


(3)

Where any repository specified no longer exists or refuses to accept publication, or if no such repository is recognized under section 68, the licensed certification authority shall also publish the notice in a recognized repository.


(4)

Where a certificate is suspended by the Commission or a court, the Commission or court shall give notice as required in this section for a licensed certification authority provided that the person requesting suspension pays in advance any prescribed fee required by a repository for publication of the notice of suspension.

Termination of suspension initiated by request


Section 49


A licensed certification authority shall terminate a suspension initiated by request—

(a)

where the subscriber named in the suspended certificate requests termination of the suspension, only if the licensed certification authority has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorized to terminate the suspension; or


(b)

where the licensed certification authority discovers and confirms that the request for the suspension was made without authorization by the subscriber.

Alternate contractual procedures


Section 50


(2)

Where the contract limits or precludes suspension by the Commission or a court when the issuing licensed certification authority is unavailable, the limitation or preclusion shall be effective only if notice of it is published in the certificate.

Prohibition against false or unauthorized request for suspension of certificate


Section 51


No person shall knowingly or intentionally misrepresent to a licensed certification authority his identity or authorization in requesting suspension of a certificate.

Section 52

Effect of suspension of certificate


Nothing in this Chapter shall release the subscriber from the duty under section 43 to keep the private key secure while a certificate is suspended.


CHAPTER 6

Section 53


(a)

upon receiving a request for revocation by the subscriber named in the certificate; and


(b)

upon confirming that the person requesting revocation is that subscriber or is an agent of that subscriber with authority to request the revocation.


(2)

A licensed certification authority shall confirm a request for revocation and revoke a certificate within one business day after receiving both a subscriber’s written request and evidence reasonably sufficient to confirm the identity of the person requesting the revocation or of the agent.

Revocation on subscriber’s death or dissolution


Section 54


(a)

upon receiving a certified copy of the subscriber’s death certificate or upon confirming by other evidence that the subscriber is dead; or


(b)

upon presentation of documents effecting a dissolution of the subscriber or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist.

Revocation of unreliable certificates


Section 55


(2)

Nothing in subsection (1) shall prevent the subscriber from seeking damages or other relief against the licensed certification authority in the event of wrongful revocation.

Notice of revocation


Section 56


(2)

Where one or more repositories are specified, the licensed certification authority shall publish signed notices of the revocation in all such repositories.


(3)

Where any repository specified no longer exists or refuses to accept publication, or if no such repository is recognized under section 68, the licensed certification authority shall also publish the notice in a recognized repository.

Effect of revocation request on subscriber


Section 57


Where a subscriber has requested for the revocation of a certificate, the subscriber ceases to certify as provided in Chapter 3 and has no further duty to keep the private key secure as required under section 43—

(a)

when notice of the revocation is published as required under section 56; or


(b)

when two business days have lapsed after the subscriber requests for the revocation in writing, supplies to the issuing licensed certification authority information reasonably sufficient to confirm the request, and pays any prescribed fee,

whichever occurs first.

Effect of notification on licensed certification authority


Section 58


Upon notification as required under section 56, a licensed certification authority shall be discharged of its warranties based on issuance of the revoked certificate and ceases to certify as provided in sections 35 and 36 in relation to the revoked certificate.


CHAPTER 7

Expiration of certificate

Section 59


(2)

A certificate may be issued for any period not exceeding three years from the date of issuance.


(3)

When a certificate expires, the subscriber and licensed certification authority shall cease to certify as provided under this Act and the licensed certification authority shall be discharged of its duties based on issuance in relation to the expired certificate.

(4)

The expiry of a certificate shall not affect the duties and obligations of the subscriber and licensed certification authority incurred under and in relation to the expired certificate.


CHAPTER 8

Recommended reliance limits and liability


Recommended reliance limit

*60. (1) A licensed certification authority shall, in issuing a certificate to a subscriber, specify a recommended reliance limit in the certificate.

(2)

The licensed certification authority may specify different limits in different certificates as it considers fit.

*NOTE—The Central Bank of Malaysia is exempted from the requirements of this section for the purpose of implementing the Real-Time Electronic Transfer of Funds and Securities System or also known as “RENTAS”–see P.U. (A) 300/1999.

Liability limits for licensed certification authorities

Section 61

Unless a licensed certification authority waives the application of this section, a licensed certification authority—

(a)

shall not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the licensed certification authority complied with the requirements of this Act;

(b)

shall not be liable in excess of the amount specified in the certificate as its recommended reliance limit for either—

(i)

a loss caused by reliance on a misrepresentation in the certificate of any fact that the licensed certification authority is required to confirm; or

(ii)

failure to comply with sections 29 and 30 in issuing the certificate; and


PART V

EFFECT OF DIGITAL SIGNATURE


Satisfaction of signature requirements

Section 62


(a)

that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;


(b)

that digital signature was affixed by the signer with the intention of signing the message; and


(c)

the recipient has no knowledge or notice that the signer—


(i)

has breached a duty as a subscriber; or

(ii)

does not rightfully hold the private key used to affix the digital signature.


(2)

Notwithstanding any written law to the contrary—

(a)

a document signed with a digital signature in accordance with this Act shall be as legally binding as a document signed with a handwritten signature, an affixed thumb-print or any other mark; and


(b)

a digital signature created in accordance with this Act shall be deemed to be a legally binding signature.


(3)

Nothing in this Act shall preclude any symbol from being valid as a signature under any other applicable law.

Unreliable digital signatures


Section 63


(2)

Where the recipient determines not to rely on a digital signature under this section, the recipient shall promptly notify the signer of its determination not to rely on a digital signature and the grounds for that determination.

Digitally signed message deemed to be written document


Section 64


(a)

it bears in its entirety a digital signature; and


(b)

that digital signature is verified by the public key listed in a certificate which—


(i)

was issued by a licensed certification authority; and

(ii)

was valid at the time the digital signature was created.


(2)

Nothing in this Act shall preclude any message, document, or record from being considered written or in writing under any other applicable law.

Digitally signed message deemed to be original document


Section 65


A copy of a digitally signed message shall be as valid, enforceable and effective as the original of the message unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, enforceable and effective message.

Section 66

Authentication of digital signatures


A certificate issued by a licensed certification authority shall be an acknowledgement of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgement appear with the digital signature and regardless of whether the signer physically appeared before the licensed certification authority when the digital signature was created, if that digital signature is—

(b)

affixed when that certificate was valid.


Presumptions in adjudicating disputes


Section 67

In adjudicating a dispute involving a digital signature, a court shall presume—


(a)

that a certificate digitally signed by a licensed certification authority and—


(i)

published in a recognized repository; or

(ii)

made available by the issuing licensed certification authority or by the subscriber listed in the certificate,

is issued by the licensed certification authority which digitally signed it and is accepted by the subscriber listed in it;

(b)

that the information listed in a valid certificate and confirmed by a licensed certification authority issuing the certificate is accurate;


(c)

that where a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority—


(i)

that digital signature is the digital signature of the subscriber listed in that certificate;

(ii)

that digital signature was affixed by that subscriber with the intention of signing the message; and


(iii)

the recipient of that digital signature has no knowledge or notice that the signer—


(B)

does not rightfully hold the private key used to affix the digital signature; and


(d)

that a digital signature was created before it was time-stamped by a recognized date/time stamp service utilizing a trustworthy system.


PART VI

REPOSITORIES AND DATE/TIME STAMP SERVICES


Recognition of repositories

Section 68


(2)

The procedure for recognition of repositories shall be as may be prescribed by regulations made under this Act.


(3)

The Commission shall publish a list of recognized repositories in such form and manner as it may determine.

Liability of repositories


Section 69


(2)

Unless waived, a recognized repository or the owner or operator of a recognized repository—

(a)

shall not be liable for failure to record publication of a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;


(b)

shall not be liable under subsection (1) in excess of the amount specified in the certificate as the recommended reliance limit;


(c)

shall not be liable under subsection (1) for—


(d)

shall not be liable for misrepresentation in a certificate published by a certification authority;


(e)

shall not be liable for accurately recording or reporting information which a licensed certification authority, a court or the Commission has published as required or permitted under this Act, including information about the suspension or revocation of a certificate; and


(f)

shall not be liable for reporting information about a certification authority, a certificate or a subscriber, if such information is published as required or permitted under this Act or is published by order of the Commission in the performance of its licensing and regulatory duties under this Act.

Recognition of date/time stamp services


Section 70


(2)

The procedure for recognition of date/time stamp services shall be as may be prescribed by regulations made under this Act.


(3)

The Commission shall publish a list of recognized date/time stamp services in such form and manner as it may determine.


PART VII

Section 71


(2)

The Commission may publish in one or more recognized repositories brief statements advising subscribers, persons relying on digital signatures and repositories about any activities of a certification authority, whether licensed or not, which create a risk prohibited under subsection (1).


(3)

The certification authority named in a statement as creating or causing a risk may protest the publication of the statement by filing a brief written defence.


(4)

On receipt of a protest made under subsection (3), the Commission shall publish the written defence together with the Commission’s statement, and shall immediately give the protesting certification authority notice and a reasonable opportunity of being heard.

(5)

Where, after a hearing, the Commission determines that the publication of the advisory statement was unwarranted, the Commission shall revoke the advisory statement.

(6)

Where, after a hearing, the Commission determines that the advisory statement is no longer warranted, the Commission shall revoke the advisory statement.


(7)

Where, after a hearing, the Commission determines that the advisory statement remains warranted, the Commission may continue or amend the advisory statement and may take further legal action to eliminate or reduce the risk prohibited under subsection (1).


(8)

The Commission shall publish its decision under subsection (5), (6) or (7), as the case may be, in one or more recognized repositories.

Obligation of secrecy


Section 72


(2)

A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

False information


Section 73


A person who makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this Act which is untrue, inaccurate or misleading in any particular commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both.


Section 74

Offences by body corporate


(a)

may be charged severally or jointly in the same proceedings with the body corporate; and


(b)

where the body corporate is found guilty of the offence, shall be deemed to be guilty of that offence unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves—


(i)

that the offence was committed without his knowledge, consent or connivance; and

(ii)

that he took all reasonable precautions and had exercised due diligence to prevent the commission of the offence.


(2)

Where any person would be liable under this Act to any punishment or penalty for any act, omission, neglect or default, he shall be liable to the same punishment or penalty for every such act, omission, neglect or default of any employee or agent of his, or of the employee of such agent, if such act, omission, neglect or default was committed—

(a)

by his employee in the course of his employment;


(c)

by the employee of such agent in the course of his employment by such agent or otherwise on behalf of the agent.

Authorized officer

Section 75

(2)

Any officer authorized under subsection (1) shall be deemed to be a public servant within the meaning of the Penal Code [Act 574].

(3)

In exercising any of the powers of enforcement under this Act, an authorized officer shall on demand produce to the person against whom he is acting the authority issued to him by the Minister.

Enforcement by police officers

Section 75A

(2)

In exercising any of the powers of enforcement conferred under this Act on a police officer not below the rank of Inspector, such police officer shall, if not in uniform, on demand declare his office and produce to the person against whom he is acting the authority card as the Inspector General of Police may direct to be carried by such police officer.

Power to investigate

Section 76

(2)

For the purposes of subsection (1), the Commission may issue orders to a certification authority to further its investigation and secure compliance with this Act.

(3)

Further, in any case relating to the commission of an offence under this Act, any authorized officer carrying on an investigation may exercise all or any of the special powers in relation to police investigation in seizable cases given by the Criminal Procedure Code [Act 593].

Search by warrant

Section 77

(a)

copies of any books, accounts or other documents, including computerized data, which contain or are reasonably suspected to contain information as to any offence so suspected to have been committed;

(b)

any signboard, card, letter, pamphlet, leaflet, notice or other device representing or implying that the person is a licensed certification authority; and

(c)

any other document, article or item that is reasonably believed to furnish evidence of the commission of such offence.

(2)

A police officer or an authorized officer conducting a search under subsection (1) may, if in his opinion it is reasonably necessary to do so for the purpose of investigating into the offence, search any person who is in or on such premises.

(3)

A police officer or an authorized officer making a search of a person under subsection (2) may seize, detain or take possession of any book, accounts, document, computerized data, card, letter, pamphlet, leaflet, notice, device, article or item found on such person for the purpose of the investigation being carried out by such officer.

(4)

No female person shall be searched under this section except by another female person.

(5)

Where, by reason of its nature, size or amount, it is not practicable to remove any book, accounts, document, computerized data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item seized under this section, the seizing officer shall, by any means, seal such book, accounts, document, computerized data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item in the premises or container in which it is found.

(6)

A person who, without lawful authority, breaks, tampers with or damages the seal referred to in subsection (5) or removes any book, accounts, document, computerized data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item under seal or attempts to do so commits an offence.

Search and seizure without warrant

Section 78

If a police officer not below the rank of Inspector in any of the circumstances referred to in section 77 has reasonable cause to believe that by reason of delay in obtaining a search warrant under that section the investigation would be adversely affected or evidence of the commission of an offence is likely to be tampered with, removed, damaged or destroyed, such officer may enter such premises and exercise in, upon and in respect of the premises all the powers referred to in section 77 in as full and ample a manner as if he were authorized to do so by a warrant issued under that section.

Section 79

Access to computerized data

(2)

For the purposes of this section, “access” includes being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data.

List of things seized

Section 80

(2)

Where the premises are unoccupied, the seizing officer shall whenever possible post a list of the things seized conspicuously on the premises.

Obstruction of authorized officer

Section 81

Any person who obstructs, impedes, assaults or interferes with any authorized officer in the performance of his functions under this Act commits an offence.

Section 82

Additional powers

An authorized officer shall, for the purposes of the execution of this Act, have power to do all or any of the following:

(a)

to require the production of records, accounts, computerized data and documents kept by a licensed certification authority and to inspect, examine and copy any of them;

(b)

to require the production of any identification document from any person in relation to any case or offence under this Act;

(c)

to make such inquiry as may be necessary to ascertain whether the provisions of this Act have been complied with.

General penalty

Section 84

Where the Commission finds that a certification authority has contravened this Act, the Commission may order the certification authority to pay the costs incurred by the Commission in prosecution and adjudication proceedings in relation to the order and in enforcing it.

Section 85

No costs or damages arising from seizure to be recoverable

No person shall, in any proceedings before any court in respect of the seizure of any book, accounts, document, computerized data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item seized in the exercise or the purported exercise of any power conferred under this Act, be entitled to the costs of such proceedings or to any damages or other relief unless such seizure was made without reasonable cause.

Section 86

Institution and conduct of prosecution

(2)

Any officer of the Commission duly authorized in writing by the Public Prosecutor may conduct the prosecution for any offence under this Act.

Jurisdiction to try offences

Section 87

Notwithstanding any written law to the contrary, a Court of a Magistrate of the First Class shall have jurisdiction to try any offence under this Act and to impose the full punishment for any such offence.

Section 88

Protection of Commission and officers

No action or prosecution shall be brought, instituted or maintained in any court against—

(a)

the Commission or any officer duly authorized under this Act for or on account of or in respect of any act ordered or done for the purpose of carrying into effect this Act; and

(b)

any other person for or on account of or in respect of any act done or purported to be done by him under the order, direction or instruction of the Commission or any officer duly authorized under this Act if the act was done in good faith and in a reasonable belief that it was necessary for the purpose intended to be served thereby.

Power to exempt

Section 89

(2)

The Minister may impose any terms and conditions as he thinks fit on any exemption under subsection (1).

Limitation on disclaiming or limiting application of Act

Section 90

Unless it is expressly provided for under this Act, no person may disclaim or contractually limit the application of this Act.

Section 91

Regulations

(a)

prescribing the qualification requirements for certification authorities;

(b)

prescribing the manner of applying for licences and certificates under this Act, the particulars to be supplied by an applicant, the manner of licensing and certification, the fees payable therefor, the conditions or restrictions to be imposed and the form of licences and certificates;

(c)

regulating the operations of licensed certification authorities;

(d)

prescribing the requirements for the content, form and sources of information in certification authority disclosure records, the updating and timeliness of such information and other practices and policies relating to certification authority disclosure records;

(e)

prescribing the form of certification practice statements;

(f)

prescribing the qualification requirements for auditors and the procedure for audits;

(g)

prescribing the requirements for repositories and the procedure for recognition of repositories;

(h)

prescribing the requirements for date/time stamp services and the procedure for recognition of date/time stamp services;

(i)

prescribing the procedure for the review of software for use in creating digital signatures and of the applicable standards in relation to digital signatures and certification practice and for the publication of reports on such software and standards;

(j)

prescribing the forms for the purposes of this Act;

(k)

prescribing the fees and charges payable under this Act and the manner for collecting and disbursing such fees and charges;

(l)

providing for such other matters as are contemplated by, or necessary for giving full effect to, the provisions of this Act and for their due administration.

(2)

Regulations made under subsection (1) may prescribe any act in contravention of the regulations to be an offence and may prescribe penalties of a fine not exceeding one hundred thousand ringgit or imprisonment for a term not exceeding two years or both.

Savings and transitional

Section 92

(2)

Where a certification authority referred to in subsection (1) fails to obtain a licence after the period prescribed in subsection (1), it shall be deemed to be an unlicensed certification authority and the provisions of this Act shall apply to it and the certificates issued by it accordingly.

(3)

Where a certification authority referred to in subsection (1) has obtained a licence in accordance with this Act within the period prescribed in subsection (1), all certificates issued by such certification authority before the commencement of this Act, to the extent that they are not inconsistent with this Act, shall be deemed to have been issued under this Act and shall have effect accordingly.

Act 562

LIST OF AMENDMENTS

| Amending law | Short title | In force from |
|---|---|---|
| Act A1121 | Digital Signature (Amendment) Act 2001 | 01-11-2001 |

LIST OF SECTIONS AMENDED

| Section | Amending authority | In force from |
|---|---|---|
| 2 | Act A1121 | 01-11-2001 |
| 3 | Act A1121 | 01-11-2001 |
| 8 | Act A1121 | 01-11-2001 |
| 9 | Act A1121 | 01-11-2001 |
| 20 | Act A1121 | 01-11-2001 |
| 21 | Act A1121 | 01-11-2001 |
| 24 | Act A1121 | 01-11-2001 |
| 47 | Act A1121 | 01-11-2001 |
| 68 | Act A1121 | 01-11-2001 |
| 69 | Act A1121 | 01-11-2001 |
| 70 | Act A1121 | 01-11-2001 |
| 71 | Act A1121 | 01-11-2001 |
| 75 | Act A1121 | 01-11-2001 |
| 75A | Act A1121 | 01-11-2001 |
| 88 | Act A1121 | 01-11-2001 |

Throughout the Act the word “Commission” is substituted for “Controller”

KUALA LUMPUR

Common questions

What is AKTA TANDATANGAN DIGITAL 1997?
DIGITAL SIGNATURE ACT 1997 is a Malaysian Act, cited as Act 562 of 1997, currently marked in force and first recorded in 1997.
Is AKTA TANDATANGAN DIGITAL 1997 still in force?
Yes — AKTA TANDATANGAN DIGITAL 1997 is currently in force.
When did AKTA TANDATANGAN DIGITAL 1997 take effect?
AKTA TANDATANGAN DIGITAL 1997 was first recorded in 1997.
How many sections does AKTA TANDATANGAN DIGITAL 1997 have?
AKTA TANDATANGAN DIGITAL 1997 contains 88 sections.
Where can I read the official version of AKTA TANDATANGAN DIGITAL 1997?
The official text of AKTA TANDATANGAN DIGITAL 1997 is published at lom.agc.gov.my.