71. Prohibition against dangerous activities

(1) No certification authority, whether licensed or not, shall conduct its business in a manner that creates an unreasonable risk of loss to the subscribers of the certification authority, to persons relying on certificates issued by the certification authority or to a repository.

(2) The Controller may publish in one or more recognised repositories brief statements advising subscribers, persons relying on digital signatures and repositories about any activities of a certification authority, whether licensed or not, which create a risk prohibited under subsection (1).

(3) The certification authority named in a statement as creating or causing a risk may protest the publication of the statement by filing a brief written defence.

(4) On receipt of a protest made under subsection (3), the Controller shall publish the written defence together with the Controller's statement, and shall immediately give the protesting certification authority notice and a reasonable opportunity of being heard.

(5) Where, after a hearing, the Controller determines that the publication of the advisory statement was unwarranted, the Controller shall revoke the advisory statement.

(6) Where, after a hearing, the Controller determines that the advisory statement is no longer warranted, the Controller shall revoke the advisory statement.

(7) Where, after a hearing, the Controller determines that the advisory statement remains warranted, the Controller may continue or amend the advisory statement and may take further legal action to eliminate or reduce the risk prohibited under subsection (1).

(8) The Controller shall publish his decision under subsection (5), (6) or (7), as the case may be, in one or more recognised repositories.

72. Obligation of secrecy

(1) Except for the purposes of this Act, no person who has access to any record, book, register, correspondence, information, document or other material obtained under this Act shall disclose such record, book, register, correspondence, information, document or other material to any other person.

(2) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

73. False information

A person who makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this Act which is untrue, inaccurate or misleading in any particular commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both.

74. Offences by body corporate

(1) Where a body corporate commits an offence under this Act, any person who at the time of the commission of the offence was a director, manager, secretary or other similar officer of the body corporate or was purporting to act in any such capacity or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate or was assisting in such management-
(a) may be charged severally or jointly in the same proceedings with the body corporate; and
(b) where the body corporate is found guilty of the offence, shall be deemed to be guilty of that offence unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves-
(i) that the offence was committed without his knowledge, consent or connivance; and
(ii) that he took all reasonable precautions and had exercised due diligence to prevent the commission of the offence.

(2) Where any person would be liable under this Act to any punishment or penalty for any act, omission, neglect or default, he shall be liable to the same punishment or penalty for every such act, omission, neglect or default of any employee or agent of his, or of the employee of such agent, if such act, omission, neglect or default was committed-

(a) by his employee in the course of his employment;
(b) by the agent when acting on his behalf; or
(c) by the employee of such agent in the course of his employment by such agent or otherwise on behalf of the agent.

75. Authorised officer

(1) The Minister may in writing authorise any public officer or officer of the Controller to exercise the powers of enforcement under this Act.

(2) Any such officer shall be deemed to be a public servant within the meaning of the Penal Code.

(3) In exercising any of the powers of enforcement under this Act, an authorised officer shall on demand produce to the person against whom he is acting the authority issued to him by the Minister.

76. Power to investigate

(1) The Controller may investigate the activities of a certification authority material to its compliance with this Act.

(2) For the purposes of subsection (1), the Controller may issue orders to a certification authority to further its investigation and secure compliance with this Act.

(3) Further, in any case relating to the commission of an offence under this Act, any authorised officer carrying on an investigation may exercise all or any of the special powers in relation to police investigation in seizable cases given by the Criminal Procedure Code.

77. Search by warrant

(1) If it appears to a Magistrate, upon written information on oath and after such inquiry as he considers necessary, that there is reasonable cause to believe that an offence under this Act is being or has been committed on any premises, the Magistrate may issue a warrant authorising any police officer not below the rank of Inspector, or any authorised officer named therein, to enter the premises at any reasonable time by day or by night, with or without assistance and if need be by force, and there to search for and seize-
(a) copies of any books, accounts or other documents, including computerised data, which contain or are reasonably suspected to contain information as to any offence so suspected to have been committed;
(b) any signboard, card, letter, pamphlet, leaflet, notice or other device representing or implying that the person is a licensed certification authority; and
(c) any other document, article or item that is reasonably believed to furnish evidence of the commission of such offence.

(2) A police officer or an authorised officer conducting a search under subsection (1) may, if in his opinion it is reasonably necessary to do so for the purpose of investigating into the offence, search any person who is in or on such premises.

(3) A police officer or an authorised officer making a search of a person under subsection (2) may seize, detain or take possession of any book, accounts, document, computerised data, card, letter, pamphlet, leaflet, notice, device, article or item found on such person for the purpose of the investigation being carried out by such officer.

(4) No female person shall be searched under this section except by another female person.

(5) Where, by reason of its nature, size or amount, it is not practicable to remove any book, accounts, document, computerised data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item seized under this section, the seizing officer shall, by any means, seal such book, accounts, document, computerised data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item in the premises or container in which it is found.

(6) A person who, without lawful authority, breaks, tampers with or damages the seal referred to in subsection (5) or removes any book, accounts, document, computerised data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item under seal or attempts to do so commits an offence.

78. Search and seizure without warrant

If a police officer not below the rank of Inspector in any of the circumstances referred to in section 77 has reasonable cause to believe that by reason of delay in obtaining a search warrant under that section the investigation would be adversely affected or evidence of the commission of an offence is likely to be tampered with, removed, damaged or destroyed, such officer may enter such premises and exercise in, upon and in respect of the premises all the powers referred to in section 77 in as full and ample a manner as if he were authorised to do so by a warrant issued under that section.

79. Access to computerised data

(1) A police officer conducting a search under section 77 or 78 or an authorised officer conducting a search under section 77 shall be given access to computerised data whether stored in a computer or otherwise.

(2) For the purposes of this section, "access" includes being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerised data.

80. List of things seized

(1) Except as provided in subsection (2), where any book, accounts, document, computerised data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item is seized under section 77 or 78, the seizing officer shall prepare a list of the things seized and immediately deliver a copy of the list signed by him to the occupier of the premises which have been searched, or to his agent or servant, at those premises.

(2) Where the premises are unoccupied, the seizing officer shall whenever possible post a list of the things seized conspicuously on the premises.

81. Obstruction of authorised officer

Any person who obstructs, impedes, assaults or interferes with any authorised officer in the performance of his functions under this Act commits an offence.

82. Additional powers

An authorised officer shall, for the purposes of the execution of this Act, have power to do all or any of the following:
(a) to require the production of records, accounts, computerised data and documents kept by a licensed certification authority and to inspect, examine and copy any of them;
(b) to require the production of any identification document from any person in relation to any case or offence under this Act;
(c) to make such inquiry as may be necessary to ascertain whether the provisions of this Act have been complied with.

83. General penalty

(1) A person who commits an offence under this Act for which no penalty is expressly provided shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding four years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding two thousand ringgit for each day the offence continues to be committed.

(2) For the purposes of this section, "this Act" does not include the regulations made under this Act.

84. Recovery of procedural costs

Where the Controller finds that a certification authority has contravened this Act, the Controller may order the certification authority to pay the costs incurred by the Controller in prosecution and adjudication proceedings in relation to the order and in enforcing it.

85. No costs or damages arising from seizure to be recoverable

No person shall, in any proceedings before any court in respect of the seizure of any book, accounts, document, computerised data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item seized in the exercise or the purported exercise of any power conferred under this Act, be entitled to the costs of such proceedings or to any damages or other relief unless such seizure was made without reasonable cause.

86. Institution and conduct of prosecution

(1) No prosecution for or in relation to any offence under this Act shall be instituted without the written consent of the Public Prosecutor.

(2) Any officer of the Controller duly authorised in writing by the Public Prosecutor may conduct the prosecution for any offence under this Act.

87. Jurisdiction to try offences

Notwithstanding any written law to the contrary, a Court of a Magistrate of the First Class shall have jurisdiction to try any offence under this Act and to impose the full punishment for any such offence.

88.Protection of officers

No action or prosecution shall be brought, instituted or maintained in any court against -
(a) the Controller or any officer duly authorised under this Act for or on account of or in respect of any act ordered or done for the purpose of carrying into effect this Act; and
(b) any other person for or on account of or in respect of any act done or purported to be done by him under the order, direction or instruction of the Controller or any officer duly authorised under this Act if the act was done in good faith and in a reasonable belief that it was necessary for the purpose intended to be served thereby.

89. Power to exempt

(1) The Minister may, by order published in the Gazette, exempt any person or class of persons from all or any of the provisions of this Act, except section 4.

(2) The Minister may impose any terms and conditions as he thinks fit on any exemption under subsection (1).

90. Limitation on disclaiming or limiting application of Act

Unless it is expressly provided for under this Act, no person may disclaim or contractually limit the application of this Act.

91. Regulations

(1) The Minister may make regulations for all or any of the following purposes:
(a) prescribing the qualification requirements for certification authorities;
(b) prescribing the manner of applying for licences and certificates under this Act, the particulars to be supplied by an applicant, the manner of licensing and certification, the fees payable therefor, the conditions or restrictions to be imposed and the form of licences and certificates;
(c) regulating the operations of licensed certification authorities;
(d) prescribing the requirements for the content, form and sources of information in certification authority disclosure records, the updating and timeliness of such information and other practices and policies relating to certification authority disclosure records;
(e) prescribing the form of certification practice statements;
(f) prescribing the qualification requirements for auditors and the procedure for audits;
(g) prescribing the requirements for repositories and the procedure for recognition of repositories;
(h) prescribing the requirements for date/time stamp services and the procedure for recognition of date/time stamp services;
(i) prescribing the procedure for the review of software for use in creating digital signatures and of the applicable standards in relation to digital signatures and certification practice and for the publication of reports on such software and standards;
(j) prescribing the forms for the purposes of this Act;
(k) prescribing the fees and charges payable under this Act and the manner for collecting and disbursing such fees and charges;
(l) providing for such other matters as are contemplated by, or necessary for giving full effect to, the provisions of this Act and for their due administration.

(2) Regulations made under subsection (1) may prescribe any act in contravention of the regulations to be an offence and may prescribe penalties of a fine not exceeding one hundred thousand ringgit or imprisonment for a term not exceeding two years or both.

92. Savings and transitional.

(1) A certification authority that has been carrying on or operating as a certification authority before the commencement of this Act shall, not later than three months from such commencement, obtain a licence under this Act.

(2) Where a certification authority referred to in subsection (1) fails to obtain a licence after the period prescribed in subsection (1), it shall be deemed to be an unlicensed certification authority and the provisions of this Act shall apply to it and the certificates issued by it accordingly.

(3) Where a certification authority referred to in subsection (1) has obtained a licence in accordance with this Act within the period prescribed in subsection (1), all certificates issued by such certification authority before the commencement of this Act, to the extent that they are not inconsistent with this Act, shall be deemed to have been issued under this Act and shall have effect accordingly.

This Bill seeks to make provision for, and to regulate the use of, digital signatures and to provide for matters connected therewith.

2. Part 1 contains preliminary matters.

Clause 1 contains the short title and provisions on the commencement of the proposed Act.

Clause 2 contains the definitions of several expressions used in the proposed Act.

3. Part II deals with the Controller of Certification Authorities and the licensing of certification authorities.

Clause 3 seeks to empower the Minister to appoint a Controller of Certification Authorities. It also seeks to empower the Controller, after consultation with the Minister, to appoint such number of officers and servants as the Controller considers necessary. The function of the Controller is primarily to license certification authorities and to monitor and oversee the activities of certification authorities.

Clause 4 seeks to introduce a mandatory licensing scheme for certification authorities. The mandatory licensing scheme is proposed to establish a minimum regulatory system to provide a basic level of reliability in certification authority practice without undermining the reliability of any signature by invalidating it for lack of a regulatory licence. Under the proposed scheme, a digital signature may nevertheless be reliable and legally valid if verified by a certificate issued by an unlicensed certification authority or without verification by any certificate at all. However, in such cases and as expressly provided in clause 13 of the proposed Act, neither the liability limits specified in Chapter 8 of Part IV of the proposed Act nor Part V of the proposed Act shall apply.

Subclause 4(3) seeks to allow the Minister to exempt a person operating as a certification authority within an organisation where certificates and key pairs are issued to members of the organisation for internal use only and such other person or class of persons as the Minister considers fit.

Clause 5 seeks to empower the Minister to prescribe the qualification requirements for certification authorities by regulations made under the proposed Act.

Clause 6 seeks to make provision for the functions of licensed certification authorities. It also seeks to impose a duty on the licensed certification authority to take all reasonable measures to check for proper identification of a subscriber before issuing a certificate.

Clauses 7 to 11 seek to make provision for the application for licences and the issue, surrender and revocation of licences.

Clause 12 seeks to provide for the effect of the revocation, surrender or expiry of licences. Subclauses 12(5) to (8) seek to make provision for the certificates issued by a certification authority where its licence has been revoked or surrendered or has expired.

Clause 13 seeks to clarify the effect of the lack of a licence, that is, Chapter 8 of Part IV of the proposed Act will not apply to the unlicensed certification authority and Part V of the proposed Act will not apply in relation to a digital signature which cannot be verified by a certificate issued by a licensed certification authority.

Clause 14 seeks to require the return of revoked or expired licences.

Clause 15 seeks to allow the Controller to classify licences according to specified limitations and provides that where a licensed certification authority issues a certificate exceeding the restrictions of its licence, the licensed certification authority commits an offence. Further, the liability limits specified in Chapter 8 of Part IV shall not apply to it. However, this shall not affect the validity or effect of the issued certificate.

Clause 16 seeks to restrict the use of the expression "certification authority" and "licensed certification authority".

Clause 17 seeks to provide for the renewal of licences whilst clause 18 seeks to provide for the replacement of lost licences.

Clause 19 seeks to allow the Controller, by order published in the Gazette, to recognise foreign certification authorities thereby allowing the recommended reliance limits specified in the certificates issued by the foreign certification authorities to apply and Part V of the proposed Act to apply to the certificates issued by it.

Clause 20 seeks to provide for performance audits of licensed certification authorities to evaluate its compliance with the proposed Act. Clause 21 seeks to provide limited exemptions from performance audits to small businesses.

4. Part Ill (clauses 22 to 26) deals with the requirements imposed on licensed certification authorities and includes requiring the licensed certification authority to only carry on activities specified in its licence, to display its licence and to submit information relating to its business operations.

5. Part IV (clauses 27 to 61) deals with the duties of licensed certification authorities and subscribers. The duties of a licensed certification authority include using a trustworthy system to issue, suspend or revoke a certificate, to publish or give notice thereof and to create a private key, to publish issued and accepted certificates and to suspend or revoke certificates immediately where the need arises.

Clause 31 provides that a licensed certification authority may conform to standards, certification practice statements, security plans or contractual requirements more rigorous than the proposed Act provided that they are not inconsistent therewith.

The duties of a subscriber include retaining control of the private key and practising safe key management. Clause 44 provides that the private key is the personal property of the subscriber who rightfully holds it.

Clauses 34 to 42 seek to provide the warranties and obligations of the licensed certification authority and subscriber on the issue and acceptance of a certificate.

Clauses 60 and 61 seek to provide for a recommended reliance limit. By specifying a recommended reliance limit in a certificate, the issuing certification authority and accepting subscriber recommend that a person rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.

6. Part V deals with the effect of digital signatures.

Clause 62 seeks to provide that a digital signature created in accordance with the proposed Act shall satisfy the requirements of law with respect to signatures and that notwithstanding any written law to the contrary, a document signed with a digital signature in accordance with the proposed Act shall be as legally binding as a document signed with a handwritten signature, an affixed thumbprint or any other mark.However, the proposed Act does not preclude any symbol from being valid as a signature under any other applicable law.

Clause 63 seeks to provide that the recipient of a digital signature assumes the risk that a digital signature is forged if under the circumstances reliance on it is not reasonable. It also seeks to impose a duty on the recipient who does not rely on a digital signature to notify the signer of its determination and the grounds for that determination.

Clause 64 seeks to deem a digitally signed document to be a written document whilst clause 65 seeks to deem a digitally signed document to be an original document.

Clause 66 seeks to provide for the authentication of digital signatures.

Clause 67 seeks to provide certain presumptions in adjudicating disputes.

7. Part VI deals with repositories and date/time stamp services. Clauses 68 and 69 seek to provide for the recognition of repositories and their liabilities.

Clause 70 seeks to provide for the recognition of date/time stamp services.

8. Part VII deals with general matters.

Clause 72 seeks to impose an obligation of secrecy on persons who have access to confidential information obtained under the proposed Act.

Clause 73 seeks to make it an offence to furnish untrue, inaccurate or misleading information.

Clause 74 seeks to provide for offences committed by a body corporate.

Clause 75 seeks to empower the Minister to authorise any public officer or officer of the Controller to exercise the powers of enforcement under the proposed Act.