LAWS OF MALAYSIA
REPRINT

Act 562

DIGITAL SIGNATURE ACT 1997
Incorporating all amendments up to 1 January 2006

PUBLISHED BY
THE COMMISSIONER OF LAW REVISION, MALAYSIA
UNDER THE AUTHORITY OF THE REVISION OF LAWS ACT 1968
IN COLLABORATION WITH
PERCETAKAN NASIONAL MALAYSIA BHD
2006

DIGITAL SIGNATURE ACT 1997

Date of Royal Assent ... 18 June 1997

Date of publication in the Gazette ... 30 June 1997

PREVIOUS REPRINT

First Reprint ... 2002

LAWS OF MALAYSIA

Act 562

DIGITAL SIGNATURE ACT 1997

ARRANGEMENT OF SECTIONS

PART I

PRELIMINARY

Section

1. Short title and commencement
2. Interpretation

PART II

THE COMMISSION AND THE LICENSING OF
CERTIFICATION AUTHORITIES

3. Appointment of Commission
4. Certification authorities to be licensed
5. Qualifications of certification authorities
6. Functions of licensed certification authorities
7. Application for licence
8. Grant or refusal of licence
9. Revocation of licence
10. Appeal
11. Surrender of licence
12. Effect of revocation, surrender or expiry of licence
13. Effect of lack of licence
14. Return of licence
15. Restricted licence
16. Restriction on use of expression “certification authority”
17. Renewal of licence
18. Lost licence
19. Recognition of other licences
20. Performance audit
21. Exemption from performance audit

PART III

REQUIREMENTS OF LICENSED CERTIFICATION
AUTHORITIES

22. Activities of licensed certification authorities
23. Requirement to display licence
24. Requirement to submit information and particulars relating to business operations
25. Notification of change of information
26. Requirements as to advertisement

PART IV

DUTIES OF LICENSED CERTIFICATION AUTHORITIES
AND SUBSCRIBERS

CHAPTER 1

GENERAL REQUIREMENTS FOR LICENSED
CERTIFICATION AUTHORITIES

27. Use of trustworthy systems
28. Disclosures on inquiry
29. Prerequisites to issuance of certificate to subscriber
30. Publication of issued and accepted certificate
31. Adoption of more rigorous requirements permitted
32. Suspension or revocation of certificate for faulty issuance
33. Suspension or revocation of certificate by order

CHAPTER 2

WARRANTIES AND OBLIGATIONS OF LICENSED
CERTIFICATION AUTHORITIES

34. Warranties to subscriber
35. Continuing obligations to subscriber
36. Representations upon issuance
37. Representations upon publication

CHAPTER 3

REPRESENTATIONS AND DUTIES UPON ACCEPTANCE
OF CERTIFICATE

38. Implied representations by subscriber
39. Representations by agent of subscriber
40. Disclaimer or indemnity limited
41. Indemnification of licensed certification authority by subscriber
42. Certification of accuracy of information given

CHAPTER 4

CONTROL OF PRIVATE KEY

43. Duty of subscriber to keep private key secure
44. Property in private key
45. Licensed certification authority to be fiduciary if holding subscriber’s private key

CHAPTER 5

SUSPENSION OF CERTIFICATE

46. Suspension of certificate by issuing licensed certification authority
47. Suspension of certificate by Commission or court
48. Notice of suspension

49. Termination of suspension initiated by request
50. Alternate contractual procedures
51. Prohibition against false or unauthorized request for suspension of certificate
52. Effect of suspension of certificate

CHAPTER 6

REVOCATION OF CERTIFICATE

53. Revocation on request
54. Revocation on subscriber’s death or dissolution
55. Revocation of unreliable certificates
56. Notice of revocation
57. Effect of revocation request on subscriber
58. Effect of notification on licensed certification authority

CHAPTER 7

EXPIRATION OF CERTIFICATE

59. Expiration of certificate

CHAPTER 8

RECOMMENDED RELIANCE LIMITS AND LIABILITY

60. Recommended reliance limit
61. Liability limits for licensed certification authorities

PART V

EFFECT OF DIGITAL SIGNATURE

62. Satisfaction of signature requirements
63. Unreliable digital signatures
64. Digitally signed message deemed to be written document
65. Digitally signed message deemed to be original document
66. Authentication of digital signatures
67. Presumptions in adjudicating disputes

PART VI

REPOSITORIES AND DATE/TIME STAMP SERVICES

68. Recognition of repositories
69. Liability of repositories
70. Recognition of date/time stamp services

PART VII

GENERAL

71. Prohibition against dangerous activities
72. Obligation of secrecy
73. False information
74. Offences by body corporate
75. Authorized officer
75A. Enforcement by police officers
76. Power to investigate
77. Search by warrant
78. Search and seizure without warrant
79. Access to computerized data
80. List of things seized
81. Obstruction of authorized officer
82. Additional powers
83. General penalty
84. Recovery of procedural costs
85. No costs or damages arising from seizure to be recoverable
86. Institution and conduct of prosecution
87. Jurisdiction to try offences
88. Protection of Commission and officers
89. Power to exempt
90. Limitation on disclaiming or limiting application of Act
91. Regulations
92. Savings and transitional


LAWS OF MALAYSIA

Act 562

DIGITAL SIGNATURE ACT 1997

An Act to make provision for, and to regulate the use of, digital signatures and to provide for matters connected therewith.

[1 October 1998, P.U. (B) 397/1998]

BE IT ENACTED by the Seri Paduka Baginda Yang di-Pertuan Agong with the advice and consent of the Dewan Negara and Dewan Rakyat in Parliament assembled, and by the authority of the same, as follows:

PART I

PRELIMINARY

Short title and commencement

1. This Act may be cited as the Digital Signature Act 1997 and shall come into force on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act.

Interpretation

2. (1) In this Act, unless the context otherwise requires—

“accept a certificate” means—
(a) to manifest approval of a certificate, while knowing or having notice of its contents; or
(b) to apply to a licensed certification authority for a certificate, without revoking the application by delivering notice of the revocation to the licensed certification authority, and obtaining a signed, written receipt from the licensed certification authority, if the licensed certification authority subsequently issues a certificate based on the application;

“asymmetric cryptosystem” means an algorithm or series of algorithms which provide a secure key pair;

“authorized officer” means an officer authorized under section 75;

“certificate” means a computer-based record which—
(a) identifies the certification authority issuing it;
(b) names or identifies its subscriber;
(c) contains the subscriber’s public key; and
(d) is digitally signed by the certification authority issuing it;

“certification authority” means a person who issues a certificate;

“certification authority disclosure record” means an on-line and publicly accessible record which concerns a licensed certification authority which is kept by the Commission under subsection 3(5);

“certification practice statement” means a declaration of the practices which a certification authority employs in issuing certificates generally, or employed in issuing a particular certificate;

“certify” means to declare with reference to a certificate, with ample opportunity to reflect, and with a duty to apprise oneself of all material facts;

*“Commission” means the Malaysian Communications and Multimedia Commission established under the Malaysian Communications and Multimedia Commission Act 1998 [Act 589];

“confirm” means to ascertain through diligent inquiry and investigation;

“correspond”, with reference to keys, means to belong to the same key pair;

*NOTE—Upon the commencement of Act A1121, previous references to the Controller of Certification Authorities (“Controller”) or any officer and servant appointed by the Controller, shall be construed as references to the Commission or its authorized officer—see section 19 of Act A1121.

“digital signature” means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine—
(a) whether the transformation was created using the private key that corresponds to the signer’s public key; and
(b) whether the message has been altered since the transformation was made;

“forge a digital signature” means—
(a) to create a digital signature without the authorization of the rightful holder of the private key; or
(b) to create a digital signature verifiable by a certificate listing as subscriber a person who either does not exist or does not hold the private key corresponding to the public key listed in the certificate;

“hold a private key” means to be able to utilize a private key;

“incorporate by reference” means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated;

“issue a certificate” means the act of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate;

“key pair” means a private key and its corresponding public key in an asymmetric cryptosystem, where the public key can verify a digital signature that the private key creates;

“licensed certification authority” means a certification authority to whom a licence has been issued by the Commission and whose licence is in effect;

“message” means a digital representation of information;

“notify” means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person;

“person” means a natural person or a body of persons, corporate or unincorporate, capable of signing a document, either legally or as a matter of fact;

“prescribed” means prescribed by or under this Act or any regulations made under this Act;

“private key” means the key of a key pair used to create a digital signature;

“public key” means the key of a key pair used to verify a digital signature;

“publish” means to record or file in a repository;

“qualified certification authority” means a certification authority that satisfies the requirements under section 5;

“recipient” means a person who receives or has a digital signature and is in a position to rely on it;

“recognized date/time stamp service” means a date/time stamp service recognized by the Commission under section 70;

“recognized repository” means a repository recognized by the Commission under section 68;

“recommended reliance limit” means the monetary amount recommended for reliance on a certificate under section 60;

“repository” means a system for storing and retrieving certificates and other information relevant to digital signatures;

“revoke a certificate” means to make a certificate ineffective permanently from a specified time forward;

“rightfully hold a private key” means to be able to utilize a private key—
(a) which the holder or the holder’s agents have not disclosed to any person in contravention of this Act; and
(b) which the holder has not obtained through theft, deceit, eavesdropping or other unlawful means;

“subscriber” means a person who—
(a) is the subject listed in a certificate;
(b) accepts the certificate; and
(c) holds a private key which corresponds to a public key listed in that certificate;

“suspend a certificate” means to make a certificate ineffective temporarily for a specified time forward;

“this Act” includes any regulations made under this Act;

“time-stamp” means—
(a) to append or attach to a message, digital signature or certificate a digitally signed notation indicating at least the date, time and identity of the person appending or attaching the notation; or
(b) the notation so appended or attached;

“transactional certificate” means a certificate, incorporating by reference one or more digital signatures, issued and valid for a specific transaction;

“trustworthy system” means computer hardware and software which—
(a) are reasonably secure from intrusion and misuse;
(b) provide a reasonable level of availability, reliability and correct operation; and
(c) are reasonably suited to performing their intended functions;

“valid certificate” means a certificate which—
(a) a licensed certification authority has issued;
(b) has been accepted by the subscriber listed in it;
(c) has not been revoked or suspended; and
(d) has not expired:
Provided that a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference;

“verify a digital signature” means, in relation to a given digital signature, message and public key, to determine accurately that—
(a) the digital signature was created by the private key corresponding to the public key; and
(b) the message has not been altered since its digital signature was created;

“writing” or “written” includes any handwriting, typewriting, printing, electronic storage or transmission or any other method of recording information or fixing information in a form capable of being preserved.

(2) For the purposes of this Act, a certificate shall be revoked by making a notation to that effect on the certificate or by including the certificate in a set of revoked certificates.

(3) The revocation of a certificate does not mean that it is destroyed or made illegible.

PART II

THE COMMISSION AND THE LICENSING OF CERTIFICATION AUTHORITIES

Appointment of Commission

3. (1) The Commission shall be responsible for administering, enforcing, carrying out and giving effect to the provisions of this Act and shall exercise, discharge and perform the powers, duties and functions under this Act for the purpose of monitoring and overseeing the activities of certification authorities.

(2) (Deleted by Act A1121).

(3) (Deleted by Act A1121).

(4) The Commission and its employees shall exercise their powers under this Act subject to such directions as to general policy and orders as may be given or made by the Minister.

(5) The Commission shall maintain a publicly accessible data base containing a certification authority disclosure record for each licensed certification authority which shall contain all the particulars required under the regulations made under this Act.

(6) The Commission shall publish the contents of the data base in at least one recognized repository.

Certification authorities to be licensed

4. (1) No person shall carry on or operate, or hold himself out as carrying on or operating, as a certification authority unless that person holds a valid licence issued under this Act.

(2) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five thousand ringgit for each day the offence continues to be committed.

(3) The Minister may, on an application in writing being made in accordance with this Act, exempt—
(a) a person operating as a certification authority within an organization where certificates and key pairs are issued to members of the organization for internal use only; and
(b) such other person or class of persons as the Minister considers fit,
from the requirements of this section.

(4) The Minister may delegate his powers under subsection (3) to the Commission and such powers may be exercised by the Commission in the name and on behalf of the Minister.

(5) A delegation under subsection (4) shall not preclude the Minister himself from exercising at any time the powers so delegated.

(6) The liability limits specified in Chapter 8 of Part IV shall not apply to an exempted certification authority and Part V shall not apply in relation to a digital signature verified by a certificate issued by an exempted certification authority.

Qualifications of certification authorities

5. (1) The Minister shall, by regulations made under this Act, prescribe the qualification requirements for certification authorities.

(2) The Minister may at any time vary or amend the qualification requirements prescribed under subsection (1) provided that any such variation or amendment shall not be applied to a certification authority holding a valid licence under this Act until the expiry of that licence.

Functions of licensed certification authorities

6. (1) The function of a licensed certification authority shall be to issue a certificate to a subscriber upon application and upon satisfaction of the licensed certification authority’s requirements as to the identity of the subscriber to be listed in the certificate and upon payment of the prescribed fees and charges.

(2) The licensed certification authority shall, before issuing any certificate under this Act, take all reasonable measures to check for proper identification of the subscriber to be listed in the certificate.

(3) The licensed certification authority shall, on the issuance of any certificate under this Act, cause the application for the certificate to be certified by a notary public duly appointed under the Notaries Public Act 1959 [Act 115].

Application for licence

7. (1) An application for the grant of a licence under this Act shall be made in writing to the Commission in such form as may be prescribed.

(2) Every application under subsection (1) shall be accompanied by such documents or information as may be prescribed and the Commission may, orally or in writing at any time after receiving the application and before it is determined, require the applicant to provide such additional documents or information as may be considered necessary by the Commission for the purposes of determining the suitability of the applicant for the licence.

(3) Where any additional document or information required under subsection (2) is not provided by the applicant within the time specified in the requirement or any extension thereof granted by the Commission, the application shall be deemed to be withdrawn and shall not be further proceeded with, without prejudice to a fresh application being made by the applicant.

Grant or refusal of licence

8. (1) The Commission shall, on an application having been duly made in accordance with section 7 and after being provided with all such documents and information as it may require, consider the application, and where it is satisfied that the applicant is a qualified certification authority and a suitable licensee, and upon payment of the prescribed fee, grant the licence with or without conditions, or refuse to grant a licence.

(2) Every licence granted under subsection (1) shall set out the duration of the licence and the licence number.

(3) The terms and conditions imposed under the licence may at any time be varied or amended by the Commission provided that the licensee is given a reasonable opportunity of being heard.

(4) Where the Commission refuses to grant a licence, it shall immediately notify the applicant in writing of its refusal.

Revocation of licence

9. (1) The Commission may revoke a licence granted under section 8 if it is satisfied that—
(a) the licensed certification authority has failed to comply with any obligation imposed upon it by or under this Act;
(b) the licensed certification authority has contravened any condition imposed under the licence, any provision of this Act or any other written law, regardless that there has been no prosecution for an offence in respect of such contravention;
(c) the licensed certification authority has, either in connection with the application for the licence or at any time after the grant of the licence, provided the Commission with false, misleading or inaccurate information or a document or declaration made by or on behalf of the licensed certification authority or by or on behalf of any person who is or is to be a director, controller or manager of the licensed certification authority which is false, misleading or inaccurate;
(d) the licensed certification authority is carrying on its business in a manner which is prejudicial to the interest of the public or to the national economy;
(e) the licensed certification authority has insufficient assets to meet its liabilities;
(f) a winding up order has been made against the licensed certification authority or a resolution for its voluntary winding up has been passed;
(g) the licensed certification authority or any of its officers holding a managerial or an executive position has been convicted of any offence involving dishonesty, fraud or moral turpitude;
(h) the licensed certification authority or its director, controller or manager has been convicted of any offence under this Act; or
(i) the licensed certification authority has ceased to be a qualified certification authority.

(2) Before revoking a licence, the Commission shall give the licensed certification authority a notice in writing of its intention to do so and require the licensed certification authority to show cause within a period specified in the notice as to why the licence should not be revoked.

(3) Where the Commission decides to revoke the licence, it shall immediately inform the certification authority concerned of its decision by a notice in writing.

(4) The revocation of a licence shall take effect—
(a) where there is no appeal against such revocation, on the expiration of fourteen days from the date on which the notice of revocation is served on the licensed certification authority; or
(b) where there is an appeal against such revocation, when the revocation is confirmed by the Minister.

(5) Where an appeal has been made against the revocation of a licence, the certification authority whose licence has been so revoked shall not issue any certificates until the appeal has been disposed of and the revocation has been set aside by the Minister but nothing in this subsection shall prevent the certification authority from fulfilling its other obligations to its subscribers during such period.

(6) A person who contravenes subsection (5) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both.

(7) Where the revocation of a licence has taken effect, the Commission shall, as soon as practicable, cause such revocation to be published in the certification authority disclosure record that it maintains for the certification authority concerned and advertised in at least one national language and one English language national daily newspaper for at least three consecutive days.

(8) Any delay or failure in publishing or advertising such notice of revocation shall not in any manner affect the validity of the revocation.

Appeal

10. (1) Any person who is aggrieved by—
(a) the refusal of the Commission to license any certification authority under section 8 or to renew any such licence under section 17; or
(b) the revocation of any licence under section 9,
may appeal in writing to the Minister within fourteen days from the date on which the notice of refusal or revocation is served on that person.

(2) The decision of the Minister under this section shall be final and conclusive.

Surrender of licence

11. (1) A licensed certification authority may surrender its licence by forwarding it to the Commission with a written notice of its surrender.

(2) The surrender shall take effect on the date the Commission receives the licence and the notice under subsection (1), or where a later date is specified in the notice, on that date.

(3) The licensed certification authority shall, not later than fourteen days after the date referred to in subsection (2), cause such surrender to be published in the certification authority disclosure record of the certification authority concerned and advertised in at least one national language and one English language national daily newspaper for at least three consecutive days.

Effect of revocation, surrender or expiry of licence

12. (1) Where the revocation of a licence under section 9 or its surrender under section 11 has taken effect, or where the licence has expired, the licensed certification authority shall immediately cease to carry on or operate any business in respect of which the licence was granted.

(2) Notwithstanding subsection (1), the Minister may, on the recommendation of the Commission, authorize the licensed certification authority in writing to carry on its business for such duration as the Minister may specify in the authorization for the purpose of winding up its affairs.

(3) Notwithstanding subsection (1), a licensed certification authority whose licence has expired shall be entitled to carry on its business as if its licence had not expired upon proof being submitted to the Commission that the licensed certification authority has applied for a renewal of the licence and that such application is pending determination.

(4) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five thousand ringgit for each day the offence continues to be committed.

(5) Without prejudice to the Commission’s powers under section 33, the revocation of a licence under section 9 or its surrender under section 11 or its expiry shall not affect the validity or effect of any certificate issued by the certification authority concerned before such revocation, surrender or expiry.

(6) For the purposes of subsection (5), the Commission shall appoint another licensed certification authority to take over the certificates issued by the certification authority whose licence has been revoked or surrendered or has expired and such certificates shall, to the extent that they comply with the requirements of the appointed licensed certification authority, be deemed to have been issued by that licensed certification authority.

(7) Nothing in subsection (6) shall preclude the appointed licensed certification authority from requiring the subscriber to comply with its requirements in relation to the issuance of certificates or from issuing a new certificate to the subscriber for the unexpired period of the original certificate provided that any additional fees or charges to be imposed shall only be imposed with the prior written approval of the Commission.

(8) Where the Commission has appointed a licensed certification authority to take over the certificates of a certification authority under subsection (6), the certification authority shall pay to the appointed licensed certification authority such part of the prescribed fee paid by the subscribers to it as the Commission may determine.

Effect of lack of licence

13. (1) The liability limits specified in Chapter 8 of Part IV shall not apply to unlicensed certification authorities.

(2) Part V shall not apply in relation to a digital signature which cannot be verified by a certificate issued by a licensed certification authority.

(3) In any other case, unless the parties expressly provide otherwise by contract between themselves, the licensing requirements under this Act shall not affect the effectiveness, enforceability or validity of any digital signature.

Return of licence

14. (1) Where the revocation of a licence under section 9 has taken effect, or where the licence has expired and no application for its renewal has been submitted within the period specified or where an application for renewal has been refused under section 17, the licensed certification authority shall within fourteen days return the licence to the Commission.

(2) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five thousand ringgit for each day the offence continues to be committed, and the court shall retain the licence and forward it to the Commission.

Restricted licence

15. (1) The Commission may classify licences according to specified limitations including—
(a) maximum number of outstanding certificates;
(b) cumulative maximum of recommended reliance limits in certificates issued by the licensed certification authority; and
(c) issuance only within a single firm or organization.

(2) The Commission may issue licences restricted according to the limits of each classification.

(3) A licensed certification authority that issues a certificate exceeding the restrictions of its licence commits an offence.

(4) Where a licensed certification authority issues a certificate exceeding the restrictions of its licence, the liability limits specified in Chapter 8 of Part IV shall not apply to the licensed certification authority in relation to that certificate.

(5) Nothing in subsection (3) or (4) shall affect the validity or effect of the issued certificate.

Restriction on use of expression “certification authority”

16. Except with the written consent of the Commission, no person, not being a licensed certification authority, shall assume or use the expressions “certification authority” or “licensed certification authority”, as the case may be, or any derivative of these expressions in any language, or any other words in any language capable of being construed as indicating the carrying on or operation of such business, in relation to the business or any part of the business carried on by such person, or make any representation to such effect in any bill head, letter, paper, notice, advertisement or in any other manner.

Renewal of licence

17. (1) Every licensed certification authority shall submit an application to the Commission in such form as may be prescribed for the renewal of its licence at least thirty, but not more than sixty, days before the date of expiry of the licence and such application shall be accompanied by such documents and information as may be required by the Commission.

(2) The prescribed fee shall be payable upon approval of the application.

(3) If any licensed certification authority has no intention of renewing its licence, the licensed certification authority shall, at least thirty days before the expiry of the licence, publish such intention in the certification authority disclosure record of the certification authority concerned and advertise such intention in at least one national language and one English language national daily newspaper for at least three consecutive days.

(4) Without prejudice to any other grounds, the Commission may refuse to renew a licence where the requirements of subsection (1) have not been complied with.

Lost licence

18. (1) Where a licensed certification authority has lost its licence, it shall immediately notify the Commission in writing of the loss.

(2) The licensed certification authority shall, as soon as practicable, submit an application for a replacement licence accompanied by all such information and documents as may be required by the Commission together with the prescribed fee.

Recognition of other licences

19. (1) The Commission may recognize, by order published in the Gazette, certification authorities licensed or otherwise authorized by governmental entities outside Malaysia that satisfy the prescribed requirements.

(2) Where a licence or other authorization of a governmental entity is recognized under subsection (1)—
(a) the recommended reliance limit, if any, specified in a certificate issued by the certification authority licensed or otherwise authorized by the governmental entity shall have effect in the same manner as a recommended reliance limit specified in a certificate issued by a licensed certification authority of Malaysia; and
(b) Part V shall apply to the certificates issued by the certification authority licensed or otherwise authorized by the governmental entity in the same manner as it applies to a certificate issued by a licensed certification authority of Malaysia.

Performance audit

*20. (1) The operations of a licensed certification authority shall be audited at least once a year to evaluate its compliance with this Act.

(2) The audit shall be carried out by a certified public accountant having expertise in computer security or by an accredited computer security professional.

(3) The qualifications of the auditors and the procedure for an audit shall be as may be prescribed by regulations made under this Act.

(4) The Commission shall publish in the certification authority disclosure record that it maintains for the licensed certification authority concerned the date and result of the audit.

*NOTE—The Central Bank of Malaysia is exempted from the requirements of this section for the purpose of implementing the Real-Time Electronic Transfer of Funds and Securities System or also known as “RENTAS”—see P.U. (A) 300/1999.

Exemption from performance audit

21. (1) The Commission may exempt a licensed certification authority from the requirements of section 20 if—
(a) the licensed certification authority requests in writing for exemption;
(b) the most recent performance audit, if any, of the licensed certification authority resulted in a finding of full or substantial compliance with this Act; and
(c) the licensed certification authority declares under oath or affirmation that one or more of the following is true with respect to the licensed certification authority:
(i) the licensed certification authority has issued fewer than six certificates during the past year and the total of the recommended reliance limits of all such certificates does not exceed twenty-five thousand ringgit;
(ii) the aggregate lifetime of all certificates issued by the licensed certification authority during the past year is less than thirty days and the total of the recommended reliance limits of all such certificates does not exceed twenty-five thousand ringgit;
(iii) the recommended reliance limits of all certificates outstanding and issued by the licensed certification authority total less than two thousand five hundred ringgit.

(2) Where the licensed certification authority’s declaration under paragraph (1)(c) falsely states a material fact, the licensed certification authority shall be deemed to have failed to comply with the performance audit requirement under section 20.

(3) Where a licensed certification authority is exempted under subsection (1), the Commission shall publish in the certification authority disclosure record that it maintains for the licensed certification authority concerned a statement that the licensed certification authority is exempted from the performance audit requirement under section 20.

PART III

REQUIREMENTS OF LICENSED CERTIFICATION AUTHORITIES

Activities of licensed certification authorities

22. (1) A licensed certification authority shall only carry on such activities as may be specified in its licence.

(2) A licensed certification authority shall carry on its activities in accordance with this Act and any regulations made under this Act.

Requirement to display licence

23. A licensed certification authority shall at all times display its licence in a conspicuous place at its place of business.

Requirement to submit information and particulars relating to business operations

*24. (1) A licensed certification authority shall submit to the Commission such information and particulars including financial statements, audited balance sheets and profit and loss accounts relating to its entire business operations as may be required by the Commission within such time as it may determine.

(2) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding two thousand ringgit for each day the offence continues to be committed.

Notification of change of information

*25. (1) Every licensed certification authority shall, before making any amendment or alteration to any of its constituent documents, or before any change in its director or chief executive officer, furnish the Commission particulars in writing of any such proposed amendment, alteration or change.

*NOTE—The Central Bank of Malaysia is exempted from the requirements of this section for the purpose of implementing the Real-Time Electronic Transfer of Funds and Securities System or also known as “RENTAS”—see P.U. (A) 300/1999.

(2) Every licensed certification authority shall immediately notify the Commission of any amendment or alteration to any information or document which has been furnished to the Commission in connection with the licence.

Requirements as to advertisement

26. A licensed certification authority shall not publish, whether in a newspaper, brochure or otherwise, any advertisement or information relating to or in connection with the business of a certification authority without including—
(a) the licence number;
(b) the business name under which it carries on business and the address at which such business is carried on; and
(c) any other particulars relating to any services offered as the Commission considers necessary.

PART IV

DUTIES OF LICENSED CERTIFICATION AUTHORITIES AND SUBSCRIBERS

CHAPTER 1

General requirements for licensed certification authorities

Use of trustworthy systems

27. (1) A licensed certification authority shall only use a trustworthy system—
(a) to issue, suspend or revoke a certificate;
(b) to publish or give notice of the issuance, suspension or revocation of a certificate; and
(c) to create a private key, whether for itself or for a subscriber.

(2) A subscriber shall only use a trustworthy system to create a private key.

Disclosures on inquiry

28. (1) A licensed certification authority shall, on an inquiry being made to it under this Act, disclose any material certification practice statement and any fact material to either the reliability of a certificate which it has issued or its ability to perform its services.

(2) A licensed certification authority may require a signed, written and reasonably specific inquiry from an identified person, and payment of the prescribed fee, as conditions precedent to effecting a disclosure required under subsection (1).

Prerequisites to issuance of certificate to subscriber

29. (1) A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:
(a) the licensed certification authority has received a request for issuance signed by the prospective subscriber; and
(b) the licensed certification authority has confirmed that—
(i) the prospective subscriber is the person to be listed in the certificate to be issued;
(ii) if the prospective subscriber is acting through one or more agents, the subscriber duly authorized the agent or agents to have custody of the subscriber’s private key and to request issuance of a certificate listing the corresponding public key;
(iii) the information in the certificate to be issued is accurate;
(iv) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(v) the prospective subscriber holds a private key capable of creating a digital signature; and
(vi) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.

(2) The requirements of subsection (1) shall not be waived or disclaimed by the licensed certification authority, the subscriber, or both.

Publication of issued and accepted certificate

30. (1) Where the subscriber accepts the issued certificate, the licensed certification authority shall publish a signed copy of the certificate in a recognized repository, as the licensed certification authority and the subscriber named in the certificate may agree, unless a contract between the licensed certification authority and the subscriber provides otherwise.

(2) Where the subscriber does not accept the certificate, a licensed certification authority shall not publish it, or shall cancel its publication if the certificate has already been published.

Adoption of more rigorous requirements permitted

31. Nothing in sections 29 and 30 shall preclude a licensed certification authority from conforming to standards, certification practice statements, security plans or contractual requirements more rigorous than, but nevertheless consistent with, this Act.

Suspension or revocation of certificate for faulty issuance

32. (1) Where after issuing a certificate a licensed certification authority confirms that it was not issued in accordance with sections 29 and 30, the licensed certification authority shall immediately revoke it.

(2) A licensed certification authority may suspend a certificate which it has issued for a reasonable period not exceeding forty-eight hours as may be necessary for an investigation to be carried out to confirm the grounds for a revocation under subsection (1).

(3) The licensed certification authority shall immediately notify the subscriber of a revocation or suspension under this section.

Suspension or revocation of certificate by order

33. (1) The Commission may order the licensed certification authority to suspend or revoke a certificate issued by it where the Commission determines that—
(a) the certificate was issued without compliance with sections 29 and 30; and
(b) the non-compliance poses a significant risk to persons reasonably relying on the certificate.

(2) Before making a determination under subsection (1), the Commission shall give the licensed certification authority and the subscriber a reasonable opportunity of being heard.

(3) Notwithstanding subsections (1) and (2), where in the opinion of the Commission there exists an emergency that requires an immediate remedy, the Commission may, after consultation with the Minister, suspend a certificate for a period not exceeding forty-eight hours.

CHAPTER 2

Warranties and obligations of licensed certification authorities

Warranties to subscriber

34. (1) By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate that—
(a) the certificate contains no information known to the licensed certification authority to be false;
(b) the certificate satisfies all the requirements of this Act; and
(c) the licensed certification authority has not exceeded any limits of its licence in issuing the certificate.

(2) A licensed certification authority shall not disclaim or limit the warranties under subsection (1).

Continuing obligations to subscriber

35. Unless the subscriber and licensed certification authority otherwise agree, a licensed certification authority, by issuing a certificate, promises to the subscriber—
(a) to act promptly to suspend or revoke a certificate in accordance with Chapter 5 or 6; and
(b) to notify the subscriber within a reasonable time of any facts known to the licensed certification authority which significantly affect the validity or reliability of the certificate once it is issued.

Representations upon issuance

36. By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the information contained in the certificate that—
(a) the information in the certificate and listed as confirmed by the licensed certification authority is accurate;
(b) all information foreseeably material to the reliability of the certificate is stated or incorporated by reference within the certificate;
(c) the subscriber has accepted the certificate; and
(d) the licensed certification authority has complied with all applicable laws governing the issuance of the certificate.

Representations upon publication

37. By publishing a certificate, a licensed certification authority certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the licensed certification authority has issued the certificate to the subscriber.

CHAPTER 3

Representations and duties upon acceptance of certificate

Implied representations by subscriber

38. By accepting a certificate issued by a licensed certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that—
(a) the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;
(b) all representations made by the subscriber to the licensed certification authority and material to information listed in the certificate are true; and

(c) all material representations made by the subscriber to a licensed certification authority or made in the certificate and not confirmed by the licensed certification authority in issuing the certificate are true.

Representations by agent of subscriber

39. By requesting on behalf of a principal the issuance of a certificate naming the principal as subscriber, the requesting person certifies in that person’s own right to all who reasonably rely on the information contained in the certificate that the requesting person—
(a) holds all authority legally required to apply for issuance of a certificate naming the principal as subscriber; and
(b) has authority to sign digitally on behalf of the principal, and, if that authority is limited in any way, adequate safeguards exist to prevent a digital signature exceeding the bounds of the person’s authority.

Disclaimer or indemnity limited

40. No person may disclaim or contractually limit the application of this Chapter, nor obtain indemnity for its effects, if the disclaimer, limitation or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.

Indemnification of licensed certification authority by subscriber

41. (1) By accepting a certificate, a subscriber undertakes to indemnify the issuing licensed certification authority for any loss or damage caused by issuance or publication of the certificate in reliance on—
(a) a false and material representation of fact by the subscriber; or
(b) the failure by the subscriber to disclose a material fact,
if the representation or failure to disclose was made either with intent to deceive the licensed certification authority or a person relying on the certificate, or with negligence.

(2) Where the licensed certification authority issued the certificate at the request of one or more agents of the subscriber, the agent or agents personally undertake to indemnify the licensed certification authority under this section, as if they were accepting subscribers in their own right.

(3) The indemnity provided in this section shall not be disclaimed or contractually limited in scope.

Certification of accuracy of information given

42. In obtaining information of the subscriber material to the issuance of a certificate, the licensed certification authority may require the subscriber to certify the accuracy of relevant information under oath or affirmation.

CHAPTER 4

Control of private key

Duty of subscriber to keep private key secure

43. By accepting a certificate issued by a licensed certification authority, the subscriber named in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber’s digital signature.

Property in private key

44. A private key is the personal property of the subscriber who rightfully holds it.

Licensed certification authority to be fiduciary if holding subscriber’s private key

45. Where a licensed certification authority holds the private key corresponding to a public key listed in a certificate which it has issued, the licensed certification authority shall hold the private key as a fiduciary of the subscriber named in the certificate, and may use that private key only with the subscriber’s prior written approval, unless the subscriber expressly and in writing grants the private key to the licensed certification authority and expressly and in writing permits the licensed certification authority to hold the private key according to other terms.

CHAPTER 5

Suspension of certificate

Suspension of certificate by issuing licensed certification authority

46. (1) Unless the licensed certification authority and the subscriber agree otherwise, the licensed certification authority which issued a certificate, which is not a transactional certificate, shall suspend the certificate for a period not exceeding forty-eight hours—
(a) upon request by a person identifying himself as the subscriber named in the certificate, or as a person in a position likely to know of a compromise of the security of a subscriber’s private key, such as an agent, business associate, employee or member of the immediate family of the subscriber; or
(b) by order of the Commission under section 33.

(2) The licensed certification authority shall take reasonable measures to check the identity or agency of the person requesting suspension.

Suspension of certificate by Commission or court

47. (1) Unless the certificate provides otherwise or the certificate is a transactional certificate, the Commission or a court may suspend a certificate issued by a licensed certification authority for a period of forty-eight hours, if—
(a) a person identifying himself as the subscriber named in the certificate or as an agent, business associate, employee or member of the immediate family of the subscriber requests suspension; and
(b) the requester represents that the licensed certification authority which issued the certificate is unavailable.

(2) The Commission or court may require the person requesting suspension to provide evidence, including a statement under oath or affirmation regarding his identity and authorization, and the unavailability of the issuing licensed certification authority, and may decline to suspend the certificate in its discretion.

(3) The Commission or other law enforcement agency may investigate suspensions by the Commission or court for possible wrongdoing by persons requesting suspension.

Notice of suspension

48. (1) Immediately upon suspension of a certificate by a licensed certification authority, the licensed certification authority shall publish a signed notice of the suspension in the repository specified in the certificate for publication of notice of suspension.

(2) Where one or more repositories are specified, the licensed certification authority shall publish signed notices of the suspension in all such repositories.

(3) Where any repository specified no longer exists or refuses to accept publication, or if no such repository is recognized under section 68, the licensed certification authority shall also publish the notice in a recognized repository.

(4) Where a certificate is suspended by the Commission or a court, the Commission or court shall give notice as required in this section for a licensed certification authority provided that the person requesting suspension pays in advance any prescribed fee required by a repository for publication of the notice of suspension.

Termination of suspension initiated by request

49. A licensed certification authority shall terminate a suspension initiated by request—
(a) where the subscriber named in the suspended certificate requests termination of the suspension, only if the licensed certification authority has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorized to terminate the suspension; or

(b) where the licensed certification authority discovers and confirms that the request for the suspension was made without authorization by the subscriber.

Alternate contractual procedures

50. (1) The contract between a subscriber and a licensed certification authority may limit or preclude requested suspension by the licensed certification authority or may provide otherwise for termination of a requested suspension.

(2) Where the contract limits or precludes suspension by the Commission or a court when the issuing licensed certification authority is unavailable, the limitation or preclusion shall be effective only if notice of it is published in the certificate.

Prohibition against false or unauthorized request for suspension of certificate

51. No person shall knowingly or intentionally misrepresent to a licensed certification authority his identity or authorization in requesting suspension of a certificate.

Effect of suspension of certificate

52. Nothing in this Chapter shall release the subscriber from the duty under section 43 to keep the private key secure while a certificate is suspended.

CHAPTER 6

Revocation of certificate

Revocation on request

53. (1) A licensed certification authority shall revoke a certificate which it issued but which is not a transactional certificate—
(a) upon receiving a request for revocation by the subscriber named in the certificate; and
(b) upon confirming that the person requesting revocation is that subscriber or is an agent of that subscriber with authority to request the revocation.

(2) A licensed certification authority shall confirm a request for revocation and revoke a certificate within one business day after receiving both a subscriber’s written request and evidence reasonably sufficient to confirm the identity of the person requesting the revocation or of the agent.

Revocation on subscriber’s death or dissolution

54. (1) A licensed certification authority shall revoke a certificate which it issued—
(a) upon receiving a certified copy of the subscriber’s death certificate or upon confirming by other evidence that the subscriber is dead; or
(b) upon presentation of documents effecting a dissolution of the subscriber or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist.

Revocation of unreliable certificates

55. (1) A licensed certification authority may revoke one or more certificates which it issued if the certificates are or become unreliable regardless of whether the subscriber consents to the revocation and notwithstanding any provision to the contrary in a contract between the subscriber and the licensed certification authority.

(2) Nothing in subsection (1) shall prevent the subscriber from seeking damages or other relief against the licensed certification authority in the event of wrongful revocation.

Notice of revocation

56. (1) Immediately upon revocation of a certificate by a licensed certification authority, the licensed certification authority shall publish a signed notice of the revocation in the repository specified in the certificate for publication of notice of revocation.

(2) Where one or more repositories are specified, the licensed certification authority shall publish signed notices of the revocation in all such repositories.

(3) Where any repository specified no longer exists or refuses to accept publication, or if no such repository is recognized under section 68, the licensed certification authority shall also publish the notice in a recognized repository.

Effect of revocation request on subscriber

57. Where a subscriber has requested for the revocation of a certificate, the subscriber ceases to certify as provided in Chapter 3 and has no further duty to keep the private key secure as required under section 43—
(a) when notice of the revocation is published as required under section 56; or
(b) when two business days have lapsed after the subscriber requests for the revocation in writing, supplies to the issuing licensed certification authority information reasonably sufficient to confirm the request, and pays any prescribed fee,
whichever occurs first.

Effect of notification on licensed certification authority

58. Upon notification as required under section 56, a licensed certification authority shall be discharged of its warranties based on issuance of the revoked certificate and ceases to certify as provided in sections 35 and 36 in relation to the revoked certificate.

CHAPTER 7

Expiration of certificate

Expiration of certificate

59. (1) The date of expiry of a certificate shall be specified in the certificate.

(2) A certificate may be issued for any period not exceeding three years from the date of issuance.

(3) When a certificate expires, the subscriber and licensed certification authority shall cease to certify as provided under this Act and the licensed certification authority shall be discharged of its duties based on issuance in relation to the expired certificate.

(4) The expiry of a certificate shall not affect the duties and obligations of the subscriber and licensed certification authority incurred under and in relation to the expired certificate.

CHAPTER 8

Recommended reliance limits and liability

Recommended reliance limit

*60. (1) A licensed certification authority shall, in issuing a certificate to a subscriber, specify a recommended reliance limit in the certificate.

(2) The licensed certification authority may specify different limits in different certificates as it considers fit.

*NOTE—The Central Bank of Malaysia is exempted from the requirements of this section for the purpose of implementing the Real-Time Electronic Transfer of Funds and Securities System or also known as “RENTAS”—see P.U. (A) 300/1999.

Liability limits for licensed certification authorities

61. Unless a licensed certification authority waives the application of this section, a licensed certification authority—
(a) shall not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the licensed certification authority complied with the requirements of this Act;
(b) shall not be liable in excess of the amount specified in the certificate as its recommended reliance limit for either—
(i) a loss caused by reliance on a misrepresentation in the certificate of any fact that the licensed certification authority is required to confirm; or
(ii) failure to comply with sections 29 and 30 in issuing the certificate; and

(c) shall not be liable for—
(i) punitive or exemplary damages; or
(ii) damages for pain or suffering.

PART V

EFFECT OF DIGITAL SIGNATURE

Satisfaction of signature requirements

62. (1) Where a rule of law requires a signature or provides for certain consequences in the absence of a signature, that rule shall be satisfied by a digital signature where—
(a) that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
(b) that digital signature was affixed by the signer with the intention of signing the message; and
(c) the recipient has no knowledge or notice that the signer—
(i) has breached a duty as a subscriber; or
(ii) does not rightfully hold the private key used to affix the digital signature.

(2) Notwithstanding any written law to the contrary—
(a) a document signed with a digital signature in accordance with this Act shall be as legally binding as a document signed with a handwritten signature, an affixed thumb-print or any other mark; and
(b) a digital signature created in accordance with this Act shall be deemed to be a legally binding signature.

(3) Nothing in this Act shall preclude any symbol from being valid as a signature under any other applicable law.

Unreliable digital signatures

63. (1) Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances.

(2) Where the recipient determines not to rely on a digital signature under this section, the recipient shall promptly notify the signer of its determination not to rely on a digital signature and the grounds for that determination.

Digitally signed message deemed to be written document

64. (1) A message shall be as valid, enforceable and effective as if it had been written on paper if—
(a) it bears in its entirety a digital signature; and
(b) that digital signature is verified by the public key listed in a certificate which—
(i) was issued by a licensed certification authority; and
(ii) was valid at the time the digital signature was created.

(2) Nothing in this Act shall preclude any message, document, or record from being considered written or in writing under any other applicable law.

Digitally signed message deemed to be original document

65. A copy of a digitally signed message shall be as valid, enforceable and effective as the original of the message unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, enforceable and effective message.

Authentication of digital signatures

66. A certificate issued by a licensed certification authority shall be an acknowledgement of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgement appear with the digital signature and regardless of whether the signer physically appeared before the licensed certification authority when the digital signature was created, if that digital signature is—
(a) verifiable by that certificate; and
(b) affixed when that certificate was valid.

Presumptions in adjudicating disputes

67. In adjudicating a dispute involving a digital signature, a court shall presume—
(a) that a certificate digitally signed by a licensed certification authority and—
(i) published in a recognized repository; or
(ii) made available by the issuing licensed certification authority or by the subscriber listed in the certificate,
is issued by the licensed certification authority which digitally signed it and is accepted by the subscriber listed in it;
(b) that the information listed in a valid certificate and confirmed by a licensed certification authority issuing the certificate is accurate;
(c) that where a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority—
(i) that digital signature is the digital signature of the subscriber listed in that certificate;
(ii) that digital signature was affixed by that subscriber with the intention of signing the message; and
(iii) the recipient of that digital signature has no knowledge or notice that the signer—
(A) has breached a duty as a subscriber; or
(B) does not rightfully hold the private key used to affix the digital signature; and
(d) that a digital signature was created before it was time-stamped by a recognized date/time stamp service utilizing a trustworthy system.

PART VI

REPOSITORIES AND DATE/TIME STAMP SERVICES

Recognition of repositories

68. (1) The Commission may recognize one or more repositories, after determining that a repository to be recognized satisfies the requirements prescribed in the regulations made under this Act.

(2) The procedure for recognition of repositories shall be as may be prescribed by regulations made under this Act.
(3) The Commission shall publish a list of recognized repositories in such form and manner as it may determine.

Liability of repositories
69. (1) Notwithstanding any disclaimer by the repository or any contract to the contrary between the repository and a licensed certification authority or a subscriber, a repository shall be liable for a loss incurred by a person reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate, if loss was incurred more than one business day after receipt by the repository of a request to publish notice of the suspension or revocation, and the repository had failed to publish the notice when the person relied on the digital signature.
(2) Unless waived, a recognized repository or the owner or operator of a recognized repository—
(a) shall not be liable for failure to record publication of a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;
(b) shall not be liable under subsection (1) in excess of the amount specified in the certificate as the recommended reliance limit;
(c) shall not be liable under subsection (1) for—
(i) punitive or exemplary damages; or
(ii) damages for pain or suffering;
(d) shall not be liable for misrepresentation in a certificate published by a certification authority;
(e) shall not be liable for accurately recording or reporting information which a licensed certification authority, a court or the Commission has published as required or permitted under this Act, including information about the suspension or revocation of a certificate; and

(f) shall not be liable for reporting information about a certification authority, a certificate or a subscriber, if such information is published as required or permitted under this Act or is published by order of the Commission in the performance of its licensing and regulatory duties under this Act.

Recognition of date/time stamp services
70. (1) The Commission may recognize one or more date/time stamp services, after determining that a service to be recognized satisfies the requirements prescribed in the regulations made under this Act.
(2) The procedure for recognition of date/time stamp services shall be as may be prescribed by regulations made under this Act.
(3) The Commission shall publish a list of recognized date/time stamp services in such form and manner as it may determine.

PART VII
GENERAL

Prohibition against dangerous activities
71. (1) No certification authority, whether licensed or not, shall conduct its business in a manner that creates an unreasonable risk of loss to the subscribers of the certification authority, to persons relying on certificates issued by the certification authority or to a repository.
(2) The Commission may publish in one or more recognized repositories brief statements advising subscribers, persons relying on digital signatures and repositories about any activities of a certification authority, whether licensed or not, which create a risk prohibited under subsection (1).
(3) The certification authority named in a statement as creating or causing a risk may protest the publication of the statement by filing a brief written defence.

(4) On receipt of a protest made under subsection (3), the Commission shall publish the written defence together with the Commission’s statement, and shall immediately give the protesting certification authority notice and a reasonable opportunity of being heard.
(5) Where, after a hearing, the Commission determines that the publication of the advisory statement was unwarranted, the Commission shall revoke the advisory statement.
(6) Where, after a hearing, the Commission determines that the advisory statement is no longer warranted, the Commission shall revoke the advisory statement.
(7) Where, after a hearing, the Commission determines that the advisory statement remains warranted, the Commission may continue or amend the advisory statement and may take further legal action to eliminate or reduce the risk prohibited under subsection (1).
(8) The Commission shall publish its decision under subsection (5), (6) or (7), as the case may be, in one or more recognized repositories.

Obligation of secrecy
72. (1) Except for the purposes of this Act, no person who has access to any record, book, register, correspondence, information, document or other material obtained under this Act shall disclose such record, book, register, correspondence, information, document or other material to any other person.
(2) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

False information
73. A person who makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this Act which is untrue, inaccurate or misleading in any particular commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both.

Offences by body corporate
74. (1) Where a body corporate commits an offence under this Act, any person who at the time of the commission of the offence was a director, manager, secretary or other similar officer of the body corporate or was purporting to act in any such capacity or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate or was assisting in such management—
(a) may be charged severally or jointly in the same proceedings with the body corporate; and
(b) where the body corporate is found guilty of the offence, shall be deemed to be guilty of that offence unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves—
(i) that the offence was committed without his knowledge, consent or connivance; and
(ii) that he took all reasonable precautions and had exercised due diligence to prevent the commission of the offence.
(2) Where any person would be liable under this Act to any punishment or penalty for any act, omission, neglect or default, he shall be liable to the same punishment or penalty for every such act, omission, neglect or default of any employee or agent of his, or of the employee of such agent, if such act, omission, neglect or default was committed—
(a) by his employee in the course of his employment;
(b) by the agent when acting on his behalf; or
(c) by the employee of such agent in the course of his employment by such agent or otherwise on behalf of the agent.

Authorized officer
75. (1) The Minister may in writing authorize any public officer or officer of the Commission to exercise the powers of enforcement under this Act.
(2) Any officer authorized under subsection (1) shall be deemed to be a public servant within the meaning of the Penal Code [Act 574].

(3) In exercising any of the powers of enforcement under this Act, an authorized officer shall on demand produce to the person against whom he is acting the authority issued to him by the Minister.

Enforcement by police officers
75A. (1) Notwithstanding subsection 75(1), any police officer not below the rank of Inspector shall have and may exercise the powers of enforcement conferred by this Act on an authorized officer.
(2) In exercising any of the powers of enforcement conferred under this Act on a police officer not below the rank of Inspector, such police officer shall, if not in uniform, on demand declare his office and produce to the person against whom he is acting the authority card as the Inspector General of Police may direct to be carried by such police officer.

Power to investigate
76. (1) The Commission may investigate the activities of a certification authority material to its compliance with this Act.
(2) For the purposes of subsection (1), the Commission may issue orders to a certification authority to further its investigation and secure compliance with this Act.
(3) Further, in any case relating to the commission of an offence under this Act, any authorized officer carrying on an investigation may exercise all or any of the special powers in relation to police investigation in seizable cases given by the Criminal Procedure Code [Act 593].

Search by warrant
77. (1) If it appears to a Magistrate, upon written information on oath and after such inquiry as he considers necessary, that there is reasonable cause to believe that an offence under this Act is being or has been committed on any premises, the Magistrate may issue a warrant authorizing any police officer not below the rank of Inspector, or any authorized officer named therein, to enter the

premises at any reasonable time by day or by night, with or without assistance and if need be by force, and there to search for and seize—
(a) copies of any books, accounts or other documents, including computerized data, which contain or are reasonably suspected to contain information as to any offence so suspected to have been committed;
(b) any signboard, card, letter, pamphlet, leaflet, notice or other device representing or implying that the person is a licensed certification authority; and
(c) any other document, article or item that is reasonably believed to furnish evidence of the commission of such offence.
(2) A police officer or an authorized officer conducting a search under subsection (1) may, if in his opinion it is reasonably necessary to do so for the purpose of investigating into the offence, search any person who is in or on such premises.
(3) A police officer or an authorized officer making a search of a person under subsection (2) may seize, detain or take possession of any book, accounts, document, computerized data, card, letter, pamphlet, leaflet, notice, device, article or item found on such person for the purpose of the investigation being carried out by such officer.
(4) No female person shall be searched under this section except by another female person.
(5) Where, by reason of its nature, size or amount, it is not practicable to remove any book, accounts, document, computerized data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item seized under this section, the seizing officer shall, by any means, seal such book, accounts, document, computerized data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item in the premises or container in which it is found.
(6) A person who, without lawful authority, breaks, tampers with or damages the seal referred to in subsection (5) or removes any book, accounts, document, computerized data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item under seal or attempts to do so commits an offence.

Search and seizure without warrant
78. If a police officer not below the rank of Inspector in any of the circumstances referred to in section 77 has reasonable cause to believe that by reason of delay in obtaining a search warrant under that section the investigation would be adversely affected or evidence of the commission of an offence is likely to be tampered with, removed, damaged or destroyed, such officer may enter such premises and exercise in, upon and in respect of the premises all the powers referred to in section 77 in as full and ample a manner as if he were authorized to do so by a warrant issued under that section.

Access to computerized data
79. (1) A police officer conducting a search under section 77 or 78 or an authorized officer conducting a search under section 77 shall be given access to computerized data whether stored in a computer or otherwise.
(2) For the purposes of this section, “access” includes being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data.

List of things seized
80. (1) Except as provided in subsection (2), where any book, accounts, document, computerized data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item is seized under section 77 or 78, the seizing officer shall prepare a list of the things seized and immediately deliver a copy of the list signed by him to the occupier of the premises which have been searched, or to his agent or servant, at those premises.
(2) Where the premises are unoccupied, the seizing officer shall whenever possible post a list of the things seized conspicuously on the premises.

Obstruction of authorized officer
81. Any person who obstructs, impedes, assaults or interferes with any authorized officer in the performance of his functions under this Act commits an offence.

Additional powers
82. An authorized officer shall, for the purposes of the execution of this Act, have power to do all or any of the following:
(a) to require the production of records, accounts, computerized data and documents kept by a licensed certification authority and to inspect, examine and copy any of them;
(b) to require the production of any identification document from any person in relation to any case or offence under this Act;
(c) to make such inquiry as may be necessary to ascertain whether the provisions of this Act have been complied with.

General penalty
83. (1) A person who commits an offence under this Act for which no penalty is expressly provided shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding four years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding two thousand ringgit for each day the offence continues to be committed.
(2) For the purposes of this section, “this Act” does not include the regulations made under this Act.

Recovery of procedural costs
84. Where the Commission finds that a certification authority has contravened this Act, the Commission may order the certification authority to pay the costs incurred by the Commission in prosecution and adjudication proceedings in relation to the order and in enforcing it.

No costs or damages arising from seizure to be recoverable
85. No person shall, in any proceedings before any court in respect of the seizure of any book, accounts, document, computerized data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item seized in the exercise or the purported exercise of any

power conferred under this Act, be entitled to the costs of such proceedings or to any damages or other relief unless such seizure was made without reasonable cause.

Institution and conduct of prosecution
86. (1) No prosecution for or in relation to any offence under this Act shall be instituted without the written consent of the Public Prosecutor.
(2) Any officer of the Commission duly authorized in writing by the Public Prosecutor may conduct the prosecution for any offence under this Act.

Jurisdiction to try offences
87. Notwithstanding any written law to the contrary, a Court of a Magistrate of the First Class shall have jurisdiction to try any offence under this Act and to impose the full punishment for any such offence.

Protection of Commission and officers
88. No action or prosecution shall be brought, instituted or maintained in any court against—
(a) the Commission or any officer duly authorized under this Act for or on account of or in respect of any act ordered or done for the purpose of carrying into effect this Act; and
(b) any other person for or on account of or in respect of any act done or purported to be done by him under the order, direction or instruction of the Commission or any officer duly authorized under this Act if the act was done in good faith and in a reasonable belief that it was necessary for the purpose intended to be served thereby.

Power to exempt
89. (1) The Minister may, by order published in the Gazette, exempt any person or class of persons from all or any of the provisions of this Act, except section 4.

(2) The Minister may impose any terms and conditions as he thinks fit on any exemption under subsection (1).

Limitation on disclaiming or limiting application of Act
90. Unless it is expressly provided for under this Act, no person may disclaim or contractually limit the application of this Act.

Regulations
91. (1) The Minister may make regulations for all or any of the following purposes:
(a) prescribing the qualification requirements for certification authorities;
(b) prescribing the manner of applying for licences and certificates under this Act, the particulars to be supplied by an applicant, the manner of licensing and certification, the fees payable therefor, the conditions or restrictions to be imposed and the form of licences and certificates;
(c) regulating the operations of licensed certification authorities;
(d) prescribing the requirements for the content, form and sources of information in certification authority disclosure records, the updating and timeliness of such information and other practices and policies relating to certification authority disclosure records;
(e) prescribing the form of certification practice statements;
(f) prescribing the qualification requirements for auditors and the procedure for audits;
(g) prescribing the requirements for repositories and the procedure for recognition of repositories;
(h) prescribing the requirements for date/time stamp services and the procedure for recognition of date/time stamp services;

(i) prescribing the procedure for the review of software for use in creating digital signatures and of the applicable standards in relation to digital signatures and certification practice and for the publication of reports on such software and standards;
(j) prescribing the forms for the purposes of this Act;
(k) prescribing the fees and charges payable under this Act and the manner for collecting and disbursing such fees and charges;
(l) providing for such other matters as are contemplated by, or necessary for giving full effect to, the provisions of this Act and for their due administration.
(2) Regulations made under subsection (1) may prescribe any act in contravention of the regulations to be an offence and may prescribe penalties of a fine not exceeding one hundred thousand ringgit or imprisonment for a term not exceeding two years or both.

Savings and transitional
92. (1) A certification authority that has been carrying on or operating as a certification authority before the commencement of this Act shall, not later than three months from such commencement, obtain a licence under this Act.
(2) Where a certification authority referred to in subsection (1) fails to obtain a licence after the period prescribed in subsection (1), it shall be deemed to be an unlicensed certification authority and the provisions of this Act shall apply to it and the certificates issued by it accordingly.
(3) Where a certification authority referred to in subsection (1) has obtained a licence in accordance with this Act within the period prescribed in subsection (1), all certificates issued by such certification authority before the commencement of this Act, to the extent that they are not inconsistent with this Act, shall be deemed to have been issued under this Act and shall have effect accordingly.

LAWS OF MALAYSIA

Act 562

DIGITAL SIGNATURE ACT 1997

LIST OF AMENDMENTS

Amending law    Short title                                In force from

Act A1121       Digital Signature (Amendment) Act 2001     01-11-2001

LAWS OF MALAYSIA

Act 562

DIGITAL SIGNATURE ACT 1997

LIST OF SECTIONS AMENDED

Section              Amending authority    In force from

2                    Act A1121             01-11-2001
PART II              Act A1121             01-11-2001
3                    Act A1121             01-11-2001
8                    Act A1121             01-11-2001
9                    Act A1121             01-11-2001
20                   Act A1121             01-11-2001
21                   Act A1121             01-11-2001
24                   Act A1121             01-11-2001
47                   Act A1121             01-11-2001
68                   Act A1121             01-11-2001
69                   Act A1121             01-11-2001
70                   Act A1121             01-11-2001
71                   Act A1121             01-11-2001
75                   Act A1121             01-11-2001
75A                  Act A1121             01-11-2001
88                   Act A1121             01-11-2001
Throughout the Act   Act A1121             01-11-2001
the word “Commission” is substituted for “Controller”

PRINTED BY PERCETAKAN NASIONAL MALAYSIA BERHAD, KUALA LUMPUR
ON BEHALF AND BY ORDER OF THE GOVERNMENT OF MALAYSIA