325K.06 Performance audits. 

    Subdivision 1.    Annual audit; auditor qualifications; 
 rules.  A certified public accountant having expertise in 
 computer security must audit the operations of each licensed 
 certification authority at least once each year to evaluate 
 compliance with this chapter.  The secretary may by rule specify 
 the qualifications of auditors. 

    Subd. 2.    Compliance categories.  Based on information 
 gathered in the audit, the auditor must categorize the licensed 
 certification authority's compliance as one of the following: 

    (a)    Full compliance.  The certification authority 
 appears to conform to all applicable statutory and regulatory 
 requirements. 

    (b)    Substantial compliance.  The certification 
 authority appears generally to conform to applicable statutory 
 and regulatory requirements.  However, one or more instances of 
 noncompliance or of inability to demonstrate compliance were 
 found in an audited sample, but were likely to be 
 inconsequential. 

    (c)    Partial compliance.  The certification authority 
 appears to comply with some statutory and regulatory 
 requirements, but was found not to have complied or not be able 
 to demonstrate compliance with one or more important safeguards. 

    (d)    Noncompliance.  The certification authority 
 complies with few or none of the statutory and regulatory 
 requirements, fails to keep adequate records to demonstrate 
 compliance with more than a few requirements, or refused to 
 submit to an audit. 

    The secretary shall publish in the certification authority 
 disclosure record it maintains for the certification authority 
 the date of the audit and the resulting categorization of the 
 certification authority. 

    Subd. 3.    Exemption from audit.  The secretary may 
 exempt a licensed certification authority from the requirements 
 of subdivision 1, if: 

    (1) the certification authority to be exempted requests 
 exemption in writing; 

    (2) the most recent performance audit, if any, of the 
 certification authority resulted in a finding of full or 
 substantial compliance; and 

    (3) the certification authority declares under oath, 
 affirmation, or penalty of perjury that one or more of the 
 following is true with respect to the certification authority:  

    (i) the certification authority has issued fewer than six 
 certificates during the past year and the recommended reliance 
 limits of all of the certificates do not exceed $10,000; 

    (ii) the aggregate lifetime of all certificates issued by 
 the certification authority during the past year is less than 30 
 days and the recommended reliance limits of all of the 
 certificates do not exceed $10,000; or 

    (iii) the recommended reliance limits of all certificates 
 outstanding and issued by the certification authority total less 
 than $1,000. 

    Subd. 4.    False declaration.  If the certification 
 authority's declaration under subdivision 3 falsely states a 
 material fact, the certification authority has failed to comply 
 with the performance audit requirements of this section. 

    Subd. 5.    Record of exemption.  If a licensed 
 certification authority is exempt under subdivision 3, the 
 secretary must publish in the certification authority disclosure 
 record it maintains for the certification authority that the 
 certification authority is exempt from the performance audit 
 requirement. 

    HIST: 1997 c 178 s 7