Lesson 5: Priority vs. Non-Priority Reports
Under § 3.2000(b)(5)(vii), CROMERR requires that more specific conditions be met where the electronically signed documents have been designated as Priority Reports As defined in § 3.3 of CROMERR, the reports listed in Appendix 1 to part 3..
Priority Reports are those that EPA has identified as likely to be material to potential enforcement litigation. Given this likelihood, it is important to provide not only for the provability of signature device ownership in principle, but for the practical need to make this proof with the resources typically available to enforcement staff and within the constraints of the judicial process in criminal and civil proceedings. A list of these reports can be found under Appendix 1 to Part 3 of CROMERR.
Access the official version of the final rule "Cross-Media Electronic Reporting" – The official version of this rule (70 FR 59848) was published in the Federal Register on 10/13/2005. Click on the previous hyperlink to access the rule, including Appendix 1 to Part 3.
The CROMERR requirements for determining the identity of someone submitting an electronic report are different for Priority and Non-Priority reports. Select each of the links below for information on these requirements.
Priority Reports
For Priority Reports, the system must determine identity before the e-signature is received by means of either:
- Wet-ink-on-paper e-signature agreements (i.e., subscriber agreements) either submitted to the state or maintained by a responsible company official. While some systems with CROMERR approval require that they be notarized, notarization is not a CROMERR requirement; OR
- Electronic identity-proofing by a disinterested party (such as a public key infrastructure Enables users of a basically unsecure public network, such as the Internet, to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. [PKI Enables users of a basically unsecure public network, such as the Internet, to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.] certificate authority or an agency official) using objectively verifiable information, including at least one government-issued identifier such as a driver's license number or passport; OR
- Identity-proofing using an approach no less stringent than electronic identity-proofing as specified above.
Note: Disinterested party refers to an individual who is not connected with the person in whose name the electronic signature device As defined in § 3.3 of CROMERR, a code or other mechanism that is used to create electronic signatures. Where the device is used to create an individual's electronic signature, then the code or mechanism must be unique to that individual at the time the signature is created and he or she must be uniquely entitled to use it. The device is compromised if the code or mechanism is available for use by any other person. is issued. A disinterested individual As defined in § 3.3 of CROMERR, an individual who is not connected with the person in whose name the electronic signature device is issued. A disinterested individual is not any of the following: The person's employer or employer's corporate parent, subsidiary, or affiliate; the person's contracting agent; member of the person's household; or relative with whom the person has a personal relationship. is not any of the following:
- The person's employer or employer's corporate parent, subsidiary, or affiliate;
- The person's contracting agent;
- A member of the person's household; or
- A relative with whom the person has a personal relationship.
Non-Priority Reports
For Non-Priority Reports, the system must determine identity by collecting and maintaining information sufficient to prove the identity of individuals that sign and submit electronic documents.
Note that CROMERR does not specify when or how this goal is to be achieved.