1. Digital Signature Validity and Non-Repudiation
Public key infrastructure digital signature validity differs across jurisdictions, and organizations must understand the specific legal requirements that apply in each country where they use digital signatures to execute binding agreements.
How Are PKI-Based Digital Signatures Made Legally Enforceable?
A PKI-based electronic signature achieves non-repudiation when three conditions hold: the signature is created with a private key that only the signer controls; the signature is bound to the signed document in a way that detects any post-signature modification; and a trusted timestamp service records the time at which the signature was applied. E-SIGN Act counsel advising on electronic signature programs must evaluate whether the organization's signature workflow creates an adequate audit trail, one that records the signer's identity verification, the signer's affirmative act of signing, and the integrity of the signed document at the time of signing.
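The three properties above can be checked mechanically. The following Go program is an added illustration, not code from the original page or from any named vendor; it models the signer and the timestamp authority (TSA) as two Ed25519 key pairs instead of X.509 certificates, and the "audit trail" as a `SignatureRecord` struct that stores the signer identity, the document hash, the signer's signature, and the TSA's counter-signature over the signature and time. The names `Sign`, `Timestamp`, `Verify` and `SignatureRecord` are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignatureRecord is the audit-trail entry the text describes: who signed,
// the hash of exactly what was signed, the signer's signature, and a time
// asserted and counter-signed by a separate timestamp authority (TSA).
// (Struct and field names are assumptions of this example.)
type SignatureRecord struct {
	SignerID  string
	DocHash   [32]byte
	Signature []byte // signer's signature over (SignerID || DocHash)
	Timestamp int64  // Unix seconds, as asserted by the TSA
	TSASig    []byte // TSA signature over (Signature || Timestamp)
}

// signerMessage binds the signer's identity to the document hash, so a
// signature cannot be re-attributed to a different signer.
func signerMessage(signerID string, docHash [32]byte) []byte {
	return append([]byte(signerID), docHash[:]...)
}

// tsaMessage binds the signature bytes to the asserted time, so the
// timestamp token cannot be moved onto another signature.
func tsaMessage(sig []byte, ts int64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(ts))
	return append(append([]byte{}, sig...), buf...)
}

// Sign hashes the document and signs the hash together with the signer's identity.
func Sign(signerID string, doc []byte, signerPriv ed25519.PrivateKey) SignatureRecord {
	h := sha256.Sum256(doc)
	return SignatureRecord{
		SignerID:  signerID,
		DocHash:   h,
		Signature: ed25519.Sign(signerPriv, signerMessage(signerID, h)),
	}
}

// Timestamp models a trusted timestamp service counter-signing the signature
// together with the time it was presented.
func Timestamp(rec SignatureRecord, now time.Time, tsaPriv ed25519.PrivateKey) SignatureRecord {
	rec.Timestamp = now.Unix()
	rec.TSASig = ed25519.Sign(tsaPriv, tsaMessage(rec.Signature, rec.Timestamp))
	return rec
}

// Verify checks the three properties in order: the document is unchanged
// since signing, the signature was made with the signer's key, and the
// timestamp token genuinely covers this signature.
func Verify(rec SignatureRecord, doc []byte, signerPub, tsaPub ed25519.PublicKey) error {
	if sha256.Sum256(doc) != rec.DocHash {
		return errors.New("document modified after signing")
	}
	if !ed25519.Verify(signerPub, signerMessage(rec.SignerID, rec.DocHash), rec.Signature) {
		return errors.New("signer signature invalid")
	}
	if !ed25519.Verify(tsaPub, tsaMessage(rec.Signature, rec.Timestamp), rec.TSASig) {
		return errors.New("timestamp token invalid")
	}
	return nil
}

func main() {
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, tsaPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample document for the demonstration.
	doc := []byte("Master Services Agreement v3 - agreed terms")
	rec := Timestamp(Sign("alice@example.test", doc, signerPriv), time.Now(), tsaPriv)

	fmt.Println("original:", Verify(rec, doc, signerPub, tsaPub))
	fmt.Println("altered: ", Verify(rec, append(doc, " (amended)"...), signerPub, tsaPub))
}
```

A real deployment would replace the two raw keys with certificates chaining to a recognised CA and an RFC 3161 timestamp authority, but the verification order is the same: integrity first, then signer, then time.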
What Legal Duties Do Certificate Authorities Owe to Relying Parties?
A certificate authority that issues digital certificates assumes legal responsibility for verifying the subscriber's identity before issuance, maintaining the certificate's accuracy during its validity period, and promptly revoking any certificate that is known to be compromised. Cybersecurity governance counsel advising on certificate authority liability must evaluate whether the CA's certification practice statement accurately describes the validation procedures applied to each certificate class, and whether the CA's liability limitations are enforceable under the law of the jurisdiction where claims are most likely to arise.
2. Encryption Compliance and Key Management
Public key infrastructure encryption obligations require cryptographically sound implementations that satisfy data protection regulations applicable in each jurisdiction where the organization processes personal or sensitive data.
How Should Organizations Demonstrate Encryption Compliance?
An organization's encryption program must satisfy the technical standards specified by applicable data protection regulations, including the requirement that personal data be encrypted both at rest and in transit using algorithms and key lengths that meet current security benchmarks. Data privacy counsel advising on encryption compliance must evaluate whether the organization's encryption specifications satisfy the applicable regulatory standards in each jurisdiction where personal data is processed, and whether the organization's encryption policies are documented well enough to support a due care defense in the event of a breach.
Why Must Cryptographic Key Management Follow Strict Legal Standards?
An organization's key management practices determine whether its encryption program provides the legal protection that regulations and courts expect, because encryption that uses weak or compromised keys provides no meaningful protection regardless of the underlying algorithm. Cybersecurity legal consulting counsel advising on key management must evaluate whether the organization's key generation, storage, rotation, and destruction procedures satisfy the applicable regulatory standards, and whether the organization's key custodian access controls prevent any single individual from having unrestricted access to production keys.
3. Cyber Disputes and Digital Evidence Authentication
Public key infrastructure authentication records are critical in litigation involving digital documents and unauthorized transaction claims.
How Are Identity Theft and Unauthorized Certificate Use Defended?
An organization that is held liable for obligations arising from transactions completed using stolen or forged digital certificates must demonstrate that it implemented reasonable security measures to protect its private keys and that it did not authorize the fraudulent transaction. Cybercrime defense counsel must evaluate whether the organization's key protection measures satisfied the applicable standard of care, and whether the forensic evidence supports the organization's position that the disputed transaction was unauthorized.
When Must PKI Authentication Records Be Preserved for E-Discovery?
A party that seeks to introduce digital documents as evidence in litigation must demonstrate that the documents are authentic, that they have not been altered since the events they purport to record, and that the chain of custody has been maintained. eDiscovery counsel advising on digital evidence authentication must evaluate whether PKI-based digital signatures or hash values provide a cryptographically verifiable record of the document's integrity, and whether the forensic collection methodology satisfies the requirements for admissibility.
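The "hash values" and "chain of custody" points above can be combined into a verifiable custody log: every handling event records the SHA-256 of the evidence and the hash of the preceding entry, so any later alteration of the evidence or of the log itself is detectable. The Go program below is an added example written for this page, not a tool or format from the original text; the `CustodyEvent` type and the `Append` and `VerifyChain` functions are assumptions of this example, and the evidence bytes are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// CustodyEvent is one entry in a chain-of-custody log. Each entry commits to
// the evidence hash and to the hash of the previous entry, so altering or
// removing any earlier entry invalidates every later one.
// (Type and field names are assumptions of this example.)
type CustodyEvent struct {
	Actor    string // who handled the evidence
	Action   string // e.g. "collected", "transferred", "examined"
	Evidence string // hex SHA-256 of the evidence at that moment
	PrevHash string // hex hash of the previous entry ("" for the first)
	Hash     string // hex hash of this entry
}

// HashEvidence returns the hex SHA-256 of an evidence file's contents.
func HashEvidence(data []byte) string {
	h := sha256.Sum256(data)
	return hex.EncodeToString(h[:])
}

// entryHash hashes the entry's fields with length prefixes, so that no two
// different field combinations can produce the same byte string.
func entryHash(e CustodyEvent) string {
	h := sha256.New()
	for _, f := range []string{e.Actor, e.Action, e.Evidence, e.PrevHash} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Append adds a handling event to the log, linking it to the prior entry.
func Append(log []CustodyEvent, actor, action string, evidence []byte) []CustodyEvent {
	e := CustodyEvent{Actor: actor, Action: action, Evidence: HashEvidence(evidence)}
	if len(log) > 0 {
		e.PrevHash = log[len(log)-1].Hash
	}
	e.Hash = entryHash(e)
	return append(log, e)
}

// VerifyChain checks that every entry hashes correctly, that each entry links
// to its predecessor, that the evidence hash never changed between handling
// events, and that the copy presented now matches the hash taken at collection.
func VerifyChain(log []CustodyEvent, current []byte) error {
	if len(log) == 0 {
		return errors.New("empty custody log")
	}
	prev := ""
	for i, e := range log {
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: broken link to previous entry", i)
		}
		if entryHash(e) != e.Hash {
			return fmt.Errorf("entry %d: entry contents altered", i)
		}
		if e.Evidence != log[0].Evidence {
			return fmt.Errorf("entry %d: evidence hash differs from collection hash", i)
		}
		prev = e.Hash
	}
	if HashEvidence(current) != log[0].Evidence {
		return errors.New("current copy does not match collected evidence")
	}
	return nil
}

func main() {
	evidence := []byte("constructed sample: exported mailbox, 2026-04-09") // constructed sample data
	var log []CustodyEvent
	log = Append(log, "examiner-1", "collected", evidence)
	log = Append(log, "examiner-1", "transferred to evidence locker", evidence)
	log = Append(log, "examiner-2", "examined", evidence)

	fmt.Println("intact:  ", VerifyChain(log, evidence))
	log[1].Action = "transferred to counsel" // simulate a retroactive edit of the log
	fmt.Println("tampered:", VerifyChain(log, evidence))
}
```

The log answers the two questions a court will ask: whether the document is the same bytes that were collected, and whether the record of who handled it has itself been edited after the fact.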
4. Cross-Border PKI Standards and Post-Quantum Cryptography
Public key infrastructure governance for multinational organizations requires managing certificate recognition across jurisdictions and preparing for the post-quantum cryptography transition.
How Should Multinational Organizations Manage Cross-Border PKI?
A multinational organization that uses electronic signatures to execute contracts in multiple jurisdictions must ensure that its PKI-based signatures satisfy the legal recognition standards applicable in each jurisdiction, because a signature valid in the US may not satisfy the qualified electronic signature requirements of the EU's eIDAS Regulation or the equivalent requirements of other jurisdictions. Cybersecurity counsel advising on cross-border signature compliance must evaluate whether the organization's certificates are issued by a certificate authority recognized in each target jurisdiction.
When Should Organizations Prepare for Post-Quantum Cryptography?
NIST's publication of post-quantum cryptographic standards in 2024 has created an obligation for organizations that rely on PKI-based security to develop a migration plan before advances in quantum computing make current asymmetric encryption algorithms breakable. Data breach litigation counsel advising on post-quantum readiness must evaluate whether the organization's current cryptographic inventory identifies all systems that rely on algorithms vulnerable to quantum attack, and whether the organization's contracts with certificate authorities include obligations to support the post-quantum standards within the required timeframe.
09 Apr, 2026

