Incident Handling

15.

1) A Certification Service Provider shall implement an
incident management plan that must provide at the least
for management of the following incidents:
a. compromise of key;
b. penetration of Certification Service Provider’s
system and network;
c. unavailability of infrastructure; and
d. fraudulent registration and generation of
certificates, certificate suspension and revocation
information.

2) If any incident referred to in paragraph (1) occurs, it shall
be reported to the Commission within 24 hours.

Confidentiality

16.

1) Except for any prosecution under any written law or
pursuant to an order of court, every licensed Certification
Service Provider and its authorised agent must keep all
subscriber-specific information confidential.
2) Any disclosure of subscriber-specific information by the
licensed Certification Service Provider or its agent must
be authorised by the subscriber.
3) This regulation shall not apply to subscriber-specific
information which
a. is contained in the certificate for public
disclosure;
b. is otherwise provided by the subscriber to the
licensed Certification Service Provider for this
purpose; or
c. relates to the fact that the certificate has been
revoked or suspended.

Liability of certification service providers

17.

1) Unless the certification service provider proves that it
was not negligent, it shall, by issuing or guaranteeing a
certificate to the public, be liable for damage caused to
any person who reasonably relies on the certificate:
a) as regards the accuracy, at the time of issuance, of
all information contained in the certificate and as
regards the fact that the certificate contains all the
details prescribed for the certificate;
b) for assurance that at the time of the issuance of