IT Act 2000 (Amended 2008)

Section 40A

Duties of Subscriber of Electronic Signature Certificate

THE STATUTE

Original Text

Every subscriber shall—

(a) exercise reasonable care to retain exclusive control of the private key corresponding to the public key listed in his Electronic Signature Certificate and take all steps to prevent its disclosure to a person not authorised to affix the electronic signature of the subscriber;

(b) inform the Certifying Authority without any delay, if—

(i) the private key corresponding to the public key listed in the Electronic Signature Certificate has been compromised; or

(ii) there is reason to believe that the private key has been compromised.

Simplified

Section 40A (inserted by the 2008 Amendment) codifies the subscriber's fundamental obligations in the electronic signature ecosystem — obligations that are essential to the legal integrity of the entire PKI framework. The private key is the secret cryptographic material that generates the subscriber's digital signature. If someone else obtains the private key, they can forge the subscriber's electronic signature on any document, committing identity fraud and potentially exposing the subscriber to liability for transactions they did not authorise. Section 40A addresses this by imposing two duties.

First, the duty of exclusive control: the subscriber must take reasonable care to retain exclusive control of their private key and actively prevent its disclosure to unauthorised persons. 'Reasonable care' is a fact-sensitive standard — storing a private key on an unencrypted USB drive left in an unsecured location would likely not meet this standard, whereas using a Hardware Security Module (HSM) with a strong PIN almost certainly would. The exclusive control requirement feeds directly into Section 15's conditions for a 'secure electronic signature' — a signature made with a private key not under the subscriber's exclusive control cannot be deemed secure.

Second, the immediate notification duty: if the private key is compromised (or the subscriber has reason to believe it may have been), the subscriber must inform the Certifying Authority without delay. Prompt notification allows the CA to suspend the certificate under Section 37, preventing further fraudulent use. A subscriber who delays notification and whose certificate is subsequently used for fraud will face difficulty arguing that they are not civilly liable for the consequences of that delay.

Legal Evolution

Section 40A was inserted by the IT (Amendment) Act 2008, replacing the narrower Section 40 which addressed only digital signature certificates and had a different drafting structure. The 2008 Amendment broadened the provision to cover all electronic signature certificates (not just DSCs), reflecting the technology-neutral approach adopted in the Amendment.

Key Amendments

Inserted by IT (Amendment) Act 2008 as a replacement/expansion of the original Section 40.

Extended from 'digital signature certificates' to 'electronic signature certificates' — reflecting technology neutrality.