Slides from the October 20, 2011 Silanis Webcast "E-Signature Webcast for Financial Services Legal Counsel"
http://www.silanis.com/resource-center/webcasts/2011/e-signature-webcast-for-financial-services-legal-counsel.html
7. Overview
Federal and State Law Validate Use of Electronic Signatures
– Federal E-SIGN Act since 2000
– UETA Adopted in 49 jurisdictions
For over a decade, government/industry have relied on ESIGN/UETA’s
fundamental premise: electronic records and signatures cannot be denied
solely because of their electronic form
Overarching focus in 2011 is moving from understanding legal framework to
implementation
Questions Become:
– How reliable are electronic signatures and records?
– How do I authenticate individuals?
– How can I minimize transaction and compliance risk?
– Are contested electronic records and signatures admissible and enforceable?
– Will subsequent transaction parties or the government accept electronic signatures and
records?
8. Legal Framework
for eSignatures and eRecords
ESIGN and UETA:
Enable the Presentation of Information (e.g., Disclosures) and Electronically
Signed Agreements Where Ink and Paper Would Have Been Required
Designing Systems to Sign/Store Electronic Records
Requires Firm Grasp Of:
Interaction Between the Electronic Processes Used to Sign and Store
Electronic Records
E-SIGN/UETA Requirements
Underlying Substantive Law (e.g., TILA, GLBA, State Disclosure & Record
Retention Laws)
Regulator Acceptance
Judicial Precedent
9. ESIGN and UETA Basics
Basic Rules:
– A record or signature may not be denied legal effect or enforceability because it is in
electronic form.
– A contract may not be denied legal effect or enforceability solely because an electronic
record was used in its formation.
– Any law that requires “a writing” will be satisfied by an electronic record.
– Any “signature” requirement in the law will be met if there is an electronic signature.
Electronic Record: A record, created, generated, sent, communicated, received or
stored by electronic means and is retrievable in perceivable form. An electronic
record includes a transferable record.
Electronic Signature:
– Any sound, symbol or process;
– Attached to or logically associated with an electronic record; and
– Executed or adopted with the intent to sign the electronic record.
– May be accomplished through technology, through processes and procedures, or through a
combination of both.
10. ESIGN and UETA Basics
ESIGN and UETA:
– Both laws act as overlay statutes;
– Both laws will likely apply to the transaction;
– Both laws recognize electronic signatures – any kind;
– Both laws recognize electronic records – disclosures
and agreements;
11. ESIGN and UETA Basics
– Both laws require transaction party consent;
– Both laws accept electronic records for
retention/admission process. The record holder must
be prepared to demonstrate that the electronic record:
– Accurately reflects the information contained in the record at the time it
was signed or delivered;
– Is accessible to anyone entitled to access the record holder’s copy of
the Record under an applicable rule of law or agreement;
– Can be accurately reproduced for later reference; and
– Is capable of being retained (in some cases at the time the record is
provided) by transaction participants to whom it has been made
available for review or signature.
12. ESIGN and UETA Basics
– Both laws exclude:
Wills, codicils and testamentary trusts;
Funds transfers (covered by UCC Article 4A);
Letters of Credit (covered by revised UCC Article 5);
Securities (covered by UCC Revised Article 8);
Security interests in goods and intangibles (covered by UCC Revised Article 9);
Software licensing laws (if State has adopted UCITA);
Most laws concerning checks.
13. ESIGN and UETA Basics
– Both apply to:
Consumer protection laws;
Negotiable instrument equivalents (transferable records);
Laws governing real estate transactions (subject to special rules concerning
documents to be filed of record);
Laws of agency;
Laws covering powers of attorney;
Laws requiring notarization of documents;
Laws governing trusts (except testamentary trusts);
Laws concerning the submission of documents to, or issuance of documents
by, government authorities (subject to special rules).
14. Creating a Reliable Electronic Record
Creating reliable electronic signatures and records is
critical for a number of reasons:
– Comply with state or federal “writing,” “signing” and “original” requirements
– Meet state or federal record retention requirements
– Obtain admission of electronic records into evidence in the event of a dispute
(the mere fact that information has been created and stored within a computer
system does not make that information reliable or authentic).
15. Identifying Risks
Authentication Risk:
The risk is that the signer says “that is not my signature;”
– Is the signer:
» who they say they are
» do they have the authority to bind
Company relying on the signature has to bear the burden of proof.
Compliance Risk:
The risk is that the rules and regulations that govern the transaction are not
met.
For example: Disclosure was not provided in the right format or at the right
time in the transaction (possible statutory penalties).
For example: ESIGN & UETA requirements are not met (consequence may
include statutory penalties based on conclusion that required disclosure was
not provided because ESIGN/UETA consent was not obtained).
16. Identifying Risks
Repudiation Risk:
– The risk is that the signer says “that is not the record that I signed or the
disclosure that I received.”
Admissibility Risk:
– The risk is that the electronic record is not admissible into evidence or for
regulatory purposes.
Introduction into evidence will require proof of integrity:
– Identification to original transaction
– Freedom from alteration
17. Regulatory Activity
FRB - Electronic Communication Rules for Consumer protection
statutes (e.g., Reg Z, Reg D, Reg E)
OCC – Bulletins on Consumer Consent and Record Retention
HUD/FHA – Mortgagee Letter on Purchase and Sale Contracts
FFIEC – Authentication in an Online Banking Environment
2011 Supplement: periodic risk assessment, minimum controls, layered
security
States – Disclosures, Record Retention, Mail Requirements
18. Emerging Principles/Significant Cases Involving
Electronic Records
Authentication and Authority
– The Prudential Ins. Co. of America v. Dukoff, No. 07-1080, 674 F.Supp. 2d 401
(E.D.N.Y. Dec. 18, 2009) (materially false statements made by reasonably
authenticated insurance applicants may be used to challenge the validity of the
application); National Auto Lenders, Inc. v. SysLOCATE, Inc., No. 09-21765, 686
F.Supp. 2d 1318 (S.D. Fla. Feb. 10, 2010) (Online agreement held
unenforceable where website operator knew the persons accepting the
agreement lacked actual or apparent authority).
Electronic Signatures meet Statute of
Frauds Writing Requirements
– Shattuck v. Klotzbach, 14 Mass. L. Rptr. 360 (Super. Ct., Mass., December 11,
2001); (Signed emails could be used to prove the existence of a real estate sale
contract); but see Rosenfeld v. Zerneck, 4 Misc. 3d 193, 776 N.Y.S.2d 458 (Sup.
Ct., Kings Co. 2004); Vista Developers Corp. v. VFP Realty LLC, 17 Misc. 3d
914, 847 N.Y.S.2d 416 (Sup. Ct., Queens Co. 2007)(no agreement reached on
essential terms of transaction).
19. Emerging Principles/Significant Cases Involving
Electronic Records
Clearly Presented Agreements and Disclosures will
be Enforced Unless Unconscionable, No Opportunity to View
Terms, or for Reasons other than being Solely in Electronic Form
– Evans v. Linden Research, 763 F. Supp. 2d 735 (E.D. Pa. 2011) (mandatory forum selection
clause contained in terms of service for on-line life community not unconscionable under
California law where users had to check box to agree to terms each time there was a
change); Berry v. Webloyalty.com, 2011 U.S. Dist. Lexis 39581 (S.D. Cal. April 11, 2011)
(disclosures made on online club enrollment page “sufficient to place reasonable consumers
on notice” and sufficiently “clear and readily understandable” to satisfy the Federal Reserve
Board’s standard for electronic signatures); Fusha v. Delta Airlines, Inc., 2011 U.S. Dist.
Lexis 97295 (D. Md. Aug. 30, 2011) (customer bound by forum selection clause contained in
terms of use, even where she did not remember reading the terms); but see Koch Industries
v. John Does, 2011 U.S. Dist. Lexis 49529 (May 9, 2011) (terms of use unenforceable where
available only through a link at the bottom of with no prominent notice that a user would be
bound by them); Schnabel v. Trilegiant Corp., 2011 U.S. Dist. LEXIS 18132 (D. Conn.
Feb. 24, 2011) (court refused to enforce arbitration clause in website agreement where
plaintiffs were not presented with chance to view terms before acceptance)
20. Emerging Principles/Significant Cases Involving
Electronic Records
Preserving evidence of data integrity, screen shots and process flows is
essential
– Lorraine v. Markel American Ins. Co., 241 F.R.D. 534, 538 (D.Md. 2007). Judge Grimm in Lorraine v. Markel
American Ins. Co., 241 F.R.D. 534, 538 (D.Md. 2007): [C]onsidering the significant costs associated with
discovery of ESI, it makes little sense to go to all the bother and expense to get electronic information only to
have it excluded from evidence or rejected from consideration during summary judgment because the
proponent cannot lay a sufficient foundation to get it admitted.
– In Re Vee Vinhnee, 336 B.R. 437 (9th Cir. BAP (Cal.) 2005) – Court refused to admit electronic credit card
transaction records due to inadequate authentication.
11-Factor Foundation For Electronic Records:
– The business uses a computer.
– The computer is reliable.
– The business has developed a procedure for inserting data into the computer.
– The procedure has built-in safeguards to ensure accuracy and identify errors.
– The business keeps the computer in a good state of repair.
– The witness had the computer readout certain data.
– The witness used the proper procedures to obtain the readout.
– The computer was in working order at the time the witness obtained the readout.
– The witness recognizes the exhibit as the readout.
– The witness explains how he or she recognizes the readout.
– If the readout contains strange symbols or terms, the witness explains the meaning of the
symbols or terms for the trier of fact. Id. at 14 (citing Edward J. Imwinkelried, Evidentiary
Foundations 4.03[2] (5th ed. 2002)).
21. Emerging Principles/Significant Cases Involving
Electronic Records
The primary authenticity issue as identified by the court in In Re Vee
Vinhnee, 336 B.R. 437 (9th Cir. BAP (Cal.) 2005), focuses on:
– . . . what has, or may have, happened to the record in the interval between when it was
placed in the files and the time of trial. In other words, the record being proffered must be
shown to continue to be an accurate representation of the records that originally was created
. . . . Hence, the focus is not on the circumstances of the creation of the record, but rather on
the circumstances of the preservation of the record during the time it is in the file so as to
assure that the document being proffered is the same as the document that was originally
created.
The court focused on the 4th factor and noted that for electronically
stored information:
– [t]he logical questions extend beyond the identification of the particular computer equipment
and programs used. The entity’s policies and procedures for the use of the equipment,
database, and programs are important. How access to the pertinent database is controlled
and, separately, how access to the specific program is controlled are important questions.
How changes in the database are logged or recorded, as well as the structure and
implementation of backup systems and audit procedures for assuring the continuing integrity
of the database, are pertinent to the question of whether the records have been changed
since their creation.
22. Emerging Principles/Significant Cases Involving
Electronic Records
Americans with Disabilities Act and the Internet
– Earll v. eBay, Inc., No. 5:11-cv-00262-JF (N.D. Cal. Sept. 7, 2011)(Class Action
Alleges eBay's Identity Verification Policy Violates the ADA); National Federation
of Blind v. Target Corp., 582 F.Supp.2d 1185, N.D.Cal., 2007.
23. ESIGN and UETA – An Analytical Model
Look to UETA Official Comments, and Congressional
Record at time of ESIGN adoption in House and Senate,
for interpretive rules
When interpreting ambiguous provisions, ask: if
interpretation serves purpose of statute and meets
“common sense” test
What would I do with a paper document?
24. Analyzing Systems for Creating, Storing and Retrieving
Binding Agreements – A Provisional Checklist
Agreement to Electronic Transaction
– Identify parties who must agree
Direct participants
Vendors and service providers
Indirect stakeholders
– Establish manner of agreement
B2B
Consumer (special ESIGN rules for consent)
– Agreement to system rules
25. Analyzing Systems for Creating, Storing and Retrieving
Binding Agreements – A Provisional Checklist
Execution
– Signature
Authority to sign
Evidence of intent
Intent to sign
Purpose of signature
– Per document basis
– Logically associated with record
– Process
– Attribution
26. Analyzing Systems for Creating, Storing and Retrieving
Binding Agreements – A Provisional Checklist
Document Format and Delivery
– Compliance with existing formatting rules
– Standards for document formats
Non-proprietary
Self-contained
– Delivery methods
Mailing or hand delivery currently required
Mailing or hand delivery not currently required
27. Analyzing Systems for Creating, Storing and Retrieving
Binding Agreements – A Provisional Checklist
Record Integrity:
– Tracking alterations or versions
– Preventing alteration of executed documents
– Associating records
– Replacing records
– Identifying authoritative copies
– Encryption of executed documents to prevent undetected alteration
– Use of hash algorithms and date and time stamp technology
Record Management Controls:
– Control of access to databases
– Recording and logging of changes
– Backup practices
– Audit procedures
28. Analyzing Systems for Creating, Storing and Retrieving
Binding Agreements – A Provisional Checklist
Document Access
– Access based on role in transaction
– Access levels
– Methods of access
– Person responsible for providing and maintaining access
Principal
Custodian
Subcontractors
– Timeframe for access
– Data Survivability/Migration
29. Controlling Risks with SPeRS (Standards and
Procedure for Electronic Records and Signatures)
A cross-industry initiative to establish commonly understood “rules
of the road” available to all parties seeking to take advantage of the
powers conferred by ESIGN and UETA;
Helps create the implementation guidance not present in ESIGN and
UETA
Initially published 2003; update coming in November 2011;
Founded on the proposition that much of the time and effort being
invested by companies “re-inventing the wheel” could be avoided if
cross-industry standards for these elements of electronic
transactions could be established;
Focused on the behavioral and legal aspects of the interaction
between parties to the transaction, not on technology. SPeRS is
intended to be technology neutral;
Standards are not necessarily legal minimums, but implementing the
standards should enhance reliability and sufficiency.
30. The SPeRS Structure
SPeRS is divided into five sections:
– Authentication
– Consent
– Agreements, notices and disclosures
– Electronic signatures
– Record retention
Each section provides 5 to 10 high-level standards to guide systems
designers in developing processes that will meet the new legal
requirements.
Each Standard is supported by:
– Plain-English discussions of the underlying issues,
– Checklists outlining specific strategies and options for
implementing the standards,
– Examples and illustrations, and
– Legal commentary to assist in-house counsel.
31. Industry Adoption
– Mortgage
(http://www.mersinc.org/MersProducts/index.aspx?mpid=19)
– https://www.efanniemae.com/sf/guides/ssg/relatedsellinginfo/emtg/pdf/emtgguide.pdf
http://www.freddiemac.com/singlefamily/elm/pdf/eMortgage_Guide.pdf
– Student Lending
(http://ifap.ed.gov/dpcletters/attachments/gen0106Arevised.pdf)
– Variable Annuities (http://www.irionline.org/standards)
– Electronic Chattel Paper
(http://www.standardandpoors.com/prot/ratings/articles/en/us/?assetID=1245199808682)
– Online Banking
(http://www.ffiec.gov/pdf/authentication_guidance.pdf)
– SPeRS (http://www.spers.org/spers/index.htm)
32. Questions?
Margo H. K. Tank
Buckley Kolar LLP
1250 24th Street, NW
Suite 700
Washington, DC 20037
D: 202.349.8050
E: mtank@bucklekolar.com
F: 202.349.8080
www.buckleykolar.com
34. Delivering Disclosures, Agreements and Notices –
The Record Management Cycle
[Diagram: the record management cycle. Labels recovered from the slide:]
Record Life Cycle: Generate, Deliver, Store, Manage, Destroy
Active Data Processes: propagate data, create record, track versions, index data, extract data, audit trails & reports
Primary Record Categories: Transaction-specific Docs; Boilerplate Docs; Screen Shots & Process Flows for Enrollment, Delivery/Signing; Audit Trails
Key Systems Issues: Secure and Consistent Record Management; Quality & Integrity Controls; Access Controls; Search and Report Capabilities; Record Destruction; Business Continuity
Supporting layers: Record Management Responsibility; Secure Communication; Record Management Audit Trails & Reports; Company Policies and Guidelines
35. Delivering Disclosures, Agreements and Notices –
Regulatory Guidance for Record Management
– GLBA Information Security Guidelines
– FFIEC Authentication Guidance
– Identity Theft Red Flags Regulation and
Guidelines
– FFIEC Information Security Booklet
– FFIEC E-Banking Booklet
– FFIEC Supervision of TSPs Booklet
– FFIEC Outsourcing Technology Services Booklet
– FFIEC Development & Acquisition Booklet
– FIL-44-2008, Managing Third Party Risk
36. Delivering Disclosures, Agreements and Notices –
Key Requirements from ESIGN and UETA
Key Requirements
– Consent is required if law otherwise requires info delivered
in writing
• ESIGN Consumer Consent Process
• B-to-B Consent
– UETA delivery provisions not preempted by ESIGN
• Need Agreement (express or implied) on Delivery Method
• Need to deal with bouncebacks in many cases
– Popular Delivery Options
• Display as part of an interactive session,
• Delivery in the body of an email or as an email attachment, or
• Delivery of an email or other electronic notice that has a URL
embedded in it that the consumer may activate to review the
information.
37. Delivering Disclosures, Agreements and Notices –
Key Requirements from ESIGN and UETA
More Key Requirements
– Electronic records are not enforceable against a recipient if
the sender inhibits the recipient’s ability to print or retain a
copy
– Customer must be able to retain a copy for later reference
– Electronic Records retained by sender must be accurate,
remain accessible for later reference
– All formatting, timing and display requirements must be
observed. “Timing” includes:
• Proper sequence within transaction
• Any time frames or deadlines for delivery
• Length of time the information/document remains accessible
38. Delivering Disclosures, Agreements and Notices –
General Delivery/Signature Strategy
[Diagram: general delivery/signature strategy. Labels recovered from the slide:]
Steps: Get Consent, Draw Attention, Present Document, Obtain Signature
Callouts:
– Clear Call to Action
– Prompt for Retention/Offer Retention-Friendly Version
– Presented in Scroll Box, PDF or Behind Clearly-Labeled Hyperlink
– Key Information/Document Above or to the Left of Call to Action
39. Delivering Disclosures, Agreements and Notices –
The Design Process
Delivery Design Choices
– Secure or Unsecure?
– Push out in email/SMS, or send “ready notice” and pull behind firewall?
– Embedded hyperlinks in “ready notice” email?
– Permit target to set delivery preferences?
– Permit target to designate multiple recipients?
– Forced review or bypassable?
Key Considerations
- Will the records contain sensitive information?
- Will the records contain required disclosures or notices?
- Are multiple delivery methods possible/desirable?
- Are there “phishing” or “pharming” issues to address?
- Need to maintain control over display and audit trails?
- Need to obtain ESIGN Consumer Consent?

Design
– Enrollment / consent process
– Audit trails and reporting
– Transmittal message contents
– Authentication process for access to secure data (if applicable)
– Record generation and posting to delivery system
– Message or notice generation/transmission
– Record retention/destruction process
– Record generation/posting
Key Considerations
− 2 Factor Authentication required?
− How will cross-system compatibility/communication issues be addressed?
− How much of design will be automated or manual?
− Is system intended for use with targets without prior electronic relationship with sender?
− Regulatory requirements for timing, delivery, proximity, conspicuousness, forced review?

Execution
– Establish agreement on delivery
–When deemed delivered
–Delivery address
–Obligation to update address
– Obtain ESIGN Consent
– Generate records
– Send notice or attachments
– Provide opportunity to retain
– Generate audit trail
– Handle “bouncebacks”
– Handle withdrawal of consent
Key Considerations
− Addressing electronic delivery channels
− Agreement on what constitutes “sending” and “receipt” (Note some state UETAs limit variation by agreement)
− Agreement on obligation to update electronic addresses
− Managing bouncebacks and withdrawal of consent
40. Electronic Signatures –
Key Elements
Electronic Signature
Definition of signature -- “Electronic
Signature” means an electronic identifying
sound, symbol, or process attached to or
logically connected with an electronic
record and executed or adopted by a
person with present intention to
authenticate a record.
This definition includes (for example):
– Typed names,
– A click-through on a software
program’s dialog box combined with
some other identification procedure,
– Personal identification numbers,
– Biometric measurements,
– A digitized picture of a handwritten
signature,
– Use of SecureID™ or Defender™
number generators, and
– A complex, encrypted authentication
system.
Note that a click-through probably does
not satisfy the requirements for an
electronic signature under Article 9 of the
UCC.

Key Elements
ESIGN and UETA require that:
– The signature be attributable to
the signer and associated with
the records
– The signing party have authority
to sign
– The signing party must have the
intent to affix a signature to the
record
ESIGN and UETA do not require
that:
– The signature process itself
provide proof of identity
– The signature process itself
protect the record from
alteration without detection
41. Electronic Signatures –
Attribution
Attribution basics
Legal sufficiency vs. attribution
- UETA and ESIGN’s signature
rules:
– Answer the question “is it a
signature?”
– Do NOT answer the question
“is it your signature?”
Attribution must be proven:
– Attribution may be proven by
any means, including
surrounding circumstances or
efficacy of agreed-upon
security procedure
– The burden of proof is usually
on the person seeking to
enforce signature

Attribution in the electronic world
- In an electronic environment,
attribution is often proven by
associating the signature with use
of a “credential.” A credential is a
method for establishing the
identity of the signer, and may
involve use of a password,
employment of a token (such as a
random number generator),
biometrics, or demonstration of
knowledge of a “shared secret,” or
some combination of the above (or
similar devices/approaches). Use
of the credential gives the person
receiving the signed record a
reasonable basis to believe that the
signature was created by the
intended signer.
42. Electronic Signatures –
Attribution
Creating a Credential
A credential may be:
• Assigned to the signer directly by
the intended recipient of the signed
record, either in advance or at the
time of signing.
• Assigned to the signer indirectly,
through a hierarchical model, where
the intended recipient gave a “root”
or “master” credential to a person
who is then authorized to provide
derivative credentials to others
(e.g. Recipient gives a master User
ID and password for its Treasury
Services website to an executive at
Company X and the executive then
establishes passwords for other
Company X employees).
• Created spontaneously (often
through the use of biometrics or a
“shared secret”) at the time it is
needed for the signing.

Notes on credentials
Note that the effectiveness of the credential for
attribution depends on the integrity and
reliability of the process for first creating and
assigning the credential to the individual.
• So, if it is easy to get a credential under false
pretenses, then the value of the credential for
attribution is diluted.
• But, if the process for first issuing the
credential to the correct person is
demonstrably reliable, then the later use of
the credential will usually constitute strong
evidence of attribution.
In more sophisticated applications the customer
may be given multiple credentials to permit two
or three-factor authentication, depending on the
risk level of the specific requested transaction.
So, for example, a banking customer may be able
to access general online banking services using
a User ID and Password, but then be required to
also provide a one-time password or PIN from a
random-number generator before completing a
funds transfer during the online session.
43. Electronic Signatures –
Attribution
Common Strategies for Credential Creation/Distribution
– Customer-initiated online/mobile
• Validated using existing shared information, or
• Self-asserted (usually just for initial contact/applications)
– Delivered
• May be persistent or one-time (OTP, random number generator)
• Sent to known address (email or postal) or phone number (sms or
voice)
• May be further validated on first use or each use
Use of dedicated hyperlink contained in message to access platform
Confirmation using shared information
– Self-assigned
• Response to invitation
Use of dedicated hyperlink contained in message to access platform
Created on platform
Sometimes -- Confirmation using shared information
• Assigned via hierarchical model (more later)
44. Electronic Signatures –
Authority
ESIGN and UETA incorporate the existing common
law rule requiring that the signing party have the
authority to sign.
– Individuals – identity, age, capacity – capacity is
usually taken for granted with any person over the
age of 18, unless there are indications to the
contrary
– Representatives – identity, age, capacity, and
authorization to take the contemplated action on
behalf of the represented party. The authority to
act is not automatic just because a person is an
appointed representative (e.g. an agent or
employee). Authority must be either expressly or
implicitly conferred by the represented person.
45. Electronic Signatures –
Authority for Representatives
“Hail Mary”:
Very often used with small companies. It presumes that in a small company anyone taking action
with respect to bank services must have authority to do so because unauthorized activity is so
difficult to conceal. This involves a “cost/benefit” risk analysis, since historically small business
employees have proven quite adept at using bank accounts and banking relationships to commit
fraud under the noses of their co-employees and owners.

Certificate of Authority:
In the most formal of situations, a certificate is required from the company’s owners or controlling
body (Board of Directors, General Partners, Members, etc.) confirming the authority of a particular
person to sign as a representative of the company. In some cases, confirmation of authority is
incorporated into an opinion letter from outside counsel, creating a potential claim against outside
counsel in case of a later dispute.

Situational “actual” or “apparent” authority:
Where authority is not formally established, it may alternatively be established by circumstance.
Job titles and/or known supervision and review of the proposed agreement by senior management
may establish either actual or apparent authority to act.

The Hierarchical Model:
In this model, the potential recipient of the signed records (e.g. the bank) assigns a master
credential, through a highly reliable and carefully controlled process, to a company representative
(e.g. the Senior Vice President for Treasury Management Services) whose authority to establish
the initial relationship is beyond question (either because of certification or situational
verification). In turn, the recipient’s system of record permits the trusted company representative
to create lower-level credentials for other company employees. These credentials come with
assigned rights, which may include the right to enter into additional agreements with the recipient.
Presumably, the master agreement between the recipient and the company establishes the
recipient’s right to rely on the “hierarchical model” to establish the authority of the lower-level
employees to sign.
46. Electronic Signatures –
Intent to Sign
Elements of Intent
The signer’s intent is composed of two
elements:
– The intent to sign
– The purpose of the signature
The intent to sign may be established by the
surrounding circumstances. In an electronic
environment, the easiest way to establish an
intent to sign is to advise the signer that the
action he or she is about to take (click through,
entrance of PIN, typing of name, etc.) will
constitute a signature.
Purpose of signature
– There are four basic purposes a signature
may serve with respect to a record:
1. I agree to it
2. It came from me
3. I’ve seen it
4. I got it
– Which of these purposes is applicable to a
particular signature may be established by
surrounding circumstances or may be
specifically stated as part of the signature
process. In many cases the signature
serves more than one of these purposes.
The signer’s intent must be established
separately in some manner for each signature
that is applied to the record.

Samples of Notices to Establish Intent
…By clicking "I Accept" at the end
of this Agreement, you agree that
you have read and understand this
Agreement and that you will be
bound by and comply with all of its
terms…

…by typing your name in the
signature box on the account
signup page, you are signing and
agreeing to the terms and
conditions of this Agreement…

BY CLICKING ON THE “SIGN NOW”
BUTTON BELOW, YOU ARE SIGNING
THIS AGREEMENT. CLICKING ON
THE “SIGN NOW” BUTTON WILL
RESULT IN AN ENFORCEABLE
LEGAL CONTRACT, JUST AS IF YOU
HAD SIGNED YOUR NAME TO AN
AGREEMENT ON PAPER.
47. Electronic Signatures –
Selecting a Process
Three primary criteria
– Boilerplate Document vs. Transaction-Specific Document
– Size of transaction or liability exposure
– Extent to which transaction “self-validates”
• Physical presence at signing
• Services are personal to signer (e.g. medical, legal)
• Physical product being shipped
• Product or service is customized to individual
48. Electronic Signatures –
Selecting a Process
Boilerplate
Per Transaction
Click-Through
Capture Audit Trail
Preserve Process Flows
Preserve Template Document
Preserve Generic Screen Shots
Establish Identity → Present Record → Obtain Click-through → Prompt Retention
49. Electronic Signatures –
Selecting a Process
Transaction-Specific Signatures
Capture Audit Trail
Anticipate Obsolescence
Generally, Retain A Copy of the Dynamic Signed Record, Not Just a Flat File
Document, Once Signed, Should Be Protected Against Undetected Alteration
Establish Identity → Present Record → Obtain Signature → Prompt Retention
50. Introducing Electronic Records into Evidence --
Basis for Admission
The Federal Rules of Evidence and the Uniform Rules of
Evidence contain identical provisions that, taken
together, address the admissibility of electronic business
records:
The “Business Record” Rule, and
The “Best Evidence” Rule.
51. Introducing Electronic Records into Evidence --
Basis for Admission
The Business Record rule permits the introduction into evidence of
business records of regularly conducted business activity. A business
record will be admissible:
– If it is a record, in any form, of acts, events, conditions, opinions, or
diagnoses, made at or near the time by, or from information
transmitted by, a person with knowledge, and if:
• The record is kept in the course of a regularly conducted
business activity, and
• It was a regular practice of that business activity to make the
memorandum, report, record or data compilation, all as shown
by the testimony of the custodian or other qualified witness, or
by certification that complies with the Rules of Evidence,
– Unless the source of information or the method or circumstances of
preparation indicate the record is not trustworthy.
People v. Huehn, 53 P.3d 733 (Colo.App. 2002)
52. Introducing Electronic Records into Evidence --
Basis for Admission
Even though a record is admissible under the business records
exception to the hearsay rule, it must also satisfy the Best Evidence
Rule.
The Best Evidence Rule, sometimes called the “Original Writing
Rule,” provides that in order to “… prove the content of a writing,
recording, or photograph, the original writing, recording, or
photograph is required, except as otherwise provided in these rules
or by Act of Congress.”
An “original” is defined as: [T]he writing or recording itself or any
counterpart intended to have the same effect by a person executing
or issuing it. … If data are stored in a computer or similar device,
any printout or other output readable by sight, shown to reflect the
data accurately, is an “original.”
People v. McFarlan, 744 N.Y.S.2d 287 (N.Y. Sup. 2002)
53. Introducing Electronic Records into Evidence --
Basis for Admission
The UETA and ESIGN extend the existing principles of the “Best
Evidence” rule, providing:
– Any requirement to preserve or produce an “original” record is
satisfied by an electronic record of the information in the record to
be produced, so long as the electronic record:
• Accurately reflects the information in the record to be produced
after it was first generated in its final form, and
• Remains accessible for later reference.
– Evidence of a record may not be excluded solely because it is in
electronic form.
54. Introducing Electronic Records into Evidence --
Proof of Document Integrity
Introduction into evidence will require proof of integrity
– Identification to original transaction
– Freedom from alteration
55. Introducing Electronic Records into Evidence --
Proof of Document Integrity
Courts evaluating the integrity of an electronic record
may be expected to focus on systemic protections --
– division of labor
– complexity of systems
– Encryption of executed documents to prevent
undetected alteration
– activity logs
– security of copies stored offsite to verify content
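The audit-trail and alteration-detection points on slides 48, 49 and 55, sketched as an added example (not part of the Silanis webcast or any vendor's product): each step of the signing process is logged with the document's SHA-256 digest and chained with an HMAC, so an edited or removed entry, a changed document, or a signature logged without its intent notice is reported. The key, document text, signer ID and step names are constructed for illustration, and HMAC chaining is one assumed way to make alteration detectable, not a mechanism the slides prescribe.

```python
import hashlib
import hmac
import json

# Constructed sample values for this example (not from the webcast).
KEY = b"demo-mac-key-kept-outside-the-signing-app"
DOC = b"Account agreement v3: customer agrees to the fee schedule."
NOTICE = 'By clicking "SIGN NOW" you are signing this agreement.'
STEPS = ["establish_identity", "present_record", "obtain_signature", "prompt_retention"]

def _mac(key, prev_mac, body):
    # Canonical JSON so identical entries always serialize to identical bytes.
    data = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append_event(trail, key, step, signer, doc, notice=None):
    """Append one ceremony step, chained to the MAC of the previous entry."""
    body = {"seq": len(trail), "step": step, "signer": signer,
            "doc_sha256": hashlib.sha256(doc).hexdigest(), "intent_notice": notice}
    prev = trail[-1]["mac"] if trail else ""
    trail.append({**body, "mac": _mac(key, prev, body)})

def verify(trail, key, doc):
    """Return a list of problems; an empty list means nothing was altered."""
    problems, prev = [], ""
    digest = hashlib.sha256(doc).hexdigest()
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(entry["mac"], _mac(key, prev, body)):
            problems.append(f"entry {i}: MAC mismatch")
        if entry["doc_sha256"] != digest:
            problems.append(f"entry {i}: document digest mismatch")
        if entry["step"] == "obtain_signature" and not entry["intent_notice"]:
            problems.append(f"entry {i}: signature without intent notice")
        prev = entry["mac"]  # continue from the stored MAC to localize damage
    return problems

def build_sample_trail():
    trail = []
    for step in STEPS:
        notice = NOTICE if step == "obtain_signature" else None
        append_event(trail, KEY, step, "signer-001", DOC, notice)
    return trail

if __name__ == "__main__":
    trail = build_sample_trail()
    print(verify(trail, KEY, DOC))       # intact trail and document
    trail[2]["signer"] = "signer-002"    # simulate an edited log entry
    print(verify(trail, KEY, DOC))
```

Entries removed from the end of the trail are not detectable from the trail alone; comparing the latest MAC against a copy stored offsite closes that gap.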
56. Some Additional Resources
– Standards and Procedures for electronic Records and
Signatures – available for purchase at www.spers.org
– FFIEC Information Technology Examination Handbook – available at
http://ithandbook.ffiec.gov/
– FFIEC Guidance On Electronic Financial Services And Consumer
Compliance – available at www.ffiec.gov/PDF/EFS.pdf
– FTC Guidance on Dot Com Disclosures – available at
http://business.ftc.gov/documents/bus41-dot-com-disclosures-information-about-online-advertising
– FTC Staff Report on Improving Consumer Mortgage Disclosures –
available at www.ftc.gov/opa/2007/06/mortgage.shtm
– AIIM Recommended Practice Report on Electronic Document
Management Systems (AIIM ARP1-2006) – available at
www.aiim.org/documents/standards/arp1-2006.pdf
– Lorraine v. Markel American Insurance Co., 241 F.R.D. 534 (D. Md.
May 4, 2007) – available at
http://www.mdd.uscourts.gov/Opinions/Opinions/Lorraine%20v.%20Markel%20-%20ESIADMISSIBILITY%20OPINION.pdf