Department of Justice Guidelines for Electronic Signatures

Posted Mon, 03/16/2009 - 21:19 by Isaac

Go to the Main Laws page

 

DEPARTMENT OF JUSTICE

The Department of Justice (DOJ) enforces the law and defend the
interests of the United States according to the law; to ensure public
safety against threats foreign and domestic; to provide federal
leadership in preventing and controlling crime; to seek just punishment
for those guilty of unlawful behavior; and to ensure fair and impartial
administration of justice for all Americans.

 

LEGAL CONSIDERATIONS IN DESIGNING AND IMPLEMENTING ELECTRONIC PROCESSES: A GUIDE FOR FEDERAL AGENCIES November 2000 (available online here)

In deciding whether and how to convert any given process from
paper to an electronic one, agencies should consider at least the
following four issues, which are examined in Part II:

A - Availability

B - Legal Sufficiency

C - Reliability

D - Compliance With Other Laws

Part II - LEGAL ISSUES TO CONSIDER IN "GOING PAPERLESS"

A. Availability of Information - To ensure the availability of
information in an electronic process, agencies should ensure:

  1. that an electronic process collects all relevant information; In
    adopting electronic processes, agencies should ascertain whether the
    following four specific types of information should be captured and
    retained:

(1) content of the transaction, including all records that comprise the substance of the transaction or filing;

(2) records that contain information about how the transaction
was processed, including dates received and changes or modifications
that were made in records;

(3) a means to authenticate the identity of all people who
participated in the transaction both inside and outside the agency, and
the scope of each person's participation; and

(4) for appropriate transactions, a means for establishing the
intent of the participants to enter into the transaction or agreement.

  1. that the information is retained properly; and

    2. Electronic systems should be designed and maintained to
    guard against data corruption, whether through accidental deletion,
    equipment failures, storage media deterioration over time, stray
    electromagnetic forces, or myriad other hardware and software problems

     

  2. that the information is readily accessible. The potentially
    lengthy period of time between the collection of information and its
    use in many situations, including litigation, highlights the importance
    of these issues.

    Unlike paper files which, when properly organized and
    maintained in the ordinary course of business, are readily available
    and usable without any special equipment, electronic information is not
    always accessible without special equipment and software.

B. The importance of signatures

  1. An increasing number of statutes and regulations impose the same
    presumptions of identity, intent, or familiarity with content that are
    typically associated with paper signatures. The proper design of legal
    instruments can reduce the need for such presumptions. Until such
    presumptions become widely accepted for electronic signatures, agencies
    should ensure that the electronic signature technologies they adopt
    identify the signers of the document and clearly express their intent
    and familiarity with the document.

C. Reliability of Electronic Information

  1. The legal significance of context surrounding the collection or creation of electronic information

    2. By binding the entire document to the electronic signature with a
    file hash it allows all surrounding context to be captured during the
    collection and creation of the signature in compliance with (C)(1).

  2. The perceived reliability of electronic data

    3. These File Integrity Hashes need to be used by all
    parties to the electronic record to verify that no changes or errors
    have occurred. This addresses reliability issues by "demonstrating
    that there are sufficient electronic procedures in place to prevent
    accidental or unauthorized alteration of information"    .

  3. Persuasiveness of electronic processes and information derived from them

    4. The method of delivery and signature capture needs to be simple and
    easily understood process very simular to the email that many
    businesses have long been using. The document is received, view or
    printed and then the user signs the file that they have already read.
    No software to install or maintain makes this process the easiest to
    use by all. No limitations on which operating system or internet
    browser is ideal. This makes for an electronic signature process that
    anyone can then communicate "in
    a straightforward and sensible manner and should recognize that people
    are likely to have varying degrees of knowledge about such processes."

  4. Admissibility of information derived from electronic processes

    5. By using industry and federally accepted File Integrity Hashes users can submit to courts proof that the evidence is both "authentic" and the "best evidence". File Integrity Hashes can be used by all parties to the electronic record (including the court) to verify that no changes or errors have occurred.

  5. Legal Requirements Affecting Electronic Processes

    6.  

PUBLIC LAW 108-390 - ELECTRONIC SIGNATURE ON FORMS I-9 - (online here)

U.S. Immigration and Customs Enforcement (ICE) and the Department
of Homeland Security (DHS) have received inquiries from many employers
regarding the availability of electronic Employment Eligibility
Verification Forms (Form I-9). Employers have expressed their
frustration with being required to keep paper forms or to store the
forms on microfilm or microfiche when all other aspects of their
business have been automated.

On April 28, 2005, a new law will take effect allowing employers to sign and store Forms I-9 electronically.

On October 30, 2004, the President signed legislation into law (Public Law 108-390)
authorizing employers to retain Forms I-9 in electronic format, in
addition to the current choices of paper, microfilm or microfiche. The
legislation also authorizes attestations on the Form I-9 to be
manifested by an electronic signature. The legislation prescribed an
effective date of April 28, 2005, or the effective date of implementing
regulations, whichever occurred first.

SECTION 1. IMPROVEMENTS TO EMPLOYMENT VERIFICATION SYSTEM.
(a) IN GENERAL.--Section 274A(b) of the Immigration and Nationality Act (8 U.S.C. 1324a(b)) is amended--

(1) in paragraph (1)(A), by inserting before ``A person or
entity has complied'' the following: ``Such attestation may be
manifested by either a hand-written or an electronic signature.'';
(2) in paragraph (2), by adding at the end the following: ``Such
attestation may be manifested by either a hand-written or an electronic
signature.''; and
(3) in paragraph (3), by inserting ``a paper, microfiche, microfilm, or electronic version of'' after ``must retain''.


(b) EFFECTIVE DATE.--The amendments made by subsection (a) shall take effect on the earlier of--

(1) the date on which final regulations implementing such amendments take effect; or
(2) 180 days after the date of the enactment of this Act.

 

 

ATF - ALCOHOL, TOBACCO AND FIREARMS

The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) is a
law enforcement agency within the U.S. Department of Justice. Its
unique responsibilities include protecting the public and reducing
violent crime. ATF enforces the Federal laws and regulations relating
to alcohol and tobacco diversion, firearms, explosives, and arson.

ATF regulations are published as Title 27, Code of Federal Regulations (27 CFR) by the Government Printing Office. (Available online here)

27 CFR § 73.3 What terms must I know to understand this part?

Electronic document receiving system. Any set of
apparatus, procedures, software, records, or documentation used to
receive documents communicated to it via a telecommunications network.

Electronic signature. A computer data compilation of
any symbol or series of symbols executed, adopted, or authorized by an
individual to be the legally binding equivalent of the individual's
handwritten signature, and that:

(1) Identifies and authenticates a particular person as the source of the electronic message; and

(2) Indicates such person's approval of the information contained in the electronic message.

§ 73.11 What are the required components and controls for acceptable electronic signatures?

(a) Electronic signatures not based on biometrics. If you use electronic signatures that are not based upon biometrics you must:

(1) Employ at least two distinct identification components such as an identification code and a password;

(2) Use both identification components when executing an electronic signature to an electronic document; and

(3) Ensure that the electronic signature can only be used by the authorized user.

Usernames and Passwords are a secure method to gain access to the document and to then sign for the document.

(b) Electronic signatures based on biometrics. If
you use electronic signatures based upon biometrics, they must be
designed to ensure that they cannot be used by anyone other than their
genuine owners.

§ 73.12 What security controls must I use for identification codes and passwords?

If you use electronic signatures based upon use of
identification codes in combination with passwords, you must employ
controls to ensure their security and integrity. These controls must
include:

(a) Maintaining the uniqueness of each combined
identification code and password, such that no two individuals have the
same combination of identification code and password;

Usernames and passwords need to be unique to the user of the system.

(b) Ensuring that identification code and password
issuances are periodically checked, recalled, or revised (e.g., to
cover such events as password aging);

Passwords on should be changed on a regular basis in compliance with (b).

(c) Following loss management procedures to electronically
deauthorize lost, stolen, missing, or otherwise potentially compromised
tokens, cards, or other devices that bear or generate identification
code or password information, and to issue temporary or permanent
replacements using suitable, rigorous controls;

(d) Using transaction safeguards to prevent unauthorized
use of passwords and/or identification codes, and to detect and report
in an immediate and urgent manner any attempts at their unauthorized
use to the system security unit and, as appropriate, to organizational
management; and

(e) Initial and periodic testing of devices, such as tokens
or cards, that bear or generate identification code or password
information to ensure that they function properly and have not been
altered in any unauthorized manner.

Using secure Username/Passwords, and not just tokens which need additional steps are a good idea as outlined in (e)

§ 73.33 Am I legally bound by a form I sign electronically?

Yes; by electronically signing a form you submit to us, you
are agreeing to be legally bound to the same extent as if you applied a
traditional handwritten signature on a paper document submitted to
satisfy the same reporting requirement. Persons using electronic
signatures shall, upon TTB's
request, provide additional certification or testimony that a specific
electronic signature is the legally binding equivalent of the signer's
handwritten signature.

Electronic signatures are legally binding in accordance with State and Federal Law.