
Electronic Signature Compliance


The ESIGN Act

Although every state has at least one law pertaining to electronic signatures, it is the federal law that lays out the guidelines for interstate commerce. The general intent of the ESIGN Act is spelled out in the very first section (101(a)): a contract or signature “may not be denied legal effect, validity, or enforceability solely because it is in electronic form”. This simple statement provides that electronic signatures and records are just as good as their paper equivalent, and therefore subject to the same legal scrutiny of authenticity that applies to paper documents.

The next section of the ESIGN Act, sub-section (b), preserves the rights of individuals to NOT USE electronic signatures. Here the law provides that individuals reserve the right to use a paper signature. Sub-section (c) directly supports (b) by requiring a “Consumer Disclosure” confirming that the signatory has consented to use an electronic format. Acknowledgement of this disclosure is captured as proof that the consumer was informed and did agree to use an electronic process. As a side note, if the consumer requires a paper copy, the law does allow a fee to be applied to recoup the cost of using paper.

As we can clearly see, the law outlines a two-step process for signing files electronically. First comes disclosure of the consumer’s right to use paper, followed by their consent to the electronic process. The second phase is the actual capture of the electronic signature.

Once the signature is captured, the law directs its attention to the electronic record that has now been created. This aspect of the law, while often overlooked, provides the true power and cost savings of electronic signatures: the ability to STORE electronic files. Printing and storing a paper copy of the electronic record defeats the purpose of this law. It is the accessibility and cheap storage costs of electronic files that really amount to long-term cost savings. Sub-section (d) details the retention of contracts and records. If a “statute, regulation, or other rule of law requires” the file to be retained, then “that requirement is met by retaining an electronic record”.

Accuracy and availability are discussed in both (d.1.B) and (e). The record must be available to all parties involved; this is easily accomplished by allowing each signatory to save an electronic copy of the record on their own computer. The electronic record and signature created must be in a format that is both accurate and accessible, meaning that the technology to read, display and transfer the record is of a generally accepted form. This aspect of the law requires businesses to choose electronic signature services that provide them with flexibility. If the solution allows any file type to be electronically signed, it will give each business the ability to select the best electronic format for their clients.

Section 103 does create a list of exceptions: situations in which electronic forms cannot be substituted for paper. These include wills, adoption, divorce, cancellation of utility services, eviction from a residence, termination of health insurance, recall of a product where public safety is at risk, and transportation documents for the handling of hazardous materials.

In section 104, the ESIGN Act “supersedes any requirement by a Federal regulatory agency, self-regulatory organization, or State regulatory agency” that requires “specified standards or formats”. The following sub-sections state that regulations and guidance may be issued concerning the acceptability of electronic forms.

What is Required to Comply with the Law

The definitions for compliance were provided earlier, but there are three consistent concepts acknowledged in virtually every law, opinion or guideline available on the subject of electronic signatures. They are Authentication of the signatory, Integrity of the signed file, and Non-repudiation of the signature and intentions of the signatories. The following section explains the intent of these concepts in further detail and assists in understanding and complying with them.

Authentication

Authentication is the reasonable basis on which to believe that the entity electronically signing the file is who they say they are. This can be accomplished in many ways. In the traditional world it might be done by checking a driver’s license or other form of identification, but in the electronic world this is not always an option, so other methods must be used.

The most common and popular way of accomplishing this identity check is to use an e-mail based identifier. This is a process most people have experienced at some point while using the Internet. If you sign up for a web-based service, you generally need to create a user name and password. When you create this account, many systems will send a verification e-mail to the e-mail address you entered for your record, thus proving that you control this e-mail address. You then copy and paste this verification information into the confirmation system provided by the web site, and you become a verified member. That process, and most processes that use your e-mail address, are known as e-mail based ID systems.

Another way to verify an identity is to use a known third-party validation mechanism. In other words, use something that presumably has already verified the entity in question. There are several common methods for achieving this type of authentication. You may have experienced it with a web site requiring you to enter your home zip code, an account number or, in some cases, a credit card number. Many web sites will have you enter your credit card information into a form, allowing them to cross-reference the information you provide with a credit card merchant. Presumably, if you told the credit card company the truth about yourself, then it will match the information you provided to the website.

The methods available and in use for identifying and authenticating individuals are countless, and presumably the higher the value of the transaction, the more authentication methods should be implemented.

Integrity

Integrity simply means providing a reasonable belief that any file electronically signed on a system cannot be, and has not been, tampered with by anyone or anything. The concept is easy to understand, and the requirement for it is certainly justified. When you are dealing with paper, it is easy to give everyone a copy, and any discrepancies are easily found, but with electronic records it can be difficult to manually or even visually tell if the file has been altered. To demonstrate integrity, electronic signature capture services generally use an encryption algorithm to lock a file once it has been signed. Better services will continually validate a file all the way through the signature process and then create a final version once all signatures are finalized. Most technology used today for identification purposes can be more accurate than human DNA.
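As an added illustration (not code from this page or from any product it mentions), here is one way a signing service can demonstrate integrity across a multi-party signing process: each signature event is sealed over the record's hash and the previous seal, so a change to the record or to the signing log after the fact breaks verification. The service key, signer addresses and contract text are constructed for the example.

```python
import hashlib
import hmac

# Constructed demo key (an assumption for this example); a real service keeps
# its sealing key in an HSM or KMS, never in source code.
SERVICE_KEY = b"demo-service-sealing-key-not-for-production"


def digest(data: bytes) -> str:
    """SHA-256 fingerprint of the record exactly as it was at signing time."""
    return hashlib.sha256(data).hexdigest()


def seal(prev_seal: str, record_hash: str, signer: str) -> str:
    """Seal one signature event over the prior seal, the record hash and the
    signer, so altering any earlier step or the record invalidates later seals."""
    msg = f"{prev_seal}|{record_hash}|{signer}".encode()
    return hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()


def sign_record(record: bytes, signers: list[str]) -> list[dict]:
    """Build the signing log: one sealed entry per signatory, in order."""
    log, prev = [], "genesis"
    for who in signers:
        h = digest(record)
        prev = seal(prev, h, who)
        log.append({"signer": who, "record_sha256": h, "seal": prev})
    return log


def verify_record(record: bytes, log: list[dict]) -> bool:
    """Recompute the whole chain; any mismatch means the record or log changed."""
    prev, h = "genesis", digest(record)
    for entry in log:
        if entry["record_sha256"] != h:
            return False
        expected = seal(prev, h, entry["signer"])
        if not hmac.compare_digest(expected, entry["seal"]):
            return False
        prev = entry["seal"]
    return True


# Constructed sample contract and two signatories.
CONTRACT = b"Services agreement: Acme pays Widgets Inc $10,000 on delivery."
LOG = sign_record(CONTRACT, ["alice@example.com", "bob@example.com"])


def tamper_detected() -> bool:
    """Change one figure after signing: verification must fail."""
    altered = CONTRACT.replace(b"$10,000", b"$100,000")
    return not verify_record(altered, LOG)


def log_tamper_detected() -> bool:
    """Swap the order of the signature events: verification must fail."""
    forged = [dict(LOG[1]), dict(LOG[0])]
    return not verify_record(CONTRACT, forged)
```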

Non-repudiation

Think back to the fax machine illustration. Someone can always say, “That is not my signature,” and claim that the signature was forged. After all, someone could have placed an image of a signature onto a document and faxed it back to you. The point is, under most circumstances you can never be 100% certain the person you are doing business with is who they say they are. Even in-person transactions can be at risk. Identity theft is the fastest-growing crime, and criminals are not just buying and signing things online; they are going into banks, opening credit cards and walking into retail establishments. So what can be done to help protect businesses against fraud and abuse if they use electronic signatures?

Just as a notary verifies the intent of the signatory, electronic signatures can use verification methods to ensure the signatory understood the purpose and the intent of the signature process. However, the road to a successful electronic signature implementation lies in the careful understanding that the electronic signature superhighway has a minimum of three lanes. Each of the signatories has a lane of relationship “traffic” between them and the electronic signature service provider. The lane dedicated to the relationship between the sender and the recipient is just as relevant and important. It is this relationship that will help to legally define the intent of the signatories in various legal matters. Therefore, combining good business practices with a solid electronic signature capturing service will make non-repudiation less of an issue.

How to comply with Authentication and Non-repudiation

These two concepts go hand in hand. The stronger your authentication methods are, the less risk you have regarding non-repudiation.

It is best to authenticate the user yourself. After all, it is your client or business partner you are signing the file with, and you know if Steve is Steve, or if he is really someone else.

Identification can play an important role in Authentication, as pointed out by the American Bar Association. They described this critical weakness of PKI-based signatures in their PKI Assessment Guidelines. PKI authenticates, but it fails to identify who a user is, as “The names within certificates are intended to be real names corresponding to real-world people”. However, a person can choose any name they wish to appear on the certificate.

Misrepresentation is not exclusive to the electronic world, as a person could walk into your office and sign a document while claiming to be someone they are not. This requires businesses to establish authentication based on things they already know about the signatory.

A business is really seeking a way to make the signature capturing process an extension of their current business process.

By issuing the appropriate licenses directly to your client, as opposed to using third-party vendor verification, PrivaSign helps you strengthen your case against repudiation. One assumes you know your client or business partner, and therefore your authentication of their identity through a recognized e-mail address, phone number and IP address is inherently more compelling than a third-party vendor verification that you have never seen. This process will save you time and money over other options on the market when it is time to prove who signed what.

How to comply with Integrity

What you want to look for in an electronic signature and electronic file delivery service is a simple and efficient process that can be integrated into an everyday situation without complex or detailed instructions.

The problem that arises, in most cases, when trying to find this type of solution is that such systems are not generally the most secure or accurate of those available, and therefore you are opening yourself up to data integrity questions.

What it Means

With a better understanding of the ESIGN Act, it is logical to take the next step and think about implementation in your organization. What are the key points to remember, and where should attention be focused?

• The Electronic Signature laws are technologically neutral. The primary focus is to ensure that no file that is signed electronically by two or more willing parties can be deemed invalid simply because the file was signed electronically.

• There are still a small collection of records, signatures and notices that can be required in paper form.

• The Act’s openness to technology allows the market to decide what types of electronic signatures are best in each situation.

• A business needs to understand when electronic signatures can be trusted as authentic and when they cannot.

• The ESIGN Act supersedes any requirement by a Federal regulatory agency, self-regulatory organization, or State regulatory agency.
