1. LEGAL AND PRIVACY ISSUES RELATED TO AUTHENTICATION Net @EDU Annual Meeting February 2, 2004 Saundra K. Schuster, Esq. Senior Assistant Attorney General – Ohio Copyright 2004, Saundra K. Schuster

2. AUTHENTICATION FOCUS OF SEMINAR Identify considerations regarding authentication Summarize evolution of the law Discuss relevant law

3. DEFINITIONS AUTHENTICATION: Process of verifying the identity of a user in relation to a “document” Individual Authentication Document Authentication ELECTRONIC SIGNATURE: An electronic sound, symbol or process attached to or logically associated with a “document” and executed or adapted by a person with the intent to sign the “document” DOCUMENT OR RECORD: Information that is inscribed on a tangible medium or stored in an electronic or other medium and is retrievable in perceivable form

4. AUTHENTICATION CONSIDERATIONS IDENTITY AUTHENTICATION The ability of the technology and associated processes to validate the identity of the parties making the entry Something unique to the individual (i.e. physical or biometric characteristic, such as voice, fingerprint, signature) Something an individual knows (i.e. pin or password) Something the individual possesses (i.e. token)

5. AUTHENTICATION CONSIDERATIONS DOCUMENT AUTHENTICATION Non-repudiation - Insuring that the “document” has not been altered once created, and has a nexus with the individual associated with the document PRIVACY/CONFIDENTIALITY Ensures that a document can’t be used by unintended recipients, even if intercepted INTEGRITY OF INFORMATION Information must be protected from unauthorized creation, modification or deletion

6. LEGAL EVOLUTION OF AUTHENTICATION Early commercial transactions – barter replaced by negotiation Banks became focal point for transactions Authenticated instruments by verifying signatures before making payments Price v. Neal (1762) Established liability of banks for forged documents

7. LEGAL EVOLUTION: ROLE OF SIGNATURES Visual s ignature verification was once the sole method to verify authorization of a document Became cost prohibitive due to volume Fraud associated with identity subversion is a major concern Development of expanded Authentication procedures became essential

8. LEGAL EVOLUTION: UNIFORM STANDARDS UNIFORM COMMERCIAL CODE (U.C.C.) Reflects Price v. Neal – est. forgery standard Says signature may be made manually or by word, mark or symbol if intended to authenticate writing

9. LEGAL e-FRAMEWORK Standards for associating an individual with a document and establishing his/her intent to accept or acknowledge its contents grew out of case law and state & federal statutes. The statutes encompass issues of: Validity of electronic format Privacy Security

10. E-LAWS: GENERAL ELECTRONIC RECORDS AND SIGNATURES IN GLOBAL & NATIONAL COMMERCE ACT E-Sign Law, 15 U.S.C. §7001 (June, 2000) Allows electronically signed documents the same legal integrity as paper contracts Does not apply to documents governed by state law

11. E-LAWS: GENERAL GOVERNMENT PAPERWORK ELIMINATION ACT (GEPA) 44 USCA §3504 (OCT., 1998) Applies to Federal Agencies Encourages use & acceptance of electronic signatures where practicable Option of electronic maintenance, submission or disclosure of information as a substitute for paper

12. E-LAWS: GENERAL FEDERAL RECORDS ACT 44 U.S.C. §3101 & 3301 (1994) Requires federal agencies to insure adequate and proper documentation of their policies, decisions, procedures and essential transactions by maintaining “records”

13. E-LAWS: GENERAL UNIFORM COMPUTER INFORMATION TRANSACTIONS ACT (UCITA) July, 1999 Developed as addition to U.C.C. (Art. 2B), evolved to freestanding model law Applies to licensing of software Replaces concept of “signature” with concept of “authentication” To be adopted by the states

14. E-LAWS: GENERAL UNIFORM ELECTRONIC TRANSACTIONS ACT (UETA) (July, 1999) Purpose of law is to remove barriers to electronic transactions relating to business, commercial and government affairs by validating and effectuating electronic records & signatures Developed as model state law, currently adopted by 37 states.

15. PRIVACY Privacy issue is the ability to obtain sufficient information about individuals in order to authenticate them as the subject of the record while, at the same time, respecting their rights to privacy. Privacy concerns include: Misappropriation of the individual’s name or identity Public disclosure of private facts Intentional intrusion in confidential information

16. E-LAWS: PRIVACY FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA) 20 U.S.C. §1232G 34 C.F.R. Part 99, (1974) Keystone federal privacy law for education Imposes a cloak of confidentiality around student educational records. Prohibits institutions from disclosing personally identifiable information without permission

17. E-LAWS: PRIVACY ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA) 18 U.S.C. §2510 (1986) Extended provisions of Federal Wiretap Statute to electronic communications Prohibits intentional interception, disclosure or use of an electronic communication Prohibits unauthorized access to or disclosure of electronically stored electronic communications

18. E-LAWS: PRIVACY COMPUTER FRAUD & ABUSE ACT CFAA 18 U.S.C. §1030 Criminalizes unauthorized access to a protected computer with the intent to obtain information, defraud, obtain anything of value or cause damage to the computer

19. E-LAWS: PRIVACY PRIVACY ACT 5 U.S.C. §552a (1998) Imposes certain restrictions on agency use of personal data. Congress primarily concerned with use of sophisticated information systems Requires agency provide notice about how information or records are stored, accessed & used Provides specific standards for computer matching of electronic records

20. E-LAWS: PRIVACY FREEDOM OF INFORMATION ACT 5 U.S.C. §552 (Supp. 1998) Statute requires release of certain information in public agency records to members of the public upon request Statute amended in 1998 to clarify the status of electronic records under public access law All 50 states have “Sunshine Laws” providing access to public documents as well

21. E-LAWS: PRIVACY HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA, 45 C.F.R. §160.201-205(1996) Enacted to protect the rights of patients & participants in certain health plans Institutions who are affiliated with health care providers must provide written notice of their provider’s electronic communication practices

22. E-LAWS: PRIVACY & SECURITY U.S.A PATRIOT ACT Public Law 107-56 (October, 2001) Technology, Education and Copyright Harmonization Act(TEACH) H.R. 2215 (Nov., 2002) Gramm-Leach-Bliley Act 15 U.S.C. §6801 (1999)

23. RISKS & LIABILITIES RISKS AND LIABILITIES Schools are vulnerable to suits under common law negligence if it failed to protect against disclosure of electronic records Schools may face liability for improperly releasing or allowing access to private information or for employing inadequate security measures for access and information

24. RISKS & LIABILITIES LIABILITY CONCERNS: Schools may be liable from action (commission) that arises when they improperly invade the privacy of others Schools may also be liable from inaction (omission) that arises when schools fail to implement appropriate security measures and policies to maintain a secure system

25. CONCLUSION Laws & regulations follow the lead of electronic transaction technology Flurry of legal activity resulting in overlapping system of state & federal regulations as well as accrediting & professional organization standards As abuses & risks are identified, additional legal standards will evolve As disputes occur, the courts will further identify application of the laws