The Electronic Signatures in Global and National Commerce Act Digital Signatures and E-SIGN: Implications for PKIs Michael S. Baum, J.D., M.B.A., CISSP.

Presentation transcript:


Agenda
• E-SIGN – Some relevant principles
    • Electronic vs. digital signatures
    • Nondiscrimination
    • Validity vs. enforceability
    • Limitations
• E-SIGN – Impact on PKIs
    • Technology neutrality
    • Federal preemption
• Responsive policy initiatives
    • The Multi-State Digital Signature Summit
    • Performance standards and the PAG
• Conclusions

E-SIGN in a Nutshell
The Electronic Signatures in Global and National Commerce Act
• Simply prevents discrimination against electronic acts and records
• A psychological boost to E-commerce
• In balance, creates demand for PKIs
• Issues remain

E-SIGN Provisions
• Title I: Electronic records and signatures in commerce
• Title II: Transferable records
• Title III: Promotion of international e-commerce
• Title IV: Commission on Online Child Protection
This presentation targets E-SIGN’s critical implications for PKIs

E-SIGN Milestones
• The reconciliation of HR and S.761
• Signed by President Clinton: June 30, 2000
• Effective: October 1, 2000
• Specified provisions are phased in through June 2001

E-SIGN Defines Electronic, Not Digital, Signature
Electronic Signature — “means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”

Record — “means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.”

Records Retention
Satisfied by retaining electronic records that are:
• Accurate
• Accessible to persons entitled to access it
• Capable of accurate reproduction for later reference
• Communicated by transmission, printing, or otherwise
• Exception: Information whose sole purpose is to enable the contract or other record to be sent, communicated, or received

E-SIGN: Nondiscrimination
“A signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form…”
E-SIGN § 101(a) General Rules of Validity (emphasis added)

Legal Effect and Validity
• Undefined in E-SIGN
• Provide only threshold legal assurances
• Only gets you into the courthouse

Enforceability
• The extent to which you can prove successfully the signature, record or contract and therefore prevail in a dispute
• E-SIGN neither precludes nor materially advances enforceability
• Enforceability demands evidence
• PKI complements E-SIGN by providing strong evidence that can be essential to enforceability

Other Provisions
• Complex consumer disclosure and consent
• Oral communications and recordings do not qualify as electronic records
• Industry-specific benefits
    • Insurance agents and brokers: liability limited
    • Banks: electronic check retention permitted
    • Mortgage industry: e-promissory notes enabled

E-SIGN Does Not Control:
• Wills and trusts
• Family law matters
• Much of the Uniform Commercial Code
• Court orders / notices / official court documents
• Other essential notices such as for utility services, health insurance and product recalls


Technology Neutrality
• Distinguish:
    • Nondiscrimination vs. equivalency
    • Product vs. technology neutrality
    • UNCITRAL example: “Information certifier”
• Implications:
    • Uncertainty
    • Potential need for supplemental rules
    • Sanctioning of ineffective products
    • Anticompetitive impact on the marketplace
    • Threatening to consumers?

Effect of Technology Neutrality on Notarial Acts
“If a … law requires a signature or record … to be notarized … that requirement is satisfied if the [notarization] is attached to or logically associated with the signature or record.”
E-SIGN § 101(g)

E-SIGN and Federal Preemption
• What is preemption?
• What E-SIGN says it preempts:
“A State [law] may modify, limit, or supersede … Section 101 … only if such [law does] not require, or accord greater legal status or effect to, the implementation or application of a specific technology…”
E-SIGN § 102(a) (emphasis added)

Scope of Preemption
• What E-SIGN preempts
• Preempts only State laws that deny effect to electronics solely because they are electronic or where they mandate exclusively a particular technology
• UETA (over-simplified rule): Where enacted without material changes, UETA is not preempted by E-SIGN

Uniform Electronic Transaction Act (UETA)
• Neither discriminates against nor mandates use of e-signatures / e-records
• Permits e-notarizations and e-acknowledgments
• Enables electronic records retention
• Extends beyond E-SIGN by addressing:
    • Attribution of e-signatures or records
    • Changes or errors in e-records during transmission
    • Nondiscrimination against admissibility into evidence
    • Time and place of sending and receipt of e-records

Limits on Preemption
• What E-SIGN does not preempt
• Does not address preemption of state law, other than in the specifically preemptive rules in Section 101
• E-SIGN does not generally interfere with U.S. State digital signature laws and CA licensing regimes

Some States Licensing or Approving CAs
North Carolina, Oregon, Texas, Washington, Utah, Minnesota, Nebraska, California, Nevada, Arkansas

What Rules Does E-SIGN Preempt?
• Attribution - No
• Favorable presumptions - No
• Integrity - No
• Certification authority trustworthiness - No
• Licensing / accreditation - No
• Recognizes only digital signatures as an alternative to handwritten signatures - Yes

Performance Standards Exception
• Can be specified by a Federal or State regulatory agency
• To assure accuracy, integrity, and accessibility of records

Agenda
• E-SIGN – Some relevant principles
    • Electronic and digital signatures distinguished
    • Nondiscrimination
    • Validity and enforceability distinguished
    • Limitations
• E-SIGN – Impact on PKIs
    • Technology neutrality
    • Federal preemption
• Responsive policy initiatives
    • The Multi-State Digital Signature Summit
    • Performance standards and the PAG
• Conclusions

Multi-State Digital Signature Summit
• Held in August 2000 in San Francisco
• Studied digital signature legislation, application, and the effects in the public and private sector
• Attendees included Secretaries of States, state digital signature coordinators and policy makers, American Bar Association Information Security Committee members, and other industry leaders
• Considerable focus on preemption
• Conclusions

Beyond E-SIGN – Default Rules?
UNCITRAL Draft Model Law on E-Signatures
• Art. 8, Conduct of the signatory: Each signatory shall exercise reasonable care to avoid unauthorized use of its signature creation data
• Art. 11, Conduct of the relying party: A relying party shall bear the legal consequences of its failure to take reasonable steps to verify the reliability of an electronic signature

PKI Assessment Guidelines (PAG): A Tool to Establish Performance Standards?
• A multidisciplinary initiative to develop objective guidelines for assessing PKI interoperation & quality
• Non-sectoral, cross-industry, international
• The PAG can assist in developing performance standards

Conclusions
• E-SIGN creates both peace of mind and uncertainty
• Potential for litigation regarding preemption
• Is the technology neutral pendulum swinging?
• Future rules needed to support CA quality & interoperation
• Harmonize with international initiatives
    • UNCITRAL Model Law on Electronic Signatures?
    • APEC-EU-US bilateral/multilateral agreements?
• Monitor impact of mandated consumer e-records and e-consent studies under E-SIGN
