MUETA: What Every Public Sector Lawyer Should Know Department Of Telecommunications And Energy Thursday, December 2, 2004

2 The Once and Future Signature ITraditional Signatures IIBefore E-SIGN: The Law pertaining to Traditional Signatures in Massachusetts IIIE-SIGN IVMUETA VTechnology Neutrality VIThe Myth of “Nonrepudiation”

I TRADITIONAL SIGNATURES

4 Traditional Signatures Authentication: the original biometric Attachment of signature to document Intent of the signor Some comfort re: document integrity

5 Traditional Signature Imperfections Authentication Attachment to document Intent of the signor Document integrity Forgery Electronic copying can disassociate signature from document Signature pages can be replaced Wordprocessed pages can be replaced and altered without detection

II Before E-SIGN, the Law Pertaining to Traditional Signatures in Massachusetts

7 Before E-SIGN Many Massachusetts state statutes and regulations: require signature for a particular transaction Suggest what that signature must consist of Statutes of frauds: Some contracts not valid unless reduced to writing.

8 Before E-SIGN Various sections of the MGL and regulations Defined signatures loosely to include many different kinds of signatures or Defined signatures tightly to exclude many different kinds of signatures or Explicitly prohibited use of electronic signatures

9 Mass. Common Law on Signatures was Liberal Where validity of electronic records not at issue, courts treat in the same way as paper records. In the absence of state statute specifying a “wet” signature, lower level courts have permitted a number of different kinds of signatures. Negotiations conducted through , fax and phone call satisfies Long Arm Statute Lenient with respect to non-traditional signatures and records (e.g. facsimile signature) Telegram is a writing under statute of frauds State trooper report signed via valid

10 IIIE-SIGN In the US, business and legal community concerned about validity of electronic signatures, contracts and other records under state law Some states pass electronic signature laws No uniformity; not technology neutral Global issue United Nations Commission on International Trade Law (“UNCITRAL”) Model Law on Electronic Commerce. Addresses electronic signatures

11 E-SIGN (cont.) 1999 National Conference of Commissioners on Uniform State Laws (NCCUSL) drafts the Uniform Electronic Transactions Act (UETA). Incorporates many provisions from UNCITRAL Model Law. Uniform, technology neutral A few states start enacting UETA ----in a non-uniform manner

12 Federal E-SIGN, effective 10/01/00. Goal: bring uniformity and technology neutrality to electronic signatures, contracts and records law in the US Mechanism: pass Federal law to pressure states to adopt uniform version of UETA Validates electronic signatures, contracts and other records for most transactions Preempts state law to the contrary Reverse preemption provision

13 E-SIGN, cont. Exemptions for: Family law Hazardous waste transportation Some transactions covered by the UCC; but E-SIGN does apply to sections 1-107(waiver or renunciation of claim after breach) and (statute of frauds for contracts pertaining to personalty other than contracts for sale of goods covered by article 2-201, securities and security agreements); and Articles 2 (sale of goods) and 2A (leases).

14 E-SIGN, (Cont). Scope: Documents related to transactions in interstate and foreign commerce Only state government transactions covered are those related to procurement Limits state and Federal government ability to regulate in favor of hard copy records used in private transactions

15 E-SIGN (cont.) Because E-SIGN did not cover most agency transactions, Agency Counsel needed to review Massachusetts statutes and regulations in order to determine whether their agency could use electronic signatures.

16 E-SIGN Reverse Preemption Provision In States that pass National Commission on Uniform State Law version of the Uniform Electronic Transactions Act, section 101 of E- SIGN (the validating provisions) is replaced by the state UETA States that pass non-uniform versions of UETA may have some or all of their state UETA reverse-reverse-preempted by E-SIGN

17 Progress of Reverse Preemption As of today, 44 states have enacted some form of UETA and therefore are not subject to section 101 of E-SIGN UETA (MUETA) enacted in Massachusetts in 2003 (Senate 2076 ).

18 IVMUETA Effective February 18, 2004 Codified at Mass. Gen. L. ch. 100G Chapter 133, Acts of 2003 Applies to any electronic record or electronic signature created, generated, sent, communicated, received, or stored on or after MUETA’s effective date.

19 MUETA and E-SIGN differ in a number of ways, including … MUETA applies to all government transactions, E-SIGN only to government procurement transactions Aside from their explicitly excepted provisions, E-SIGN covers only interstate and foreign commerce transactions, MUETA covers all transactions covered by the law of the state in which MUETA is enacted

20 E-SIGN and UETA Both say…. Electronic signature, cannot be denied legal effect or enforceability solely because it is electronic Signatures subject to E-SIGN/MUETA are also subject to other substantive law Ex: state law regarding age at which person has capacity to create legally binding signature is not affected by E-SIGN

21 Neither E-SIGN nor MUETA says…. To use a particular electronic signature technology; both are “technology neutral”

22 Agency Counsel Need to Know…. Does MUETA Apply? If so, what part? Is the transaction subject to consumer or other disclosure or notice laws? Does the ES comply with the standards issued by SPR, RCB and ITD? Is the use of the ES voluntary? Does the electronic system address the elements required by MUETA?

Does MUETA Apply? If So, What Part of MUETA?

24 MUETA applies to: Both “transactions” and government’s non transactional activity Different sections of MUETA apply to transactional and non transactional activity Transaction is defined as “an action or set of actions occurring between two or more persons relating to the conduct of business, commercial or governmental affairs” Example: issuing a license to a doctor to practice in Massachusetts

25 MUETA applies, cont. Transactions do not include unilateral actions. Example: Using an electronic system to approve timesheets.

26 MUETA applies (cont.) Exemptions: If they apply, electronic signatures and records not necessarily invalid but can’t rely on MUETA to validate. Exclusions include: Creation and execution of wills, codicils or testamentary trusts Massachusetts UCC, other than sections 1-107and , section 2 and section 2A of chapter 106 Adoption, divorce or other matters of family law Court orders or notices, official court documents including briefs, pleadings, and other writings, required to be executed in connection with court proceedings

27 MUETA applies (cont.) Any notice of the cancellation or termination of utility services (water, heat, power); of default acceleration, repo, foreclosure, eviction, or right to cure, under a credit agreement secured by, or a rental agreement for, a primary residence of an individual; Cancellation or termination of health insurance or benefits or life insurance benefits, excluding annuities; Recall of a product Documents required by law to accompany transportation or handling of hazmat, pesticides, or other toxic or dangerous materials.

Transaction Subject to Consumer or other Disclosure or Notice Laws?

29 Disclosure or Notice MUETA is written so that it does not reverse- preempt E-SIGN section 7001(c), a consumer protection provision. Must follow rules for consumer disclosure when engaged in market activity with consumer MUETA’s own rules regarding compliance with notice or disclosure (whether or not consumer related) in connection with electronic transaction. MUETA section 8 Example: state law requiring translation of certain notices

Does the Signature Comply with the Standards Issued by the Supervisor of Public Records, RCB and ITD and, for contracts, OSC?

31 Standards General provisions of MUETA say that SPR, RCB and ITD “shall determine whether, the extent to which and the manner by which such entities shall create, maintain and preserve electronic records, signatures and contracts and the method of converting paper government records to electronic format”

32 Current Standards SPR Bulletins 1-99 ( ) 1-92 (fax transmissions) 1-93 (optical media) 4-96 (access and copying of electronic public record)

33 Current standards (cont.) RCB Statewide Records Retention Schedule 04/04 Guideline for documentation of recordkeeping systems

34 Standards (cont.) ITD Evolving standards for information technology in general, nothing specific re: electronic signatures yet.

35 OSC and Electronic Signatures on Contracts MUETA makes ITD is the agency with authority to say when Executive Department agencies can use electronic records and signatures ITD is currently following OSC’s lead in determining when OSC is comfortable having agencies use electronic signatures for state contracts, since OSC is the subject matter expert in that area. OSC has not yet authorized use of electronic records or signatures for state contracts

Is use of the ES Voluntary?

37 Voluntary MUETA doesn’t require any government agency to use electronic signatures Nor does it require any citizen or business to use an ES when doing business with us; to the contrary, MUETA only validates electronic signatures when used voluntarily in transactions

38 Voluntary (cont.) Practical implication for agencies: always keep a paper option for those with whom your agency engages in transactions. Agency relying on MUETA for validation cannot force citizens or businesses to use electronic signatures for transactions.

Does the Electronic System Address the Elements Required by MUETA for a Valid Electronic Signature?

40 E-SIGN and UETA both define the term electronic signature An electronic signature is: [E-sign] An electronic sign, symbol or process [MUETA] Information or data in electronic form attached to or logically associated with a contract or other record executed or adopted by a person with the intent to sign the record

41 Elements An electronic “sign, symbol or process”, or electronic “information or data”, that constitutes the signature

42 Creating Legally Valid E- Signatures… 1.“By a Person”---Proper authentication of the signor. Authenticate means to determine the signor’s identity Authentication can be complex or simple. Different levels of authentication can be chosen depending on the purpose of transaction. For some transactions, no authentication may be required. Typically, look to factors such as whether signature is likely to be denied by putative signor, and legal significance of signature.

43 Creating Legally Valid Electronic Signatures… Example: U.S.Patent and Trademark Office trademark registration. Mickey Mouse can do it! Mass DOR: Filing taxes Mass. DEP: Filing for environmental permit Compare: online application for welfare benefits

44 Legally valid… Typical means of authentication: something you have, something you know Ex: At ATM machine, you insert your card (something you have) and provide your PIN (something you know) Ex: Criminal History Systems Board provides gun dealers with biometric scanners (fingerprint devices) attached to their PCS so they can authenticate holders of gun licenses

45 Legally valid… 2.“Executed or adopted…” Not enough for user to be identified Has to take some step that indicates that he executed or adopted Click on a button that says “sign”, “I Agree”, etc. Present screens and choices to the signor that make clear what he is signing and that he is signing; capture his intent.

46 Legally valid… 3.Attach the signature to the document, or logically associate signature with document

47 Legally valid….. 4.Protect the integrity of the signed electronic document. Document retrieved from the system must be identical to the document signed. Audit trail with good security Data authentication software Encryption

V TECHNOLOGY NEUTRALITY

49 Any technology that meets the four ESIGN/UETA requirements can be used to create a valid Electronic Signature Click through choices online at an online “Store”. LL Bean Multi-factor authentication and click throughs (use of ATM) Digitized signature Use your credit card at Macy’s Digital Signature

50 Digital Signatures Digital signatures: Are placed on specific data like an or web page Verify integrity of document signed Can be used to verify that the data comes from where it claims to come from Use cryptography Holder of private key encrypts (can’t forge unless you have access to this) Holder of public key can de-encrypt

51 Digital Signatures, cont. Meets all four E-SIGN/ UETA requirements Challenging to administer Can’t use with “strangers” because no widely used digital identities Certification authorities HHS HIPAA Security Regs

VI MYTH OF NONREPUDIATION

53 The Myth of “Nonrepudiation” Statutory and Common Law reasons for repudiating a traditional signature: Forgery or Not forgery, but signature obtained under (1) unconscionable conduct by party to transaction; (2) fraud instigated by third party; (3) undue influence exerted by third party

54 Forgery in Common Law Jurisdictions If a person denies that a signature is his, the relying party has to prove that it is truly that of person denying it. Onus of proof is on person seeking to rely on signature

55 Forgery, cont. Traditional trust mechanism: witnessing the signature. He who would rely on a signature that is denied produces a witness who saw the signature being made.

56 Technical Non Repudiation Authentication that provides “proof” of the integrity and origin of data in an unforgeable relationship, which can be verified by any third party at any time or Authentication that with high assurance can be asserted to be genuine, and that cannot be subsequently refuted.

57 Problems with Technical Non- repudiation Private key theft or illicit usage; identity theft Relies on post-signature events, where traditional trust mechanism relied on event at time of signature (witness) Use of “non-repudiation bits”, extension of digital signature, only verifies that the private key of the person whose public key is specified in the DS was used to affix the digital signature.

58 Legal Nonrepudiation: Legal Movement to Reverse Burden of Proof re: electronic signatures UNCITRAL Model Law on Electronic Commerce Article 13 Alleged signatory would have burden of proof to show that he or she did NOT digitally sign a given document (i.e. that it is a forgery) MUETA does NOT support legal nonrepudiation

59 Take Home Message on Non- Repudiation Not achieved technically Legally indefensible Don’t write it into state law or regulations ITD will not authorize

60 Practical Tips Know your CIO and IT staff and ask them lots of questions Get involved in agency IT development projects from day one Review all ES components as system is being developed Apply the analysis set forth in this presentation

61 MUETA Resources NCCUSL notes on UETA are excellent and judges likely to find them persuasive ITD Little case law on transactions covered by E-SIGN and UETA, but there will be more.

Contact Information Linda Hamel General Counsel Information Technology Division Commonwealth of MA (617)