The Net Effect: Electronic Signatures in Commerce

By Michael S. Yang

There are now an estimated 400 million Internet users worldwide, with approximately one-third of those users in the United States. Since 1995, the year Amazon.com brought electronic commerce to the mainstream, over sixty percent of all Americans have established Internet access. By comparison, it took over thirty years for the telephone to find its way into sixty percent of American homes.

Not only has the number of users around the world been increasing, but the rate of growth of Internet communications traffic has also been accelerating, bound only by the limitations of physical infrastructure. The volume of this traffic is estimated to be doubling every year, with data traffic volume predicted to surpass voice traffic volume by the end of 2002. According to the Computer Industry Almanac, it is estimated that by the end of 2005, there will be over 1 billion people with access to the Internet.

As the Internet has grown, so has its versatility. A recurrent theme in the expansion of the Internet as a productivity resource is the idea of using the virtual, digital world to bring convenience to conventional or routine tasks. As a result, electronic commerce and electronic business methods such as online shopping, online banking and financial services, and online publishing and media have seen tremendous growth over the past few years.

Many businesses have realized that utilizing electronic business methods can result in lower operating costs and prices as well as increased efficiency and convenience.  For instance, the airline industry reports that it costs $8 to process a traditional reservation and $1 to process a ticket electronically.  It costs a bank a penny to conduct a transaction over the Internet but more than $1 if handled by a teller.

State and federal governments have also been inspired by the cost and efficiency savings of conducting transactions via the Internet. The State of Maryland is one of a growing number of governments and businesses taking advantage of the benefits in conducting transactions on-line. For example, the Maryland State Comptroller of the Treasury’s Office (the “Comptroller”) features a pilot program that assists new businesses in the registration process for state tax accounts. The Combined Registration Application (“CRA”), completed on-line, is used by the Comptroller to open accounts for sales and use tax, employer withholding, unemployment insurance, admissions and amusement tax, tire recycling fee and transient vendor licenses. Registrants complete a new registration form by following the prompts and, once submitted, the information is transmitted to the necessary agencies. Maryland’s electronic CRA system accelerates the business registration process and enables the Comptroller’s office to digitally manage the large volume of business tax registrations.

Regulation of Electronic Contracting

The proliferation of these electronic commerce and business methods evidences the need for legal certainty in electronic contracts. Practically every state, beginning with Utah in 1994, has enacted some form of legislation governing electronic transactions or electronic communications. While Utah’s legislation specified the required mode for electronic contracting, most other state legislation has been less specific. Most states have focused on removing technical barriers to electronic contracting by eliminating inconsistent or otherwise burdensome regulations and addressing issues relating to the legal adequacy of electronic contracts versus paper contracts. Some states provide that any type of electronic signature is valid, while others require some minimal form of security (such as being able to verify that a message has not been altered). Some state statutes apply only to electronic communications with the government, or only to specific transactions, while other states have adopted broader statutes that apply to both the public and private sector.

In Maryland, both the House and Senate of the General Assembly considered versions of the Maryland Digital Signatures Act, which had an approach similar to that of Utah. Neither version of the Act was ever enacted, nor were various other Acts introduced specifically regarding the use of electronic or digital signatures. However, the General Assembly enacted the Maryland Digital Signature Pilot Program on May 12, 1998. This program is limited to communications among governmental entities and is intended to: (a) enable State agencies to conduct electronic transactions in a secure manner, (b) authenticate the involved parties, and (c) provide more efficient service to the citizens of Maryland. Pursuant to the program, the Secretary of State adopted regulations to implement and administer a method to conduct authenticated electronic transactions using digital signatures. These regulations are available in Section 01.02.10 of the Code of Maryland Regulations.

Uniform Electronic Transactions Act

The National Conference of Commissioners on Uniform State Laws (NCCUSL) attempted to eliminate the inconsistency of this developing patchwork of state laws by approving and recommending that all states enact its 1999 final draft of the Uniform Electronic Transactions Act (UETA). UETA is a procedural act establishing the framework for enforceable electronic contracts and valid electronic signatures to govern electronic records and electronic signatures relating to specified transactions. UETA has been enacted in some form by 28 states as of April 6, 2001 (with another 18 states considering adoption).

UETA provides that a record or signature may not be denied legal effect or enforceability solely because it is in electronic form.  It also provides that a contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.  UETA applies only to transactions between parties, each of which has agreed to conduct transactions by electronic means.  Whether the parties have agreed to conduct a transaction by electronic means may be determined from the context and surrounding circumstances, including the parties’ conduct. According to UETA, an electronic record or electronic signature is attributable to a person if the record or signature was the act of the person.  The act of a person may be reflected in any manner, including demonstrating the efficacy of any security procedure applied to determine the person to whom the electronic record or electronic signature was attributable.

Maryland enacted a variation of UETA (MUETA) on April 25, 2000.  MUETA differs from the NCCUSL draft in that it makes modifications to the scope of UETA and excludes certain transactions from the scope that are not mentioned in the NCCUSL version.  In particular, MUETA contains variations to certain consumer and security provisions of the NCCUSL version.

Electronic Signatures in Global and National Commerce Act

While Maryland was one of the first states to adopt a version of UETA, not all states have been as quick in adopting the uniform provisions.   In part because of the existence of an array of non-uniform state laws relating to electronic contracting and in response to an increasing demand from the technology and financial sector, Congress enacted the Electronic Signatures in Global and National Commerce Act (E-SIGN) on June 20, 2000, which became effective in large part on October 1, 2000.   Like UETA, E-SIGN is “technology neutral,” meaning that no particular technology or methodology is mandated in order to establish a valid electronic signature. E-SIGN adopts the general rule that any signature, contract, or other record relating to a transaction involving interstate commerce “may not be denied legal effect, validity or enforceability solely because it is in electronic form.”

E-SIGN sets forth disclosure and consent provisions for consumer transactions in addition to those for traditional pen-and-ink transactions.  Under Section 101(c), electronic records can be used in a consumer transaction only after “affirmative consent” is given by the consumer based on disclosure by “clear and conspicuous” notification of rights and information as to any hardware and software requirements necessary for the consumer to access and save such electronic records.

E-SIGN does not require any person to use or accept electronic signatures — only government agencies are required by the Act to accept electronic records. Among the limited exclusions to E-SIGN are statutes governing wills, codicils and testamentary trusts, regulation of family law matters, most provisions of the Uniform Commercial Code (UCC), court orders, and certain classes of consumer notices and documents required to accompany the transportation of hazardous materials.

Both E-SIGN and UETA have the same effect upon the UCC.  E-SIGN and UETA expressly apply to the sale of goods and leases under Articles 2 and 2A of the UCC, and the statute of frauds for the sale of personal property other than goods under Section 1-206 of the UCC.  E-SIGN and UETA also permit electronic waivers of claims after a contract breach under Section 1-107 of the UCC.  E-SIGN and UETA do not, however, cover the use of electronic signatures or records for commercial paper transactions under Article 3 of the UCC, bank deposit and collections under Article 4 of the UCC, documents of title under Article 7 of the UCC, and security interests in personal property under Article 9 of the UCC.

While E-SIGN does not supersede UETA, it preempts all other electronic signature and records statutes as well as any conflicting state-enacted variations of UETA. Consequently, state laws that specify particular technologies (such as Utah’s, which requires the use of digital signature technology) are preempted by E-SIGN. E-SIGN preserves all other state and federal consumer laws except those laws that require signatures, contracts, and records to be in written form.

While many E-SIGN provisions were based on comparable provisions in UETA, there are various distinctions that will raise interpretive issues as determinations are made regarding which state law provisions on electronic signatures and records are preempted by E-SIGN.  The most significant UETA provisions that were not included in E-SIGN are those regarding attribution of electronic signatures, such as determining when messages are deemed to be sent or received, mistakes in electronic contracting, and the admissibility of electronic records as evidence.

States can avoid preemption by E-SIGN if UETA is adopted in the form recommended by NCCUSL without exclusions or the imposition of specific requirements on electronic transactions or records. States that have adopted variations of UETA relating to consumer and security protections face uncertainty regarding the preemption of these variations by E-SIGN until judicial or regulatory actions occur. In Maryland, an amendment to MUETA was enacted on May 15, 2001, which specifically prohibits the provisions of MUETA from modifying, limiting, or superseding provisions of E-SIGN relating to consumers and electronic records. The amendment also exempts notices of product recall or material failure of a product, documents that accompany toxic or other dangerous materials, and transactions involving family law from MUETA.

Electronic Signatures

Section 101(a) of E-SIGN provides that “a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form.”  The primary inquiry, therefore, is the question of what is a signature “in electronic form” or an “electronic signature.”

An electronic signature is defined under section 106 of E-SIGN as “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”  Under this broad definition, virtually any action evidencing intent may be considered an electronic signature.  Electronic signatures may be used to create “electronic records,” defined as “a contract or other record created, generated, sent, communicated, received, or stored by electronic means.”  Although E-SIGN does not affect the availability or validity of ordinary, pen-and-ink signatures on contracts, electronic signatures give parties another medium for creating binding contracts if both parties agree to use them.

The use of electronic signatures is commonplace for most (if not all) computer and Internet users.  One of the most common types of electronic signature is the username-password pair.  The entry of a username and password to log-on to a computer network or website, to place a bid on an online auction item, or to access financial records constitutes an electronic signature under E-SIGN.  Electronic signatures do not have to be secret or hidden; for example, clicking “I Accept” after viewing the terms and conditions of an agreement also constitutes an electronic signature because it is a process that evidences intent to agree to the terms of a contract.  Another method commonly used with consumers is the creation of an electronic signature based on specific, personal data provided by the consumer (e.g., social security number, birth date, street address, etc.). When this data is combined, a unique string of data is formed which can then be used as an electronic signature.

Because E-SIGN is technology neutral, the actual technology used in creating or effecting an electronic signature is at the discretion of the parties to the contract or record. Thus, E-SIGN not only permits flexibility in the types of electronic signatures used, but also leaves the door open to new technologies to be developed.  This may become more significant as alternative means of identification such as voice recognition, biometrics (e.g., retina scans, fingerprint scans, etc.), and smart cards are developed and perfected for mainstream use.

A significant barrier to using electronic signatures is data security.  Under both UETA and E-SIGN, the parties to a contract are free to choose a method that may be secure or insecure, as is appropriate for the nature of the particular contract.  For a system of electronic signatures to become widely accepted, two important areas must be addressed: system architecture and user confidence.

The only way that a valid electronic record may be created is through the use of a system that is functional, reliable, and secure.  In a traditional, face-to-face business situation, issues of authenticity and data security are not typically problematic — parties can easily verify the identity of individuals and can witness the review and execution of documents.  The advantage of being able to conduct transactions via the Internet or a computer network brings with it potential problems of uncertainty with respect to identity, security, and confidentiality.  Therefore, the system architecture must be reliable and secure such that the authenticity of electronic signatures and electronic records may not be invalidated or repudiated.  Usability of a system is also important, as issues of cost and efficiency must be considered in selecting a method that is not overly burdensome and unnecessarily difficult to use.

Users of the systems also must have confidence in the operation and integrity of the systems so that neither party will fear repudiation of the validity of an electronic signature.  It is entirely up to the parties to choose or design a system that will provide data security such that both parties are willing to use and rely upon the integrity of the data transmitted over the system.  Currently, no universal format for the use of electronic signatures exists; therefore, the parties must first agree upon a type or system of electronic signature to use.  Methods commonly used to create confidence in a system include private, limited access networks, data encryption, and data archiving, and the nature of the transaction will dictate the level of data security used. The use of electronic signatures in electronic records will gain widespread acceptance only when the parties to a transaction can be reasonably confident that their use of electronic signatures will not be invalidated or repudiated due to technological issues that would not otherwise arise with traditional pen-and-ink signed documents.

Digital Signatures

A form of electronic signature commonly used to address issues of data security is the digital signature.  A digital signature is not just a “digitized signature” or the graphic rendering of a hand-signature (which may be used as an electronic signature).  Instead, a digital signature is a type of encryption technology that uses asymmetric cryptography to create unique digital keys that, when used together, provide both data security and authenticity.

One type of asymmetric cryptography is public-key encryption, which uses a combination of private and public keys, with the private key available only to one party, and the public key available to anyone. The private and public keys are generated via a mathematical algorithm and are mathematically related. Current standard levels of encryption use 128-bit encryption, offering up to 2 to the 128th power (340,282,366,920,938,463,463,374,607,431,770,000,000) possible combinations (with even stronger levels of encryption available). Though not an absolutely impossible code to crack, figuring out the exact algorithm has been analogized to finding a particular grain of sand in the Sahara Desert.

Use of digital signatures can also take the form of digital certificates, which represent independent verification that a particular network server or party is trusted by a certificate authority, and in turn trusted by the parties to a transaction.  Essentially, the certificate authority verifies that the parties are who they say they are, and automatically trades public keys for each party.  The use of such certificate authorities eliminates the need for each party to generate and manage public and private keys, and raises the level of usability.

Electronic Records

The section of E-SIGN that deals with retention of contracts and records (Section 101(d)(1), et seq.) provides that any retention requirement for contracts or other records is met by retaining an electronic record that accurately reflects the information set forth in the contract or record and remains accessible by all those entitled to access the contract or record in a form that is capable of being accurately reproduced for later reference.  This requirement is also technology neutral, leaving it up to the parties to determine how they will retain an electronic record.

E-SIGN encourages the electronic storage of records relating to business, consumer and commercial transactions by authorizing federal and state regulatory agencies to set standards for the retention of such electronic records. In general, E-SIGN preempts and supersedes any pre-existing agency requirement that a contract or record be retained in paper format if the contract or record is generated in a business, consumer or commercial transaction. However, the retention of electronic records provision of E-SIGN is not applicable to contracts or records generated for governmental purposes.

The Securities and Exchange Commission (SEC) is an example of a governmental agency that has already addressed the issue of retention of electronic records generated for governmental purposes in light of the provisions of E-SIGN.  On June 14, 2001, the SEC issued an interpretative release stating that issuers are required to retain paper forms of manually-signed signature pages or other authentication documents executed in connection with EDGAR filings despite the provisions of E-SIGN. SEC Release 33-7985, 34-44424.  Regulation S-T requires the issuers of securities to retain manually-signed signature pages or other documents that authenticate or acknowledge the signatures that appear in typed form on an electronically filed document. Under the SEC Release, the SEC took the position that because “authentication documents” constitute records that are generated principally for governmental purposes rather than in connection with a business, consumer or commercial transaction, the requirements to retain paper forms of the authentication documents under Regulation S-T are not subject to the provisions of E-SIGN.

Security and data integrity issues exist with respect to the storage of electronic records, as both parties must be able to ensure that tampering or alteration will not occur after a document has been electronically signed.  The parties must also consider issues relating to storage of electronic records.  While electronic records offer numerous advantages, including reduced storage space, searchability, and ease of access, the parties must ensure that they settle upon a technology that is usable and which will not become obsolete due to advances in hardware or software technology.

Section 101(d)(4) of E-SIGN contains a provision that specifically relates to the retention of checks, stating that if “statute, regulation, or other rule of law requires the retention of a check, that requirement is satisfied by retention of an electronic record of the information on the front and back of the check” consistent with the accuracy and retention provisions of Section 101(d)(1).  This section only relates to the electronic retention of checks, not to electronic payments by check.

The records retention provisions of E-SIGN will eliminate the need to retain paper copies of electronic records for purposes of complying with specific record keeping requirements (e.g., to comply with state law).  The provisions also permit parties who have collected paper records to convert those documents into electronic form, provided that the information is recorded accurately and is accessible.

As a result of E-SIGN, the appearance of certain types of contract documents and agreements will likely change.  Aside from the fact that in most cases there is no longer a requirement for a physical manifestation of a document, the parties are also no longer bound to have a traditional legal contract with a signature page.  Because the parties must retain a document pursuant to the record keeping provisions of E-SIGN, that document may specify, in lieu of a signature page, the nature of the assent or procedures under which it was executed.  The documents will likely be stored in formats that do not provide for alteration (e.g., image formats such as TIFF or file formats such as Adobe’s portable document format (PDF)) and which also provide for other forms of validation (e.g., byte counts, time/date stamps, etc.) to ensure that the document has not been modified or tampered with.
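The validation mentioned above can be sketched in code; this is an added example, not part of the original article, and it shows that a byte count alone misses a same-length alteration while a cryptographic digest catches it. The field names, sample contract text and archive key are constructed for illustration, and the HMAC seal is a keyed-hash stand-in, not the public-key digital signature discussed earlier.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace


@dataclass(frozen=True)
class RetentionEntry:
    """Archive metadata kept alongside a retained electronic record."""
    record_id: str
    assent_method: str  # nature of the assent, recorded in lieu of a signature page
    signed_at: str      # time/date stamp (ISO 8601)
    byte_count: int
    sha256: str


def make_entry(record_id, content, assent_method, signed_at):
    """Describe a record at the moment it is executed and archived."""
    digest = hashlib.sha256(content).hexdigest()
    return RetentionEntry(record_id, assent_method, signed_at, len(content), digest)


def check_record(entry, content):
    """Compare the stored bytes against the archived byte count and digest."""
    size_ok = len(content) == entry.byte_count
    digest_ok = hmac.compare_digest(hashlib.sha256(content).hexdigest(), entry.sha256)
    return {"byte_count_matches": size_ok,
            "digest_matches": digest_ok,
            "intact": size_ok and digest_ok}


def seal_entry(entry, key):
    """Keyed hash over the whole entry, so the metadata cannot be edited unnoticed."""
    canonical = json.dumps(asdict(entry), sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def seal_is_valid(entry, key, seal):
    return hmac.compare_digest(seal_entry(entry, key), seal)


# Constructed sample data: two contract texts of identical length.
ORIGINAL = b"Buyer agrees to pay $1,000 on delivery.\n"
ALTERED = b"Buyer agrees to pay $9,000 on delivery.\n"
ARCHIVE_KEY = b"constructed-demo-key-not-for-production"


def demo():
    entry = make_entry("contract-0001", ORIGINAL,
                       "clicked 'I Accept' after viewing terms",
                       "2001-11-01T15:04:05Z")
    seal = seal_entry(entry, ARCHIVE_KEY)
    backdated = replace(entry, signed_at="2001-01-01T00:00:00Z")
    return {
        "original": check_record(entry, ORIGINAL),
        "same_length_edit": check_record(entry, ALTERED),
        "truncated": check_record(entry, ORIGINAL[:-10]),
        "seal_ok": seal_is_valid(entry, ARCHIVE_KEY, seal),
        "backdated_seal_ok": seal_is_valid(backdated, ARCHIVE_KEY, seal),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```
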

Conclusion

The effects of E-SIGN will become apparent only after universal, commonly agreed-upon systems for electronic signatures are in place. Though E-SIGN paves the legal pathway for electronic contracting and the use of digital signatures in commercial contexts, at the present time, parties will encounter significant cost barriers to taking full advantage of E-SIGN. These costs can, for example, come in terms of the expense to parties in developing or agreeing upon a system or standard to use, updating and ensuring compatibility of existing records in the new system, or educating and familiarizing users (e.g., attorneys) with the system. Presently, no single standard for electronic signatures exists, and, generally, software and standards developed by one company are not compatible with those of other companies.

Though we have a glimpse of the future potential of electronic contracting, that potential has not yet been realized, and most likely will not be reached until universal security and protocol standards for electronic signatures are adopted and promulgated.  The significant advantages to be gained by realizing that potential will most likely drive the market to develop such standards and will permit transactions to be closed and hundreds of documents to be signed with the press of a button or click of a mouse.


Reprinted with permission from the November/December 2001 issue of the Maryland Bar Journal.