Electronic Signatures in Global and National Commerce Act

 

By John S. Stolz and John D. Cromie
© 2001 American Bar Association. Reprinted with permission.

On October 1, 2000, the United States took a substantial step toward bringing the business world up to speed with the rapidly evolving landscape of e-commerce when the "Electronic Signatures in Global and National Commerce Act" ("E-Sign") came into legal effect. Despite the importance of this legislation, to most of us, it was just another day. A Sunday no less. Yet, with most of this country unaware of its birth, E-Sign was already up and running.

Essentially, this federal legislation is designed to bridge the gap between business transactions and on-line technology. Its fundamental purpose is to remove existing legal impediments to the use of electronic contracts in order to facilitate the growth of e-commerce.

To accomplish this objective, section 101(a) of E-Sign provides that a signature or contract may not be denied legal effect "solely because it is in electronic form." In turn, an electronic signature is defined as any "electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or accepted by a person with the intent to sign the record." While this definition may seem vague at first, in reality, most of us unknowingly use some form of electronic signature on a regular basis.

For instance, using a PIN or password to access an ATM, enter a Web site or purchase merchandise on-line is a common form of electronic signature. In such cases, a birthday, anniversary or the name of a pet serves as a unique identifier that you are who you claim to be and gives you some level of identity in an otherwise impersonal medium. Alternatively, a name typed at the end of an e-mail or even a digitized image of one's handwritten signature could likewise qualify as an electronic signature under E-Sign.

If these methods, however, do not provide the level of security required, then the use of digital signature technology may provide the answer. Since E-Sign was designed to be technology neutral, it does not accord greater legal status or effect to the use of one technology over another in creating, using or transmitting electronic records or signatures.

The ultimate goal of E-Sign is to permit contracting parties to take advantage of the efficiencies that only the digital world can offer. Indeed, the virtually instantaneous exchange of documents between contracting parties eliminates the time lost to traditional carriers such as "snail mail" or the quality degradation which results from repeated faxing.

By giving legal effect to electronic contracts and signatures, it is hoped that E-Sign will foster the overall improvement of e-commerce by enabling contracting parties to reduce customary transaction costs and increase the speed at which deals can be completed. In putting this grand scheme together, Congress even remembered to provide for e-notarization.

However, E-Sign does not apply to all writings. In terms of scope, E-Sign applies to "any transaction in or affecting interstate or foreign commerce." The term "transaction" is defined as "an action or set of actions relating to the conduct of business, consumer, or commercial affairs between two or more persons." E-Sign does not apply to either non-transactional or unilateral actions. Moreover, as a matter of specific exclusion, E-Sign does not apply to wills, family law matters, court orders and certain types of legal notices.

Through the enactment of E-Sign, the federal government has not only acknowledged the critical role of technology in today's business, it has implemented a system of rules governing the use of technology in order to ensure national uniformity in the face of conflicting state laws.

To be sure, a majority of states already have some form of legislation governing the use of electronic signatures, most of which permit the use of electronic signatures only under certain circumstances and only if certain prescribed technologies are used in the process. While these statutes no doubt were designed to facilitate the use of modern technology in business transactions, the potential pitfalls for interstate contracting parties are readily apparent, especially where each party's respective state does not acknowledge the other's specified technology platforms.

To combat these problems, the National Conference of Commissioners on Uniform State Laws ("NCCUSL") in late 1999 recommended the Uniform Electronic Transactions Act ("UETA") for enactment in all States. Simply stated, UETA recognizes that electronically based transactions and records are the "functional equivalent" of their paper counterparts. UETA was designed as model legislation to complement existing digital signature laws at the state level while, at the same time, providing a clear framework for validating and effectuating electronic records and signatures in e-commerce.

Sound familiar?

E-Sign was carefully drafted to peacefully co-exist and partner with UETA. In fact, Section 102 of E-Sign expressly recognizes the existence of UETA and acknowledges that individual states, through the enactment of UETA, can modify, limit or supersede the provisions of E-Sign without fear of federal preemption unless such enactment is clearly inconsistent with the congressional mandate. To further avoid such inconsistency, any future adoption of UETA by an individual state must expressly refer to E-Sign.

The reality of federal preemption, however, is not great given the fact that both E-Sign and UETA share essentially the same fundamental purpose of fostering the growth of e-commerce by proliferating the expanded use of electronic contracts and signatures. E-Sign, in many ways, mirrors the model language of UETA. Both are minimalist and procedural. Moreover, both provide a uniform framework for the creation and use of electronic signatures and records while, at all times, deferring to applicable substantive law.

As a result, E-Sign is able to provide the same national uniformity in the use of electronic signatures and records that is sought by UETA, without needing to wait for individual state enactments of UETA's model language. While such uniformity is necessary in order to foster the nation-wide growth of e-commerce, there are, nevertheless, a few major issues that must be considered before parties eagerly begin clicking "I agree" at the end of an electronic agreement.

After reading Section 101(a)(1) of E-Sign, the first issue that may come to mind is its impact on the Statute of Frauds. Although its legal significance has greatly diminished over time, the Statute of Frauds' mandate that certain contracts be reduced to a writing has been further expanded by E-Sign. From this point forward, an electronic contract or record shall also qualify as a type of writing which may otherwise satisfy the Statute of Frauds. That much being said, however, the remaining requirements of the Statute of Frauds or other applicable law must still be satisfied. It is only after the requirements of substantive law have been addressed that E-Sign will honor an electronic record with legal effect.

With that in mind, a substantive legal issue raised by electronic contracting concerns the fundamentals behind contract formation. Take, for instance, a typical click-wrap agreement. As its name implies, a click-wrap agreement prompts a user to mouse-click "I agree" at the end of a disclaimer, license or other statement before using software, entering a Web site or perhaps purchasing merchandise on-line. While the "offer" presented by such an agreement may be unambiguous, the form of "acceptance" could, nevertheless, raise a number of questions.

In terms of the manifestation of the willingness to enter into a contract, hornbook law tells us that the requisite intent and manifestation of assent are to be gleaned from the surrounding circumstances. Thus, while there may not be a ceremonial handshake or signature on a dotted line, the use in the 21st century of a mouse-click will likely be interpreted as a sufficient indication of one's intent to enter into a contract.

More pressing, however, is the issue of the person clicking the mouse and the data being transmitted as a result. In order for the system contemplated by E-Sign to work, there must be protocols in place to ensure that issues such as authenticity, integrity, nonrepudiation and security are adequately addressed.

To be sure, when dealing in a faceless medium, it is imperative that the parties involved are confident that electronically transmitted data is secure, will be viewed by the intended party and ultimately provides the foundation for an understanding between two willing parties who have the authority to enter into a binding agreement. Only after these issues are resolved can parties confidently enter into the digital realm without fear that their records are not reliable or enforceable.

Regarding authenticity, there must be some assurance that the person on the other end of the computer is the person he or she actually claims to be. A party acting in reliance on an electronic record must be confident that the message is not a forgery and is attributable to a designated party. The ability to establish the authenticity of an electronic record is also important if its enforceability is challenged.

It is equally important for the underlying system facilitating an electronic transaction to maintain the integrity of the data being transmitted. The document sent must be the same as the one received, with no unauthorized or accidental alterations during or after delivery. The system must permit the parties to access the electronic record and accurately reproduce it in the future. Again, the underlying system must also be proven to be reliable should a dispute arise as to the record's content.

This need to establish authenticity and maintain data integrity naturally leads to the overall enforceability of an electronic transaction. If neither authenticity nor data integrity of an electronic record can be preserved during the course of a transaction, then the underlying deal may be subject to repudiation. Since E-Sign and UETA view electronic records and signatures as the functional equivalent of paper and ink, it is essential that parties be able to rely on the electronic system to generate a product that cannot be repudiated due to some defect in the electronic infrastructure.

Indeed, one of E-Sign's potential pitfalls is its lack of guidance in prescribing the type of technology which must be used in order for an electronic record or signature to meet the functional equivalence standard. In terms of comparison, a paper-based transaction has the built-in security of handwritten signatures, in ink, on agreements reduced to a tangible writing.

In the electronic medium, electronic signatures, encryption techniques, access controls and date/time stamps serve as the functional equivalent. By operating from the standpoint of technological neutrality, E-Sign has left it to the contracting parties to determine for themselves the best method to ensure attribution and data integrity in a given transaction.

Attribution is most commonly addressed through the use of passwords, PINs or some other electronic signature equivalent in conducting e-commerce transactions. While this form of security may be sufficient to assure attribution in typical business-to-business or business-to-consumer retail transactions, the potential insecurity of sharing your password and PIN with a web host or other service provider may be an unwarranted risk under different circumstances. Considering that attribution and integrity are a function of the underlying security system used to facilitate the transaction, the level of security employed should vary depending on the nature of the deal itself.

One popular form of security measure is the use of digital signatures based upon public key infrastructure or PKI. As a specific subset of electronic signature technology, this is not to be confused with a digital rendering of a handwritten signature. By contrast, the digital signature system uses asymmetric or public key cryptography to not only establish authenticity, but to also protect data integrity.

With PKI, before an electronic record can be signed, the sender must first create what is referred to as a public key/private key pair. The private key is kept (as its name implies) private, and is used for creating digital signatures. The public key, on the other hand, is directly attributable to a real person, called a subscriber, and is created and issued through the use of a trusted, third-party intermediary known as a certificate authority ("CA").

The recipient must have software containing the same cryptographic logic used by the sender in order to decrypt the message by using the sender's public key. Only the sender's public key can be used to decrypt a message encrypted with the sender's private key, and attribution is ultimately established when the recipient is able to successfully decrypt the sender's message. Lastly, the software then compares the electronic record sent against the record received and can immediately identify if it has been altered in transit, thereby ensuring data integrity.
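
As an added illustration (not part of the original article), the following Go program carries out the sign-and-verify sequence described above using the standard library's Ed25519 scheme, in which the recipient checks a signature over the record rather than decrypting it. The record text, the `SignedRecord` type and the function names are constructed for this example, and the recipient is assumed to already hold the signer's public key from a CA-issued certificate.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedRecord (hypothetical type) pairs an electronic record with its signature.
type SignedRecord struct {
	Record    []byte // the record exactly as the sender signed it
	Signature []byte // Ed25519 signature over Record
}

// SignRecord is run by the sender; only the private-key holder can produce
// a signature that verifies under the matching public key.
func SignRecord(priv ed25519.PrivateKey, record []byte) SignedRecord {
	return SignedRecord{Record: bytes.Clone(record), Signature: ed25519.Sign(priv, record)}
}

// VerifyRecord is run by the recipient with the sender's public key. It
// returns false if the record was altered or was signed with another key.
func VerifyRecord(pub ed25519.PublicKey, sr SignedRecord) bool {
	return ed25519.Verify(pub, sr.Record, sr.Signature)
}

// Demo checks three cases: the intact record, the same record altered in
// transit, and the intact record checked against a different party's key.
func Demo() (intact, altered, wrongSigner bool) {
	sellerPub, sellerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not taken from the article.
	sr := SignRecord(sellerPriv, []byte("Buyer will purchase 100 units at $25.00 each. I agree."))
	intact = VerifyRecord(sellerPub, sr)

	// Integrity: one changed price invalidates the existing signature.
	forged := bytes.Replace(sr.Record, []byte("$25.00"), []byte("$52.00"), 1)
	altered = VerifyRecord(sellerPub, SignedRecord{Record: forged, Signature: sr.Signature})

	// Attribution: the signature does not verify under anyone else's key.
	wrongSigner = VerifyRecord(otherPub, sr)
	return intact, altered, wrongSigner
}

func main() {
	fmt.Println(Demo())
}
```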

Although the use of PKI digital signatures may appear to answer many of the questions raised concerning authenticity and integrity, E-Sign has been careful to leave the choice of technology to the parties themselves. No security measure can be accorded greater significance than another as a matter of law.

Without minimum requirements or prescribed standards for security measures, however, the entire concept of transacting in the digital arena may end up being rife with abuse. On the other hand, perhaps the market will play an active role in the evolution of a technological industry standard for e-commerce transactions. Then again, maybe it is just too soon to tell.

In any event, once the underlying transaction has been completed, its electronic record must be retained in such a manner that it accurately reflects the final form of the information prior to storage. Naturally, the stored record must remain accessible by the designated parties for future reproduction. In order to validate electronic records as functionally equivalent to written documents, the storage medium used must preserve the record's integrity. As with facilitating the electronic transaction itself, the choice of archival technology is left to the parties.

As time goes on, however, issues of technological obsolescence will arise as older records and data must be safely converted to newer storage media. It logically follows that there will be a constant need to adapt and improve the systems that are being used to facilitate electronic contracting. The primary reason for Congress' laissez-faire attitude in terms of dictating technology standards is precisely to enable the market to determine what's best for e-commerce.

While it is too early to tell whether E-Sign's lack of technological standards and guidelines will be the bane of all who dabble in the virtual arena, it cannot be disputed that Congress is headed in the right direction. The public, however, must first be educated to realize that electronic transactions must be taken seriously and should not be entered without an understanding of both the relevant security issues as well as the legal ramifications of their electronic actions.

In the end, the law must be flexible in order to grow and adapt to meet the challenges presented by the technological revolution. This legislation is a bold step toward that goal and permits capable parties to utilize recent innovations to increase efficiency and save money in e-business. There will undoubtedly be bumps along this road, but with the passage of E-Sign leading the charge, the future is only a click away.