The Electronic Signatures in Global and National Commerce Act Digital Signatures and E-SIGN: Implications for PKIs Michael S. Baum, J.D., M.B.A., CISSP [email protected]
  • date post

    19-Dec-2015

Page 1: The Electronic Signatures in Global and National Commerce Act Digital Signatures and E-SIGN: Implications for PKIs Michael S. Baum, J.D., M.B.A., CISSP.

The Electronic Signatures in Global and National Commerce Act

Digital Signatures and E-SIGN: Implications for PKIs

Michael S. Baum, J.D., M.B.A., [email protected]

Page 2:

Agenda

• E-SIGN – Some relevant principles
  • Electronic vs. digital signatures
  • Nondiscrimination
  • Validity vs. enforceability
  • Limitations
• E-SIGN - Impact on PKIs
  • Technology neutrality
  • Federal preemption
• Responsive policy initiatives
  • The Multi-State Digital Signature Summit
  • Performance standards and the PAG
• Conclusions

Page 3:

E-SIGN in a Nutshell

• The Electronic Signatures in Global and National Commerce Act
• Simply prevents discrimination against electronic acts and records
• A psychological boost to E-commerce
• In balance, creates demand for PKIs
• Issues remain

Page 4:

E-SIGN Provisions

• Title I: Electronic records and signatures in commerce
• Title II: Transferable records
• Title III: Promotion of international e-commerce
• Title IV: Commission on Online Child Protection

This presentation targets E-SIGN’s critical implications for PKIs

Page 5:

E-SIGN Milestones

• The reconciliation of H.R. 1714 and S. 761
• Signed by President Clinton: June 30, 2000
• Effective: October 1, 2000
• Specified provisions are phased in thru June 2001

Page 6:

E-SIGN defines Electronic not Digital Signature

Digital Signature

Electronic Signature — means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

Page 7:

Record — “means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.”

Page 8:

Records Retention

Satisfied by retaining electronic records that are:

• Accurate
• Accessible to persons entitled to access it
• Capable of accurate reproduction for later reference
• Communicated by transmission, printing, or otherwise
• Exception: Information whose sole purpose is to enable the contract or other record to be sent, communicated, or received

Page 9:

E-SIGN: Nondiscrimination

“A signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form…”

E-SIGN § 101(a) General Rules of Validity (emphasis added)

Page 10:

Legal Effect and Validity

• Undefined in E-SIGN
• Provide only threshold legal assurances
• Only gets you into the courthouse

Page 11:

Enforceability

• The extent to which you can prove successfully the signature, record or contract and therefore prevail in a dispute
• E-SIGN neither precludes nor materially advances enforceability
• Enforceability demands evidence
• PKI complements E-SIGN by providing strong evidence that can be essential to enforceability

Page 12:

Other Provisions

• Complex consumer disclosure and consent
• Oral communications and recordings do not qualify as electronic records
• Industry-specific benefits
  • Insurance agents and brokers: liability limited
  • Banks: electronic check retention permitted
  • Mortgage industry: e-promissory notes enabled

Page 13:

E-SIGN Does Not Control:

• Wills and trusts
• Family law matters
• Much of the Uniform Commercial Code
• Court orders / notices / official court documents
• Other essential notices such as for utility services, health insurance and product recalls

Page 14:

Agenda

• E-SIGN – Some relevant principles
  • Electronic vs. digital signatures
  • Nondiscrimination
  • Validity vs. enforceability
  • Limitations
• E-SIGN - Impact on PKIs
  • Technology neutrality
  • Federal preemption
• Responsive policy initiatives
  • The Multi-State Digital Signature Summit
  • Performance standards and the PAG
• Conclusions

Page 15:

Technology Neutrality

• Distinguish:
  • Nondiscrimination vs. equivalency
  • Product vs. technology neutrality
• UNCITRAL example: “Information certifier”
• Implications:
  • Uncertainty
  • Potential need for supplemental rules
  • Sanctioning of ineffective products
  • Anticompetitive impact on the marketplace
  • Threatening to consumers?

Page 16:

Effect of Technology Neutrality on Notarial Acts

“If a … law requires a signature or record … to be notarized … that requirement is satisfied if the [notarization] is attached to or logically associated with the signature or record.”

E-SIGN § 101(g)

Page 17:

E-SIGN and Federal Preemption

• What is preemption?
• What E-SIGN says it preempts:

“A State [law] may modify, limit, or supersede … Section 101 … only if such [law does] not require, or accord greater legal status or effect to, the implementation or application of a specific technology…”

E-SIGN § 102(a) (emphasis added)

Page 18:

Scope of Preemption

What E-SIGN preempts

• Preempts only State laws that deny effect to electronics solely because they are electronic or where they mandate exclusively a particular technology
• UETA (over-simplified rule): Where enacted without material changes, UETA is not preempted by E-SIGN

Page 19:

Uniform Electronic Transactions Act (UETA)

• Neither discriminates against nor mandates use of e-signatures / e-records
• Permits e-notarizations and e-acknowledgments
• Enables electronic records retention
• Extends beyond E-SIGN by addressing:
  • Attribution of e-signatures or records
  • Changes or errors in e-records during transmission
  • Nondiscrimination against admissibility into evidence
  • Time and place of sending and receipt of e-records

Page 20:

Limits on Preemption

What E-SIGN does not preempt

• Does not address preemption of state law, other than in the specifically preemptive rules in Section 101
• E-SIGN does not generally interfere with U.S. State digital signature laws and CA licensing regimes

Page 21:

Some States Licensing or Approving CAs

• North Carolina
• Oregon
• Texas
• Washington
• Utah
• Minnesota
• Nebraska
• California
• Nevada
• Arkansas

Page 22:

What Rules does E-SIGN Preempt?

• Attribution - No
• Favorable presumptions - No
• Integrity - No
• Certification authority trustworthiness - No
• Licensing / accreditation - No
• Recognizes only digital signatures as an alternative to handwritten signatures - Yes

Page 23:

Performance Standards Exception

Can be specified by a Federal or State regulatory agency

To assure accuracy, integrity, and accessibility of records

Page 24:

Agenda

• E-SIGN – Some relevant principles
  • Electronic and digital signatures distinguished
  • Nondiscrimination
  • Validity and enforceability distinguished
  • Limitations
• E-SIGN - Impact on PKIs
  • Technology neutrality
  • Federal preemption
• Responsive policy initiatives
  • The Multi-State Digital Signature Summit
  • Performance standards and the PAG
• Conclusions

Page 25:

Multi-State Digital Signature Summit

• Held in August 2000 in San Francisco
• Studied digital signature legislation, application, and the effects in the public and private sector
• Attendees included Secretaries of State, state digital signature coordinators and policy makers, American Bar Association Information Security Committee members, and other industry leaders
• Considerable focus on preemption
• Conclusions

Page 26:

UNCITRAL Draft Model Law on E-Signatures

Beyond E-SIGN – Default Rules?

• Each signatory shall: exercise reasonable care to avoid unauthorized use of its signature creation data
  Art. 8 Conduct of the signatory
• A relying party shall bear the legal consequences of its failure to take reasonable steps to verify the reliability of an electronic signature
  Art. 11 Conduct of the relying party

Page 27:

PKI Assessment Guidelines (PAG): A Tool to Establish Performance Standards?

• A multidisciplinary initiative to develop objective guidelines for assessing PKI interoperation & quality
• Non-sectoral, cross-industry, international
• The PAG can assist in developing performance standards

Page 28:

Conclusions

• E-SIGN creates both peace of mind and uncertainty
• Potential for litigation regarding preemption
• Is the technology neutral pendulum swinging?
• Future rules needed to support CA quality & interoperation
• Harmonize with international initiatives
  • UNCITRAL Model Law on Electronic Signatures?
  • APEC-EU-US bilateral/multilateral agreements?
• Monitor impact of mandated consumer e-records and e-consent studies under E-SIGN

Page 29:

References

http://www.verisign.com/repository

Page 30:

Michael S. Baum, J.D., M.B.A., [email protected]