The Role of the Business Manager in Implementing an Electronic Transaction Process

Electronic Signatures and Electronic Records Under Colorado’s Uniform Electronic Transactions Act (UETA)

Colorado Department of State, 1700 Broadway, Suite 300, Denver, CO 80290 303-894-2200 Fax: 303-869-4871 www.sos.state.co.us

Page 2: The Role of the Business Manager in

10/19/05 2

Licensing Division, Secretary of State’s Office

Barbara Groth, J.D., UETA Program Manager

Phil Gehlich, UETA Program IT Analyst

Carrie London, Administrative Assistant

Page 3: The Role of the Business Manager in

Business Manager’s Role

Existing electronic processes or records
- Database information collection, storage and retrieval
- Email
- Internal time cards, leave slips, expense reports

Page 4: The Role of the Business Manager in

Business Manager’s Role

New electronic process
- Often involves “converting” a paper process to an electronic process
- Critical to document workflow and procedures as initial step
- Opportunity for re-engineering paper process
- Be open-minded – electronic process need not “duplicate” paper process

Page 5: The Role of the Business Manager in

Business Manager’s Role

Electronic process
- Perform risks analysis
- Perform benefits analysis
- Perform costs analysis
- Consider legal, business and technology issues and options in each analysis

Page 6: The Role of the Business Manager in

Business Manager’s Role

Electronic process
- Consider quantitative factors, e.g.
  - Reduction in cost for storage of paper records
  - Less time spent inputting data or processing applications
  - Greater accuracy due to reduction of transcription errors
  - Cost of new equipment or software
  - “Instantaneous” transmission, compared to time and expense of mail or courier

Page 7: The Role of the Business Manager in

Business Manager’s Role

Electronic process
- Consider qualitative factors, e.g.
  - Change in customer satisfaction
  - Potential for increase or decrease in fraud

Page 8: The Role of the Business Manager in

Business Manager’s Role

- Consult with your legal advisor in AG’s office
- Consult with your IT advisors
- Consult with the UETA team

Page 9: The Role of the Business Manager in

Business Manager’s Role

Legal issues
- Statutory requirements or prohibitions
  - Federal Laws & Regulations, e.g.
    - Health Insurance Portability and Accountability Act (HIPAA)
    - Drivers Privacy Protection Act (DPPA)
  - Colorado Laws & Rules, e.g.
    - Prohibitions on using or recording SSNs (see 23-5-127, C.R.S.; 4-3-506, C.R.S.)
    - Open records laws

Page 10: The Role of the Business Manager in

Business Manager’s Role

Examine why pen and ink (“wet”) signature is requested on a paper document
- It’s required by law
- It serves an important purpose, even if not mandated
- It’s “always been done that way”

Page 11: The Role of the Business Manager in

Business Manager’s Role

Purpose of a signature
- Serve to authenticate a record by identifying the signer with the signed record
- Serve “ceremonial” function – call signer’s attention to significance of signing and potential legal implications
- Serve to express signer’s approval or agreement of contents
- Serve to express finality of document (not a draft; not accidentally submitted)

Page 12: The Role of the Business Manager in

Business Manager’s Role

If signature needed on electronic record:
- What type of electronic signature?
- Create document/form to capture signer’s intent to sign
- Create document/form to fulfill reason for requesting signature

Page 13: The Role of the Business Manager in

Business Manager’s Role

Evaluate whether these attributes of your electronic process need be set at low, medium or high level
- Authentication
- Confidentiality
- Integrity
- Non-repudiation
- Authorization
- Auditability
- Preservation

Page 14: The Role of the Business Manager in

Business Manager’s Role

Authentication
- The process of identifying an individual
- Authentication merely ensures that the individual is who he or she claims to be
- Authentication says nothing about the access rights of the individual
- Not necessarily the same as an electronic signature, which must demonstrate intent to sign
- May not care about identity in some cases

Page 15: The Role of the Business Manager in

Business Manager’s Role

Confidentiality
- Assurance that information is not disclosed to unauthorized persons, processes, or devices
- Assurance that information is protected against intentional or accidental unauthorized disclosure

Page 16: The Role of the Business Manager in

Business Manager’s Role

Integrity
- Information protected against corruption, tampering, or other alteration
  - By unauthorized persons
  - By accidental actions of authorized persons
  - By intentional actions of authorized persons
- Assurance of accuracy and completeness of information
  - Need to capture questions asked on form, not just responses

Page 17: The Role of the Business Manager in

Business Manager’s Role

Non-repudiation
- Evidence that can be used to contradict a person who is (falsely) denying sending or receiving a specific communication or engaging in a specific transaction.

Page 18: The Role of the Business Manager in

Business Manager’s Role

Non-repudiation
- Some authorization and electronic signature technologies, e.g. digital signatures, assure high confidence that identity or signature cannot be repudiated
  - Such technologies also assure that any change in document after digital signature applied will invalidate signature
  - Content of document can’t be repudiated if digital signature still valid

Page 19: The Role of the Business Manager in

Business Manager’s Role

Non-repudiation
- PINs and passwords easily compromised
  - People can’t remember them, so they write them down
  - People intentionally let others “borrow” them
  - People using same computer can often discover them
  - People may intentionally use one PIN or password for multiple people, such as both spouses
  - People are scammed into revealing them through “phishing” attacks or social engineering
  - They can be hacked, intercepted, etc.
- PINs and passwords do not assure that data not changed
- PINs and passwords provide low (no?) assurance of non-repudiation

Page 20: The Role of the Business Manager in

Business Manager’s Role

Authorization
- The process of granting or denying access to systems, networks or applications based on identity

Page 21: The Role of the Business Manager in

Business Manager’s Role

Auditability
- Also referred to as Accountability
- The ability to identify the person or organization that performed, or is responsible for, the actions affecting information
- “Audit trail”
  - Who, what, when, how
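One way to meet the integrity and auditability attributes together, as an added example that is not part of the original presentation: each audit record stores the form questions next to the responses, plus who, what, when and how, and is chained to the previous record so later alteration is detectable. The field names, `SERVER_KEY` and the sample submissions are constructed assumptions; the HMAC seal is a shared-secret control, so it gives tamper evidence but not non-repudiation.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: held only by the records system
GENESIS = "0" * 64                    # prev_hash value for the first record

def seal_body(body):
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()

def append_record(trail, who, what, when, how, questions, responses):
    """Append an audit record that binds questions, responses and context."""
    body = {
        "who": who, "what": what, "when": when, "how": how,
        "questions": questions,   # the wording shown to the signer
        "responses": responses,   # what the signer answered
        "prev_hash": trail[-1]["seal"] if trail else GENESIS,
    }
    trail.append({"body": body, "seal": seal_body(body)})
    return trail

def verify_trail(trail):
    """Return the index of the first bad record, or -1 if the trail is intact."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["body"]["prev_hash"] != prev:
            return i  # a record was removed, inserted or reordered
        if not hmac.compare_digest(rec["seal"], seal_body(rec["body"])):
            return i  # the record's content was changed after sealing
        prev = rec["seal"]
    return -1

def demo():
    """Constructed sample: two submissions, then a stored question is reworded."""
    trail = []
    append_record(trail, "applicant-17", "license renewal submitted",
                  "2005-10-19T09:30:00Z", "web form, password login",
                  {"q1": "Have you been convicted of a felony?"}, {"q1": "No"})
    append_record(trail, "clerk-04", "renewal approved",
                  "2005-10-19T14:05:00Z", "internal application", {}, {})
    intact = verify_trail(trail)
    # Rewording the question changes what the stored "No" means.
    trail[0]["body"]["questions"]["q1"] = "Have you never been convicted of a felony?"
    return intact, verify_trail(trail)
```

Storing only the responses would leave the reworded question undetected, which is the gap the integrity slide warns about.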

Page 22: The Role of the Business Manager in

Business Manager’s Role

Preservation
- Consider records retention issues
- More problematic to store electronic records long term in usable form than paper
- Must be able to migrate applications/systems as versions/equipment changes
- Electronic records with “secure” signatures especially difficult

Page 23: The Role of the Business Manager in

Conclusion

- Business manager must take the lead in
  - Managing an electronic process implementation
  - Reviewing existing electronic processes
- Should request input from other sources: Legal, IT, UETA
- Should understand laws and rules that may affect implementation of process

Page 24: The Role of the Business Manager in

Conclusion

Business manager has role in shaping ultimate form of UETA rules through involvement of UETA team with your analysis and implementation
- We’ll learn from your experience and it will help us shape rules that work
- Your implementation much more likely to be compliant with rules finally adopted

Page 25: The Role of the Business Manager in

Additional Information

- Contact a member of the UETA Team
- Licensing tab at www.sos.state.co for info on UETA Program
  - General Information
  - UETA Statute (24-71.3, C.R.S et seq.)
  - FAQs about UETA (the Act)
  - Glossary
  - Power Point Slide Shows
  - Calendar of Presentations and Demonstrations
  - UETA Task Force
  - Resources & Links

Page 26: The Role of the Business Manager in

Contact Information

Colorado Department of State

Licensing Division, UETA Program

1700 Broadway, Suite 300

Denver, CO 80290

303 894-2200

Barbara Groth – ext. 6423 [email protected]

Phil Gehlich – ext. 6624 [email protected]