Evolving Issues in Electronic Data Collection Workshop Interoperability E-SIGN related multi-state Initiatives.

Dec 25, 2015

Page 1: Evolving Issues in Electronic Data Collection Workshop Interoperability E-SIGN related multi-state Initiatives.

Evolving Issues in Electronic Data Collection Workshop

Interoperability

E-SIGN related multi-state Initiatives

Page 2

44-7001. Definitions (UETA - Uniform Electronic Transactions Act)

7. "Electronic Record" means a record that is created, generated, sent, communicated, received or stored by electronic means.

8. "Electronic Signature" means an electronic sound, symbol or process that is attached to or logically associated with a record and that is executed or adopted by an individual with the intent to sign the record.

14. "Security Procedure" means a procedure that is employed to verify that an electronic signature, record or performance is that of a specific person or to detect changes or errors in the information in an electronic record. Security procedure includes a procedure that requires the use of algorithms or other codes, identifying words or numbers or encryption, callback or other acknowledgment procedures.

SEC. 106. DEFINITIONS (E-SIGN)

For purposes of this title:

(4) Electronic Record —The term ‘‘electronic record’’ means a contract or other record created, generated, sent, communicated, received, or stored by electronic means.

(5) Electronic Signature —The term ‘‘electronic signature’’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

Page 3

E-Signature Law Summary

• Arizona A.R.S. 41-132 (by/with state agencies): very specific criteria for linking signature to person (& security of document)

• Arizona Electronic Transaction Act (AETA/UETA - in-state commerce): focus on sending/receiving the record. “The effect of an electronic record or electronic signature attributed to a person .... is determined from the context and surrounding circumstances at the time of its creation, execution, or adoption, including the parties’ agreement, if any, and otherwise as provided by law.”

• federal Electronic Signatures in Global and National Commerce Act (E-SIGN - interstate and international commerce): signed record “remains accessible to all persons who are entitled to access by statute, regulation, or rule of law, for the period required by such statute, regulation, or rule of law, in a form that is capable of being accurately reproduced for later reference, whether by transmission, printing, or otherwise.”

Page 4

E-SIGN

SEC. 104. Applicability To Federal And State Governments.

(b) Preservation Of Existing Rulemaking Authority.— (2)(C) such agency finds, in connection with the issuance of such regulation, order, or guidance, that—

(i) there is a substantial justification for the regulation, order, or guidance;

(ii) the methods selected to carry out that purpose—

(I) are substantially equivalent to the requirements imposed on records that are not electronic records; and

(II) will not impose unreasonable costs on the acceptance and use of electronic records; and

(iii) the methods selected to carry out that purpose do not require, or accord greater legal status or effect to, the implementation or application of a specific technology or technical specification for performing the functions of creating, storing, generating, receiving, communicating, or authenticating electronic records or electronic signatures.

Page 5

E-SIGN

SEC. 104. Applicability To Federal And State Governments.

(3) Performance Standards.—

(A) Accuracy, Record Integrity, Accessibility.—Notwithstanding paragraph (2)(C)(iii), a Federal regulatory agency or State regulatory agency may interpret section 101(d) to specify performance standards to assure accuracy, record integrity, and accessibility of records that are required to be retained. Such performance standards may be specified in a manner that imposes a requirement in violation of paragraph (2)(C)(iii) if the requirement

(i) serves an important governmental objective; and (ii) is substantially related to the achievement of that objective.

Nothing in this paragraph shall be construed to grant any Federal regulatory agency or State regulatory agency authority to require use of a particular type of software or hardware in order to comply with section 101(d).

Page 6

August 10 & 11, 2000 - California Secretary of State sponsored a Multi-State Digital Signature Summit “in an effort to pool the collective expertise of state policy executives and technology experts and identify ways to remove barriers to the implementation of digital signature technology.”

Discussion about E-SIGN at that meeting led to:

Sept 6, 2000 - National Governors’ Association (NGA) hosts meeting regarding state issues relating to implementation of the federal Electronic Signatures in Global and National Commerce Act(E-SIGN). Focused on prospective preemption of state laws, interoperability among states and retention requirements for state agencies.

That meeting led to NECCC being charged with coordinating four E-SIGN forums: Legal, Policy, Security/Privacy, and Interoperability.

Page 7

• “The primary effect of E-SIGN should be on private entities that wish to use electronic signatures and electronic records as they conduct business. States should only be affected in so far as their activities must recognize and accommodate the use of electronic signatures and electronic records in the private sector.”

• “Another area where states should be prepared to deal with electronic signatures and documents is in their use in court. Although specific court documents, such as briefs, are exempted from E-SIGN, electronic contracts admitted as evidence are not.”

What Governors Need to Know About E-SIGN: The Federal Law Authorizing Electronic Signatures and Records,

NGA whitepaper, August 1, 2000

States will need to be prepared to accept private entity documents as evidence in courts and by any state agencies regulating those entities, including private entity documents originally created for another state.

Page 8

E-SIGN Interoperability forum

Vision Statement

December 2000

E-SIGN: “Electronic Signatures in Global and National Commerce Act.”

“Using electronic signatures means creating signed electronic documents. This forum will begin by asking ‘how do we get from technology neutral e-signatures statutes to agreement about what are sharable, trustworthy signed electronic documents (things that are reliable, usable, authentic, and having integrity)?’”

E-SIGN Forums met for a day and a half before the NECCC annual conference in December, 2000.

Page 9

The Interoperability forum defines the essential requirements for a formally formed electronic signature as follows:

Secure electronic signatures

A signature is a secure electronic signature if, through the application of a security procedure, it can be demonstrated that the electronic signature at the time the signature was made was all of the following:

• Unique to the person using it.

• Capable of verification.

• Under the sole control of the person using it.

• Linked to the electronic record to which it relates in such a manner that if the record were changed the electronic signature would be invalidated.

Page 10

The Interoperability forum defines the essential requirements for a formally formed electronic record as follows:

Secure electronic records

If, through the ongoing application of a security procedure, it can be demonstrated that an electronic record signed by a secure electronic signature has remained unaltered since a specified time, the record is a secure electronic record from that time of signing forward.
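The four properties of a secure electronic signature (page 9) and the "ongoing application of a security procedure" that makes a secure electronic record (page 10), shown as working code. This is an added example, not part of the workshop deck or any state's system; the deck names no technology, so the choice of Ed25519 as the signature scheme and SHA-256 as the record digest is this example's assumption, and the `SignedRecord`, `Sign`, `Verify`, `Fingerprint` and `SecureRecordSince` names are its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedRecord is an electronic record together with the electronic signature
// logically associated with it and the public key that made it. Binding that
// key to a person (registration) is the Trust Policy's job and is assumed done.
type SignedRecord struct {
	Record    []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// Sign is the security procedure applied at signing time. What is signed is a
// digest of the whole record, so any later change to the record changes the
// digest and invalidates the signature (the "linked to the record" property).
func Sign(priv ed25519.PrivateKey, record []byte) SignedRecord {
	digest := sha256.Sum256(record)
	return SignedRecord{
		Record:    append([]byte(nil), record...),
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Verify checks the remaining properties: the signature verifies only under
// the claimed key (unique to the signer, capable of verification) and only the
// holder of the matching private key could have produced it (sole control).
func Verify(sr SignedRecord) bool {
	if len(sr.Signer) != ed25519.PublicKeySize {
		return false // malformed key; ed25519.Verify would panic on it
	}
	digest := sha256.Sum256(sr.Record)
	return ed25519.Verify(sr.Signer, digest[:], sr.Signature)
}

// Fingerprint is what a record keeper stores at the "specified time" (here,
// the time of signing) so the record can be re-checked on every later access.
func Fingerprint(record []byte) string {
	digest := sha256.Sum256(record)
	return hex.EncodeToString(digest[:])
}

// SecureRecordSince is the ongoing application of the security procedure: the
// record is a secure electronic record from the specified time forward only
// while its signature still verifies and its fingerprint matches the stored one.
func SecureRecordSince(sr SignedRecord, storedFingerprint string) bool {
	return Verify(sr) && Fingerprint(sr.Record) == storedFingerprint
}

func main() {
	// Constructed sample: a hypothetical signer and a one-line record.
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sr := Sign(priv, []byte("Purchase order 1001: 40 units at 12.50 USD"))
	stored := Fingerprint(sr.Record)
	fmt.Println("verifies:", Verify(sr), " secure since signing:", SecureRecordSince(sr, stored))

	// Alter the record after signing: the signature no longer verifies.
	altered := sr
	altered.Record = []byte("Purchase order 1001: 400 units at 12.50 USD")
	fmt.Println("altered record verifies:", Verify(altered))

	// Attribute the signature to a different key: it does not verify either.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	misattributed := sr
	misattributed.Signer = otherPub
	fmt.Println("other signer verifies:", Verify(misattributed))
}
```

The point a record keeper should take from `SecureRecordSince` is that the signature alone only proves integrity relative to the signing key; the stored fingerprint is what ties the check to a specified time the keeper controls, so a record re-signed later by the same key is still caught.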

Page 11

It is recognized that there are many processes to form these signatures and documents. There are also varying levels of certainty desired for identifying a person, attributing a signature to them and assuring the integrity of the signed document. The next step is to define technology neutral classes of Trust Policies that define the requirements for different levels of signatures (and the levels of assuring the integrity and authenticity of the document).

Page 12

These Trust Policies for both secure electronic signature and secure electronic document will allow this group to roughly answer:

• If a secure electronic signature is formed using PKI then it also needs... define registration requirements for each Trust Policy, define PKI specific requirements for each Trust Policy (including how to allow for PKI bridging solutions), etc. to be generally recognized by agencies in various states as in an acceptable format.

• If a secure electronic signature is formed without using PKI then it also needs... define registration requirements for each Trust Policy, define technology specific requirements for each Trust Policy, define how/if to allow for bridging solutions(?), etc. to be generally recognized by agencies in various states as in an acceptable format.

• If a secure electronic record is formed using XML then it also needs... to be generally recognized by agencies in various states as in an acceptable format. For example, how a PDF document is signed may differ from how an XML document is signed.

Page 13

The NECCC “face-to-face” meeting led to agreement to focus on concrete types of signing that we could build principles around. The agreement was to look at three specific processes:

• e-notary,

• e-mall/procurement, and

• HIPAA driven healthcare data/document exchanges.

These cover the range of signatures discussed in the face-to-face sessions, going from closed EDI-style signing (e-mall/procurement) to more open-ended signing contexts (e-notary).

Page 14

Federal Policy - Department of the Treasury

The Financial Management Service of the US Department of the Treasury has issued (12/22/00) a final version of its Electronic Authentication Policy, for Federal payment, collection, and collateral transactions conducted over open networks such as the Internet.

http://www.fms.treas.gov/eauth/index.html

Page 15

Section 5. Risk Model (Department of the Treasury)

(a) All payment, collection, and collateral transactions must be properly authenticated, in a manner commensurate with the risks of the transaction. For any given Federal agency cash flow or program (e.g., corporate user fees, benefit payments, excise taxes, retail product sales, investment collateral, etc.) Federal agencies shall assess overall risk and determine the appropriate electronic authentication technique in accordance with the following risk model.

(1) The three general factors used to determine the overall risk of Federal payment, collection, and collateral transactions are: risk of monetary loss, reputation risk, and productivity risk.

(2) The risk of monetary loss is determined using a variety of elements, including but not limited to: ....

(3) The reputation risk to the Government in the event of a breach or an improper transaction is determined using elements such as: ....

(4) Productivity risk associated with a breach or improper transaction is determined using elements such as: ....

Page 16

Department of the Treasury

Electronic Authentication forms based on risk assessment

• smart card PKI

• PC based PKI

• PIN

• none

Page 17

What is a “signature”?

Consider the reasons to use a secure electronic signature (the “legal” reasons for a formal signature - wet or electronic):

1. to identify the person signing (the identification function);

2. to indicate that person's approval of the information contained in that data message (the authentication function);

3. to indicate that the record has not been altered (the integrity function).

Page 18

Earlier: “This initial study led to a detailed description of the electronic record. We determined that an electronic record had to be a fully self-documenting object. We chose to describe these objects in eXtensible Markup Language (XML), a text based standard. We determined that an electronic record was made up of one or more documents, contextual information relating this record with other records, and evidential integrity checks.”

Victorian Electronic Records Strategy Final Report

This can be turned around - a fully self-documented electronic record requires a secure electronic signature to identify the signer, uniquely link the signer’s intent to the document and to assure the integrity of the document. But there are varying levels of certainty desired for identifying a person, attributing a signature to them and assuring the integrity of the signed document.

Page 19

What is EDI?

Electronic Data Interchange (EDI) is the computer-to-computer exchange of business-related documents in a structured, machine processable format. These documents may be purchase orders, invoices, payment remittances and shipping notices between the State of Ohio and its "trading partners." A trading partner, in EDI parlance, is a supplier, customer, subsidiary or any other organization with which the state of Ohio does business. EDI differs from e-mail and fax. Although both of these methods of transferring documents are electronic, both are unstructured and free-form in the way they are presented. This means that information received via e-mail or fax must be rekeyed and reinterpreted before it can be processed by a computer application. EDI, on the other hand, requires that the information be organized in a structured format which can be easily interpreted and processed by a computer application.

Ohio - http://www.state.oh.us/ecedi/welcome.htm

Page 20

How EDI Works - Briefly (Ohio continued)

EDI involves taking a standard computer flat file and reformatting the file into a structured EDI format. This format complies with specific industry standards. This reformatting process is performed by a specialized software program called an EDI translator.

Once the file has been put into a structured format, it is transmitted over telephone lines to a third party network. The third-party network called a Value Added Network (VAN) provides a service much like a post office. The VAN receives the transmitted documents and places these documents into an electronic mailbox for the receiving party to pick up. By dialing into the network, the receiving party can access its mailbox and retrieve the transmitted documents.

Once the electronic documents have been accessed by the receiving party, the documents once again can be processed through an EDI translator. The translator takes the documents, which are still in EDI format, and translates them into a standard computer flat file. This flat file then can be formatted into a report and printed out or sent directly into a company's computer application for processing.

Page 21

Summary

different Trust Policies for different processes (& different risks)

[Slide diagram; the labels recoverable from it are: "signed" database record; Expert Witness - System Integrity Audit; Receiving / unPackaging; Shipping; Packaging; Self-documenting record; System documenting record; Signed Electronic Document; Digital Signature (or equivalent); Signed Original Electronic Document]

Page 22

Q & A

Russ Savage
Electronic Transactions Liaison

Arizona's Office of the Secretary of State
[email protected]

602.542.2022
602.418.3094 (cell phone)

http://www.sosaz.com/pa

additional E-SIGN information
http://www.state.tx.us/EC/E-SIGN.htm

Page 23

Evolving Issues in Electronic Data Collection Workshop

Interoperability

Electronic Signatures Framework for multi-state Interoperability

(Thoughts on what’s next)

Page 24

What is a “signature”?

Consider the reasons to use a secure electronic signature (the “legal” reasons for a formal signature - wet or electronic):

1. to identify the person signing (the identification function); [slide annotation: identify]

2. to indicate that person's approval of the information contained in that data message (the authentication function); [slide annotation: intent]

3. to indicate that the record has not been altered (the integrity function). [slide annotation: record integrity]

Page 25

• fully self-documented electronic record (e.g. PKI/XML) (evidence based on test of record)

• fully trustworthy record/document system (e.g. EDI) does not have self-documented electronic records (evidence based on testimony about the system)

• fully self-documented electronic record in a fully trustworthy document system (e.g. PKI/XML/EDI)

• fully trustworthy record/document system does not have self-documented electronic records but can reliably export a self-documented electronic record (e.g. from EDI to PKI/XML)

Page 26

Why the fuss about e-signature & e-documents?

Because some of mine will migrate to your place and some of yours will migrate to my place. And they need to be readable and verifiable at both places. Trust policies form the foundation.

Interoperability: getting from here to over there

Page 27

Arizona’s Notary Act

Flow shown on the slide (repeat as needed):

1. Person creates/has document, needs notary.

2. Notary: identify the person, perform notarial duty, notarial certificate, log in journal, collect fee.

• Identify the person

• Perform notarial duty: take acknowledgment, administer oath or affirmation, perform jurat, perform copy certification

• Log in journal

• Notarial certificate: affix seal and sign certificate, on or attached to document

3. Person mails or delivers notarized document.

4. Recipient receives the notarized document.

Page 28

Arizona’s Electronic Notary Act

Electronic Notary in the Presence of a Notary

Flow shown on the slide (repeat as needed):

1. Person creates electronic document.

2. Go to notary for notarization.

3. Notary performs notary duty, attaches their electronic signature in lieu of hand signing and affixing seal.

4. Electronic document is sent with notary's signature as well as signer's signature.

5. Recipient inspects the document, verifies signature & notary signing.

Page 29

Arizona’s Electronic Notary Act

Electronic Notary without the presence of a Notary

Two flows shown on the slide:

Certificate Issuer

1. Person needs "notary" electronic signature certificate.

2. Certificate Issuer: identify the person, perform Issuer duty, log in journal, collect fee.

3. Inband acknowledgment verifies person has private key.

4. Person can create "notary" electronic signature certificate.

Trusted Third Party (repeat as needed)

1. Signed electronic document sent with request for timestamp.

2. Trusted Third Party timestamps the document: performs timestamp duty, attaches timestamp token, log in journal.

3. Timestamped document sent to recipient; person transmits or delivers electronic document.

4. Recipient inspects the document, verifies signature & timestamp.

5. Recipient sends acknowledgment of receipt; acknowledgement sent.
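The trusted-third-party timestamp flow and the issuer's in-band key-possession check on this slide, as an added example in Go that is not part of the deck or of Arizona's system. It assumes Ed25519 for both the signer and the timestamp authority and SHA-256 to bind the token to the signed document; the `TimestampAuthority`, `TimestampToken`, `VerifyTimestampedDocument`, `ProveKeyPossession` and `CheckKeyPossession` names are this example's own, and the journal is an in-memory list standing in for the TTP's log.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// TimestampToken is what the trusted third party (TTP) attaches: its own
// signature over a digest of the signer's signed document plus the time.
type TimestampToken struct {
	Digest    [32]byte // sha256(document || signer's signature)
	Time      int64    // Unix seconds on the TTP's clock
	TTP       ed25519.PublicKey
	Signature []byte
}

// JournalEntry records one issuance, the TTP's "log in journal" step.
type JournalEntry struct {
	Digest [32]byte
	Time   int64
}

// TimestampAuthority models the TTP; its journal is an in-memory list here.
type TimestampAuthority struct {
	priv    ed25519.PrivateKey
	Journal []JournalEntry
}

// signedDocumentDigest binds a token to both the document and the signature
// over it, so neither can be swapped under an existing token.
func signedDocumentDigest(document, signerSig []byte) [32]byte {
	h := sha256.New()
	h.Write(document)
	h.Write(signerSig)
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// tokenBytes is the exact byte string the TTP signs: digest || big-endian time.
func tokenBytes(digest [32]byte, ts int64) []byte {
	var buf [40]byte
	copy(buf[:32], digest[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(ts))
	return buf[:]
}

// Timestamp performs the timestamp duty: the TTP does not need to read the
// document, only to commit to its digest at a stated time, and journals that.
func (ta *TimestampAuthority) Timestamp(document, signerSig []byte, at int64) TimestampToken {
	d := signedDocumentDigest(document, signerSig)
	ta.Journal = append(ta.Journal, JournalEntry{Digest: d, Time: at})
	return TimestampToken{
		Digest:    d,
		Time:      at,
		TTP:       ta.priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(ta.priv, tokenBytes(d, at)),
	}
}

// VerifyTimestampedDocument is the recipient's inspection: the signer's
// signature must verify over the document, the token must come from a TTP the
// recipient already trusts, and it must bind exactly this document and signature.
func VerifyTimestampedDocument(document []byte, signer ed25519.PublicKey, signerSig []byte, tok TimestampToken, trustedTTP ed25519.PublicKey) bool {
	if len(signer) != ed25519.PublicKeySize || len(trustedTTP) != ed25519.PublicKeySize {
		return false // malformed keys; ed25519.Verify would panic on them
	}
	if !ed25519.Verify(signer, document, signerSig) {
		return false
	}
	if !tok.TTP.Equal(trustedTTP) || tok.Digest != signedDocumentDigest(document, signerSig) {
		return false
	}
	return ed25519.Verify(trustedTTP, tokenBytes(tok.Digest, tok.Time), tok.Signature)
}

// ProveKeyPossession and CheckKeyPossession model the certificate issuer's
// in-band acknowledgment: the applicant signs a fresh nonce chosen by the
// issuer, showing they hold the private key for the public key to be certified.
func ProveKeyPossession(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

func CheckKeyPossession(pub ed25519.PublicKey, nonce, proof []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, nonce, proof)
}

func main() {
	// Constructed sample: one signer, one TTP, one short document.
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader)
	ttpPub, ttpPriv, _ := ed25519.GenerateKey(rand.Reader)
	ta := &TimestampAuthority{priv: ttpPriv}
	doc := []byte("Affidavit text (constructed sample)")
	sig := ed25519.Sign(signerPriv, doc)
	tok := ta.Timestamp(doc, sig, time.Now().Unix())
	fmt.Println("recipient accepts:", VerifyTimestampedDocument(doc, signerPub, sig, tok, ttpPub))
	fmt.Println("altered copy accepted:", VerifyTimestampedDocument([]byte("Affidavit text (altered)"), signerPub, sig, tok, ttpPub))
	fmt.Println("journal entries:", len(ta.Journal))
}
```

The recipient's trust anchor is the TTP's public key, not anything carried inside the token: `VerifyTimestampedDocument` takes `trustedTTP` from the recipient's own configuration and rejects a token whose embedded key differs, which is what multi-state reciprocity on "notary" certificates would have to agree on.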

Page 30

What is a “signature”?

Consider the reasons to use a secure electronic signature (the “legal” reasons for a formal signature - wet or electronic):

1. to identify the person signing (the identification function);

2. to indicate that person's approval of the information contained in that data message (the authentication function);

3. to indicate that the record has not been altered (the integrity function).

Notarization accomplishes these - even if the person only makes their mark.

Page 31

Summary

Multi-state reciprocity on electronic notary can reduce the complexity of other interoperability issues by allowing generalized cross-jurisdiction “copy certification” of non-self-documenting records.

Arriving at electronic notary reciprocity will address nearly every interoperability issue. The solutions found for it can form the basis for general principles in other interoperability situations.

Any issues not addressed will likely surface in the HIPAA and e-mall/e-procurement processes that the E-SIGN Interoperability forum will explore this year.

Participation in the E-SIGN Interoperability forum is open to any state employee wishing to participate in finding common e-signature practices across the states.

Page 32

Q & A

Russ Savage
Electronic Transactions Liaison

Arizona's Office of the Secretary of State
[email protected]

602.542.2022
602.418.3094 (cell phone)

http://www.sosaz.com/pa