The Electronic Signatures in Global and National Commerce Act
Digital Signatures and E-SIGN: Implications for PKIs
Michael S. Baum, J.D., M.B.A., CISSP
Dec 19, 2015
Agenda
- E-SIGN: some relevant principles
  - Electronic vs. digital signatures
  - Nondiscrimination
  - Validity vs. enforceability
  - Limitations
- E-SIGN: impact on PKIs
  - Technology neutrality
  - Federal preemption
- Responsive policy initiatives
  - The Multi-State Digital Signature Summit
  - Performance standards and the PAG
- Conclusions
E-SIGN in a Nutshell
- The Electronic Signatures in Global and National Commerce Act
- Simply prevents discrimination against electronic acts and records
- A psychological boost to e-commerce
- On balance, creates demand for PKIs
- Issues remain
E-SIGN Provisions
- Title I: Electronic records and signatures in commerce
- Title II: Transferable records
- Title III: Promotion of international e-commerce
- Title IV: Commission on Online Child Protection
This presentation targets E-SIGN's critical implications for PKIs.
E-SIGN Milestones
- The reconciliation of H.R. 1714 and S. 761
- Signed by President Clinton: June 30, 2000
- Effective: October 1, 2000
- Specified provisions are phased in through June 2001
E-SIGN Defines Electronic, Not Digital, Signature
- Electronic Signature: "means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." (E-SIGN § 106(5))
- Record: "means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form." (E-SIGN § 106(9))
- Digital Signature: not defined in E-SIGN
Records Retention
Satisfied by retaining electronic records that are:
- Accurate
- Accessible to persons entitled to access them
- Capable of accurate reproduction for later reference, whether by transmission, printing, or otherwise
Exception: information whose sole purpose is to enable the contract or other record to be sent, communicated, or received
E-SIGN: Nondiscrimination
"A signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form…" (E-SIGN § 101(a), General Rules of Validity; emphasis added)
Legal Effect and Validity
- Undefined in E-SIGN
- Provide only threshold legal assurances
- Only get you into the courthouse
Enforceability
- The extent to which you can successfully prove the signature, record or contract and therefore prevail in a dispute
- E-SIGN neither precludes nor materially advances enforceability
- Enforceability demands evidence
- PKI complements E-SIGN by providing strong evidence that can be essential to enforceability
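The evidentiary gap described above, as an added example in Go that is not part of the original slides. It contrasts the weakest thing that still meets E-SIGN's definition of an electronic signature (a typed name adopted with intent to sign) with a digital signature produced by Go's standard-library crypto/ed25519 package, the kind of signature a PKI certificate would attribute to a key holder. The record text, the signer name and the keys are constructed for illustration; the function names are mine, not E-SIGN's or any project's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Record is a constructed contract text standing in for the "contract or
// other record" in E-SIGN's definitions. It is not a real agreement.
const Record = "Purchase order 4711: 100 units at $10.00 each, delivery by 2000-12-15."

// TypedName is an electronic signature in the E-SIGN sense: a symbol the
// signer adopts with intent to sign, logically associated with the record.
// It carries no cryptographic binding to the record's bytes.
type TypedName struct {
	Record string
	Name   string // e.g. "/s/ Alice Example", typed by the signer
}

// AdoptTypedName associates the typed name with the record. This is all
// E-SIGN requires for legal effect; nothing here depends on Record's content.
func AdoptTypedName(record, name string) TypedName {
	return TypedName{Record: record, Name: name}
}

// VerifyTypedName is the only check a typed-name signature supports: is the
// adopted symbol present on the copy being presented? It cannot tell an
// altered copy from the original, because the symbol is identical on both.
func VerifyTypedName(presented TypedName, expectedName string) bool {
	return presented.Name == expectedName
}

// SignRecord produces a digital signature with the signer's signature
// creation data (the Ed25519 private key) over the exact record bytes.
func SignRecord(priv ed25519.PrivateKey, record string) []byte {
	return ed25519.Sign(priv, []byte(record))
}

// VerifyRecord is the relying party's check. It succeeds only if the
// presented bytes are exactly the bytes signed and the signer held the
// private key matching pub: integrity and attribution in one step.
func VerifyRecord(pub ed25519.PublicKey, record string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(record), sig)
}

// Tamper alters one term of the record, modelling a later dispute over
// what was actually agreed.
func Tamper(record string) string {
	return strings.Replace(record, "$10.00", "$100.00", 1)
}

// Verdicts collects what each signature kind lets a third party establish.
type Verdicts struct {
	TypedOnOriginal, TypedOnTampered     bool
	DigitalOnOriginal, DigitalOnTampered bool
	DigitalWrongKey                      bool
}

// Demo runs both signature kinds over the original and a tampered copy.
func Demo() (Verdicts, error) {
	const signer = "/s/ Alice Example" // constructed name
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Verdicts{}, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // an unrelated key
	if err != nil {
		return Verdicts{}, err
	}
	tampered := Tamper(Record)

	// Electronic signature: the typed name survives the alteration intact.
	typed := AdoptTypedName(Record, signer)
	forged := AdoptTypedName(tampered, typed.Name)

	// Digital signature: bound to the exact bytes signed and to one key.
	sig := SignRecord(priv, Record)

	return Verdicts{
		TypedOnOriginal:   VerifyTypedName(typed, signer),
		TypedOnTampered:   VerifyTypedName(forged, signer),
		DigitalOnOriginal: VerifyRecord(pub, Record, sig),
		DigitalOnTampered: VerifyRecord(pub, tampered, sig),
		DigitalWrongKey:   VerifyRecord(otherPub, Record, sig),
	}, nil
}

func main() {
	v, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("typed name:  original=%v tampered=%v\n", v.TypedOnOriginal, v.TypedOnTampered)
	fmt.Printf("digital sig: original=%v tampered=%v wrong key=%v\n",
		v.DigitalOnOriginal, v.DigitalOnTampered, v.DigitalWrongKey)
}
```

Both copies bearing the typed name pass the only check that kind of signature allows, so the record is valid under E-SIGN on either side of the dispute but nothing on the page helps a court pick between them. The Ed25519 signature verifies on the original and fails on the altered copy and against any other key; what the signature does not supply by itself is the link from the public key to a named person, which is the certificate and CA-trustworthiness question the later slides on preemption and the PAG are about.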
Other Provisions
- Complex consumer disclosure and consent requirements
- Oral communications and recordings do not qualify as electronic records
- Industry-specific benefits:
  - Insurance agents and brokers: liability limited
  - Banks: electronic check retention permitted
  - Mortgage industry: e-promissory notes enabled
E-SIGN Does Not Control:
- Wills and trusts
- Family law matters
- Much of the Uniform Commercial Code
- Court orders, notices and official court documents
- Other essential notices, such as for utility services, health insurance and product recalls
Technology Neutrality
Distinguish:
- Nondiscrimination vs. equivalency
- Product vs. technology neutrality
- UNCITRAL example: "information certifier"
Implications:
- Uncertainty
- Potential need for supplemental rules
- Sanctioning of ineffective products
- Anticompetitive impact on the marketplace
- Threatening to consumers?
Effect of Technology Neutrality on Notarial Acts
"If a … law requires a signature or record … to be notarized … that requirement is satisfied if the [electronic signature of the notary] is attached to or logically associated with the signature or record." (E-SIGN § 101(g))
E-SIGN and Federal Preemption
- What is preemption?
- What E-SIGN says it preempts: "A State [law] may modify, limit, or supersede … Section 101 … only if such [law does] not require, or accord greater legal status or effect to, the implementation or application of a specific technology…" (E-SIGN § 102(a); emphasis added)
Scope of Preemption
- What E-SIGN preempts: only State laws that deny effect to electronic records or signatures solely because they are electronic, or that mandate one particular technology exclusively
- UETA (over-simplified rule): where enacted without material changes, UETA is not preempted by E-SIGN
Uniform Electronic Transactions Act (UETA)
- Neither discriminates against nor mandates use of e-signatures / e-records
- Permits e-notarizations and e-acknowledgments
- Enables electronic records retention
- Extends beyond E-SIGN by addressing:
  - Attribution of e-signatures or records
  - Changes or errors in e-records during transmission
  - Nondiscrimination against admissibility into evidence
  - Time and place of sending and receipt of e-records
Limits on Preemption
- What E-SIGN does not preempt: E-SIGN does not address preemption of State law other than in the specifically preemptive rules of Section 101
- E-SIGN does not generally interfere with U.S. State digital signature laws and CA licensing regimes
Some States Licensing or Approving CAs
North Carolina, Oregon, Texas, Washington, Utah, Minnesota, Nebraska, California, Nevada, Arkansas
What Rules Does E-SIGN Preempt?
- Attribution rules: no
- Favorable presumptions: no
- Integrity rules: no
- Certification authority trustworthiness: no
- Licensing / accreditation: no
- Rules recognizing only digital signatures as an alternative to handwritten signatures: yes
Performance Standards Exception
- May be specified by a Federal or State regulatory agency
- To assure accuracy, integrity, and accessibility of retained records (E-SIGN § 104(b)(3))
Multi-State Digital Signature Summit
- Held in August 2000 in San Francisco
- Studied digital signature legislation, its application, and its effects in the public and private sectors
- Attendees included Secretaries of State, state digital signature coordinators and policy makers, American Bar Association Information Security Committee members, and other industry leaders
- Considerable focus on preemption
- Conclusions
UNCITRAL Draft Model Law on Electronic Signatures
Beyond E-SIGN: default rules?
- Art. 8, Conduct of the signatory: each signatory shall exercise reasonable care to avoid unauthorized use of its signature creation data
- Art. 11, Conduct of the relying party: a relying party shall bear the legal consequences of its failure to take reasonable steps to verify the reliability of an electronic signature
PKI Assessment Guidelines (PAG): A Tool to Establish Performance Standards?
- A multidisciplinary initiative to develop objective guidelines for assessing PKI interoperation and quality
- Non-sectoral, cross-industry, international
- The PAG can assist in developing performance standards
Conclusions
- E-SIGN creates both peace of mind and uncertainty
- Potential for litigation regarding preemption
- Is the technology-neutrality pendulum swinging?
- Future rules are needed to support CA quality and interoperation
- Harmonize with international initiatives:
  - UNCITRAL Model Law on Electronic Signatures?
  - APEC-EU-US bilateral/multilateral agreements?
- Monitor the impact of the consumer e-records and e-consent studies mandated under E-SIGN
References
http://www.verisign.com/repository