Guide to Computer Law—Number 283
Practitioner’s Perspective
by Holly K. Towle, J.D.
Electronic Signatures — Increasing
Use Means Increasing Questions
These are the kinds of questions we have begun to get from an increasing
array of clients:
Holly K. Towle is a
partner with Kirpatrick &
Lockhart Preston Gates
Ellis LLP (K&L Gates), an international law firm,
and chair of the firm’s E-merging Commerce
group. Holly is located in the firm’s Seattle
office and is the coauthor of The Law of
Electronic Commercial Transactions (2003,
A.S. Pratt & Sons). Holly.Towle@KLgates.com,
206-623-7580.
■
We are now receiving reports from [X] businesses signed with electronic
signatures. They no longer wish to send us original signed copies by
mail. Do we have to accept that?
■
We recently did an e-mailing of the paperwork for our [X] program,
which is wonderful given the reduced mailing costs. Several customers
responded by sending the forms with their names simply typed in on
the signature line. Is that enough?
At the most basic level, the answer to the first question is “No” and the answer
to the second is “Yes.” But the real answer is more complex, fact-dependent
and impacted by new laws. This article discusses the basic question of
“what is an electronic signature” and related issues regarding their use.
To put this into context, recall that not all contracts or documents require a
“signature.” Many times a shake of the hand, a nod of the head or another
“manifestation of assent” such as clicking an “I Agree” button is all that is
required to form a contract. Here we are talking about situations in which
something must be “signed” or bear a “signature.” When faced with such a
requirement, or when signatures are simply preferred, what is an “electronic
signature”?
What is an electronic signature?
The federal Electronic Signatures in Global and National Commerce Act
(“E-Sign”) provides this definition:
The term “electronic signature” means an electronic sound, symbol,
or process, attached to or logically associated with a contract or other
record and executed or adopted by a person with the intent to sign
the record.
Practitioner’s Perspective appears periodically
in the monthly Report Letter of the CCH Guide to
Computer Law. Various practitioners provideindepth analyses of significant issues and trends.
A “record” means “ information that is inscribed on a tangible medium
or that is stored in an electronic or other medium and is retrievable in
perceivable form.” That’s gobbledygook for almost any medium except an
oral conversation, i.e., a paper is a record; an email is a record; and a taped
conversation is a record because each can be retrieved in a perceivable form
for at least some instant in time. There is a reason spies take walks out of
the range of tape recorders to convey information: oral conversations aren’t
records because they can’t be retrieved even momentarily.
CCH GUIDE TO COMPUTER LAW
So which of these is an electronic signature if it appears in
an email:
1. “Holly Towle” showing in the Sender line;
2. “Holly” typed in at the bottom of the email after the
text;
3. “Holly Towle“ inserted as an image at the bottom
(assume I signed in ink, scanned the signed paper into
my computer, and then cropped it to create an image file
that I use whenever I want to “sign” something);
4. “H” appearing at the bottom or “:)” (smiley face) which is
my favorite way to sign (don’t worry, I’m making this up);
5. My use of a PKI encryption process that attaches my
private key to the document (“digital signature”);
NUMBER 283
Is that all there is to it?
It never is. Proving the existence of a sound, symbol or process
provided with the right intent is only one piece of a larger
puzzle. Here are samples of additional questions that anyone
relying on an electronic signature would want to ask:
1. How will I know who typed in “Holly”? This is the
“attribution” question which plagues e-commerce (see
my previous article “Getting to Yes in an Electronic Age”
CCH Guide to Computer Law Report Letter No. 279,
January 21, 2005, and Chapter 6 of my book The Law of
Electronic Commercial Transactions). It is also the reason
for Nos. 5 and 6 — digital signatures using public/
private key encryption and biometric identifiers — are
used by some to provide more reliability regarding who
actually signed. They are not generally required by law;
to the contrary, U.S. law forbids states from preferring
one technology over another (although some countries
do prefer some technologies).
6. Insertion or use of a biometric identifier;
7. Attachment of a little sound recording saying “All my
best, Holly;” or
8. Attachment of a scanned copy of a contract that I initially
signed by hand.
No. 8 is not an electronic signature: I delivered electronically
a copy of a handwritten signature, but did not sign
electronically in the first place.
Each of Nos. 1-7 could be an electronic signature because
each meets the first condition of being a sound, symbol
or process: Nos. 1-4 and 6 could be symbols; No. 5 (or 6)
could be a process, and No. 7 is a sound. But none will be
a signature (electronically or otherwise) unless I add it with
the intent to sign the record.
There’s a New York case illustrating the point. A company
faxed an unsigned guaranty to a person who refused to
start work without one. When it came time to enforce the
guaranty, the company said it never signed; the recipient
said that the company’s name appearing at the top of the
fax was a sufficient signature. The court said that because
federal law requires every fax to show the name of the
sender, the sole fact that the name appeared was not, alone,
enough to show intent that the name count as a signature.
That makes No. 1 the most suspect of the examples given
that every email shows the sender’s name. But No. 1 could
count in some circumstances (e.g., we’ve been exchanging
emails for months and I send one saying “Okay, we have
a deal” — my knowledge that the sender line includes
insertion of my name may be enough — in the “paper
world,” letterhead has been held to be enough).
Parties adopt these or other technologies to make the
attribution task easier. Each technology presents its
own issues and may or may not be practical, acceptable
to those involved, or actually allow attribution. For
example, any identifier stored in an insecure computer
can become problematical. If I store my little signature
stamp (No. 3) in my computer and an unauthorized
person gains access to it, then their insertion of it onto
a document is not my signature. That’s a forgery and
you will not be able to tell the difference (just like you
cannot now tell the difference if someone talented
forges my check).
2. What is my risk if I can’t prove who typed in “Holly”?
The answer will vary with the transaction. Selection of
an electronic signature method should be appropriate
to the risks involved— if you are lending $50 million
on the strength of an electronic signature, the risks are
obvious. If you are a travel agent covered by the Bank
Secrecy Act’s rules for opening new accounts, complying
electronically may need to involve use of biometric
identifiers or the like. One size does not fit all.
3. Am I looking at the right law? I quoted E-Sign and
although it has a sweeping preemptive effect, it does
not apply to intrastate transactions and contains other
scope limitations or exceptions, such as for all articles
of the Uniform Commercial Code except Articles 2 and
2A (sales and leases of goods) and for wills. Regulators
have certain powers and the Securities and Exchange
Commission is illustrative of a regulator with extensive
“e-consent” rules. E-Sign also does not preempt the
Uniform Electronic Transactions Act (UETA) if a state
adopted the 1999 uniform version — about 46 states
CCH GUIDE TO COMPUTER LAW
have adopted UETA but not all adopted the uniform
version. Other laws can also apply and sometimes
parties will have signed master contracts governing
what must, or must not, be done. The e-signature
method chosen needs to work under the laws and
contracts that apply to the particular transaction.
4. May I assume that electronic records are just like paper
records? No. E-Sign and UETA have special rules
regarding electronic records and so do some states and
regulators (again, the SEC is illustrative). Electronic
records are also more likely to be covered by new
laws regarding information security. Some of them
include, for example, an obligation to provide notice to
customers and regulators upon breach of the security
of the system. Again, applicable law can depend on
what you are doing, who you are and where you are.
5. Is use of electronic signatures practical? This question
is important but often ignored. Electronic signatures
may be imperative for an online business that needs
signatures on standard documents, but impractical
in other settings. Consider the typical real estate or
business closing involving unique documents with
page substitutions during the closing, and parties such
as title insurance companies that may or may not be
willing to accept an electronic signature. That is not to
say that electronic closings are not possible; they can be
impractical, however.
Must everyone deal electronically even if they
don’t want to?
Generally, no. E-SIGN says that it does not “require any
person to agree to use or accept electronic records or electronic
NUMBER 283
signatures, other than a governmental agency with respect to
a record other than a contract to which it is a party.” That’s
E-Sign. Parties are free to contract to use them as much, or as
little, as they would like. However, UETA says that consent
to deal electronically as to one transaction cannot be binding
as to other transactions. This creates a need to define the
“transaction” appropriately.
If a consumer customer of yours is willing
to deal electronically in areas where paper
would otherwise be required, can you simply
substitute electronics?
No. If a law requires information to be provided to a consumer
on paper, such as a Truth in Lending Act disclosure statement
for a consumer credit transaction, the consumer cannot
simply agree to accept an electronic substitute. Although
consent to the substitute is required, it must be preceded by
extensive disclosures regarding software and hardware and
other matters. (See 15 USC § 7001(c) for more information
and/or Chapter 11 of my book). Under that rule, consider
the second question listed at the beginning of this alert
regarding “program X:” if X involves consumer information
required to be delivered on paper, the disclosing party is not
free, unilaterally, to substitute electronic disclosures even if
the consumer does not know or care about the federal rule
(and/or additional UETA rules). Those rules exist and need
to be considered.
The above is not a complete list of issues that should be
considered. There are more and they, along with many other
issues relating to use of electronics in commerce, can be
impacted by increasing legislation and other developments.
It may be time to take a look at your practices vis-à-vis current
law, if you have not already done so.