ESIGN 101
(For the Uninitiated and the “Old Hands”)
Or How to Use Electronic Records and Signatures to Grow Your Business
AICP Great Lakes Chapter Education Day
May 14, 2015
Margo H.K. Tank
Partner
Disclaimer
© 2015 BuckleySandler LLP. All rights reserved. No
copyright claimed on images licensed from others.
No part of this document may be reproduced or
transmitted in any form, by any means (electronic,
photocopying, recording or otherwise) without the
express prior signed permission of the author. This
presentation is for purposes of education and
discussion. It is intended to be informational only and
does not constitute legal advice regarding any specific
situation, product or service.
The Statutes
• The state law solution – the Uniform Electronic Transactions
Act (UETA)
• The Federal solution – the Electronic Signatures in Global and
National Commerce Act (ESIGN)
– Overlay statutes
– Authorize replacing writings with electronic records
– Authorize electronic signatures
– Require affirmative “opt-in” by parties -- but opt-in may be shown by surrounding circumstances
• The Outliers – New York, Illinois, Washington State
• The Extra Outlier – California
• Statutes that are “Special” – UCC Articles 4A, 5, 8 and 9
• Regulators that are “Special” – SEC and IRS
The Whole Point of the Statutes
• A record or signature may not be denied legal effect or
enforceability solely because it is in electronic form
• If a law requires a record to be in writing, an electronic
record satisfies the law
• If a law requires a signature, an electronic signature
satisfies the law
How It Works
Barwick v. Geico
Arkansas Supreme Court
• Geico issued an automobile insurance policy to an individual who applied for the policy over the Internet.
• As part of the application process, the applicant elected to waive medical benefits coverage, and electronically signed a statement rejecting the coverage.
• At the time of the application, Arkansas’ insurance law required that medical benefits coverage could only be rejected by a signed “writing.” However, Arkansas had also adopted the UETA prior to the date of application.
• Geico issued the policy without medical benefits coverage. The applicant later married the plaintiff, Barwick, who was driving the car covered by the Geico policy when he was struck by another vehicle, sustaining injuries. Barwick submitted medical bills for payment under the Geico policy. Geico rejected the claim.
• When sued by Barwick, Geico moved for summary judgment, pointing to the electronic waiver of coverage signed by the applicant. The applicant admitted signing the waiver.
• Barwick claimed the waiver was not effective because it was not signed “in writing”, as required by the insurance statute. The Arkansas Circuit Court rejected Barwick’s argument and granted summary judgment in favor of Geico.
• On appeal, the Arkansas Supreme Court affirmed. The Court held that the plain language of the Arkansas UETA authorized the use of electronic records and signatures to satisfy the writing requirement in the insurance statute.
The Scope of the Statutes
• Applies to the use of electronic records and signatures in
virtually any business-to-business or consumer
transaction, unless specifically excluded
– UETA applies to state law
– ESIGN applies to federal law and state law (subject to special
preemption rule)
– Parts of the UCC fill in the rules for Wire Transfers, Letters of
Credit, Securities and Personal Property Security Agreements
– SEC and IRS “roll their own”
• Covers (among many other things):
– Insurance
The Scope of the Statutes
• What to stay away from:
– Many “bad things are gonna happen” notices
– Many “bad things have happened” notices
– Unhappy family stuff (Divorce, Death)
– Happy family stuff (adoption, testamentary trusts)
– Hazardous waste (like you had to be told, right?)
Getting the Opt-In
• For business-to-business transactions, any old agreement to
use electronic records and signatures will do (express, or
implied from circumstances – like turning on your computer).
• For consumer transactions where the consumer is entitled to
receive information “in writing” –
– Under ESIGN (for federal requirements), and
– Under UETA in 17 states (for state requirements):
• Consumer must affirmatively consent
• Other party must provide disclosures prior to consent in clear and
conspicuous statement
• Consent must “reasonably demonstrate” ability to receive documents
Getting the Opt-In: Part 2
• “Reasonable demonstration”
– Consumer consent must
• Be electronic or be confirmed electronically
• Include a “reasonable demonstration” of consumer’s ability to access information in the
electronic form(s) provided
– Legislative history in ESIGN attempts to set standard
• Test is not intended to “burden commerce”
• Email confirming receipt of test files is sufficient
– Failure to include “reasonable demonstration” in consent process may not be used as basis to
invalidate contract
• “In person” consent/demonstrations can be tricky
– The “Now”
• Demonstration of ability to view – “they came, they saw, they clicked”
• Demonstration of ability to retain – relying on self-reporting
– The “Later”
• What constitutes a “reasonable demonstration” of the ability to access the records after the
consumer leaves the place of business?
• What special risks are created by relying on self-reporting to establish a “reasonable
demonstration” for future, off-site communications?
• Are special state law requirements pre-empted?
The Key Definitions
• “Record” means information that is inscribed on a
tangible medium, or that is stored in an electronic or
other medium and is retrievable in perceivable form
– All writings are records, but not all records are writings
– “Electronic Record” is virtually any stored record that is not on
paper
• “Electronic Signature” means an “electronic sound,
symbol, or process attached to or logically associated
with a record and executed or adopted by a person with
the intent to sign the record”
Electronic Signature
• Includes:
– Traditional ink signatures
– Typed names
– A click-through on a software program’s dialog box combined
with some other identification procedure
– Biometric measurements
– A digitized picture of a handwritten signature
– A complex, encrypted authentication system
– Electronic voice transmission
• Recording may be required to establish proof (and possibly to
meet the “attached or logically associated” standard)
• Beware contract limitations on use of voice signatures
Electronic Signature: The Tricky Bits
• Legal sufficiency vs. attribution
– UETA and ESIGN answer the question “is it a signature?”
– Do NOT answer the question “is it your signature?”
• Attribution must be proven
– May be proven by any means, including surrounding
circumstances or efficacy of agreed-upon security procedure
– Burden of proof is on person seeking to enforce signature
• Intent must also be established – watch out for:
– Placement of the signature “call to action”
– “Multi-signing” in consumer transactions
How It Works
Zulkiewski v. General American
Court of Appeals of Michigan
• Dr. Zulkiewski took out a $250,000 life insurance policy from General American. Prior to the events in dispute, his mother was named as beneficiary on the policy.
• Dr. Zulkiewski married his second wife.
• General American permitted customers who enrolled in the company’s eServices to change beneficiaries online. To prove identity and enroll in the service, the applicant was required to enter the policy number, and the insured’s social security number, mother's maiden name, and an e-mail address. The applicant then chose a password and verified it. An email confirmation was sent to the insured.
• Someone enrolled in the eService as Dr. Zulkiewski, providing all the proper information, and then changed the policy beneficiary to the second wife, electronically signing the beneficiary change form. A further email alert was sent to the Doctor’s email address giving notice of the change. Shortly thereafter, Dr. Zulkiewski died.
• Dr. Zulkiewski’s mother sued to obtain the insurance proceeds, claiming that General American’s security procedure was insufficient to prevent an unauthorized signature on the change form, and arguing that before the change could be enforced General American had to prove that the form was signed by Dr. Zulkiewski. His mother argued that the second wife or a “person unknown” could have passed the security procedure and signed the change form. The wife filed an affidavit denying the allegations.
• The Marquette Circuit Court for the State of Michigan granted summary judgment for General American. On appeal, the Court of Appeals affirmed. The appellate court held:
• Under Michigan’s UETA, an electronic signature may be attributed to a person by any reasonable means.
• In the case at hand, the following undisputed facts were sufficient to establish attribution:
– The aggregate information required to enroll in the eService would be known to only a few people;
– General American provided follow-up alerts to the Doctor’s email address confirming the beneficiary change, and
– The Doctor’s widow presented an affidavit denying any involvement in the beneficiary change.
• The court observed that the Doctor’s mother had offered no evidence that the widow or another person had signed the change form, but just “conjecture” that such a thing might have happened. The court held that idle conjecture was not enough to overcome the facts supporting attribution.
How It Doesn’t Work
Adams v. Quicksilver, Inc.
Court of Appeals of California
• Adams filed suit against Quicksilver for wrongful termination. Quicksilver filed a motion to compel arbitration, based upon an arbitration agreement Adams allegedly signed electronically at the time she applied for employment. The agreement was sent to Adams via a hyperlink in an email – no password or other credential was required to access the form – just the hyperlink.
• The agreement included at least two places where Adams was to add an electronic signature by typing her name into a blank field. The second signature block was at the end of the form, after provisions in the agreement calling for mandatory arbitration of disputes. Quicksilver produced a copy of the agreement that had been stored on the system of its vendor and contained Adams’ full name (including middle name) typed on the signature line after the arbitration agreement.
• The system used by Quicksilver provided no audit trail for the signing process, so it could not be determined when the record was signed.
• Adams argued that she had not signed the agreement. She admitted filling out other blanks in the agreement and saving/submitting it back to Quicksilver, but claimed that she had not seen the arbitration provisions or the signature block at the end of the agreement. She pointed out that her full name was typed in the signature block, and that she always omitted her middle name when signing. Several other examples of her signature were provided to the court that did not include her middle name.
• The vendor’s system did not protect the signed record against post-execution alteration, and the post-execution audit trail maintained by the vendor showed that two Quicksilver employees had accessed the record after it was first saved and submitted for storage.
• The district court granted the motion to compel, and Adams appealed. The California appellate court reversed, referencing the attribution rules in California’s UETA and concluding that attribution had not been established by a preponderance of the evidence.
• In deciding that the electronic signature could not be attributed to Adams, the court cited several specific facts:
– Adams did not have to use a password or other credential to access the record
– There was no audit trail for the signature process
– The record was not protected against undetected post-signature alteration
– At least two Quicksilver employees had accessed the signed record after it was saved and submitted by Adams
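The facts the court cited map onto system controls. The sketch below is an added example, not part of the original presentation and not any vendor's system: a MAC-chained audit trail that records authentication, seals a digest of the record at signing, and logs later access. The class, key, actor names and timestamps are all hypothetical and constructed.

```python
import hashlib
import hmac
import json

SEAL_KEY = b"constructed-demo-key"  # assumption: a real system keeps this in an HSM/KMS
GENESIS = "0" * 64

def _mac(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, data, hashlib.sha256).hexdigest()

class SigningAuditTrail:
    """Append-only, MAC-chained event log for one signed record (hypothetical design)."""

    def __init__(self):
        self.events = []

    def append(self, actor, action, timestamp, doc_bytes=None):
        entry = {
            "seq": len(self.events), "actor": actor, "action": action,
            "timestamp": timestamp,
            "prev": self.events[-1]["mac"] if self.events else GENESIS,
            # Digest of the exact bytes presented, sealed into the chain at signing.
            "doc_sha256": hashlib.sha256(doc_bytes).hexdigest() if doc_bytes is not None else None,
        }
        entry["mac"] = _mac(entry)
        self.events.append(entry)

    def verify_chain(self):
        """False if any event was edited, reordered, or removed from the middle."""
        prev = GENESIS
        for i, e in enumerate(self.events):
            body = {k: v for k, v in e.items() if k != "mac"}
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["mac"], _mac(body)):
                return False
            prev = e["mac"]
        return True

    def verify_document(self, doc_bytes):
        """True only if the stored record still matches the digest sealed at signing."""
        signed = [e for e in self.events if e["action"] == "signed" and e["doc_sha256"]]
        if not signed or not self.verify_chain():
            return False
        return hmac.compare_digest(signed[-1]["doc_sha256"], hashlib.sha256(doc_bytes).hexdigest())

def demo():
    """Constructed sample: authenticate, sign, then a later staff access."""
    trail, doc = SigningAuditTrail(), b"Arbitration agreement (constructed sample text)"
    trail.append("applicant", "authenticated", "2015-01-05T10:00:00Z")
    trail.append("applicant", "signed", "2015-01-05T10:04:12Z", doc)
    trail.append("employee-1", "viewed", "2015-01-06T09:00:00Z")
    return trail, doc
```

With a trail like this, later staff access is recorded without casting doubt on the record, because the stored bytes can still be checked against the digest sealed at signing.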
Electronic Retention of Records: ESIGN & UETA
• ESIGN and UETA allow copies of contracts and state and federal
disclosures to be retained electronically so long as the contract or
other record:
– Accurately reflects the information set forth in the contract or other
record
– Remains accessible to all persons who are entitled to access by statute,
regulation, or rule of law, for the period required by such statute,
regulation, or rule of law in a form that is capable of being accurately
reproduced for later reference, whether by transmission, printing, or
otherwise
• Electronic records meeting this test can satisfy “original”
requirements
• Consequences for failure to retain appropriately
– Impaired enforceability
– May not satisfy regulatory writing, delivery or signing requirements
– May not be admissible in court
Record Retention
• Challenges:
– Document integrity
• Contents sent are same as contents received;
• Record management system has ability to prevent unauthorized
modifications or changes to stored records.
– Content prints/stores accurately.
– Content will need to migrate due to technology advances.
Admissibility/Reliability
• Courts evaluating the integrity of an electronic record
may be expected to focus on system protections –
– Access controls
– Encryption of executed documents to prevent undetected
alteration
– Activity logs
– Security of copies stored offsite to verify content
– Conversion to paper
– Data Migration
– Evidence (preserving evidence of data integrity, versions, screen
shots, and process flows is essential to winning the case; See
Bar-Ayal v. Time Warner)
ESIGN §104 Retention Performance Standards
• Federal and State regulators can establish record retention
performance standards for:
– Accuracy
– Record Integrity
– Accessibility
• Performance standards should generally be technology
neutral
• Performance standards can impose greater costs or impose
higher burdens on eRecords over paper records if the
requirement:
– Serves an important government objective; and
– Is substantially related to achieving that objective
ESIGN §104 Paper Requirements
• Federal and State agencies cannot impose or reimpose a
requirement that a record be in tangible printed or paper
form
• Unless
– Compelling government interest relating to law enforcement or
national security; and
– The requirement is essential to attaining such interest.
Controlling Risks with SPeRS
What is it?
• SPeRS (Standards and Procedures for Electronic Records and Signatures)
– www.spers.org
• A cross-industry initiative to establish commonly understood “rules of the
road” available to all parties seeking to take advantage of the powers
conferred by ESIGN and UETA.
• Founded on the proposition that much of the time and effort being
invested by companies “re-inventing the wheel” could be avoided if
cross-industry standards for these elements of electronic transactions
could be established.
• Focused on the behavioral and legal aspects of the interaction between
parties to the transaction, not on technology. SPeRS is intended to be
technology neutral.
• Standards are not necessarily legal minimums, but implementing the
standards should enhance reliability and sufficiency.
The SPeRS Structure
• SPeRS is divided into five sections:
– Authentication
– Consent
– Agreements, Notices and Disclosures
– Electronic Signatures
– Record Retention
• Each section is composed of an Introduction and Outline
and a series of Standards with supporting materials.
Questions or for SPeRS
Margo H.K. Tank
BuckleySandler LLP
1250 24th Street, NW
Suite 700
Washington, DC 20037
202.349.8050
mtank@buckleysandler.com
www.buckleysandler.com