Digital Signatures: The Law and Best Practices for Compliance

The CoSign Digital Signature solution automates your signature-based approvals compliantly and affordably, allowing you to cut costs and automate business processes.
Disclaimer: ARX is not a law firm and does not provide legal advice. We make no warranty, express or implied, concerning any interpretation of laws and regulations or its reliability as presented here or of the content on websites cited in this presentation.
Electronic/Digital Signature Legislation
Electronic vs. Digital Signatures
Electronic signatures:
Legally defined as an electronic sound, symbol (e.g., a graphic representation of a person in a JPEG file), or process, attached to or logically associated with a record, and executed or adopted by a person with the intent to sign the record.
Some of the solutions that fit this legal definition can be very problematic with regard to maintaining integrity and security, and especially with regard to sound business policy or practice.
Digital signatures:
Digital signatures, often referred to as advanced or standard electronic signatures, provide the highest form of signature and content integrity as well as universal acceptance.
Digital signatures help organizations sustain signer authenticity, accountability, data integrity, and non-repudiation (a signer cannot later deny their participation in a transaction they signed) of electronic documents and forms.
US/EU Federal and State Statutes
Legislation
Uniform Electronic Transactions Act (“UETA”) – 1999
Electronic Signatures in Global and National Commerce Act (“E-Sign”) – 2000
EU Directive for Electronic Signatures – 1999
These Acts give legal force and effect to electronic or digital signatures.
Uniform Electronic Transactions Act (UETA)
UETA http://www.law.upenn.edu/bll/archives/ulc/fnact99/1990s/ueta99.htm
SECTION 7. LEGAL RECOGNITION OF ELECTRONIC RECORDS, ELECTRONIC SIGNATURES, AND ELECTRONIC CONTRACTS.
(a) A record or signature may not be denied legal effect or enforceability solely because it is in electronic form;
(b) A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation;
(c) If a law requires a record to be in writing, an electronic record satisfies the law;
(d) If a law requires a signature, an electronic signature satisfies the law.
E-Sign Act
ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT (aka E-Sign) at: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ229.106
Mirrors various provisions of UETA (which preceded it):
Section (a) says electronic signatures and documents are legal;
Section (b) says this act does not override other acts that may mandate use of paper-based transactions;
Section (c), “Consents”, outlines what the parties must agree, and declare they agree(d), to regarding the use of electronic signatures/contracts between them; important in B2C and B2B scenarios.
State Compliance with UETA
46 US States (+ DC, Puerto Rico, and the Virgin Islands) have adopted UETA. http://www.ncsl.org/programs/lis/CIP/ueta-statutes.htm
Georgia, Illinois, New York, and Washington have other statutes pertaining to electronic transactions (GA: Ga. Code Ann., § 10-12-1; IL: 5 ILCS 175/1-101; NY: NY CLS State Technology § 301 et seq.; WA: http://apps.leg.wa.gov/RCW/default.aspx?cite=19.34).
The US Federal Act, E-Sign, governs if disputes cannot be settled at the state level.
Note: US courts seem to be admitting electronic signatures so routinely under the E-Sign Act that they find it unnecessary to write an opinion actually going through the analysis under the statute. In a sense, the statute is doing its job by obviating the need for any court to think twice about whether an electronic signature could be admissible (assuming it met all the other rules of evidentiary procedure).
EU Directive for Electronic/Digital Signatures
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures:
The directive indicates standard digital signatures are required, without explicitly saying so (wanting to appear technology neutral).
All EU Member States have adopted this directive with local legislation, as of 2003.
EU Member States are not allowed to add additional requirements to those in the directive.
EU VAT Directive 2001: Council Directive 2001/115/EC:
The directive for electronic invoices calls for electronic signatures as defined by the 1999 directive for electronic signatures.
Legal Summary
US and EU law accept electronic and digital signatures but say nothing about specific technology choices.
US law allows for a broad definition of electronic signature.
EU law narrows the definition and implies that digital signatures should be used.
Regulations in specific industries tend to lean toward digital signatures.
The courts are concerned with:
Admissible evidence
Whether a policy/procedure was followed consistently in the execution of routine business
Best Practices for Digital Signature Deployment
A legally enforceable digitally signed record should have:
Admissible evidence:
The signature is attached to the signed information
The signature is uniquely linked to the signer
The signature is capable of identifying the signer
The signature was created using means the signer maintains under his/her control
The signature is verifiable by anyone at any time
Anyone at any time should easily be able to detect changes to the signed information
Organizational policy:
Digital signing should be part of a standard, automated organizational policy/process
There should be a clear audit trail
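The evidentiary properties listed above (a signature created with a key only the signer controls, uniquely linked to that signer, verifiable by anyone at any time, and revealing any change to the signed information) can be shown concretely with a small signing and verification routine. This is an added example written for this page using Go's standard-library Ed25519 support; it is not CoSign's own code or format, and the SignedRecord layout, the function names and the sample record text are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedRecord bundles the signed content with the signature and the
// signer's public key, so anyone holding the record can verify it later
// without contacting the signer (assumed structure, not a CoSign format).
type SignedRecord struct {
	Content   []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Sign produces a signature over the content with a private key that only
// the signer holds: the "means under the signer's control" requirement.
func Sign(priv ed25519.PrivateKey, content []byte) SignedRecord {
	return SignedRecord{
		Content:   content,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, content),
	}
}

// Verify checks the signature against the public key carried in the record.
// Any change to the content, or a key belonging to someone other than the
// signer, makes this return false (integrity and unique linkage to the signer).
func Verify(r SignedRecord) bool {
	return ed25519.Verify(r.PublicKey, r.Content, r.Signature)
}

// SignerID returns a short fingerprint of the signer's public key, so the
// record alone is capable of identifying who signed it.
func SignerID(r SignedRecord) string {
	sum := sha256.Sum256(r.PublicKey)
	return hex.EncodeToString(sum[:8])
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	rec := Sign(priv, []byte("PO-0001 approved by J. Doe")) // constructed sample record
	fmt.Println("signer", SignerID(rec), "valid:", Verify(rec))
	rec.Content = []byte("PO-0002 approved by J. Doe") // an edit after signing
	fmt.Println("after edit valid:", Verify(rec))
}
```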
When are Digital Signatures Needed?
Audit and regulatory requirements
Particular to industry/geography
Acceptance
Inside and outside the organization
Verification
Now and in the archive
When proof of identity, intent, and integrity is needed
CoSign Digital Signature Compliance
CoSign creates legally enforceable digital signatures in accordance with UETA, 15 U.S.C. 7001 (E-Sign) and EU Directives 1999/93/EC and 2001/115/EC
The CoSign digital signature solution, when implemented with a proper organizational policy, can comply with:
FDA Title 21 CFR Part 11 (Life Sciences)
HIPAA (Healthcare)
Most states’ PE boards (Engineering)
Sarbanes-Oxley
EU VAT Directive
SAFE BioPharma Association
United States Department of Agriculture (USDA)
About CoSign
The CoSign digital signature solution automates your signature-based approvals compliantly and affordably, allowing you to cut costs and expedite business processes.
For more information, please contact John Marchioni, VP Business Development
Tel: (415) 839 8161
www.arx.com