White Paper

Trends in Electronic Signatures

Strategies for addressing risk using biometric data

Author(s): Margo Tank, Partner, DLA Piper; David Whitaker, Partner, DLA Piper


More and more, customers prefer to transact digitally, and companies wish to use electronic signatures to create both consumer and commercial contracts. These trends reflect the ease of use and efficiency of electronic contracting, the increased mobility of contracting parties, and the routine enforcement of electronic signatures by the courts1.

However, along with widespread adoption come more frequent disputes over the authenticity and enforceability of signatures. Just as in the world of paper agreements, contracting parties face the prospect that criminals may seek to steal value through the use of false identities, and individuals may dispute the authenticity of signatures appearing on contract documents – either because the signatures are, in fact, inauthentic, or in an attempt to avoid contract obligations.

This means that contracting parties using electronic signatures are increasingly focused on authenticating signers, and taking steps to assure that the signatures may be reliably attributed to the authenticated signer. This is especially true in higher-value transactions, where the consequences of an unenforceable signature may be particularly costly.

This whitepaper discusses the importance of authentication and attribution to the transaction, the risks associated with not properly addressing these issues, and recent case law trends in this area2.


1 For a couple of recent examples, see Fielding v. Dolgen, LLC, No. 3:17-cv-561-JAG, 2018 WL 3037425 (E.D. Va. June 19, 2018); March-Westin Co., Inc. v. Swinerton Builders, Inc., No. 1:17-CV-199, 2018 WL 2471451 (N.D.W. Va. June 1, 2018); Delgado v. Ally Fin., Inc., No. 317-CV-02189-BEN-JMA, 2018 WL 2128661 (S.D. Cal. May 8, 2018); Wade v. Furmanite Am., Inc., No. 3:17-CV-00169, 2018 WL 2088011 (S.D. Tex. May 4, 2018); see also eSignature and ePayment News and Trends, DLA PIPER, https://www.dlapiper.com/en/uk/insights/publicationseries/esignature-and-epay-news-and-trends/ (last visited Dec. 4, 2018).

2 This Whitepaper was prepared at the request of Wacom and is offered for information purposes only. The content should not be construed as legal advice on any matter contained herein.


Precise data point comparison between two handwritten electronic signatures can help authenticate signers.


What are authentication and attribution and why are they important?

As a brief background, the principal federal law governing the use of electronic records and signatures in business transactions is the Electronic Signatures in Global and National Commerce Act (“ESIGN”)3. Forty-seven states and the District of Columbia have adopted a version of the Uniform Electronic Transactions Act, a model uniform law governing the use of electronic records and signatures (“UETA”)4. ESIGN and the UETA enable the use of electronic signatures and records for consumer and commercial transactions. However, neither ESIGN nor UETA specifies particular authentication or attribution requirements. Instead, ESIGN and the UETA5 look to existing common law rules concerning contested signatures and the burden of proof.

If the authenticity of an electronic signature is in dispute, the person seeking to enforce the signature will be required to prove that the signature was executed by the person against whom enforcement is sought. This means that parties accepting electronic signatures will need to be satisfied that the signature is sufficiently verifiable, under the circumstances and for the contemplated purpose, to counterbalance the risk of such a dispute.


3 15 U.S.C. §§ 7001–7031 (2012).

4 UNIF. ELEC. TRANSACTIONS ACT (“UETA”) (UNIF. LAW COMM’N 1999). Illinois, New York and Washington state each have their own electronic signature laws. To the extent that these alternative laws are inconsistent with ESIGN, ESIGN would apply to the transaction.

5 While ESIGN is silent on issues of attribution, UETA does include provisions that essentially incorporate common law rules. Under Section 9 of the UETA, a signature is attributable to a person if it was the act of the person. The act may be shown in any manner, including a showing of the efficacy of any security procedure (such as a PIN or password) applied to determine the person to which the electronic signature was attributable. Further, the effect of an electronic signature attributed to a person is determined by the context and surrounding circumstances at the time it was executed or adopted, including the parties’ agreement. See UETA §§ 9(a)–(b).


Figure (labels: Velocity, Angle, Pressure): Utilizing an electro-magnetic resonance signature pad and pen allows the capture of pen pressure, speed and tilt data to support signatures.


What is authentication?

“Authentication” refers to the process used to confirm an individual’s identity as a party in a transaction. Authentication of identity in an electronic transaction occurs in two contexts:

• When the relationship between the parties is first created.

• When a transaction occurs during an existing relationship.

Broadly speaking, there are five strategies for initially determining an individual’s identity:

• Self-authentication: relying on the individual’s assertion of identity;

• Logical authentication: evaluating information the individual provides for internal consistency (e.g. are the street address, zip code, and telephone number the individual provides all associated with the same geographic location);

• Negative authentication: determining that information provided by the individual is known to be untrustworthy or to signal potential fraud (e.g. the street address provided by the individual is a known mail-drop);

• Positive authentication: determining that the information provided by the individual is confirmed by trusted information sources (e.g. the individual claims to be a vice president of ABC Company, a fact confirmed by an independent business reporting agency), and

• Third-party authentication: receiving confirmation from a trusted third party of the individual’s identity (e.g., the individual presented a government-issued ID, confirming identity or the government ID contains a biometric measurement associated with the individual).

Selecting the appropriate authentication process for a particular transaction involves consideration of multiple factors, including the nature of the transaction, the risks associated with incorrect identification, the cost and complexity of the authentication process, and where the authentication is occurring. For example, when an individual is acting as the agent or representative of another person, authentication may be limited to confirming the individual’s authority to act on behalf of the other person. The actual identity of the representative may be less relevant or not relevant at all.


Signatures like those of John Hancock are instantly recognizable and can be subjected to graphological analysis to identify potential forgery.


If the relationship between the contracting parties will include multiple transactions, a credential (e.g., User ID and password) may be created for recurring use by the individual, instead of repeatedly performing initial authentication. As an alternative to a credential, biometric measurements may be used for ongoing authentication, so long as the biometric can be reliably established and associated with the individual.

For high risk or high value transactions, generally parties will want more advanced and reliable methods for identifying signers. For example, establishing a customer’s identity or attributing a signature as part of a customer’s initial inquiry may be considered low risk, while executing the documents evidencing an equipment lease might be considered a high risk or high-value transaction.

What is attribution?

“Attribution” answers the question “was the signature created by the named signer.” The question arises when the signer claims that the signature is, in fact, not authentic – that is, the signer did not create the signature and should not be bound by it. Attribution is almost always a question of fact, not law, and has to be answered by an examination of the circumstances surrounding creation of the signature6.

Although ESIGN is largely silent on proving attribution, UETA expressly addresses attribution7 — a signature is attributable to a person if it was the act of the person.8 This is true in both consumer and business transactions. The act may be shown in any manner, including a showing of the efficacy of any security procedure (such as a password or PIN) applied to determine the person to whom the electronic signature was attributable.9 Moreover, the effect of an electronic signature attributed to a person is determined by the context and surrounding circumstances at the time of its execution or adoption, including the participants’ agreement.10

6 See Zulkiewski v. Am. Gen. Life Ins. Co., No. 299025, 2012 WL 2126068 (Mich. Ct. App. June 12, 2012); Adams v. Superior Court, No. G042012, 2010 WL 602515 (Cal. Ct. App. Feb. 22, 2010).

7 See, e.g., Martin v. Portexit Corp., 948 N.Y.S.2d 21 (N.Y. App. Div. 2012).

8 UETA § 9(a); see also Hose v. Washington Inventory Servs., Inc., No. 14-CV-2869-WQH-WVG, 2016 WL 6427810 (S.D. Cal. Aug. 30, 2016); Espejo v. S. Cal. Permanente Med. Grp., 201 Cal. Rptr. 3d 318 (Cal. Ct. App. 2016), review denied (Aug. 17, 2016).

9 See Bynum v. Maplebear Inc., 160 F. Supp. 3d 527, 536–38 (E.D.N.Y. 2016); Hose, 2016 WL 6427810, at *6.

10 UETA § 9(b); Bynum, 160 F. Supp. 3d at 536–37.


Each signature is a unique visual mark signifying identity and intent in signing ceremonies throughout modern history.


How are authentication and attribution related?

It is important not to confuse attribution of a signature with authentication of the signer’s identity. Authentication involves accurately identifying the parties to a transaction. A signature does not necessarily have to provide evidence of the signer’s identity, although some types of signatures may help identify the signer.

In contrast, attribution is focused on associating a particular individual with the signing process – which may be an issue whether or not the named signer has been correctly authenticated. So, for example, if a correctly authenticated signer claims that a signature was created by an impostor, an appropriate attribution method may provide evidence as to whether the signature was created by the identified signer or by an impostor. As another example, suppose an impostor, George Jones, signs an agreement while successfully posing as Fred Smith. In that case, the signer has not been correctly identified or authenticated, and the signature should not be enforceable against Fred Smith, but an appropriate attribution method may still be used to attribute the signature to George Jones and enforce it against him under his true identity.

What are the risks of not addressing authentication or attribution appropriately?

If a company incorrectly authenticates a signer (e.g., someone fraudulently assumes the signer’s identity), then depending on the nature of that relationship and the product or service provided, the company’s failure may result in significant monetary losses.11 In some cases, state or federal law will dictate how any losses are shared between the company and the person whose identity was stolen.

If a signature cannot be attributed to the named signer, then the terms of the executed document will often not be enforceable against the signer.12 This may be true even where the named signer has been correctly authenticated, but it cannot be established that he or she actually signed the record in question.


11 While not addressed in this whitepaper, an additional issue for an individual acting as a representative is whether that individual has been granted the authority to act on behalf of a corporation or other represented party. This issue will be resolved by other law.

12 See Section III below, in particular footnote 16 for cases illustrating the risks associated with the inability to attribute the signature to the identified signer.


Biometric data, like fingerprints, can be used for authentication and be encoded alongside metadata used for attribution.


Current caselaw trends

Judicial guidance on attribution of electronic signatures is developing rapidly. Early case law on electronic signatures tended to focus on whether certain actions (e.g., a click-through) constituted an electronic signature. While this issue still arises occasionally, courts now frequently subject such disputes to limited analysis and conclude, in most cases, that the signer created an electronic signature.13 Today, courts spend significantly more time on determining whether sufficient evidence exists to attribute the signature to the identified signer.

• This issue arises in multiple scenarios (e.g., online purchase, online credit contract, employee orientation, etc.), but common to many recent cases is whether the system at issue adequately authenticated the person signing and associated that signing event with the identified signer:

• Aggregate information required to enroll known to few people and follow-up alerts sent to signer’s email address.14

• An email link to the purported signer was sufficient to authenticate and to attribute the signature.15

• Who, besides the identified signer, had access to the signing process and could have signed the agreement.16


13 See footnote 1 above for examples of recent cases.

14 Zulkiewski v. Am. Gen. Life Ins. Co., No. 299025, 2012 WL 2126068, at *1 (Mich. Ct. App. June 12, 2012).

15 Harpham v. Big Moose Home Inspections, Inc., No. 321970, 2015 WL 5945842, at *3 (Mich. Ct. App. Oct. 13, 2015).

16 For examples of courts concluding that a company properly authenticated an electronic signature, see Espejo v. S. Cal. Permanente Med. Grp., 201 Cal. Rptr. 3d 318 (Cal. Ct. App. 2016), review denied (Aug. 17, 2016); and Yearwood v. Dolgencorp, LLC, No. 6:15-CV-00898-LSC, 2015 WL 5935167 (N.D. Ala. Oct. 13, 2015). The following three cases demonstrate that courts will fail to uphold a signed contract where evidence exists that someone else could have accessed and signed the document: Mansour v. Kmart Corp., Inc., No. PWG-17-2440, 2018 WL 3575062 (D. Md. July 25, 2018); Murray v. ManorCare-W. Deptford of Paulsboro NJ, LLC, No. A-5640-16T1, 2018 WL 2436583 (N.J. Super. Ct. App. Div. May 31, 2018); Jim Schumacher, LLC v. Spireon, Inc., No. 3:12-CV-625, 2015 WL 3949349 (E.D. Tenn. June 29, 2015).


Alternative biometric authentication tools include facial, iris and retinal scans.


Strategies for addressing authentication or attribution using biometric data

One of the available methods for both authenticating signers and attributing signatures is the capture of biometric data associated with creation of the signature. Biometric data captured as part of the signing process could potentially include retina scans, fingerprints, facial recognition, or creation of a handwritten signature.

As an illustration of the potential utility of biometrics, consider that certain signature pads can do more than just capture a digitized image of a manual signature. These pads are also able to capture information related to creation of the signature – pressure applied to the stylus tip, places where the stylus drops to the page and lifts off, how letters are shaped and formed by the signer, and so on. This biometric data, measured and captured in sufficient quantity and quality, can be associated with an individual and be used to confirm identity or a signature. In addition, other meta-data such as date/time, location, device ID, can be captured from signature pads or embedded in the executed document and be utilized for attribution as well as authentication.

There are at least two separate ways in which biometric signature data can be used: (1) to confirm the individual’s identity or (2) to provide evidence that a signature is attributable to the signer. For confirming identity, it will usually be necessary to capture and retain data from a specimen signature at the time of initial authentication, so that biometric data from later signatures can be compared as a method to confirm identity. When the signing event occurs, the newly captured data can then be compared to the specimen data to confirm identity.17 This process may then take the place of a credential (such as User ID and password) as a method to authenticate an individual on a recurring basis as part of multiple transactions over time.

For signature attribution, there are two potential strategies using biometrics, depending on whether the party accepting the signature wants confirmation of attribution at the time of signing, or merely wants evidence that could be compared to other signatures at a later date in the event of a dispute. Just as with identity confirmation, using the biometric data to confirm attribution at the time of signing requires the existence of a specimen sample for comparison. But if the biometric data will only be used in the event of a dispute, the data from the signing event may be captured and retained, and only examined against other signature specimens if a dispute occurs. This second strategy has been recognized by at least one court as a legitimate method for adducing evidence of attribution.18


The move from wet ink signatures to handwritten electronic signatures opens up significant new avenues for utilization of biometrics.


It is worth noting that the use of biometric signature data may also assist with a separate requirement under ESIGN and the UETA – establishing the intent to sign. A number of conventions are used with written documents to provide evidence of intent, like signing one’s name using a pen in a space reserved for a person’s signature. In the electronic environment, it is normally recommended that parties hoping to enforce signed records at a later date include some sort of scheme to establish intent as part of the electronic signing process – for example, through a statement of intent, or an explicit notice that a signature is being created. The use of a stylus to create a digitized signature on a signature line will likely be seen as analogous to using an ink pen, thereby taking advantage of a familiar ceremonial action that eliminates the need for a separate strategy to establish the intent to sign.

Note that no matter what type of biometric data is captured, preserving the integrity of the captured biometrics is paramount. While not an exact analogy, the captured biometrics operate similarly to an audit log19 in helping to authenticate an electronic signature. Therefore, if a company is to rely on the captured biometrics to establish that a party signed an agreement, the biometric data must be both securely stored and tamper-proof (e.g., by applying a cryptographic seal to the biometrics to detect any changes). If any doubt arises as to the validity of the biometrics, this will limit their evidentiary value.
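The cryptographic seal described above, sketched as an added example (not code from the white paper or from Wacom): an HMAC-SHA256 computed over the captured pen samples, the capture metadata and the hash of the signed document, so that a later change to any of them, or reuse of the capture on another document, is detected. The field names, sample values and key are constructed for illustration, and HMAC is an assumption standing in for whatever sealing mechanism a given product uses.

```python
import hashlib
import hmac
import json

# Constructed sample data: pen samples as [t_ms, x, y, pressure] integers.
SAMPLE_SAMPLES = [[0, 1200, 860, 310], [8, 1214, 858, 402], [16, 1231, 861, 455]]
SAMPLE_METADATA = {"captured_at": "2018-12-04T15:02:11Z", "device_id": "PAD-EXAMPLE-01"}
SAMPLE_DOCUMENT = b"Equipment lease agreement (constructed sample text)"
DEMO_KEY = b"demo-key-do-not-reuse"  # assumption: real keys live in an HSM or KMS


def canonical_bytes(record):
    """Serialize deterministically so the same record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_capture(samples, metadata, document, key):
    """Bind pen data and metadata to one document and seal the bundle."""
    record = {
        "document_sha256": hashlib.sha256(document).hexdigest(),
        "metadata": metadata,
        "samples": samples,
    }
    seal = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "seal": seal}


def verify_capture(sealed, document, key):
    """Return 'ok', or the reason the capture cannot be relied on."""
    record, seal = sealed.get("record"), sealed.get("seal")
    if not isinstance(record, dict) or not isinstance(seal, str):
        return "malformed"
    expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how much of the seal matched.
    if not hmac.compare_digest(expected.encode(), seal.encode()):
        return "seal-mismatch"
    # A valid seal lifted onto a different document must also be rejected.
    if record.get("document_sha256") != hashlib.sha256(document).hexdigest():
        return "wrong-document"
    return "ok"


if __name__ == "__main__":
    sealed = seal_capture(SAMPLE_SAMPLES, SAMPLE_METADATA, SAMPLE_DOCUMENT, DEMO_KEY)
    print(verify_capture(sealed, SAMPLE_DOCUMENT, DEMO_KEY))
    sealed["record"]["samples"][1][3] = 999  # alter one pressure reading
    print(verify_capture(sealed, SAMPLE_DOCUMENT, DEMO_KEY))
```

Because an HMAC key is shared, anyone holding it can re-seal altered data; where the seal must convince a third party, a digital signature with the private key held outside the storage system serves the same role.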

17 See, e.g., Am. Family Life Assurance Co. of Columbus v. Biles, No. 3:10-CV-667-TSL-FKB, 2011 WL 5325622, at *3 (S.D. Miss. Nov. 3, 2011), aff’d sub nom. Am. Family Life Assur. Co. of Columbus v. Biles, 714 F.3d 887 (5th Cir. 2013). The court permitted an expert’s testimony because he compared signatures using the raw captured data from the electronic tablet and the signer’s known exemplar, and denied the introduction of expert testimony because it did not use the biometric data and instead used a hard copy of the electronic signature for comparison.

18 See id.

19 Note that audit logs are considered a business record under the rules of evidence. See Loyal v. State, 684 S.E.2d 124, 126 (Ga. Ct. App. 2009); State v. Marmie, No. 2004CA00078, 2005 WL 1414492, at *2 (Ohio Ct. App. 5th Dist. 2005).


Signing ceremonies are a well understood part of the wet ink signing process. Utilizing similar signing ceremonies digitally can assist in confirming intent to sign.


business.wacom.com

© 2018 Wacom Technology Corporation. For more information please contact:

Wacom Technology Corporation 1455 NW Irving St, Portland, OR 97209. USA.

Organisations around the world are going digital. This brings speed, efficiency, cost savings, scalability, accessibility, security and new global opportunities. However as more businesses adopt similar technologies to keep up with the pace of change, it’s getting increasingly difficult for them to differentiate from one another. Although many tasks in business can be automated, some interactions still need to be human for physical or legal reasons, or sometimes because people prefer them that way. However, this doesn’t mean that digital technology is irrelevant in these moments.

At Wacom we have 35+ years of experience helping people apply digital technologies to the most human of activities: creativity. We have helped people to draw and paint, to design and innovate, to make notes and handwrite - digitally.

This combination of human experience with digital advantage lies at the heart of all that we do. And now we are bringing that same philosophy and innovative technology to business.
