Legal Update

  1. Introduction to E-SIGN and Electronic Signature Law
  2. E-SIGN Preemption
  3. Exceptions to E-SIGN Preemption
    A. State and Federal Governments as Market Participants and Regulators
    B. PKI as a "Security Procedure" under the UETA and the EU Directive on Electronic Signatures
    C. Other Non-UETA State Electronic Signature Laws
  4. Additional Resources

I. Introduction to E-SIGN and Electronic Signature Law
On October 1, 2000, the Electronic Signatures in Global and National Commerce (E-SIGN) Act became federal law in the United States. Section 101 of E-SIGN provides that "with respect to any transaction in or affecting interstate or foreign commerce" a signature may not be denied legal effect "solely because it is in electronic form." Thus, E-SIGN creates a level playing field for electronic signatures vis-à-vis signatures on paper documents. In the interest of facilitating interstate commerce, Congress passed E-SIGN so that states cannot place requirements on, refuse to recognize, or deny the legal effect of an electronic signature merely because the signature did not fit or follow a prescribed technological process. In this respect, E-SIGN is technology neutral. E-SIGN does, however, contain several variations and exceptions to this general rule, discussed below.

E-SIGN reflects the culmination of work by several organizations to develop standards for the acceptance of electronic signatures in e-commerce. Among the sources and groups that helped shape the provisions of E-SIGN were the United Nations Commission on International Trade Law (UNCITRAL), the Directive of the European Parliament on a Community Framework for Electronic Signatures (the EU Directive) and the Uniform Electronic Transactions Act (UETA) as approved by the National Conference of Commissioners on Uniform State Laws (NCCUSL). E-SIGN, UETA and the EU Directive are based on Sections 5 and 7 of the UNCITRAL Model Law on Electronic Commerce, which proposed that an electronic signature "not be denied legal effect, validity or enforceability solely on the grounds that it is in the form of a data message." (See e.g., EU Directive, Art. 5, § 2). Nearly every state in the United States also has some form of electronic signature law on its books, and 23 have adopted UETA, which contains many of the same provisions as E-SIGN.

Such legislation has traditionally been drafted to permit a broad range of "electronic signatures" (often defined as "an electronic sound, symbol or process attached to a record by a person with the intent to sign the record") to satisfy the requirements of a legal signature. Many jurisdictions, however, have recognized the additional benefits that public-key-cryptography-based electronic signatures ("digital signatures") bring to electronic commerce. A digital signature is a type of electronic signature. The features of public-key technology have led many law and policy experts to conclude that, when properly implemented, PKI-based digital signatures provide greater assurance of a document's authenticity and integrity than other forms of electronic signatures. PKI technology provides proof of message integrity and, through verification of the signature by a trusted third party like DST, it provides the level of signer authentication necessary for e-commerce.


II. E-SIGN Preemption
Electronic signature laws vary from jurisdiction to jurisdiction. An issue described as problematic because of ambiguous language found in E-SIGN is the extent to which E-SIGN preempts or supplants state law. Specifically, Section 102(a)(2) of E-SIGN provides that a state law may specify alternative procedures or requirements that are consistent with E-SIGN so long as those alternatives do not give greater legal effect to electronic signatures created using a particular technology.

By way of background, early in 1995 the State of Utah was at the forefront as the first jurisdiction to adopt a digital signature law. The Utah statute specifically addressed a PKI implementation of electronic signatures, because it spoke in terms of "asymmetric cryptosystems," "public keys," "private keys" and "digital certificates." (See DST's Digital Signatures and Public Key Infrastructure (PKI) 101 for an explanation of these terms.) The Utah law also contained a presumption that a digital signature (backed by a valid digital certificate issued by a licensed Certification Authority) was affixed by the subscriber listed in the certificate with the intention of signing the message.

Between 1995 and the adoption of E-SIGN, several states including Washington, Illinois and Minnesota followed suit with similar laws. (It is important to note that even with the presumption that these statutes have provided, the unwitnessed creation of a digital signature has remained open to denial by the alleged signer, i.e., there is no irrebuttable presumption. A party attempting to repudiate the digitally signed document could introduce evidence that the digital signature was created either under duress or without the person's knowledge.) Still, during the debate over passage of E-SIGN there was concern that digital signature technology should stand on its own merits and not be given an advantage over other technologies through presumptions built into the law.

In addition, concern was expressed that some laws improperly placed a burden on consumers to disprove their signature instead of requiring the relying party to prove the authenticity of the signature. Thus, as a general rule, Congress preempted such laws to the extent they accord a greater legal status to the implementation of a specific technology such as PKI.


III. Exceptions to E-SIGN Preemption
Preferences for implementation of PKI still exist, as discussed below, in the following contexts:

  • State and Federal Governments
  • UETA and the EU Directive
  • Other Electronic Signature Laws

A. State and Federal Governments as Market Participants and Regulators

As a specific exception to the technology-neutral provisions of Section 102(a)(2), state and federal governments may mandate the use of a particular technology in connection with procurement. See § 102(b) of E-SIGN. Also, under Section 104, a state or federal regulatory agency can interpret E-SIGN and specify standards to carry out the agency's statutory directives. While an agency may not require the use of a particular type of hardware or software, it can specify a performance standard or technical specification to address issues such as security, record integrity, signer authentication and interoperability. Section 104(b)(3)(A) of E-SIGN allows state and federal agencies to require, or accord greater legal status or effect to, a particular technology if it first finds that 1) the requirement serves an important government objective and 2) the implementation of that technology is substantially related to achieving that objective.


B. PKI as a "Security Procedure" under the Uniform Electronic Transactions Act and the EU Directive on Electronic Signatures

E-SIGN was adopted with state adoption of UETA in mind. If a state adopts the official version of UETA, that adoption of UETA will "preempt" E-SIGN, even though UETA varies from E-SIGN in several respects. Moreover, state-modified provisions of UETA will not be considered preempted to the extent they still meet the technology-neutral conditions imposed by Section 102(a)(2) of E-SIGN.

UETA is more comprehensive than E-SIGN. E-SIGN contains no provisions dealing with the "attribution" of electronic signatures (i.e., "who" actually created the signature). Section 9 of UETA provides that an electronic signature may be "attributed" to a person by looking at the circumstances surrounding the creation of the signature and by "[a] showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable." (Emphasis added.) Section 10 of UETA recognizes the benefits that well-implemented, agreed-upon security procedures provide for attribution and message integrity, and it favors parties who follow such procedures in the event there is a dispute over the content of the message. UETA allows the parties to vary signature creation and attribution provisions by agreement; E-SIGN is silent on this matter (except for certain consumer protection provisions). Under UETA and most electronic signature laws, evidence of a record or signature may not be excluded solely because it is in electronic form. (UETA, § 7.) (Under the EU Directive, an "advanced electronic signature" backed by a "qualified certificate" created by a "secure-signature-creation-device" must be recognized as the equivalent of a handwritten signature and must also be admitted into evidence. (EU Directive, Art. 5, § 1).)

What kinds of conclusions can one draw from these provisions? Digital signatures are one of the "security procedures" referred to in UETA and the EU Directive. As a trusted third party, DST provides security procedures to verify an electronic signature, verify the identity of the sender, and assure the informational integrity of the electronic record. Because E-SIGN neither preempts UETA nor the rights of parties to choose a course of conduct, it is clear that reliance on PKI-based digital signatures can afford a relying party greater procedural protections than are available with unauthenticated electronic signatures.


C. Other Non-UETA State Electronic Signature Laws

Moreover, state laws containing provisions not related to the legal efficacy of electronic signatures remain unaffected by E-SIGN. Under Sections 101(b) and 102(a)(2) of E-SIGN, other areas of state law, such as Certification Authority licensing, survive the enactment of E-SIGN. Most non-UETA state electronic signature laws cover more than just the legal effect, validity or enforceability of a contract created with an electronic signature.

In the area of PKI, they often provide technology-specific licensing standards for certification service providers, presumptions and warranties that the information provided by licensed certification service providers is accurate, and limitations on liability for following certain procedures. (See Nevada Rev. Stat. § 720.010, et seq.; Utah Code Ann. §§ 46-3-101, et seq.; Wash. Rev. Code § 19.34.010, et seq.; 5 Ill. Comp. Stat. 175/1-101, et seq.; Minn. Stat. 2000 § 325K.001, et seq.) (Article 6 of the EU Directive also requires that licensed certification-service providers offer a minimum set of warranties and it allows such providers to limit the value of transactions for which a certificate can be used.) Those laws remain unaffected by E-SIGN (to the extent that they do not accord "greater legal status" to signatures created with a specific technology). In fact, some states such as Utah and Minnesota have adopted UETA in addition to existing digital signature law as a belt-and-suspenders approach. By adopting UETA, states establish a level playing field for all electronic signatures, but by keeping a digital signature law on the books, they take advantage of the benefits provided by PKI-based signatures.


IV. Additional Resources

Additional information regarding the law of electronic signatures in state, federal and international jurisdictions can be found at the web sites listed below:

E-commerce law site of Baker & McKenzie including "Electronic Signatures in Global and National Commerce Act of 2000: Effect on State Laws" by Raymond T. Nimmer

National Governors Association's "What Governors Need to Know About E-SIGN: The Federal Law Authorizing Electronic Signatures and Records"

Freddie Mac's "Preliminary Specifications for Electronic Loan Documentation"

Office of Management and Budget's "Guidance on Implementing the Electronic Signatures in Global and National Commerce Act"

"E-Sign of the Times" by Robert A. Wittie and Jane K. Winn

NCCUSL's Summaries, Fact Sheets, Articles and Final Uniform Electronic Transactions Act including "A Preliminary Analysis of Federal and State Electronic Commerce Laws" by Patricia Brumfield Fry

PureEdge Solutions' "Overview of the E-SIGN Bill"
