MUETA: What Every Public Sector Lawyer Should Know

Department Of Telecommunications And Energy

Thursday, December 2, 2004

2

The Once and Future Signature

I Traditional Signatures

II Before E-SIGN: The Law pertaining to Traditional Signatures in Massachusetts

III E-SIGN

IV MUETA

V Technology Neutrality

VI The Myth of “Nonrepudiation”

I

TRADITIONAL SIGNATURES

4

Traditional Signatures

Authentication: the original biometric

Attachment of signature to document

Intent of the signor

Some comfort re: document integrity

5

Traditional Signature Imperfections

Authentication

Attachment to document

Intent of the signor

Document integrity

Forgery

Electronic copying can disassociate signature from document

Signature pages can be replaced

Wordprocessed pages can be replaced and altered without detection

II

Before E-SIGN, the Law Pertaining to Traditional Signatures in

Massachusetts

7

Before E-SIGN

Many Massachusetts state statutes and regulations:

require signature for a particular transaction

Suggest what that signature must consist of

Statutes of frauds: Some contracts not valid unless reduced to writing.

8

Before E-SIGN

Various sections of the MGL and regulations

Defined signatures loosely to include many different kinds of signatures or

Defined signatures tightly to exclude many different kinds of signatures or

Explicitly prohibited use of electronic signatures

9

Mass. Common Law on Signatures was Liberal

Where validity of electronic records not at issue, courts treat in the same way as paper records. In the absence of state statute specifying a “wet” signature, lower level courts have permitted a number of different kinds of signatures.

Negotiations conducted through email, fax and phone call satisfies Long Arm StatuteLenient with respect to non-traditional signatures and records (e.g. facsimile signature)Telegram is a writing under statute of fraudsState trooper report signed via email valid

10

III E-SIGN

In the US, business and legal community concerned about validity of electronic signatures, contracts and other records under state lawSome states pass electronic signature lawsNo uniformity; not technology neutralGlobal issue. 1996 United Nations Commission on International Trade Law (“UNCITRAL”) Model Law on Electronic Commerce. Addresses electronic signatures

11

E-SIGN (cont.)

1999 National Conference of Commissioners on Uniform State Laws (NCCUSL) drafts the Uniform Electronic Transactions Act (UETA). Incorporates many provisions from UNCITRAL Model Law. Uniform, technology neutral

A few states start enacting UETA ----in a non-uniform manner

12

Federal E-SIGN, effective 10/01/00.

Goal: bring uniformity and technology neutrality to electronic signatures, contracts and records law in the USMechanism: pass Federal law to pressure states to adopt uniform version of UETA Validates electronic signatures, contracts and other records for most transactionsPreempts state law to the contrary

Reverse preemption provision

13

E-SIGN, cont.

Exemptions for: Family law

Hazardous waste transportation

Some transactions covered by the UCC; but E-SIGN does apply to sections 1-107(waiver or renunciation of claim after breach) and 1-206 (statute of frauds for contracts pertaining to personalty other than contracts for sale of goods covered by article 2-201, securities and security agreements); and Articles 2 (sale of goods) and 2A (leases).

14

E-SIGN, (Cont).

Scope: Documents related to transactions in interstate and foreign commerce

Only state government transactions covered are those related to procurement

Limits state and Federal government ability to regulate in favor of hard copy records used in private transactions

15

E-SIGN (cont.)

Because E-SIGN did not cover most agency transactions, Agency Counsel needed to review Massachusetts statutes and regulations in order to determine whether their agency could use electronic signatures.

16

E-SIGN Reverse Preemption Provision

In States that pass National Commission on Uniform State Law version of the Uniform Electronic Transactions Act, section 101 of E-SIGN (the validating provisions) is replaced by the state UETA

States that pass non-uniform versions of UETA may have some or all of their state UETA reverse-reverse-preempted by E-SIGN

17

Progress of Reverse Preemption

As of today, 44 states have enacted some form of UETA and therefore are not subject to section 101 of E-SIGN

UETA (MUETA) enacted in Massachusetts in 2003 (Senate 2076 ).

18

IV MUETA

Effective February 18, 2004

Codified at Mass. Gen. L. ch. 100G

Chapter 133, Acts of 2003

Applies to any electronic record or electronic signature created, generated, sent, communicated, received, or stored on or after MUETA’s effective date.

19

MUETA and E-SIGN differ in a number of ways, including …

MUETA applies to all government transactions, E-SIGN only to government procurement transactions

Aside from their explicitly excepted provisions, E-SIGN covers only interstate and foreign commerce transactions, MUETA covers all transactions covered by the law of the state in which MUETA is enacted

20

E-SIGN and UETA Both say….

Electronic signature, cannot be denied legal effect or enforceability solely because it is electronic

Signatures subject to E-SIGN/MUETA are also subject to other substantive law

Ex: state law regarding age at which person has capacity to create legally binding signature is not affected by E-SIGN

21

Neither E-SIGN nor MUETA says….

To use a particular electronic signature technology; both are “technology neutral”

22

Agency Counsel Need to Know….

Does MUETA Apply? If so, what part?Is the transaction subject to consumer or other disclosure or notice laws?Does the ES comply with the standards issued by SPR, RCB and ITD?Is the use of the ES voluntary?Does the electronic system address the elements required by MUETA?

Does MUETA Apply? If So, What Part of MUETA?

24

MUETA applies to:

Both “transactions” and government’s non transactional activityDifferent sections of MUETA apply to transactional and non transactional activityTransaction is defined as “an action or set of actions occurring between two or more persons relating to the conduct of business, commercial or governmental affairs”

Example: issuing a license to a doctor to practice in Massachusetts

25

MUETA applies, cont.

Transactions do not include unilateral actions.

Example: Using an electronic system to approve timesheets.

26

MUETA applies (cont.)

Exemptions: If they apply, electronic signatures and records not necessarily invalid but can’t rely on MUETA to validate. Exclusions include:

Creation and execution of wills, codicils or testamentary trustsMassachusetts UCC, other than sections 1-107and 1-206, section 2 and section 2A of chapter 106Adoption, divorce or other matters of family lawCourt orders or notices, official court documents including briefs, pleadings, and other writings, required to be executed in connection with court proceedings

27

MUETA applies (cont.)

Any notice of the cancellation or termination of utility services (water, heat, power); of default acceleration, repo, foreclosure, eviction, or right to cure, under a credit agreement secured by, or a rental agreement for, a primary residence of an individual;Cancellation or termination of health insurance or benefits or life insurance benefits, excluding annuities; Recall of a productDocuments required by law to accompany transportation or handling of hazmat, pesticides, or other toxic or dangerous materials.

Transaction Subject to Consumer or other Disclosure or Notice Laws?

29

Disclosure or Notice

MUETA is written so that it does not reverse-preempt E-SIGN section 7001(c), a consumer protection provision. Must follow rules for consumer disclosure when engaged in market activity with consumerMUETA’s own rules regarding compliance with notice or disclosure (whether or not consumer related) in connection with electronic transaction. MUETA section 8

Example: state law requiring translation of certain notices

Does the Signature Comply with the Standards Issued by the Supervisor of

Public Records, RCB and ITD and, for contracts, OSC?

31

Standards

General provisions of MUETA say that SPR, RCB and ITD “shall determine whether, the extent to which and the manner by which such entities shall create, maintain and preserve electronic records, signatures and contracts and the method of converting paper government records to electronic format”

32

Current Standards

SPR Bulletins1-99 (email)

1-92 (fax transmissions)

1-93 (optical media)

4-96 (access and copying of electronic public record)

33

Current standards (cont.)

RCBStatewide Records Retention Schedule 04/04

Guideline for documentation of recordkeeping systems

34

Standards (cont.)

ITDEvolving standards for information technology in general, nothing specific re: electronic signatures yet.

35

OSC and Electronic Signatures on Contracts

MUETA makes ITD is the agency with authority to say when Executive Department agencies can use electronic records and signaturesITD is currently following OSC’s lead in determining when OSC is comfortable having agencies use electronic signatures for state contracts, since OSC is the subject matter expert in that area. OSC has not yet authorized use of electronic records or signatures for state contracts

Is use of the ES Voluntary?

37

Voluntary

MUETA doesn’t require any government agency to use electronic signatures

Nor does it require any citizen or business to use an ES when doing business with us; to the contrary, MUETA only validates electronic signatures when used voluntarily in transactions

38

Voluntary (cont.)

Practical implication for agencies: always keep a paper option for those with whom your agency engages in transactions. Agency relying on MUETA for validation cannot force citizens or businesses to use electronic signatures for transactions.

Does the Electronic System Address the Elements Required by MUETA for a Valid Electronic Signature?

40

E-SIGN and UETA both define the term electronic signature

An electronic signature is:[E-sign] An electronic sign, symbol or process [MUETA] Information or data in electronic form

attached to or logically associated with a contract or other record

executed or adopted by a person

with the intent to sign the record

41

Elements

An electronic “sign, symbol or process”, or electronic “information or data”, that constitutes the signature

42

Creating Legally Valid E-Signatures…

1. “By a Person”---Proper authentication of the signor.

Authenticate means to determine the signor’s identity

Authentication can be complex or simple. Different levels of authentication can be chosen depending on the purpose of transaction. For some transactions, no authentication may be required.

Typically, look to factors such as whether signature is likely to be denied by putative signor, and legal significance of signature.

43

Creating Legally Valid Electronic Signatures…Example: U.S.Patent and Trademark Office trademark registration. Mickey Mouse can do it!

Mass DOR: Filing taxes

Mass. DEP: Filing for environmental permit

Compare: online application for welfare benefits

44

Legally valid…

Typical means of authentication: something you have, something you know

Ex: At ATM machine, you insert your card (something you have) and provide your PIN (something you know)

Ex: Criminal History Systems Board provides gun dealers with biometric scanners (fingerprint devices) attached to their PCS so they can authenticate holders of gun licenses

45

Legally valid…

2. “Executed or adopted…”Not enough for user to be identifiedHas to take some step that indicates that he executed or adoptedClick on a button that says “sign”, “I Agree”, etc. Present screens and choices to the signor that make clear what he is signing and that he is signing; capture his intent.

46

Legally valid…

3. Attach the signature to the document, or logically associate signature with document

47

Legally valid…..

4. Protect the integrity of the signed electronic document. Document retrieved from the system must be identical to the document signed.

Audit trail with good security

Data authentication software

Encryption

V

TECHNOLOGY NEUTRALITY

49

Any technology that meets the four ESIGN/UETA requirements can be used to

create a valid Electronic SignatureClick through choices online at an online “Store”.

LL Bean

Multi-factor authentication and click throughs (use of ATM)Digitized signature

Use your credit card at Macy’s

Digital Signature

50

Digital Signatures

Digital signatures:Are placed on specific data like an email or web page

Verify integrity of document signed

Can be used to verify that the data comes from where it claims to come from

Use cryptographyHolder of private key encrypts (can’t forge unless you have access to this)

Holder of public key can de-encrypt

51

Digital Signatures, cont.

Meets all four E-SIGN/ UETA requirements

Challenging to administer

Can’t use with “strangers” because no widely used digital identities

Certification authorities

HHS HIPAA Security Regs

VI

MYTH OF NONREPUDIATION

53

The Myth of “Nonrepudiation”

Statutory and Common Law reasons for repudiating a traditional signature:

Forgery or

Not forgery, but signature obtained under (1) unconscionable conduct by party to transaction; (2) fraud instigated by third party; (3) undue influence exerted by third party

54

Forgery in Common Law Jurisdictions

If a person denies that a signature is his, the relying party has to prove that it is truly that of person denying it. Onus of proof is on person seeking to rely on signature

55

Forgery, cont.

Traditional trust mechanism: witnessing the signature. He who would rely on a signature that is denied produces a witness who saw the signature being made.

56

Technical Non Repudiation

Authentication that provides “proof” of the integrity and origin of data in an unforgeable relationship, which can be verified by any third party at any time or

Authentication that with high assurance can be asserted to be genuine, and that cannot be subsequently refuted.

57

Problems with Technical Non-repudiation

Private key theft or illicit usage; identity theft

Relies on post-signature events, where traditional trust mechanism relied on event at time of signature (witness)

Use of “non-repudiation bits”, extension of digital signature, only verifies that the private key of the person whose public key is specified in the DS was used to affix the digital signature.

58

Legal Nonrepudiation: Legal Movement to Reverse Burden of Proof re: electronic signatures

UNCITRAL Model Law on Electronic Commerce Article 13Alleged signatory would have burden of proof to show that he or she did NOT digitally sign a given document (i.e. that it is a forgery)MUETA does NOT support legal nonrepudiation

59

Take Home Message on Non-Repudiation

Not achieved technically

Legally indefensible

Don’t write it into state law or regulations

ITD will not authorize

60

Practical Tips

Know your CIO and IT staff and ask them lots of questions Get involved in agency IT development projects from day oneReview all ES components as system is being developedApply the analysis set forth in this presentation

61

MUETA Resources

NCCUSL notes on UETA are excellent and judges likely to find them persuasive

ITD

Little case law on transactions covered by E-SIGN and UETA, but there will be more.

Contact Information

Linda Hamel

General Counsel

Information Technology Division

Commonwealth of MA

(617)-626-4404