The E-Sign Act
By Robert Williams of Cohasset Associates and Barclay T. Blair of PureEdge Solutions
E-Sign, the Electronic Signatures in National and Global E-Commerce Act (E-Sign) signed into law at the end of June, has been hailed as a groundbreaking piece of federal legislation that creates new possibilities for all kinds of electronic business.
Over the coming months, companies will have to address the information management opportunities and challenges presented by E-Sign. In this article we explore the potential impact of the new law on the electronic information management. This article addresses this important new law from three perspectives: first, the general impact of E-Sign; second, the questions that the law raises about the creation and management of electronic records; and third, recommendations about the issues that this law compels both business and agencies to address.
Simply stated, E-Sign grants electronic signatures and electronic records the same legal weight as their paper counterparts. In addition, the law seeks to promote domestic and international e-commerce by clarifying the legal significance of electronic transactions. Most US states and several nations have already passed some form of electronic signature legislation, a fact the law recognizes by working to harmonize divergent state laws and by providing Congress with a mandate to promote global legal harmonization.
One of the most significant aspects of E-Sign is that it is technology-neutral and therefore does not promote the use of specific technologies for either e-signatures or e-records. This approach is in keeping with many other e-commerce and records management laws currently being adopted domestically and internationally. While this is a logical approach to law making (technology-specific laws can easily become outdated with the rapid changes in technology) it also means that it places the burden on the users (i.e. you) to determine the best technologies and business practices to both benefit from and comply with these laws. E-Sign provides regulatory agencies with the authority to create specific criteria for electronic record accuracy, integrity and accessibility--even to the extent that an agency may override the technology neutrality provisions of this law. An existing regulatory example of this is the SEC's Rule CFR 240.17a-4 which requires a WORM (write once, read many times) functionality in the system for retaining electronic records.
It is also important to know that E-Sign does not provide carte blanche acceptance for migrating all types of transactions, contracts and records to electronic format. In keeping with the law's ethos of consumer protection, E-Sign specifically exempts from its provisions certain consumer-related notices, such as those related to foreclosure, cancellation of utilities and health insurance, as well as wills, adoption papers and the like. Additionally, E-Sign requires that consumers explicitly agree to the use of all electronic contracts and records prior to the initiation of any transaction that involves an electronic signature or results in an electronic record as the "official" copy of the transaction.
Electronic Records--Accuracy and Access
Although much of the press coverage related to E-Sign has focused on e-signatures, the law also contains other electronic records provisions that are equally important.
E-Sign states that businesses can satisfy legal record-keeping requirements for contracts and other documents by retaining an electronic record, provided that two key conditions/provisos are met:
First, the record must accurately reflect the information contained in the original contract or transaction and
Second, the record must remain accessible to those entitled to access by law, for the period required by law, in a form capable of accurate reproduction whether by transmission, printing, or otherwise.
If these criteria are not met the legal validity of an electronic record may be denied. This emphasis on accuracy and accessibility is customary in electronic record keeping rules.
For those who are concerned about the issue of whether an e-record can be an "original" record, E-Sign clearly states that laws requiring the existence of an "original" are satisfied if the above noted accuracy and accessibility criteria are met.
On a related matter, E-Sign states that any legal requirement to retain a contract or record is met by retaining an electronic record of the information in the contract or record (emphasis added). What does information in the contract or record mean? Does that language mean that retention of only the contents of a record is required? Does it include the form or physical appearance of the record? Clearly, the language could have directed that "accurate and accessible records" be retained. Perhaps the language is purposefully ambiguous to provide latitude for users to determine for themselves what to retain in any given situation.
While the law may be an accommodation that allows individuals and companies to decide what e-information needs to be retained, it is nonetheless a call to action. Every business needs to decide for itself what to retain. This is no small task in the e-world. Additionally, businesses must decide how and in what form e-records should be retained to satisfy business needs and legal and regulatory requirements. These are important policy decisions that may impact a company's ability to operate its business and protect its interests and should not be left to chance or determined by a technology budget.
A related and intriguing provision of E-Sign states:
"A requirement to retain 'contract' or other 'record' does not apply to any information whose sole purpose is to enable the contract or other record to be sent, communicated or received."
On the surface, this provision seems logical, as there are currently no general requirements in the paper world, for example, to retain an envelope that was used to deliver a contract. However, upon closer examination, the specific type of information that this provision encompasses in the electronic world is not as completely clear.
For example, one could read this provision as referring to software: the source code for an email has the "sole purpose" of enabling information to be sent, communicated, or received. However, if this provision encompasses software, it does not address the question as to how an enterprise can comply with the access criteria of E-Sign without also retaining the software needed to access the electronic records.
One could also read this provision as referring to standard email "headers" that contain the routing information for an email message. Although this information has the "sole purpose" of enabling an email message to be sent, communicated, or received, the evidentiary value of an email message is severely diminished when it is stripped of its header information.
In the most recent version of its Strategic Plan, the National Archives and Records Administration (NARA) appears to also agree that such information is part of what it describes as "essential evidence" that should be retained to document "the rights of American citizens, the actions of Federal officials and the national experience." Specifically, NARA states:
"The reality at the beginning of the 21st century is that most records are created electronically and may be maintained in a variety of formats . . . Included also are millions of email messages that no one will fully understand in the future unless we preserve both the messages and transmission information about them."
It is very important to understand that E-Sign does not grant any special privileges to e-records. E-records will be subject to at least the same rigor applied to paper-based evidence used in a court, audit, or regulatory action. It is therefore in an enterprise's best interest to err on the side of caution when making decisions about the amount and types of meta-data that it chooses to retain. For example, businesses that use HTML-based forms for e-commerce typically have only retained the information entered by the user (answers), not the information that the user saw when filling out the form (questions). Although this has proven to be acceptable for low-value online purchases such as books and flowers, it raises serious business issues and evidentiary questions for high-value transactions involving for "life-event" purchases such as life insurance and home mortgages.
Greater legal recognition and ever-expanding use provides all businesses and agencies with compelling reasons to revisit their existing records management policies and practices. There is an immediate need to develop answers to the nuts-and-bolts of e-record creation, retention, transmission, and disposition issues. All of this needs to be done with a view toward identifying those e-records and new business processes where E-Sign could provide an opportunity for improvement. Specifically, these key questions should be addressed:
• What should be retained and in what form, for the transaction at issue?
• What meta-data needs to be retained?
• Will the retention of the physical form of the record offer any evidentiary benefits?
• How will the company prove a contract existed from a multi-part e-communications?
• How will e-records be logically linked to the e-signature when each record is stored in separate systems?
• How will the company ensure e-record accessibility?
• What is the appropriate e-record or e-signature for specific business applications?
• What web records should be retained?
• How will you apply existing retention schedules to e-information and e-records?
Further, now also may be a prudent time to explore the process flow and information issues created by business re-engineering that make business more efficient to run:
• Can your processes be automated to capture records "at the source," instead of through printing and/or imaging?
• If COLD (Computer Output to Laser Disk) storage is used for transactions involving a "writing" and "signature," how will such requirements be satisfied?
• How can the legal acceptance of e-records and e-signatures promote the use of processes that limit the need to rely on printed documents and handwritten signatures?
• What is your plan for the migration of media formats over time?
What "outdated" software and hardware will you need to ensure that records remain accessible and reproducible?
• Should e-record issues be addressed as a company-wide initiative?
• What transactions require more robust e-records for evidentiary purposes?
• How will your company retain e-contracts to ensure they are useable in any formal proceeding?
E-records are here to stay. Whether it is justified on a legal or business basis, there are compelling reasons why now is the right time to focus on the management of electronic information and records. Success in this regard will both protect and promote the interests of a business or an agency.
Harnessing the wealth of knowledge that is contained in e-information will separate the winners from the losers in the new electronic world order. E-Sign has provided the license to use e-records and e-signatures. The ball is now in your court. It is your responsibility to ensure that electronic information is properly managed.
About the authors: Barclay T. Blair is Practices & External Affairs Director with PureEdge Solutions; e-mail: email@example.com. Robert F. Williams is President of Cohasset Associates and a contributor and columnist for KMWorld; e-mail: firstname.lastname@example.org.