A Framework for Designing an Effective E-Signature Process: Part II -- Significant Risks and Possible Mitigants

The second in a series of three articles addressing the opportunities presented by The Electronic Signatures in Global and National Commerce ACT ("ESIGN"), this installment, authored by Brannon D. Anthony and Patrick J. Hatfield, discussess significant risks common to e-signature processes.

This is the second installment of a three-part series describing a framework for implementing an effective e-signature process. This installment addresses significant risks common to e-signature processes.

SIGNIFICANT RISKS TO IMPLEMENTATION OF AN E-SIGNATURE PROCESS
The risks in using e-signatures differ from those in traditional paper-based processes, but those risks can be reduced to a level at or below the risks of using traditional processes. These risks fall into three broad categories: authentication risk: "That's not my signature;" repudiation risk: "That's my signature, but what I signed was later changed;" and compliance risk: "I never received that disclosure."

Authentication Risk
Because e-processes typically do not involve face-to-face settings, verifying the identity of the person signing a document is essential, unlike most traditional processes where documents are signed in person. Relying on the person's unique handwritten signature is not available in most e-signature approaches. As a result, authenticating the identity of the person actually signing electronically must be addressed in most e-processes.

There are several ways to authenticate the identity of a person. For example, asking the person to verify information only that consumer is likely to know, such as the person's mother's maiden name or a PIN, are ways to authenticate one's identity. Insurance companies may gather information about the consumer in the underwriting process that could be used in the authentication process, even if on a retroactive basis. The goal is to calibrate the process of authenticating a person with the risk associated with that particular signature failing.

Repudiation Risk
Because electronic data can be altered relatively easily without detection if extra steps are not taken, those extra steps must be taken to counter claims that the document could have been altered after it was signed electronically. Traditional methods of detecting altered documents are not sufficient for e-records.

Records signed electronically should be secured in a way that prevents them from being altered without detection. Encrypting documents signed electronically is one way to secure them from being altered without detection. In addition, "hard copies" of the e-signed documents can be sent to the other party, with clear instructions for that party to examine carefully the signed documents and to alert the other party immediately if they are not exactly what the person signed.

Compliance Risk -- Consumer Disclosures -- the Call Center Problem.
ESIGN, the federal electronic signature law, permits consumer disclosures to be provided exclusively through electronic means. Providing such disclosures electronically requires special steps to obtain the consumer's consent to receive such disclosures exclusively through electronic means. Designing an effective e-disclosure process will include addressing the authentication and repudiation risks and done properly can be as, if not more, effective than disclosures provided using traditional means. There is, however, a complication in providing such consumer disclosures in a telephone call. Recall that saying "I agree" can be an effective electronic signature, but the one exception to that is agreeing to receive required consumer disclosures over the telephone.

ESIGN permits those disclosures required by law to be provided to a consumer in writing, to be provided in an "electronic record," if the consumer has consented to receive the disclosures electronically. ESIGN, however, states that an "oral communication or a recording of an oral communication shall not qualify as an electronic record." As a result, simply reading the disclosures to the consumer, even if a recording is made of that reading, is not providing the consumer with an "electronic record" of the disclosures given. Unless and until a digital recording of the oral disclosures contained in an electronic record is made available to the consumer and access to that record has been reasonably demonstrated by the consumer, the consumer's oral consent to receive the disclosures over the telephone may not be effective. For consumer disclosures that must be provided at a certain time in the sales process, this aspect of ESIGN makes it difficult to provide the required disclosures in a single call.

There are ways to deal with this complexity in the call center setting. One practical solution is to provide a hard copy of the required consumer disclosures prior to a contact by the call center. An electronic voice signature can be obtained to acknowledge the consumer's receipt of the hard copy disclosures. There are other viable solutions to deal with this complexity. Selecting the best option must be done in the context of the overall process.

Our next and final installment deals with what to do when the electronic signatures and electronic records are challenged in litigation. The authors practice in the Atlanta office of the law firm Lord, Bissell and Brook, LLP and can be reached at [email protected] and [email protected], respectively. Both authors concentrate a significant portion of their practice on electronic commerce. Their colleague Brian Casey contributed significantly to this piece.

June 17, 2004 - Mock Trial on Electronic Signatures -- Register here.