Electronic Signature Legislation
Utah was the first jurisdiction in the United States to enact a statute which puts the force of law behind an electronic signature method, namely, digital signatures based upon an asymmetric cryptosystem utilizing private and public key pairs. The legislation, known as the Utah Digital Signature Act, was signed by the governor of Utah on March 9, 1995 and was amended in 1996.
California passed a digital signature statute in October, 1995.
Washington passed a digital signature statute in March, 1996.
Florida passed an electronic signature statute in May, 1996.
Connecticut, Delaware, Hawaii, Iowa, Louisiana, Minnesota, New Mexico and Wyoming have passed statutes which relate to electronic signatures.
Other states, including Georgia, Massachusetts and Illinois, presently are considering electronic signature legislation.
The Information Security Committee of the Section of Science and Technology of the American Bar Association has drafted Digital Signature Guidelines which it describes as "general statements of principle, intended as a common framework of unifying principles that may serve as a common basis for more precise rules in various legal systems." The ABA Guidelines are similar to and generally consistent with the Utah statute.
Different Legislative Approaches
The states have taken different approaches to digital signature legislation.
The Utah and Washington statutes, which are similar to each other, are detailed and comprehensive, create a state-sanctioned public key infrastructure and will be supplemented with regulations.
The California and Florida statutes are quite short. The California statute sanctions the use of digital signatures in communications with public entities, and directs the California Secretary of State to promulgate regulations. The Florida statute gives electronic documents the same legal status as tangible documents and sanctions all methods of electronic signatures; it also directs the Florida Secretary of State to study the issues relating to digital signatures.
It is likely that most states will follow one of the foregoing approaches, i.e., a comprehensive statute along the lines of Utah's or a short statute which sets forth certain basic principles and then empowers a government agency either to create comprehensive regulations or to study the issues further.
The Utah Statute (Utah Code, Title 46, Chapter 3)
Overview of the Utah Statute
Part One. Definitions.
Part Two. Licensing and Regulation of Certificate Authorities.
Part Three. Duties of Certification Authorities and Subscribers.
Part Four. Effect of a Digital Signature.
Part Five. Repositories.
Definitions of Significant Terms
Licensing and Regulation of Certificate Authorities
Implementing Agency. In Utah, the Department of Commerce, Division of Corporations and Commercial Code (the "Division") is the agency designated to implement the statute. The Division is a certification authority and may issue, suspend and revoke certificates as do licensed certification authorities. In effect, the Division is the certification authority at the top of the chain. The Division is given the power to govern licensed certification authorities, to determine appropriate amounts for "suitable guaranties," to specify various requirements and otherwise to give effect to and implement the statute.
The statute sets forth various criteria which an entity must meet in order to become a licensed certification authority, including the following:
Effect of lack of licensing. Unless the parties agree otherwise, the licensing requirements in the statute do not affect the effectiveness, enforceability or validity of a digital signature, except:
Part Four of the statute (discussed below) does not apply to a digital signature which cannot be verified by a certificate issued by a licensed certification authority.
The liability limits discussed below do not apply to unlicensed certification authorities.
Duties of Certification Authorities and Subscribers
Issuance of a Certificate. A licensed certification authority may issue a certificate to a subscriber only if it has received a request for issuance signed by the prospective subscriber, and if the certification authority has confirmed that:
The authority must publish a "signed" copy of the certificate in a recognized repository unless the subscriber and certification authority agree otherwise.
By issuing a certificate, a licensed certification authority certifies to all who "reasonably rely" on the information contained in the certificate that:
By accepting a certificate issued by a licensed certification authority, the subscriber certifies to all who reasonably rely on the information contained in the certificate that:
By accepting a certificate, the subscriber agrees to indemnify the issuing certification authority for any loss or damage caused by issuance or publication of a certificate in reliance on a false and material representation of fact by the subscriber or the subscriber's failure to disclose a material fact, if the representation or failure to disclose was made either negligently or with the intent to deceive the certification authority or a person relying on the certificate.
By accepting a certificate issued by a licensed certification authority, the subscriber assumes a duty to exercise reasonable care to retain control of the private key and to prevent its disclosure to anyone not authorized to create the subscriber's digital signature. The private key is the personal property of the subscriber who rightfully holds it.
The statute provides for the temporary suspension or permanent revocation of certificates.
A certificate must state its expiration date. When a certificate expires, the subscriber and certification authority no longer are making the certifications provided by the statute and the certification authority no longer has any duties based upon issuance of that expired certificate.
By specifying a recommended reliance limit in a certificate, the certification authority and subscriber are recommending that people rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.
Unless a licensed certification authority agrees otherwise, it is not liable for any loss caused by reliance on a false or forged digital signature of a subscriber if, with respect to the false or forged digital signature, the authority complied with all material requirements of the statute.
A licensed certification authority is not liable for more than the recommended reliance limit specified in the certificate for either
Unless it agrees otherwise, a licensed certification authority is liable only for direct, compensatory damages, which do not include punitive damages, damages for lost profits, savings or opportunity, or damages for pain or suffering.
The statute sets forth procedures for collecting on a certification authority's surety bond or letter of credit.
Effect of a Digital Signature
Where a law requires a signature or provides for certain consequences in the absence of a signature, that law is satisfied by a digital signature if:
The recipient of a digital signature assumes the risk that the digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances. If the recipient decides not to rely on a digital signature, the recipient shall promptly notify the signer of that decision.
A message is as valid, enforceable and effective as if it had been written on paper if:
In resolving disputes involving digital signatures, courts are to make the following presumptions:
The statute provides that the Division may "recognize" one or more repositories and sets forth criteria for such recognition.
The statute sets forth the circumstances under which a repository will and will not be liable to others.
Status of Implementation
Utah is continuing to draft its regulations and anticipates official adoption of the regulations by May, 1997. It has selected a consortium of vendors to develop a repository and to provide digital signature software and certification authority services. Utah anticipates it will be able to license certification authorities and put its infrastructure into operation by October, 1997.
The California Statute
The California statute permits any party to a written communication with a "public entity" (government agencies and political subdivisions) to affix a signature by use of a digital signature which complies with certain requirements, set forth below. The statute provides that the use of a digital signature shall have the same force and effect as the use of a manual signature if and only if it includes all of the following characteristics:
The statute provides that the use or acceptance of a digital signature is at the option of the parties. The statute does not require a public entity to use or permit the use of a digital signature. It does not apply to communications between private parties.
The statute defines "digital signature" to mean "an electronic identifier, created by computer, intended by the party using it to have the same force and effect as the use of a manual signature." The statute does not explicitly adopt public key cryptography; instead, it defines criteria which the "signature" must meet and leaves it to the Secretary of State to decide on suitable technology which fulfills those criteria. Thus, California may adopt other electronic signature methods.
Status of Implementation
California has drafted regulations for the Secretary of State to review. The draft regulations permit creation of a public key infrastructure and are similar to the Utah statute. They recognize "public-key based digital signature solutions" as meeting the criteria set forth in the statute.
The Secretary of State will draft additional regulations at such time that other technologies are proven to meet the statutory criteria.
The Florida Statute
In May 1996 the Florida Legislature passed the "Electronic Signature Act of 1996."
The Florida statute is a California-type statute in the sense that it is relatively short, sets forth certain fundamental legal principles and grants certain powers and responsibilities to the Secretary of State. Unlike the California statute, however, it would apply to transactions between private parties.
The statute defines the word "writing" to include information which is created or stored in any electronic medium and is retrievable in perceivable form.
The statute provides that an "electronic signature" may be used to sign a writing and shall have the same force and effect as a written signature. "Electronic signature" is defined to mean any letters, characters or symbols, manifested by electronic or similar means, executed or adopted by a party with an intent to authenticate a writing. A "digital signature," i.e. a signature using private key/public key cryptography, is defined as one type of electronic signature. Thus, under the Florida statute, both digital signatures and other types of electronic signatures are legally sanctioned methods for "signing" electronic documents.
The Secretary of State is given the authority to issue certificates required to verify digital signatures and to take other actions necessary to achieve the purposes of the statute.
The statute directs the Secretary of State to address certain issues to assist the legislature in determining whether it is in the public interest for the Secretary of State to set up a public key infrastructure, i.e., certification authorities and repositories.
Status of Implementation
The Florida Secretary of State organized a Digital Signature Advisory Committee to address the issues identified in the statute. The Committee issued its report on November 30, 1996. The Committee concluded:
The Proposed Georgia Legislation
In January 1997, the Digital Signature Task Force of the Georgia Electronic Commerce Consortium, a group consisting of businesspeople, educators, government officials and lawyers, transmitted a proposed electronic signature statute to the Georgia legislature. At the time this paper is being written, it is under consideration by the legislature.
The Georgia bill takes a minimalist approach, similar to the Florida statute. It defines an "electronic signature" as an electronic or digital method executed or adopted by a party with the intent to be bound by or to authenticate a record, which is unique to the person using it, is capable of verification, is under the sole control of the person using it, and is linked to data in such a manner that if the data are changed the electronic signature is invalidated. Thus, it specifies the same four criteria as the California statute.
The Georgia bill gives both private entities and public agencies the option of using electronic records executed or adopted with electronic signatures. In those instances where someone accepts or agrees to be bound by an electronic record with an electronic signature, then any law which requires records of that type to be in writing shall be deemed satisfied and any law which requires a signature shall be deemed satisfied.
The Georgia bill also creates an Electronic Commerce Study Committee to study issues relating to electronic records and signatures. In addition, the bill authorizes state agencies to establish pilot projects to serve as models for the application of technology such as electronic signatures.
The text of the proposed Georgia statute may be found at the World Wide Web site of the Georgia Electronic Commerce Consortium, at http://www.cc.emory.edu.BUSINESS/GDS.html.
David A. Rabin is a partner in the Technology Group of the Atlanta law firm Morris, Manning & Martin, LLP. He chairs the Digital Signature Task Force of the Georgia Electronic Commerce Consortium, which has submitted a draft electronic signature statute to the Georgia Legislature.