E-signature Strategies Alan S. Kowlowitz Strategic Policies, Acquisitions and e-Commerce NYS Office for Technology

Outline of Class Overview of Electronic Signatures and Records Act (ESRA) Overview of Electronic Signatures and Records Act (ESRA) Explanation of ESRA’s definition of an e- signature Explanation of ESRA’s definition of an e- signature Available approaches to electronic signing Available approaches to electronic signing Guidance on selecting an e-signature approach Guidance on selecting an e-signature approach Records management implications of e- signed e-records Records management implications of e- signed e-records

Overview of Electronic Signatures and Records Act (ESRA)

ESRA Chapter 4, Laws of 1999: State Technology Law, Article 1 E-records and e-signatures given the same legal validity as paper records and ink signatures E-records and e-signatures given the same legal validity as paper records and ink signatures OFT Electronic Facilitator overseeing implementation OFT Electronic Facilitator overseeing implementation Use of e-signatures and records is voluntary Use of e-signatures and records is voluntary –Govt. must accept hard copies unless otherwise provided by law

ESRA Chapter 4, Laws of 1999: State Technology Law, Article 1 E-signatures and records can’t be used for: E-signatures and records can’t be used for: –Negotiable instruments –Instruments recordable under Art. 9 of the RPL (e.g., deeds) –Other instruments whose possession confers title –Documents affecting life and death (Wills, Trusts, Do-not-resuscitate orders, Powers of attorney, Health care proxies)

ESRA Amended by Chapter 314 Laws of New York, 2002 Amends and expands the definition of “electronic signature” to comport with the federal E-Sign Law Amends and expands the definition of “electronic signature” to comport with the federal E-Sign Law –Authorizes the use of various e-signature approaches in NYS OFT retains its role as “electronic facilitator” and regulator of e-signature/record OFT retains its role as “electronic facilitator” and regulator of e-signature/record Adopted into law on August 6, 2002 Adopted into law on August 6, 2002 Final regulations published in May 2003 Final regulations published in May 2003 Revised ESRA Guidelines in process Revised ESRA Guidelines in process

ESRA Definition of an E- signature

an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the record. –Affords the greatest possible flexibility in selecting an appropriate e-signature solution –Sets some parameters on what constitutes an e- signature under ESRA

ESRA Definition of an E-signature “[A]n electronic sound, symbol, or process...” “[A]n electronic sound, symbol, or process...” –A wide range of “digital objects” may serve as an e-signature »Can be as simple a set of keyboarded characters or as sophisticated as an encrypted hash of a e-record’s contents – Allows a process to serve as an e-signature »Recorded events of accessing a system are associated with the content to be signed to create a record of the signer’s actions and intent

ESRA Definition of an E-signature “[A]ttached to or logically associated with...” “[A]ttached to or logically associated with...” –An e-signature is attached to or logically associated with an e-record during transmission and storage »Can be part of the record or maintained separately but associated to the record through a database, index, embedded link or other means »Link between e-record and e-signature must be Created at signing and maintained during any transmission Created at signing and maintained during any transmission Retained as long as a signature is needed which may be the record’s full legal retention period Retained as long as a signature is needed which may be the record’s full legal retention period

ESRA Definition of an E-signature “[E]xecuted or adopted by a person with intent to sign the record.” “[E]xecuted or adopted by a person with intent to sign the record.” –E-signature must express the same intent as a handwritten one –Must identify an individual who will convey intent –Practices that may help avoid confusion: »Allow the signer to review the record to be signed »Inform the signer that a signature is being applied »Format an e-record to contain accepted signature elements »Express signer’s intent in the record or a certification »Require the signer to indicate assent affirmatively »Record and retain date, time, and the signer intent

Example of a signature certification statement from the Department of Tax and Finance International Fuel Tax Agreement (IFTA) report (return) filing application.

Available Approaches to Electronic Signing

E-signature Approaches Most e-signature approaches involve a number of technologies, credentials, and processes Most e-signature approaches involve a number of technologies, credentials, and processes –More accurate to think of a range of approaches to e-signing rather than an array of stand-alone technologies Approaches provide varying levels of security, authentication, and record integrity Approaches provide varying levels of security, authentication, and record integrity –Can combine techniques from various approaches to increase the strength of the above-mentioned attributes

Click Through or Click Wrap Person affirms intent or agreement by clicking a button Person affirms intent or agreement by clicking a button ID information collected, authentication process (if any) and security procedures can vary greatly ID information collected, authentication process (if any) and security procedures can vary greatly Commonly used for low risk, low value consumer transactions Commonly used for low risk, low value consumer transactions

Personal Identification Number (PIN) or Password (“shared secret”) Person enters ID information, PIN and/or password Person enters ID information, PIN and/or password System checks that the PIN and/or password is associated with the person System checks that the PIN and/or password is associated with the person Authentication is the first part of a process that involves an affirmation of intent Authentication is the first part of a process that involves an affirmation of intent If over the Internet, the PIN and/or password is often encrypted using Secure Sockets Layer (SSL) If over the Internet, the PIN and/or password is often encrypted using Secure Sockets Layer (SSL)

Digitized Signature and Signature Dynamics Digitized Signature Digitized Signature –A graphical image of a handwritten signature often created using a digital pen and pad –A graphical image of a handwritten signature often created using a digital pen and pad –The entered signature is compared with a stored copy; if the images are comparable, the signature is valid –The entered signature is compared with a stored copy; if the images are comparable, the signature is valid Signature Dynamics Signature Dynamics –Variation on a digitized signature –Each pen stroke is measured (e.g. duration, pen pressure, size of loops, etc), creating a metric –The metric is compared to a reference value created earlier, thus authenticating the signer

Shared Private Key Also known as “symmetric cryptography” Also known as “symmetric cryptography” E-record is signed and verified using a single cryptographic key E-record is signed and verified using a single cryptographic key The key is shared between the sender and recipient(s) The key is shared between the sender and recipient(s) –Not really "private" to the sender A private key can be made more secure by incorporating other security techniques A private key can be made more secure by incorporating other security techniques –Smart cards or other hardware tokens in which the private key is stored

Public/Private Key Digital Signatures  Also know as Asymmetric Cryptography  Key Pair: Two mathematically related keys One key used to encrypt a message that can only be decrypted using the other key One key used to encrypt a message that can only be decrypted using the other key Cannot discover one key from the other key Cannot discover one key from the other key  Private Key: Kept secret and used to create a Digital Signature – Public Key: Often made part of a “digital certificate”and used to verify a digital signature by a receiving party Often used within a Public Key Infrastructure (PKI) Often used within a Public Key Infrastructure (PKI) –Certification Authority(CA) binds individuals to private keys and issues and manages certificates

BobAlice  Encrypt message digest with Private Key  Validate message digest with Public Key Hash algorithm Hi Alice Sincerely, Bob = Encrypts digest with Bob’s Private Key ##!FV += Hash algorithm Hi Alice Sincerely, Bob = Decrypts digest with Bob’s Public Key ##!FV += Hi Alice Sincerely, Bob ##!FV Certificate Digital Signatures Public/Private Key Cryptography

Biometrics Person’s unique physical characteristic are measured and converted into digital form or profile Person’s unique physical characteristic are measured and converted into digital form or profile –Voice patterns, fingerprints, and the blood vessel patterns present on the retina Measurements are compared to a stored profile of the given biometric Measurements are compared to a stored profile of the given biometric If the measurements and stored profile match, the software will accept the authentication If the measurements and stored profile match, the software will accept the authentication Can provide a high level of authentication Can provide a high level of authentication

Smart Card Not a separate e-signature approach in itself Not a separate e-signature approach in itself –It can facilitate various e-signature approaches A plastic card containing an embedded chip A plastic card containing an embedded chip –Can generate, store, and/or process data –Can generate, store, and/or process data Data from the card's chip is read by software Data from the card's chip is read by software –After a PIN, password or biometric identifier is entered More secure than a PIN alone More secure than a PIN alone –Both physical possession of the smart card and knowledge of the PIN is necessary Can be used to overcome concerns with shared secret approach to e-signature Can be used to overcome concerns with shared secret approach to e-signature

Additional Factors Each general approach to e-signing (e.g. PINs and passwords vs. digital signatures) varies in terms of: Each general approach to e-signing (e.g. PINs and passwords vs. digital signatures) varies in terms of: –Identifying the signer –Attributing a signature –Securing the integrity of both the record and the signature Each can increase security and reduce risk Each can increase security and reduce risk –Often independent of the technology selected

Signer identification or registration Method or process used to identify and authorize a signer to use an e-signature Method or process used to identify and authorize a signer to use an e-signature –Independent of the e-signature or e-record technology –Critical component of any e-signature solution –The stronger the identification method the more assurance that the appropriate person signed

Signer identification or registration Methods Self-identification as part of the signing process Comparison of user supplied information with a trusted data source Acceptance of a previously conducted and trusted process where individuals personally presented themselves and proof of identities Separate identification process to authorize the use of an e-signature where individuals personally present themselves and proof of identities

Signer Authentication Policy, process and procedures used to authenticate the signer Policy, process and procedures used to authenticate the signer Establish a link or association between the signer and the information and method used to sign Establish a link or association between the signer and the information and method used to sign The strength of the authentication system, can protect against fraud and repudiation The strength of the authentication system, can protect against fraud and repudiation

Signer Authentication Methods Something that only the individual knows: A secret (e.g., password or Personal Identification Number (PIN)) Something that only the individual knows: A secret (e.g., password or Personal Identification Number (PIN)) Something the individual possesses: A token (e.g., ATM card, cryptographic key or smart card) Something the individual possesses: A token (e.g., ATM card, cryptographic key or smart card) Something the individual is: A biometric (e.g., characteristics such as a voice pattern or fingerprint) Something the individual is: A biometric (e.g., characteristics such as a voice pattern or fingerprint) Two factor authentication: often includes use of hardware device such as a smart card Two factor authentication: often includes use of hardware device such as a smart card

Signature attests to the record’s integrity E-signature approaches provide varying levels of protection against unauthorized access or tampering with the signed e-record E-signature approaches provide varying levels of protection against unauthorized access or tampering with the signed e-record –Systems that manage signed e-records can provide protection if they have controls –Controls may be needed to ensure that the integrity of the signed e-record is not compromised during transmission –Added security is provided by approaches in which signature validation ensures that the e-record has not been modified » »Digital signatures

Selecting an E-signature Approach A business decision not just a technical one

Is an e-signature needed or desirable? Review requirements and risks Review requirements and risks –Creating and maintaining signed e-records may require more resources than unsigned ones Consider the following questions: Consider the following questions: –Is there a legal requirement for a signature? »Statute of Frauds requires certain contracts to be signed »Specific laws and regulations require signatures – Is there a business need for a signature? »Document that the signer attested to information’s accuracy, agreed to conditions, and/or reviewed contents »Higher risk transactions may need the protection against fraud or repudiation provided by e-signatures

Business Analysis and Risk Assessment ESRA regs § (c) require govt. entities to conduct and document a business analysis and risk assessment: ESRA regs § (c) require govt. entities to conduct and document a business analysis and risk assessment: –identifying and evaluating various factors relevant to the selection of an electronic signature for use or acceptance in an electronic transaction. Such factors include, but are not limited to, relationships between parties to an electronic transaction, value of the transaction, risk of intrusion, risk of repudiation of an electronic signature, risk of fraud, functionality and convenience, business necessity and the cost of employing a particular electronic signature process.

Business Analysis and Risk Assessment Purpose: Purpose: –To identify and evaluate factors relevant to selecting an e-signature approach –Does not proscribe a method or set a standard –Protects interest in the use of sound technology and practices when transacting business electronically Business analysis and risk assessment are two parts of an integrated process Business analysis and risk assessment are two parts of an integrated process

Business Analysis Possible components Possible components –Overview of the business process –Analysis of legal and regulatory requirements –Identification of standards or accepted practices –Analysis of those who will use e-signature –Determination of interoperability requirements –Determination of costs of alternatives

Business Analysis Overview of business process and transaction Purpose and origins Purpose and origins Transactions place within the larger business process Transactions place within the larger business process Services to be delivered and their value Services to be delivered and their value Parties to the transaction and other stakeholders Parties to the transaction and other stakeholders Transaction’s workflow Transaction’s workflow

Business Analysis Analysis of legal and regulatory requirements How the transaction must be conducted How the transaction must be conducted Signature requirements Signature requirements –Are they specifically required, what records need to be signed, who must or can sign, do they need to be notarized Records related requirements Records related requirements –What records must be produced –How long do they need to be retained, –Who must or can have access to the records –Specific formats proscribed for the creation, filing or retention –Confidentiality requirements Importance of the parties’ identities to the transaction Importance of the parties’ identities to the transaction

Business Analysis Identification of standards or accepted practices on how e-transactions are conducted and e-signed Identification of standards or accepted practices on how e-transactions are conducted and e-signed –May be key factor in selecting a solution Analysis of parties to e-signed transaction Analysis of parties to e-signed transaction –Numbers –Location –Demographic characteristics –Access to technology –Accessibility requirements –Prior business relationships

Business Analysis Interoperability requirements Compatibility with an existing technology environment Compatibility with an existing technology environment Interoperability or consistency with approaches used by partners Interoperability or consistency with approaches used by partners –Governmental or private Leveraging an existing and proven solution Leveraging an existing and proven solution

Business Analysis Cost of alternative approaches Hardware and software purchases Hardware and software purchases Implementing additional policies and procedures Implementing additional policies and procedures Personnel to implement policies, procedures, or services Personnel to implement policies, procedures, or services Training costs Training costs Maintenance costs including help desk and user support Maintenance costs including help desk and user support

Risk Assessment E-signatures may serve a security function E-signatures may serve a security function –They usually include signer authentication –Some approaches provide message authentication and repudiation protection Selection of an e-signature solution includes identifying Selection of an e-signature solution includes identifying –Potential risks involved in a signed e-transaction –How e-signature approaches can address those risks

Risk Assessment Risk is the likelihood that a threat will exploit a vulnerability, and have an adverse impact Risk is the likelihood that a threat will exploit a vulnerability, and have an adverse impact –Threat is a potential circumstance, entity or event capable of exploiting vulnerability and causing harm –Vulnerability is a weakness that can be accidentally triggered or intentionally exploited –Impact refers to the magnitude of harm that could be caused by a threat –Likelihood that a threat will actually materialize To assess risks an entity should identify and analyze each of the above To assess risks an entity should identify and analyze each of the above

Risk Assessment Sources of threat –Parties to the transaction –Governmental entity staff –Malicious third parties such as hackers or crackers

Risk Assessment Vulnerabilities Repudiation Repudiation –Possibility that a party to a transaction denies that it ever took place Fraud Fraud –Knowing misrepresentation of the truth or concealment of facts to induce another to act to his or her detriment Intrusion Intrusion –Possibility that a third party intercepts or interferes with a transaction Loss of access to records Loss of access to records –For business and legal purposes

Risk Assessment Potential Impacts Financial Financial –Average dollar value of transactions –Direct loss to the governmental entity, citizen or other entity –Liability for the transaction Reputation and credibility Reputation and credibility – Relationship with the other involved party – Public visibility and perception of programs – History or patterns of problems or abuses – Consequences of a breach or improper transaction Productivity Productivity – Time criticality of transactions – Number of transactions, system users, or dependents – Backup and recovery procedures – Claims and dispute resolution procedures

Risk Assessment Likelihood Motivation and capability of threat Motivation and capability of threat Nature of the vulnerability Nature of the vulnerability Existence and effectiveness of controls Existence and effectiveness of controls A threat is highly likely where: A threat is highly likely where: –Its source is highly motivated and capable –Controls are ineffective

Risk Assessment Risk Matrix High Risk =11-16 Medium Risk =8-10 Low Risk =4-7 Negligible Risk =1-3

Select an E-signature Solution Balance business concerns (e.g., user acceptance and ease of deployment) with risk reduction Balance business concerns (e.g., user acceptance and ease of deployment) with risk reduction Identify overriding concerns Identify overriding concerns –An overriding factor might be compatibility with an existing standard or solution –Cost may be an overriding factor where risk is low

Cost-Benefit Analysis Cost-Benefit Analysis Can help entities decide on how to allocate resources and implement a cost-effective e-signature solution Can help entities decide on how to allocate resources and implement a cost-effective e-signature solution –Used to evaluate feasibility and effectiveness for each proposed solution to determine which are appropriate –Can be qualitative or quantitative –Demonstrates that a solution’s cost is justified by reducing risk Cost-benefit analysis can encompass the following Cost-benefit analysis can encompass the following –Determining the impact of implementing the solution –Determining the impact of not implementing it –Estimating the costs of the implementation –Assessing costs and benefits against system and data criticality

Documenting a Business Analysis and Risk Assessment ESRA regulation requires that the BA and RA be documented ESRA regulation requires that the BA and RA be documented –How, or in what detail is up to the governmental entity Minimum documentation should cover Minimum documentation should cover –Process used including factors mentioned in the ESRA regulation –Result and decision reached including justification The resulting documentation should be The resulting documentation should be –Accurate and readily available –Clear and understandable to an outside audience –Retained as long as the e-signature solution is used

Signed E-records Management Issues

Same issues as with unsigned e-records Same issues as with unsigned e-records –Focus is on the system and businesses processes that produce the e-record Preserving links between e-signed e-record’s components is critical Preserving links between e-signed e-record’s components is critical –Components provide evidence to support the reliability and authenticity of the signed e-record –May actually constitute the e-signature itself

Signed E-records Management Issues Key challenges faced in maintaining e- signed e-records Key challenges faced in maintaining e- signed e-records –Determining what needs to be retained to constitute a valid signed e-record –Preserving the association between the signed e-record’s various components over time

Determining what needs to be retained Cannot predict what the courts will require Cannot predict what the courts will require –Difficult to determine what information will be needed BA/RA used to select approach can help determine what needs to constitute the signed e-record BA/RA used to select approach can help determine what needs to constitute the signed e-record E-signature method will partially determine what will be retained E-signature method will partially determine what will be retained –Digital object: Maintain the ability to revalidate e-signatures –Signature process: Maintain adequate documentation of the e-signature’s validity

Determining what needs to be retained Digital object (encrypted hash, digitized signature, signature dynamic, other biometric) Digital object (encrypted hash, digitized signature, signature dynamic, other biometric) –Evidence that the e-signature was electronically validated –Functionality and records needed to revalidated –Vary according to the technology or approach used »Digital signature: public key of the presumed signer decrypted the message digest/hash and the hashes matched »Biometric: biometric profile of the signature matched the stored profile

Determining what needs to be retained Signature is a process (PIN, password, click wrap) Signature is a process (PIN, password, click wrap) –Signature does not exist as a discreet object and can’t be revalidated –Adequate documentation that the e- signature was valid when it was created must be retained –No court decisions on the validity of an e- signature »Can’t predict what the courts will require

Determining what needs to be retained Regardless of e-signature approach, entities should minimally retain documentation of the: Regardless of e-signature approach, entities should minimally retain documentation of the: –Signer’s identity –Process used to identify and authenticate the person –Date and time an individual was authenticated –Signer’s intent –Date and time that the signing process was completed

Preserving the association between a signed record’s various components Systems can manage signed e-records’ components Systems can manage signed e-records’ components –Must be accounted for when systems are planned E-records with long retention periods may need to be migrated to a new system or stored offline E-records with long retention periods may need to be migrated to a new system or stored offline –Need to preserve the association of their various components –Should be planned and well documented –Conducted in the normal course of business –Insure the records’ authenticity, integrity, and reliability

E-signature Strategies Questions and Concerns

NYS Office for Technology Strategic Policies, Acquisitions and e-Commerce