Evolving Issues in Electronic Data Collection Workshop Interoperability E-SIGN related multi-state Initiatives.

Evolving Issues in Electronic Data Collection Workshop Interoperability E-SIGN related multi-state Initiatives

Definitions (UETA - Uniform Electronic Transactions Act)
7. "Electronic Record" means a record that is created, generated, sent, communicated, received or stored by electronic means.
8. "Electronic Signature" means an electronic sound, symbol or process that is attached to or logically associated with a record and that is executed or adopted by an individual with the intent to sign the record.
14. "Security Procedure" means a procedure that is employed to verify that an electronic signature, record or performance is that of a specific person or to detect changes or errors in the information in an electronic record. Security procedure includes a procedure that requires the use of algorithms or other codes, identifying words or numbers or encryption, callback or other acknowledgment procedures.
SEC DEFINITIONS (E-SIGN) For purposes of this title:
(4) Electronic Record — The term "electronic record" means a contract or other record created, generated, sent, communicated, received, or stored by electronic means.
(5) Electronic Signature — The term "electronic signature" means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

E-Signature Law Summary
Arizona A.R.S. (by/with state agencies): very specific criteria for linking the signature to the person (and for the security of the document).
Arizona Electronic Transaction Act (AETA/UETA - in-state commerce): focus on sending/receiving the record. "The effect of an electronic record or electronic signature attributed to a person.... is determined from the context and surrounding circumstances at the time of its creation, execution, or adoption, including the parties' agreement, if any, and otherwise as provided by law."
Federal Electronic Signatures in Global and National Commerce Act (E-SIGN - interstate and international commerce): the signed record "remains accessible to all persons who are entitled to access by statute, regulation, or rule of law, for the period required by such statute, regulation, or rule of law, in a form that is capable of being accurately reproduced for later reference, whether by transmission, printing, or otherwise."

E-SIGN SEC Applicability To Federal And State Governments
(b) Preservation Of Existing Rulemaking Authority.— (2)(C) such agency finds, in connection with the issuance of such regulation, order, or guidance, that—
(i) there is a substantial justification for the regulation, order, or guidance;
(ii) the methods selected to carry out that purpose— (I) are substantially equivalent to the requirements imposed on records that are not electronic records; and (II) will not impose unreasonable costs on the acceptance and use of electronic records; and
(iii) the methods selected to carry out that purpose do not require, or accord greater legal status or effect to, the implementation or application of a specific technology or technical specification for performing the functions of creating, storing, generating, receiving, communicating, or authenticating electronic records or electronic signatures.

E-SIGN SEC Applicability To Federal And State Governments
(3) Performance Standards.— (A) Accuracy, Record Integrity, Accessibility.— Notwithstanding paragraph (2)(C)(iii), a Federal regulatory agency or State regulatory agency may interpret section 101(d) to specify performance standards to assure accuracy, record integrity, and accessibility of records that are required to be retained. Such performance standards may be specified in a manner that imposes a requirement in violation of paragraph (2)(C)(iii) if the requirement (i) serves an important governmental objective; and (ii) is substantially related to the achievement of that objective. Nothing in this paragraph shall be construed to grant any Federal regulatory agency or State regulatory agency authority to require use of a particular type of software or hardware in order to comply with section 101(d).

August 10 & 11, the California Secretary of State sponsored a Multi-State Digital Signature Summit "in an effort to pool the collective expertise of state policy executives and technology experts and identify ways to remove barriers to the implementation of digital signature technology." Discussion about E-SIGN at that meeting led to the Sept 6 meeting hosted by the National Governors' Association (NGA) regarding state issues relating to implementation of the federal Electronic Signatures in Global and National Commerce Act (E-SIGN). That meeting focused on prospective preemption of state laws, interoperability among states and retention requirements for state agencies, and it led to NECCC being charged with coordinating four E-SIGN forums: Legal, Policy, Security/Privacy, and Interoperability.

"The primary effect of E-SIGN should be on private entities that wish to use electronic signatures and electronic records as they conduct business. States should only be affected in so far as their activities must recognize and accommodate the use of electronic signatures and electronic records in the private sector." "Another area where states should be prepared to deal with electronic signatures and documents is in their use in court. Although specific court documents, such as briefs, are exempted from E-SIGN, electronic contracts admitted as evidence are not." (What Governors Need to Know About E-SIGN: The Federal Law Authorizing Electronic Signatures and Records, NGA whitepaper, August 1, 2000)
States will need to be prepared to accept private entity documents as evidence in courts and by any state agencies regulating those entities, including private entity documents originally created for another state.

E-SIGN Interoperability forum Vision Statement, December 2000. E-SIGN: "Electronic Signatures in Global and National Commerce Act." "Using electronic signatures means creating signed electronic documents. This forum will begin by asking 'how do we get from technology neutral e-signatures statutes to agreement about what are sharable, trustworthy signed electronic documents (things that are reliable, usable, authentic, and having integrity)?'" The E-SIGN Forums met for a day and a half before the NECCC annual conference in December.

The Interoperability forum defines the essential requirements for a formally formed electronic signature as follows:
Secure electronic signatures. A signature is a secure electronic signature if, through the application of a security procedure, it can be demonstrated that the electronic signature at the time the signature was made was all of the following:
1. Unique to the person using it.
2. Capable of verification.
3. Under the sole control of the person using it.
4. Linked to the electronic record to which it relates in such a manner that if the record were changed the electronic signature would be invalidated.

The Interoperability forum defines the essential requirements for a formally formed electronic record as follows:
Secure electronic records. If, through the ongoing application of a security procedure, it can be demonstrated that an electronic record signed by a secure electronic signature has remained unaltered since a specified time, the record is a secure electronic record from that time of signing forward.

It is recognized that there are many processes to form these signatures and documents. There are also varying levels of certainty desired for identifying a person, attributing a signature to them and assuring the integrity of the signed document. The next step is to define technology neutral classes of Trust Policies that define the requirements for different levels of signatures (and the levels of assuring the integrity and authenticity of the document).

These Trust Policies for both secure electronic signature and secure electronic document will allow this group to roughly answer:
If a secure electronic signature is formed using PKI, then what else does it need (define registration requirements for each Trust Policy, define PKI-specific requirements for each Trust Policy, including how to allow for PKI bridging solutions, etc.) to be generally recognized by agencies in various states as in an acceptable format?
If a secure electronic signature is formed without using PKI, then what else does it need (define registration requirements for each Trust Policy, define technology-specific requirements for each Trust Policy, define how/if to allow for bridging solutions(?), etc.) to be generally recognized by agencies in various states as in an acceptable format?
If a secure electronic record is formed using XML, then what else does it need to be generally recognized by agencies in various states as in an acceptable format? For example, how a PDF document is signed may differ from how an XML document is signed.

The NECCC "face-to-face" meeting led to agreement to focus on concrete types of signing that we could build principles around. The agreement was to look at three specific processes: e-notary, e-mall/procurement, and HIPAA-driven healthcare data/document exchanges. These cover the range of signatures discussed in the face-to-face sessions, going from closed EDI-style signing (e-mall/procurement) to more open-ended signing contexts (e-notary).

Federal Policy - Department of the Treasury The Financial Management Service of the US Department of the Treasury has issued (12/22/00) a final version of its Electronic Authentication Policy, for Federal payment, collection, and collateral transactions conducted over open networks such as the Internet.

Section 5. Risk Model (Department of the Treasury)
(a) All payment, collection, and collateral transactions must be properly authenticated, in a manner commensurate with the risks of the transaction. For any given Federal agency cash flow or program (e.g., corporate user fees, benefit payments, excise taxes, retail product sales, investment collateral, etc.) Federal agencies shall assess overall risk and determine the appropriate electronic authentication technique in accordance with the following risk model.
(1) The three general factors used to determine the overall risk of Federal payment, collection, and collateral transactions are: risk of monetary loss, reputation risk, and productivity risk.
(2) The risk of monetary loss is determined using a variety of elements, including but not limited to: ....
(3) The reputation risk to the Government in the event of a breach or an improper transaction is determined using elements such as: ....
(4) Productivity risk associated with a breach or improper transaction is determined using elements such as: ....

Department of the Treasury: the electronic authentication form is chosen on the basis of the risk assessment. The forms shown on the slide are: smart card PKI; PC-based PKI; PIN; none.

What is a "signature"? Consider the reasons to use a secure electronic signature (the "legal" reasons for a formal signature - wet or electronic):
1. to identify the person signing (the identification function);
2. to indicate that person's approval of the information contained in that data message (the authentication function);
3. to indicate that the record has not been altered (the integrity function).

Earlier: "This initial study led to a detailed description of the electronic record. We determined that an electronic record had to be a fully self-documenting object. We chose to describe these objects in eXtensible Markup Language (XML), a text based standard. We determined that an electronic record was made up of one or more documents, contextual information relating this record with other records, and evidential integrity checks." (Victorian Electronic Records Strategy Final Report)
This can be turned around: a fully self-documented electronic record requires a secure electronic signature to identify the signer, to uniquely link the signer's intent to the document and to assure the integrity of the document. But there are varying levels of certainty desired for identifying a person, attributing a signature to them and assuring the integrity of the signed document.
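As an added illustration (not code from the presentation or from any of the bodies it cites), the following Go program, standard library only, shows the four properties the forum lists for a secure electronic signature and the "unaltered since signing" test for a secure electronic record, applied to a self-documenting record that carries its body, context and signing time together. It uses Ed25519 over a JSON serialization rather than the PKI/XML form the slides mention; the record fields, the signer registry (standing in for a Trust Policy's registration requirement) and all names are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Record is a constructed stand-in for a self-documenting electronic record.
type Record struct {
	DocumentID string            `json:"document_id"`
	Context    map[string]string `json:"context"` // relates this record to others
	Body       string            `json:"body"`
	SignedAt   string            `json:"signed_at"` // time the signature was applied
}

// SignedRecord adds the evidence needed to test the record on its own.
type SignedRecord struct {
	Record    Record `json:"record"`
	SignerKey string `json:"signer_key"` // hex Ed25519 public key
	Signature string `json:"signature"`  // hex Ed25519 signature over the digest
}

// Registry maps a registered public key (hex) to the person it was issued to
// (constructed stand-in for a Trust Policy's registration requirement).
type Registry map[string]string

// canonicalDigest hashes a deterministic serialization (encoding/json keeps
// struct field order and sorts map keys), so the signature covers every field.
func canonicalDigest(r Record) ([]byte, error) {
	b, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(b)
	return sum[:], nil
}

// Sign links the signer's key to the record: any later change to the record
// changes the digest and therefore invalidates the signature.
func Sign(r Record, priv ed25519.PrivateKey) (SignedRecord, error) {
	digest, err := canonicalDigest(r)
	if err != nil {
		return SignedRecord{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, digest)
	return SignedRecord{r, hex.EncodeToString(pub), hex.EncodeToString(sig)}, nil
}

// Verify checks identification (key registered to a known person), attribution
// (signature valid under that key) and integrity (record unchanged since it was
// signed). It returns the registered signer and whether every check passed.
func Verify(sr SignedRecord, reg Registry) (string, bool) {
	signer, registered := reg[sr.SignerKey]
	pub, errK := hex.DecodeString(sr.SignerKey)
	sig, errS := hex.DecodeString(sr.Signature)
	digest, errD := canonicalDigest(sr.Record)
	if !registered || errK != nil || errS != nil || errD != nil ||
		len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize ||
		!ed25519.Verify(ed25519.PublicKey(pub), digest, sig) {
		return "", false
	}
	return signer, true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	reg := Registry{hex.EncodeToString(pub): "Jane Example (constructed signer)"}
	rec := Record{"DEMO-0001", map[string]string{"agency": "Example Agency"},
		"Constructed sample record body.", "2001-01-01T00:00:00Z"}
	signed, _ := Sign(rec, priv)
	fmt.Println(Verify(signed, reg)) // Jane Example (constructed signer) true
	signed.Record.Body = "Altered after signing."
	fmt.Println(Verify(signed, reg)) //  false
}
```

Changing any field, including the signing time, or presenting a key that is not in the registry, makes Verify fail, which is the test-of-record evidence the later slides contrast with testimony about a closed system.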

What is EDI? (Ohio) Electronic Data Interchange (EDI) is the computer-to-computer exchange of business-related documents in a structured, machine processable format. These documents may be purchase orders, invoices, payment remittances and shipping notices between the State of Ohio and its "trading partners." A trading partner, in EDI parlance, is a supplier, customer, subsidiary or any other organization with which the State of Ohio does business. EDI differs from e-mail and fax. Although both of these methods of transferring documents are electronic, both are unstructured and free-form in the way they are presented. This means that information received via e-mail or fax must be rekeyed and reinterpreted before it can be processed by a computer application. EDI, on the other hand, requires that the information be organized in a structured format which can be easily interpreted and processed by a computer application.

How EDI Works - Briefly (Ohio continued) EDI involves taking a standard computer flat file and reformatting the file into a structured EDI format. This format complies with specific industry standards. This reformatting process is performed by a specialized software program called an EDI translator. Once the file has been put into a structured format, it is transmitted over telephone lines to a third-party network. The third-party network, called a Value Added Network (VAN), provides a service much like a post office. The VAN receives the transmitted documents and places these documents into an electronic mailbox for the receiving party to pick up. By dialing into the network, the receiving party can access its mailbox and retrieve the transmitted documents. Once the electronic documents have been accessed by the receiving party, the documents once again can be processed through an EDI translator. The translator takes the documents, which are still in EDI format, and translates them into a standard computer flat file. This flat file then can be formatted into a report and printed out, or sent directly into a company's computer application for processing.

Summary: different Trust Policies for different processes (and different risks).

Q & A. Russ Savage, Electronic Transactions Liaison, Arizona's Office of the Secretary of State (cell phone). Additional E-SIGN information.

Evolving Issues in Electronic Data Collection Workshop Interoperability Electronic Signatures Framework for multi-state Interoperability (Thoughts on what’s next)

What is a "signature"? Consider the reasons to use a secure electronic signature (the "legal" reasons for a formal signature - wet or electronic):
1. to identify the person signing (the identification function) - identify;
2. to indicate that person's approval of the information contained in that data message (the authentication function) - intent;
3. to indicate that the record has not been altered (the integrity function) - record integrity.

Fully self-documented electronic record (e.g. PKI/XML): evidence based on test of the record.
Fully trustworthy record/document system (e.g. EDI) that does not have self-documented electronic records: evidence based on testimony about the system.
Fully self-documented electronic record in a fully trustworthy document system (e.g. PKI/XML/EDI).
Fully trustworthy record/document system that does not have self-documented electronic records but can reliably export a self-documented electronic record (e.g. from EDI to PKI/XML).

Why the fuss about e-signature & e-documents? Because some of mine will migrate to your place and some of yours will migrate to my place. And they need to be readable and verifiable at both places. Trust policies form the foundation. Interoperability: getting from here to over there.

Fully self-documented electronic record (e.g. PKI/XML): relatively unique, relatively open (evidence based on test of the record).
Fully trustworthy document system (e.g. EDI) that does not have self-documented electronic records: could be problematic unless a truly closed system (evidence based on testimony about the system).
Fully self-documented electronic record in a fully trustworthy document system (e.g. PKI/XML/EDI): generally a series, relatively closed but readily exported to open-system use.
Fully trustworthy document system that does not have self-documented electronic records but can reliably export a self-documented electronic record: generally a series, relatively closed but exportable to open-system use.

Arizona's Notary Act

Arizona's Electronic Notary Act: Electronic Notary in the Presence of a Notary

Arizona's Electronic Notary Act: Electronic Notary without the Presence of a Notary

What is a "signature"? Consider the reasons to use a secure electronic signature (the "legal" reasons for a formal signature - wet or electronic):
1. to identify the person signing (the identification function);
2. to indicate that person's approval of the information contained in that data message (the authentication function);
3. to indicate that the record has not been altered (the integrity function).
Notarization accomplishes these - even if the person only makes their mark.

Fully self-documented electronic record (e.g. PKI/XML): evidence based on test of the record.
Fully trustworthy record/document system (e.g. EDI) that does not have self-documented electronic records: evidence based on testimony about the system.
Fully self-documented electronic record in a fully trustworthy document system (e.g. PKI/XML/EDI).
Fully trustworthy record/document system that does not have self-documented electronic records but can reliably export a self-documented electronic record (e.g. from EDI to PKI/XML).
Notarization or certified copy can bridge incompatible document systems.

Why the fuss about e-signature & e-documents? Because some of mine will migrate to your place and some of yours will migrate to my place. They need to be readable and they need to be verifiable. Notarization or "certified copy" can do that between incompatible document systems. Interoperability: getting from here to over there.

Summary. Multi-state reciprocity on electronic notary can reduce the complexity of other interoperability issues by allowing generalized cross-jurisdiction "copy certification" of non-self-documenting records. Arriving at electronic notary reciprocity will address nearly every interoperability issue. The solutions found for it can form the basis for general principles in other interoperability situations. Any issues not addressed will likely surface in the HIPAA and e-mall/e-procurement processes that the E-SIGN Interoperability forum will explore this year. Participation in the E-SIGN Interoperability forum is open to any state employee wishing to participate in finding common e-signature practices across the states.

Q & A. Russ Savage, Electronic Transactions Liaison, Arizona's Office of the Secretary of State (cell phone).