Current Developments in Monetary and Financial Law, Vol. 3
Chapter

CHAPTER 34 The Legal Requirements for Creating Secure and Enforceable Electronic Transactions

Author(s):
International Monetary Fund
Published Date:
April 2005
Share
  • ShareShare
Show Summary Details
Author(s)
THOMAS J. SMEDINGHOFF

What are the rules and requirements for conducting business transactions in electronic form? In a commercial environment, parties enter into an endless variety of transactions. These include contracts governing the purchase and sale of goods, lease agreements, negotiable instruments, agreements for the creation of security interests, loan agreements and promissory notes, filings with government agencies, assignments of rights or title, license agreements, insurance contracts, proxy agreements, and the like. As the Internet becomes an integral part of business, there is an ever-increasing desire to conduct these transactions in that electronic medium. This chapter will address the legal issues raised by the process of entering into a transaction using electronic means. It will focus primarily on U.S. law, although the issues are largely the same worldwide.

Like all transactions, electronic transactions involve documents (usually referred to as records,1 electronic records,2 or data messages3) and signatures (usually referred to as electronic signatures4) that are created, communicated, and stored in electronic form.5 They may be created through the manual efforts of an individual (e.g., typing an e-mail message), via the automated processing of computers (e.g., by using software or a so-called electronic agent), or through human interaction with a computer (e.g., when an individual accesses a website and enters into a purchase agreement). Electronic transactions are communicated via an electronic medium, such as the Internet or a private value-added network, and they are typically stored on a computer-readable medium, such as a disk, tape, CD-ROM, or DVD. Frequently, evidence of electronic transactions never exists on paper, unless there is a need to provide a copy or to introduce evidence to a court or other fact finder.

Legal Recognition of Electronic Transactions

The threshold question for any type of transaction is whether it will be legally valid and enforceable if done in electronic form. Answering this question requires consideration of the legal barriers that might exist with respect to that type of transaction, and any additional requirements for enforceability that might be imposed by law solely because of the electronic nature of the transaction. For purposes of discussion, we will assume that the fundamental legal elements required for that type of transaction are otherwise present and satisfied. For example, if the electronic transaction involves entering into a contract, this chapter assumes that the basic requirements of a contract, that is, offer, acceptance, consideration, and so forth, are present and focuses only on the additional requirements for enforceability that arise because of the electronic nature of the transaction.

Legal Barriers to E-Commerce

When the enforceability of electronic transactions was first considered, several concerns were raised. There were, for example, many questions regarding whether electronic records and electronic signatures satisfy writing and signature requirements imposed by a variety of statutes and regulations, whether records maintained solely in an electronic form will satisfy legal record-keeping requirements, whether the record keeper can establish the authenticity and integrity of such records, whether an electronic record constitutes an original for evidentiary purposes,6 and whether electronic records and electronic signatures would be denied admissibility in court because of their electronic form.

The biggest issue, by far, has focused on the writing and signature requirements imposed by various laws. Specifically, in many cases, the law requires that a transaction be both documented in writing,7 and signed by the person who is sought to be held bound, in order for that transaction to be enforceable. The Statute of Frauds is, of course, the best example of such a law.8 In addition, in the United States thousands of other federal, state, and local statutes and regulations also require a variety of other types of transactions to be documented in writing and with a signature. For example, Georgia has over 5,500 and Ohio has over 8,000 such statutory sections.9

Statutes and regulations that require transactions to be in writing and signed have generally been perceived to constitute legal barriers to electronic transactions. The concern is that an electronic record might not qualify as writing, and an electronic signature might not qualify as a signature. In other words, many believed that such writing and signature requirements would be satisfied only by ink on paper. This general concern about the legality of electronic records and electronic signatures has persisted, not only because of a few contrary court decisions,10 but also because of a lack of specific statutory authorization.

The Legislative Response

As a consequence, the enforceability of electronic transactions has been the subject of extensive legislative efforts. The U.S. federal government, all 50 U.S. states, and the governments of at least 55 other countries have enacted or are currently considering some form of legislation governing the enforceability and conduct of electronic transactions.11

  • In the United States, the enforceability of electronic transactions is primarily governed by the Electronic Signatures in Global and National Commerce Act (E-SIGN),12 a federal law enacted in 2000 that largely preempts inconsistent state law, and the Uniform Electronic Transactions Act (UETA),13 a uniform state law that was finalized by the National Conference of Commissioners on Uniform State Laws (NCCUSL) in 1999 and has now been adopted by 45 states.14

  • In the European Union, the enforceability of electronic transactions is governed by the Electronic Signatures Directive adopted in 199915 and the Electronic Commerce Directive adopted in 2000.16

  • Internationally, model laws governing the enforceability of electronic transactions have also been developed by the United Nations Commission on International Trade Law (UNCITRAL) Working Group on Electronic Commerce,17 which completed work on its Model Law on Electronic Commerce18 in 1996 and finalized and approved its Model Law on Electronic Signatures in 2001.19 These model laws have served as the basis for legislation enacted in several countries.

Each of these laws (and many others) authorize most transactions20 to be conducted in electronic form.21 They effectively sweep away concerns regarding legal requirements for paper documents and ink signatures, as well as inconsistent legal requirements for enforceable electronic transactions,22 and permit electronic commerce to proceed on a substantially uniform legal basis.

To remove the primary barriers to the use of electronic transactions, these statutes typically stipulate that the electronic records and electronic signatures that comprise the transactions cannot be denied legal effectiveness solely on the ground that they are in electronic form. Thus, for example, E-SIGN simply states that, notwithstanding any other rule of law, “a signature, contract, or other record relating to [a] transaction… may not be denied legal effect, validity, or enforceability solely because it is in electronic form.”23 Likewise, UETA provides that “a record or signature may not be denied legal effect or enforceability solely because it is in electronic form.”24 UETA also goes somewhat further, stating that “if a law requires a record to be in writing, an electronic record satisfies the law” and “if a law requires a signature, an electronic signature satisfies the law.”25 Similarly, the European Union Electronic Signature Directive requires member states to “ensure that an electronic signature is not denied legal effectiveness…solely on the grounds that it is in electronic form….”26 The impact of these simple provisions is important, because it prohibits a court from holding that covered transactions are unenforceable solely because of the fact that they are conducted in electronic form.

It is important to keep in mind, however, that legislation providing for the legal recognition of electronic transactions does not in any way waive the fundamental requirements set forth in the substantive law governing the transaction. For example, although e-commerce legislation gives legal recognition to electronic contracts, the parties must still satisfy the requirements for a contract, including offer, acceptance, the inclusion of certain minimum terms, etc. E-commerce legislation simply ensures that transactions previously done on paper can now be done electronically.

Legislation authorizing the use of electronic records and electronic signatures generally applies to most business, commercial (including consumer), and governmental transactions. However, there are a variety of exceptions to the scope of transactions they authorize in electronic form. For example, in the United States, transactions governed by the following laws, or the use of the following documents, are expressly excluded from the scope of E-SIGN, UETA, or both:

  • All articles of the Uniform Commercial Code (UCC), other than Sections 1-107 and 1-206, and Articles 2 and 2A;27

  • Laws governing the creation and execution of wills, codicils, or testamentary trusts;

  • Laws governing family-law matters such as adoption or divorce;

  • Court orders or notices and other official court documents required to be executed in connection with court proceedings;

  • Notices of cancellation or termination of utility services;

  • Notices of default, acceleration, repossession, foreclosure, or eviction, or of the right to cure, under a mortgage or rental agreement for the primary residence of an individual;

  • Notices of the cancellation of health insurance or benefits or life insurance benefits (excluding annuities);

  • Notices of the recall of a product or material failure of a product that risks endangering health or safety; and

  • Any document required to accompany the transportation or handling of hazardous materials, pesticides, or other toxic or dangerous materials.28

It is worth noting, however, that such e-commerce-enabling legislation typically does not prohibit conducting any of the transactions excluded from their scope in electronic form. Rather, the enforceability of those types of transactions is left to other laws.

E-SIGN or UETA—Which One Applies?

The relationship between E-SIGN and UETA has been the source of some confusion. UETA was finalized in July 1999 as a uniform law designed to be enacted by each of the states. A year later, however, Congress passed E-SIGN in an attempt to accomplish a similar purpose at the national level. Both statutes are similar, although there are a number of substantive differences, such as the comprehensive consumer notice and consent requirements that appear in the E-SIGN legislation.

E-SIGN is a sweeping federal statute that applies to all transactions “in or affecting interstate or foreign commerce.”29 E-SIGN thus preempts all inconsistent state law.30 However, E-SIGN contains a provision granting the states authority to “modify, limit, or supercede the provisions of Section 101” of E-SIGN.31 States may exercise this authority in one of two ways:

  • By adopting the official version of UETA without any changes; or

  • By adopting a law that specifies “alternative procedures or requirements for the use or acceptance (or both) of electronic records or electronic signatures,” provided that such alternate procedures are consistent with E-SIGN and do not require, or accord greater legal status or effect to, the implementation or application of a specific technology or technical specification for electronic records or signatures.32

This provision creates a situation in which E-SIGN applies to some electronic transactions and UETA applies to others, depending in large part on the law enacted in the state whose law will govern the transaction. Moreover, because most of the states that have enacted UETA have made some changes to the official form adopted by NCCUSL, there is a further question as to whether these enactments of UETA supercede E-SIGN.

This chapter will not attempt to address the complex federal preemption issues involved.33 However, for purposes of analyzing legal requirements for electronic transactions, two points should be noted. First, there is a significant similarity in the approach taken by both E-SIGN and UETA. Major differences, such as the consumer consent provisions in E-SIGN, are noted. Second, for many parties entering into electronic transactions on a nationwide basis, the preemption issue may be moot, as it may ultimately be necessary to comply with the requirements of both statutes in order to ensure the enforceability of transactions in all relevant jurisdictions.

Key Questions for Electronic Transactions

With legislation in place that authorizes the use of electronic records and electronic signatures in lieu of paper records and handwritten signatures, the next matter involves satisfying the legal requirements in order to create valid and enforceable electronic transactions. Although existing laws diverge on this issue, there are three fundamental questions to consider:

  • What requirements are imposed by e-transaction laws? Assuming that, under applicable law, a particular transaction (e.g., contract, promissory note, letter of credit) can be done in electronic form, what additional requirements must be satisfied so that the electronic version of the transaction will be legally enforceable?

  • Do the parties trust the message? Even if the legal requirements are satisfied, are the parties to the transaction sufficiently comfortable with the authenticity and integrity of the communications and documents comprising the transaction that they are willing to ship their products, transfer funds, provide services, change their position, or otherwise rely on electronic records communicated over the Internet, especially when asked to do so in a real-time environment?34

  • What rules govern completion of the transaction in electronic form? What are the rules that govern the conduct of the parties with respect to carrying out the transaction in electronic form, such as rules regarding the time an electronic message is considered sent, the time the message is considered received, and the place at which the message is considered sent and received?

This chapter will examine these three fundamental questions as they apply to transactions in the online environment.

Requirements Imposed by E-Transaction Laws

Based on the current legislation enacted in the United States and internationally relating to electronic transactions, ensuring enforceability requires that the parties focus on the following questions:

  • Notice and Consent. Have the parties consented to conduct this transaction in electronic form? Have the requisite notices been provided?

  • Signature. Have the signature formalities required for this transaction (where applicable) been satisfied with a legally recognized form of electronic signature?

  • Record Accessibility. Are copies of the electronic records comprising the transaction available to all parties?

  • Record Keeping. Will the electronic records of this transaction satisfy applicable legal record-keeping requirements?

The following sections will summarize each of these issues.

Notice and Consent Requirements

Because electronic transactions are fundamentally different from more traditional ways of doing business, and because they present enhanced risks in a variety of areas, some e-transaction legislation expressly requires that the parties consent to enter into a transaction electronically before it will be considered enforceable. In the United States, this concept appears in both E-SIGN and in UETA.

As a starting point, both E-SIGN and UETA make clear that while they authorize electronic transactions, nothing in either statute requires a party to conduct any transaction in electronic form.35 This preserves the right of a party36 to refuse to enter into any transaction in electronic form.37

UETA goes further, however, because the statute is premised on the requirement of consent. Thus, the benefits of the statute will not apply unless the parties have “agreed to conduct transactions by electronic means.”38 Whether the parties have agreed to conduct a transaction by electronic means is determined from the context and surrounding circumstances, including the parties’ conduct,39 and may be either expressed or implied. This requirement can certainly be satisfied with absolute certainty by obtaining an express agreement to do business electronically before relying on electronic transactions, but that is not necessary. For example, if one party sets up a website that is capable of accepting electronic communications, and another party goes to that website and enters into a transaction with the first party, it can arguably be inferred that both have implicitly agreed to conduct their transaction in electronic form.

The UETA consent provisions apply to all transactions within its scope, both those of businesses and consumers. E-SIGN, on the other hand, contains an extensive disclosure and consent provision, but only for certain limited types of consumer transactions. It applies only when a statute, regulation, or other rule of law requires that information relating to a transaction be provided or made available to a consumer in writing.40 In such a case, the use of an electronic record to provide the relevant information to a consumer is acceptable only if the consumer affirmatively consents to receive an electronic record in lieu of a paper record, provides such consent electronically, and does so in a manner that reasonably demonstrates that he or she can access the electronic information in the form that will be used.41

Moreover, prior to consenting, the consumer must be provided with a clear and conspicuous notice that informs the consumer of

  • His or her option to have the information provided on paper;

  • Whether the consent to receive the information in electronic form applies only to the particular transaction giving rise to the obligation to provide the information, or to identified categories of records that may be made available during the course of the parties’ relationship;

  • The procedures the consumer must use to update information needed to contact the consumer electronically;

  • How he or she may obtain a paper copy of the electronic record, and the fee therefore;

  • The hardware and software requirements for access and retention of the electronic records;

  • His or her option to withdraw such consent, and the procedures the consumer must use to withdraw consent; and

  • The conditions, consequences, and fees for withdrawing such consent.42

The European Union Electronic Commerce Directive takes a slightly different approach that appears to be intended to achieve the same goal. It does not require consent of the parties, but instead requires that information society services (e.g., sellers of goods online) provide a variety of information to the other party regarding the transaction. Required information includes a comprehensive and unambiguous statement as to the technical steps to follow to conclude the contract, whether or not the concluded contract will be filed by the service provider and where it will be accessible, the technical means for identifying and correcting input errors prior to the placing of the order, and the languages offered for the conclusion of the contract.43 The service provider is also obligated to acknowledge receipt of the purchaser’s order without undue delay and by electronic means, and is required to make available to the purchaser appropriate, effective, and accessible technical means of identifying and correcting input errors prior to the placing of the order.44

Signature Requirements

Signatures can serve a variety of purposes in a transaction. The primary uses for a signature can be summarized as follows:

  • Expression of Intent: A signature evidences the signer’s intent with respect to the document signed. The nature of the signer’s intent will vary with the transaction and in most cases can be determined only by looking at the context in which the signature was made. A signature may, for example, signify an intent to be bound to the terms of a contract, the approval of a subordinate’s request for funding of a project, authorization to a bank to transfer funds, confirmation that the signer has read and reviewed the contents of a memo, an indication that the signer was the author of a document, or merely that the contents of a document have been shown to the signer and that he or she has had an opportunity to review them.

  • Satisfaction of Legal Requirements: A signature is often used to satisfy a law or regulation that requires the presence of a signature before the document will be considered legally effective. The statute of frauds (which requires contracts for the sale of goods in excess of $500 to be signed) is, of course, the best example of such a law. In addition, however, thousands of other federal, state, and local statutes and regulations also require certain types of transactions to be documented in writing with a signature.

  • Security: Signatures often function as a security device. That is, signatures can be used (1) to authenticate a document (i.e., to identify the signer and indicate that such person is the source of, or has approved, the document), and/or (2) to ensure the integrity of the document (i.e., to ensure that the document has not been altered since it was signed).45

Traditionally, under U.S. law, any symbol that is made with the intent to sign a document can qualify as a legally valid signature. Thus, for example, the definition of “signed” in the UCC includes “any symbol,” so long as it is “executed or adopted by a party with present intention to authenticate a writing.”46 The primary focus is on the “intention to authenticate” a document, which distinguishes a signature from an autograph.

Both E-SIGN and UETA extend this basic approach to the concept of an electronic signature. To be enforceable under U.S. law, they require that an electronic signature possess three elements, namely that it be47

  • A sound, symbol, or process;

  • Attached to or logically associated with an electronic record;48 and

  • Made with the intent to sign the electronic record.49

Electronic signatures that meet these requirements are considered legally enforceable as substitutes for handwritten signatures for most transactions in the United States.50

The definition of electronic signature recognizes that there are many different methods by which one can sign an electronic record. Although electronic signatures, by their nature, are represented digitally (i.e., as a series of ones and zeroes), they can take many forms and can be created by many different technologies. Examples of electronic signatures (that qualify under E-SIGN and UETA) include the following:

  • A name typed at the end of an e-mail message by the sender;51

  • A digitized image of a handwritten signature that is attached to an electronic document (sometimes created via a biometrics-based technology called signature dynamics);52

  • A secret code, password, or personal identification number to identify the sender to the recipient (such as that used with automated teller machine cards and credit cards);

  • A unique biometrics-based identifier, such as a fingerprint, voice print, or a retinal scan;

  • A mouse click (such as on an “I accept” button);53

  • A sound (e.g., the sound created by pressing “9” on your phone to agree); and

  • A digital signature (created through the use of public key cryptography).54

This is, of course, not an exhaustive list of methods by which one can electronically sign a document. There are other ways of signing an electronic document, and presumably many more will be developed in the future. However, all forms of electronic signatures must satisfy the three requirements outlined above.

There is a big difference, however, between an electronic signature that merely satisfies the requirements of E-SIGN and UETA, and a trustworthy electronic signature. As a consequence, parties who desire to engage in electronic transactions may find that merely using a legally compliant electronic signature is not sufficient. As discussed above, clicking a mouse on an “I accept” button or typing a name on an e-mail message both qualify as legally enforceable signatures. But by themselves, they offer no evidence as to who clicked the mouse or typed the name that appears on the electronic document. Thus, to say that they are legally enforceable may be somewhat illusory, as a party’s ability to authenticate a signature or use it to verify the integrity of a document may be very limited at best. The key lies in authenticating the person who applied the symbol or executed the process—that is, in knowing (and being able to prove) who typed the name or who clicked on the “I accept” button.

For electronic transactions, these security-related signature functions of identity and integrity can be key. When transactions are automated and conducted over significant distances using easily altered digital technology, the need for a way to ensure the identity of the sender and signer and the integrity of the document becomes pivotal. Thus, while removing the so-called signature barrier to electronic transactions may have been an important legislative step, it is also important to recognize that an electronic signature, by itself, may not provide the security that a unique handwritten signature is thought to carry on a paper-based transaction. This need for security—for trusting the transaction—is addressed below.

Record Accessibility Requirements

Another key requirement for the enforceability of electronic transactions is that the documents that comprise the transaction be communicated in a form that can be retained and accurately reproduced by the receiving party. In the United States, the Federal E-SIGN legislation provides that the legal effect, validity, or enforceability of an electronic record “may be denied if such electronic record is not in a form that is capable of being retained and accurately reproduced for later reference by all parties or persons who are entitled to retain the contract or other record.”55 Likewise, UETA provides that “if a sender inhibits the ability of a recipient to store or print an electronic record, the electronic record is not enforceable against the recipient.”56

The European Union Electronic Commerce Directive contains a similar requirement governing contracts with information society services (e.g., for the sale of goods). Under the Directive, contract terms and general conditions “must be made available in a way that allows him to store and reproduce them.”57

This requirement does not, of course, limit electronic transactions to those parties that possess the technical capability for downloading or printing documents. Rather, the focus is on the form of the document as communicated by the sender and essentially requires that the sender do nothing to inhibit the ability of the recipient to download, store, or print the applicable record. The fact that the recipient may choose to use a device without such capabilities (for example, a handheld device without a print capability) should not affect the enforceability of the transaction. On the other hand, such provisions clearly call into question the click-wrap agreement typically used on many websites, in which the agreement is displayed in a separate window from which it cannot be downloaded or printed.

Record Retention Requirements

An essential element for the enforceability of all transactions is record keeping. In the event of a dispute, it is necessary to produce reliable evidence documenting the terms of the transaction and the agreement to the parties. Similar requirements also exist, for example, to satisfy regulatory requirements (e.g., regulations governing the insurance, securities, and banking industries), as well as the requirements of government agencies, such as the Internal Revenue Service. For electronic transactions, the issue becomes a question of whether keeping electronic records will satisfy applicable statutes, regulations, or evidentiary rules and, if so, what requirements must be met for acceptable electronic records.

Both E-SIGN and UETA address this issue directly and impose similar requirements. Essentially, storage of an electronic record will satisfy legal record retention requirements if the stored copy of the electronic record satisfies the following requirements:

  • The record must accurately reflect the information set forth in the record;58 and

  • The record must remain accessible for later reference.59

With respect to evidentiary rules, both E-SIGN and UETA also provide that if a rule of evidence or other rule of law requires a record relating to a transaction to be provided or retained in its original form, this obligation is satisfied by meeting the accuracy and accessibility requirements listed above.60 These provisions also make clear that records can be kept in electronic-only form. Moreover, it provides a great deal of flexibility to the parties in terms of how they store the records, when and whether they transfer the records to new media, and meeting applicable evidentiary requirements.

Security—Is the Transaction Trustworthy?61

Beyond compliance with the statutory requirements for legal enforceability, the primary concern of parties to an electronic transaction is the pivotal question of trust. To say that an electronic transaction complies with legal requirements is one thing. To have a sufficient degree of trust in an electronic transaction such that one is willing to ship products, transfer funds, or enter into a binding contractual commitment in real time is something else.

The loss of trust can have a significant impact. For example, on August 26, 2002, the Reuters News Agency reported that large South Korean investors had stopped trading stocks online as a result of a disclosure from Daewoo Securities, Korea’s fourth largest brokerage, that an unauthorized person had used one of its client accounts to buy almost $22 million worth of shares. The matter involved the apparently unauthorized purchase of 5 million shares in Delta Information and Communications over a period of 90 seconds.62 The loss of trust was, of course, immediate. According to the article, one of Korea’s biggest institutional investors was quoted as saying “starting today, we started to stop online trading for the time being because of the security risks.”

The Requirements for Trust

Trust, of course, plays a role in virtually all commercial transactions. Regardless of whether the deal is struck in cyberspace or in the more traditional paper-based world, each of the transacting parties must have some level of trust before they will be willing to proceed with the transaction. But trust has different components. Trusting one’s business partners has always been important (e.g., Are they reputable and creditworthy? Will they perform as promised?). But in today’s e-business environment, companies also need to trust the transaction itself.

What does trusting the transaction mean? When vital business transactions depend on computer and network availability, the parties need to know that these will work properly and without interruption. When remote communications replace personal contact or a trusted medium such as the mail, the parties need to verify each other’s identity. When easily copied and altered electronic records replace signed paper documents, the parties need assurance that these records are authentic and unaltered. And when sensitive data are stored electronically, the parties need assurances that the data are protected and accessible.63

The importance of trust for the success of e-commerce is widely recognized. For example, the Commission of the European Communities noted that:

The first objective is to build trust and confidence. For e-commerce to develop, both consumers and businesses must be confident that their transaction will not be intercepted or modified, that the seller and the buyer are who they say they are, and that transaction mechanisms are available, legal, and secure. Building such trust and confidence is the prerequisite to win over businesses and consumers to e-commerce.64

Ensuring that an electronic transaction is trustworthy, from a legal perspective, requires consideration of four issues: authenticity, integrity, confidentiality, and nonrepudiation.

Authenticity—Who Sent the Message?

Authenticity is concerned with the source or origin of a document or message.65 Who created or signed the document? Who sent the message? Is it genuine or a forgery?

A party entering into a transaction relying on an electronic message must be confident of the source of that message. For example, when a bank receives an electronic payment order from a customer directing that money be paid to a third party, the bank must be able to verify the source of the request and ensure that it is not dealing with an impostor.66

Likewise, a party must also be able to establish the authenticity of its electronic transactions should a dispute arise. That party must retain records of all relevant communications pertaining to the transaction and keep those records in such a way that it can show that the records are authentic. For example, if one party to a contract later disputes the nature of its obligations, the other party may need to prove the terms of the contract to a court. A court, however, will first require that the party establish the authenticity of the record that the party retained of that communication before the court will consider it as evidence.67

A signature can be used to authenticate the source of a document. This works very well with handwritten signatures on paper documents, because such signatures can usually be related to a specific person, through handwriting analysis if necessary. But, most legally recognized electronic signatures do not perform this function, or provide such a weak level of authentication that they have little or no evidentiary value for that purpose.68 For example, while E-SIGN and UETA both recognize that typing one’s name, clicking a mouse, and almost any other sound or symbol can constitute a valid electronic signature, it is readily apparent that such signatures, by themselves, do little to authenticate the source of a document. The ultimate question—who typed the name or who clicked the mouse—often remains unanswered.

Some electronic transaction legislation attempts to address this problem by requiring that an electronic signature contain both information from which the signer can be identified and a level of security designed to ensure that the signature was in fact made by the person identified.69 However, most electronic transaction legislation (including E-SIGN and UETA) recognizes the validity of electronic signatures that are, in many respects, the legal equivalent of signing a paper contract with an “X.” They leave unanswered the question of proving the identity of the signer.

Integrity—Has the Document Been Altered?

Integrity is concerned with the accuracy and completeness of the communication. Is the document the recipient received the same as the document that the sender sent? Is it complete? Has the document been altered either in transmission or storage?

The concern regarding integrity flows from the fact that electronic documents are easily altered in a manner that is not detectable. Moreover, because every copy of an electronic document is a perfect reproduction, there is no such thing as an original electronic document. Thus, unlike paper documents, electronic records come with no inherent attributes of integrity.

The recipient of an electronic message must be confident of a communication’s integrity before the recipient relies and acts on the message. Integrity is critical to e-commerce when it comes to the negotiation and formation of contracts online, the licensing of digital content, and the making of electronic payments. For example, consider the case of a contractor who wants to solicit bids from subcontractors and submit a proposal to the government online. The contractor must be able to verify that the messages containing the bids upon which he or she will rely in formulating the proposal have not been altered. Likewise, if the contractor ever needs to prove the amount of a subcontractor’s bid, a court will first require that the contractor establish the integrity of the record of that communication before the court will consider it as evidence in the case.70

A signature can be used to verify the integrity of a document. This works reasonably well with paper documents with a handwritten signature (or initials) placed at the bottom of each page, which is a reasonably reliable way of preventing undetected alterations. But most legally recognized electronic signatures do not include this function. Clicking a mouse or typing one’s name on an easily altered electronic document is no guarantee of document integrity. Typically, the use of cryptographic algorithms, often coupled with digital signatures, is the only way to detect alteration in an electronic document.

Confidentiality

Confidentiality is concerned with controlling the disclosure of information. It involves (1) protecting information so that unauthorized persons cannot have access to it and/or (2) protecting information so that even if unauthorized access is obtained, the information is unreadable (e.g., by encrypting the information).

Confidentiality may not be an issue in all situations. In some cases, however, it is critical. Maintaining a competitive advantage, for example, may require that certain information be kept confidential. In addition, statutes and regulations designed to protect the privacy of personally identifiable information typically require that such information be kept confidential, except when used in a manner authorized by law.71 Likewise, confidentiality may be necessary to protect a property right in information, such as a trade secret right. Information can qualify as a trade secret only if it is not generally known and reasonable security precautions are taken to maintain secrecy.72 In addition, confidentiality may be necessary to comply with certain legal obligations, such as an obligation not to disclose the contents of attorney-client communications,73 or obligations arising as a result of contractual commitments. Confidentiality may also be important for preventing access to and use of information that can cause harm to the owner of the information, such as credit card, bank account, or social security numbers.

Nonrepudiation—Can the Message Be Proved in Court?

Nonrepudiation flows from authenticity and integrity. It is the ability to prove that the originator of a document in an electronic transaction intended to be bound by the terms of the document, that is, to hold the sender to his or her communication in the event of a dispute.74 A person’s willingness to rely on a communication, contract, or funds transfer request is typically contingent upon having some level of comfort that he or she can prevent the sender from denying that he sent the communication (if, in fact, he or she did send it), or from claiming that the contents of the communication as received are not the same as what the sender sent (if, in fact, they are what was sent). For example, a stockbroker who accepts buy or sell orders over the Internet would not want clients to be able to place an order for a volatile commodity, such as a pork bellies futures contract, and then be able to confirm the order if the market goes up and repudiate the order if the market goes south.75

The Challenge of the Electronic Environment

With paper-based transactions, a party can rely on numerous indicators of trust to ensure the authenticity, integrity, confidentiality, and nonrepudiability of a document. These include using paper (sometimes with letterhead, watermarks, colored backgrounds, or other indicia of reliability) to which the message is affixed and not easily altered, handwritten ink signatures, sealed envelopes for delivery via a trusted third party, or personal contact between the parties. With the use of electronic documents and electronic communications conducted remotely over the Internet, however, none of these indicators of trust are present. All that can be communicated are bits (Os and 1 s) that are in all respects identical and that can be easily copied and modified without detection.

Thus, moving transactions to an electronic environment has two important consequences. First, in many cases it is difficult to know when one can rely on the integrity and authenticity of an electronic message. This, of course, makes difficult those decisions that involve entering into contracts, shipping products, making payments, or otherwise changing one’s position with reliance on an electronic message, especially for significant transactions. Second, this lack of reliability can make proving one’s case in court difficult at best. For example, if a defendant denies making the signature that is appended to an electronic document, it may be virtually impossible for the plaintiff to prove the authenticity of that electronic signature, absent additional evidence.

If e-commerce is to reach its full potential, however, parties must be able to trust electronic communications for a wide range of transactions, particularly ones where the size of the transaction is substantial or the nature of the transaction is of higher risk. In such cases, a party relying on an electronic communication will need to know, at the time of reliance, whether the message is authentic, whether the integrity of its contents is intact, and whether the relying party can establish both of those facts in court if a dispute arises.

The Law and Trust in Electronic Transactions

Establishing trust in an electronic transaction requires the use of security procedures76 designed to ensure the authenticity, integrity, confidentiality, and/or nonrepudiation of electronic documents and messages. There are a number of security procedures that can be used to assist in establishing trust for electronic communications. These include

  • Algorithms or codes;77

  • Cryptography and digital signatures;

  • Identifying words or numbers;

  • Replies and acknowledgments;

  • Repeat-back acknowledgments;

  • Using an automated process or system;78

  • Date and time stamping;

  • Using trusted third parties to retain copies of electronic communications; and

  • Encryption.

Increasingly, the law is recognizing the importance of security procedures in determining the enforceability of an electronic transaction and the allocation of risk in the event of a loss. The first formal recognition of the legal effect of security procedures occurred in 1989 with the approval of Article 4A of the UCC,79 which addresses the electronic transfer of funds by wire.80 A person who wishes to transfer funds electronically does so by transmitting an electronic message, called a payment order, to his or her bank. Because that message cannot bear a traditional ink signature, security procedures must be used instead. The UCC recognized this as well as the reality that a bank receiving a payment order needs something objective on which it can rely in determining whether it may safely act on that order.81 Article 4A modernized the law by providing that a bank could rely on security procedures as a substitute for the traditional time-tested requirement of a signature to ensure the authenticity and integrity of the message. Thus, under Article 4A, an electronic message purporting to be from a bank’s customer that instructs the bank to transfer funds to a payee is considered valid, and the bank is authorized to transfer the funds in accordance with the order if the authenticity and integrity of the order is verified pursuant to a commercially reasonable security procedure, regardless of whether the order was actually authorized by the customer. The bottom line is that Article 4A adopts security procedures rather than signatures as the basis for verifying electronic transactions and apportioning liability.

Since the advent of UCC Article 4A, the law is starting to recognize that security has a key role to play in electronic transactions. Approaches vary, however, and currently electronic transactions statutes fall into the following categories with respect to security:

  • Security not addressed. Many statutes say nothing at all with regard to the role of security. They merely authorize the use of electronic records and signatures in lieu of paper records and signatures (and in some cases provide for other transactional requirements, such as consent), but say nothing about, or give no legal effect to, the use of security procedures. This is the approach taken by E-SIGN and UETA.

  • Security as a precondition to enforceability. Some statutes require the use of security, at some level, before the transaction (or some aspect of it) will be legally enforceable. The UNCITRAL Model Law on Electronic Signatures, for example, requires an element of reliability, that is, that electronic signatures be as reliable as appropriate for the circumstances, before the electronic signature will be considered valid. Likewise, the electronic signature must be capable of identifying the signer, another aspect of security. Many of the electronic signature statutes enacted by the various states in the United States also took a similar approach (although they are largely preempted by E-SIGN now).82

  • Incentives for security—legal presumptions. A number of statutes provide that almost any form of electronic signature can be enforceable and meet legal signature requirements, while recognizing that some electronic signatures are more trustworthy than others.83 To encourage the use of those electronic signatures deemed to be more trustworthy, and to provide message recipients with an enhanced level of assurance regarding the authenticity and integrity of messages using such signatures, these statutes typically provide a legal benefit in the form of an evidentiary presumption regarding the sender’s identity and/or the integrity of the document. Thus, these statutes, while not literally requiring security as a precondition to the enforceability of electronic transactions, provide incentives for security by providing a legal benefit (i.e., a presumption) to those who use security to assist them in ensuring that the transaction will be enforceable.

  • Security as a risk allocation device. Finally, some legislation uses the presence or absence of security as a risk allocation device. UETA, for example, in some cases allocates the risk of loss for errors or mistakes to the party that failed to implement agreed-upon security procedures. Likewise, UCC Article 4A allocates the risk of loss for fraudulent electronic payment orders based on the presence or absence of an agreed-upon security procedure.

A good example of legislation that provides for legal presumptions is the Illinois Electronic Commerce Security Act, which creates a technology-neutral class of trustworthy signatures called “secure electronic signatures.”84 While all electronic signatures are enforceable under this Act, an electronic signature that qualifies as a secure electronic signature enjoys a rebuttable presumption that the signature is that of the person to whom it correlates.85 This approach was followed in the European Union Electronic Signature Directive. Under this Directive, while electronic signatures cannot be denied enforceability solely because they are in electronic form, a more secure form of electronic signature (referred to as “advance electronic signatures”) is presumed to satisfy legal requirements for signatures and is presumed admissible as evidence in legal proceedings.86

Technology-specific statutes that confer similar legal presumptions on certain cryptographically created digital signatures have been enacted in Minnesota, Missouri, Utah, and Washington.87 To ensure that the digital signature possesses a level of trust sufficient to warrant enhanced legal recognition, these statutes impose a regulatory structure on certification authorities that voluntarily elect to be licensed by the state.88 Based on the apparent assumption that all certificates issued by licensed certification authorities are trustworthy, and that a digital signature that is created using the private key corresponding to the public key listed in such a certificate is a trustworthy signature, the legislation has bestowed attributes of trust to messages verifiable by such certificates.89

There is, of course, a great deal of debate over whether, or how, the law should address the role of security in electronic transactions. But regardless of the outcome of that public policy debate, there can be no denying that security is an ever-increasing concern for electronic transactions. And even where it is not given special recognition in legislation, it will ultimately become important in the evidentiary process in the event of a dispute. Whether an electronic record is admissible, or the weight that it will be given by the trier of fact, will ultimately depend on the ability of the proponent of the electronic document to establish its authenticity and integrity—factors that hinge upon the sufficiency of the security measures employed under the circumstances.

What Rules Govern the Transaction?

Finally, for any electronic transaction, the parties need to know the rules that govern their use of the electronic medium for communication and storage, and these rules can differ significantly from those that govern transactions documented on paper. Questions to be considered, for example, include rules regarding the time and place of sending and receipt of electronic documents, the notarization of electronic documents, and the effect of errors introduced into the communication process.

Unfortunately, most electronic transaction statutes enacted to date say little or nothing about the rules governing the conduct of parties using electronic records and signatures. However, UETA and, to a lesser extent, E-SIGN do provide guidance with respect to some of these issues.

Timing Rules

When is an electronic record considered sent? When is it considered to have been received? These issues of timing can be important for resolving a variety of issues, such as whether a binding contract has been created (particularly in the case where an offer sets a deadline for acceptance), whether a document has been filed with the applicable government agency on time, when a trade was consummated, and so forth. For example, in one case, a court held that a fax transmission was not effective notice because, while it was started before the deadline passed, it was not completed until afterward.90 Electronic transmissions may pose similar problems, especially since there can be a delay between sending and receipt.

UETA provides that the time at which an electronic record is considered to have been sent is the time that the record “enters an information processing system outside the control of the sender” (in the case where a message is sent from one computer system to another), or “enters a region of the information processing system designated or used by the recipient which is under the control of the recipient” (in the case where a message is sent from one person to another on the same system, such as where both parties are on America Online).91 An electronic record will be considered to have been sent as of that time, provided that it is addressed properly to an information processing system that the recipient has designated or uses for the purpose of receiving electronic records and from which the recipient is able to retrieve the electronic record, and provided further that it is in a form capable of being processed by that system.92

Conversely, UETA provides that an electronic record is considered received by the intended recipient when it enters an information processing system that the recipient has designated or uses for the purpose of receiving electronic records of the type sent and from which the recipient is able to retrieve the electronic record, and is in a form capable of being processed by that system.93 It is also important to note that an electronic record is considered received even if no individual is aware of its receipt. That is, as with first class mail, once the message is delivered it makes no difference whether or not the addressee actually opens it.

Venue Rules

Another important question, and one that may have bearing on determining which law applies to a transaction, is the question of where a message is considered sent from and where it is considered received.

UETA provides, as a default rule, that an electronic record is deemed to be sent from the sender’s place of business and to be received at the recipient’s place of business.94 If the sender or recipient has more than one place of business, the relevant place of business is considered to be the one that has the closest relationship to the underlying transaction. If the sender or the recipient does not have a place of business, then the place of business is considered to be the sender’s or recipient’s residence, as the case may be.95 E-SIGN does not address this issue.

Requirements for Creation of Electronic Contracts

A contract may be made in any manner sufficient to show agreement, including offer and acceptance, or conduct that recognizes the existence of a contract.96 In theory, the same rule should apply to electronic contracts, although there are very few laws on the subject. There are fundamental provisions in E-SIGN, UETA, and the UNCITRAL Model Law on Electronic Commerce that support the validity of electronic contracts, but little more than that. In part due to this fact, in 2001 UNCITRAL began a project to develop an international convention on electronic contracting.97 Similarly, in the United States, an industry group known as the Electronic Financial Services Council has developed Standards and Procedures for Electronic Records and Signatures (SpeRS) to address these issues and develop appropriate standards.98

E-SIGN provides that “a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.”99 Similarly, UETA provides that “a contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.”100 Finally, the UNCITRAL Model Law on Electronic Commerce goes a bit further by providing both that “an offer and the acceptance of an offer may be expressed by means of data messages,” and “where a data message is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that a data message was used for that purpose.”101

As a general rule, contract offers may be made orally, in writing, or by conduct. There is no reason why an electronically transmitted offer should be any less effective than an oral or written one.102 To be valid, an offer must communicate to the person receiving it that, once the offer is accepted, a contract is created.

An offer may be accepted “in any manner and by any medium reasonable in the circumstances.”103 Typical offline acceptances include written and oral communications, as well as acceptance by conduct. Their online counterparts include acceptance by e-mail or other form of electronic message, by electronic agent, and by conduct such as clicking on a button or downloading content.

Thus, if an offer is made by e-mail, one should be able to accept it by the same means.104 But what if the offer was made by some other method, such as letter or fax? An acceptance does not necessarily have to be sent the same way as the offer.105 However, UETA provides that an electronic record is considered received only when it enters a computer system “that the recipient has designated or uses for the purpose of receiving electronic records of the type sent.”106 Thus, if the parties have regularly corresponded in the past by e-mail, an e-mail acceptance sent to the offeror’s e-mail address will presumably be effective. However, in some cases many people have multiple e-mail addresses that are used for different purposes, and some of these e-mail addresses may be rarely used or monitored. Thus, the purpose of the foregoing requirement is to ensure that recipients can designate the e-mail address or system to be used in a particular transaction.

Automated Transactions

Can the act of a computer (without human involvement) create a contract? The answer should be yes, depending on the circumstances.

A computer can certainly generate an offer. For example, an inventory system can calculate when supplies are low and automatically generate an electronic purchase order to a vendor. Would such an order be a binding offer? While there are not yet any cases directly on point, one analogous case has upheld the validity of a computer-generated insurance renewal.107 The court, reasoning that the computer operates only in accordance with the information and directions supplied by its programmers, held that the insurance company was bound by the computer-generated renewal notice.

Acceptances can also be generated by computer. The issue, however, is likely to be whether a responsive message is an acceptance or merely an acknowledgment of receipt. In most cases it will depend on the nature of the response. For example, in one case involving a computer order entry system, orders were placed by touch-tone phone, and the system automatically generated a tracking number for each order. When the seller refused to fill the buyer’s order, the buyer sued. The court held that no contract had been created, since the tracking number was merely for administrative convenience and not a clear acceptance.108

This issue will certainly arise in Electronic Data Interchange (EDI) transactions, where a computer can automatically acknowledge receipt of an electronic purchase order. However, this type of acknowledgment usually only means the computer received the message in a form it could read.109 It does not necessarily mean the order was accepted. Other types of EDI messages, such as purchase order acknowledgments, would be proper acceptances. UETA also provides that receipt of an electronic acknowledgement from a computer establishes that a record was received by the computer but does not, by itself, establish that the content sent corresponds to the consent received.110

Related is the question of the enforceability of contracts formed via electronic agents. An electronic agent is a computer program or other automated means used to initiate an action or respond to electronic records or performances in whole or in part without review or action by an individual at the time of the action or response.111

Both E-SIGN and UETA specifically recognize the validity of contracts formed by electronic agents. E-SIGN provides that a contract or other record relating to a transaction may not be denied legal effect, validity, or enforceability solely because its formation, creation, or delivery involved the action of one or more electronic agents, so long as the action of any such electronic agent is legally attributable to the person to be bound.112 Likewise, UETA recognizes that a contract may be formed by the interaction of electronic agents of the parties, even if no individual was aware of or reviewed the electronic agent’s actions or the resulting terms and agreements.113 In addition, UETA recognizes that a contract may be formed by the interaction of an electronic agent and an individual.114

Errors in Transmission

Another key concern for electronic transactions is the problem of changes or errors that may be introduced into an electronic record, either because of system or transmission problems, or intentional alteration. E-SIGN does not address this issue. However, UETA does contain a limited provision. As a general rule, UETA provides that if the parties have agreed to use a security procedure to detect changes or errors in electronic records, and one party conforms to the procedure but the other does not, if an error or change occurs that could have been detected by the nonconforming party had that party applied the security procedure, the conforming party may avoid the effect of the changed or erroneous record.115 Also, in the case of an automated transaction involving an individual, the individual may avoid the effect of a record that resulted from an error made by the individual if the electronic agent of the other party did not provide an opportunity for the prevention or correction of the error and the individual promptly notifies the other person of the error takes reasonable steps to return or destroy the consideration received as a result of the erroneous record, and has not used or received any benefit or value from the consideration received.116

Notarization or Witness Requirements

In many cases, a law requires that a signature or a document be notarized, acknowledged, verified, or made under oath. Both UETA and E-SIGN recognize that this requirement can also be satisfied for electronic transactions, so long as the electronic signature of the person authorized to perform these acts, together with all other information required to be included by other applicable law, is attached to, or logically associated with, the signature or record.117 However, it is important to note that this provision does not eliminate any of the other requirements of notarial laws (such as the use of a stamp or seal). It simply allows the signing of the document to be accomplished in an electronic medium. Some states, such as Florida, have already passed electronic notary statutes designed to address how the other requirements of a notary can be accomplished in an electronic medium. However, for states that have not, the value of this provision may be limited.

Party Autonomy

One final point is worth noting. With the law in a state of flux, a common approach for parties regularly engaged in electronic transactions is to simply enter into their own contract to decide the rules that will govern their online conduct. This concept of party autonomy, that is, the right of the parties to agree between themselves as to the rules that govern their transactions, has been a core premise of the U.S. government position regarding electronic commerce.

Consistent with this view, UETA expressly provides that, subject to certain exceptions, the effect of any of the provisions in UETA may be varied by agreement.118 E-SIGN, however, like most other legislation, is simply silent on the subject of party autonomy. Some legislation (such as consumer protection legislation) actually prohibits variation of its terms by agreement.

In the absence of laws that prohibit changes of the rules by agreement of the parties,119 the courts generally uphold such agreements.120 The Supreme Court stated “[a]bsent some ‘overriding procedural consideration that prevents enforcement of the contract,’ courts have held that agreements to waive evidentiary rules are generally enforceable even over a party’s subsequent objections.”121 The Court did note, however, that “there may be some evidentiary provisions that are so fundamental to the reliability of the fact-finding process that they may never be waived without irreparably discrediting the … courts.”122

Thus, some contracts that purport to alter existing legal rules have been held unenforceable. In one case, for example, the court refused to enforce an agreement that only certain types of appraisals would be admissible, on the ground that such a provision “purported to totally preempt the court from its consideration of legally competent evidence.”123 In another case, the court held that a licensee could dispute a contractual recital that trademark infringement was conclusive evidence of irreparable injury.124 In another case, the court stated, “It is at best highly doubtful that parties may, by contract, allocate burdens of proof, establish standards of proof, or, in other respects, control judicial fact-finding procedures in actions arising out of their contracts.”125 Finally, some courts have upheld provisions in insurance policies that alter the legal presumption of death after absence for seven years, although many other courts refuse to enforce such agreements.126

In most cases, however, contracts between trading partners (especially in a business-to-business context) that establish rules for electronic transactions where none previously existed, or that alter existing rules, will be enforced. Until the law governing electronic transactions evolves further, this is often the best way for the parties to ensure the enforceability and security that they require.

Notes

The term “record” is typically defined as “information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.” See Electronic Signatures in the Global and National Commerce Act (E-SIGN), and 15 U.S.C. § 7006; Uniform Electronic Transaction Act (UETA), § 2(13).

The term “electronic record” means a “record created, generated, sent, communicated, received, or stored by electronic means.” E-SIGN, 15 U.S.C. § 7006 (4); UETA § 2(7).

The term “data message” means “information generated, sent, received, or stored by electronic, optical, or similar means including, but not limited to, Electronic Data Interchange (EDI), electronic mail, telegram, telex, or telecopy.” United Nation Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures, Article 2(c).

The term “electronic signature” means “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” E-SIGN, 15 U.S.C. § 7006 (5); UETA § 2(8). Under the European Union Electronic Signature Directive, “electronic signature” means “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.” Electronic Signature Directive, 1999/93/EC (13 December 1999), Article 2(1).

Electronic form means “relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.” E-SIGN, 15 U.S.C. § 7006 (2); UETA § 2(5). See also 5 Ill. Comp. Stat. 175/5-105 (1998).

The requirement that a document be an original occurs in a variety of contexts for a variety of reasons. In many situations, documents must be transmitted unchanged (i.e., in their original form), so that other parties may have confidence in their contents. Examples of documents where an original is often required include trade documents (e.g., weight certificates, agricultural certificates, quality and quantity certificates, inspection reports, insurance certificates) and non-business related documents (e.g., birth certificates and death certificates). When these documents exist on paper, they are usually accepted only if they are original, because alterations may be difficult to detect in copies.

The requirement that a document be an original is also important from an evidentiary perspective. In particular, the best evidence rule (sometimes referred to as the “original document rule”) requires that in proving the terms of a writing, where the terms are material, the original must be produced unless it is shown to be unavailable for some reason other than the serious fault of the proponent, 1 McCormick on Evidence §230 at 704 (Cleary Ed., 3d ed., 1984). See also Federal Rule of Evidence 1002 “Requirement of Original,” which states that “to prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by act of Congress.”

Requirements that agreements be in writing serve a variety of purposes. These include (1) providing tangible evidence of the existence and nature of the intent of the parties to bind themselves; (2) alerting parties to the consequences of entering into a contract; (3) providing a document that is legible to all, including strangers to the transaction; (4) providing a permanent record of the transaction that remains unaltered over time; (5) allowing the reproduction of a document so that each party can have a copy of the same; (6) allowing for the authentication of the data by means of a signature; (7) providing a document that is in a form acceptable to public authorities and courts; (8) finalizing the intent of the author of the writing and providing a record of that intent; (9) allowing easy storage of data in tangible form; (10) facilitating control and subsequent audit for accounting, tax, or regulatory purposes; and (11) bringing legal rights and obligations into existence in those cases where a “writing” is required for validity purposes. See United Nations, UNCITRAL Model Law on Electronic Commerce with Guide to Enactment 1996, at par. 48, http://www.uncitral.org/english/texts/electcom/ml-ecomm.htm, and Illinois Commission on Electronic Commerce and Crime, Final Report of the Commission on Electronic Commerce and Crime (May 26, 1998), http://www.bakernet.com/ecommerce/ceccfin.doc.

For the Statute of Frauds and contracts involving the sale of goods, see UCC § 2-201(1) (1998); see also UCC § 1-206 (1998) (limited enforcement of unsigned, unwritten contracts for the sale of securities for $5,000 or more). See Restatement (Second) Of Contracts § 110 statutory note, at 284-85 (1982) (listing state statutes of frauds).

See Report of the National Conference of Commissioners on Uniform State Laws (NCCUSL), Uniform Electronic Transactions Act, Task Force on State Law Exclusions (September 21, 1998), http://www.webcom.com/legaled/ETAForum/docs/report4.html.

See, e.g., Department of Transportation v. Norris, 474 S.E.2d 216 (Ga. Ct. App. 1996), rev’d sub nom. Norris v. Georgia Dept of Transportation, 486 S.E.2d 826 (1997) (holding that a fax transmission was not a writing).

See Baker & McKenzie, Global E-Commerce Law website, http://www.bakernet.com/ecommerce (providing a regularly updated summary of ecommerce legislation).

E-SIGNS. 761, P.L. 106-229, 15 U.S.C. 7001 et. seq., effective October 1, 2000, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_bills&docid=f:s761enr.txt.pdf. E-SIGN preempts all inconsistent state legislation, other than state enactments of UETA in the form promulgated by NCCUSL.

UETA, approved by the NCCUSL on July 23, 1999, http://www.law.upenn.edu/bll/ulc/fnact99/1990s/ueta99.htm.

As of May 1, 2004, 45 states and the District of Columbia had enacted UETA. For an updated list of those states that have enacted UETA, see http://www.bakernet.com/ecommerce/uetacomp.htm and http://www.nccusl.org/nccusl/uniformact_factsheets/uniformacts-fs-ueta.asp.

Directive 1999/93/EC of 13 December 1999 on a Community Framework for Electronic Signatures (hereinafter Electronic Signature Directive), http://www.europa.eu.int/information_society/topics/ebusiness/ecommerce/8epolicy_elaw/law_ecommerce/legal/digital/index_en.htm.

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (hereinafter Electronic Commerce Directive), http://www.europa.eu.int/ISPO/ecommerce/legal/documents/2000_31ec/2000_31ec_en.pdf.

UNCITRAL was established by the General Assembly in 1966 (Resolution 2205 (XXI)) as the vehicle by which the United Nations could play an active role in reducing or removing disparities in national laws governing international trade that created obstacles to the flow of trade. Its general mandate is to further the progressive harmonization and unification of the law of international trade, and it has come to be the core legal body of the United Nations system in the field of international trade law. UNCITRAL is composed of 36 member states selected by the General Assembly so as to be representative of the world’s various geographic regions and its principal economic and legal systems. Further information, as well as a list of ongoing and completed projects, may be found at http://www.uncitral.org.

See United Nations, UNCITRAL Model Law on Electronic Commerce with Guide to Enactment 1996, http://www.uncitral.org/english/texts/electcom/ecommerceindex.htm.

See United Nations, UNCITRAL Model Law on Electronic Signatures 2001, http://www.uncitral.org/english/texts/electcom/ml-elecsig-e.pdf.

The term “transaction” is defined in the E-SIGN Act as “an action or set of actions relating to the conduct of business, consumer, or commercial affairs between two or more persons, including any of the following types of conduct: (A) the sale, lease, exchange, licensing, or other disposition of (i) personal property, including goods and intangibles, (ii) services, and (iii) any combination thereof; and (B) the sale, lease, exchange, or other disposition of any interest in real property, or any combination thereof.” E-SIGN, 15 U.S.C. § 7006(13). UETA defines “transaction” as “an action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.” UETA § 2(16).

E-SIGN, 15 U.S.C. § 7001(a); UETA § 7.

See Thomas J. Smedinghoff and Ruth Hill Bro, “Moving with Change: Electronic Signature Legislation as a Vehicle for Advancing E-Commerce,” The John Marshall Journal of Computer and Information Law, Vol. XVII, No. 3, Spring 1999, at 723, http://www.bmck.com/moveart.doc.

E-SIGN, 15 U.S.C. § 7001(a).

UETA § 7(a).

UETA §§ 7(c) and 7(d).

Electronic Signature Directive, Article 5(2).

This means, for example, that transactions governed by UCC Articles 3 (negotiable instruments), 4 (bank deposits and collections), 4A (funds transfers), 5 (letters of credit), 6 (bulk sales), 7 (warehouse receipts, bills of lading, and other documents of title), 8 (investment securities), and 9 (secured transactions, sales of accounts, and chattel paper) are not covered by either E-SIGN or UETA. Note, however, that some of these articles already include express provisions for electronic transactions (such as Article 4A and Article 9).

See E-SIGN, 15 U.S.C. § 7003, and UETA § 3(b) (listing exceptions).

E-SIGN 15 U.S.C. § 7001.

See Smedinghoff and Bro, supra note 22 (discussing the various approaches taken by state electronic signature legislation prior to the enactment of E-SIGN).

E-SIGN, 15 U.S.C. § 7002(a).

E-SIGN, 15 U.S.C. § 7002(a).

For an excellent discussion of this issue, see Robert A. Wittie and Jane K. Winn, “Electronic Records and Signatures Under the Federal E-SIGN Legislation and the UETA,” The Business Lawyer, Vol. 56, No. 1, November 2000, at 293.

There are, of course, other issues relating to trust, including the creditworthiness of the other party, confidence in the other party’s ability to perform, etc. However, these issues remain the same regardless of whether the transaction takes place via paper or electronically and are not addressed here. Here, we focus on trust as it relates to the authenticity and integrity of the electronic records that form the basis of the transaction. In many respects, this boils down to the question of whether the details of the transaction are ultimately provable and enforceable in a court of law.

E-SIGN, 15 U.S.C. § 7001(b)(2) (“This title does not… require any person to agree to use or accept electronic records or electronic signatures, other than a governmental agency with respect to a record other than a contract to which it is a party”); UETA § 5(a) (“This [Act] does not require a record or signature to be created, generated, sent, communicated, received, stored, or otherwise processed or used by electronic means or in electronic form”) and 5(c) (“A party that agrees to conduct a transaction by electronic means may refuse to conduct other transactions by electronic means. The right granted by this subsection may not be waived by agreement”).

This does not apply to government agencies. See E-SIGN, 15 U.S.C. § 7001(b)(2).

Of course, nothing prevents a business from announcing to its customers or trading partners that it will do business with them only via electronic transactions.

UETA § 5(b). E-SIGN also has consent provisions, but they are limited to a consent to receive records in electronic form in consumer transactions where a rule of law requires that information relating to the transaction be provided or made available to the consumer in writing. See E-SIGN, 15 U.S.C. § 700(c) (discussed below).

UETA § 5(b) and comment 3. Some state enactments of UETA (e.g., California) require such consent to be in electronic form.

E-SIGN, 15 U.S.C. § 7001(c). Examples might include laws requiring written disclosure of interest rate charges in consumer loan transactions, or laws requiring that consumers be provided with periodic written statements of account.

E-SIGN, 15 U.S.C. §§ 7001(c)(1)(A) and 7001(c)(l)(C)(ii). It is not clear from the statute whether this obligation to “reasonably demonstrate” ability to access the information is met if the consumer merely states in an electronic message that he or she can access the electronic records in the specified formats, or otherwise acknowledges or responds affirmatively to an electronic query that asks whether the consumer can access the electronic record. Read literally, the statute requires that the consumer consent in a manner that “reasonably demonstrates” that he or she can actually access the electronic record in the relevant format.

E-SIGN, 15 U.S.C. § 7001(c) (1)(B).

Electronic Commerce Directive, Article 10(1).

Electronic Commerce Directive, Articles 11(1) and 11(2).

It is for this reason, for example, that parties to a multipage contract will sometimes initial each page of the contract. In the electronic environment, certain types of signatures (e.g., cryptographically created digital signatures) can play an important role in verifying the integrity of the entire document.

UCC Article 1, § 1-201(39) (1999).

E-SIGN, 15 U.S.C. § 7006(5) and UETA § 2(8) (definitions of “electronic signature”).

Second, the requirement that the signature be “attached to or logically associated with” the record being signed requires that the parties to the electronic transaction implement an electronic record keeping process that, in the future, can provide evidence that a specific signature was applied to or used in connection with a specific document. The easiest way to do this is, of course, to have the signature incorporated as part of the electronic record that is stored. An alternative is to establish a demonstrably reliable and provable process whereby the signature (or evidence of the completion of a process) is stored separately from the electronic record being signed, but in a manner that will allow the two to be correlated in the event it is necessary for evidentiary purposes.

Thus, the signature needs to relate to a specific document and evidence the signer’s intent with respect to that document. The signer’s intent, as with any transaction, is determined by the contents of the document and/or other surrounding facts and circumstances.

See UETA §§ 2(8) and 7(d) and E-SIGN, 15 U.S.C. §§ 7001(a) and 7006(5). The European Union Electronic Signature Directive also uses a similar definition of an electronic signature. Under the Directive, an electronic signature must also possess three elements, namely that it (1) be data in electronic form, (2) be attached to or logically associated with other electronic data, and (3) serve as a method of authentication. Electronic Signature Directive, Article 2(1).

Shattuck v. Klotzbach, 2001 Mass. Super. LEXIS 642 (December 11, 2001).

Signature Dynamics involves measuring the way a person writes his or her signature by hand on a flat surface, measuring speed, pressure, angle, size, etc., and applying those measurements to a message.

By including the term “process” as part of the definition of an electronic signature, both E-SIGN and UETA make clear that the process of clicking a mouse can qualify as a signature if the other applicable requirements are also present. As noted in the Reporter’s notes to UETA, “this definition includes as an electronic signature the standard Webpage click-through process. For example, when a person orders goods or services through a vendor’s web site, the person will be required to provide information as part of a process that will result in receipt of the goods or services. When the customer ultimately gets to the last step and clicks the “I agree” button, the person has adopted the process and has done so with the intent to associate the person with all the record of that process.” UETA § 2, comment 7. It is not clear whether the process of clicking a mouse on an “I Accept” button will satisfy the definition of a signature in the EU Electronic Signature Directive, as such definition requires that the signature constitute “data in electronic form.” See EU Directive at Article 2(1).

In more technical terms, a digital signature is the sequence of bits that is created by running an electronic message through a one-way hash function to create a unique digest (or “fingerprint”) of the message and then using public key encryption to encrypt the resulting message digest with the sender’s private key. Public key cryptography employs an algorithm using two different but mathematically related cryptographic keys—one key for creating a digital signature or transforming data into a seemingly unintelligible form, and the other key for verifying a digital signature or returning the message to its original form. For an overview of this technology and the process by which digital signatures are created, see Information Security Committee, Electronic Commerce Division, ABA Section of Science & Technology Law, Digital Signature Guidelines, August 1996, available at http://www.abanet.org/scitech/ec/isc/dsgfree.html; Thomas J. Smedinghoff, ed., Online Law, chs. 3, 4, and 31 by Lorijean G. Olie (Addison-Wesley, 1996); Warwick Ford and Michael Baum, Secure Electronic Commerce (Prentice Hall, 1997).

E-SIGN, 15 U.S.C. § 7001(e).

UETA § 8(c).

Directive 2000/31/EC (Electronic Commerce Directive), Article 10(3).

Both E-SIGN and UETA make clear that this requirement does not extend to information whose sole purpose is to enable the contract or other record to be sent, communicated, or received. E-SIGN, 15 U.S.C. § 7001(d)(2); UETA § 12(b).

UETA § 12(a); E-SIGN, 15 U.S.C. §7001(d). E-SIGN requires that the stored electronic record remain accessible to all persons who are entitled to access by statute, regulation, or rule of law, for the period required by such statute, regulation, or rule of law, in a form that is capable of being accurately reproduced for later reference, whether by transmission, printing, or otherwise.

E-SIGN, 15 U.S.C. § 7001(d)(3); UETA § 12(d).

Portions of this section are adapted from Thomas J. Smedinghoff, ed., Online Law, chapter 3, by Lorijean G. Oei (Addison-Wesley, 1996).

“Daewoo Securities Hit by Online Trade Fraud,” Reuters News Agency, August 26, 2002, as reported on Yahoo at http://asia.tech.yahoo.com/020826/reuters/asia-122181-tech.html.

Of course, the requirement for such trust is a relative concept that varies from transaction to transaction, largely depending on how high the stakes are. For example, the level of trust required for an online merchant to ship $200,000 worth of tires is much higher than what is required for an online bookstore to ship a $20 book. The bookstore may not require a high level of trust in each transaction, especially where a credit card number is provided and the risk of loss from fraud (e.g., $20) is relatively low. On the other hand, shipping $200,000 worth of merchandise based on an electronic message may require a much higher level of trust. Likewise, a bank will require even greater assurances before it will make a multi-million-dollar funds transfer in real time based on an electronic message. At a minimum, the risk of a fraudulent message must be acceptable, given the nature and size of the transaction.

Commission of the European Communities, A European Initiative in Electronic Commerce, COM (97) 157 final (April 16, 1997), http://www.cordis.lu/esprit/src/ecomcom.htm.

See Fed. R. Evid. 901(a) (1995).

See UCC §§ 4A-202, 4A-203, & cmt. (1998). § 4A-202 solves this problem for a bank and its customer who has agreed to transact banking electronically and to be subject to Article 4A. If the bank verifies the payment order by using a commercially reasonable security procedure, the customer will be bound even if he or she did not in fact authorize the payment order. § 4A-202(b). If, however, the customer can prove that the person sending the fraudulent payment order did not obtain the information necessary to send such an order from an agent or a source controlled by the customer, the loss is shifted back to the bank. § 4A-203(a)(2). If the bank does not follow the security procedure and the order is fraudulent, the bank generally must cover the loss. § 4A-202(a).

See, e.g., U.S. v. Eisenberg, 807 F.2d 1446 (8th Cir. 1986) (disputing the authenticity of letter); U.S. v. Grande, 620 F.2d 1026 (4th Cir. 1980) (disputing authenticity of invoice), cert, denied, 449 U.S. 830, 919 (1980).

Some forms of electronic signature, such as a cryptographically created digital signature, if properly implemented, can provide strong authentication as to the source of the signature. Certain biometric techniques can also achieve a similar result.

The UNCITRAL Model Law on Electronic Signatures, for example, requires that a signature identify the signer and that it be “as reliable as was appropriate for the purpose” for which the message was generated or communicated. By including these elements in the definition of an electronic signature, this Model Law seeks to require a minimum level of security before such signature will be considered legally enforceable. UNCITRAL Model Law on Electronic Signatures, Article 2(a) and Article 6(1).

See, e.g., Victory Med. Hosp. v. Rice, 493 N.E.2d 117 (111. App. Ct. 1986).

See, e.g., regulations governing Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, August 14, 2002.

See, e.g., 1 Melvin F. Jager, Trade Secrets Law §§ 3.04[6],[7], 5.05[2] (1995).

See, e.g., Cal. Evid. Code §§ 950 et seq. (1995); American Bar Association, Model Rules of Professional Conduct, Rule 1.6 (1992).

See Information Security Committee, Electronic Commerce Division, ABA Section of Science & Technology Law, Digital Signature Guidelines, August 1996, http://www.abanet.org/scitech/ec/isc/dsgfree.html. One definition of nonrepudiation is “[s]trong and substantial evidence of the identity of the signer of a message and of message integrity, sufficient to prevent a party from successfully denying the origin, submission or delivery of the message and the integrity of its contents.” Id. at § 1.20.

See generally, John Browning, “Follow the Money—A New Stock Market Arises on the Internet,” SCI. AM. 31 (July 1995) and “Daewoo Securities Hit by Online Trade Fraud,” Reuters News Agency, August 26, 2002, as reported on Yahoo at http://asia.tech.yahoo.com/020826/reuters/asia-122181-tech.html.

A security procedure is a procedure employed for the purpose of verifying that an electronic signature, record, or performance is that of a specific person or for detecting changes or errors in the information in an electronic record. UETA § 2(14) and UCC Article 4A§ 201.

See generally, Warick Ford and Michael Baum, Secure Electronic Commerce (Prentice Hall, 1997).

See Fed. R. Evid. 901(b)(9) (1995).

See UCC Art. 4A, Funds Transfers (1989). Article 4A has since been adopted in all 50 states.

UCC Art. 4A, Prefatory Note (1990).

UCC § 4A-203, Official Comment.

Several states enacted electronic signature statutes that adopted security requirements from a decision of the U.S. Comptroller General. See U.S. Comptroller General, Matter of National Institute of Standards and Technology—Use of Electronic Data Interchange Technology to Create Valid Obligations, 71 Comp. Gen. 109 (1991), (December 13, 1991). Under those statutes an electronic signature is legally effective as a signature only if it is (1) unique to the person using it; (2) capable of verification; (3) under the sole control of the person using it; and (4) linked to the data in such a manner that if the data are changed, the signature is invalidated. This approach requires attributes of security as a precondition to the validity of the signature itself, something not required for paper-based signatures.

Electronic signatures, like traditional signatures of ink on paper, come in varying degrees of security. A handwritten signature, for example, is more trustworthy than an “X,” and a notarized signature is more trustworthy than both. Just as the law provides certain benefits to the more trustworthy forms (see, e.g., Fed. R. Evid. 901(a) (1995) (confirming that notarized signatures are considered self authenticating), these electronic signature statutes seek to define the characteristics required for a trustworthy (or secure) signature.

5 111. Comp. Stat. 175/10-110 (1998). This Act also defines a class of secure electronic records. Id. at 175/10-110. See generally, Illinois Commission on Electronic Commerce and Crime, Final Report of the Commission on Electronic Commerce and Crime (May 26, 1998), http://www.bakernet.com/ecommerce/cecc-fin.doc.

5 111. Comp. Stat. 175/10-120.

Electronic Signature Directive, Article 5(1).

See Minn. Stat Ann. § 325K.20 (West 1998); Mo. Ann. Stat. § 28.677 (West 1998); Utah Code Ann. § 46-3-101 (1998); Wash. Rev. Code § 19/34/900 (West 1998).

See, e.g., Minn. Stat Ann § 325K.20 (West 1998); Mo. Ann. Stat. § 28.677 (West 1998); Utah Code Ann. § 46-3-101 (1998); Wash. Rev. Code § 19/34/100 (West 1998). The digital signature legislation enacted in Germany, Italy, and Malaysia contains a similar approach.

See, e.g., Utah Code Ann. § 406(3). The Utah Digital Signature Act provides that if a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority, then a court of the State of Utah “shall presume that” (a) the digital signature is the digital signature of the subscriber listed in that certificate, and (b) the digital signature was affixed by that subscriber with the intention of signing the message. Id.

Bomen Inc., Comp Gen B-234652, May 17, 1989, 3 CGEN (CCH) 103, 198 (1989) (23-page fax started, but not completed, before the deadline).

UETA § 15(3).

UETA §§ 15(a)(1) and 15(a)(2).

UETA § 15(b).

UETA § 15(d).

UETA § 15(d).

UCC 2-204.

E-SIGN § 101(a)(2).

UETA § 7(b).

UNCITRAL Model Law on Electronic Commerce, Article 11(1).

Of course, there can be questions about the reliability of electronic communications, which may make it more difficult to introduce evidence in court.

UCC 2-206(1)(a).

It is well established that an acceptance may properly be sent by the same means as the offer, unless the offer says otherwise. See Restatement (Second) of Contracts § 65.

See, e.g., Market Development Corp. v. Flame-Glo Ltd., 1990 WL 116319 (E.D. Pa. August 8, 1990) (a mailed offer may be accepted by fax).

UETA § 15(b)(1).

State Farm Mutual Auto. Ins. Co v. Brockhurst, 453 F.2d 533 (10th Cir. 1972).

Corinthian Pharmaceutical Systems v. Lederle Labs, 724 F. Supp. 605 (S.D. Ind. 1989) (the seller’s other correspondence stated that orders were not effective until accepted by the seller).

An EDI “functional acknowledgment” confirms that the message was functionally complete, that is, all fields in the form were completed with recognizable codes. It does not reflect acceptance of the substantive terms.

UETA § 15(f).

See E-SIGN § 106(3); UETA § (2)(6).

E-SIGN § 101(h).

UETA § 14(1).

UETA § 14(2).

UETA § 10(1).

UETA § 10(2).

E-SIGN § 101(g); UETA § 11.

UETA § 5(d).

For example, UETA § 5(c) provides that “a party that agrees to conduct a transaction by electronic means may refuse to conduct other transactions by electronic means. The right granted by this subsection may not be waived by agreement.”

For example, the courts have approved stipulations that have waived hearsay objections (Sac and Fox Indians of Mississippi in Oklahoma, 220 U.S. 481, 488-489 (1911)), have held that stipulations as to the admissibility of documents preclude subsequent objections as to authenticity (Tupman Thurlow Co. v. S.S. Cap Castillo, 490 F.2d 302, 309 (2nd Cir. 1974); United States v. Wing, 450 F.2d 806, 911 (9th Cir. 1971)), and have held that a stipulation as to admissibility precludes a hearsay objection at trial (United States v. Bonnet, 877 F.2d 1450, 1458-1459 (10th Cir. 1989)). Courts also have approved stipulations to waive the best evidence rule (Finch, Van Slyk & McConville v. Le Sueur County Co-op Co., 128 Minn. 73, 150 N.W. 226 (1914); Skibsaktieselskapet Bestum III v. Duke, 131 Wash. 467, 230 P. 650 (1924)), or to waive the qualifications of an expert witness (Brinck v. Bradbury, 179 Cal. 376, 176 P. 690 (1919)).

United States v. Mezzanatto, 513 U.S. 196, 115 S. Ct. 797, 803 (1995), citing 21 C. Wright & K. Graham, Federal Practice and Procedure § 5039, 207-208 (1977).

Id. at 803.

Cronkv. State, 420 N.Y. S.2d 113 (N.Y. Ct. CI. 1979).

Oleg Cassini, Inc., v. Couture Coordinates, Inc., 297 F. Supp. 821, 833 (S.D.N.Y. 1969).

Transamerica Insurance Co. v. Bloomfield, 55 Or. App. 31, 637 P.2d 176, 180 (1981).

See Williston on Contracts (4th ed.), Vol. 7, § 15.13, 274-75 (Lawyers Cooperative Pub., 1997).

    Other Resources Citing This Publication