Electronic Transactions and Pennsylvania Law
by Leonard A. Bernstein and Gary L. Kaplan
Fall 2000, Vol. 63, No. 3
On June 30, 2000, President Clinton signed the Electronic Signatures in Global and National Commerce Act (the E-Signatures Act), which generally becomes effective on October 1, 2000 and provides a national framework for authorizing electronic transactions and records.
The new act provides a structure that plainly encourages electronic commerce and paperless record keeping, yet it intentionally leaves open critical details that must be addressed in any move from paper to electronic transactions. In addition, implementation of the Electronic Signatures Act will depend, in part, on state law, as the act provides for preemption of state law in some instances, but not others.
Pennsylvania enacted a slightly modified version of the Uniform Electronic Transactions Act (UETA) last year, so the effects of the new federal law on transactions in the state are somewhat murky. Fortunately, Pennsylvania law is generally consistent with the E-Signatures Act and, therefore, efforts to implement new technology are unlikely to be constrained by legal uncertainties.
In this article, we will summarize key provisions of the Electronic Signatures Act and discuss the limitations of the act that must be considered when undertaking electronic initiatives, as well as the unique issues raised by Pennsylvania's enactment of a modified version of the UETA.
The E-Signatures Act
At the heart of the E-Signatures Act is its pronouncement that a signature, contract or other record may not be denied legal effect because it is in electronic form. For example, a party to a contract may not avoid his or her obligations simply because the contract was executed electronically rather than in writing. (We will discuss how the act itself does not assure enforcement of the signature either.)
Although not addressing all issues that may affect enforceability of an electronic record, the E-Signatures Act establishes a necessary condition for enforcement. Specifically, it provides that if a law requires retention of a record or contract, that standard is met if the information is retained electronically in a form that accurately reflects the information set forth in the contract or record and remains accessible in a form that can be reproduced accurately by all persons entitled to access.
While setting forth general standards for electronic transactions, the E-Signatures Act, like many state laws and other regulations, requires special protections for transactions involving consumers. The act provides that whenever a law or regulation requires a written disclosure to consumers, that specification will be met only if four conditions are satisfied.
First, the consumer must have affirmatively consented to the use of electronic communication (and not withdrawn such consent). Presumably, state and federal regulators will elaborate on the meaning of affirmative consent.
Second, prior to consenting, the customer must receive a clear and conspicuous statement that:
- informs the consumer of a right to have the record provided on paper and the right to withdraw consent to the use of electronic records (together with any conditions or fees related to withdrawal of consent);
- informs the consumer of whether the consent applies only to a particular transaction or to records that may be provided during the course of the parties' relationship;
- describes the procedures for withdrawing consent and updating contact information; and
- informs the consumer how to obtain a copy of the electronic record and whether any fee may be charged.
Third, prior to consenting, the customer must be provided with a statement of the hardware and software required for accessing and retaining the electronic record. And finally, the consumer must consent electronically, or confirm his or her consent electronically, in a manner that demonstrates the consumer's ability to access the electronic information.
In addition to its own consumer protections, the Electronic Signatures Act addresses consumer protection laws that require verification or acknowledgment that the consumer has received a required disclosure. The act provides that such information may be provided electronically "only if the method used provides verification or acknowledgment of receipt." Presumably, this means that such a disclosure should automatically trigger an opportunity for delivery of the consumer's electronic signature in return.
In addition to general standards applicable to electronic transactions and records, and protections for consumers, the E-Signatures Act addresses transactions that raise special issues or that are excluded from the act. For example, the act provides that if a law requires a contract or document to be retained in original form, an electronic record will suffice if the electronic record accurately reflects the original and can be "accurately reproduced for later reference or otherwise." Likewise, the act states that a law requiring retention of a check will be satisfied if the electronic record meets the above criterion for the information on the front and back of the check.
Like state electronic commerce laws enacted prior to the E-Signatures Act, the new law excludes certain traditional and sensitive transactions that, therefore, may continue to require written signatures and paper records. The act will not apply to:
- Laws and records involving adoption, divorce and other matters of family law;
- Article 9 (relating to secured transactions) and other specified sections of the Uniform Commercial Code;
- Court orders or official court documents;
- Default and acceleration notices regarding an individual's primary residence;
- Notices of product recalls related to health or safety; and
- Documents relating to the transportation of hazardous materials.
It should be noted that exclusion from the E-Signatures Act does not mean the referenced transactions can never be completed electronically, only that the act will not trump current laws requiring a writing in these areas.
Limitations of the Act
The new law neither entirely eliminates risks related to e-signatures and electronic documents, nor ensures their enforceability. Instead, the E-Signatures Act simply provides the opportunity for businesses and government to adopt technologies and procedures that themselves provide necessary assurances of attribution, non-repudiation, data integrity and reliability.
The limitations of the act require elaboration. Suppose Bank A and Bank B electronically exchange a contract that is purportedly executed in the body of the contract itself. (In other words, each bank executes the contract by typing in a signature.) Although the E-Signatures Act does not prohibit enforcement of these "electronic signatures," it likewise says nothing about their enforceability. In fact, such simplified electronic signatures are unlikely to withstand legal challenge, because they lack any necessary safeguards.
In the hypothetical, for example, no safeguards assure:
- Data Integrity: How do Banks A and B know that they have signed the same contract?
- Attribution: How do Banks A and B know that the other party, as opposed to a third party, actually signed the contract?
- Non-repudiation: How could Bank A or B disprove a false assertion that the other party never executed the contract?
- Reliability: How can Bank A or B prove that neither side has altered the contract subsequent to its execution?
Fortunately, technology has been developed (and is continuing to be developed) that would allow both parties (and the courts) reasonably to rely on each other's electronic signature. Currently, the most commonly used technology is a public key infrastructure (PKI) that allows for the creation of what are generally referred to as digital signatures. A common form of digital signature uses cryptography based upon two different (or asymmetric) keys (where one key can encrypt a message and the other can decrypt the message, but neither key can do both) and a hash function, which translates a long document into a short alphanumeric code of a specified length. Together, the keys and the hash function provide safeguards for electronic signatures:
- The signer uses the hash function to create a unique identifier for the document (the signature).
- The signer uses his or her key to encrypt the identifier and the related document.
- The receiver uses his or her key to decrypt the identifier and the related document. This assures that the document was sent by the party with the encryption key.
- The receiver uses the same hash function as on the document to create a matching identifier. (By comparing the output of the hash function on the received document with the decrypted identifier, the recipient can be certain that the document they have received is the same as the signed document.)
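The hash-and-key check described above, applied to the Bank A and Bank B hypothetical, as an added example that is not part of the original article. It assumes RSA-2048 with SHA-256 and PKCS#1 v1.5 signatures from Go's standard library, where the signer's private key produces the signature and the signer's public key verifies it; the keys are generated in-process and the contract text is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the contract (SHA-256) and signs the digest with the private key.
func Sign(priv *rsa.PrivateKey, contract []byte) ([]byte, error) {
	digest := sha256.Sum256(contract)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify re-hashes the received contract and checks it against the signature.
func Verify(pub *rsa.PublicKey, contract, sig []byte) bool {
	digest := sha256.Sum256(contract)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo runs three checks on a constructed contract between Bank A and Bank B.
func Demo() (genuine, altered, wrongSigner bool, err error) {
	bankA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	thirdParty, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	contract := []byte("Bank A lends Bank B $1,000,000 at 6% for 5 years.") // constructed sample
	tampered := []byte("Bank A lends Bank B $9,000,000 at 6% for 5 years.")
	sigA, err := Sign(bankA, contract)
	if err != nil {
		return
	}
	sigX, err := Sign(thirdParty, contract)
	if err != nil {
		return
	}
	genuine = Verify(&bankA.PublicKey, contract, sigA)     // attribution holds
	altered = Verify(&bankA.PublicKey, tampered, sigA)     // integrity check fails
	wrongSigner = Verify(&bankA.PublicKey, contract, sigX) // not Bank A's key
	return
}

func main() { fmt.Println(Demo()) }
```

Only the first check succeeds: a one-character change to the contract or a signature made with any other key is rejected when verified against Bank A's public key.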
An additional level of protection can be provided to electronic documents through the use of digital certificates that attempt to assure that the senders and/or receivers of electronic materials are who they purport to be. (Certificates are based on a process of registering keys with a third-party agency.)
In adopting legislation that allows for electronic signatures, but that does not specify the use of particular safeguards or technology, the act will allow for the continued development and improvement of e-commerce mechanisms. However, the failure to adopt specific requirements or presumption of reliability implies that efforts to rely exclusively on electronic signatures or documents will not be without risk, at least until there is a greater body of case law addressing their enforceability.
Preemption and State Law
Perhaps the most confusing issues raised by the E-Signatures Act relate to its interaction with state law. Section 102 of the act provides that it will preempt state law, unless the state law either enacts the Uniform Electronic Transactions Act without modification or addresses electronic signatures in a manner consistent with the Electronic Signatures Act and does not favor any specific technology over others.
Pennsylvania falls squarely in the gray area of preemption contemplated by the Electronic Signatures Act.
In December 1999, Pennsylvania enacted the Pennsylvania Uniform Electronics Act, which adopts UETA with a few notable changes. Fortunately, as we will show, the main changes from the model seem largely consistent with the E-Signatures Act, which may minimize confusion in implementing the two laws. In any event, the safest course will be for businesses and individuals to cover their bases, to the extent possible, under both federal and state law requirements.
The interplay between the Electronic Signatures Act and Pennsylvania's UETA depends on the differences between the two laws as written by the National Conferences of Commissioners on Uniform State Law (NCCUSL) and whether those differences conflict with the E-Signatures Act.[1]
The two main differences between Pennsylvania's UETA and the model law relate to the burden of proof in business-to-business transactions and consumer transactions.
With respect to business-to-business transactions, the Pennsylvania law provides that businesses must agree upon a specific protocol or security procedure at the outset of their transaction and places the burden of proof thereafter on the party seeking to invalidate the transaction. By contrast, the model law would require the party seeking to affirm the transaction to bear the burden of proof.
With respect to consumer transactions, Pennsylvania law, in contrast to the model, adds protection for consumers to guard against their exploitation by subtle devices. For example, the Pennsylvania law, like the Electronic Signatures Act, requires specific consumer consent to electronic transactions and may require assurance that electronic communications with consumers can be received. (Actually, the Pennsylvania law is written in the negative. It provides that a consumer transaction is void if a party knows that an attempted electronic communication was unsuccessful.)
Although it is impossible to predict all instances in which the Electronic Signatures Act and Pennsylvania law will disagree, a review of their main differences (and the differences between Pennsylvania law and UETA) suggests that the laws will largely complement each other, rather than conflict. Compliance efforts should therefore consider both sets of laws, as well as other potential sources of e-commerce regulation, such as FTC rules, Gramm-Leach-Bliley Regulations, and regulations under the Health Information Portability and Accountability Act.
Most importantly, Pennsylvania's UETA is technologically neutral and, therefore, does not preemptively conflict with the E-Signatures Act. Because the E-Signatures Act does not address the burdens of proof on parties to an electronic contract, Pennsylvania's rule will likely apply to covered transactions.[2] Finally, Pennsylvania's consumer protection rules do not contradict the new federal rules and, therefore, it is reasonable to expect both sets of rules to apply.
The E-Signatures Act continues, rather than completes, the law's efforts to reflect and accommodate advances in technology.
As the law continues to evolve, businesses and individuals would be well advised to acknowledge their own responsibility to assure that their electronic transactions are secure and susceptible to proof of reliability, integrity and clarity.
[1] It could be argued that the enactment of exceptions to UETA renders the entire Pennsylvania act null due to preemption. Alternatively, it could be argued that any exceptions to UETA are void, regardless of their consistency with the act. The alternative reading, however, would seem incompatible with Section 102(a)(4) of the act, which expressly allows for section-by-section review of state law efforts to limit applicability of UETA in connection with certain areas of state law, as well as the act's recognition that some variation in state law is permissible.
[2] It should be noted that Pennsylvania's UETA, like the model law, addressed several issues that are not addressed in the Electronic Signatures Act. For example, UETA (both Pennsylvania and the model law) specifically requires proof of attribution of an electronic signature, i.e., proof that the signature belongs to the person it purports to represent. The E-Signatures Act is silent on this issue.