May 13, 1998 98-R-0701
FROM: Mary M. Janicki, Principal Analyst
RE: Electronic and Digital Signature Laws
You asked for information on laws in other states on electronic and digital signatures.
In “electronic commerce” there are two categories of signatures—electronic signatures and digital signatures. An electronic signature can be any form of electronic mark on a message or document. It is defined as any letters, characters, or symbols manifested by electronic or similar means and executed to authenticate a document. Digital signatures are a subset of electronic signatures and use asymmetric cryptography to create the signer's mark. They are considered to be secure because they use encryption to create a singular signature for each individual.
The General Assembly just enacted a provision to include electronic signatures as signatures under the state's corporation laws. Elsewhere, Connecticut law includes only one reference to electronic signatures (in connection with computer-based patient records) and none to digital signatures. Although authorized, the Department of Health Services has not yet issued the necessary regulations on using electronic signatures for medical records.
Many state legislatures have made efforts to adapt new technology to those laws regulating commerce and dealing with fraud. In light of their increased use and technological advances in the field of electronic commerce, the law and courts have begun to recognize computer-generated signatures and give them the same weight accorded handwritten signatures. Utah's Digital Signature Act of 1995 was the first. While federal legislation has been proposed, none has passed. In the meantime, many states have enacted laws regulating the use of electronic or digital signatures and many others have considered such legislation. State laws usually address one type of signature but not both. And they vary with respect to the types of transactions that are covered, from those that apply to all communications to others that only affect tax returns or inter-state agency documents.
The legal issue associated with electronic or digital signatures is whether they are a legally acceptable form of signature under a state's statute of frauds. Another issue is whether a standard form of digital signature will emerge under federal and state laws. The level of detail in the law is a question that states choosing to enact statutes need to address, as well as whether they want to delegate to a state agency the authority to regulate electronic commerce.
WHAT THEY ARE
The purpose of electronic or digital signatures is to guarantee a level of validity, authenticity, and security in electronic or computerized commerce not conducted in person. The more general term “electronic signature” is defined as any letters, characters, or symbols manifested by electronic or similar means and executed or adopted by a party with intent to authenticate a writing.
A digital signature is an electronic encoded message containing a unique alphanumerical notation. It resembles a cryptic series of letters, numbers, and symbols, produced by a mathematical formula. A “key pair,” a private and public key, is used to scramble a message then unscramble or decrypt the information. Each digital signature is unique and can be linked back to the sender by using the appropriate public key. It assures each party that the other party is who they say they are and that the received message is valid and unchanged. A digital signature is used to “sign” electronic documents to verify authenticity electronically, which is more reliable than traditional signatures.
Connecticut law does not refer to digital signatures. The only reference to electronic signatures is contained in CGS 19a-25a, which was enacted in 1993 (PA 93-317). It requires the Department of Health Services (DOHS) commissioner to adopt regulations, if deemed necessary, on the use of electronic signatures for medical records kept in licensed hospitals. Electronic signatures are used in the production of computer-based patient records. DOHS has not yet adopted the regulations.
Until the regulations are adopted, hospitals must submit any current or proposed protocol on electronic signature use for medical records to DOHS for approval. The protocol must address patient confidentiality and record security.
PA 97-137, An Act Concerning Corporations and Other Business Organizations, the Assignment of Lottery Winnings and the Statute of Limitations on Actions Against Land Surveyors, defines the terms “sign” or “signature” as they appear in various sections of the corporation laws to include an electronic signature. The act becomes effective July 1, 1998.
Approximately 20 states have already enacted laws covering electronic or digital signatures, while another 20 are considering legislation or have established task forces, commissions, or study groups to evaluate the issue before recommending legislation. Utah was the first to authorize commercial use of digital signatures when it passed the Utah Digital Signature Act in 1995. The model law governs the use of the public-private key pair encryption and certification authorities. It creates, apportions, and limits liability of the certification authority and the key holders to the parties who rely on the certification of authority. It provides that a digital signature that satisfies the requirements of the statute will also satisfy any rule of law requiring a written signature. The State of Washington also has such a comprehensive law that establishes provisions for certifying, validating, and relying on digital signatures.
Typically, state laws address either electronic signatures (23 states) or digital signatures (15 states), but not both. Also, states differ on the question of what constitutes an electronic signature; some include any “mark” made with the intent to authenticate while others specify characteristics that make such a signature acceptable. With respect to digital signatures, legislation (1) provides that a state agency (usually the secretary of state) must issue regulations governing their implementation and use and (2) governs license certification authority, the neutral third party that links the public and private keys necessary for a digital signature.
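The following sketch is an added illustration, not part of the original report or of any statute it describes. It shows the two mechanisms the report refers to: a signer's private key producing a signature that anyone can check with the public key, and a certification authority vouching for which public key belongs to which name. It uses textbook RSA over published Mersenne primes, which is not secure, and all names, messages, and function names are constructed for the example.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(a, b):
    """Toy RSA key built from the Mersenne primes 2**a-1 and 2**b-1.
    Constructed for illustration only; published primes give no security."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    # SHA-256 of the message as an integer (no padding scheme: textbook RSA).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    # Only the holder of the private exponent d can produce this value.
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    # Anyone holding the public modulus n can check the signature.
    return pow(sig, E, n) == digest(data, n)

def issue_certificate(ca_key, name, subject_n):
    # The certification authority signs the binding "name owns this public key".
    body = f"{name}|{subject_n}".encode()
    return {"name": name, "n": subject_n, "ca_sig": sign(ca_key, body)}

def check_signed_message(ca_n, cert, data, sig):
    # Relying party: check the CA's signature first, then the signer's.
    body = f"{cert['name']}|{cert['n']}".encode()
    if not verify(ca_n, body, cert["ca_sig"]):
        return "certificate rejected"
    if not verify(cert["n"], data, sig):
        return "signature invalid"
    return "valid, signed by " + cert["name"]

if __name__ == "__main__":
    ca, alice, mallory = make_key(521, 607), make_key(1279, 2203), make_key(607, 1279)
    cert = issue_certificate(ca, "Alice Example", alice["n"])
    msg = b"I agree to pay $100"
    sig = sign(alice, msg)
    print(check_signed_message(ca["n"], cert, msg, sig))
    print(check_signed_message(ca["n"], cert, b"I agree to pay $900", sig))
    forged = issue_certificate(mallory, "Alice Example", mallory["n"])
    print(check_signed_message(ca["n"], forged, msg, sign(mallory, msg)))
```

The three checks show why the certification authority matters to a relying party: an altered message fails against the signer's key, and a self-issued certificate claiming the same name fails against the authority's key.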
The scope of electronic and digital signature legislation varies from those laws that cover all public and private communications to others that are limited to communications between state agencies or those that relate to notaries public, financial institutions, campaign finance statements, motor vehicles, or tax returns.
The details of other states' laws are enclosed in the attachments which come from the Internet site of McBride Baker & Coles, a Chicago law firm focusing on electronic commerce (http://www.mbc.com).
The growth of on-line and Internet usage, particularly in the banking industry, has prompted interest in the development of legal standards and protections to enforce electronic agreements and transactions. Congress has not yet passed any federal laws governing digital signatures, although several bills have been introduced. The National Conference of Commissioners on Uniform State Law has established a drafting committee on electronic contracting to draft a uniform statute relating to the use of electronic communications and records in contractual transactions. There is an interest in creating a uniform law to cover interstate banking and commerce.
However, in the absence of a federal law, many states have passed or are considering different forms of digital signature legislation. They vary from the Utah act, which provides for the detailed establishment and operation of a digital signature system, to the law in California, which delegates broad authority to a government agency to devise rules for electronic authentication.
The basic question related to digital signature usage is whether it constitutes a legally acceptable form of signature under a state's statute of frauds. Legal recognition as a valid “signature” is critical. In addition, variations in the definition of “digital signature” in laws among the states create differences in what is deemed legally acceptable from state to state. The more forward-looking state legislatures avoid drafting statutes that may become technologically obsolete by broadly defining terms and listing the criteria for an acceptable digital signature.