Legal issues in documenting: e-commerce transactions. (Cover Story).While electronic commerce offers speed, convenience, and cost advantages over traditional paper-based transactions, it raises many business and legal issues. One of the most complex is transaction documentation. A discussion of legal issues in documenting e-commerce e-commerce, commerce conducted over the Internet, most often via the World Wide Web. E-commerce can apply to purchases made through the Web or to business-to-business activities such as inventory transfers. transactions begins with basic questions, such as what constitutes adequate business records of an e-commerce transactions? Moreover -- since records are not kept just for business purposes -- what constitutes legally adequate records of e-commerce transactions? Broadly speaking Adv. 1. broadly speaking - without regard to specific details or exceptions; "he interprets the law broadly" broadly, generally, loosely , concerns around documenting e-commerce transactions fall into two categories: creating and capturing adequate records, and maintaining adequate records over time. Electronic commerce programs focus on facilitating transactions, not on creating legally adequate records, and records managers therefore may not have been consulted in decisions about what e-commerce software to deploy. Ideally, however, records managers should be involved in planning, designing, and implementing e-commerce processes; selecting and implementing the software; and training users on how and when to use it for records management purposes. Records mangers can help to ensure that the undertaking does not increase the company's risk. Companies that fail to maintain proper electronic records may be in the mainstream now, but in five years they likely will be in trouble -- embroiled em·broil tr.v. em·broiled, em·broil·ing, em·broils 1. To involve in argument, contention, or hostile actions: "Avoid . . . in litigation An action brought in court to enforce a particular right. The act or process of bringing a lawsuit in and of itself; a judicial contest; any dispute. When a person begins a civil lawsuit, the person enters into a process called litigation. , enduring expensive regulatory examination, or bedeviled by fraud. It is far better to build records management into e-commerce from the beginning than to attempt to retrofit ret·ro·fit v. ret·ro·fit·ted or ret·ro·fit, ret·ro·fit·ting, ret·ro·fits v.tr. 1. To provide (a jet, automobile, computer, or factory, for example) with parts, devices, or equipment not in it later when opposing counsel, regulators, or auditors begin to ask hard questions about the evidence establishing who did what, when, and who owes whom. Creating and Capturing a Legally Adequate Record In evaluating the software's ability to create and capture legally adequate records, records managers will want the answer to these questions: * What data must be created and captured to show what the participants did? * Is the process designed to create and capture that data? If not, how can we modify it to do so? * What metadata (1) (meta-data) Data that describes other data. The term may refer to detailed compilations such as data dictionaries and repositories that provide a substantial amount of information about each data element. is sufficient to support and validate To prove something to be sound or logical. Also to certify conformance to a standard. Contrast with "verify," which means to prove something to be correct. For example, data entry validity checking determines whether the data make sense (numbers fall within a range, numeric data each transaction? To validate the system? * Is such metadata also captured and stored? Is it stored separately or as part of transaction records? * How are the content and metadata that make up the complete record linked and verified ver·i·fy tr.v. ver·i·fied, ver·i·fy·ing, ver·i·fies 1. To prove the truth of by presentation of evidence or testimony; substantiate. 2. ? * Where will transaction records reside? How will they be secured? How will they be retrieved? Authenticating Transactions Authenticating transactions is an important and difficult facet facet /fac·et/ (fas´it) a small plane surface on a hard body, as on a bone. fac·et n. 1. A small smooth area on a bone or other firm structure. 2. of creating and capturing legally adequate records. The price tag for failure can be immense. Meridien Research estimates the cost of online credit card fraud Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. -- including consumers falsely claiming they never ordered items -- to be $9 billion in 2001. Authentication (1) Verifying the integrity of a transmitted message. See message integrity, e-mail authentication and MAC. (2) Verifying the identity of a user logging into a network. has two aspects: participant verification and transaction content verification. Authenticating Participants Currently there are many technological options but no standard method of authenticating the participants in an electronic transaction. The Electronic Signatures in Global and National Commerce Act The Electronic Signatures in Global and National Commerce Act (ESIGN, Pub.L. 106-229, 14 Stat. 464, enacted 2000-06-30, ) is a United States federal law passed by the U.S. (ESIGN ESIGN Electronic Signatures in Global and National Commerce Act ), which was intended to facilitate electronic commerce, removes legal barriers to recognizing electronically authenticated au·then·ti·cate tr.v. au·then·ti·cat·ed, au·then·ti·cat·ing, au·then·ti·cates To establish the authenticity of; prove genuine: a specialist who authenticated the antique samovar. (or signed) transactions as valid. It does not prescribe pre·scribe v. To give directions, either orally or in writing, for the preparation and administration of a remedy to be used in the treatment of a disease. any technique for authenticating the parties to an e-commerce transaction and has produced mass confusion about which authentication techniques might be acceptable in a given situation. Fortunately for the profession, records managers are unlikely to bear legal responsibility for choosing the "wrong" technique. Still, whatever technology is adopted, records managers must find a way to capture adequate records of party authentication. Capturing party authentication data may be quite straightforward. For instance, two parties with an established course of business may simply type their names at the bottom of an e-mail and assume it to be sufficient authentication. (1) If the parties rely solely on e-mail, any procedure that captures the entire e-mail suffices to capture the party-authentication data (the name typed into the e-mail). More commonly, parties to lower-value transactions are authenticated using the "password-and-PIN" method: a combination of a password to access a system and a Personal Identification Number to authorize To empower another with the legal right to perform an action. The Constitution authorizes Congress to regulate interstate commerce. authorize v. to officially empower someone to act. (See: authority) a transaction. Companies may adopt this approach without assessing the risk involved -- in other words Adv. 1. in other words - otherwise stated; "in other words, we are broke" put differently , they assume that a transaction executed in the system was generated by its apparent source (i.e., the password and PIN's authorized user authorized user Radiation physics A person who, having satisfied the applicable training and experience requirements, is granted authority to order radioactive material and accepts responsibility for its safe receipt, storage, use, transfer and disposal ) -- without a legally adequate record to prove it. Suppose the company wants to challenge someone for executing fraudulent The description of a willful act commenced with the Specific Intent to deceive or cheat, in order to cause some financial detriment to another and to engender personal financial gain. commercial transactions through its Web site. An important piece of information is missing if the company's ordinary business records for this transaction type do not include a record of password and PIN having been used. The company therefore cannot easily demonstrate why the suspected unauthenticated transactions differ from all authenticated transactions -- at least not by using its customary transaction records. Authenticating Transaction Content Records managers have two basic options for authenticating transaction content (i.e., what the parties actually agreed to in e-commerce transactions). One relies on technology alone; the other combines technology with an additional process safeguard. The technology-only approach uses Secure Socket Layer (SSL (Secure Sockets Layer) The leading security protocol on the Internet. Developed by Netscape, SSL is widely used to do two things: to validate the identity of a Web site and to create an encrypted connection for sending credit card and other personal data. ) or a similar method for securing data during transmission. The system mathematically hashes the material of the transaction before and after transmission to ensure that the data as originated matches the data as received. The other approach, combining technological authentication with a business process safeguard, is becoming increasingly common. Companies add a confirmation step to the technology approach described above -- perhaps sending an e-mail or follow-up fax to the buyer to confirm the transaction's substance. These two approaches result in different records of transactions. Ideally, the technology-only approach should retain the mathematical hash verification as part of the transaction metadata. The hash mechanism should be prevalent enough and the process understood well enough that the company can duplicate DUPLICATE. The double of anything. 2. It is usually applied to agreements, letters, receipts, and the like, when two originals are made of either of them. Each copy has the same effect. them in the future if necessary. By contrast, the technology-plus-process approach ideally results in a single record containing all the material related to both the transaction and the follow-up process. The transaction's record, therefore, would contain party authentication evidence, transaction content, the content's technological verification, follow-up process materials (if written), and all relevant metadata. If it is not feasible to retain the transaction record with the follow-up process record, there must be a reliable method of cross-referencing the two. Authenticating Signatures Who would accept paper purchase orders without signatures on the forms? While e-commerce should not be subject to more burdens than paper commerce, requiring a "signature" -- in this instance, an authentication -- is a basic standard for a business document that authorizes or approves business activity. Electronic signatures, therefore, form a critical part of electronic commerce. In the paper world, however, a signature does not appear or disappear over the record's life, so electronic signatures present new issues for both lawyers and records managers. The complexity of documenting electronic commerce increases in proportion to the complexity of the signature method used. The most intricate is the digital signature (see sidebar (1) A Windows Vista desktop panel that holds mini applications (gadgets) such as a calendar, calculator, stock ticker and Vonage phone dialer. It is the Windows counterpart to the Dashboard in the Mac. See Windows Vista and gadget. , Electronic Signatures vs. Digital Signatures). Digital signatures illustrate some important recordkeeping difficulties. Two approaches to retaining digital signatures in records are emerging. Various regulatory bodies appear to be leaning toward the Continuous Re-sign Approach, which retains the capability to re-authenticate, or resign, a digitally signed Any message or key that has been encrypted with a digital signature. When a user's public key is digitally signed by a certification authority (CA), it is known as a digital certificate or digital ID. See digital signature and digital certificate. record every time that record is retrieved. While costly and requiring larger data storage capacity, this approach provides maximum security. By contrast, the Validation See validate. validation - The stage in the software life-cycle at the end of the development process where software is evaluated to ensure that it complies with the requirements. Approach involves retaining metadata with the transaction record that shows the party relying on the signature checked and validated val·i·date tr.v. val·i·dat·ed, val·i·dat·ing, val·i·dates 1. To declare or make legally valid. 2. To mark with an indication of official sanction. 3. it at the time of the transaction. In other words, this method keeps a record of having originally validated the electronic signature but does not continuously re-validate the signature throughout the record's life. Continuous Re-sign vs. Validation The following examples of how companies might conduct and document electronic transactions using the Continuous Re-sign and Validation Approaches illustrate the practical differences of the two methods. Continuous Re-sign Approach. Assume that Corporation Ideal wants to adopt the Continuous Re-sign Approach for its digitally signed transactions. It chooses a certificate authority (CA) to issue digital certificates. Corporation Ideal requires all customers to obtain a digital certificate (and thus, the ability to engage in Corporation Ideal's e-commerce transaction system) through CA. Because of its high transaction volumes, Corporation Ideal contracts with a CA for a continuous online connection to CA's information repositories An information repository is an easy to deploy secondary tier of data storage that can comprise multiple, networked data storage technologies running on diverse operating systems, where data that no longer needs to be in primary storage is protected, classified according to captured . Every time Corporation Ideal reviews a record or needs it for court, it can show the digital signature being associated with the transaction record. Unfortunately, a continuous online connection is expensive and is an ideal point of attack for hackers. Both Corporation Ideal and its CA soon find security monitoring an arduous ar·du·ous adj. 1. Demanding great effort or labor; difficult: "the arduous work of preparing a Dictionary of the English Language" Thomas Macaulay. 2. process, and they are somewhat uncertain about the signing process's integrity. Must Corporation Ideal, due to its choice of recordkeeping model, also examine the CA's operations and recordkeeping? Additionally, Corporation Ideal did not fully analyze the implications of a customer's signature key being valid only for one year. After records exceed the one-year mark, the ability to digitally sign at every record recall starts to disappear. Can a customer's new certificate and signature now be retroactively ret·ro·ac·tive adj. Influencing or applying to a period prior to enactment: a retroactive pay increase. [French rétroactif, from Latin applied to all their earlier transactions? Does this update have to be done every year? If not, how does Corporation Ideal stand behind its transactions? It is also true that the Certificate Authority business is fairly new and somewhat volatile. After three years, CA goes out of business. Who does Corporation Ideal turn to in order to validate its transactions once the validation source is gone? In short, the Continuous Re-sign Approach poses significant uncertainties and logistical lo·gis·tic also lo·gis·ti·cal adj. 1. Of or relating to symbolic logic. 2. Of or relating to logistics. [Medieval Latin logisticus, of calculation difficulties. Validation Approach. Corporation Practical adopts the Validation Approach. It chooses a certificate authority with whom to do business and requires all customers to obtain a certificate through the CA. At the time each transaction is processed, Corporation Practical checks the CA's digital certificate directories to see that the customer's signature is a valid one and stamps its verification of that fact into the transaction record itself. The record is stored securely and cannot be altered after it is captured. When Corporation Practical's customers are notified by the CA that their private signature key is about to expire expire /ex·pire/ (ek-spi´er) 1. to exhale. 2. to die. ex·pire v. 1. To breathe one's last breath; die. 2. To exhale. , they return to the CA for a new one. Corporation Practical's process is not affected. If the CA goes out of business, Corporation Practical can quickly arrange to transfer its business to a new certificate authority. The Validation Approach presents fewer unknowns and produces a self-sufficient, viable record of its digitally signed transactions. As illustrated, the Validation Approach on the whole is the most practical choice. Whether it will be widely accepted and adopted will depend on business and judicial decisions and regulatory actions yet to come. Records managers will want to work with regulators in their industry to achieve a workable outcome. Companies using either of these approaches will have to address software and hardware obsolescence ob·so·les·cent adj. 1. Being in the process of passing out of use or usefulness; becoming obsolete. 2. Biology Gradually disappearing; imperfectly or only slightly developed. over time. Again, those using the Continuous Re-sign Approach will have to address many more unknowns in the process than will companies using the Validation Approach. An Opportunity Records managers have an opportunity to take a leading role in developing business processes, selecting vendors, and implementing solutions for creating and capturing legally adequate records. Collaboration will be the key. Armed with an understanding of the business case, the technical options, and the legal implications, organizations will be able to select solutions that are cost effective, operationally superior, and legally defensible de·fen·si·ble adj. Capable of being defended, protected, or justified: defensible arguments. de·fen over the long run. ABOUT THE AUTHOR: Emily Frye is Vice President and Counsel for Technology at iWitness Inc. She can be reached at Emily.Frye@iwitness.com. AT THE CORE THIS ARTICLE EXAMINES: * the importance of building records management into e-commerce transactions from the beginning * the two aspects of authenticating transactions * how companies can conduct and document electronic transactions using the Continuous Re-sign and Validation Approaches RELATED ARTICLE: ELECTRONIC SIGNATURES VS. DIGITAL SIGNATURES The terms electronic signature and digital signature are used interchangeably INTERCHANGEABLY. Formerly when deeds of land were made, where there Were covenants to be performed on both sides, it was usual to make two deeds exactly similar to each other, and to exchange them; in the attesting clause, the words, In witness whereof the parties have hereunto , but they are not the same, and their legal implications are likely to be very different. Electronic signature is a broad category of identification mechanisms that includes any electronic method for binding a party to a transaction. Electronic signatures can include passwords, PIN numbers, a name typed at the bottom of an e-mail, or a digital signature. A digital signature, by contrast, is a type of electronic signature that is generally used for sensitive or high-value transactions (although this is not universally true, and simple forms of it are deployed in most Internet browsers See Web browser. today). A digital signature entails using a specific technology called public key infrastructure (PKI (Public Key Infrastructure) A framework for creating a secure method for exchanging information based on public key cryptography. The foundation of a PKI is the certificate authority (CA), which issues digital certificates that authenticate the identity of ), which generally involves a certificate authority, registration authority, subscriber, and a relying party. Very simply described, a PKI works as follows: * The subscriber presents herself and her identification information to a registration authority, who validates that the subscriber is who she says she is. * The registration authority presents its opinion of the validity of the Subscriber's identity to the certificate authority, which in turn issues the subscriber a digital certificate and a "key pair." A key pair is an encryption-based mechanism for participating in electronic transactions. The subscriber (probably a buyer) uses the private key to sign transactions, and a relying party (probably a seller) uses the certificate authority's directory of public keys and certificates to validate that the subscriber is a valid key holder and signer within the rules of this particular PKI. * The subscriber now uses the digital certificate to perform, with various relying parties, any form of electronic commerce that the digital certificate supports. SOME DEFINITIONS AND ASSUMPTIONS * Records managers seek to ensure records sufficient for both business and legal purposes (including use as evidence). * Party authentication, when stored with a completed transaction record, is functionally equivalent to an electronic signature (and therefore equivalent to an intent to be bound). * A "legally adequate record" is a group of materials that very likely satisfy the Business Records Exception to the Hearsay hearsay: see evidence. Rule's requirements, as defined in Federal Rule of Evidence 803(6) and as applied to digital or electronic evidence. These materials must be kept as a regular part (not a one-time creation) of conducting electronic commerce; they must be humanreadable; and they must be accurate, authentic, and complete. "Complete" means that both the content and the relevant metadata are retained together or verifiably linked. REFERENCE (1) Before ESIGN, many parties conducted business this way and courts recognized it as viable; there is no obvious reason why the passage of ESIGN should change judicial interpretation absent additional facts. See, for instance, Doherty v. Registry The configuration database in all 32-bit versions of Windows that contains settings for the hardware and software in the PC it is installed in. The Registry is made up of the SYSTEM.DAT and USER.DAT files. Many settings previously stored in the WIN.INI and SYSTEM. of Motor Vehicles (Mass. 1997-Suffolk Dist. Ct. Dept. 97CV0050), in which a police officer recorded a traffic violation using e-mail with his name typed at the bottom. Opposing counsel said it was an inadequate record of the violation because the e-mail was not "signed"; the court disagreed. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion