Making E-Signatures Count

But you can ensure that a contract goes through smoothly. The online process should verify that both parties agreed on it and that the customer accepted the offer of a product or service. It also should confirm that the customer promised to keep up his end of the deal, such as paying for the product or service. Disputes over online contracts typically come in two forms: A customer denies the validity of the contract and claims his signature isn't on it, or he may repudiate the contract, arguing "that's not what I signed."

Not My John Hancock

So, how do you make a digital signature stick? Affixing an e-signature on the dotted line doesn't guarantee you can enforce it, but it does authenticate a document and identify the signer. It also obligates the signer to follow the terms of the contract--purchasing 2,000 widgets from your company for a specific price, for example--and reduces the chance that the signer will deny her signature and reject the terms of the contract.

The best way to avoid a customer disclaimer is to authenticate her during the transaction process. Ask the consumer questions, for example, about her identity, such as Social Security number, mother's maiden name and birthplace.

You can dig deeper with your questions to further ensure the authentication can't be challenged, but beware that too many questions can turn off an online customer, prompting her to terminate the transaction instead. If you use a questionnaire, you should have a privacy policy in place and accessible to the customer during the transaction. E-SIGN doesn't require this, but you could run afoul of other individual privacy and confidentiality laws such as GLBA (Gramm-Leach-Bliley Act) or HIPAA (Health Information Portability and Accountability Act).In a business-to-business transaction or contract, you can authenticate your partner by using a unique PIN, token or data from a smartcard. A more structured method would use a PKI (Public Key Infrastructure) system, in which public and private keys combine with a digital certificate to create an electronic signature. A certificate authority (CA), in the enterprise or from a trusted authority like VeriSign, generates the digital certificate.

A PKI with a smartcard adds additional security. The card's token contains a digital signature generated from a private key and a passphrase known only to the signer. This can make it even more difficult to challenge a digital signature. A black hat attacker would need the token in hand and knowledge of the passphrase to pose as a legitimate user.

But setting up a PKI and implementing tokens isn't simple. Although these systems can generate identities or signatures to authenticate users to network services, signatures for contracts and other electronic records are bound to the document with a hashing algorithm and encryption. If you don't have the IT resources for implementing a PKI, you can outsource the signature process to companies like DocuSign or AlphaTrust, or you can purchase a package to install from the likes of nCipher or Silanis Technology (See "Sites To See,").

An authentication's electronic process can be equal to, if not superior to, a face-to-face meeting. And you can save and maintain the authentication data with the contract. Plus, the system keeps detailed log files of the transaction.

There are also steps you can take to minimize the risk of repudiation--the contract being rejected by your customer or partner. Most transactions are hashed, electronically signed and locked down to prevent alteration or destruction. Sensitive transactions can even be written to a WORM (write once, read many) format.During and after transaction processing, organizations should capture and maintain the content and context of the contract--date, time and location of the sender, how the document was received and what was done to it after receipt. This can be accomplished with detailed log files.

The content of the transaction may include multiple documents or forms, but you should collect them all into one document--that's the final agreement for a customer to confirm and transmit. You can have it hashed with an algorithm for unique ID and to prevent anyone alleging that the document has changed or that they attached an electronic note for review, such as comments or an e-mail attachment related to the agreement or transaction.

Say your customer claims to have added a note to the transaction that stipulated a 5 p.m. same-day delivery of goods or the deal is off, but you never received such a note. You may have to show the court that your contracting process was designed to capture the entire communication--so the file contains the entire record. Your customer would need to convince the court that he included an attachment with the contract.

The contract or transaction process must also prove that transmitting the document means the deal is for real. Did the customer click "send" prematurely? If so, she may not be bound by the terms of the agreement. Your process should require the entire Web form to be completed and then presented to the customer for final review. Add an online assistant or a toll-free phone number to address questions or problems. This will further ensure the validity of the final transaction or contract. If you're drafting a contract that entails negotiating the language of the agreement and determining language for the options, you'll need version control with a document- or content-management system.

Although E-SIGN makes paper and electronic contracts equivalent under the law, it also imposes an additional burden on electronic versions: Organizations must get the consent of their customers to "opt in" and use electronic records. Inform consumers whether their consent is limited to an individual transaction or for all the records used during the course of the business relationship.The consent process will require some time and labor. The law requires that you give your customers or business clients a "clear and conspicuous" statement of any options to access records in nonelectronic form (hard copy). Consider including a separate "terms and agreement" or "terms of use" document that explains the opt-in, withdrawal and entire contracting process. Make it accessible at all times, along with your privacy policy.

After all this preparation, if you still end up in court to defend an electronic contract, be sensitive to common misperceptions about electronic data. Many people believe that information stored in electronic form is an easy target for attackers. Describe your procedures for preventing unauthorized or accidental alteration or deletion of data to allay these concerns. And remember, the best defense is a good offense: Architect your transaction process with verification and authentication measures to quell any disputes.

Sean Doherty is a technology editor and lawyer based at Network Computing's Syracuse University Real-World Labs®. Write to him at [email protected].

"Long-Term Care for Your Data,"

"Rules of Electronic Recordkeeping""The E-Signature Act"

"Electronic Signatures: A Framework for Designing an Effective E-Signature Process"

UETA (Uniform Electronic Transaction Act) text

UETA in state law

E-Signature software:nCipher Corp.

Silanis Technology,

Topaz Systems

E-Signature Tools and Services:

AlphaTrust Corp.DocuSign

VeriSign

E-SIGN applies to commercial, consumer and business transactions that are required by federal and state laws to be in writing and signed by the party to be charged (the customer). Many contract terms, agreements and legal obligations are required by law to be in writing, such as contracts for the sale of goods in excess of $500.

E-SIGN lets organizations give their customers electronic documents, such as privacy notices and investor prospectuses. It also lets them use electronic records for data retention. E-SIGN does not apply where an agreement is not required by law to be in writing, nor does it apply to cases such as adoption, divorce and wills.

Putting something in writing establishes a record and provides evidence of the legal relationship. The challenge is to create an online process that supports this. Electronic writings or contracts that successfully do so are most likely to stand up in court.0