Electronic and Digital Signatures


Electronic Records Management Guidelines
Minnesota State Archives, Minnesota Historical Society. March 2012, Version 5.

Summary

The advent of e-government and e-services has changed the way state agencies and local government offices do business. As a result, electronic systems and processes have become as important as traditional paper and ink.

In a paper environment, a hand signature, also known as a “wet signature,” authorizes and authenticates the content of a document. A signature provides a level of trustworthiness and accountability that aids the conduct of business. Electronic signatures extend the function of handwritten signatures to electronic documents, providing a way for two parties to conduct business confidently in an electronic environment. Up-to-date technologies and procedures must meet the demand for trustworthiness where hand signatures are not viable.

Since signatures derive their primary importance from their legal and evidentiary value, these concerns must drive the selection of electronic signature technologies. Consequently, each agency will need to define its legal and evidentiary needs in relation to its business processes before choosing an electronic signature application. Furthermore, the electronic signature application selected must fit the agency's technology architecture to create, preserve, and make available its records.

Technical obstacles pose great challenges to the long-term preservation of electronic signatures. Policy regarding the preservation of signatures should be adopted by each agency to ensure consistent practice across the organization.

Legal Framework

Many government agencies have unique and specific legislative mandates that apply to them and their functions. Two chapters of the Minnesota statutes in particular apply to electronic signatures, Chapters 325L and 325K.

  • Uniform Electronic Transactions Act (UETA) [Minnesota Statutes, Chapter 325L¹] addresses the issues of the legal admissibility of electronic records created in a trustworthy manner and the application of the paper-oriented legal system to electronic records.
  • The Minnesota Electronic Authentication Act [Minnesota Statutes, Chapter 325K²] defines an electronic signature uniquely in terms of digital signature using Public Key Infrastructure technology (PKI). This type of digital signature is:

    a transformation of a message using an asymmetric cryptosystem such that a person receiving the initial message and having the signer's public key can accurately determine: (1) whether the transformation was created using the private key that corresponds to the signer's public key; and (2) whether the initial message has been altered since the transformation was made.

Each agency should review its specific statutory requirements before making any choices about electronic signature technologies.

¹ Minnesota Office of the Revisor of Statutes. 2009 Minnesota Statutes. Chapter 325L: Uniform Electronic Transactions Act. 2009. https://www.revisor.leg.state.mn.us/statutes/?id=325L
² Minnesota Office of the Revisor of Statutes. 2009 Minnesota Statutes. Chapter 325K: Electronic Authentication. 2009. https://www.revisor.leg.state.mn.us/statutes/?id=325K

In addition to state laws, agencies must adhere to federal laws such as:

  • Electronic Signatures in Global and National Commerce (E-Sign)³, a federal law that addresses the issues of the legal admissibility of electronic records created in a trustworthy manner and the application of the paper-oriented legal system to electronic records. (Federal version of UETA.)
  • Health Insurance Portability and Accountability Act of 1996, HIPAA⁴. This act is concerned with non-repudiation. Non-repudiation “provides assurance of the origin or delivery of data,” so that the sender cannot deny sending a message and the receiver cannot deny receiving it. This prevents either party from modifying or breaking a legal relationship unilaterally. HIPAA holds that only a digital signature technology can currently provide that assurance.

For more information on the legal issues you must weigh when considering electronic signature technology, including what constitutes a government record, refer to the Legal Framework chapter of these guidelines and the Minnesota State Archives' Preserving and Disposing of Government Records⁵.

Key Concepts

When selecting and implementing an electronic signature technology, keep in mind:

  • Functions of Signatures
  • Definitions of Signatures
  • Electronic Signature Technologies
  • Other Means of Authentication

³ Thomas. Electronic Signatures in Global and National Commerce Act. S.761. Library of Congress. http://thomas.loc.gov/cgi-bin/query/z?c106:S.761:
⁴ U.S. Department of Health and Human Services. Understanding HIPAA Privacy. http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
⁵ Minnesota Historical Society. Preserving and Disposing of Government Records. Minnesota State Archives. May 2008. http://www.mnhs.org/preserve/records/docs_pdfs/PandD_may2008.pdf

Functions of Signatures

In general, signatures serve specific functions. The American Bar Association⁶ enumerates these as:

  • Evidence: A signature authenticates a writing by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.
  • Ceremony: The act of signing a document calls to the signer's attention the legal significance of the signer's act, and thereby helps prevent inconsiderate engagements.
  • Approval: In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing, or the signer's intention that it have legal effect.
  • Efficiency and logistics: A signature on a written document often imparts a sense of clarity and finality to the transaction, and may lessen the subsequent need to inquire beyond the face of a document. Negotiable instruments, for example, rely upon formal requirements, including a signature, for their ability to change hands with ease, rapidity, and minimal interruption.

An electronic signature will have to fulfill some or all of these functions. You should determine which are pertinent to your business processes before selecting a particular electronic signature technology.

Definitions of Signatures

Under Minnesota Statutes, the traditional definition of a signature is as follows:

    The signature of a person, when required by law, (a) must be in the handwriting of the person or, (b) if the person is unable to write, (i) the person's mark or name written by another at the request and in the presence of the person or, (ii) by a rubber stamp facsimile of the person's actual signature, mark, or a signature of the person's name or a mark made by another and adopted for all purposes of signature by the person with a motor disability and affixed in the person's presence.⁷

A reliance on the definition above would make it virtually impossible to use technology to deliver services and to meet all legal and evidentiary requirements. To address this problem, and to provide a standard approach to the use of electronic signatures, Minnesota adopted the Uniform Electronic Transactions Act (UETA)⁸ in the 2000 legislative session. UETA defines electronic signatures as:

    An electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

⁶ American Bar Association. Digital Signature Guidelines Tutorial. Section of Science and Technology Information Security Committee. http://www.americanbar.org/groups/science_technology.html
⁷ Minnesota Office of the Revisor of Statutes. 2009 Minnesota Statutes: 645.44 Words and Phrases Defined. 2009. https://www.revisor.leg.state.mn.us/statutes/?id=645.44

This definition is not technology specific, and so does not mandate the adoption of any particular hardware or software application. Theoretically, any technology that could authenticate the signer and the signed document could generate a legally admissible signature, as long as the parties could demonstrate the trustworthiness of the process that created and preserved the records in question.

In many communities no distinction is made between the terms 'electronic' and 'digital', especially among information technology communities, where “electronic” and “digital” are used synonymously and interchangeably. However, Minnesota law makes a clear legal distinction between electronic and digital signatures. A digital signature is a particular type of electronic signature that relies on a Public Key Infrastructure (PKI) technology. UETA does not separately define digital signatures but permits their use under the broader definition of electronic signatures. The Minnesota Electronic Authentication Act⁹, however, does define a digital signature uniquely in terms of PKI. A digital signature is:

    A transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine: (1) whether the transformation was created using the private key that corresponds
