Monday, May 26, 2014

An Introduction to the Law of Electronic Signatures and Electronic Records in North Carolina (Part 3)

In the first part of this series, we explored the history of state and federal legislation governing electronic signatures and records, explained the key terminology, and addressed the fundamental principles undergirding the laws. In the second part, we covered the consent requirement, retention, and authentication. In this third installment, we address the exemptions, exculsions, and exceptions to the general rules.

Exemptions, Exclusions, Exceptions

The purpose of the UETA and the E-SIGN Act was to ensure that electronic signatures and records were given the same legal status as ink signatures and paper records.  However, each piece of legislation contains a number of exceptions.  

One of the most important things to know about the UETA and the E-SIGN Act are the areas in which they do not apply.   

The first exception related to requirements in other laws for a particular method of delivery. If another law requires a record (i) to be posted or displayed in a certain manner, (ii) to be sent by a specified method, or (iii) to contain information that is formatted in a certain manner, the other law controls. For example, if another law requires transmittal by First Class or Certified USPS Mail, you may not rely upon email (but you may email in addition to USPS).

Another important exception to the general validity of electronic signatures and records is for the requirements of the various laws governing the creation and execution of wills, codicils, or testamentary trusts.  It would be a grave mistake to attempt to execute a will using an electronic signature.   


Exemptions from the UETA and E-SIGN Act can become confusing when some--but not all--of an area of law is exempt.  Most of the Uniform Commercial Code is exempt from the UETA and the E-SIGN Act, but the following remain subject to UETA and E-SIGN (and therefore electronic signatures and records are valid):
  • Sales of Goods (UCC Article 2)
  • Leases of Goods (UCC Article 2A)
  • G.S. 25-1-306 (an authenticated record of the settlement of a claim involving the sale of or lease of goods) (This last exemption is found in the UETA only--not in the E-SIGN Act.)
Laws governing adoption, divorce, or other matters of family law are exempt from the E-SIGN Act (though the UETA does not specifically exclude them).
  
In addition, the UETA and E-SIGN Act do not apply to the following:
  • cancellation of utility services;
  • any notice of default, acceleration, repossession, foreclosure or eviction, or the right to cure, under a loan or lease for a primary residence;
  • cancellation of health or life insurance benefits;
  • any notice of a product recall; or
  • the transportation or handling of hazardous materials.
 
The E-SIGN Act and UETA may, or may not, apply to transactions involving government entities.  In North Carolina, transactions with government entities are controlled by the Electronic Commerce in Government Act (G.S. Ch. 66, Article 11A), which allows for the use of the UETA as alternative to the more complex (and secure) procedures described in that Article (which establishes the role of the “certification authority“, a person authorized by the Secretary of State to vouch for the relationship between a signatory and a public agency).

By understanding the circumstances in which electronic signatures and electronic records may--and may not--be used, as well as the requirements imposed by law, we can effectively utilize electronic signatures and records and enjoy the benefits of technology with confidence in their validity and enforceability.



Image by Jomphong via freedigitalphotos.net

Sunday, May 25, 2014

Why California's Online Privacy Laws Matter to Businesses in Every State

 
Image source material Truthout / Foter.com
People sometimes assume that the laws of states in which they do not have a physical presence do not apply to them.  Businesses and other organizations that engage with the public online, however, may be subject to the rules of the states in which their users reside.  I have previously written about how a few states have their own website (or web application) privacy rules, and the widespread view that California's are the most significant. 
 
Because California's online privacy laws are so important to organizations across the country, it is important to monitor relevant legal developments in California, including the actions of California's Attorney General.  This post summarizes recent developments in California affecting website operators and application operators.

  • Early in 2012, California's Attorney General reached a voluntary resolution with Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Blackberry, requiring that mobile apps provide privacy policies that users could find in a consistent location before downloading an app.

  • In October of 2012, California's Attorney General sent letters to approximately 100 mobile app developers and companies that were not in compliance with the California Online Privacy Protection Act and gave them 30 days to comply.

  • In December of 2012, the Attorney General filed an enforcement action against Delta Airlines over its mobile application privacy policy statement.

  • In 2013, Attorney General Harris issued Recommendations for the Mobile Ecosystem, which provided app developers with recommendations to develop privacy policies and procedures.


  • In February of 2014, California's Attorney General issued a guide, Cybersecurity in the Golden State, intended to help organizations protect against, and respond to, data breaches and other cyber risks. 

Any organization with an online presence would do well to keep an eye on California's online privacy laws and enforcement actions.  Check the North Carolina Privacy & Information Security Law Blog from time to time for updates on this and other important legal updates.

Saturday, May 24, 2014

An Introduction to the Law of Electronic Signatures and Electronic Records in North Carolina (Part 2)

In the first part of this series, we explored the history of state and federal legislation governing electronic signatures and records, explained the key terminology, and addressed the fundamental principles undergirding the laws. In this part, we address some of the key requirements of the applicable laws.

The Consent Requirement

A fundamental requirement of the E-SIGN Act and UETA is the consent requirement. The E-SIGN Act and UETA do not require any party to a transaction to accept or agree to use electronic signatures or documents; they merely ensure the enforceability of such documents and signatures if the parties agree to use them.
The consent of a commercial party may sometimes be inferred. Many consumer electronic transactions, however, require affirmative consent. To avoid the possibility of a consumer slipping through, it may be prudent to include an opt-in provision in all electronic transactions without regard to whether they are believed to be consumer transactions.  
Another aspect of the consent issue is that although electronic transactions are governed by UETA and the E-SIGN Act, the parties may opt out of many aspects of those laws. In other words, the parties may vary, waive or disclaim most of the provisions of UETA or E-SIGN Act by agreement, if both parties are "commercial" parties. This is not the case when one party is a consumer.  

Consumer Consent

The North Carolina version of the UETA differs from the model UETA drafted by the NCUSL. It contains heightened consumer protection provisions, consisting of disclosures and procedural steps, that were not in the original UETA. These provisions were taken from the E-SIGN Act, although they do not match the E-SIGN Act perfectly. Importantly, if a party to an electronic transaction is a consumer in North Carolina, North Carolina law is deemed to apply regardless of any other contractual provision purporting to apply another state's laws.
When one party to an electronic agreement is a consumer, you must ask whether any statute, regulation, or rule of law requires the transaction be in writing or requires any information relating to the transaction be in writing. The answer is usually "yes." There are so many consumer protection laws and other laws requiring written disclosures or contracts, that it is easy to overlook one. The best practice is often to assume that some requirement of this sort applies to all consumer transactions. In these cases, the customer must be given certain disclosures prior to entering into an electronic transaction, including statements regarding various rights, as well as hardware and software requirements. It should be noted that North Carolina's UETA and the E-SIGN Act do not match perfectly in this regard, and care should be taken to satisfy both. 
When any law requires a consumer be given something related to the transaction in writing, the consumer's consent must reflect the following procedural requirements:
  • If the consumer provides an electronic signature using the other party’s equipment, such as a signature capture pad or a personal computer, the consumer must be given a hard copy of the relevant documents.
  • If any other law requires future notices to the consumer (such as periodic statements, change in terms, etc.), they can be provided electronically, such as by email, but only if the consumer has reasonably demonstrated his or her ability to receive and access the notice in the electronic form that will be used to provide the information that is the subject of the consent. The burden of proof is on the non-consumer party, and a built-in assertion of ability to access might not suffice.

 

The Retention Requirement

If any law requires an electronic document be sent, provided, disclosed, retained or “in writing,” then an electronic form may be used only if the document is “capable of retention.” An electronic record is capable of retention if: (a) the recipient can print or store the electronic record; or (b) it is capable of being accurately reproduced for later reference by all parties entitled to access it. It can be accurately reproduced if it correctly reflects the information set forth in the record at the time it was first generated. The retention requirement applies to both consumer and non-consumer contexts. This does not, however, impose any new requirement to store records if the law does not otherwise require record retention.
Even though the UETA and E-SIGN Act are technologically neutral—that is, no particular format is given preferential treatment—if the format is proprietary, it must be accessible to all who are entitled to access the record. For this reason, widely-available formats are highly recommended. For example, it is easy to provide a link to the free Adobe Acrobat Reader, thereby making the PDF format accessible to a consumer. If a provider of a document chooses to use a proprietary format, the obligation is on that party ensure that the other party can access it.

Authentication

For millenia, people have been denying that a signature or mark was made by them. Clearly, forgeries happen, and just as clearly, people try to get out of agreements they have made by claiming never to have made them. There is nothing new about this problem.
In the context of an electronic signature, technology could make the authentication easier or more difficult. Obviously, it is easy to type anyone's name into the signature block of a document, but that does not mean it is always hard to prove who did the typing. (That is the magic of metadata.)

The laws provide that the attribution of a signature or record to a person may be shown in any manner, including "a showing of the efficacy of any security procedure." Context can also be used. If you meet with someone in person, and they give you their email address, and you then email back and forth with them, you have evidence that an emailed signature is authentic.
In sum, while electronic signatures need to be capable of authentication, the issue is really no more problematic than in the realm of paper documents.
[In Part 3 of this series, we will look at the exceptions, exemptions, and exclusions from the UETA and the E-SIGN Act.]


Image by Jomphong via freedigitalphotos.net

New Guidance on the New Website Privacy Requirements

Those of you who read this blog regularly know that I've previously written about how a few states have their own website privacy rules, and expressed the widely-held view that California's are the most rigorous. I have also explained that websites directed at U.S. audiences generally need to comply with California's strict rules.
Image source material  Truthout / Foter.com
A few weeks ago, I wrote about a new website privacy law that amends California's existing Online Privacy Protection Act, which became effective at the first of the year.
 
Last week, California's Attorney General published some guidance to aid organizations in complying with the recent changes in California privacy law.   The portion of the guidance that relates to the newest requirements offers the following general recommendations:
  • Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example: "How We Respond to Do Not Track Signals," "Online Tracking" or "Do Not Track Disclosures." 
  • Describe how you respond to a browser’s Do Not Track signal or to other such mechanisms. This is more transparent than linking to a "choice program."
  • State whether other parties are or may be collecting personally identifiable information of consumers while they are on your site or service.
  • Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.
  • Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information.
More specific recommendations are included in the guidance relating to these and other aspects of California privacy law.

Organizations that have a nationwide audience should update their website privacy policy statements in light of the new rules and guidance, if they have not already.

Sunday, May 18, 2014

An Introduction to the Law of Electronic Signatures and Electronic Records in North Carolina (Part 1)

Image by Jomphong via freedigitalphotos.net
Among the hottest topics these days are electronic signatures and electronic records. In this series of articles, we will examine the key aspects of the state and federal laws governing their use in the private sector. This series will focus on the salient legal aspects of:

• Electronic Signatures;

• Electronic Records; and

• Electronic Notarizations.

The Benefits of Electronic Signatures and Records

The ever-growing interest in electronic signatures and electronic records is based on potential benefits that can be compelling in some circumstances. Electronic signatures and records offer the promise of convenience – rapid execution, storage, and recall (including by searchable text) – and accessibility – the ability to access records twenty-four hours per day, seven days per week, three hundred sixty-five days per year. There is also a potentially massive cost savings potential, including lower transaction costs and storage costs.

The Legal Landscape

There are several sources of law that apply to electronic signatures and records in North Carolina. The primary state law applicable to electronic signatures and records in North Carolina is our version of the Uniform Electronic Transactions Act ("UETA") (codified at N.C.G.S. Ch. 66, Article 40). Electronic signatures were first given explicit legal recognition by state statutes, beginning with California, in the 1990s. Soon there became a clear need for uniformity among the emerging state laws. The National Conference of Commissioners of Uniform State Laws, the body responsible for the Uniform Commercial Code, took up the task, creating the Uniform Electronic Transactions Act in in 1999. Forty-seven states, the District of Columbia, Puerto Rico, and the Virgin Islands have now adopted the Uniform Electronic Transactions Act. Three states, Illinois, New York and Washington, have not adopted the UETA, but have statutes pertaining to electronic transactions.


Infographic credit: National Conference of State Legislatures

North Carolina's Electronic Commerce in Government Act (N.C.G.S. Ch. 66, Article 11A) applies when a governmental entity is involved. The ECGA allows for use of UETA standards, but also provides for an alternative employing more secure procedures, which involve a “certification authority“—a person authorized by the Secretary of State to vouch for the relationship between a signatory and a public agency. This is a more complex method of electronic contracting.

The UETA acknowledges that an electronically-notarized signature or record is valid. It does not address how an electronic notarization works. For that, we look to North Carolina's Electronic Notary Public Act (N.C.G.S. Ch.10. Article 2). An electronic notarization is an official act (acknowledgement, verification, etc.) performed by an electronic notary public using their electronic seal and electronic signature on electronic documents. Before performing notarial acts electronically, a notary must register with the Secretary of State. (See N.C.G.S. 10B-106). Registration requires a three hour training course, an examination, and $50 fee. An electronic notarization requires the signer be in the notary’s presence, and telephones, computers, videoconferences, etc. do not qualify, so the advantage over manual signature and notarization is minimal in most circumstances. The anecdotal evidence I have seen indicates that the adoption and use of electronic notarization is minimal at this time.

Congress noted the trend of states adopting the UETA and decided that a federal statute was needed to provide for uniformity and to clearly govern this area in the context of interstate commerce, so it enacted the Electronic Signatures in Global and National Commerce Act (better known as the "E-SIGN Act") in mid-2000. Fortunately for us, the E-SIGN Act and the UETA are very similar, and employ much of the same terminology.

The existence of both state and federal laws covering the same issues raises the question whether the UETA or E-SIGN Act applies in any given instance. The answer is more complicated that perhaps we would wish. Because Congress took action on the E-SIGN Act after states had begun adopting the UETA, it included a conditional reverse preemption provision, which effectively says that if a state adopts the UETA and includes provision more protective of consumer than the E-SIGN Act, the UETA controls; otherwise, the E-SIGN Act controls. Therefore, my recommendation usually is to comply with the more strict of the two in any given instances.

Key Terminology

Understanding the terminology is critical to applying the E-SIGN Act and UETA. Under both acts, the term "electronic signature" means “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” The term is deliberately made as broad as possible, but the key, just as under the common law of signatures, is an act plus intent. Some common examples help illustrate the breadth of the term:

• Manual signature scanned to an image (e.g. to PDF);
• A name typed into an email message (but not always in NC);

• The click of an “Accept” button;
• a voicemail message (for non-consumers, and even then only if the intent to be bound is clearly shown); and
• a “digital signature” (using algorithms, public keys, and private keys).

The reference to digital signatures raises the oft-repeated question whether digital signatures and electronic signatures are the same. A digital signature is a kind of electronic signature in which technology (encryption and keys) is used to verify the party. Not all electronic signatures are digital signatures in the same way that not all pens are fountain pens.

Another key term is "electronic record", which means "a contract or other record created, generated, sent, communicated, received, or stored by electronic means." Essentially the same definition is used under federal and state law. Again, the term is defined as broadly as possible. Common examples will illustrate the breadth of the term:

• Scanned images of physical (paper) documents
• Electronically-generated documents (e.g., MS Word .doc files)
• Electronic records of actions (e.g., file log, history)

Fundamental Principles
 

The fundamental principles undergirding the E-SIGN Act and the UETA are fairly straightforward, and can be summarized in two very succinct statements:

• A record or signature may not be denied legal effect or enforceability solely because it is in electronic form.

• If a law requires a record to be "in writing", an electronic record satisfies the law provided it complies with the E-SIGN Act or UETA and the other requirements of the applicable law.


Two additional key principles help explain some provisions of the E-SIGN Act and UETA for us. The first is technological neutrality. No format is given preferential treatment by the laws. However, if a format is proprietary, it must be accessible to all who are entitled to access the electronic record. Some formats are better-established, and therefore more "accessible" than others (e.g., Adobe's PDF). The second key principle is flexibility. By avoiding a preference for any particular technology, the UETA and E-SIGN Act facilitate technological innovation and limit the need for updates to the respective laws.


[In Part 2 of this series, we will look at the specific requirements of the state and federal laws.]

Understanding the Law of Electronic Signatures and Electronic Records

I recently delivered a continuing education presentation on behalf of the North Carolina Bar Association regarding the legal aspects of electronic signatures and records.

 For those who are interested and were unable to attend, I am providing the slides here.  


Saturday, May 17, 2014

Befor the Aftermath: How to Prepare NOW for the Possibility of a Future Privacy Lapse or Data Security Breach

image by cohdra
Despite a greater focus on prevention than ever before, privacy lapses and data security breaches continue to increase as a source of financial, legal, and reputational risk for a wide array of businesses. According to the Identity Theft Resource Center, a nonprofit group that tracks data security breach reports, there were 614 data security breaches reported in 2013, covering almost 92 million records.

The litany of recent breaches in the headlines includes names of venerable brands and fast-growing technology companies. If even large businesses with significant resources and tech-savvy companies cannot always prevent data security breaches, what are the odds your company will be 100% successful in avoiding a breach? It seems almost irresponsible these days to assume that you can stop every attack and prevent every oversight indefinitely. Instead, every business must face the reality that a breach is possible, and take steps now to address the possibility. This article will focus not on prevention, but upon preparing for an effective response.

Notice Requirements

In the event of a significant breach, approximately 46 states and the District of Columbia have laws that require a business suffering a breach to notify the affected customers, the state attorney general, and the consumer reporting bureaus.

One result of the notices required by these laws is that watchdog groups are better able to monitor breaches. However, this is not the entire picture. Breaches affecting a small number of persons may not be required to be reported and are, therefore, not included in the publicly-available statistics. For example, under North Carolina's Identity Theft Protection Act, only breaches affecting 1,000 or more individuals must be reported to the North Carolina Attorney General and consumer reporting bureaus. Many commentators believe that the majority of data breaches in North Carolina and elsewhere go unreported for this and other reasons.

A Costly Matter

Data security breaches can be very expensive. A study of insurance claims in 2013 conducted by the risk management firm NetDiligence showed that the average total reported cost of a security breach to a business was $954,253, with average legal fees of $574,000. The same study found that 29.3% of data breach-related insurance claims were made by businesses in the health care sector, with 15% in the financial services sector.

Preparing for the Possibility of a Breach

Given the immense financial and reputational risks of a privacy violation or data security breach, and the near impossibility of absolute prevention, it is important for each business to prepare in advance for the possibility of a breach. Prudent breach preparation can help a business to more effectively respond to a breach, mitigate losses and liability, and demonstrate compliance with applicable laws. The following categories of measures are strongly suggested:

• Conduct a Risk Assessment and Document It.

Although breach prevention measures are beyond the scope of this article, evidence of a reasonable risk assessment can be useful in the aftermath of a breach to document that commercially–reasonable steps were taken to identify vulnerabilities and weigh the costs of addressing them.

• Implement Commercially-Reasonable Policies and Security Measures.

After identifying the categories of sensitive information held and the likely sources of risks, a business should then take and document reasonable measures to prevent them. This should include the adoption of effective technological standards and well-thought-out policies and procedures. The scope and rigor of the measures will depend upon the risk profile and resources of the business. Although primarily intended to prevent a breach, the existence and documentation of a reasonable prevention program can help to mitigate liability following a breach.

• Review Policies and Procedures Periodically.

At regular intervals, policies and procedures should be re-evaluated to ensure they remain current or revised to reflect changes in the risk profile and landscape. Again, the scope and frequency of these reviews will depend upon the risk profile and resources of the business.

• Prepare a Response Plan.

Just as every business should have a documented disaster recovery plan, every business that holds sensitive data should have a documented breach response plan (''Response Plan'') ready (and tested) to guide the business's efforts in the hours and days following a breach. Assembling a Response Plan from scratch in the immediate aftermath of a breach wastes valuable time and risks overlooking important matters in the rush to handle an emergency.

The Response Plan need not address every conceivable contingency, but should contain the basic, universal response protocols that will form the basis of the business's response. The Response Plan should be created with the input of security personnel, IT personnel, legal counsel, and senior management.

• Select a Response Team.

Every business is comprised of individuals with unique strengths. In advance of a privacy or security incident, each business should determine who is best suited to perform each task addressed in the Response Plan. Those individuals should be assigned to a response team and trained to implement the Response Plan so that they will be able to ''hit the ground running'' when called upon to respond. The response team should include security, IT, communications/public relations, and legal experts, as well as senior management.

Perform Due Diligence on Third Parties.


Several recent major data security breaches have arisen from the actions of vendors who obtained customer information from another business. The vendor usually has no direct relationship with the customer, and the customers typically sue the business with which they have a relationship instead of, or in addition to, the vendor.

Selecting third-party vendors to handle your customers' information should involve a commercially-reasonable due diligence process to ensure that only responsible vendors are deemed to be eligible to receive customer information. Knowing the right questions to ask is key.

Use Carefully-Crafted Contracts.

Some risks of liability and other losses arising from data security can be reduced through well-drafted contracts with third-party vendors. Many contracts presented to businesses by third-party vendors are woefully inadequate to protect the business if the vendor fails to prevent a breach of the business’s customer data. A review by a lawyer who understands the relevant issues can potentially help a business save large sums in litigation fees and liability in the event of a subsequent breach.

Consider Cybersecurity Insurance.

A number of firms now offer insurance against losses arising from data security breaches. This category of coverage is available as an addition to directors and officers liability insurance coverage (better known as a ''D&O'' policy) or as stand-alone coverage. Coverage terms are not standardized in the way that, for example, homeowner's policies are, and there are usually significant exclusions from coverage. Therefore, it may be useful to have a proposed policy reviewed by legal counsel and technology professionals to ensure that the offered coverage is adequate and that the remaining risks are understood.

Prior Planning Prevents Poor Performance
A business should do all it reasonably can to prevent a privacy or information security breach, but must recognize that some risk of a breach inevitably remains. By taking a few responsible steps in advance, the losses associated with a breach can be mitigated efficiently and effectively. In addition to commercially-reasonable preventative measures, a solid and well-documented Response Plan can go a long way toward helping customers, employees, managers, shareholders, and other stakeholders sleep more soundly at night.




This article was originally published in May 2014 in Legal Currents under the title "Befor the Aftermath: How to Prepare Now for the Possibility of a Privacy Lapse or Data Security Breach."