Electronic Transactions & Filing: Legal Issues. R. Justin Smith, Department of Justice, Environment and Natural Resources. (202) 514-9369 [email protected]

1

Electronic Transactions & Filing: Legal Issues

R. Justin Smith

Department of Justice

Environment and Natural Resources

(202) 514-9369

[email protected]

10/30/2000

2

Overview

2 major statutes:
– GPEA requires agencies to provide for e-filing/e-txn “when practicable”
– E-SIGN limits government ability to set the form of documentation in transactions between private parties

Why do e-txns/e-filing raise legal issues?
Key legal issues
What are some other (non-legal) issues?

3

GPEA: Government Paperwork Elimination Act

Pub. L. No. 105-277, sections 1701-1710 (1998)

GPEA requires federal agencies to provide for --
– e-filing/submissions
– e-records
– e-signatures
by 10/21/2003 “when practicable”

Envisions widespread use of Internet by agencies to transact business with each other, with commercial enterprises, and with the general public
– Must also mean keeping agency records electronically

4

GPEA -- Cont’d

Electronic signatures and records in accordance with GPEA procedures “shall not be denied legal effect”

The OMB Guidance (issued 4/00)
– Requires implementation schedule by 10/00 to have optional electronic substitutes for paper process in place by end of FY03

DOJ has issued guidance on legal issues. Available at cybercrime.gov website.

5

E-SIGN: Electronic Signatures In Global and National Commerce Act

15 U.S.C. 7001 et seq.

Permits (but does not require) parties to use electronic signatures and records in their transactions

Electronic sigs/records “shall not be denied legal effect” solely because in electronic form

Agencies have limited ability to impose requirements regarding:
– Form of transactions between private parties
– Record retention

6

E-SIGN (continued)

What are the Government’s and the public’s risks and liabilities in “private-party” transactions?
Consider: Drug prescriptions, Government-secured loans

Importance of regulating record retention

Consult OMB guidance on interpretation. Also at cybercrime.gov.

7

Why consider legal issues in developing E-systems?

Ability to maintain public trust depends in part on having reliable and legally adequate records of transactions
– Documents and records have legal effect
  • Provide basis for agency decisions
  • Provide basis for individual claims/relief
– Records are evidence of agency action
– Agency records are important for litigation

8

Litigation needs should be a consideration in e-system development

Why are litigation needs important when only a tiny percentage of agency transactions are involved in law suits?
– Litigation establishes legal rights
  • Single win may set binding precedent or validate an agency’s interpretation of statute
  • Single loss can have serious impact on an entire agency program

9

10

11

What are the 4 kinds of legal issues raised?

1. Availability
2. Legal sufficiency
3. Reliability and persuasiveness
4. Liabilities (Responsibilities)

12

Issue #1 – Availability of Information

Availability is essential for any use. Will the information be:
– Collected?
– Retained?
– Accessible?

13

Will the electronic process collect all necessary information?

Consider all types of information:
– Processing records – e.g., Who sent it? Has it been altered?
– Content, including all parts of transaction.
– Identity of the parties – e.g., who signed it?
– Intent – e.g., certified to be true?

14

Will the electronic process retain the information?

Consider:
• Storage medium
• Unauthorized access
• Corruption over time
• How long will it be retained?

15

Issue #2 - Legal Sufficiency: Will electronic sigs/records be legally enforceable?

Risk that courts will give “signature” and “writing” their traditional meanings
– Contracting laws often require signed writings
– Other laws too, such as “written consent”

GPEA/ESIGN: e-sigs will not be denied effectiveness
– Double negative not necessarily a positive
– What about signatures not in accord with GPEA procedures?

16

Issue #2 - Legal Sufficiency - continued

What characteristics help make e-signatures and e-documents legally effective?

– Identify the “parties” to the instrument and the individuals who “sign” for those parties

– Identify the date and circumstances of the signing

– Provide evidence of intent to bind

– Satisfy concerns about reliability, non-alteration, false repudiation

– Satisfy the “ceremonial” aspect of “signing”

17

Issue #3 – Reliability and Persuasiveness: Will electronic sigs/records persuade a court?

Will the material be meaningful/understandable?

Context must be preserved
– Paper forms vs. e-forms

Electronic vulnerabilities
– To tampering
– To electromagnetic forces
– To buggy software

18

Issue #3 Cont’d - Persuasiveness

Who do you need to persuade?
– Jury, Private party, Boss, Congress, etc.

How to prove I.D. w/o signatures?

People may feel that e-signature systems are unfamiliar, complex, vulnerable, easily fabricated, and error-prone

Many e-sig systems could require an expert
– Not just technology; process controls too

19

Issue #4 - Liabilities (Responsibilities)

Agencies must address statutory responsibilities in designing new e-systems
– FOIA (& state equivalents)
– Privacy Act (& state equivalents)
– Rehabilitation Act, ADA, and related laws
– Records laws
– Discovery obligations

20

Electronic Processes & Corporate Self-Reporting

Corporate self-reporting is fundamental to many regulatory schemes

Self-reporting is desirable because:
– it produces data essential for enforcing the law
– it does so at very low cost to businesses and governments
– it induces companies to monitor and correct their own compliance problems

21

Criminal Enforcement and Self-Reporting

The threat of criminal enforcement is very important to self-reporting systems
– Regulated entities must know that compliance is the norm
– There are substantial temptations to falsify
– Criminal penalties usually deter far better than civil penalties

22

Potential Problems with Electronic Self-Reporting

Close attention to a large number of details is needed

The details are like links in a chain: each is essential. To make matters worse:
– Burden of proof in a criminal proceeding
– Unfamiliarity to courts and juries
– Defense attorneys will be highly attentive
– One failure can trigger additional litigation

23

Defenses to Watch For

The intentional compromise defense
– “Oops, I put my password on a post-it.”
– Consider requiring signors to affirm when they sign that they have followed security rules.

The delegation defense
– “Oh, I told my subordinate A to go online and submit that. Or was it B?”
– Make very clear at signature that only authorized persons may sign

24

Defenses (continued)

The “hacker defense”
– “It must have been one of those hackers.”
– Technical means may be able to help secure signatures.
– Automatic acknowledgments help preclude this defense.

25

Designing for Enforcement

Consider and address the distinctive features of electronic processes

Design a robust system
– Better to start off right; errors may be unrecoverable
– Can eliminate redundant controls later

Consider periodic wet signatures
– Again, might eventually be eliminated

26

Design For Enforcement (ctd.)

Minimize damage in the event of failures
– PKI systems can help compartmentalize losses

Involve a wide range of parties early in the design process:
– enforcement personnel, general counsels, inspectors general, technical experts, etc.

Mock cases, “tiger teams”
Share information with other agencies
Consider joining forces with others

27

Special Issues

Electronic record retention.
– Is information accessible?
– Has it been altered?

Decentralized software design
– Manifest handling a possible example
– Each firm will need to consider the key issues I have outlined
  • But will they have proper incentives?
  • Can we meet the reasonable-doubt standard?
  • Will systems interoperate correctly?

28

Where can I get more information?

DOJ has E-Commerce Working Group with attorneys from many components
– ECWG has a subgroup analyzing legal issues related to electronic filing/record keeping
– Web: www.cybercrime.gov/ecommerce.html, …/gpea.htm

Agency General Counsel, IG
Others (e.g., OMB, FPKI, ECWG) have experts

29

E-Commerce Contacts at DOJ

Justin Smith -- ECWG member (Environment Division)
202-514-9369; [email protected]

David Gottesman – ECWG member (Civil Division)
202-307-0183; [email protected]

David Goldstone - ECWG Co-chair (Criminal Division)
202-616-1713; [email protected]

Tony Whitledge - E-Filing subgroup chair (Tax Division)
202-514-2832; [email protected]

30

APPENDIX
Practical Guidance

General Guidelines -- A Twelve Step program

31

Consider first whether each agency txn or function
– Should be converted to an electronic process
– If so, how should that process be designed

Apply the twelve steps to assess the legal risks involved in those decisions

32

Step 1

1. Conduct an analysis of the nature of a transaction or process to determine the level of protection needed and the level of risk that can be tolerated

Consider txns that have greatest risk:
– Transactions that have legal significance
– Transactions with the public/newcomers
– Processes that are historically susceptible to fraud or litigation

33

Step 1 -- Cont’d

Catalog information that needs the greatest level of protection:
– Instruments reflecting rights and obligations
– Information used in litigation, especially criminal proceedings
– Legally protected data (i.e., Privacy Act protected info) or other sensitive data

34

Steps 2 & 3

2. Consider potential costs, quantifiable and unquantifiable, direct and indirect, in performing a cost/benefit analysis

3. Use available sources of expertise inside and outside your agency, including the OMB guidance, DOJ guidance
– Conform procedures to guidance

35

Step 4

4. Consider developing a comprehensive plan to convert traditional processes to electronic ones, especially if converting means re-engineering existing processes
– New process should be at least as reliable as, and fulfill same function as paper systems they replace

– Involve all interested parties -- record managers, IG, counsel, FOIA/Privacy Act officers, etc., in design phase to ensure all legal requirements considered and met

36

Steps 5 & 6

5. Consider the kinds of information relevant to the process; ensure that necessary information is gathered
– And what about e-mail?

6. Consider using a “terms and conditions” agreement

37

Step 7

7. Incorporate a long-term retention and access policy for electronic processes
– Ensure availability over time of records that may be needed for litigation or long-term agency use

38

Step 8

8. Be aware of legal concerns that implicate effectiveness of or impose restrictions on electronic data or records
– Do statutes and regulations need to be changed:
  • To allow for electronic submissions (under GPEA)?
  • To require private parties to file materials in certain formats (under E-SIGN)?
– Do statutes or regs impose requirements that are difficult or impossible to meet in an electronic-based system?

39

Steps 9 & 10

9. Develop processes that can form the basis of admissible and persuasive evidence

10. Analyze the full range of technological options and follow commercial trends cautiously

40

Steps 11 & 12

11. Consider the unique legal risks presented by outsourcing an agency’s data management functions
– contractual requirements to ensure availability, reliability, and that all legal requirements are met

12. Retain extrinsic proof in important or sensitive contexts.

41

Practical Guidance

Specific Guidelines

42

General Information to Gather, Retain and Have Available

Ensure electronic process collects and keeps --
– Date and time communication sent & received
– Identity of the specific persons sending and receiving communication
– Intent of sender (e.g., a “banner”)
– Complete contents, context & proof info was not altered
– Means of showing all relevant communications
– Means to distinguish final from drafts

43

Particular Types of Transactions

Design electronic process to establish specific information for particular types of transactions
– Contracts and related transactions
– Regulatory and reporting programs
– Benefit programs

44

Consider the 4 categories of important data separately

– For each category, the integrity and chain of custody should be available, persuasive, legally effective, admissible, and not create liability

1. Content - the “substance” of the filing
2. Process - Transmission logs and audit trails
3. Identities - the person(s) responsible
4. Intent - what were they thinking?

45

Retention and Availability

Ensure that important electronic records are --
– Retrievable in a form that can be viewed or printed in a “user-friendly” form;
  • Provide means to store and retrieve non-documentary information (e.g., an audio file attached to an e-mail)

– Appropriately indexed in a manner that allows compilation of all relevant documents into a usable “file”

46

Retention and Availability

– Retained and retrievable for the same length of time as comparable paper-based records

– Fully retrievable, printable and adequately indexed even if the agency later modifies its electronic system (hardware or software)

47

Retention and Availability

– Accessible, even if the electronic document originally was encrypted or restricted by a password.

– Capable of being promptly located, retrieved, printed and interpreted by immediately available personnel.

48

How can these issues be addressed?

Pro-actively
– E-filing & record keeping should be done right!
– Many steps can be taken to improve a process
– Understanding the issues is the first step

Consider using “tiger teams” to test new electronic processes and anticipate flaws and defenses