Today’s blog post comes from Ken Moyle, DocuSign’s chief legal officer. If you’ve used electronic signature on an electronic record, you may be wondering about an “authoritative copy.” Ken addresses the question, “What is a single authoritative copy?” below:

The concept of “Authoritative Copy” comes from UCC Art. 9-105. This revision to Article 9 was intended to address the problem of electronic chattel paper. Anticipating that there may someday be a technological means for identifying or controlling an electronic “original,” the drafters of 9-105 came up with the parameters, including these requirements:

(1) a single authoritative copy of the transferable record exists which is unique, identifiable, and, except as otherwise provided in paragraphs (4), (5), and (6), unalterable;
(2) the authoritative copy identifies the person asserting control as—
(A) the person to which the transferable record was issued; or
(B) if the authoritative copy indicates that the transferable record has been transferred, the person to which the transferable record was most recently transferred;
(3) the authoritative copy is communicated to and maintained by the person asserting control or its designated custodian;
(4) copies or revisions that add or change an identified assignee of the authoritative copy can be made only with the consent of the person asserting control;
(5) each copy of the authoritative copy and any copy of a copy is readily identifiable as a copy that is not the authoritative copy; and
(6) any revision of the authoritative copy is readily identifiable as authorized or unauthorized

ESIGN (Title II) and UETA (Section 16) create a parallel structure for the electronic equivalent of a paper promissory note, known as a “transferable record.” Since the UCC Article 3 provisions for promissory notes were not designed for use with electronic records, both laws set forth special rules for the management and retention of Transferable Records, stating that an electronic record can be treated as the equivalent of a negotiable promissory note in certain respects if:

• The electronic record contains only the same terms and conditions that are permitted
• in a promissory note governed by Article 3 of the UCC
• The electronic record is signed;
• The issuer of the record has agreed that it should be treated as a transferable record under the UETA; and
• The method used to record, register, or evidence a transfer of interests in the transferable record reliably establishes the identity of the person entitled to “control” (meaning control the transfer of) the electronic record.

The “safe harbor” for establishing control of the Transferrable Record is taken directly from UCC 9-105 above.

DocuSign has taken this concept and created a process by which a document that is brought into our system can be identified and treated as an authoritative copy in compliance with the statutory provision, thereby enabling our customers to execute and transfer negotiable instruments.

Ken Moyle, DocuSign’s Chief Legal Officer, recently taught an online CLE (Continuing Legal Education) class, E-Commerce 2009: The State of the Law of Electronic Signatures and Records.

In addition to his role at DocuSign, Ken also serves as the Chairman of the Public Policy Committee for the Electronic Signature and Records Association (ESRA) of Washington D.C. Ken discussed information on the state and federal statutory framework, case law and regulatory updates. He also dispelled myths on evidence and proof, provided practice tips and shared practical considerations associated with electronic signatures and records.

CLE Course Highlights include:

• Statutory framework (state and federal) including Washington’s non-uniform statute
• Case law update
• Regulatory update
• Evidence and proof (dispelling myths)
• Practical considerations
• Practice tips

This course, offered through the Washington State Bar Association, was delivered to participants via hour-long webinar. As electronic signature technology evolves, understanding the legal landscape around electronic signatures and records positions you well to understand the implications and benefits of adoption electronic contract execution services. For more of Ken’s thoughts on electronic signature, online contract execution, and public policy, take a look at his previous blog posts.

I was just reading Schneier on Security, a blog on security and security technology. According to Schneier, the security of a purple process is sorely lacking:

“It’s trivial to cut and paste — with real scissors and glue — anyone’s signature onto a document so that it’ll look real when faxed. There is so little security in fax signatures that it’s mind-boggling that anyone accepts them.”

In another post from his archives, Schneier commented on the story of a prisoner being freed from jail on the basis of a forged fax – a fax was sent to the jail, stating that a decision had been reached to release the prisoner immediately. Because faxes are treated as if they were original documents, people do accept fax signatures and do so all the time. However, faxes lack authentication mechanisms of original documents, such as letterheads, watermarks and signatures. We also have the issue of unsecured data within the fax process, such as exposed credit card numbers, personal contact information and other potentially sensitive data.

Security Considerations of a ‘wet’ Signature:

• Is unique to the signer, but each one may look slightly different
• May not be known by the recipient, so there is no certain way to rely on it
• Is subjective in that handwriting experts can indicate ‘likelihood’ that it belongs to a given individual, but it is often arguable
• Can be easily copied and used on other documents via “real scissors and glue”
• Does not ensure the underlying document has not been modified
• Has to be physically moved around, as in faxed

What if Security Were Highly Important to You?
DocuSign’s electronic signature and online contract execution process captures the identity of the party to the agreement, generally via an email address associated with the individual. DocuSign also captures the individual’s consent to use electronic signatures and adoption of a GUID/Symbol combination. This combination serves as the individual’s signature which can then be applied to an unalterable document with a unique envelope ID number. Combine the above with an audit log of the sending and signing process with a hash value to the actual image of the signed document, you have a process that would take more than cut-and-paste to fake. DocuSign can issue a digitally signed (sealed) electronic record of the transaction for true reproduction of the electronic version of the document. Eliminating the manual document handling eliminates data leakage via fax in the physical world.

Security Considerations of a DocuSign Signature:

• Both the visible and invisible aspects of the signature are completely unique to the signer and cannot be copied
• Arrives with evidence about the signer’s identity such as email, IP address, authentication information, time stamps, etc.
• Is not subjective, as experts can easily determine from the extensive audit log exactly who signed, when they signed, and where they signed on the document with evidence.
• Cannot be copied anymore than a picture of the Mona Lisa is the actual Mona Lisa
• Affirms the fact the underlying document has not been modified
• Does not have to be physically moved, as it is electronic

In our ‘mock trials’ the judge indicated that if a person wanted to commit fraud, the first thing they would do is to request a paper transaction because

How important is your and your customers' data?

Image courtesy of flickr user L.Marie under Creative Commons. v