Electronic Transactions & Filing: Legal Issues
R. Justin Smith
Department of Justice
Environment and Natural Resources
(202) 514-9369
10/30/2000

Overview
2 major statutes:
– GPEA requires agencies to provide for e-filing/e-txn “when practicable”
– E-SIGN limits government ability to set the form of documentation in transactions between private parties
Why do e-txns/e-filing raise legal issues?
Key legal issues
What are some other (non-legal) issues?

GPEA: Government Paperwork Elimination Act
Pub.L. No. 105-277, sections 1701-1710 (1998)
GPEA requires federal agencies to provide for --
– e-filing/submissions
– e-records
– e-signatures
by 10/21/2003 “when practicable”
Envisions widespread use of Internet by agencies to transact business with each other, with commercial enterprises, and with the general public
– Must also mean keeping agency records electronically

GPEA -- Cont’d
Electronic signatures and records in accordance with GPEA procedures “shall not be denied legal effect”
The OMB Guidance (issued 4/00)
– Requires implementation schedule by 10/00 to have optional electronic substitutes for paper process in place by end of FY03
DOJ has issued guidance on legal issues. Available at cybercrime.gov website.

E-SIGN: Electronic Signatures In Global and National Commerce Act
15 U.S.C. 7001 et seq.
Permits (but does not require) parties to use electronic signatures and records in their transactions
Electronic sigs/records “shall not be denied legal effect” solely because in electronic form
Agencies have limited ability to impose requirements regarding:
– Form of transactions between private parties
– Record retention

E-SIGN (continued)
What are the Government’s and the public’s risks and liabilities in “private-party” transactions? Consider: Drug prescriptions, Government-secured loans
Importance of regulating record retention
Consult OMB guidance on interpretation. Also at cybercrime.gov.

Why consider legal issues in developing E-systems?
Ability to maintain public trust depends in part on having reliable and legally adequate records of transactions
– Documents and records have legal effect
  • Provide basis for agency decisions
  • Provide basis for individual claims/relief
– Records are evidence of agency action
– Agency records are important for litigation

Litigation needs should be a consideration in e-system development
Why are litigation needs important when only a tiny percentage of agency transactions are involved in law suits?
– Litigation establishes legal rights
  • Single win may set binding precedent or validate an agency’s interpretation of statute
  • Single loss can have serious impact on an entire agency program

What are the 4 kinds of legal issues raised?
1. Availability
2. Legal sufficiency
3. Reliability and persuasiveness
4. Liabilities (Responsibilities)

Issue #1 – Availability of Information
Availability is essential for any use. Will the information be:
– Collected?
– Retained?
– Accessible?

Will the electronic process collect all necessary information?
Consider all types of information:
– Processing records – e.g., Who sent it? Has it been altered?
– Content, including all parts of transaction.
– Identity of the parties – e.g., who signed it?
– Intent – e.g., certified to be true?

Will the electronic process retain the information?
Consider:
• Storage medium
• Unauthorized access
• Corruption over time
• How long will it be retained?

Issue #2 - Legal Sufficiency: Will electronic sigs/records be legally enforceable?
Risk that courts will give “signature” and “writing” their traditional meanings
– Contracting laws often require signed writings
– Other laws too, such as “written consent”
GPEA/ESIGN: e-sigs will not be denied effectiveness
– Double negative not necessarily a positive
– What about signatures not in accord with GPEA procedures?

Issue #2 - Legal Sufficiency - continued
What characteristics help make e-signatures and e-documents legally effective?
– Identify the “parties” to the instrument and the individuals who “sign” for those parties
– Identify the date and circumstances of the signing
– Provide evidence of intent to bind
– Satisfy concerns about reliability, non-alteration, false repudiation
– Satisfy the “ceremonial” aspect of “signing”

Issue #3 – Reliability and Persuasiveness: Will electronic sigs/records persuade a court?
Will the material be meaningful/understandable?
Context must be preserved
– Paper forms vs. e-forms
Electronic vulnerabilities
– To tampering
– To electromagnetic forces
– To buggy software

Issue #3 Cont’d - Persuasiveness
Who do you need to persuade?
– Jury, Private party, Boss, Congress, etc.
How to prove I.D. w/o signatures?
People may feel that e-signature systems are unfamiliar, complex, vulnerable, easily fabricated, and error-prone
Many e-sig systems could require an expert
– Not just technology; process controls too

Issue #4 - Liabilities (Responsibilities)
Agencies must address statutory responsibilities in designing new e-systems
– FOIA (& state equivalents)
– Privacy Act (& state equivalents)
– Rehabilitation Act, ADA, and related laws
– Records laws
– Discovery obligations

Electronic Processes & Corporate Self-Reporting
Corporate self-reporting is fundamental to many regulatory schemes
Self-reporting is desirable because:
– it produces data essential for enforcing the law
– it does so at very low cost to businesses and governments
– it induces companies to monitor and correct their own compliance problems

Criminal Enforcement and Self-Reporting
The threat of criminal enforcement is very important to self-reporting systems
– Regulated entities must know that compliance is the norm
– There are substantial temptations to falsify
– Criminal penalties usually deter far better than civil penalties

Potential Problems with Electronic Self-Reporting
Close attention to a large number of details is needed
The details are like links in a chain: each is essential.
To make matters worse:
– Burden of proof in a criminal proceeding
– Unfamiliarity to courts and juries
– Defense attorneys will be highly attentive
– One failure can trigger additional litigation

Defenses to Watch For
The intentional compromise defense
– “Oops, I put my password on a post-it.”
– Consider requiring signors to affirm when they sign that they have followed security rules.
The delegation defense
– “Oh, I told my subordinate A to go online and submit that. Or was it B?”
– Make very clear at signature that only authorized persons may sign

Defenses (continued)
The “hacker defense”
– “It must have been one of those hackers.”
– Technical means may be able to help secure signatures.
– Automatic acknowledgments help preclude this defense.

Designing for Enforcement
Consider and address the distinctive features of electronic processes
Design a robust system
– Better to start off right; errors may be unrecoverable
– Can eliminate redundant controls later
Consider periodic wet signatures
– Again, might eventually be eliminated

Design For Enforcement (ctd.)
Minimize damage in the event of failures
– PKI systems can help compartmentalize losses
Involve a wide range of parties early in the design process:
– enforcement personnel, general counsels, inspectors general, technical experts, etc.
Mock cases, “tiger teams”
Share information with other agencies
Consider joining forces with others

Special Issues
Electronic record retention.
– Is information accessible?
– Has it been altered?
Decentralized software design
– Manifest handling a possible example
– Each firm will need to consider the key issues I have outlined
  • But will they have proper incentives?
  • Can we meet the reasonable-doubt standard?
  • Will systems interoperate correctly?

Where can I get more information?
DOJ has E-Commerce Working Group with attorneys from many components
– ECWG has a subgroup analyzing legal issues related to electronic filing/record keeping
– Web: www. /cybercrime.gov /ecommerce.html, …/gpea.htm
Agency General Counsel, IG
Others (e.g., OMB, FPKI, ECWG) have experts

E-Commerce Contacts at DOJ
Justin Smith -- ECWG member (Environment Division) 202-514-9369
David Gottesman – ECWG member (Civil Division) 202-307-0183
David Goldstone - ECWG Co-chair (Criminal Division) 202-616-1713
Tony Whitledge - E-Filing subgroup chair (Tax Division) 202-514-2832

APPENDIX
Practical Guidance
General Guidelines -- A Twelve Step program

Consider first whether each agency txn or function
– Should be converted to an electronic process
– If so, how should that process be designed
Apply the twelve steps to assess the legal risks involved in those decisions

Step 1
1. Conduct an analysis of the nature of a transaction or process to determine the level of protection needed and the level of risk that can be tolerated
Consider txns that have greatest risk:
– Transactions that have legal significance
– Transactions with the public/newcomers
– Processes that are historically susceptible to fraud or litigation

Step 1 -- Cont’d
Catalog information that needs the greatest level of protection:
– Instruments reflecting rights and obligations
– Information used in litigation, especially criminal proceedings
– Legally protected data (i.e., Privacy Act protected info) or other sensitive data

Steps 2 & 3
2. Consider potential costs, quantifiable and unquantifiable, direct and indirect, in performing a cost/benefit analysis
3. Use available sources of expertise inside and outside your agency, including the OMB guidance, DOJ guidance
– Conform procedures to guidance

Step 4
4. Consider developing a comprehensive plan to convert traditional processes to electronic ones, especially if converting means re-engineering existing processes
– New process should be at least as reliable as, and fulfill same function as paper systems they replace
– Involve all interested parties -- record managers, IG, counsel, FOIA/Privacy Act officers, etc., in design phase to ensure all legal requirements considered and met

Steps 5 & 6
5. Consider the kinds of information relevant to the process; ensure that necessary information is gathered
– And what about e-mail?
6. Consider using a “terms and conditions” agreement

Step 7
7. Incorporate a long-term retention and access policy for electronic processes
– Ensure availability over time of records that may be needed for litigation or long-term agency use

Step 8
8. Be aware of legal concerns that implicate effectiveness of or impose restrictions on electronic data or records
– Do statutes and regulations need to be changed:
  • To allow for electronic submissions (under GPEA)?
  • To require private parties to file materials in certain formats (under E-SIGN)?
– Do statutes or regs impose requirements that are difficult or impossible to meet in an electronic-based system?

Steps 9 & 10
9. Develop processes that can form the basis of admissible and persuasive evidence
10. Analyze the full range of technological options and follow commercial trends cautiously

Steps 11 & 12
11. Consider the unique legal risks presented by outsourcing an agency’s data management functions
– contractual requirements to ensure availability, reliability, and that all legal requirements are met
12. Retain extrinsic proof in important or sensitive contexts.

General Information to Gather, Retain and Have Available
Ensure electronic process collects and keeps--
– Date and time communication sent & received
– Identity of the specific persons sending and receiving communication
– Intent of sender (e.g., a “banner”)
– Complete contents, context & proof info was not altered
– Means of showing all relevant communications
– Means to distinguish final from drafts

Particular Types of Transactions
Design electronic process to establish specific information for particular types of transactions
– Contracts and related transactions
– Regulatory and reporting programs
– Benefit programs

Consider the 4 categories of important data separately
– For each category, the integrity and chain of custody should be available, persuasive, legally effective, admissible, and not create liability
1. Content - the “substance” of the filing
2. Process - Transmission logs and audit trails
3. Identities - the person(s) responsible
4. Intent - what were they thinking?

Retention and Availability
Ensure that important electronic records are--
– Retrievable in a form that can be viewed or printed in a “user-friendly” form;
  • Provide means to store and retrieve non-documentary information (e.g., an audio file attached to an e-mail)
– Appropriately indexed in a manner that allows compilation of all relevant documents into a usable “file”

Retention and Availability
– Retained and retrievable for the same length of time as comparable paper-based records
– Fully retrievable, printable and adequately indexed even if the agency later modifies its electronic system (hardware or software)

Retention and Availability
– Accessible, even if the electronic document originally was encrypted or restricted by a password.
– Capable of being promptly located, retrieved, printed and interpreted by immediately available personnel.

How can these issues be addressed?
Pro-actively
– E-filing & record keeping should be done right!
– Many steps can be taken to improve a process
– Understanding the issues is the first step
Consider using “tiger teams” to test new electronic processes and anticipate flaws and defenses