Purpose

To provide guidelines for all OSU Administrators which have or will be implementing electronic signature for conducting OSU business.

Background Information

The Electronic Signatures Act (Public Law No: 106-229) went into effect on October 1, 2000 and gives electronic contracts the same weight as those executed on paper. The act has some specific exemptions or preemptions.  Although the act enables documents to be signed electronically, the option to do so lies solely with the consumer.

The act specifically avoids stipulating any 'approved' form of electronic signature, instead leaving the method open to interpretation by the marketplace.  Any numbers of methods are acceptable under the act.  Methods include simply pressing an I Accept button, digital certificates, smart cards, and biometrics.

E-signatures may be implemented using various methodologies depending on the risks associated with the transaction.  Examples of transaction risks include: fraud, non-repudiation, and financial loss.  The quality and security of the e-signature method should be commensurate with the risk and needed assurance of the authenticity of the signer.  Authentication is a way to ensure that the user who attempts to perform the function of an electronic signature is in fact who they say they are and is authorized to “sign”.

Definitions

Authentication

To establish as genuine and to verify the identity of the person providing an electronic signature.

Credential

An object that is verified when presented to the verifier in an authentic transaction

Electronic Record

A contract or other record created, generated, sent, communicated, received, or stored by electronic means.

Electronic Signature or e-Signature

An electronic identifier that is created by a computer and is intended by the party using it to have the same intent, affect and authority as the use of a manual (either written or facsimile) signature.

Transaction

A discrete event between a user and a system that supports a business or programmatic purpose.

Policy

The intent of this policy is to allow for e-signature use at OSU by means of methods that are practical, secure, and balance risk and cost. It is not the intent of this policy to eliminate all risk but rather to provide a process that gives parties assurance that appropriate analysis was completed prior to implementation of e-signature, and that the level of user authentication used is reasonable for the type of transaction conducted.  The E-Authentication Guidance for Federal Agencies, OMB 04-04 defines four levels of assurance, Levels 1 to 4, in terms of the consequences of authentication errors and misuse of credentials. The guidance defines the required level of authentication assurance in terms of the likely consequences of an authentication error.  The e-Authentication Risk and Requirements Assessment (eRA) Tool is the risk and assurance level evaluation tool to be used at OSU.  See FIS Exhibit 003-15 e-Signature Authentication Assurance Levels.

User authentication entails verifying the user’s unique credentials: such as username and password, or a digital certificate.  This may requires validation against specific OSU held information.  Security and access to OSU-specific information is determined by a “record custodian.” Record custodians are responsible for compliance with all legal obligations related to information, and in that capacity have final authority for the utilization, access, and release of data under their jurisdiction. In some instances there are multiple custodians for various sets of data.

Under this policy, a University entity may implement use of e-signatures.  A University entity, or “Unit”, is the OSU organization conducting business by means of an e-signature; such as a College, department, auxiliary, or administrative division.  Any University transaction enabled by e-signatures must be evaluated by the Unit in conjunction with the applicable records custodian, using the eRA tool.  (This includes any existing implied or explicit e-signatures in use prior to the adoption of this policy.)  For risk assessment and review purposes, similar types of transactions may be grouped together under one agreement.  Implemented e-signatures will be reviewed periodically for appropriateness, and continued applicability.

An e-signature may be accepted in all situations if requirement of a signature/approval is stated or implied. This policy does not supersede situations where laws specifically require a written signature.  This policy cannot limit the right or option to conduct the transaction on paper or in non-electronic form and the right to have documents provided or made available on paper at no charge.  The e-signature must be protected by reasonable security measures as applicable to established computer functions of the University

Evaluation Process

An Evaluation of Risk will be performed by the Unit to determine risks associated with using an e-signature and to determine the quality and security of the e-signature method required.  An evaluation will be made using the E-Authentication Guidance for Federal Agencies, OMB 04-04 for reference and guidance.  The e-RA (Risk Assessment) Tool will assist Units determine the level of risk.  The reports resulting from the eRA assessment shall be included as part of the official record for this e-signature implementation and submitted with the proposal to the records custodian.

Determination of Electronic Signature Methodology should be commensurate to the assurances needed for the risks identified.  In addition, specifications for recording, documenting, and/or auditing the e-signature as required for non-repudiation and other legal requirements shall also be determined by the Unit.  The lowest cost, least complex method acceptable for the risk is generally preferable.  The National Institute of Standards and Technology (NIST) Electronic Authentication Guidelines: 800-63 can be useful in making this determination.

Units that propose e-signature methods that are at a higher or lower level of assurance than indicated in the risk assessment process shall:

• Describe the reason for variance.
• Identify the potential risk of using a tool from a lower (or higher) assurance level than the risk assessment identifies.
• Identify the steps that will be taken to mitigate the risk or justify why a higher assurance level method is appropriate.
• Obtain the signed approval of the Unit director. The signed document shall be included as part of the official record for this e-signature implementation.

Approval

The Unit will seek approval to implement an e-signature from the applicable records custodian, using the Proposal for Use of e-Signature form (see FIS Exhibit 003-16).  It is the records custodian’s responsibility to ensure that the proposed e-signature and method meet the requirements of this policy.  In determining whether to approve an e-signature method, consideration will be given to the systems and procedures associated with using that electronic signature, and whether the use of the electronic signature is at least as reliable as the existing method being used. 

Should it be deemed necessary by the records custodian, he/she will seek approval from University Legal Counsel and the appropriate information technology office or officer, such as the Chief Information Security Officer (CISO).

Implementation

The implementation process will likely differ for each transaction and for each Unit, as it is dependent on many factors such as technical environment, appropriate assurance level, and the nature of the transaction.

Maintenance and Review Requirements

Recordkeeping - A formal record of the risk assessment evaluation, e-signature method selection, and justification will be maintained by the Unit.  At such time as the University has implemented a technology security plan and infrastructure, a copy would also be filed at the office of the CISO.

Security - Software and/or hardware that is required for e-signatures, such as Public Key Infrastructure (PKI) certificates, “fobs”, or “dongle”s, will be provided by the Unit.  The Unit will also ensure that appropriate controls and monitoring of the software/hardware are in place.

Periodic Review - A review of each e-signature implementation will be conducted periodically, but no less than every three years, by the Unit.  This will include an evaluation of the e-signature use to determine whether any applicable legal, business, or data requirements have changed.  A determination will be made as to the continued appropriateness of the risk assessment and e-signature implementation method.

A record of this review will be documented and filed as part of the official record for this e-signature implementation maintained by the Unit.  If as a result of the periodic review the risk level changes, a new risk assessment must be completed, including review and approval.

Authority

Various Federal rules and regulations establish the authority for use of electronic signatures. 

The Electronic Signatures in Global and National Commerce Act enacted on June 30, 2000 (S761, HR 1320 IH, commonly known as the ESIGN) established the validity of electronic records and signatures.

The Uniform Electronic Transactions Act (UETA) provides a legal framework for electronic transactions.  It gives electronic signatures and records the same validity and enforceability as manual signatures and paper-based transactions.  UETA was adopted by Oregon in 2001 and created legal recognition for most electronic transactions and parallels the legal recognition for paper transactions conducted in Oregon. (Uniform Electronic Transactions Act Chapter 84 (HB 2112) and OAR 125-600-0000.)

Additional Information

Family Educational Rights and Privacy Act (FERPA): 34 CFE Part 99; Final Rule. These final regulations provide general guidelines for accepting “signed and dated written consent” under FERPA in electronic format.

OSU Acceptable Use of University Information Policy

Standards for Electronic Signatures in Electronic Student Loan Transactions