Fiscal Operations Manual
Section 500: Financial Accounting and Analysis
The Electronic Signatures in Global and National Commerce Act (ESIGN, Public Law 106-229) went into effect on October 1, 2000 and gives electronic contracts and signatures the same legal weight as those executed on paper. The act has some specific exemptions and preemptions. Although the act enables documents to be signed electronically, it does not compel anyone to do so; the option lies solely with the consumer, who retains the right to transact on paper.
The act deliberately avoids stipulating any "approved" form of electronic signature, instead leaving the choice of method to the marketplace. Any number of methods is acceptable under the act, ranging from simply pressing an "I Accept" or "I Approve" button to digital certificates, smart cards, and biometrics.
E-signatures may be implemented using various methods depending on the risks associated with the transaction. Examples of transaction risks include fraud, repudiation of the transaction by the signer, and financial loss. The quality and security of the e-signature method should be commensurate with the risk and with the assurance needed that the signer is who they claim to be. Authentication is the means of ensuring that the user attempting to apply an electronic signature is in fact who they say they are and is authorized to "sign".
The intent of this policy is to allow e-signature use at OSU by means of methods that are practical, secure, and balance risk against cost. It is not the intent of this policy to eliminate all risk, but rather to provide a process that gives parties assurance that appropriate analysis was completed before an e-signature was implemented, and that the level of user authentication used is reasonable for the type of transaction conducted. The E-Authentication Guidance for Federal Agencies, OMB Memorandum M-04-04, defines four levels of assurance, Levels 1 to 4, in terms of the consequences of authentication errors and misuse of credentials: the more severe the likely consequence of an authentication error, the higher the required level of assurance. The e-Authentication Risk and Requirements Assessment (e-RA) Tool is the risk and assurance level evaluation tool to be used at OSU. See FIS Exhibit 003-15 e-Signature Authentication Assurance Levels.
Authentication - To establish as genuine and to verify the identity of the person providing an electronic signature.
Credential - An object that is verified when presented to the verifier in an authentication transaction.
Electronic Record - A contract or other record created, generated, sent, communicated, received, or stored by electronic means.
Electronic Signature or e-Signature - An electronic identifier that is created by a computer and is intended by the party using it to have the same intent, effect, and authority as a manual (either written or facsimile) signature.
Evaluation of Risk - Analysis performed by the Unit to determine the risks associated with using an e-signature and the quality and security of the e-signature method required. The evaluation will be made using the E-Authentication Guidance for Federal Agencies, OMB Memorandum M-04-04, for reference and guidance. The e-RA (Risk Assessment) Tool will assist Units in determining the level of risk. The reports resulting from the e-RA assessment shall be included as part of the official record for the e-signature implementation and submitted with the proposal to the Records Custodian.
Records Custodian - The individual responsible for compliance with all legal obligations related to information and who, in that capacity, has final authority over the utilization, access, and release of data under their jurisdiction. In some instances, there are multiple custodians for various sets of data.
Transaction - A discrete event between a user and a system that supports a business or programmatic purpose.
Unit - An OSU organization, such as a College, Department, Auxiliary, or Administrative Division, that conducts business by means of an e-signature.
User Authentication - Verifying the user's unique credentials, such as a username and password or a digital certificate. This may require validation against specific OSU-held information.
Acceptance of E-Signatures on Documents - An e-signature may be accepted in any situation where a requirement for a signature or approval is stated or implied. This policy does not supersede situations where laws specifically require a written signature. This policy cannot limit the right or option to conduct a transaction on paper or in non-electronic form, or the right to have documents provided or made available on paper at no charge. The e-signature must be protected by reasonable security measures.
Use of E-Signatures on Documents - The decision to use an electronic signature should be weighed against the risks identified for the transaction. In addition, specifications for recording, documenting, and/or auditing the e-signature shall be determined by the Unit and approved by the University. The lowest cost, least complex method acceptable for the identified risk is generally preferable. The National Institute of Standards and Technology (NIST) Special Publication 800-63, Electronic Authentication Guideline (since revised as SP 800-63-3, Digital Identity Guidelines), can be useful in making this determination.
Units that propose e-signature methods that are at a higher or lower level of assurance than indicated in the risk assessment process shall:
- Describe the reason for variance.
- Identify the potential risk of using a tool from a lower (or higher) assurance level than the risk assessment identifies.
- Identify the steps that will be taken to mitigate the risk or justify why a higher assurance level method is appropriate.
- Obtain the signed approval of the Unit director. The signed document shall be included as part of the official record for this e-signature implementation.
Security of and access to OSU-specific information is determined by a Records Custodian. Any University transaction enabled by e-signatures must be evaluated by the Unit in conjunction with the applicable Records Custodian, using the e-RA tool. (This includes any implied or explicit e-signatures already in use prior to the adoption of this policy.) For risk assessment and review purposes, similar types of transactions may be grouped together under one agreement. Implemented e-signatures will be reviewed periodically for appropriateness and continued applicability.
Once the e-signature method is determined, obtain the signed approval of the Unit director. The signed document shall be included as part of the official record for this e-signature implementation. Units will then seek approval to implement the e-signature from the applicable Records Custodian, using the Proposal for Use of e-Signature form (see FIS Exhibit 003-16). It is the Records Custodian's responsibility to ensure that the proposed e-signature and method meet the requirements of this policy. In determining whether to approve an e-signature method, consideration will be given to the systems and procedures associated with using that electronic signature, and to whether the use of the electronic signature is at least as reliable as the existing method being replaced.
Should the Records Custodian deem it necessary, the Records Custodian will seek approval from University Legal Counsel and the appropriate information technology office or officer, such as the Chief Information Security Officer (CISO).
The implementation process will likely differ for each transaction and for each Unit, as it is dependent on many factors such as technical environment, appropriate assurance level, and the nature of the transaction.
Recordkeeping - A formal record of the risk assessment evaluation, e-signature method selection, and justification will be maintained by the Unit. Once the University has implemented a technology security plan and infrastructure, a copy will also be filed with the office of the CISO.
Security - Software and/or hardware that is required for e-signatures, such as Public Key Infrastructure (PKI) certificates, “fobs”, or “dongles”, will be provided by the Unit. The Unit will also ensure that appropriate controls and monitoring of the software/hardware are in place.
Periodic Review - A review of each e-signature implementation will be conducted periodically, but no less than every three years, by the Unit. This will include an evaluation of the e-signature use to determine whether any applicable legal, business, or data requirements have changed. A determination will be made as to the continued appropriateness of the risk assessment and e-signature implementation method.
A record of this review will be documented and filed as part of the official record for this e-signature implementation maintained by the Unit. If as a result of the periodic review the risk level changes, a new risk assessment must be completed, including review and approval.
Various Federal rules and regulations establish the authority for use of electronic signatures.
The Electronic Signatures in Global and National Commerce Act, enacted on June 30, 2000 (S761, HR 1320 IH; Public Law 106-229; commonly known as ESIGN), established the validity of electronic records and signatures.
The Uniform Electronic Transactions Act (UETA) provides a legal framework for electronic transactions. It gives electronic signatures and records the same validity and enforceability as manual signatures and paper-based transactions. Oregon adopted UETA in 2001, creating legal recognition for most electronic transactions that parallels the legal recognition for paper transactions conducted in Oregon. (Oregon Revised Statutes Chapter 84, enacted by HB 2112, and OAR 125-600-0000.)
Family Educational Rights and Privacy Act (FERPA): 34 CFR Part 99; Final Rule. These final regulations provide general guidelines for accepting "signed and dated written consent" under FERPA in electronic format.