eIDAS and its impact on electronic signatures around the world

Rachel Stoermer, senior corporate counsel at DocuSign, spoke to a live ESRA conference audience about eIDAS, a new regulation that went into effect in the summer of 2016. It covers the entire European Union and it replaces the e-signature directive that was in place since 1999.

Stoermer explained: “The main takeaway is that the biggest thing that hasn’t changed is that it supports the use of e-signatures in Europe. The EU directive in 1999 had a concept of tiers of e-signatures: simple ones that can’t be denied as well as special ones, known as qualified e-signatures (QES).

“Under the directive, each country was tasked with implementing it into their laws. And each of them may have interpreted and implemented it differently, which meant that a QES doesn’t have cross-border recognition.

“There was a perception that because of the lack of consistency, it was doing more harm than good in promoting a single digital market. They wanted e-business to be easy to do across borders.”

Stoermer continued: “Another piece of background had to do with public e-infrastructure. I wonder if blockchain will eat into the dominance of PKI outside the US, but for now, PKI is the ‘secret sauce’ that gives an e-signature special recognition and makes it easily accepted. It’s a cryptographic standard that’s standards-based, so it should work the same way everywhere.

“It uses a public key and a private key – the private key is associated with a specific signer. And historically, it was tied to a physical device that you could carry with you, like a keyfob.

“eIDAS offers consistency by being a regulation that applies to the member states, rather than directing them to implement it. It also expands the original directive – it lays the groundwork for cross-border electronic ID schemes. They’re coming up with a government-issued electronic ID that works across Europe.

“It also updated some technical standards that were making it harder to do things, particularly in the cloud, and it introduced the concept of a trust service. It regulates and defines what it means to be a trust service, particularly a PKI provider.

“eIDAS has a lot more, such as other trust services, like electronic seals and time stamping, and it introduces the concept of a qualified trust provider, which gives someone special status. They get approved by a supervisory body that requires them to undergo audits and carry a certain kind of insurance.”

Stoermer then went on to discuss the three types of defined e-signatures under eIDAS:

• A simple e-signature is similar to what the US thinks of as an e-signature, like clicking an “I accept” button.

• An advanced e-signature (AES) doesn’t have to use PKI, but every European regulatory agency has said it does. You would go to a certificate authority that would issue you a private key that you keep under your control – it doesn’t have to be a physical thing. They have a set of technical standards that have to be followed.

• A qualified e-signature (QES) is a subset of the AES – it has to use PKI and has to be blessed by a supervisory body. It has to comply with eIDAS and they have to have an approved method of identity verification. Trust providers who want approval from European governments have to get those governments to approve how they do ID verification, but no one has a process yet to do this remotely. Everyone doing this right now does in-person identity verification. eIDAS opens the door for remote verification, but it’s not happening yet.
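The mechanics Stoermer sketches above (a private key held only by the signer, a matching public key, and a certificate authority that vouches for who holds it) are easiest to see in working code. The following Go program is an added example written for this summary, not code from DocuSign, ESRA, or any trust service provider; it uses only the Go standard library. The self-signed root stands in for a trust service provider's CA, and the names and contract text are constructed. It shows the part of the tiers that is about infrastructure rather than any single key: a relying party must check that the signer's certificate chains to a CA it trusts as well as that the signature matches the document. What it does not model is the standardised signature formats, qualified certificates and signature-creation devices that an actual QES requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedDoc is what a relying party receives: content, signature over its SHA-256 digest, signer certificate.
type SignedDoc struct {
	Content, Signature []byte
	Signer             *x509.Certificate
}

// newCert binds pub to name in a certificate signed by signer; with isCA set it is a self-signed root and parent is ignored.
func newCert(serial int64, name string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sign hashes the content and signs the digest with the private key, which never leaves the signer.
func sign(content []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) (SignedDoc, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedDoc{Content: content, Signature: sig, Signer: cert}, err
}

// verify does both checks a relying party needs: certificate chains to a trusted CA, signature matches content.
func verify(doc SignedDoc, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := doc.Signer.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := doc.Signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("signer certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(doc.Content)
	if !ecdsa.VerifyASN1(pub, digest[:], doc.Signature) {
		return "", fmt.Errorf("signature does not match content")
	}
	return doc.Signer.Subject.CommonName, nil
}

type Outcome struct {
	Signer                            string
	TamperRejected, UntrustedRejected bool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or issuance failing is a setup error in this demo
	}
	return v
}

// runScenario plays CA, signer and relying party in turn; names and text are constructed.
func runScenario() Outcome {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := must(newCert(1, "Example Trust Service Root", true, &caKey.PublicKey, nil, caKey))
	signerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// The CA step: after verifying who Alice is, bind her public key to her name.
	signerCert := must(newCert(2, "Alice Example", false, &signerKey.PublicKey, ca, caKey))
	doc := must(sign([]byte("constructed contract text v1"), signerKey, signerCert))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	signer := must(verify(doc, roots))
	tampered := doc
	tampered.Content = []byte("constructed contract text v2") // changed after signing
	_, tamperErr := verify(tampered, roots)
	_, untrustedErr := verify(doc, x509.NewCertPool()) // a relying party that trusts no CA
	return Outcome{Signer: signer, TamperRejected: tamperErr != nil, UntrustedRejected: untrustedErr != nil}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

The last two calls in runScenario are the point: a signature that is mathematically valid is still rejected when the certificate behind it is not on the relying party's trust list, which is the difference between "a" PKI signature and one backed by an approved infrastructure.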

Stoermer explained: “If you do business in Europe, you need to know a few things. First, it maintains the concept of non-discrimination against e-signatures. If a signature would otherwise be valid, the fact that it’s electronic can’t be used to declare it invalid. That will be sufficient for doing business.

“But there are cases where AES and QES are valuable, such as where they get the status of a handwritten signature. That covers things like divorce proceedings.

“The other thing AES and QES get is a presumption of authenticity, which doesn’t exist in the US. In Europe, if you show up with a handwritten signature, it’s assumed valid unless the other party is able to prove it’s not.

“The last thing is if you do go through the effort of getting an AES or QES, it’s valid across the EU.

“eIDAS talks about what it means to be an e-signature, but it doesn’t say when it’s required. Countries can still have their own special use cases, like buying a boat and requiring a special e-signature. Purchase and sale of land, family law, etc. will likely have special requirements.

“Any kind of e-signature is admissible as evidence and you have to prove it up like you would in the US. You have to do more work if it’s not an AES or QES, but if it has an audit trail, you can likely get it introduced as valid evidence.

“If you’re doing business in Europe, what you’ll think about is that AES and QES have an added cost, so you’ll need to consider whether it’s worth it. If you’re in an industry where there’s a lot of fraud, it might be useful. Or a counter party might insist on it.

“There’s no special legal status to an AES.”

A Q&A session followed, which included the following:

Q: Is there a provision for signatures for corporations where multiple people would be required?

A: eIDAS doesn’t talk about rules for how many people need to sign or how many people are authorized to sign. But the regulations for certain kinds of documents may require that, such as an insurance contract that has regulations that need to be met.

Q: I’ve heard that since eIDAS was passed that advanced e-signatures are seeing some definitions arising, such as Italy having their own definition. Any update on that?

A: No update. AES isn’t useless. It uses PKI technology, which has value, but what I usually see is that the value comes from the security. In Italy, they had four levels of e-signature before eIDAS so I’m not surprised that it’s being picked up as a middle tier.

Q: Most of Europe is on a civil law basis. The way we think about signatures as an expression of intent is different from Europe, where they think of it more as a form of identification. Can you talk about what the differences are and what the cultural perceptions are in Europe vs. the US?

Also, what’s the difference between e-seals for corporate identity and e-signature under eIDAS for individual identity?

A: I don’t have a lot of knowledge about e-seals. Regarding the cultural differences, you’re right that signatures are viewed differently, as are contracts. In common law countries, it’s about the signature, it’s about the intent of the deal, even if you forgot to sign the third page of a 17-page document.

In Europe, it’s more about ceremony. That’s why you see a preference for AES and QES in Europe, particularly when you’re trying to take an American e-signature process and then you’re confused why your European partners don’t want to click and send it back.

[Rachel brought Ken Moyle up to talk about e-seals.]

A: Civil law vs. common law is about evidence and risk. The typical risk appetite in a civil law country is that it needs to be supported by existing law, not common law. In the US, we say that we can do it until the law says we can’t. That’s the kind of thing that drives the use of e-signatures. In the UK, because it’s common law, it’s been shoehorned into this European law. In the case of e-signatures, you have these two tiers, and when they got a hold of that in the UK, they didn’t understand why there were two versions of a signature. It’s all about the burden of proof.

Where a special signature comes into effect is when you’re giving legal effect to an agreement. From a US point of view, the point where you require a notary, that’s a good indication of the type of transaction that would require an advanced e-signature. It’s an official, indisputable signature accepted in court.

The problem comes from the fact that our perception problems aren’t unique to us. There are attitudes in Europe where people think a signature doesn’t count if it’s not the highest tier of signature. That’s not the reality, but it’s the perception.

The concept of e-seals is a result of eIDAS recognizing the failure of the 1999 directive to do too much. It tried to create identity and signature in one thing and create such a high assurance that it would be indisputable in all cases, like an ultimate drivers license. But it was unusable. eIDAS tries to focus on the core concept, which is creating an electronic ID and letting business figure out how to use it.

The concept of an e-seal is the idea that a corporation, as distinct from a person, should be able to sign on behalf of itself as its own identity.

Q: QES has a requirement for PKI. Is there a difference between PKI and PK in private keys, which are more about signing and a one-on-one relationship?

A: When I say PKI, I mean the private key infrastructure that matches a private key to a public key. They’re talking about a system with a master issuer of a key that can be verified. With a QES that’s been blessed by the government, it’s more that the infrastructure has been blessed, rather than any particular key.

So to the extent that there are private keys with a public key counterpart, it wouldn’t fall under eIDAS. There are uses for PKI other than contracts, such as in healthcare, where they use private key technology to do internal sign-offs, such as a doctor signing off on something. That’s something that doesn’t need to be blessed by someone – it’s internal. There are vendors, like DocuSign, that sell PKI-styled systems that companies can use internally.

The principles of electronic record retention

Record retention isn’t the most glamorous topic, but it can be very embarrassing if it’s not handled correctly. Curt Moy, Assistant Vice-President, Corporate Counsel at USAA, and ESRA Board member, knows quite a bit about electronic record retention. He moderated a discussion about retaining electronic records in front of a live ESRA event audience. Joining him were Jerry Buckley, founding partner of Buckley-Sandler, and John Isaza, CEO of Information Governance Solutions.

Implementing a meaningful record retention schedule

Isaza started the discussion by pointing out the major issue facing companies that don’t have a proper record retention plan in place: “The failure to retain records can create big problems when there is pending litigation. Look at Arthur Andersen, which went out of business for that reason.”

He noted that businesses have always known how to handle paper records, and while the technology explosion has led to a large increase in the number of electronic files being created, “statistically, most organizations are still maintaining the same amount of paper. The problem is they don’t know what to do with electronic records.”

Isaza added: “Records have to be maintained irrespective of medium. How do you create a records retention schedule that resonates with all your systems? How does that program capture those records? We have a lot of clients who are good at capturing the data, but they have difficulty with disposing of it properly, which creates vulnerabilities.

“It’s a distributed data problem. There are records stored in places you wouldn’t expect them to be stored, like some random person’s backup in the cloud, so you lose the ability to control the data. In all fairness, the technology has come a long way in the last three years, with the cheap ability to store data.

“Two cornerstone documents that need to exist for the creation of a successful program: a legal holds program and a records and information management policy, which includes a records retention schedule. They need to work in tandem, be robust, and be able to be audited.”

And, Isaza said, don’t forget that “a records retention schedule needs to be adaptable to all the places you store data and it has to follow the thousands of regulations that exist in the United States.”

Best practices

Moy then turned to best practices, noting that the first one should involve creating an inventory of the information currently being stored and seeing what types of documents need to be retained.

“That’s correct,” Isaza said. “In the old days, that was the best practice. For many companies, they have an inventory from the paper world that serves as a good starting point. These days, we try to leverage our experience with other clients to say which are the types of records that should be expected for any organization – 80% of them will fall under finance, accounting, and so forth, where the type of information being retained is very similar. The other 20% of documents are dependent on the vertical you’re in.

“Other than inventorying everything, you can create a department records coordinator network, where someone in each department is assigned the responsibility of telling you what kinds of records they have. That way the schedule is an evolving document that changes with the changes in the organization.”

Moy continued: “Next is determining the regulatory environment for the records and assigning retention periods for them.”

“Yes,” Isaza replied. “We know what the regulations are around the world. Even if a company is based in the US, if it does business elsewhere in the world, it can be subject to regulations in other jurisdictions. So the next step is identifying all those regulations, including what’s specific to your vertical, or verticals.

“Here’s a good anecdote that relates to identifying your verticals. I have a client with a technology consulting business, and they came to me asking about regulations around vaccinations. They have a division they purchased that has to do with creating vaccines, as odd as that seemed.”

Moy then moved on to document handling. He asked: “Don’t you have to focus on all components of a document, such as a contract with a digital signature? You have to marry the regulations that cover both because they’ve been compiled into one document, even though they may be housed in two different containers, one for the signature and one for the contract.”

Isaza replied: “Yes. That goes to the biggest challenge. You need to determine what the official record is and whether you’ll preserve it in place or find a repository to migrate it to. Most organizations decide to preserve in place, but in the example given, when you preserve a contract with a signature contained in another system, you have to make sure the systems speak to each other.

“You also have to keep in mind how to dispose of that document. Are you allowed to dispose of the signature at the same time as the contract? You need to know that.”

Moy asked: “What are some of the best practices for purging or disposing of records once the expiration date hits?”

Isaza responded: “That’s a challenge for most of our clients because of the number one concern around legal holds. You have to make an assessment whether a legal hold is pending. If you have the green light to dispose, the question becomes how to set the systems up to delete.

“In an ideal world, the deletion is taking place automatically in the systems, and you have the ability to stop the destruction if there’s a litigation hold. The best practices would involve identifying the triggering event that will initiate the disposition. The triggering event could be when the document is no longer active, or the sale of an asset. And then you have to decide if you want to tack on a certain number of years beyond that.

“Then the technology has to do what you want it to do. From that viewpoint, it’s a laborious process to apply the technology to this.

“You need to focus on the systems that are the most active and apply the rules to those systems and hopefully you’ll have systems that will allow you to build rules with disposition into them. If not, there are systems you can purchase that allow you to migrate the record into that system, such as Documentum, which provide repositories for records.”
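The disposition procedure Isaza outlines (identify the triggering event, add the retention period, check for a legal hold, and only then let the system delete), together with his earlier point that a contract and its signature may live in two containers that have to be disposed of together, can be expressed as a small rules engine. The Go program below is an added worked example for this summary; it is not code from Information Governance Solutions, Documentum, or any other product named on the page, and the schedule figures, record IDs and dates in it are constructed. It defaults to retaining anything it cannot classify, since deleting in doubt is the costlier mistake.

```go
package main

import (
	"fmt"
	"time"
)

// Record is one inventory entry; the field set is constructed for this example.
type Record struct {
	ID        string
	Category  string    // line in the retention schedule
	Triggered time.Time // triggering event (contract inactive, asset sold); zero until it happens
	LegalHold bool      // a litigation hold names this record
	LinkedTo  string    // ID of the record this one belongs to, e.g. a signature kept apart from its contract
}

// Decision is the outcome for one record: Action is retain, hold or dispose.
type Decision struct {
	ID, Action, Reason string
}

// schedule maps a category to years kept after the trigger; figures are constructed.
func schedule() map[string]int {
	return map[string]int{"contract": 7, "signature-evidence": 7, "tax": 10, "device-copy": 3}
}

// decide applies the schedule to a single, unlinked record as of a date.
func decide(r Record, rules map[string]int, asOf time.Time) Decision {
	years, ok := rules[r.Category]
	if !ok {
		return Decision{r.ID, "retain", "no schedule line for " + r.Category + "; default is to keep"}
	}
	if r.Triggered.IsZero() {
		return Decision{r.ID, "retain", "triggering event has not occurred"}
	}
	expiry := r.Triggered.AddDate(years, 0, 0)
	switch {
	case asOf.Before(expiry):
		return Decision{r.ID, "retain", "retention runs until " + expiry.Format("2006-01-02")}
	case r.LegalHold:
		return Decision{r.ID, "hold", "past retention but under legal hold; disposal suspended"}
	}
	return Decision{r.ID, "dispose", "retention expired " + expiry.Format("2006-01-02") + ", no hold"}
}

// evaluate decides every primary record first, then makes each linked record
// follow its primary so the two containers are disposed of together or not at
// all. A hold on the linked record itself still blocks its disposal.
func evaluate(records []Record, rules map[string]int, asOf time.Time) []Decision {
	byID := map[string]Decision{}
	for _, r := range records {
		if r.LinkedTo == "" {
			byID[r.ID] = decide(r, rules, asOf)
		}
	}
	out := make([]Decision, 0, len(records))
	for _, r := range records {
		d := byID[r.ID]
		if r.LinkedTo != "" {
			primary, found := byID[r.LinkedTo]
			switch {
			case !found:
				d = Decision{r.ID, "retain", "primary record " + r.LinkedTo + " not in inventory"}
			case primary.Action == "dispose" && r.LegalHold:
				d = Decision{r.ID, "hold", "primary disposable but this record is under legal hold"}
			default:
				d = Decision{r.ID, primary.Action, "follows " + r.LinkedTo + ": " + primary.Reason}
			}
		}
		out = append(out, d)
	}
	return out
}

// sampleAsOf and sampleRecords are constructed inputs.
func sampleAsOf() time.Time { return time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC) }

func sampleRecords() []Record {
	on := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	return []Record{
		{ID: "C-1001", Category: "contract", Triggered: on(2009, 6, 30)},
		{ID: "S-1001", Category: "signature-evidence", Triggered: on(2009, 6, 30), LinkedTo: "C-1001"},
		{ID: "C-1002", Category: "contract", Triggered: on(2009, 6, 30), LegalHold: true},
		{ID: "S-1002", Category: "signature-evidence", Triggered: on(2009, 6, 30), LinkedTo: "C-1002"},
		{ID: "C-1003", Category: "contract", Triggered: on(2012, 1, 15)},
		{ID: "T-3001", Category: "tax"},                                        // no trigger yet
		{ID: "P-5001", Category: "device-copy", Triggered: on(2013, 5, 1)},    // copy on a laptop
		{ID: "U-9001", Category: "board-minutes", Triggered: on(2001, 1, 1)}, // not on the schedule
	}
}

func main() {
	for _, d := range evaluate(sampleRecords(), schedule(), sampleAsOf()) {
		fmt.Printf("%-7s %-8s %s\n", d.ID, d.Action, d.Reason)
	}
}
```

Run as of 1 January 2017, the two contracts whose seven years ran out in mid-2016 come out differently: C-1001 and its separately stored signature S-1001 are both disposable, while C-1002 is on hold and S-1002 is held with it. The hold is re-evaluated on every run, which is what lets automated deletion stop the moment a litigation hold is entered.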

Isaza noted that such an effort feeds into “the information lifecycle governance model. You’re being inundated with data on a daily basis, but only 3-5% of it rises to the level of becoming a regulated record or something you need to keep. Easily 70% of the rest of it is redundant data that can be disposed of at any time.

“Let’s say you have files on a portable device. I would consider that a copy. I would give it a very short time frame to retain, such as 3 years. That gives the end user 3 years to decide if they need to keep it before it’s destroyed.

“You can create buckets in your records retention schedule so you can retain big data. I would consider anything not in the official repository to be a copy that can be disposed of.”

An audience member then had a question about how Isaza’s comment aligns with the “store in place” trend. Isaza replied: “When we talk about ‘store in place,’ we’re talking about official repositories of records. So when you have a data map of where all the content is located, certain systems are the primary generators of records. Even emails could be generating records.

“That’s what we mean, versus store in place on a thumb drive or something like that. You need to make sure when the record is created, it has to be retained in an official repository. You need a ‘mother ship,’ so to speak. In SharePoint, there are add-ons you can use to create and capture a record. The implementation is a challenge, but it takes baby steps to get there.”

The impact of SPERS on e-record retention

Moy then turned to Buckley to discuss the impact of SPERS (Standards and Procedures for Electronic Records and Signatures) on digital record retention. Buckley and his colleagues played a role in developing SPERS.

Buckley recalled: “After the ESIGN Act was passed, we realized there were no provisions for regulations, which was intended. We deal mostly with financial services firms, and they need guidance. There was a realization that you could substitute e-signatures for ink signatures as long as certain standards were met, but people who had to deal with each other in secondary markets didn’t know what was legal, valid, binding, and enforceable.

“We initiated SPERS in the early 2000s to deal with that. We convened all the major trade associations and many of the biggest players in the business to discuss it. We spent a year-and-a-half to develop SPERS. That standard has 5 major parts. The fifth part relates to record retention. The intention is to have something that’s accepted as commercially reasonable and holds up in court. It’s a behavioral standard, not a technology one.

“SPERS was adopted by the mortgage, variable annuity, and auto finance industries. It’s had some durability since then. We are considering an update to it even though what’s in there has been reinforced by the courts.”

Buckley continued: “SPERS’ record retention provision is crucial because you have the offering of the record to the consumer, which has to be done under ESIGN, but you also have the retention of the record by the business party. That’s where the rules come in. It was designed for business people, lawyers, and technology people. We lay out the issues that need to be considered.

“One of the issues with the secondary market is retention and how records are retained. You have to demonstrate ongoing integrity of a record, keep it for a specified time, and if you’re using vendors, you have the question of their durability. You also have to retain the audit trail so you can prove up the record.

“We’re talking about the records and the data. You can reference the SPERS standard and have a discussion with your legal, technology and business teams. The document is very readable. It has a practical approach to what has to be done.”
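Both Stoermer (a simple e-signature with an audit trail can likely be introduced as evidence) and Buckley (demonstrate ongoing integrity of a record and retain its audit trail so you can prove it up) rely on the same property: the trail must be able to show that neither the record nor the trail itself changed after the fact. The Go program below is an added example of one way to get that property, a hash-chained event log; it is not the SPERS format, nor DocuSign's or any other product's audit trail, and the event fields, timestamps and document text are constructed. Each event carries the hash of the document version the actor saw and the hash of the previous event, so editing, reordering or dropping an entry, or substituting the retained document, breaks verification.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Event is one line of a signing audit trail; the field set is constructed for this example.
type Event struct {
	Seq      int
	At       string // timestamp as recorded by the service
	Actor    string // who acted (account or e-mail)
	Action   string // viewed, accepted, completed
	DocHash  string // SHA-256 of the document version the actor saw
	PrevHash string // Hash of the preceding event ("" for the first)
	Hash     string // SHA-256 over every field above; links the trail
}

func hexHash(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// eventHash covers every field except Hash itself, including PrevHash, so a
// change to any earlier event changes every later hash.
func eventHash(e Event) string {
	return hexHash([]byte(fmt.Sprintf("%d\n%s\n%s\n%s\n%s\n%s", e.Seq, e.At, e.Actor, e.Action, e.DocHash, e.PrevHash)))
}

// appendEvent records an event and links it to the previous one.
func appendEvent(trail []Event, at, actor, action string, doc []byte) []Event {
	e := Event{Seq: len(trail) + 1, At: at, Actor: actor, Action: action, DocHash: hexHash(doc)}
	if len(trail) > 0 {
		e.PrevHash = trail[len(trail)-1].Hash
	}
	e.Hash = eventHash(e)
	return append(trail, e)
}

// verifyTrail checks that the chain is unbroken and that the retained document
// still matches the hash recorded at the final event. A nil result is what
// "proving up" the record from its own trail amounts to.
func verifyTrail(trail []Event, retainedDoc []byte) error {
	if len(trail) == 0 {
		return fmt.Errorf("empty trail")
	}
	prev := ""
	for i, e := range trail {
		if e.Seq != i+1 {
			return fmt.Errorf("event %d: sequence gap or reordering", i+1)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("event %d: does not link to the previous event", e.Seq)
		}
		if eventHash(e) != e.Hash {
			return fmt.Errorf("event %d: contents changed after recording", e.Seq)
		}
		prev = e.Hash
	}
	if last := trail[len(trail)-1]; last.DocHash != hexHash(retainedDoc) {
		return fmt.Errorf("retained document differs from the version at event %d", last.Seq)
	}
	return nil
}

// sampleDoc and sampleTrail are constructed inputs.
func sampleDoc() []byte { return []byte("Constructed master services agreement, version 3") }

func sampleTrail() []Event {
	doc := sampleDoc()
	var t []Event
	t = appendEvent(t, "2016-09-01T10:02:11Z", "alice@example.test", "viewed", doc)
	t = appendEvent(t, "2016-09-01T10:05:40Z", "alice@example.test", "accepted", doc)
	t = appendEvent(t, "2016-09-01T10:05:41Z", "service", "completed", doc)
	return t
}

func main() {
	trail := sampleTrail()
	fmt.Println("intact:", verifyTrail(trail, sampleDoc()))
	trail[1].Actor = "someone-else@example.test" // the record is edited after the fact
	fmt.Println("after edit:", verifyTrail(trail, sampleDoc()))
}
```

The chain only proves that the trail is internally consistent; it does not by itself establish when the trail was fixed. In practice the final hash is anchored somewhere the business does not control on its own (a timestamp from a trust service, a write-once store, or a counterparty's copy), which is the vendor-durability question Buckley raises.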

Moy noted: “It takes the entire company to make sure that information and record retention schedule is handled properly.”

Isaza added to that: “ARMA International promulgated eight principles for retaining records and information: accountability, transparency, integrity, protection, availability, retention, disposition, and compliance. When we talk about SPERS and its section on retention, maybe we need a section on disposition too, because it’s important to, for example, know what to keep when a merger happens. For many of my clients, it can be a liability if they keep things that should be disposed of.

“The other thing is what the courts are focusing on. When they look at whether you’re using artificial intelligence or the system you use, they’re looking at your methodology. They want you to have created an adaptable environment and to have done the best you could in a systematic way, not a situation where you applied it in different places.”

Retaining records in obsolete systems

Moy then brought up an interesting conundrum: “How should organizations deal with records in obsolete systems? You may have records that need to be retained for decades, but systems can change, so you have to migrate them as systems are updated. But what happens if you can’t retrieve those records?”

Isaza replied: “It’s a problem. The federal rules were revised in December 2015 to address those issues. But the reality is that as the owner of that data, if the information is relevant to the subject matter of a lawsuit, you’ll have to figure out how to obtain it.

“An example: We just wrote memoranda for a client who had 45,000 backup tapes. Of those 45,000 tapes, at least half were in an unreadable format because of physical deterioration. It was costing them $25,000 a month to store the tapes and it would cost them a fortune to restore the data because the systems and data are obsolete.

“So you’re stuck footing the cost to retrieve the data if that happens.”

Moy asked: “Is the creator of the document the person responsible for retaining it, or the recipient?”

Buckley replied: “It’s easiest to think of this as who is going to rely on the information. The truth is that with e-signatures, your signature will be created by the counter-party who feels it’s reliable and can be proved in court. The party that originated the transaction and parties relying on the record are the ones who have to retain it.”

Isaza added: “Along with a retention schedule, it’s useful to track owners of records, which could be an entire department. That way the record owner knows that if they receive a litigation hold, they put the record on hold.

“But there are other things that can transcend a department, such as a tax record, which could be held across accounting and finance. In that situation, I would argue that the record owner is the one who needs it the longest.”

Buckley added: “I think of retention almost like mortgage servicing. Until something goes wrong, you won’t worry about it, but if something happens, you’ll want to know you have a way to deal with it.”

A final question, regarding the risks seen in other spaces, was then raised to close out the session.

Isaza responded: “I do work across all the verticals out there, including oil and gas, automotive, software companies and others. It’s an issue across the board because of those 80% of your records that every company has. Then you have levels of complexity around various requirements, especially if, say, a company is in Omaha but they’re doing business in Germany.”