7 landmark electronic signature legal cases

Legal expert Margo Tank, a DLA Piper partner, is well-known to many people in the world of e-signatures. She made a significant contribution during the creation of ESIGN legislation in the United States and has played a key role in the history of ESRA.

She took the time to walk through some of the most important legal cases since ESIGN was signed into law 17 years ago. “These cases apply in just about any vertical,” she noted. “The principles covered here are umbrella ones.”

She broke the case law into seven distinct categories:

Disclosures on a mobile device

“There were two key cases for this one: O’Connor v Uber and Meyer v Uber,” she said. “In the first case, the court was asked to consider the plaintiff’s argument that there wasn’t a valid agreement because it was displayed on ‘a tiny iPhone screen when most drivers are about to go on duty.’ The court rejected that argument because it’s irrelevant whether or not someone reads a contract, as long as they have the opportunity to do so.

“Way back in the beginning of contract law, the focus wasn’t on whether the reader read it or understood it – although regulators are now focused on understandability – as long as they had the opportunity to read it.

“In the second case, the Second Circuit in August 2017 reversed the lower court, finding that ‘a reasonably prudent smartphone user would have been on reasonably conspicuous notice of the terms and conditions of service, and the terms and conditions under the “Registration” button put the user on notice that clicking it meant acceptance of those terms.’ Again, that’s regardless of whether they reviewed them.

“The courts are now looking at this concept of ‘the reasonably prudent smartphone or Internet user.’ Given the proximity of the hyperlink to the button and the absence of clutter that might have impaired the plaintiff’s ability to see the hyperlink, and the meaningful terms weren’t obfuscated – all of that helps enforce the contract.”

Effective presentation of electronic contracts

“Berkson v Gogo is a case from 2015 in the Eastern District of New York. The provider was accused in a class action lawsuit of duping customers into signing up for a monthly Wi-Fi service without their knowledge. The plaintiffs claimed that the website misled them into thinking they were only purchasing a single month of use while concealing that it was actually a subscription agreement.

“As part of the analysis, the court reviewed a large number of relevant prior decisions that scrutinized the way terms are disclosed to consumers on electronic platforms. It was a long case, and the court looked at a number of empirical studies of reading and viewing behavior, including eye tracking patterns.

“The court concluded that in general, an electronically presented agreement is enforceable if: 1) the website presenting the agreement gives a reasonably prudent user, on inquiry, a notice of the terms of the contract, 2) the user is encouraged by the design and content of the web page to examine the terms through a hyperlink and 3) the hyperlink to the agreement is placed where the user is likely to see it.

“Usability and design are definitely a tricky balance to strike, but it’s critical. There are certain requirements that must be set forth, either by law through certain disclosures, or through terms that are clear and conspicuous. That has to be balanced with how to present the information electronically because you’re able to manipulate it.

“You also don’t want to oversimplify it, such as a situation where a document requires the signer to express their intent multiple times: you can’t necessarily have one expression of intent apply to all the other instances. So if someone needs to sign in multiple spots on a document, you can’t necessarily say that one signature covers the rest of them.”

UETA overlay illustration

“This is a case that has been around since 2011. We use it as an example of illustrating how UETA and ESIGN act as overlay statutes. They enable the replacement of certain paper requirements with an electronic record or an electronic signature. There’s some confusion there, so this case helps with that.

“Barwick v Geico was an Arkansas case. Geico issued a car insurance policy to someone who applied for the policy over the Internet. As part of the process, the applicant waived medical benefits coverage and electronically signed to that effect. At that time, Arkansas law said that medical benefits coverage could only be rejected ‘in writing.’ However, Arkansas had also adopted the UETA prior to the date of the application.

“The applicant was driving the car covered by the policy and was hit by another car. They submitted medical bills under the policy and Geico rejected the claim. When sued by Barwick, Geico pointed to the electronic waiver of coverage, which the applicant admitted signing. But the plaintiff claimed the waiver wasn’t effective because it wasn’t in writing, as the statute required. The court agreed with Geico, and a higher court upheld the ruling, saying that Arkansas’ implementation of UETA backed them up.

“’Writing’ is viewed as anything written, whether it’s on paper or on a screen, as long as you abide by the rules in the UETA with respect to replacing the writing requirement with an electronic record or contract.”


“The concept here is, how do you attribute the signer’s signature to the signer? It’s different from identifying the signer – it’s how do you make sure it’s the signer who did the act of signing?

“This was an interesting case: Zakuski v General American. It was 2012 in Michigan, and here are the facts: Doctor Z took out a $250,000 life insurance policy and named his mother as beneficiary. He married his second wife and changed the beneficiary designation on several policies to her. General American allows customers to make that change online, but the insured is required to enter various information, including policy number, Social Security number, and mother’s maiden name, when they do so. The company also sends an email confirmation of the change.

“Someone enrolled in General American’s e-services as the doctor, providing all the proper information, and changed the beneficiary to the second wife. An email alert was sent. Shortly thereafter, the doctor died and his mother sued to get the insurance proceeds, claiming that the company’s security policies weren’t enough and General American couldn’t prove that it was the doctor who signed the change. She said that the second wife could have done so.

“The wife filed an affidavit claiming that she hadn’t made the change. The court granted summary judgment for General American and the appeals court held it up, saying that under Michigan’s UETA implementation, an e-signature could be attributed to someone ‘by any reasonable means.’ That’s significant because that meant General American’s procedure was sufficient.

“The aggregate information required to enroll in the e-service was only known to a few people, an email alert of the change was sent to the doctor’s email address, and the doctor’s wife signed the affidavit. The court observed that the doctor’s mother offered no evidence that someone other than the doctor had made the change. Such a conjecture wasn’t enough to overcome the facts of attribution, according to the court.

“That was significant because there haven’t been a lot of cases where courts have applied UETA regarding attribution. This court said that General American’s procedure was sufficient. The case didn’t compare how the process was done compared to how it would have been done in the past, when it was done on paper, but the procedure really wasn’t that different, and you could argue that the electronic version offers more security.”

Audit trails

“Creating and preserving audit trails is the key to winning any court case. There’s one really good case, Adams v Quicksilver. It was in California in 2010. The plaintiff in an employment dispute challenged the validity of her electronic signature on an arbitration agreement. The agreement had been sent to her via a hyperlink in an email at the time she was hired. No password or other credential was required. The agreement had two places where she had to sign her name by typing in a blank field – one was at the end of the agreement.

“The employer supplied a copy of the agreement from its system, which had the plaintiff’s full name, including middle name, typed in the signature line at the end of the agreement. The system provided no audit trail for the signing process, though, so it couldn’t be determined when the agreement was signed.

“The plaintiff argued that she hadn’t signed the agreement and said that she always omitted her middle name when signing any agreement. Several other examples of her signature without her middle name were produced, and it was determined that the employer’s system didn’t have a way of safeguarding against post-signing alterations. The post-execution audit trail that they did have actually showed that two of the employer’s employees had accessed the record after it was saved for storage.

“The court held for the plaintiff, referencing the attribution rules in UETA and noting that attribution had not been proven. The court also noted that the plaintiff didn’t have to supply a password or other credential, there was no audit trail for the signature process, the record wasn’t protected against post-signature alteration, and the only audit trail was one where at least two employees accessed the signed record after it was signed and submitted by the plaintiff.

“This case cuts both ways: You need an audit trail and if you have one, you want to make sure that employees or other people can’t alter a record. The definition of accessing the record covers being able to edit it, not just viewing it. And you want to capture the process from the beginning: the authentication method, the presentation of particular documents, the signing event, and so forth. A lot of companies apply what’s known as a tamper seal, so there’s integrity protection if it’s edited in an unauthorized way.

“If you don’t have an audit trail, a low-tech way to do it is if you need to prove that the customer saw and agreed to the terms, saving and preserving screenshots of the process has won a number of cases. The presentation of the information, the buttons, and hyperlinks helps prove up the case.”
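The audit-trail points above (capture the authentication method, the presentation of the document and the signing event, then apply a tamper seal) can be sketched as follows. This is an added example, not code from the article or from any vendor it mentions; the event names, timestamps and key are constructed, and an HMAC under a server-held key stands in for the tamper seal, where a production system would more likely use a certificate-based digital signature and a trusted timestamp.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). In practice the sealing key sits in an
# HSM or KMS, out of reach of staff who can open stored records.
SEAL_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of one audit entry."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only event log in which each entry commits to the previous one."""

    def __init__(self):
        self.entries = []

    def record(self, event: str, detail: dict, ts: str) -> None:
        body = {"seq": len(self.entries), "ts": ts, "event": event,
                "detail": detail, "prev": self.head()}
        self.entries.append({**body, "hash": _digest(body)})

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def chain_ok(self) -> bool:
        """Recompute every hash; an edited, removed or reordered entry fails."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(body):
                return False
            prev = entry["hash"]
        return True


def seal(document: bytes, trail: AuditTrail, key: bytes = SEAL_KEY) -> str:
    """Tamper seal: a MAC binding the signed document to the trail's last entry."""
    msg = hashlib.sha256(document).hexdigest() + ":" + trail.head()
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def verify(document: bytes, trail: AuditTrail, tag: str, key: bytes = SEAL_KEY) -> bool:
    """True only if neither the document nor any audit entry changed after sealing."""
    return trail.chain_ok() and hmac.compare_digest(seal(document, trail, key), tag)


def signing_ceremony(document: bytes, typed_name: str):
    """Record the three steps named in the text, then seal (constructed values)."""
    trail = AuditTrail()
    trail.record("authenticated", {"method": "password"}, "2024-01-05T14:00:03Z")
    trail.record("presented", {"doc_sha256": hashlib.sha256(document).hexdigest()},
                 "2024-01-05T14:00:41Z")
    trail.record("signed", {"typed_name": typed_name, "field": "signature-end"},
                 "2024-01-05T14:03:12Z")
    return trail, seal(document, trail)
```

A record edited after signing, or an audit entry rewritten to match it, fails `verify`, which is the safeguard the employer's system in Adams v Quicksilver was found to lack.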


“Essentially, ESIGN and the UETA support the use of electronic records, but they don’t talk about how to enter them into evidence. In Lorraine v Markel, a case from 2007, both parties in an insurance dispute attached emails as exhibits for summary judgment but neither provided authentication of the records themselves that would be needed to admit them into evidence.

“The court’s detailed opinion covered how to get information admitted into evidence. There are 14 rules that affect admissibility. This opinion walks through each of the aspects and explains how it applies to electronic evidence. It’s still regarded as a seminal case in this area.”

The future of legal activity in the e-signature space

“That leads us back to where we started. As mobile phones continue to remain in our lives, with most adults using them globally, more and more products and services will be delivered through those devices. How that’s done will continue to be scrutinized.

“The ability to view and retain information in a mobile format needs to be looked at carefully, because it has to be presented in a fair way. It’s also key to be able to access that information at a later time.”

eIDAS and its impact on electronic signatures around the world

Rachel Stoermer, senior corporate counsel at DocuSign, spoke to a live ESRA conference audience about eIDAS, a new regulation that went into effect in the summer of 2016. It covers the entire European Union and replaces the e-signature directive that had been in place since 1999.

Stoermer explained: “The main takeaway is that the biggest thing that hasn’t changed is that it supports the use of e-signatures in Europe. The EU directive in 1999 had a concept of tiers of e-signatures: simple ones that can’t be denied as well as special ones, known as qualified e-signatures (QES).

“Under the directive, each country was tasked with implementing it into their laws. And each of them may have interpreted and implemented it differently, which meant that a QES doesn’t have cross-border recognition.

“There was a perception that because of the lack of consistency, it was doing more harm than good in promoting a single digital market. They wanted e-business to be easy to do across borders.”

Stoermer continued: “Another piece of background had to do with public e-infrastructure. I wonder if blockchain will eat into the dominance of PKI outside the US, but for now, PKI is the ‘secret sauce’ that gives an e-signature special recognition and makes it easily accepted. It’s a cryptographic standard that’s standards-based, so it should work the same way everywhere.

“It uses a public key and a private key – the private key is associated with a specific signer. And historically, it was tied to a physical device that you could carry with you, like a keyfob.

“eIDAS offers consistency by being a regulation that applies to the member states, rather than directing them to implement it. It also expands the original directive – it lays the groundwork for cross-border electronic ID schemes. They’re coming up with a government-issued electronic ID that works across Europe.

“It also updated some technical standards that were making it harder to do things, particularly in the cloud, and it introduced the concept of a trust service. It regulates and defines what it means to be a trust service, particularly a PKI provider.

“eIDAS has a lot more, such as other trust services, like electronic seals and time stamping, and it introduces the concept of a qualified trust provider, which gives someone special status. They get approved by a supervisory body that requires them to undergo audits and carry a certain kind of insurance.”

Stoermer then went on to discuss the three types of defined e-signatures under eIDAS:

• A simple e-signature is similar to what the US thinks of as an e-signature, like clicking an “I accept” button.

• An advanced e-signature (AES) doesn’t have to use PKI, but every European regulatory agency has said it does. You would go to a certificate authority that would issue you a private key that you keep under your control – it doesn’t have to be a physical thing. They have a set of technical standards that have to be followed.

• A qualified e-signature (QES). It’s a subset of the AES – it has to use PKI and has to be blessed by a supervisory body. It has to comply with eIDAS and they have to have an approved method of identity verification. Trust providers who want approval from European governments have to get those governments to approve how they do ID verification, but no one has a process yet to do this remotely. Everyone doing this right now does in-person identity verification. eIDAS opens the door for remote verification, but it’s not happening yet.

Stoermer explained: “If you do business in Europe, you need to know a few things. First, it maintains the concept of non-discrimination against e-signatures. If a signature would otherwise be valid, the fact that it’s electronic can’t be used to declare it invalid. That will be sufficient for doing business.

“But there are cases where AES and QES are valuable, such as where they get the status of a handwritten signature. That covers things like divorce proceedings.

“The other thing AES and QES get is a presumption of authenticity, which doesn’t exist in the US. In Europe, if you show up with a handwritten signature, it’s assumed valid unless the other party is able to prove it’s not.

“The last thing is if you do go through the effort of getting an AES or QES, it’s valid across the EU.

“eIDAS talks about what it means to be an e-signature, but it doesn’t say when it’s required. Countries can still have their own special use cases, like buying a boat and requiring a special e-signature. Purchase and sale of land, family law, etc. will likely have special requirements.

“Any kind of e-signature is admissible as evidence and you have to prove it up like you would in the US. You have to do more work if it’s not an AES or QES, but if it has an audit trail, you can likely get it introduced as valid evidence.

“If you’re doing business in Europe, what you’ll think about is that AES and QES have an added cost, so you’ll need to consider whether it’s worth it. If you’re in an industry where there’s a lot of fraud, it might be useful. Or a counter party might insist on it.

“There’s no special legal status to an AES.”

A Q&A session followed, which included the following:

Q: Is there a provision for signatures for corporations where multiple people would be required?

A: eIDAS doesn’t talk about rules for how many people need to sign or how many people are authorized to sign. But the regulations for certain kinds of documents may require that, such as an insurance contract that has regulations that need to be met.

Q: I’ve heard that since eIDAS was passed that advanced e-signatures are seeing some definitions arising, such as Italy having their own definition. Any update on that?

A: No update. AES isn’t useless. It uses PKI technology, which has value, but what I usually see is that the value comes from the security. In Italy, they had four levels of e-signature before eIDAS so I’m not surprised that it’s being picked up as a middle tier.

Q: Most of Europe is on a civil law basis. The way we think about signatures as an expression of intent is different from Europe, where they think of it more as a form of identification. Can you talk about what the differences are and what the cultural perceptions are in Europe vs. the US?

Also, what’s the difference between e-seals for corporate identity and e-signature under eIDAS for individual identity?

A: I don’t have a lot of knowledge about e-seals. Regarding the cultural differences, you’re right that signatures are viewed differently, as are contracts. In common law countries, it’s about the signature, it’s about the intent of the deal, even if you forgot to sign the third page of a 17-page document.

In Europe, it’s more about ceremony. That’s why you see a preference for AES and QES in Europe, particularly when you’re trying to take an American e-signature process and then you’re confused why your European partners don’t want to click and send it back.

[Rachel brought Ken Moyle up to talk about e-seals.]

A: Civil law vs. common law is about evidence and risk. The typical risk appetite in a civil law country is that it needs to be supported by existing law, not common law. In the US, we say that we can do it until the law says we can’t. That’s the kind of thing that drives the use of e-signatures. In the UK, because it’s common law, it’s been shoehorned into this European law. In the case of e-signatures, you have these two tiers, and when they got a hold of that in the UK, they didn’t understand why there were two versions of a signature. It’s all about the burden of proof.

Where special signature comes into effect is when you’re giving legal effect to an agreement. From a US point of view, the point where you require a notary, that’s a good indication of the type of transaction that would require an advanced e-signature. It’s an official, indisputable signature accepted in court.

The problem comes from the fact that our perception problems aren’t unique to us. There are attitudes in Europe where people think a signature doesn’t count if it’s not the highest tier of signature. That’s not the reality, but it’s the perception.

The concept of e-seals is a result of eIDAS recognizing the failure of the 1999 directive to do too much. It tried to create identity and signature in one thing and create such a high assurance that it would be indisputable in all cases, like an ultimate drivers license. But it was unusable. eIDAS tries to focus on the core concept, which is creating an electronic ID and letting business figure out how to use it.

The concept of an e-seal is the idea that a corporation, as distinct from a person, should be able to sign on behalf of itself as its own identity.

Q: QES has a requirement for PKI. Is there a difference between PKI and PK in private keys, which are more about signing and a one-on-one relationship?

A: When I say PKI, I mean the private key infrastructure that matches a private key to a public key. They’re talking about a system with a master issuer of a key that can be verified. With a QES that’s been blessed by the government, it’s more about the infrastructure has been blessed, rather than any particular key.

So to the extent that there are private keys with a public key counterpart, it wouldn’t fall under eIDAS. There are uses for PKI other than contracts, such as in healthcare, where they use private key technology to do internal sign-offs, such as a doctor signing off on something. That’s something that doesn’t need to be blessed by someone – it’s internal. There are vendors, like DocuSign, that sell PKI-styled systems that companies can use internally.