Electronic Signature Policy

Definitions

The following terms are used in this policy.

Term

Definition

Electronic Signature

An electronic signature is a paperless method used to authorize or approve a document, and it indicates that a person adopts or agrees to the meaning or content of that document.


Federal (the federal E-Sign law) and New York state law (The Electronic Signatures and Records Act or “ESRA”) define an electronic signature as: “an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the record.”


Basis for Policy

The following laws were enacted to support the use of electronic signatures.

Law

Definition

Federal Law

The federal government authorized the use and acceptance of electronic signatures in The Electronic Signatures in Global and National Commerce Act (E-Sign).


NYS Law

The Electronic Signatures and Records Act (ESRA), the New York state law which authorizes the acceptance of electronic signatures in most documents, went into effect in August of 1999. The Act was updated in 2002 to make New York state law consistent with the federal E-Sign law. The act provides that "signatures" made via electronic means will be as legally binding as hand-written signatures. It does not mandate the use of, or require a specific form of, electronic signature.


Those choosing an electronic signature method can be assured that the electronic signature will be given full legal effect under federal and state law if the signature method conforms to the standards outlined in the policy.

Exceptions

E-Sign and ESRA contain exceptions to the general standard that electronic signatures are afforded full legal effect. These exceptions indicate when an electronically signed document is not afforded the same legal standing as a handwritten signature. Most of these exceptions would not apply to the RF. In general, a handwritten signature may be required for documents or notices pertaining to:

Policy

The RF allows the use of electronic signatures as an acceptable alternative to an original signature for those documents requiring signature or acknowledgement in accordance with minimum standards. This policy is intentionally flexible, allowing campus operations managers or central office department vice presidents, as applicable, to approve implementation of electronic signatures.

Note: The policy does not mandate the

Minimum Standards

Use of an electronic signature must be in accordance with the following minimum standards, consistent with NYS issued guidelines. Compliance with these standards helps to ensure the validity of an electronic signature.

Step

Action

Preparation

  1. Obtain approval from operations manager or central office departmental vice president to implement the use of electronic signatures.
  2. Confirm that the electronic signature methodology conforms to the specific standards outlined in this policy.
  3. Verify that electronically signed documents going to external agencies abide by guidelines set forth by the external agency and meet the requirements of the receiving organization.


Processing

  1. Provide opportunity for the signer to review the entire document or content to be signed prior to applying an e-signature.
  2. Make it impossible for an e-signature to be applied to a document without the signer having been informed that a signature is being applied.
  3. Allow the signer’s intent to be expressed as part of the record or in a certification statement submitted with and linked to the signed record.


Signature Retention

  1. Record the date, time, and fact that the signer indicated his or her intent, and retain this information for evidentiary purposes. This time may differ from the time the signer accessed the application or was authenticated.
  2. Retain all electronically signed documents in accordance with the RF Electronic Records Management Policy and the Record Retention for Person Related Records guideline.


Implementation

Security and Risk

Operating locations that choose to use electronic signatures must ensure a proper level of security and ability to link the signed document with the signer. This policy does not supersede any law or scenario wherein a written signature is specifically required (see above for specific exceptions).

Various technologies support different levels of security, authentication, record integrity and record retention. Solutions for making an electronic signature trustworthy must address the following security concerns:

Function

Provides

Confidentiality

Protects content from unauthorized access so that only the intended audience can view it

Authenticity

Assures that the document truly comes from the signer

Integrity

Detects unintentional or malicious alteration of the signed record and prevents the signer from repudiating an electronically signed document (non-repudiation)

Security

Maintains security of document from origination through the entire business process

Accessibility

Allows access to document across all platforms

The RF recommends that operating locations that are considering using electronic signatures:

Technology Guidelines

There are a number of approaches to implementing the use of electronic signatures. The technology approach selected should support the minimum standards outlined in this policy. When choosing a technology, consider the significance of the business requirement as it relates to electronic signatures. For instance, applying an electronic signature to an e-mail might be fine, but additional validation or security in other situations may necessitate password protection or encryption. A combination of technologies may be warranted to mitigate risks.

Examples of technologies that support electronic signatures and that may work for various RF related projects or documents include:

Technology Approach

Provides that signer or signature is

Click Through or Click Wrap

asked to click a button to demonstrate intent

Personal Identification Number (PIN) or Password

asked to enter identifying information

Signature Dynamics

authenticated through automated analysis of the signer's handwriting dynamics (for example, stroke speed and pen pressure)

Biometrics

authenticated by physical characteristics prior to applying his or her signature

Shared Private Key (Symmetric) Cryptography

authenticated by a single secret key that the signer and the verifier share, and that both produces and checks the authentication value (for example, an HMAC)

This method should only be used if the keys are changed regularly. Because the verifier holds the same key, it proves only that some key holder produced the value; it does not by itself provide non-repudiation.

Public/Private or Asymmetric Cryptography (PKI) – Digital Signature

authenticated by a key pair: the signer's private key, held only by the signer, creates the signature, and the corresponding public key, distributed in a digital certificate, verifies it

Note: Other methods that incorporate the applicable minimum standards may be developed; this list is not meant to be exhaustive.
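The contrast between the shared-key and public-key rows above, together with the retention requirement that the signer's intent statement and the time it was expressed be bound to the signed record, as an added Go example that is not part of this policy or of any RF system. The record structure, field names, and sample content are constructed for illustration; the HMAC and Ed25519 calls are Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// SignedRecord is the evidentiary unit the policy asks for: the content
// shown to the signer, the signer's identity, the intent statement the
// signer adopted, and the time intent was expressed. All four fields are
// covered by the signature, so altering any of them invalidates it.
// (Constructed structure for this example, not an RF format.)
type SignedRecord struct {
	Document  string
	Signer    string
	Intent    string
	SignedAt  string // RFC 3339 timestamp of the act of signing
	Signature []byte
}

// canonical produces the exact bytes that get signed. Each field is
// length-prefixed so that moving text between fields cannot produce the
// same byte string.
func canonical(r SignedRecord) []byte {
	var out []byte
	for _, f := range []string{r.Document, r.Signer, r.Intent, r.SignedAt} {
		out = append(out, fmt.Sprintf("%d:", len(f))...)
		out = append(out, f...)
	}
	return out
}

// SignSymmetric authenticates the record with an HMAC under a key that the
// signer and the verifier both hold (the "shared private key" approach).
func SignSymmetric(key []byte, r *SignedRecord) {
	mac := hmac.New(sha256.New, key)
	mac.Write(canonical(*r))
	r.Signature = mac.Sum(nil)
}

// VerifySymmetric checks the HMAC. Anyone holding the key could have
// produced a valid tag, including the verifier itself.
func VerifySymmetric(key []byte, r SignedRecord) bool {
	mac := hmac.New(sha256.New, key)
	mac.Write(canonical(r))
	return hmac.Equal(mac.Sum(nil), r.Signature)
}

// SignAsymmetric produces a digital signature with the signer's Ed25519
// private key, which only the signer holds (the PKI approach).
func SignAsymmetric(priv ed25519.PrivateKey, r *SignedRecord) {
	r.Signature = ed25519.Sign(priv, canonical(*r))
}

// VerifyAsymmetric checks the signature with the signer's public key. The
// verifier never needs, and therefore cannot misuse, the private key.
func VerifyAsymmetric(pub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(pub, canonical(r), r.Signature)
}

func main() {
	// Constructed sample record; the names and text are illustrative only.
	rec := SignedRecord{
		Document: "Travel reimbursement request TR-0001, total $412.50",
		Signer:   "j.doe",
		Intent:   "I approve this request and adopt this as my signature.",
		SignedAt: time.Now().UTC().Format(time.RFC3339),
	}

	// Symmetric: integrity and authenticity among key holders, but the
	// office that verifies (and so holds the key) can forge a record.
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		panic(err)
	}
	sym := rec
	SignSymmetric(shared, &sym)
	fmt.Println("HMAC verifies:", VerifySymmetric(shared, sym))

	forged := sym
	forged.Document = "Travel reimbursement request TR-0001, total $4125.00"
	fmt.Println("altered HMAC record verifies:", VerifySymmetric(shared, forged))
	SignSymmetric(shared, &forged) // the verifier re-signs with the same key
	fmt.Println("verifier-forged HMAC record verifies:", VerifySymmetric(shared, forged))

	// Asymmetric: the verifier holds only the public key and cannot re-sign.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	asym := rec
	SignAsymmetric(priv, &asym)
	fmt.Println("Ed25519 verifies:", VerifyAsymmetric(pub, asym))

	tampered := asym
	tampered.Intent = "I reject this request."
	fmt.Println("altered Ed25519 record verifies:", VerifyAsymmetric(pub, tampered))
}
```

Run it with `go run`. The altered records fail verification under both schemes, which is the integrity property in the table above; the difference is that the holder of the shared key can re-sign the altered HMAC record and it verifies again, so the symmetric row cannot by itself support non-repudiation, whereas the Ed25519 verifier holds only the public key. In practice the signer's private key belongs in a hardware token or HSM, and the certificate that carries the public key should be issued under a CPS of the kind described in the next section.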

Certification Practice Statement

A Certification Practice Statement (CPS) is a statement or policy describing the practices a certificate authority follows in issuing and managing its digital certificates.

A standard CPS outlines the certificate authority's practices concerning:

  • issuing
  • renewing
  • revoking
  • validation

An excellent CPS includes the certificate authority's practices concerning:

  • all standard CPS content
  • liabilities
  • financial responsibilities
  • governing laws
  • compliance/audit standards and frequencies

Whenever feasible, a CPS should be obtained from either the

Responsibilities

This policy identifies the following responsibilities as assigned to those cited below.

Role

Individual/Group

Contact Information

Comply with

All RF staff

n/a

Policy Executor(s)

Joshua B. Toas,

Chief Compliance Officer & Assistant Secretary

Office of Compliance Services

(518) 434-7145

Joshua.Toas@rfsuny.org


Related Documents

Below are related documents and policies required to complete the procedures or that provide other relevant information or instructions.

The following resources can be used for additional guidance

Document Name

Location

RF Data Use Policy

Acceptable Data Use and Security of RF Data and Information Technology Policy

RF Confidential Information Policy

Confidential Information Policy

RF Electronic Records Management Policy

Electronic Records Management Policy

RF Guidelines for Protecting Research Foundation Data

Guidelines for Protecting Research Foundation Data

New York State Office for Technology

New York State Office for Technology

Federal Electronic Signatures in Global and National Commerce Act

Federal Electronic Signatures in Global and National Commerce Act

Change History

Date

Change History

13-May-11

Updated policy executor and responsible party to Mike Bartoletti.

7-Oct-09

New Policy.

Effective Date: 7-Oct-2009

Responsible Party: Joshua Toas

Contact Information: (518) 434-7145

Document Type: Policy

Version: v1.0

Copyright © 2009 The Research Foundation of State University of New York


Copyright © 2012 The Research Foundation for The State University of New York