Electronic Signature Policy

Definitions

The following terms are used in this policy.

Term

Definition

Electronic Signature

An electronic signature is a paperless method used to authorize or approve documents which indicates that a person adopts or agrees to the meaning or content of the document.

Federal (the federal E-Sign law) and New York state law (The Electronic Signatures and Records Act or “ESRA”) define an electronic signature as: “an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the record.”

Basis for Policy

The following laws were enacted to support the use of electronic signatures.

Law

Definition

Federal Law

The federal government authorized the use and acceptance of electronic signatures in The Electronic Signatures in Global and National Commerce Act (E-Sign).

NYS Law

The Electronic Signatures and Records Act (ESRA), the New York state law which authorizes the acceptance of electronic signatures in most documents, went into effect in August of 1999. The Act was updated in 2002 to make New York state law consistent with the federal E-Sign law. The act provides that "signatures" made via electronic means will be as legally binding as hand-written signatures. It does not mandate the use of, or require a specific form of, electronic signature.

Those choosing an electronic signature method can be assured that the electronic signature will be given full legal effect under federal and state law if the signature method conforms to the standards outlined in the policy.

Exceptions

E-Sign and ESRA contain exceptions to the general standard that electronic signatures are afforded full legal effect. These exceptions indicate when an electronically signed document is not afforded the same legal standing as a handwritten signature. Most of these exceptions would not apply to the RF. In general, a handwritten signature may be required for documents or notices pertaining to:

the transfer of real property
eviction and foreclosure
cancellation of health insurance
the Uniform Commercial Code.

Policy

The RF allows the use of electronic signatures as an acceptable alternative to an original signature for those documents requiring signature or acknowledgement in accordance with minimum standards. This policy is intentionally flexible, allowing campus operations managers or central office department vice presidents, as applicable, to approve implementation of electronic signatures.

Note: The policy does not mandate the

use of an electronic signature
application to those internal operational type documents which require an informal routing or acknowledgement
method or software utilized for any specific need, so long as the method adopted conforms to the minimum standards outlined in this policy
(See Technology Guidelines below)

Minimum Standards

Use of an electronic signature must be in accordance with the following minimum standards, consistent with NYS issued guidelines. Compliance with these standards helps to ensure the validity of an electronic signature.

Step	Action
Preparation	Obtain approval from operations manager or central office departmental vice president to implement the use of electronic signatures. Determine that electronic signature methodology will be made in accordance with the specific standards outlined in this policy. Verify that electronically signed documents going to external agencies abide by guidelines set forth by the external agency and meet the requirements of the receiving organization.
Processing	Provide opportunity for the signer to review the entire document or content to be signed prior to applying an e-signature. Make it impossible for an e-signature to be applied to a document without the signer having been informed that a signature is being applied. Allow the signer’s intent to be expressed as part of the record or in a certification statement submitted with and linked to the signed record.
Signature Retention	Record the date, time, and fact that the signer indicated his or her intent and retain this information for evidentiary purposes. This may be different than the time the signer accessed the application or was authenticated. Retain all electronically signed documents in accordance with the RF Electronic Records Management Policy and the Record Retention for Person Related Records guideline.

Implementation

Security and Risk

Operating locations that choose to use electronic signatures must ensure a proper level of security and ability to link the signed document with the signer. This policy does not supersede any law or scenario wherein a written signature is specifically required (see above for specific exceptions).

Various technologies support different levels of security, authentication, record integrity and record retention. Solutions for making an electronic signature trustworthy must address the following security concerns:

Function	Provides
Confidentiality	Protects content from unauthorized access so that only the intended audience can view it
Authenticity	Assures that the document truly comes from the signer
Integrity	Detects unintentional or malicious alteration and prevent signer from refuting a electronic signature document
Security	Maintains security of document from origination through the entire business process
Accessibility	Allows access to document across all platforms

The RF recommends that operating locations that are considering using electronic signatures:

perform and document an internal risk assessment to assist with identifying the risk(s) around the objective(s) including but not limited to compliance,
potential legal issues, and significance
evaluate business and technological solutions against their potential to mitigate risk

Technology Guidelines

There are a number of approaches to implementing the use of electronic signatures. The technology approach selected should support the minimum standards outlined in this policy. When choosing a technology, consider the significance of the business requirement as it relates to electronic signatures. For instance, applying an electronic signature to an e-mail might be fine, but additional validation or security in other situations may necessitate password protection or encryption. A combination of technologies may be warranted to mitigate risks.

Examples of technology that support digital signatures that may work for various RF related projects or documents include

Technology Approach	Provides that signer or signature is …
Click Through or Click Wrap	asked to click a button to demonstrate intent
Personal Identification Number (PIN) or Password	asked to enter identifying information
Signature Dynamics	authenticated through automated analysis
Biometrics	authenticated by physical characteristics prior to applying his or her signature
Shared Private Key (Symmetric) Cryptography	authenticated by using a single cryptographic key (encrypts and decrypts message). This method should only be used if the keys are changed regularly to ensure a higher level of security
Public/Private or Asymmetric Cryptography (PKI) – Digital Signature	authenticated by using two cryptographic keys one private and one public (encrypts and decrypts message)

Note: Other methods may be developed which incorporate applicable minimal standards, this list is not meant to be inclusive.

Certification Practice Statement

A Certification Practice Statement (CPS) is a statement or policy describing the compliance practices of a certificate authority concerning his or her digital certificates.

A standard CPS outlines

An excellent CPS includes

Digital certificate authority concerning

issuing
renewing
revoking
validation

Digital certificate authority concerning

all standard CPS content
liabilities
financial responsibilities
governing laws
compliance/audit standards and frequencies

Whenever feasible, a CPS should be obtained from either the

vendor providing digital certificate services to the campus or central office or other covered entity
responsible administration that manages the service when a campus, central office or other covered entity provides their own certificate
services infrastructure

For more detailed best practice and technology guidelines, refer to the New York State Office for Technology Web site NYS Best Practice Guideline and NYS OFT Policy PKI Certificate.

The National Institute of Standards and Technology (NIST) Electronic Authentication Guidelines: 800-63 guidelines may also be used to help determine methodology.

Responsibilities

This policy identifies the following responsibilities as assigned to those cited below.

Role

Individual/Group

Contact Information

Comply with

All RF staff

n/a

Policy Executor(s)

Joshua B. Toas,

Chief Compliance Officer & Assistant Secretary

Office of Compliance Services

(518) 434-7145

Joshua.Toas@rfsuny.org

Change History

Date	Change History
13-May-11	Updated policy executor and responsible party to Mike Bartoletti.
7-Oct-09	New Policy.

Effective Date: 7-Oct-2009

Responsible Party: Joshua Toas

Contact Information: (518) 434-7145

Document Type: Policy

Version: v1.0

Feedback
Was this document clear and easy to follow? Please send your feedback to webfeedback@rfsuny.org.

Document Name	Location
RF Data Use Policy	Acceptable Date Use and Security of RF Data and Information Technology Policy
RF Confidential Information Policy	Confidential Information Policy
RF Electronic Records Management Policy	Electronic Records Management Policy
RF Guidelines for Protecting Research Foundation Data	Guidelines for Protecting Research Foundation Data
New York State Office for Technology	New York State Office for Technology
Federal Electronic Signatures in Global and National Commerce Act	Federal Electronic Signatures in Global and National Commerce Act