4
| W H I T E P A P E R |
silanis
Compliance for Electronic
Documents and Signatures
A
s organizations use electronic signature solutions to
move paper-based business processes to electronic
documents and signatures, they have to consider
what impact this will have on their compliance with a wide
variety of laws, regulations and their own business policies.
Although the laws and regulations have existed for some
time that allow most industries and business processes to
be to carried out electronically, many organizations are not Which business activities are affected by using electronic
sure what applies where and how to ensure compliance. documents and signatures
Understanding which factors affect compliance and where
to look for compliance is essential to any organization that
plans on implementing an electronic signature solution in
their business processes:
In summary, what are we complying with:
• Laws – created by federal, state, and local lawmakers,
they affect how business and government is carried out
and usually enforced by civil courts.
• Regulations – issued by government agencies at all
levels and usually enforced at by the same agencies
23
• Business Policies – created by an organization as
We make paperless happen ™
Copyright ©2007 Silanis Technology Inc.
Making Business Records Compliant
internal procedures to enforce accountability in processes
not directly covered by laws and regulations.
As we shall see in the following sections, some laws,
regulations and business policies directly affect the use of
electronic documents such as the ability to use them. Other
laws, regulations and business policies indirectly affect the
use of electronic document signatures because they must
meet specific requirements in order to comply.
Which types of electronic documents and processes are
affected
• Transactional documents to carry out the exchange
of goods and services between businesses, individuals
and governments.
• Regulatory documents used to comply with specific
government regulations.
• Internal procedure documents to comply with business
accountability policies.
• Use and storage of documents
• Signing of documents
• Delivery of documents
REQUIREMENTS FOR ELECTRONIC
DOCUMENTS AND SIGNATURES
There are a variety of requirements for the use of electronic
documents and signatures covered in the various laws and
regulations in force today. However, there are a number of
general requirements for electronic documents and signatures
that will comply with almost all laws and regulations:
1/7
 4
| W H I T E P A P E R |
silanis
Compliance for Electronic
Documents and Signatures
Electronic Signatures – there are five basic requirements that
electronic signatures should fulfill:
• The signer must intend the signature to have the same
force and effect as a signature affixed by hand.
• The signature must be unique to the person using it.
• The signature must be verifiable as belonging to the
user.
• The signature must be under the sole control of the
person using it.
• The signature must be attached or linked to the
document in a way that authenticates the integrity of
the electronic signature and document contents.
The first point is the most essential in the use of signatures
as it addresses the concept of intent. A signature captures
a person’s intent to approve, authenticate or agree to the
contents of a document. Intent is specifically dependent on the
document and the process used to review and mechanism used
to sign. In addition, the signature must be able to demonstrate
that the intent was captured. If the process is weak or poorly
implemented, a signer can dispute the intent of their signature
and render the signed document ineffective. It is important
to remember that most legal disputes over signed documents
are about the intent and not about a fraudulent signature or
document.
The remaining points address the authenticity of a signature
and the document. These are secondary since laws referring to
signatures require the concept of intent but not authenticity
of the signature or document. In fact, authenticity of the
signature and document will relate to the admissibility of
the signed document as evidence into a court of law. If they
are shown to be unreliable or not the usual manner in which
business is conducted, then the document may not be admitted
23 We make paperless happen ™
Copyright ©2007 Silanis Technology Inc.
Making Business Records Compliant
into court and cannot be used to enforce the purpose of the
document.
Meeting the three requirements on signature authenticity
will likely ensure a solution complies with most regulations.
The point concerning the authenticity of the document after
it has been signed is usually addressed in most laws and
regulations by a requirement to ensure the accuracy of a
signed document.
Electronic Documents – Most laws concerning electronic
documents and signatures have two basic requirements for
electronic documents:
i. The electronic document, with or without an electronic
signature, must remain accurate and unchanged over
time.
ii. The electronic document, with or without an electronic
signature, must remain accessible over time.
The first requirement reflects how we expect documents to
behave in general. When dealing with the types of documents
discussed earlier, it is essential that documents do not change
without indicating that it has changed. This is a requirement in
all laws addressing the use of electronic documents. The second
requirement is more specific to the use of electronic records
since it addresses the possibility that an electronic document,
signed or unsigned, may not always be stored in a format or
system that is always accessible to the parties involved with the
document. However, if we choose to use electronic documents
and signatures in our business application, we must be certain
that the stored electronic documents will remain accessible to
various users over the lifecycle of the documents.
2/10
2/7
 4
| W H I T E P A P E R |
silanis
Compliance for Electronic
Documents and Signatures
COMPLIANCE FOR ELECTRONIC RECORDS AND
SIGNATURES IN THE UNITED STATES
There are many laws and regulations in the US that directly
address the use of electronic documents and signatures in
various commercial, government and organizational processes.
There are also some laws that indirectly affect the use of
electronic documents and signatures. This section summarizes
a large portion of the many laws and regulations.
1. Laws, regulations, and guidelines affecting commercial
use
Electronic Signatures in Global and National Commerce
Act (ESIGN) – federal law passed in 2000 enabling the use
of electronic records and signatures across the US for any
transaction relating to the conduct of business, consumer,
or commercial affairs in or affecting interstate or foreign
commerce. It does not apply to any level of government that is
covered by separate laws (see the following section).
• Enable use of electronic records and signatures where
laws require documents and signatures and parties to
agree to use electronic versions.
• Enables electronic transmission of government-
mandated disclosures subject to appropriate consent
from recipient.
• Any record may be retained electronically as long as it
remains accurate and accessible to all entitled parties
for as long as the record is required.
• Allows for the use of an electronic signature
for notarization.
"ONE OF TOUGHEST CHALLENGES ORGANIZATIONS FACE WHEN MOVING THEIR BUSINESS
TO THE WEB IS IDENTIFYING WHAT LAWS, REGULATIONS AND POLICIES APPLY TO THEM,
AND HOW TO GO ABOUT MEETING COMPLIANCE REQUIREMENTS"
23 We make paperless happen ®
Copyright ©2007 Silanis Technology Inc.
Making Business Records Compliant
• An electronic signature means an electronic sound,
symbol, or process attached to or logically associated
with a contract or other record and executed or
adopted by a person with the intent to sign the record.
• Enables use of electronic promissory note for the
purpose of a real estate loan.
Uniform Electronic Transactions Act (UETA) – state-level
equivalent to ESIGN passed in 49 states. Provides very similar
provisions as described for ESIGN.
UCC Article 9-105 – This provision of UCC Article 9 on
Security Instruments enables the use of electronic documents
for equipment leasing and financing contracts. This is referred
to as electronic chattel and is very similar in wording to the
sections in ESIGN and UETA covering electronic notes.
Federal Reserve Board Interim Final Rules on Electronic
Disclosures – These rules establish uniform standards for the
electronic delivery of federally mandated disclosures under five
consumer protection regulations: B (Equal Credit Opportunity),
E (Electronic Fund Transfers), M (Consumer Leasing), Z (Truth
in Lending), and DD (Truth in Savings). Under the rules,
disclosures may be delivered electronically if they obtain
consumers’ consent in accordance with the requirements
of ESIGN and follow guidance on the timing and delivery
of electronic disclosures. For more information, see: Federal
Reserve Release.
3/7
 4
| W H I T E P A P E R |
silanis
Compliance for Electronic
Documents and Signatures
"IF THEY FAIL TO COMPLY, THEY RUN THE RISK THAT THEIR ELECTRONIC RECORDS AND
AGREEMENTS WILL NOT STAND UP IN A COURT OF LAW SHOULD THEY BE DISPUTED BY
THE VARIOUS PARTIES INVOLVED"
Office of Management and Budget (OMB) Guidance on
Implementing ESIGN – this guidance is for federal agencies
that may create regulations on how electronic records and
signatures may be used in specific commercial processes that
they regulate. The following are some key regulations currently
in place:
• Department of Education – regulation regarding use
of electronic signature and records for government-
guaranteed student loans.
• Department of Homeland Security – regulation
regarding use of electronic signature and records
for the I9 employment eligibility form.
• IRS – regulation regarding use of electronic
signature and records for transmission of
employee benefit information (pending).
For more information, see: OMB Guidance on Implementing the
Electronic Signatures in Global and National Commerce Act.
2. Laws, regulations and guidelines affecting government
use
Government Paperwork Elimination Act (GPEA)
Federal law passed in 1998 allowing for the use of electronic
signatures and records by all federal government agencies.
It is much simpler than ESIGN and has only two major
requirements:
• Gives legal effect to electronic records and
signatures when used by federal government
agencies.
• Requires that all federal government agencies
provide for use and acceptance of electronic
23
records and signatures by October, 2003.
We make paperless happen ™
Copyright ©2007 Silanis Technology Inc.
Making Business Records Compliant
Office of Management and Budget (OMB) Guidance on
Implementing GPEA
As required by GPEA, OMB has developed and published
procedures and guidance to federal agencies on their use and
acceptance of electronic signatures. These procedures provide
far more detail on technology requirements for electronic
signatures. For more information on OMB guidelines, see www.
whitehouse.gov/omb/memoranda/m00-10.html.
e-Authentication Guideline
This guideline is published by the e-government e-authentication
Initiative team and addresses the principles and techniques to
be used by government agencies in authenticating any user
that will interact electronically with the government, including
for the purpose of electronic signing. For more information,
see: E-Authentication.
National Archives and Records Administration (NARA)
NARA publishes a number of guidance documents relating
to electronic records management including guidance for
agencies implementing electronic signatures and records. For
more information, see: NARA Electronic Records Management
(ERM) Guidance Guidance on the Web .
State Laws
All US states and territories have enacted laws and regulations
on the use and acceptance of electronic records and signatures
by state and local governments. There are many states where
several laws have been enacted. However, all state laws fall
into one of three categories:
• Technology neutral – in this case any form of
signature is acceptable as long as it meets the
4/7
 4
| W H I T E P A P E R |

silanis
Compliance for Electronic
Documents and Signatures
definition of for an electronic signature.
• Technology preferred – while the law will allow
for any type of signature, certain types are given
a preference by an evidentiary presumption of
validity.
• Technology Specific – a specific form of
technology is specified for use such as an
electronic signature.
It is also worth noting that many state laws also recognize that
digital certificate authorities may optionally be used to create
and distribute certificates to be used in signing. As a result, they
have included in their laws what criteria a certificate authority
must meet to be considered acceptable for use in that state.
The numbers of laws at the state level are numerous and are
covered in detail in various Web sites including E-COMMERCE
LAW RESOURCES and E-Commerce Legislative Tables.
Electronic Recording for County records
There are many documents handled by county recorders. The
most important are real estate documents that consume the
majority of their time and could be streamlined with electronic
recording. There has been a patchwork of laws throughout
various states to allow for various levels of electronic recording.
Recently, a uniform model law was introduced known as the
Uniform Real Property Electronic Recording Act. To date,
nine states have introduced or enacted this law. For more
information see www.pria.us, www.nacrc.org, and www.alta.
org.
Making Business Records Compliant
3. Regulations affecting specific industries
Governments at all levels have passed regulations regarding
the use of electronic signatures and records in specific areas
that they regulate. Here, we summarize three of the most
widely used sets of regulations.
Health Insurance Portability and Accountability Act (HIPAA)
Enacted in 1996, this broad law covering all aspects of health
insurance contained among many provisions an entire portion
concerning administrative simplification. This part of the Act
required the Secretary of Health and Human Services to adopt
standards related to certain electronic health transactions. The
scope of the covered transactions extends from health care
providers, clearing houses to insurers. The standards cover
several areas related to the use of electronic records and
signatures. Most importantly:
• Data (and the records in which they may be
contained) must be protected physically and
logically to ensure its integrity, confidentiality and
availability at all times.
• Electronic signatures must be based on digital
signature cryptographic technology and ensure
the message integrity, non-repudiation and user
authentication. Additional information on the
various aspects of the Act and its regulations may
be found at The Health Insurance Portability and
Accountability Act of 1996 (HIPAA).

"THE VAST MAJORITY OF LEGAL DISPUTES DON’T INVOLVE PROVING OR DISPROVING

THAT A DOCUMENT WAS SIGNED. THEY INVOLVE PEOPLE’S UNDERSTANDING OF WHAT
WAS SIGNED. IT’S THEREFORE IMPORTANT FOR ORGANIZATIONS TO DISTINGUISH USER
AUTHENTICATION FROM SIGNING INTENT WHEN DETERMINING HOW THEY PLAN TO MEET

23
COMPLIANCE REQUIREMENTS FOR ELECTRONIC DOCUMENTS AND SIGNATURES"

We make paperless happen ™ 5/7

Copyright ©2007 Silanis Technology Inc.
 4
| W H I T E P A P E R |
silanis
Compliance for Electronic
Documents and Signatures
FDA CFR 21 Part 11
This regulation came into effect in 1997 to enable the use of
electronic records and signatures in all companies regulated by
the FDA. Its primary influence has been in the pharmaceutical
and biomedical industries though others such as food and
cosmetic manufacturers are also affected. The regulation
covers any process within these companies that is regulated
by the FDA. The regulation covered electronic records and
signatures separately and in summary:
• Electronic records need to be handled in a secure
environment to protect their integrity and ensure a
secure audit trail of any activities or accesses to
the records. Two environments are defined: open
and closed. A closed environment is controlled by
the organization responsible for creating the records
while an open environment is any other.
• Electronic signatures can come in two forms:
User ID/PIN and Biometric. The User ID/PIN is subject
to various specific controls relating to ensuring their
proper use and maintenance while the Biometric
signature has no specific controls. In both cases, the
electronic signature must be logically associated
with the signature. For additional information, see
Title 21 Code of Federal Regulations.
Federal Aviation Administration (FAA)
In 2002, the FAA issued guidance on the use of electronic
signatures, record keeping systems and manuals. As with other
similar government guidance, standards for electronic records
and signatures are fairly broad. Their requirements are similar
to those described in “Requirements for Electronic Documents
and Signatures”. For more information see AC 120-78 at the
FAA Web site or: Acceptance and Use of Electronic Signatures,
Electronic Recordkeeping Systems, and Electronic Manuals.
23 We make paperless happen ™
Copyright ©2007 Silanis Technology Inc.
Making Business Records Compliant
4. Internal business procedures and sarbannes
There are no laws that directly dictate the use of electronic
records and signatures for internal procedures in non-
governmental organizations. However, the vast majority of
internal procedures are dictated by the need for auditable
controls so that any activity that has a financial impact
may be verified by internal and external auditors and, where
applicable, to comply with the Sarbannes-Oxley Act. Since
there are no laws or regulations specifying standards for the
use of electronic records and signatures, it is left up to the
companies to determine the appropriate systems. In light of
the Sarbannes-Oxley Act, any public company should ensure
that these systems provide sufficient security to address the
potential risk for fraud based on their internal controls.
5. Laws and regulations indirectly affecting use of electronic
records and signatures
Rules on disclosures and consumer agreements
There are numerous federal and state mandated disclosures
affecting various industries that deal with consumers including
financial services, insurance, communications and health.
The recruiting and hiring of employees is also affected by
disclosures. In many cases, the timing and appearance of
presentation is also specified in the laws and regulations.
The various laws enabling the use of electronic records
and signatures do not affect or remove these disclosure
requirements. Therefore, in implementing a system for use
by consumers, one must always respect the requirements of
timing and appearance in electronic disclosures. In many cases,
such as in lending and insurance, the appearance of a paper
document must be preserved in the electronic presentation
since the laws were created with paper documents in mind.
6/7
 4
| W H I T E P A P E R |

silanis
Compliance for Electronic
Documents and Signatures
It should also be noted that in the real-estate industry, the
size and appearance of documents is dictated by the recording
requirements of county recorders.
Gramm-Leach-Bliley Act (GLB) and other privacy laws
GLB was enacted at the federal level to address a number
of privacy issues. Since its enactment, several states have
introduced or enacted similar laws. Some such as California’s
SB-1386 provide much more onerous penalties in the case of
disclosure of a consumer’s personal information. These laws
affect systems handling electronic documents and signatures
because the electronic transmission and storage of personal
information is considered at risk in many cases. These laws
place requirements on the owners of these systems to ensure
there are adequate security systems in place to protect
this information and violation of these requirements carries
significant penalties.
Making Business Records Compliant
US E-Government Act
Enacted in 2002, E-Government uses improved internet-
based technology to make it easy for citizens and businesses
to interact with the government, save taxpayer dollars, and
streamline citizen-to-government communications. Twenty-
four (24) initiatives touching on all areas of government
were created to expand the use of e-government. Many of
these initiatives require the use of electronic documents and
signatures. More information can be found at eGov.
FOR MORE INFORMATION
CALL 1-888-SILANIS OR
V I S I T W W W. S I L A N I S . C O M

USA PATRIOT Act

Enacted following 9/11, this law contains a wide variety of
provisions. Section 326, Verification of Identification has
implications of systems using electronic records and signatures.
This section applies to account openings in financial institutions
and requires that the identity of the applicant be verified. With
an electronic system, appropriate techniques using electronic
verification will be required to authenticate an applicant using
an electronic record and signature.

23 We make paperless happen ™

Copyright ©2007 Silanis Technology Inc.
7/7