1 / 32

Evolving Issues in Electronic Data Collection Workshop Interoperability

Evolving Issues in Electronic Data Collection Workshop Interoperability E-SIGN related multi-state Initiatives. E-SIGN related multi-state Initiatives. 44-7001. Definitions (UETA - Uniform Electronic Transactions Act )

marika
Download Presentation

Evolving Issues in Electronic Data Collection Workshop Interoperability

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Evolving Issues in Electronic Data Collection Workshop Interoperability E-SIGN related multi-state Initiatives

  2. E-SIGN related multi-state Initiatives 44-7001. Definitions (UETA - Uniform Electronic Transactions Act ) 7. "Electronic Record" means a record that is created, generated, sent, communicated, received or stored by electronic means. 8. "Electronic Signature" means an electronic sound, symbol or process that is attached to or logically associated with a record and that is executed or adopted by an individual with the intent to sign the record. 14. "Security Procedure" means a procedure that is employed to verify that an electronic signature, record or performance is that of a specific person or to detect changes or errors in the information in an electronic record. Security procedure includes a procedure that requires the use of algorithms or other codes, identifying words or numbers or encryption, callback or other acknowledgment procedures. SEC. 106. DEFINITIONS (E-SIGN) For purposes of this title: (4) Electronic Record —The term ‘‘electronic record’’ means a contract or other record created, generated, sent, communicated, received, or stored by electronic means. (5) Electronic Signature —The term ‘‘electronic signature’’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

  3. E-SIGN related multi-state Initiatives • E-Signature Law Summary • Arizona A.R.S. 41-132 (by/with state agencies)very specific criteria for linking signature to person (& security of document) • Arizona Electronic Transaction Act (AETA/UETA - in-state commerce) focus on sending/receiving the record “The effect of an electronic record or electronic signature attributed to a person .... is determined from the context and surrounding circumstances at the time of its creation, execution, or adoption, including the parties’ agreement, if any, and otherwise as provided by law.” • federal Electronic Signatures in Global and National Commerce Act (E-SIGN - interstate and international commerce) signed record “remains accessible to all persons who are entitled to access by statute, regulation, or rule of law, for the period required by such statute, regulation, or rule of law, in a form that is capable of being accurately reproduced for later reference, whether by transmission, printing, or otherwise.”

  4. E-SIGN related multi-state Initiatives • E-SIGN • SEC. 104. Applicability To Federal And State Governments. • (b) Preservation Of Existing Rulemaking Authority.— • (2)(C) such agency finds, in connection with the issuance of such regulation, order, or guidance, that— • (i) there is a substantial justification for the regulation, order, or guidance; • (ii) the methods selected to carry out that purpose— • (I) are substantially equivalent to the requirements imposed on records that are not electronic records; and • (II) will not impose unreasonable costs on the acceptance and use of electronic records; and • (iii) the methods selected to carry out that purpose do not require, or accord greater legal status or effect to, the implementation or application of a specific technology or technical specification for performing the functions of creating, storing, generating, receiving, communicating, or authenticating electronic records or electronic signatures.

  5. E-SIGN related multi-state Initiatives • E-SIGN • SEC. 104. Applicability To Federal And State Governments. • (3) Performance Standards.— • (A) Accuracy, Record Integrity, Accessibility.— • Notwithstanding paragraph (2)(C)(iii), a Federal regulatory agency or State regulatory agency may interpret section 101(d) to specify performance standards to assure accuracy, record integrity, and accessibility of records that are required to be retained. Such performance standards may be specified in a manner that imposes a requirement in violation of paragraph (2)(C)(iii) if the requirement • (i) serves an important governmental objective; and • (ii) is substantially related to the achievement of that objective. • Nothing in this paragraph shall be construed to grant any Federal regulatory agency or State regulatory agency authority to require use of a particular type of software or hardware in order to comply with section 101(d).

  6. E-SIGN related multi-state Initiatives August 10 & 11, 2000 - California Secretary of State sponsored a Multi-State Digital Signature Summit“in an effort to pool the collective expertise of state policy executives and technology experts and identify ways to remove barriers to the implementation of digital signature technology.” Discussion about E-SIGN at that meeting lead to - Sept 6, 2000 - National Governors’ Association (NGA) hosts meeting regarding state issues relating to implementation of the federal Electronic Signatures in Global and National Commerce Act(E-SIGN). Focused on prospective preemption of state laws, interoperability among states and retention requirements for state agencies. That meeting led to NECCC being charged with coordinating four E-SIGN forums: Legal, Policy, Security/Privacy, and Interoperability.

  7. E-SIGN related multi-state Initiatives • “The primary effect of E-SIGN should be on private entities that wish to use electronic signatures and electronic records as they conduct business. States should only be affected in so far as their activities must recognize and accommodate the use of electronic signatures and electronic records in the private sector.” • “Another area where states should be prepared to deal with electronic signatures and documents is in their use in court. Although specific court documents, such as briefs, are exempted from E-SIGN, electronic contracts admitted as evidence are not.” • What Governors Need to Know About E-SIGN: The Federal Law Authorizing Electronic Signatures and Records,NGA whitepaper, August 1, 2000 States will need to be prepared to accept private entity documents as evidence in courts and by any state agencies regulating those entities,including private entity documents originally created for another state.

  8. E-SIGN related multi-state Initiatives E-SIGN Interoperability forum Vision Statement December 2000 E-SIGN: “Electronic Signatures in Global and National Commerce Act.” “Using electronic signatures means creating signed electronic documents. This forum will begin by asking ‘how do we get from technology neutral e-signatures statutes to agreement about what are sharable, trustworthy signed electronic documents (things that are reliable, usable, authentic, and having integrity)?’” E-SIGN Forums met for a day and a half before the NECCC annual conference in December, 2000.

  9. E-SIGN related multi-state Initiatives • The Interoperability forum defines the essential requirements for a formally formed electronic signature as follows: • Secure electronic signatures • A signature is a secure electronic signature if, through the application of a security procedure, it can be demonstrated that the electronic signature at the time the signature was made was all of the following: • Unique to the person using it. • Capable of verification. • Under the sole control of the person using it. • Linked to the electronic record to which it relates in such a manner that if the record were changed the electronic signature would be invalidated.

  10. E-SIGN related multi-state Initiatives • The Interoperability forum defines the essential requirements for a formally formed electronic record as follows: • Secure electronic records • If, through the ongoing application of a security procedure, it can be demonstrated that an electronic record signed by a secure electronic signature has remained unaltered since a specified time, the record is a secure electronic record from that time of signing forward.

  11. E-SIGN related multi-state Initiatives It is recognized that there are many processes to form these signatures and documents. There are also varying levels of certainty desired for identifying a person, attributing a signature to them and assuring the integrity of the signed document. The next step is to define technology neutral classes of Trust Policies that define the requirements for different levels of signatures (and the levels of assuring the integrity and authenticity of the document).

  12. E-SIGN related multi-state Initiatives • These Trust Policies for both secure electronic signature and secure electronic document will allow this group to roughly answer: • If a secure electronic signature is formed using PKI then it also needs... define registration requirements for each Trust Policy, • define PKI specific requirements for each Trust Policy (including how to allow for PKI bridging solutions), etc. to be generally recognized by agencies in various states as in an acceptable format. • If a secure electronic signature is formed without using PKI then it also needs... define registration requirements for each Trust Policy, define technology specific requirements for each Trust Policy, define how/if to allow for bridging solutions(?), etc. to be generally recognized by agencies in various states as in an acceptable format. • If a secure electronic record is formed using XML then it also needs... to be generally recognized by agencies in various states as in an acceptable format. For example, how a PDF document is signed may differ from how an XML document is signed.

  13. E-SIGN related multi-state Initiatives • The NECCC “face-to-face” meeting led to agreement to focus on concrete types of signing that we could build principles around. The agreement was to look at three specific processes: • e-notary, • e-mall/procurement, and • HIPAA driven healthcare data/document exchanges. • These cover the signatures range that was discussed in the face-to-face sessions going from closed EDI style (e-mall/procurement) to more open-ended signing contexts (e-notary).

  14. Federal Policy - Department of the Treasury The Financial Management Service of the US Department of the Treasury has issued (12/22/00) a final version of its Electronic Authentication Policy, for Federal payment, collection, and collateral transactions conducted over open networks such as the Internet. http://www.fms.treas.gov/eauth/index.html

  15. Section 5. Risk Model (Department of the Treasury) (a) All payment, collection, and collateral transactions must be properly authenticated, in a manner commensurate with the risks of the transaction. For any given Federal agency cash flow or program (e.g., corporate user fees, benefit payments, excise taxes, retail product sales, investment collateral, etc.) Federal agencies shall assess overall risk and determine the appropriate electronic authentication technique in accordance with the following risk model. (1) The three general factors used to determine the overall risk of Federal payment, collection, and collateral transactions are: risk of monetary loss, reputation risk, and productivity risk. (2) The risk of monetary loss is determined using a variety of elements, including but not limited to: .... (3) The reputation risk to the Government in the event of a breach or an improper transaction is determined using elements such as: .... (4) Productivity risk associated with a breach or improper transaction is determined using elements such as: ....

  16. Department of the Treasury • Electronic Authentication forms based on risk assessment • smart card PKI • PC based PKI • PIN • none

  17. E-SIGN related multi-state Initiatives • What is a “signature”? • Consider the reasons to use a secure electronic signature(the “legal” reasons for a formal signature - wet or electronic): • 1. to identify the person signing (the identification function); • 2. to indicate that person's approval of the information contained in that data message (the authentication function); • 3. to indicate that the record has not been altered (the integrity function).

  18. E-SIGN related multi-state Initiatives Earlier: “This initial study led to a detailed description of the electronic record. We determined that an electronic record had to be a fully self-documenting object. We chose to describe these objects in eXtensible Markup Language (XML), a text based standard. We determined that an electronic record was made up of one or more documents, contextual information relating this record with other records, and evidential integrity checks.” Victorian Electronic Records Strategy Final Report This can be turned around - a fully self-documented electronic record requires a secure electronic signature to identify the signer, uniquely link the signer’s intent to the document and to assure the integrity of the document. But there are varying levels of certainty desired for identifying a person, attributing a signature to them and assuring the integrity of the signed document.

  19. E-SIGN related multi-state Initiatives What is EDI? Electronic Data Interchange (EDI) is the computer-to-computer exchange of business-related documents in a structured, machine processable format. These documents may be purchase orders, invoices, payment remittances and shipping notices between the State of Ohio and its "trading partners." A trading partner, in EDI parlance, is a supplier, customer, subsidiary or any other organization with which the state of Ohio does business. EDI differs from e-mail and fax. Although both of these methods of transferring documents are electronic, both are unstructured and free-form in the way they are presented. This means that information received via e-mail or fax must be rekeyed and reinterpreted before it can be processed by a computer application. EDI, on the other hand, requires that the information be organized in a structured format which can be easily interpreted and processed by a computer application. Ohio - http://www.state.oh.us/ecedi/welcome.htm

  20. How EDI Works - Briefly (Ohio continued) EDI involves taking a standard computer flat file and reformatting the file into a structured EDI format. This format complies with specific industry standards. This reformatting process is performed by a specialized software program called an EDI translator. Once the file has been put into a structured format, it is transmitted over telephone lines to a third party network. The third-party network called a Value Added Network (VAN) provides a service much like a post office. The VAN receives the transmitted documents and places these documents into an electronic mailbox for the receiving party to pick up. By dialing into the network, the receiving party can access its mailbox and retrieve the transmitted documents. Once the electronic documents have been accessed by the receiving party, the documents once again can be processed through an EDI translator. The translator takes the documents, which are still in EDI format, and translates them into a standard computer flat file. This flat file then can be formatted into a report and printed out or sent directly into a company's computer application for processing.

  21. E-SIGN related multi-state Initiatives Summary different Trust Policies for different processes (& different risks)

  22. Q & A E-SIGN related multi-state Initiatives Russ Savage Electronic Transactions Liaison Arizona's Office of the Secretary of State rsavage@mail.sosaz.com 602.542.2022 602.418.3094 (cell phone) http://www.sosaz.com/pa additional E-SIGN information http://www.state.tx.us/EC/E-SIGN.htm

  23. Evolving Issues in Electronic Data Collection Workshop Interoperability Electronic Signatures Framework formulti-state Interoperability(Thoughts on what’s next)

  24. Electronic Signatures Framework for multi-state Interoperability • What is a “signature”? • Consider the reasons to use a secure electronic signature(the “legal” reasons for a formal signature - wet or electronic): • 1. to identify the person signing identify (the identification function); • 2. to indicate that person's approval of the information contained in that data message (the authentication function); intent • 3. to indicate that the record has not been altered (the integrity function). record integrity

  25. Electronic Signatures Framework for multi-state Interoperability • fully self-documented electronic record (e.g. PKI/XML) (evidence based on test of record) • fully trustworthy record/document system (e.g. EDI) does not have self-documented electronic records (evidence based on testimony about the system) • fully self-documented electronic record in a fully trustworthy document system (e.g. PKI/XML/EDI) • fully trustworthy record/document system does not have self-documented electronic records butcan reliably export aself-documented electronic record (e.g. From EDI to PKI/XML)

  26. Electronic Signatures Framework for multi-state Interoperability Why the fuss about e-signature & e-documents?Because some of mine will migrate to your place and some of yours will migrate to my place.And they need to be readable and verifiable at both places.Trust policies form the foundation. Interoperabilitygetting from here to over there

  27. Electronic Signatures Framework for multi-state Interoperability Arizona’s Notary Act

  28. Electronic Signatures Framework for multi-state Interoperability Arizona’s Electronic Notary Act Electronic Notary in the Presence of a Notary

  29. Electronic Signatures Framework for multi-state Interoperability Arizona’s Electronic Notary Act Electronic Notary without the presence of a Notary

  30. Electronic Signatures Framework for multi-state Interoperability • What is a “signature”? • Consider the reasons to use a secure electronic signature(the “legal” reasons for a formal signature - wet or electronic): • 1. to identify the person signing (the identification function); • 2. to indicate that person's approval of the information contained in that data message (the authentication function); • 3. to indicate that the record has not been altered (the integrity function). • Notarization accomplishes these - • even if the person only makes their mark.

  31. Electronic Signatures Framework for multi-state Interoperability Summary Multi-state reciprocity on electronic notary can reduce the complexity of other interoperability issues by allowing generalized cross-jurisdiction “copy certification” of non-self-documenting records. Arriving at electronic notary reciprocity will address nearly every interoperability issue. The solutions found for it can form the basis for general principles in other interoperability situations. Any issues not addressed will likely surface in the HIPAA and e-mall/e-procurement processes that the E-SIGN Interoperability forum will explore this year. Participation in the E-SIGN Interoperability forum is open to any state employee wishing to participate in finding common e-signature practices across the states.

  32. Q & A Electronic Signatures Frameworkfor multi-state Interoperability Russ Savage Electronic Transactions Liaison Arizona's Office of the Secretary of State rsavage@mail.sosaz.com 602.542.2022 602.418.3094 (cell phone) http://www.sosaz.com/pa

More Related