e-Signature Legislation Takes Effect

The Electronic Signatures in Global and National Commerce Act, the legislation allowing the use of “e-signatures” in transactions, takes effect this month. The Act gives certain encrypted certificates the same legal authority as written signatures, ushering in a new role for encryption in the United States.

ENT staff reporter Christopher McConnell spoke to Michael Rothman, founder and executive vice president of Shym Technology Inc., an encryption infrastructure vendor. Rothman has a broad range of experience in networking and security, spending time as the vice president of the META Group's Global Networking Strategies service, tracking developments in information security, e-commerce, and global communications services.

ENT: What verticals do you expect to first implement e-signature infrastructures?

MR: When you think about how a lot of these transactions are starting to happen, really where you have a lot of regulatory oversight those tends to be the vertical markets where it seems to be making a lot of sense to be moving to e-signatures and those would be the financial institutions as well as health care - places where there’s a lot of consumer privacy is a huge issue so the capability to encrypt many of those messages using digital certificates becomes critical.

The HIPPA Act, the Health Care Information Protection and Privacy Act, really does require how a lot of that data to be stored, who is supposed to access it, and the fact that it has to have integrity in terms of the messages that are sent back and forth. There’s a lot of regulatory things that are going to drive people in those specific verticals to adopt e-signatures sooner than some of the other organizations.

ENT: What prompted Congress to pass the e-signature legislation? Was it the technology sector?

MR: It’s always hard to pinpoint the specific lobbying has taken root. At the time the law was passed, there were 48 states accepting e-signatures. There was pressure to get some measure of federal oversight to keep the states from going in their own direction.

Now, we have a legal construct in the form of the federal legislation, as well as the state legislation, you know we’re moving towards that time where we can specifically define what a legally binding e-signature looks like.

From my perspective, the greatest impact of this law is to bring to light the fact that there is technology out there that can provide the same measure of authenticity in the online world as through pen and paper in the offline world.

ENT: What practices are involved in an e-signature implementation?

MR: The Federal Law is certainly very nebulous in terms of specific technologies they recommend or the processes that need to be put in place to actually issue a credential and used in a transaction.

In terms of this law having a little rule book saying how to design a product to meet the requirements of this law, [the law is] just not cooked that way to be able to build the product’s requirements. You talk to customers and ask “What do they need to solve their business problems?” and then you work with them.

ENT: How are e-signatures assigned? On an individual or company level?

MR: A lot of that is going to be determined by the specific problem the organization is trying to solve. In some cases a company does centralized purchasing, an e-signature assigned to an organization could be binding in specific trading partnerships. If you’re sending secure email, on the other hand, everyone that wants to send mail would have to have a certificate.

Chris: What kinds of challenges do you foresee IT administrators having implementing an e-signature infrastructure?

MR: [At Shym] we like to think we take care of all of them. But the underlying technology infrastructure at work is the digital certificate and the public key infrastructure that actually issues the digital certificate. PKI right now is a very complex and very costly technology to actually deploy.

What we’re doing at Shym is working hard to add application security integration, helping users integrate e-signatures into their core web and enterprise applications. Today, they’re really going to have to spend a lot of time building this core infrastructure themselves, because it’s just not available from the existing digital certificate vendors.

ENT: What do you see for the encryption market, now that the law has taken effect?

MR: Working within a specific technology company, you always want to find that big theme, that huge opportunity that over time everyone is going to have to be involved in, and I believe that e-signatures is a huge part of that. When you think about where people are projecting the whole B2B or even B2C transaction and commerce environments that we’re moving towards, we’re talking about a multi-trillion dollar opportunity.

The problem the security industry has had for many, many years is finding a legitimate business problem we can attack. Signatures is something you can apply directly to a business environment. “How much more business can we do with X company if we streamline our customer’s interaction with us?” In some cases the savings could be very significant. That becomes a real business imperative.

ENT: One of the things you keep touching on is how the government is sanctioning PKI, and it makes me wonder, does this signify a transition between today and the previous export control controversy surrounding Pretty Good Privacy (PGP)? Do you think the government is changing its stance on encryption in general?

MR: Oh, it sure is. Basically the elimination of the export controls was an indication that that was an untenable notion and process. Over time, it really was impacting United States technology companies from taking advantage of global market opportunities for security solutions.

I wouldn’t assume that the government has this “master plan” to put e-signature legislation in place to drive security technology that originated in the US. (laughs) It’s just not that kind of situation. It really ended up being a lot of the agencies, a lot of the lobbies, and a lot of the government being forced to take a position on e-signatures.

The other thing I would caution about is: there is no specific mandate that PKI is the technology required for the e-signature law. Anyone who is technical in nature is going to sit there and go “there really isn’t many other options to do e-signatures, if you’re not talking about PKI.” The law was fairly nebulous in its entirety – the reality is PKI is the only technology available today that can meet that need.


Shym Technology Inc., Needham, MA, www.shym.com