ELECTRONIC SIGNATURES, ELECTRONIC TRANSACTIONS AND ELECTRONIC RECORD MANAGEMENT FOR STATE FORMS - 1734-DEC-2020
Purpose
This policy requires that all forms designed to be completed by internal or external customers (public or private sector entities) conducting business with the State of California, whether standard (STD) or agency forms, be available in an electronic format. Agencies shall use electronic signatures (hereafter “e-Signatures” or “e-Sign”) in place of a wet signature unless prohibited by law.
This policy identifies the permissible types of e-Signatures, electronic transactions, and electronic records (hereafter “e-Records”) when utilizing forms for state business.
Scope
This policy applies to all business processes conducted using forms managed by Forms Management Center (FMC) including STD forms and agency business-use forms. This policy enables state agency staff to conduct transactions electronically, to accept e-Signatures by other parties, and to sign agreements on the agency’s behalf by using an e-Signature. This policy does not waive or modify any requirement or limitation as to which officers and employees are authorized to bind their agency to a contract.
This policy does not affect a state agency’s right or obligation to have forms be provided or made available in alternate formats when required by applicable policies, laws, or regulations.
Background
Federal legislation known as the Electronic Signatures in Global and National Commerce Act made electronic contracts and e-Signatures as legal and enforceable, with some exceptions, as traditional paper contracts and forms signed in person.
Following the federal government’s lead, California adopted the Uniform Electronic Transactions Act (California Civil Code § 1633.1-1633.17), which establishes the legal validity of e-Signatures and contracts in a manner similar to the federal law.
California law was revised to make clear that the state is authorized to use any type of e-Signature. See AB 2296 (Chapter 144, Statutes of 2016), effective 1/1/17.
Policy
State agencies shall ensure all forms are digitally available and can accept e-Signatures. When an electronic form is transmitted to a state agency, the chain of approval of all those required to sign that document must be clear and unambiguous. All parties required to sign must have unequivocally approved the same document.
Agency Responsibilities
When implementing the use of e-Signatures, agencies shall:
- Implement an e-Signature policy;
- Implement confidentiality procedures to address accurate identification, authentication, authorization, and accountability;
- Implement integrity procedures to address non-repudiation;
- Maintain an e-Record management procedure to ensure electronic form storage and availability;
- Ensure processes and technologies are in place to accept and enable the use of e-Signatures;
- Format forms requiring signatures to accept e-Signatures.
The Department of General Services (DGS) and FMC permit the use of the following e-Signatures, transactions and record management activities in conducting state business with STD or Agency forms:
- Electronic Signatures: State agencies may accept permissible types of e-Signatures from all parties as legally binding and equivalent to handwritten signatures to signify an agreement. Each type of e-Signature will include the date the document was signed. Where state or federal laws, regulations, or rules require a handwritten signature, that requirement is met if the document contains an e-Signature unless otherwise prohibited by policies, laws, or regulations. Electronic forms must clearly and unambiguously show the chain of approval of all parties required to sign that document.
- Electronic Transactions: State business operations utilizing forms can now be completed electronically. In some cases, state agencies may have a legal obligation to collect a wet signature. In such cases, some forms will still need to be submitted to the agency in paper format. These requirements may change over time as technology adoption is implemented into policy.
- Record Management: An e-Record may serve as the official copy of a business-related document. All relevant records, including e-Records, shall be maintained in a reliable recordkeeping system. Business conducted by electronic means shall be fully documented to meet recordkeeping requirements. Records shall be retained or disposed of in accordance with the approved records retention schedules stated in California State Records and Information Management (CalRIM) as supported by the State Contracting Manual (SCM) and the State Administrative Manual (SAM) 1600 et seq.
Types of E-Signatures Permitted for Use on State and Agency Forms by State Agencies
Only the following types of e-Signatures (further defined below) can be used on forms by state agencies.
- Name Typed or Stamped
- Recorded Voice
- Personal Identification Number (PIN) or Password
- Digitized Image of Handwritten Signature
- Digital Signature
Permissible Types of E-Signatures Explained
The permissible types of e-Signatures are explained below.
A form needs to include a statement confirming agreement (for example: “I confirm”, “I agree”, or “I accept”) that is tied to the e-Signature to create a binding electronic record. Most business use forms already include this language above the signature block.
- Name Typed or Stamped: A person signing or stamping a form electronically does so by typing or stamping their name in the designated signature field with a statement confirming agreement.
- Recorded Voice: While a voice recording could be considered an electronic signature, simple voice recordings may not establish intent of agreement. Many voice systems include an additional step such as keypad verification to confirm agreement. To use a recorded voice as an e-Signature, it must:
  - Be associated with the speaker;
  - Be associated with a specific document or record;
  - Show evidence of the speaker’s intent to be bound to the terms and conditions in that specific document or record;
  - Be captured in electronic format.
- Personal Identification Number (PIN) or Password: When using a PIN or password for an e-Signature, a person accessing an application is requested to enter identifying information, which may include an identification number, the person’s name and a "shared secret" (called "shared" because it is known to both the user and the system), such as a PIN and/or password. The system checks that the PIN and/or password is indeed associated with the person accessing the system and "authenticates" the person. Sometimes the entry of some personal information (for example: name or date of birth) along with the PIN and password is also required.
- Digitized Image of Handwritten Signature: A digitized signature is a graphical image of a handwritten signature. Some applications require a person to create a handwritten signature using a special computer input device, such as a digital pen and pad. Digitized signatures are most often used in face-to-face consumer transactions using credit cards. Some applications can compare the digitized representation of the entered signature with a stored copy of the graphical image of the signature. A digitized signature may be another form of shared secret known both to the person and to the system. Forging a digitized signature can be more difficult than forging a paper signature because the technology that compares the submitted signature image with the known signature image is more accurate than the human eye.
- Digital Signatures: The California Secretary of State has established regulations for Acceptable Technologies for Digital Signatures. See California Code of Regulations, Title 2, § 22003. There are two main types of digital signatures, one using Symmetric Cryptography and the other using Asymmetric Cryptography.
  - Symmetric Cryptography or Shared Private Key: In this e-Signature method, a person electronically signs using a single cryptographic key that is not publicly known, for authentication purposes. The same key is used to sign a document and verify the signer’s identity and is shared between the signer and the entity hosting the transaction requiring the signature.
  - Asymmetric Cryptography or Public/Private Key: To produce a digital signature, two mathematically linked keys are generated - a private signing key that is kept private, and a public validation key that is publicly available. The two keys are mathematically linked, but the private key cannot be deduced from the public key. The public key is often made part of a "digital certificate," which is a digitally signed electronic document binding the individual’s identity to a private key in an unalterable fashion. Digital signatures are often used within the context of a Public Key Infrastructure (PKI) in which a trusted third party known as a Certification Authority binds individuals to private keys and issues and manages certificates.
Definition of Key Terms
- Authentication: The process of securely verifying the identity of an individual prior to allowing access to an electronic service.
- Automated Transaction: A transaction conducted or performed, in whole or in part, by electronic means or electronic records, in which the acts or records of one or both parties are not reviewed by an individual in the ordinary course in forming a contract, performing under an existing contract, or fulfilling an obligation required by the transaction.
- Electronic: Relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
- Electronic Agent: A computer program or an electronic or other automated means used independently to initiate an action or respond to electronic records or performances in whole or in part, without review by an individual.
- Electronic Record: A record created, generated, sent, communicated, received, or stored by electronic means.
- Electronic Signature: An electronic sound, symbol, or process attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the electronic record. For purposes of this title, a “digital signature” as defined in subdivision (d) of Section 16.5 of the Government Code is a type of electronic signature.
- Information: Data, text, images, sounds, codes, computer programs, software, databases, or the like.
- Record: Information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.
- Security Procedure: A procedure employed for the purpose of verifying that an electronic signature, record, or performance is that of a specific person or for detecting changes or errors in the information in an electronic record. The term includes a procedure that requires the use of algorithms or other codes, identifying words or numbers, encryption, or callback or other acknowledgment procedures.
- Transaction: An action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.
- Wet or Original Signature: A signature that is created when a person physically writes a name in a stylized, cursive format (or even a simple “X”) on a piece of paper.