LEGAL AND PRIVACY ISSUES RELATED TO AUTHENTICATION
Net @EDU Annual Meeting
February 2, 2004
Saundra K. Schuster, Esq.
Senior Assistant Attorney General – Ohio
Copyright 2004, Saundra K. Schuster
AUTHENTICATION
FOCUS OF SEMINAR
Identify considerations regarding authentication
Summarize evolution of the law
Discuss relevant law
DEFINITIONS
AUTHENTICATION:
Process of verifying the identity of a user in relation to a “document”
Individual Authentication
Document Authentication
ELECTRONIC SIGNATURE:
An electronic sound, symbol or process attached to or logically associated with a “document” and executed or adapted by a person with the intent to sign the “document”
DOCUMENT OR RECORD:
Information that is inscribed on a tangible medium or stored in an electronic or other medium and is retrievable in perceivable form
AUTHENTICATION CONSIDERATIONS
IDENTITY AUTHENTICATION
The ability of the technology and associated processes to validate the identity of the parties making the entry
Something unique to the individual (i.e. physical or biometric characteristic, such as voice, fingerprint, signature)
Something an individual knows (i.e. PIN or password)
Something the individual possesses (i.e. token)
AUTHENTICATION CONSIDERATIONS
DOCUMENT AUTHENTICATION
Non-repudiation - Ensuring that the “document” has not been altered once created, and has a nexus with the individual associated with the document
PRIVACY/CONFIDENTIALITY
Ensures that a document can’t be used by unintended recipients, even if intercepted
INTEGRITY OF INFORMATION
Information must be protected from unauthorized creation, modification or deletion
LEGAL EVOLUTION OF AUTHENTICATION
Early commercial transactions – barter replaced by negotiation
Banks became focal point for transactions
Authenticated instruments by verifying signatures before making payments
Price v. Neal (1762)
Established liability of banks for forged documents
LEGAL EVOLUTION: ROLE OF SIGNATURES
Visual signature verification was once the sole method to verify authorization of a document
Became cost prohibitive due to volume
Fraud associated with identity subversion is a major concern
Development of expanded Authentication procedures became essential
LEGAL EVOLUTION: UNIFORM STANDARDS
UNIFORM COMMERCIAL CODE (U.C.C.)
Reflects Price v. Neal – est. forgery standard
Says signature may be made manually or by word, mark or symbol if intended to authenticate writing
LEGAL e-FRAMEWORK
Standards for associating an individual with a document and establishing his/her intent to accept or acknowledge its contents grew out of case law and state & federal statutes.
The statutes encompass issues of:
Validity of electronic format
Privacy
Security
E-LAWS: GENERAL
ELECTRONIC RECORDS AND SIGNATURES IN GLOBAL & NATIONAL COMMERCE ACT
E-Sign Law, 15 U.S.C. §7001 (June, 2000)
Allows electronically signed documents the same legal integrity as paper contracts
Does not apply to documents governed by state law
E-LAWS: GENERAL
GOVERNMENT PAPERWORK ELIMINATION ACT (GEPA)
44 USCA §3504 (OCT., 1998)
Applies to Federal Agencies
Encourages use & acceptance of electronic signatures where practicable
Option of electronic maintenance, submission or disclosure of information as a substitute for paper
E-LAWS: GENERAL
FEDERAL RECORDS ACT
44 U.S.C. §3101 & 3301 (1994)
Requires federal agencies to ensure adequate and proper documentation of their policies, decisions, procedures and essential transactions by maintaining “records”
E-LAWS: GENERAL
UNIFORM COMPUTER INFORMATION TRANSACTIONS ACT (UCITA)
July, 1999
Developed as addition to U.C.C. (Art. 2B), evolved to freestanding model law
Applies to licensing of software
Replaces concept of “signature” with concept of “authentication”
To be adopted by the states
E-LAWS: GENERAL
UNIFORM ELECTRONIC TRANSACTIONS ACT (UETA)
(July, 1999)
Purpose of law is to remove barriers to electronic transactions relating to business, commercial and government affairs by validating and effectuating electronic records & signatures
Developed as model state law, currently adopted by 37 states.
PRIVACY
Privacy issue is the ability to obtain sufficient information about individuals in order to authenticate them as the subject of the record while, at the same time, respecting their rights to privacy.
Privacy concerns include:
Misappropriation of the individual’s name or identity
Public disclosure of private facts
Intentional intrusion in confidential information
E-LAWS: PRIVACY
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)
20 U.S.C. §1232G, 34 C.F.R. Part 99 (1974)
Keystone federal privacy law for education
Imposes a cloak of confidentiality around student educational records.
Prohibits institutions from disclosing personally identifiable information without permission
E-LAWS: PRIVACY
ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA)
18 U.S.C. §2510 (1986)
Extended provisions of Federal Wiretap Statute to electronic communications
Prohibits intentional interception, disclosure or use of an electronic communication
Prohibits unauthorized access to or disclosure of electronically stored electronic communications
E-LAWS: PRIVACY
COMPUTER FRAUD & ABUSE ACT
CFAA, 18 U.S.C. §1030
Criminalizes unauthorized access to a protected computer with the intent to obtain information, defraud, obtain anything of value or cause damage to the computer
E-LAWS: PRIVACY
PRIVACY ACT
5 U.S.C. §552a (1998)
Imposes certain restrictions on agency use of personal data.
Congress primarily concerned with use of sophisticated information systems
Requires agency provide notice about how information or records are stored, accessed & used
Provides specific standards for computer matching of electronic records
E-LAWS: PRIVACY
FREEDOM OF INFORMATION ACT
5 U.S.C. §552 (Supp. 1998)
Statute requires release of certain information in public agency records to members of the public upon request
Statute amended in 1998 to clarify the status of electronic records under public access law
All 50 states have “Sunshine Laws” providing access to public documents as well
E-LAWS: PRIVACY
HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT
HIPAA, 45 C.F.R. §160.201-205 (1996)
Enacted to protect the rights of patients & participants in certain health plans
Institutions who are affiliated with health care providers must provide written notice of their provider’s electronic communication practices
E-LAWS: PRIVACY & SECURITY
U.S.A PATRIOT ACT
Public Law 107-56 (October, 2001)
Technology, Education and Copyright Harmonization Act (TEACH)
H.R. 2215 (Nov., 2002)
Gramm-Leach-Bliley Act
15 U.S.C. §6801 (1999)
RISKS & LIABILITIES
Schools are vulnerable to suits under common law negligence if they fail to protect against disclosure of electronic records
Schools may face liability for improperly releasing or allowing access to private information or for employing inadequate security measures for access and information
RISKS & LIABILITIES
LIABILITY CONCERNS:
Schools may be liable from action (commission) that arises when they improperly invade the privacy of others
Schools may also be liable from inaction (omission) that arises when schools fail to implement appropriate security measures and policies to maintain a secure system
CONCLUSION
Laws & regulations follow the lead of electronic transaction technology
Flurry of legal activity resulting in overlapping system of state & federal regulations as well as accrediting & professional organization standards
As abuses & risks are identified, additional legal standards will evolve
As disputes occur, the courts will further identify application of the laws