LEGAL AND PRIVACY ISSUES RELATED TO AUTHENTICATION Net @EDU Annual Meeting February 2, 2004 Saundra K. Schuster, Esq. Senior Assistant Attorney General – Ohio Copyright 2004, Saundra K. Schuster


AUTHENTICATION

FOCUS OF SEMINAR

Identify considerations regarding authentication

Summarize evolution of the law

Discuss relevant law


DEFINITIONS

AUTHENTICATION:

Process of verifying the identity of a user in relation to a “document”

Individual Authentication

Document Authentication

ELECTRONIC SIGNATURE:

An electronic sound, symbol or process attached to or logically associated with a “document” and executed or adopted by a person with the intent to sign the “document”

DOCUMENT OR RECORD:

Information that is inscribed on a tangible medium or stored in an electronic or other medium and is retrievable in perceivable form


AUTHENTICATION CONSIDERATIONS

IDENTITY AUTHENTICATION

The ability of the technology and associated processes to validate the identity of the parties making the entry

Something unique to the individual (e.g. physical or biometric characteristic, such as voice, fingerprint, signature)

Something an individual knows (e.g. PIN or password)

Something the individual possesses (e.g. token)


AUTHENTICATION CONSIDERATIONS

DOCUMENT AUTHENTICATION

Non-repudiation - Ensuring that the “document” has not been altered once created, and has a nexus with the individual associated with the document

PRIVACY/CONFIDENTIALITY

Ensures that a document can’t be used by unintended recipients, even if intercepted

INTEGRITY OF INFORMATION

Information must be protected from unauthorized creation, modification or deletion


LEGAL EVOLUTION OF AUTHENTICATION

Early commercial transactions – barter replaced by negotiation

Banks became focal point for transactions

Authenticated instruments by verifying signatures before making payments

Price v. Neal (1762)

Established liability of banks for forged documents


LEGAL EVOLUTION: ROLE OF SIGNATURES

Visual signature verification was once the sole method to verify authorization of a document

Became cost prohibitive due to volume

Fraud associated with identity subversion is a major concern

Development of expanded Authentication procedures became essential


LEGAL EVOLUTION: UNIFORM STANDARDS

UNIFORM COMMERCIAL CODE (U.C.C.)

Reflects Price v. Neal – est. forgery standard

Says signature may be made manually or by word, mark or symbol if intended to authenticate writing


LEGAL e-FRAMEWORK

Standards for associating an individual with a document and establishing his/her intent to accept or acknowledge its contents grew out of case law and state & federal statutes.

The statutes encompass issues of:

Validity of electronic format

Privacy

Security


E-LAWS: GENERAL

ELECTRONIC RECORDS AND SIGNATURES IN GLOBAL & NATIONAL COMMERCE ACT

E-Sign Law, 15 U.S.C. §7001 (June, 2000)

Allows electronically signed documents the same legal integrity as paper contracts

Does not apply to documents governed by state law


E-LAWS: GENERAL

GOVERNMENT PAPERWORK ELIMINATION ACT (GPEA)

44 USCA §3504 (OCT., 1998)

Applies to Federal Agencies

Encourages use & acceptance of electronic signatures where practicable

Option of electronic maintenance, submission or disclosure of information as a substitute for paper


E-LAWS: GENERAL

FEDERAL RECORDS ACT

44 U.S.C. §3101 & 3301 (1994)

Requires federal agencies to ensure adequate and proper documentation of their policies, decisions, procedures and essential transactions by maintaining “records”


E-LAWS: GENERAL

UNIFORM COMPUTER INFORMATION TRANSACTIONS ACT (UCITA)

July, 1999

Developed as addition to U.C.C. (Art. 2B), evolved to freestanding model law

Applies to licensing of software

Replaces concept of “signature” with concept of “authentication”

To be adopted by the states


E-LAWS: GENERAL

UNIFORM ELECTRONIC TRANSACTIONS ACT (UETA)

(July, 1999)

Purpose of law is to remove barriers to electronic transactions relating to business, commercial and government affairs by validating and effectuating electronic records & signatures

Developed as model state law, currently adopted by 37 states.


PRIVACY

Privacy issue is the ability to obtain sufficient information about individuals in order to authenticate them as the subject of the record while, at the same time, respecting their rights to privacy.

Privacy concerns include:

Misappropriation of the individual’s name or identity

Public disclosure of private facts

Intentional intrusion in confidential information


E-LAWS: PRIVACY

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)

20 U.S.C. §1232G, 34 C.F.R. Part 99 (1974)

Keystone federal privacy law for education

Imposes a cloak of confidentiality around student educational records.

Prohibits institutions from disclosing personally identifiable information without permission


E-LAWS: PRIVACY

ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA)

18 U.S.C. §2510 (1986)

Extended provisions of Federal Wiretap Statute to electronic communications

Prohibits intentional interception, disclosure or use of an electronic communication

Prohibits unauthorized access to or disclosure of electronically stored electronic communications


E-LAWS: PRIVACY

COMPUTER FRAUD & ABUSE ACT

CFAA, 18 U.S.C. §1030

Criminalizes unauthorized access to a protected computer with the intent to obtain information, defraud, obtain anything of value or cause damage to the computer


E-LAWS: PRIVACY

PRIVACY ACT

5 U.S.C. §552a (1998)

Imposes certain restrictions on agency use of personal data.

Congress primarily concerned with use of sophisticated information systems

Requires agency provide notice about how information or records are stored, accessed & used

Provides specific standards for computer matching of electronic records


E-LAWS: PRIVACY

FREEDOM OF INFORMATION ACT

5 U.S.C. §552 (Supp. 1998)

Statute requires release of certain information in public agency records to members of the public upon request

Statute amended in 1998 to clarify the status of electronic records under public access law

All 50 states have “Sunshine Laws” providing access to public documents as well


E-LAWS: PRIVACY

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

HIPAA, 45 C.F.R. §160.201-205 (1996)

Enacted to protect the rights of patients & participants in certain health plans

Institutions who are affiliated with health care providers must provide written notice of their provider’s electronic communication practices


E-LAWS: PRIVACY & SECURITY

U.S.A PATRIOT ACT

Public Law 107-56 (October, 2001)

Technology, Education and Copyright Harmonization Act (TEACH)

H.R. 2215 (Nov., 2002)

Gramm-Leach-Bliley Act

15 U.S.C. §6801 (1999)


RISKS & LIABILITIES

Schools are vulnerable to suits under common law negligence if they fail to protect against disclosure of electronic records

Schools may face liability for improperly releasing or allowing access to private information or for employing inadequate security measures for access and information


RISKS & LIABILITIES

LIABILITY CONCERNS:

Schools may be liable from action (commission) that arises when they improperly invade the privacy of others

Schools may also be liable from inaction (omission) that arises when schools fail to implement appropriate security measures and policies to maintain a secure system


CONCLUSION

Laws & regulations follow the lead of electronic transaction technology

Flurry of legal activity resulting in overlapping system of state & federal regulations as well as accrediting & professional organization standards

As abuses & risks are identified, additional legal standards will evolve

As disputes occur, the courts will further identify application of the laws