Weighing the Risks and Rewards of E-signatures

One of the highlights of the American Association of Managing General Agents' University Weekend, held last August in Scottsdale, Ariz., was a mock trial and panel discussion addressing the use and enforceability of electronic signatures. Many conference participants rose early Sunday morning to attend the lively presentation, entitled “Electronic Signatures–Are They Legally Binding?” Brian T. Casey and Patrick J. Hatfield, partners from the corporate insurance practice roup at the Atlanta office of law firm Lord, Bissell & Brook LLP, gave an overview of electronic signatures and the federal Electronic Signature in Global and National Commerce Act (ESIGN), then served, respectively, as moderator and panelist during an industry roundtable discussion. Rounding out the panel were Tom Gonser, one of the founders of DocuSign, an electronic-signature service; Christopher W. Heidrick, CPCU, CFP, CLU, ChFC, former senior vice president and national product manager for Marsh's Consumer and Small Commercial Practice, current vice president, personal lines marketing for Fireman's Fund Insurance Co. and speaker on the topics of multichannel and Internet distribution; Scott Anderson, CPCU, CIC, CIW, executive vice president of Concorde General Agency Inc.; and Hon. Michael A. Yarnell, a recently retired judge and member of the American Arbitration Association commercial and construction panels.

Following is an edited transcript of the panel discussion:

Brian Casey: Increasingly, the Internet is being used for business communications and transactions, including insurance sales and services. Insurance companies, agents and consumers now have the option of conducting transactions electronically rather than face-to-face. Yet some people may question the validity and legal viability of electronic signatures, especially in online financial transactions. They may wonder if such transactions are safe and if electronically signed contracts are legally binding. Our goal today is to address the issues we think are most likely to be encountered when dealing with an electronically signed document.

Christopher Heidrick: In 2005, more than 60 million Americans filed their federal personal income tax returns electronically. Last year, in Pennsylvania, more than 40% of taxpayers filed their state income tax returns electronically. About 30% of American households and 30% of small businesses do some form of banking and bill-paying online. Many people shop, buy airline tickets and engage in other online transactions that require some form of a signature, so such consumers are already using e-signature technology, and so far the process has routinely been smooth and seamless.

Consumers' greatest concern about e-signatures is the risk of identity theft. Many people believe that if they provide personal financial data online while engaging in a business transaction, they essentially offer up that information to whomever might be lurking in cyberspace. But, according to a recent study conducted by Javelin Strategy & Research, such fear is largely unfounded. Of all the reported cases of identity theft, the study said, only 12% resulted from Internet transactions or other means involving computer technology. The vast majority of thefts were perpetrated by using such low-tech methods as stealing checks from victims' mailboxes or selling account numbers gleaned from credit cards receipts.

Casey: What assumptions might prevent the insurance industry from embracing e-signature technology, and how accurate are those assumptions?

Patrick Hatfield: Let's look at some common myths regarding e-signatures, compare them with related facts, and see how they hold up.

Myth: The risk of using electronic signatures is too high. Documents signed electronically will be difficult to enforce.

Reality: With appropriate workflow, the risks associated with electronic signatures are the same as, or lower than, those associated with traditional paper-and-ink processes.

Myth: The law is not clear on how to prove an electronic contract.

Reality: For more than 10 years, courts have received and accepted computer records as evidence that processes were followed.

Myth: It's unclear whether state statues or federal laws govern the use of electronic signatures for business transactions.

Reality: The federal ESIGN act and the regulations adopted by individual states are so similar that any differences are not significant for basic insurance processes.

In 2000, Congress enacted ESIGN to facilitate the use of electronic records and signatures in interstate and foreign commerce by ensuring the validity and legal effectiveness of contracts entered into electronically. E-signature, e-disclosure and e-delivery can be legally effective if they comply with ESIGN laws and if evidence (such as an audit trail) shows that the person against whom enforcement is sought followed all the proper steps.

More than 40 states also have adopted legislation based on the Uniform Electronic Transaction Act (UETA), a model act adopted by the National Conference of Commissioners on Uniform State Laws to provide a legal framework for electronic transactions. UETA gives electronic signatures and records the same validity and enforceability as manual signatures and paper-based transactions. Such laws do not give electronic signatures greater status than traditional pen-and-ink signatures; they simply state that electronic signatures satisfy “in writing” requirements and will not be denied enforceability just because they're in electronic form.

Casey: What constitutes a “signature”?

Hatfield: An e-signature is defined as “electronic sounds, symbols or processes attached to or logically associated with a contract or record and executed or adopted with intent to sign the record.” Clicking on a box next to the words “I agree,” or saying “I agree,” fulfills the requirement. (Also, a tangible document can be signed electronically.)

Casey: For the insurance industry, what are the implications of using e-signatures?

Hatfield: In all lines of business, in every state, electronic signatures can be legally binding. The biggest risks are authentication and, most important, repudiation; but there are ways to reduce these risks so they're actually lower than those of traditional signatures. The ESIGN process is not perfect, but it is no less enforceable than the traditional face-to-face, paper-and-ink signature process.

Federal electronic signature laws apply to all states, even those that have adopted their own related laws. By law, certain disclosures must be given “in writing,” like the uninsured motorist waiver or election form disclosure. Such disclosures can be delivered through electronic means, however, if the consumer consents to receive them that way. If an agent or insurer also provides the insured with a hard copy, the requirements are not difficult to meet.

Casey: The electronic signature laws make any transmission “a writing,” even if it doesn't have to be signed. For example, if you deliver your own Gramm-Leach Bliley privacy notices, they have to be in writing. But since they don't have to be signed, and most companies simply drop them in the mail and don't get any kind of acknowledgement that customers have received them, you can deliver the notices electronically and still comply with the legal requirement they that be conveyed “in writing.”

Heidrick: Some of the rewards of electronic signatures, like speed and convenience, are obvious. A reduction in business costs, though, might take longer to realize. Banking-industry studies show that, for an average bank, a typical transaction costs about $1.07 to execute through a teller. That same transaction, conducted over the phone, costs about 54 cents, or 50% less. If the transaction is done via an ATM, the cost again drops by 50% to an average of 27 cents. If it's conducted over the Internet, the transaction costs about 1 cent. The same efficiencies and opportunities for savings await the insurance industry when it more fully adopts electronic processes. For instance, if a producer sends a document by overnight delivery to a customer for his or her signature, and the customer returns it using the same method, the cost typically is about $12 each way. To obtain the same signature using an electronic delivery system costs about one quarter as much.

Tom Gonser: The DocuSign system is a Web service that's priced per page, usually between 10 cents and 50 cents, depending on volume. If you're familiar with eFax, it's similar to that, and includes a number of security elements.

Heidrick: From a quality assurance perspective, there's much to be gained as well. Imagine that 100% of the applications you receive are filled out completely with valid answers and contain no stray marks that can be misinterpreted. When someone asks you to produce a document, you can always find it and never have to worry that it might be misplaced. Your workflow would be easier and more efficient, and would provide you with a better defense in the event of a lawsuit regarding a claim.

I began my career in claims, and I can't tell you how many personal-lines agents E&O claims I paid because an agent couldn't produce the signed application in question or there was a stray mark on the form. We also often paid claims that didn't fall under E&O because we didn't have the physical evidence we needed to defend ourselves. Properly applied, electronic processes can eliminate a lot of those types of errors. Also, in the event of an E&O claim, ESIGN includes specific language that prevents an agent from being held liable if he or she has simply followed the insurance company's established electronic-signature process.

Another reward for carriers is significantly increased compliance. When market-conduct examiners ask to see all of your UM/UIM required disclosures, waivers and other forms, you can simply print out the electronic documents you have on file. The risk of fraud is mitigated, and if it does occur, you can easily identify it and prosecute the perpetrator.

Casey: Does an electronic delivery system user have to install some type of software, or is the service entirely Internet-based?

Gonser: Ours is a print driver, but most of the actual transaction takes place in a Web session.

Casey: Tom, walk us through the online insurance application process.

Gonser: Typically, an applicant goes to the carrier's Web site, finds the words “apply online,” clicks on the link and is taken to a page containing an application for insurance. (We'll assume the visitor is not a current customer and therefore does not enter an existing policy number.) As the insured provides his name, address and other requested information, the insurer's system records the date and time the user entered the system, assigns him a unique number, and stores information about his use of the system in an electronic file or folder created especially for him. To verify the user's identity, a third-party vendor with which the insurer contracts can provide a random series of questions, the answers to which the vendor has collected and maintains on file, such as “What was the amount of your last mortgage payment?” If the applicant answers correctly, the system will prompt him to agree to receive any required disclosures electronically and confirm that he agrees to conduct business with the carrier electronically. The applicant then proceeds to the next couple of screens to complete a state-approved application based on the ZIP code he entered earlier. Once he has answered all application questions, he is asked to review the completed application and, if all the information is correct, to submit it for approval by clicking on the “Submit” button.

Next, internal edits ensure that all application questions have been completed and are accurate, and the answers are valid. For instance, if the app asks for a date, then a date must be entered in the proper field. Once these edits are passed, the application is sent to the carrier's system and an e-mail message is sent to the applicant, informing him that the application is ready for his electronic signature. Once he signs and his identity is verified, the application is sealed, along with all related data, and stored in the carrier's secured database.

Meanwhile, the system has recorded the time and date the applicant opened the application, all the answers he provided, when they were entered, how long he stayed in the system, and when the application was submitted for his signature. The applicant's folder is then electronically sealed so that any subsequent access to the file will be detected. It is stored on a particular database within the company, to which access is limited. Only two or three people might have the passwords and clearance necessary to access the records, and if someone does access and alter them, that action is automatically added to the file record, creating an “audit trail” that resides in a separate file from the application and its contents. In other words, the document cannot be altered without detection.

DocuSign employs the same computer technology that banks and government agencies have used for years; it ensures that a document cannot be altered after being sealed within a carrier's system. Electronic keys–one to scramble the document and the other to unscramble it–work together, so the right key is required to unlock the document. The more digits in the keys, the harder it is to match them. When a document is entered into an electronic signature system, a complicated mathematical computation breaks it down into a jumble of numbers which, when added together, make up a single large number called a “hash.” It's like a unique fingerprint of that document. If a document's hash value or its original data are changed in the slightest way, the hash will not add up and the document can't be de-scrambled. We store the fingerprint in a separate, secure location, and when the system retrieves that document for someone to review, we first check the fingerprint to make sure it still matches, so we know the document we're retrieving is the original. Thus, the document can be viewed, but never modified, because the system checks the fingerprint each time it is opened to be sure the hash values still add up.

Casey: What about transaction data?

Gonser: Transaction data allows us to track when the file containing an application and related documents are opened, when they're signed, and when the file is closed again. If the underlying content had ever been altered, the transaction data would show that the fingerprint didn't match, and it would issue an alert stating as much. Transaction data is securely stored in a separate location.

Casey: Could someone–say, an insurance company employee–go into the company's system and make changes to an application submitted online or to a policy issued online?

Gonser: That would be next to impossible. The National Institute of Standards & Technology has estimated that it would take some very powerful computers–and approximately 149 trillion years–to break the type of security key used to secure the electronic documents we're discussing. And even if someone managed to do so, the audit system would detect the intrusion.

Casey: What if an insured denies having signed and submitted a particular application or other document? Let's suppose an insured named William Smith, who works for Arizona Cable Co., submits an online application for auto insurance and chooses not to purchase UM/UIM coverage. A few months later, an unlicensed and uninsured driver causes an accident in which Mr. Smith is injured and his vehicle is totaled. Mr. Smith cannot obtain reimbursement for his property loss or medical expenses from the uninsured driver, so he files a claim with his own carrier. The carrier denies the claim, citing Mr. Smith's signed waiver of UM/UIM coverage. Mr. Smith insists that he did select the coverage, that the application and waiver on file with the carrier are inaccurate, and that a different William Smith must have submitted them. How might the carrier respond?

Gonser: The insurer can establish that William Smith, the insured in question, logged onto its Web site and submitted the auto insurance application–along with a signed UM/UIM waiver–from the Internet provider (IP) address that corresponds to his home router. The carrier also can establish that the person who signed the document electronically used the e-mail address william.smith@ArizonaCable. com and that William Smith, the insured in question, is the only person with access to that password-protected account. An audit trail can show that, in completing the application, Mr. Smith correctly answered several questions about his background and personal history (such as the amount of his most recent mortgage payment) designed to verify his identity through an authentication service.

Hatfield: With a sound process in place, backed up by technology and credible witnesses, a carrier has a better defense than it would have if it relied solely on paper documents.

Michael Yarnell: In a case like the one outlined, if you can present the technology in an understandable fashion, and if it is, in fact, maintained in a good business process with credible people, I think it greatly strengthens the company's credibility. On the other hand, if the technology involved is explained in a confusing, highly technical way that the jury can't grasp, the company's defense will seem evasive and excuse-laden, and it will be more difficult to swallow. The jury or the presiding judge won't be able to understand or identify with the carrier's position.

Heidrick: It's important to follow a defined, repetitive, understandable business process so customers know what they're agreeing to and are inclined to abide by the agreement. When a disagreement does develop, a court might have to sort it out and render a decision based on the evidence presented and the soundness of the business process involved. When establishing an e-commerce process, think about likely disputes and ensure that it complies not only with the law, but also with common sense. Will a jury believe that your business's system is too reliable to have made an error?

In one of my past roles at a call center for a broker representing several insurers, we frequently bound coverage on the phone. We used digital voice recording to verify applicants' identities but also tried to obtain wet signatures where we felt they were needed. The latter part of the process was quite expensive and time-consuming. Of course, we could bind a policy one day and the customer could experience a loss the next, so we routinely faced E&O exposures. Such exposures can be greatly reduced by the use of electronic signatures, which take only minutes, or even seconds, to obtain.

Insurance is an intangible product or service that's also data-centric, and the distribution system has been inefficient. Sooner or later, this industry will go paperless. In the meantime, we need to reduce the perceived risk level of electronic processes so regulators, company executives, producers and customers become comfortable conducting business in this self-service kind of way.

Hatfield: The issue really is more about workflow and process than it is about technology. If you have a process that prevents errors and omissions, and it's supported by effective technology, then having those measures in place is more important than whether the process is manual or automated. When you think about an e-signature process, think about the process first and technology second, but realize that technology can make it all happen and make it very secure.Since the use of electronic signatures benefits both producers and carriers, producers should encourage companies to adopt this process and, whenever possible, choose to do business with those who offer it.