ELECTRONIC CONTRACTS AND DIGITAL SIGNATURES
© John S. Foster, Esq. 1997-2000 -- Posted with permission
of the author.
Although most transactions between meeting planners and suppliers today are created by the exchange of paper, this traditional way of doing business is rapidly changing. With on-line Requests for Proposals (RFPs) already a reality as well as the ability of meeting planners to check hotel availability via the Internet, can totally electronic or "cyber" contracts be far behind?
By contracting on-line, businesses can improve efficiencies, reduce paperwork, and streamline their operations. At the same time, however, new technologies create challenges for the legal system, which must try to apply existing law in a new context.
Take the following hypothetical exchange of e-mails:
Planner to Hotel:
Can you handle 100 room and meeting space for 150 schoolroom set-up on March 11 and 12, 1998.
Hotel sales person to Planner:
Yes we can handle it. I've checked the books and everything is clear.
Planner to Hotel:
Great!, we'll take it.
Can the above exchange create a contract? Certainly. But several legal issues arise, many of which are the same as encountered in traditional contracts: What are the exact terms of the contract? Is it enforceable? What happens if a message is garbled or sent in error? What if one of the messages was unauthorized or sent by an impostor?
The Internet hasn't changed the basic rules of contract law. Contracts can be formed by oral or written agreement and they can be implied by conduct of the parties. With the advent of on-line communications, they can be formed electronically. Digital or electronic signatures have been in use on a state by state basis for a few years. In 2000 the use of electronic signatures in commerce became sanctioned by the federal government with the passage of the "Electronic Signatures in Global and National Commerce Act', (15 USC§701).
A "cyber", or electronic contract is a contract created wholly or in part through communications over computer networks. A cyber-contract can be created entirely by the exchange of e-mails where an offer and an acceptance are evident or they can be made by a combination of electronic communications, paper documents, faxes and oral discussions.
Electronic contracts can add the element of speed and efficiency to the contracting process but several legal issues must dealt with in the process, as follows:
WHAT ARE THE TERMS OF THE ELECTRONIC CONTRACT?
Frequently parties to a contract do not always clearly address all of the contract terms. Terms may be missing or unclear, or the parties may have exchanged conflicting documents. In these cases, how are the terms of the contract determined?
The general rules of contract law follow a hierarchy of evidence when determining the terms of a vague or incomplete contract, as follows:
a) The terms stated in the discussions and writings exchanged by the parties that are not in conflict;
b) Terms implied by the current and past conduct of the parties;
c) Terms implied by industry custom and practice; and
d) Terms implied by law, i.e., damages for breach, liability for negligence, jurisdiction and venue, etc.
If a planner and supplier exchange promises by e-mail the law will interpret this agreement the same way it would interpret a more traditional contract written on paper. Parties to an electronic contract should be just a careful in articulating the terms as they would be in traditional contracts.
IMPOSTORS AND PERSONS WITHOUT AUTHORITY
The daily news is full of headlines detailing the latest computer scam causing someone to lose a lot of money. The biggest concern in electronic communication is the identity and authority of the person on the other side of the transaction. It is a simple matter for a person to adopt a pseudonym on-line or to send an electronic message that appears to come from someone else. This person could be anyone from a curious competitor to a dishonest person with too much time on their hands. It could even be a disgruntled former employee.
For those who want to engage in on-line contracting, two major issues arise: (1) How can you be sure that the person with whom you are communicating is the person he or she claims to be? and (2) Can an impersonator bind you to an electronic contract?
Since electronic communications does not involve business cards, letterhead or corporate seals it is impossible for one party to determine the other party's authority to book a meeting or sign a contract. Just because someone has a corporate e-mail address and says they are the executive director, vice-president of special events or director of meeting planning does not make it so. Parties to an on-line contract must still exercise due diligence to ascertain who they are dealing with on the other side. The development of digital signatures (discussed below) is helping to solve this problem.
Everyone is (or should be) concerned with someone else impersonating them and fraudulently signing their name to contracts. The key issue of course is who, if anyone, is bound to these contracts. Under current law a forged signature will only bind the forger, not the party being impersonated. The other party to the transaction, however, may be left holding an empty bag if the impostor can't be caught or identified or if the impostor is in no position to perform on the fraudulent contract. The exception to this is if the real party ratifies the signature or was somehow negligent and contributed to the forgery. This is just as true in on-line contracts as it is in traditional paper contracts. Again, digital signatures (discussed below) are solving some of these problems however new laws are being proposed that would hold business people liable for not providing an adequate level of security for their digital signatures.
These issues are not unique to on-line communications. Impostors and persons without authority operate in paper transactions as well. The difference is that in on-line communications there is greater anonymity and greater ease in perpetrating fraud without a great deal of financial investment. Technology companies and lawmakers are dealing with these issues daily and the result is new techniques to combat the potential for fraud in on-line communications. As mentioned above, one of these new techniques is the creation of digital signatures (discussed below). A digital signature can provide assurance that the communication was sent by a known party and not an impostor.
LEGAL REQUIREMENTS FOR ELECTRONIC CONTRACTS:
For the business world in general, and the meetings industry specifically, to embrace electronic contracts the exchange and storage of these records must satisfy certain legal requirements. These requirements generally include the following:
d) Writing and signature
These requirements are not always present in every situation but they are applicable to most.
Authenticity is concerned with the source or origin of a communication. Who is the message from? Is it genuine or a forgery? Every party to an electronic contract must have confidence in the authenticity of the messages it receives. A party who fails to verify the other party's identity in any transaction may have no recourse if a fraud is perpetrated. Communications that cannot be authenticated in a tangible form may not be used as evidence in a court room.
Integrity is concerned with the accuracy and completeness of the communication. Both senders and receivers of electronic communications must be able to tell: is the message sent identical to the message received?, is the message complete or has something been lost in transmission?, has the message been altered in any way either in transmission or in storage? Messages sent over the Internet pass through many routing stations and packet-switching nodes. Hence, there are many opportunities for messages to be altered along the way to their final destination.
For example, a meeting sponsor needs to know that a supplier's reply to a request for proposal is accurate and can be relied on.
Nonrepudiation is concerned with holding the sender to the communication he or she sent. The sender should not be able to deny having sent the communication if he or she did, in fact, send it, or to claim that the contents of the communication as received are not the same as what the sender sent if, in fact, they are what was sent. When a contract is in dispute, the party relying on it must be able to prove that the other side actually agreed to the deal.
WRITING AND SIGNATURE
As a general rule, contracts do not have to be in writing or even signed by either party to be enforceable. Contracts may be formed by conduct of the parties and may be oral unless they fall under the Statute of Frauds. The Statute of Frauds is a series of statutes that have been passed in most states that require that certain types of contracts must be in writing to be enforceable. In the meetings industry two of the types are prevalent:
a) Contracts that can't be performed in one year from the date they are made, and
(Any meeting planned for more than 12 months from now falls into this category)
b) Contracts for the sale of goods over $500.
(Catering contracts for food and beverages fall into this category)
When the statute of frauds applies, there must be a writing sufficient to indicate that a contract has been made between the parties. The definition of a writing is not limited to ink on paper. Rather, the essence of the requirement is that the communication be reduced to a tangible form. Electronic transmissions recorded in a tangible form should meet the writing requirement. To ensure this result it is probably necessary to preserve electronic communications, such as e-mails, in printed form or in a computer log.
In many cases, the law requires that an agreement be both in writing and signed by the person who is sought to be held bound in order for that agreement to be enforceable. If two parties are entering into a contract on-line, these writing and signature requirements may apply.
Generally, a signature is "any symbol executed or adopted by a party with present intention to authenticate a writing. Therefore, a signature need not be ink on paper -- rather, the issue is the intent of the signer. A symbol or code on an electronic record, intended as a signature by the signer, should meet the statute of frauds requirement. Digital signatures (discussed below) should certainly do so.
Confidentiality is concerned with controlling the disclosure of information. Corporate meeting planners for instance may not want the general public to know about the content of the upcoming meeting that concerns a new product. Suppliers may not want everyone to know the special rates being quoted to a particular group.
Most persons are comfortable with traditional contracts because of the security and familiarity with paper documents and handwritten signatures. In on-line contracts the security factor has been missing in the past and there is not much familiar with electronic lines of type. In other words, it is easy to be a victim of fraud when conducting business entirely on-line.
The technology industry recognized early on the pitfalls inherent in on-line communications. They have risen to the occasion by creating systems and procedures for satisfying the business and legal requirements of authenticity, integrity,
nonrepudiation, writing and signature, and confidentiality. The primary tool in use is digital signatures.
A digital signature is an electronic substitute for a manual signature and is generated by a computer rather than a pen. It serves the same functions as a manual signature, and a lot more.
A digital signature is not a replication of a manual or typed signature such as "signed, John Smith". In technical terms, digital signatures are created and verified by a special application that generates cryptographic messages. Cryptography is a branch of applied mathematics and involves transforming clear messages into seemingly unintelligible forms and back again. For digital signatures to work, two different translation keys are generally used. The first, called a public key, creates the digital signature by transforming the data into an unintelligible code. The second key, called a private key, verifies the digital signature and returns the message into its original form.
A person's public key is distributed by the person to other's with whom they do business. One way of accomplishing this is to post the public key on an organization's web page for anyone to access. A public key can also be attached to the document being executed. Individual's using a digital signature will also have a private key that is known only to that individual, or a limited number of corporate officers. The private key is used to create the digital signature. The document's recipient must have the corresponding public key in order to verify that the digital signature is the signer's.
This system is totally secure as long as the private key is kept private. This is because a digital signature is derived from the document itself. Any change to the document will produce a different digital signature.
A digital signature has many advantages over a manual signature. Both are used to signify authorship, acknowledgment and acceptance of terms. A digital signature, however, also serves an important information security purpose that a manual signature cannot. Digital signatures allow the recipient to determine if the digitally signed communication was changed or not after it was digitally signed. This feature provides integrity and authenticity to a communication that a manual signature does not. Additionally, a message sender can include information about the sender's authority and job title as well as the sender's identity encrypted into their digital signature.
HOW ARE DIGITAL SIGNATURES ACTUALLY SIGNED AND THEN VERIFIED?
A sender must first create a public-private key pair before an electronic communication can be digitally signed. As mentioned above, the sender discloses his or her public key to the recipient. The private key is kept confidential by the sender and is used for the purpose of creating a digital signature.
The entire process is started by the sender who runs a computer program that creates a message digest (technically known as a one-way hash value). The program then encrypts the message digest using the sender's private key. The encrypted message digest is the digital signature. The sender attaches the digital signature to the communication and sends both electronically to the intended recipient.
When the digitally signed communication is received the recipient's computer runs a computer program containing the same cryptographic mathematical formula that the sender used to create the digital signature. The digital signature is automatically decrypted using the sender's public key. If the recipient's program is able to decrypt the digital signature successfully, he or she knows that the communication came from the purported sender. Further, the recipient can tell if a communication has been altered or tampered with because the recipient's program will create a second message digest of the communication. This second message digest is then compared to the original message digest. If the two match the recipient has now verified the integrity of the message. Messages, of course, can be a few sentences long or an entire facility contract.
This system is virtually foolproof as long as the public key used by a sender can be verified as indeed belonging to that sender versus an impostor. This potential risk has been solved by the use of third parties to verify an individual's public key. Such a third party is called a certification authority. Several national companies serve in this capacity for individuals and organizations for a nominal fee.
THE LEGAL EFFECT OF A DIGITAL SIGNATURE
Although the law is still evolving in this area, a number of states have passed statutes authorizing the use of digital signatures and outlining details for their use. Most of the state laws are based on the American Bar Association Guidelines for Digital Signatures.
If the proper guidelines are followed, digital signatures should meet all of the legal requirements for electronic contracts. Digital signatures accomplish the following. They can : 1) provide a means to verify the integrity of messages sent, 2) verify the source of an electronic message because only a sender's public key will decrypt a digital signature encrypted with the sender's private key, 3) prevent repudiation by the sender once the authenticity and integrity of a communication have been established, and 4) satisfy the requirement for a writing and signature required by the Statute of Frauds.
Although the meetings industry is still primarily dependent on the use of paper in creating contracts, the full use of electronic or "cyber-contracts" is probably not far away. Such cyber-contracts will not take the place of full scale negotiations but they will definitely speed up the end game of signing contracts once the details are agreed to by the parties. As business and technology race forward, the use of electronic contracts and digital signatures in the future will probably seem as commonplace as sticking a piece of paper in a fax machine for someone far away to sign does today.
© John S. Foster, Esq. 1997-2000, All Rights Reserved, Atlanta, Georgia
JOHN S. FOSTER, ESQ. CHME is an attorney and counsel whose firm FOSTER, JENSEN AND GULLEY, LLC specializes in the legal aspects of meetings & conventions, trade shows & events, and association management,. He is an associate counsel for over four hundred (400) national and regional associations and companies and has been named as one of the 25 most influential people in the meetings industry by MeetingNews. John has been a director of sales and marketing for Hyatt Hotels, Marriott Hotels and Resorts, and Holiday Inns and holds the Certified Hospitality Marketing Executive (CHME) designation from HSMAI. John is also a founding member of the Academy of Hospitality Industry Attorneys (AHIA) and is active in MPI, PCMA, ASAE and IAEM. He is the legal columnist for CONVENE, published by PCMA, the Legal and Negotiation Expert for mpoint.com (PlanSoft) and the author of four books on the legal aspects of meetings and conventions: "MEETING & FACILITY CONTRACTS"; MEETINGS & LIABILITY"; INDEPENDENT MEETING PLANNERS & THE LAW"; and "WHAT EVERY HOTELIER MUST KNOW ABOUT LEGAL AFFAIRS MANAGEMENT" . Information about ordering these books can be obtained from John's firm. His practice is in Atlanta where he can be reached at 404-873-5200 or by e-mail: