Congress has responded by introducing two pieces of legislation. One would give financial institutions the freedom to develop their own electronic authentication procedures without having to worry about complying with numerous state laws. The other bill is aimed at establishing an industry-led, nationally uniform digital signature system.
S. 1594 authorizes a financial institution to use electronic authentication in conducting its business. Introduced in February by Sen. Robert Bennett, R-Utah, the bill has the backing of the Bankers Roundtable, a Washington-based organization that represents 125 of the largest financial institutions.
H.R. 2937, known as the Electronic Financial Services Efficiency Act of 1997, is broader than the Senate version and recognizes all forms of digital authentication as an alternative to existing paper-based methods. The bill establishes a national standard for digital signatures and requires anyone wishing to provide electronic authentication services in the United States to be a registered member of the National Association of Certification Authorities, an organization the bill would establish.
In testimony given over the weeks and months prior to the introduction of these two bills, software firms that make authentication tools and the firms that would use them made it clear they believed states are moving too slowly on the issue of legalizing electronic authentication and are producing legislation loaded with conflicting regulations that might prove too burdensome for electronic commerce to flourish.
Ken Lieberman, senior vice president of VISA USA, told the House Subcommittee on Technology last October he would like to see federal legislation that creates a "safe harbor" for private credit card systems, so that state laws don't add undue burdens.
J. Scott Lowry, president of the Digital Signature Trust Company, told the same committee, "Disparate [state] laws tend to lead to confusion in the marketplace and, in the absence of some unifying force, will likely slow down rather than speed up the pace of adoption of electronic commerce."
Echoing these views, Sen. Bennett stated, "It may be difficult for parties to determine which state law governs a particular transaction, and which technologies that state recognizes, and how that state treats issues of liability." When Rep. Richard Baker, R-La., cosponsor of H.R. 2937, introduced the legislation, he lashed out at states by calling their efforts "haphazard and unfocused, leading to laws ranging from the comprehensive to the limited to the nonexistent."
Not surprisingly, states have dismissed these criticisms as unwarranted and oppose federal legislation where it preempts state law. "I would beg to differ with the Congressman [Baker]," said Todd Sander, deputy director of the Washington State Department of Information Services. "I don't think state efforts at digital signature law are haphazard at all. We have put a great deal of effort into making sure that's not the case."
Sander pointed out that states have been at the forefront of establishing a legal basis for digital signatures, with several states starting work on the issue nearly 18 months ago. Far from being unfocused, states have come together under the auspices of the National Association of State Information Resource Executives (NASIRE), which is working with the Internet Council -- part of the National Association of Clearing House Authorities -- to discuss and coordinate the legal issues, interoperability standards and risk factors associated with electronic authentication.
Sander pointed out that this is an all-out effort, involving the states, federal members of the Internet Council -- such as the Social Security Administration -- and private firms. "It's very important to recognize that the states have been working with the private sector on developing a mechanism to recognize each other's efforts," he said. "We have talked about model legislation, reviewed our draft bills and coordinated implementation of this sort of thing."
The issue of conflicting state laws is also something of a red herring, according to state officials. In testimony before the Senate Banking Committee last October, Daniel Greenwood, deputy general counsel for Massachusetts' Information Technology Division, pointed out that a recent study by the Internet Law and Policy Forum found states to be achieving consensus on nonregulatory legislation that would create legal equivalency between paper and computer records.
Only three states have enacted a regulatory, technology-proscriptive approach to digital signature legislation, Greenwood pointed out; for two of those states, the regulatory statutes are considered "permissive" in nature. In other words, only companies that volunteer to be licensed will be regulated. The rest of the states that have passed laws, or that have legislation pending or in draft form, ensure that electronic authentication is the legal equivalent of paper-based signatures. "Since no real conflict exists between state laws, and no new regulation would be foisted upon electronic commerce," Greenwood observed, "it can be concluded that federal preemption is not called for in the area of electronic authentication."
As for being too slow to establish a legal framework for electronic authentication, experts on the matter are asking: What's the rush? "There's a lot of interest in electronic commerce and payment initiation, but not a significant amount of demand," said Anne Friedman, vice president of Chase Treasury Solutions for Chase Manhattan Bank. "Corporate policy, like law, is hard to change. There's a slow adoption of policy, legal and regulatory change that allows for the adoption of electronic means of communicating, such as digital signatures."
Sander expressed similar views on the market for electronic authentication. "Digital signatures are still a solution in search of a problem," he said. "People don't know what to do with it yet."
Much of the pressure for federal preemption of state legislation appears to be coming from high-tech firms that are used to taking risks and have a certain irreverence toward liability, risk and trust, say critics. Companies that want one-size-fits-all legislation now are the same ones used to releasing software with bugs in it and then rolling out a new version six months to a year later. They are not used to waiting.
However, Friedman and others point out that businesses -- and individuals -- won't use electronic commerce for orders and payments without a trustworthy environment. That takes time and experimentation to establish.
In explaining why it favors a state-led approach to developing digital signature policies and standards, the American Bar Association pointed out that premature legislation at the national level "runs the risk of stunting the natural evolution of market forces that will produce the most cost-efficient, user-friendly, interoperable and effective implementation of digital signatures. While early adopters of digital signature technology desire greater national uniformity in the immediate future, the overall interests of evolving the best public-key infrastructure requires a period of experimentation."
Sander put it more bluntly. "It would be a mistake to commit in a big way too early," he said. "We need to do just enough to learn what we need to learn."
Harry Hammitt is editor/publisher of Access Reports, a newsletter published in Lynchburg, Va., covering open government laws and information policy issues.