
Copyright © 2001 Business Insurance

"Digital Signatures Mean Better Security Online"

December 4, 2000

by Roberto Cineceros
 
A new federal act that gives digital and electronic signatures similar legal weight to that held by handwritten signatures is expected to facilitate a multi-trillion dollar boom in Internet-based business transactions.

Insurers, brokers and consultants say they are helping clients address emerging risks related to these signatures, such as the potential for hackers or computer viruses to disrupt or alter contracts executed online.

The main intent of the Electronic Signatures in Global and National Commerce Act is to encourage secure Internet-based commerce by giving electronic or digital signatures equal legal status to that of signatures signed on paper contracts.

Therefore, the act is expected to increase the number of business transactions, including the signing of contracts, completed entirely online.

The act contains specific protections for consumers. Companies, for example, must notify consumers of several rights, including the right to receive paper contracts instead of electronic formats.

A major impact of the act is to create uniformity nationwide by overriding varying state statutes. It is also expected to provide a bigger boom for business-to-business transactions than for business-to-consumer transactions, according to proponents.

The federal law provides a nationwide legal framework "for online transactions affecting interstate and foreign commerce beyond relatively simple credit card-based consumer purchases," according to the Arlington, Va.-based Information Technology Assn. of America. The E-Signatures Act was adopted by Congress to avoid state laws that threatened e-commerce because of their inconsistency, the ITAA said.

As more contracts are completed online, however, there is growing risk of tampering with those contracts by hackers or other parties intent on committing fraud on the Internet.

To minimize those risks, high-tech risk management consultants, who sometimes team up with insurance underwriters, are helping clients apply digital signature systems known as public key infrastructure.

PKI is a digital encryption and authentication system for completing transactions and contracts over the Internet with greater authenticity and security than simply typing in a name or using an electronic signature, which may be simply a scanned image of a handwritten signature.

Someone stands a greater chance of winning a multimillion-dollar jackpot playing a state lottery than of cracking and copying a PKI digital signature, experts say. But using such digital signatures, which differ from electronic signatures and usually involve the encryption of an entire document, does not eliminate the possibility that pranksters, impostors or hackers will prevail.

"Digital signatures are not going to do away with criminals," said Bob Parisi, senior vp and chief underwriting officer in New York for the Global e-business unit of American International Group Inc. "If anything, it gives them a new green field to start playing their games on."

While risks remain, digital signatures provide greater security than do handwritten signatures, which can easily be forged on a contract, says June Yee Felix, chairwoman, president and CEO in New York for CertCo Inc., a provider of risk management and security measures for business-to-business e-commerce. One of those security features is the application of PKI, she said.

Digital signatures using PKI are as unique as human signatures and can provide evidence of tampering, she explained. "They can't be photocopied, duplicated, or easily forged like physical signatures," Ms. Felix said.

Ms. Felix expects that her business, like that of other companies offering risk management and security services for business-to-business e-commerce transactions, will benefit from the Electronic Signatures Act.

The Electronic Signatures Act is "technology neutral," however, because it does not require the use of encryption or specific encryption technology, AIG's Mr. Parisi said. But the quality of security offered by digital signatures rests on the technology used to create them, he explained. Currently, PKI is the dominant technology for securing digital signatures. But whether PKI will eventually go the way of the Betamax video-recording format remains to be seen, he said.

In contrast, electronic signatures, by definition, take a much simpler and less secure form. They can take the form of a human signature scrawled on paper and then scanned into a computer or a signed fax copy. Thus, they are more susceptible to forgery.

The odds that someone can replicate a digital signature are less than one in 1 billion, said Kevin Kalinich, director of network liability for Aon Technology Risk Group in Chicago.

Encrypted digital signatures using PKI technology do not look like signed human signatures. They are derived from a branch of applied mathematics used to transform messages into unintelligible forms and then back again to readable formats, Mr. Kalinich explained.

Their use typically relies on having access to sets of numbers, one referred to as a "public key" and the other a "private key."

A private key is needed to encrypt and create the signature or to convert contract language or other data into the unintelligible forms. The public key, whose numerical code is known to more parties than know the code for the private key, is then used to decrypt and read the document.

Even if several people know a public key code, that information is not sufficient to derive the private key. Therefore, they cannot use their public key information to forge or alter a document sent by the holder of a private key.
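The signing and verification the preceding paragraphs describe, as an added example that is not from the article or from any vendor it names: the contract is signed with the private key, anyone holding the public key can verify it, and both a change to the contract text and a signature made under a different party's key fail verification. It assumes RSA with SHA-256 from Go's standard library; the contract text is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer holds a PKI key pair. The private key never leaves the signer;
// the public key is handed to every party that needs to verify.
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates a fresh 2048-bit RSA key pair.
func NewSigner() (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// PublicKey is the half of the pair that may be shared with other parties.
func (s *Signer) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign hashes the contract and signs the digest with the private key.
func (s *Signer) Sign(contract []byte) ([]byte, error) {
	digest := sha256.Sum256(contract)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Verify checks the signature against the contract using only the public key;
// any change to the contract text makes the digest, and so the check, fail.
func Verify(pub *rsa.PublicKey, contract, sig []byte) bool {
	digest := sha256.Sum256(contract)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	signer, _ := NewSigner()
	contract := []byte("Buyer agrees to purchase 500 tons of steel at $400/ton.") // constructed
	sig, _ := signer.Sign(contract)
	fmt.Println("original verifies:", Verify(signer.PublicKey(), contract, sig)) // true
	tampered := []byte("Buyer agrees to purchase 500 tons of steel at $100/ton.")
	fmt.Println("tampered verifies:", Verify(signer.PublicKey(), tampered, sig)) // false
	other, _ := NewSigner() // an impostor with a key pair of their own
	forged, _ := other.Sign(contract)
	fmt.Println("forged verifies:", Verify(signer.PublicKey(), contract, forged)) // false
}
```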

To further assure that the appropriate parties have sent, received or signed a contract and its specific language, a third party referred to as a certification authority is employed.

Certification authorities are vendors trusted by both parties to a business transaction. They verify that the parties have received and signed agreements through the application of their key codes. The authorities also maintain secure repositories for electronic documents known as digital certificates, which are issued once the authority has verified the authenticity of the parties to a transaction.

The E-Signatures Act is expected to change many business-to-consumer financial transactions by allowing entire transactions, including the signing of documents, to take place online.

But the use of digital signature technology and certification authorities, along with the Electronic Signatures Act, mostly will help spur the growth of large, business-to-business transactions, said David Colton, ITAA vp and counsel.

Consumers using the Internet for purchases already have protection through fraud laws, such as one that limits their liability to $50 when unauthorized persons use credit cards, Mr. Colton explained. But similar protections don't exist for large business transactions.

Now however, business transactions can be protected through the use of digital signatures that can be secured and verified for their authenticity. Parties conducting Internet transactions can do so with greater confidence, experts say.

That will happen because the actual transmission of contracts will be more secure. Additionally, digital signatures will help resolve legal disputes that could otherwise arise in the course of conducting business online. The signatures can establish definitively that a specific party signed off on a particular contract or document. Thus, they help ensure the validity and enforceability of contracts arranged over the Internet.

Insurance, real estate, securities and other financial industries are expected to benefit from the use of digital signatures, Mr. Colton said. The act will also help spur the expected growth of Internet-based business exchange markets that connect buyers and sellers of commodities, such as paper, metals and chemicals, or almost anything necessary to run a business or create finished products.

Internet-based business-to-business transactions will grow to $5.7 trillion in 2004, up from $215 billion in 1999, according to estimates by AMR Research Inc., a Boston-based provider of research and analysis on e-business strategies and technologies.

One concern for insurers offering coverage for losses related to the use of digital signatures stems from a lack of "best practice" standards for PKI vendors, Mr. Parisi said. To improve its underwriting ability, AIG has teamed up with vendors it believes provide quality PKI and other security services.

Once all the high-tech safeguards are in place, simple human missteps still present significant risk of hacker or virus intrusions, several experts said.

Just as some employees stick notes with their employers' computer-system passwords to the front of their computers, they might do the same with public, or even private, key codes.

Once a hacker has a valid digital signature they "have the key to the kingdom," said Jeffrey Grange, vp of Chubb & Sons Inc.'s Department of Financial Institutions in Warren, N.J. "Once you have those there is nothing to stop you."

The codes can also fall into the wrong hands when employees store them in cell phone memories or in other electronic personal devices used to conduct company business.

"How many people lose cell phones?" Mr. Parisi asked rhetorically. "It happens every day."

Risk management policy procedures should be in place to circumvent such potential losses, agrees Mr. Kalinich. Those procedures should address who will control access to encryption keys, which employees can access them and what they are authorized to use them for. A procedure policy should also state who has authority to bind the company through a contract.

Meanwhile, electronic transactions may need to state that they are not contracts, and if they are intended as contracts, they should clearly state what conditions must exist for them to become a binding agreement. For example, one might need to state that a contract is binding only upon the sending party receiving an e-mail receipt stating that all supporting documents have been received.

The E-Signatures Act has made such policies more important because of the casual use of the Internet, Mr. Kalinich explained. Employees may think they are conducting casual Internet interactions when in reality they could be executing contracts.

When it comes to hackers, there are potential first-party losses should a hacker break into a system and cause damage to the company operating that system. There are also potential third-party liabilities. They could occur, for example, should a hacker break into a system and abort a sale, harming a client of the company whose security system was compromised.

Various insurance products are available or are becoming available to address risks associated with Internet transactions and digital signature applications, said Emily Freeman, practice leader for Marsh Inc.'s e-Business Risk Solutions in San Francisco. Depending on the underwriter, coverages are blended in or excluded from different products under a variety of policy structures, she said.

Yet issues raised by digital signature use were never contemplated when traditional insurance policies were created and whether they will cover related losses remains to be determined, insurers say.

Traditional fidelity insurance purchased by financial institutions, for example, usually requires that transactions take place on the premises of the financial institution, Chubb's Mr. Grange said. But now those transactions might take place over the Internet. Additionally, the forgery coverage provided by traditional fidelity policies contemplated only the use of "wet" signatures and not the digital form, he noted.

There also are related legal questions raised by the technology.

What constitutes electronic forgery has yet to be determined by the courts, Mr. Grange said. To help its clients, Chubb is close to launching a first-party, e-commerce policy with a specific insuring agreement for policyholders who conduct business using digital signatures.

The policy would protect against cyber attacks, unauthorized access, virus attacks and vandalism.
