The Role of the Business Manager in Implementing an Electronic Transaction Process

1
The Role of the Business Manager inImplementing
an Electronic Transaction Process

• Electronic Signatures and Electronic Records
  Under Colorados
• Uniform Electronic Transactions Act (UETA)

Colorado Department of State, 1700 Broadway,
Suite 300, Denver, CO 80290 303-894-2200 Fax
303-869-4871 www.sos.state.co.us
2
Licensing Division Secretary of States Office
Barbara Groth, J.D. UETA Program ManagerPhil
GehlichUETA Program IT AnalystCarrie
LondonAdministrative Assistant
3
Business Managers Role

• Existing electronic processes or records
• Database information collection, storage and
  retrieval
• Email
• Internal time cards, leave slips, expense reports

4
Business Managers Role

• New electronic process
• Often involves converting a paper process to an
  electronic process
• Critical to document workflow and procedures as
  initial step
• Opportunity for re-engineering paper process
• Be open-minded electronic process need not
  duplicate paper process

5
Business Managers Role

• Electronic process
• Perform risks analysis
• Perform benefits analysis
• Perform costs analysis
• Consider legal, business and technology issues
  and options in each analysis

6
Business Managers Role

• Electronic process
• Consider quantitative factors, e.g.
• Reduction in cost for storage of paper records
• Less time spent inputting data or processing
  applications
• Greater accuracy due to reduction of
  transcription errors
• Cost of new equipment or software
• Instantaneous transmission, compared to time
  and expense of mail or courier

7
Business Managers Role

• Electronic process
• Consider qualitative factors, e.g.
• Change in customer satisfaction
• Potential for increase or decrease in fraud

8
Business Managers Role

• Consult with your legal advisor in AGs office
• Consult with your IT advisors
• Consult with the UETA team

9
Business Managers Role

• Legal issues
• Statutory requirements or prohibitions
• Federal Laws Regulations, e.g.
• Health Insurance Portability and Accountability
  Act (HIPAA)
• Drivers Privacy Protection Act (DPPA)
• Colorado Laws Rules, e.g.
• Prohibitions on using or recording SSNs (see
  23-5-127, C.R.S. 4-3-506, C.R.S.)
• Open records laws

10
Business Managers Role

• Examine why pen and ink (wet) signature is
  requested on a paper document
• Its required by law
• It serves an important purpose, even if not
  mandated
• Its always been done that way

11
Business Managers Role

• Purpose of a signature
• Serve to authenticate a record by identifying the
  signer with the signed record
• Serve ceremonial function call signers
  attention to significance of signing and
  potential legal implications
• Serve to express signers approval or agreement
  of contents
• Serve to express finality of document (not a
  draft not accidentally submitted)

12
Business Managers Role

• If signature needed on electronic record
• What type of electronic signature?
• Create document/form to capture signers intent
  to sign
• Create document/form to fulfill reason for
  requesting signature

13
Business Managers Role

• Evaluate whether these attributes of your
  electronic process need be set at low, medium or
  high level
• Authentication
• Confidentiality
• Integrity
• Non-repudiation
• Authorization
• Auditability
• Preservation

14
Business Managers Role

• Authentication
• The process of identifying an individual
• Authentication merely ensures that the individual
  is who he or she claims to be
• Authentication says nothing about the access
  rights of the individual
• Not necessarily the same as an electronic
  signature, which must demonstrate intent to sign
• May not care about identity in some cases

15
Business Managers Role

• Confidentiality
• Assurance that information is not disclosed to
  unauthorized persons, processes, or devices
• Assurance that information is protected against
  intentional or accidental unauthorized disclosure

16
Business Managers Role

• Integrity
• Information protected against corruption,
  tampering, or other alteration
• By unauthorized persons
• By accidental actions of authorized persons
• By intentional actions of authorized persons
• Assurance of accuracy and completeness of
  information
• Need to capture questions asked on form, not just
  responses

17
Business Managers Role

• Non-repudiation
• Evidence that can be used to contradict a person
  who is (falsely) denying sending or receiving a
  specific communication or engaging in a specific
  transaction.

18
Business Managers Role

• Non-repudiation
• Some authorization and electronic signature
  technologies, e.g. digital signatures, assure
  high confidence that identity or signature cannot
  be repudiated
• Such technologies also assure that any change in
  document after digital signature applied will
  invalidate signature
• Content of document cant be repudiated if
  digital signature still valid

19
Business Managers Role

• Non-repudiation
• PINs and passwords easily compromised
• People cant remember them, so they write them
  down
• People intentionally let others borrow them
• People using same computer can often discover
  them
• People may intentionally use one PIN or password
  for multiple people, such as both spouses
• People are scammed into revealing them through
  phishing attacks or social engineering
• They can be hacked, intercepted, etc.
• PINs and passwords do not assure that data not
  changed
• PINs and passwords provide low (no?) assurance of
  non-repudiation

20
Business Managers Role

• Authorization
• The process of granting or denying access to
  systems, networks or applications based on
  identity

21
Business Managers Role

• Auditability
• Also referred to as Accountability
• The ability to identify the person or
  organization that performed, or is responsible
  for, the actions affecting information
• Audit trail
• Who, what, when, how

22
Business Managers Role

• Preservation
• Consider records retention issues
• More problematic to store electronic records long
  term in usable form than paper
• Must be able to migrate applications/systems as
  versions/equipment changes
• Electronic records with secure signatures
  especially difficult

23
Conclusion

• Business manager must take the lead in
• Managing an electronic process implementation
• Reviewing existing electronic processes
• Should request input from other sources Legal,
  IT, UETA
• Should understand laws and rules that may affect
  implementation of process

24
Conclusion

• Business manager has role in shaping ultimate
  form of UETA rules through involvement of UETA
  team with your analysis and implementation
• Well learn from your experience and it will help
  us shape rules that work
• Your implementation much more likely to be
  compliant with rules finally adopted

25
Additional Information

• Contact a member of the UETA Team
• Licensing tab at www.sos.state.co for info on
  UETA Program
• General Information
• UETA Statute (24-71.3, C.R.S et seq.)
• FAQs about UETA (the Act)
• Glossary
• Power Point Slide Shows
• Calendar of Presentations and Demonstrations
• UETA Task Force
• Resources Links

26
Contact Information

• Colorado Department of State
• Licensing Division, UETA Program
• 1700 Broadway, Suite 300
• Denver, CO 80290
• 303 894-2200
• Barbara Groth ext. 6423
• Barbara.Groth_at_sos.state.co.us
• Phil Gehlich ext. 6624
• Phil.Gehlich_at_sos.state.co.us