Authenticating an individual is not enough to establish a reasonably defensible electronic transaction

In today’s digital world, we often desire to have people consent to documents by merely pasting an image of a signature into a document, clicking a virtual button on a web site or mobile phone, or relying upon the authentication of someone’s identity. However, each of these items alone is not enough to establish a reasonably defensible electronic transaction. This article describes what an organization should consider when seeking to obtain electronic consent that can withstand reasonable scrutiny should processes be audited or disputes occur.

As described more fully below, it is not enough to simply record a click or authenticate the individual’s identity. Creating reasonably enforceable electronic agreements involves deploying robust electronic signature processes, namely those that include reasonable identification and audit features.

From background checks, to the release of employment records, to authorizing the use of electronic communications, we desire to use electronic tools to register our consents due to the greater level of convenience. Such electronic consents are supported by long-standing legal frameworks establishing that electronic transactions are legally equivalent to ink and paper transactions. Pandemic restrictions accelerated the interest of public and private organizations to embrace electronic consent processes.

More and more organizations are obtaining consents electronically. For example, the IRS accepts electronic signatures for Form 8821, which authorizes the release of tax information to third parties (such as mortgage lenders or benefits agencies). Electronic consents also are used by the Social Security Administration (SSA). The SSA’s Electronic Consent Based Social Security Number Verification Service (eCBSV) specifically allows financial institutions and related entities to verify Social Security numbers—for number holders that have provided written consent with a wet-ink or electronic signature. These electronic consents are convenient for the user. Click with a mouse or touch an image of a button on a screen, and the authorization is made.

Some organizations mistakenly believe that obtaining such electronic consent is simple. The transition to electronic consent often requires more than adding a checkbox, an image of a button to a website, or a typewritten or graphical rendering of a signature, or validating the individual's identity. Just as “wet-ink” consents can be challenged, so too can electronic documents that include electronic consents. To respond to such challenges, organizations should consider collecting substantive digital evidence to demonstrate the existence and nature of the consent. For that reason, organizations may want to consider leveraging established digital transformation technologies, such as e-signature solutions, that support the full consent lifecycle, from the deployment of authorization language to the procurement and recording of consent, and that create robust digital audit trails and include fraud prevention features that will help respond to challenges to the consent process.

To demonstrate that an electronic consent is valid, organizations must be able to demonstrate:

  • Nature & Scope: Produce evidence tying the consent to an authorization that describes the nature and scope of the consent.

  • Intent: Show that the consent indicates an individual’s intent to agree to the authorization.

  • Identity: Offer evidence that a specific individual offered the consent.

  • Integrity: Demonstrate that the evidence was not modified or altered.

Mature e-signature solutions are designed to address these elements. However, a simple check box or an image of a signature does not, on its own, provide organizations with all that they need to create a reasonably defensible electronic consent. Those simple processes lack the identification and audit features that are necessary to provide organizations with reasonable evidence of who they were transacting with and what the nature and scope of the transaction was. Without an end-to-end process addressing the elements noted above, organizations may struggle to rebut challenges to their electronic consent processes.

Background for Electronic Consents

At their essence, electronic consents involve the electronic signing of electronic records. Individuals are presented with an authorization via an electronic record (e.g., a web-based description of the nature and scope of consent) and indicate their consent via an electronic process that is associated with the record. US federal and state laws are broadly supportive of electronic contracting processes. And the laws are technology neutral, meaning that electronic consents can be captured via key presses, online check boxes or click-through mechanisms, reply emails, oral recordings, and reply SMS messages.

However, although there is broad legal support for electronic consents, that does not mean that any consent will adequately substantiate who consented and what the nature and scope of the consent were. Like wet-ink consents, electronic consents can be challenged in a number of ways:

  • An individual can claim that there was no consent process.

  • An individual can claim that they did not intend to provide their consent.

  • An individual can claim that someone else provided the consent and that they never consented to anything.

  • An individual can claim that the authorization or document that they consented to was different from the one presented now.

Organizations wishing to leverage electronic consents should adopt robust and well-documented consent processes that address all of these issues, such as through established e-signature solutions. Recording a click on an “I agree” button, or some other simple method of input, may be sufficient to demonstrate that a consent was obtained, but without quality identification, robust workflow, and audit processes, organizations may struggle to establish who consented, when they consented, and what specifically they consented to.

Electronic Consents in Practice

Suppose that an organization wishes to set up a process whereby individuals can authorize the disclosure of records relating to them—perhaps a disclosure of motor vehicle records or a freedom of information request. The first step in designing a demonstrable electronic consent is to associate the electronic consent with an authorization. This step is fairly straightforward. For example, systems could be deployed so that when an individual clicks on a certain area of a web page (e.g., on an image of a button) that contains an authorization, a signal is sent indicating that the click was registered. The process associates this electronic action with the authorization. If an individual were to claim that there was no consent, the organization would have to substantiate its process,  produce evidence to demonstrate that the process was followed, and identify the electronic action associated with the authorization as the affirmative act.

Even with such evidence, the individual could claim that even though there may be an electronic action associated with an authorization or other record, the individual never intended to provide a consent. To rebut this claim, organizations would have to collect, collate, and produce circumstantial evidence indicating that the electronic action was intended to indicate consent. In the offline context, organizations may provide disclosures near signature blocks that evidence consent (e.g., “By signing this record I consent to . . .”). And similar processes can be adopted in the digital world. Clear language stating that a particular action will be interpreted as an indication of consent supports the conclusion that an individual performing the action intended to provide their consent. For example: “By clicking Submit below, you indicate your consent to release your information to your employer.”

Another challenge that someone may raise to an electronic consent is that someone else provided the consent. You may have a clear connection between an electronic consent mechanism and an authorization that clearly establishes consent with a defensible audit trail, but do you know who provided the consent? How do you respond to the electronic version of, “That’s not my signature?”

In the electronic context, the authentication process can be handled in a variety of ways. Organizations can require that individuals create accounts (e.g., login and password), and use the account information, IP address, contact information, and other information provided by the individual to help establish that a specific individual provided their consent. Electronic signature platform accounts, identity-based electronic signatures (otherwise known as digital signatures), and even video verification of identity using government-issued records, are other ways that organizations may consider for authentication. When considering the level of effort that should be undertaken to authenticate individuals, organizations should consider the risks associated with not being able to prove that a specific individual consented to a certain action. For a simple consent to view a web page, there may be no need to authenticate identity. However, for a consent to disclose sensitive personal, financial, or medical information, robust authentication measures may be called for, including the use of established e-signature solutions.

It must be emphasized, though, that authentication alone is not sufficient to establish a demonstrable consent. Even if an organization is 100% confident that it is transacting electronically with Gerri Smith, it must still be able to provide evidence of the intent to consent to a specific action or document and provide an audit trail that is above reproach, to demonstrate what Gerri Smith consented to. Demonstrable electronic consent requires addressing all four of the issues noted above.

For example, when presented with evidence of an electronic consent to disclose information to an employer or other third party, an individual may claim that they consented to a different disclosure or document. “I asked you to disclose my records to Company A, not Company B. That consent you are showing is wrong.” Or “I agreed to a different document than the one you’re showing me now.” This is similar to the “wet-ink signature” challenge in which someone photocopied or scanned the individual’s signature and placed it onto a different document. To rebut these challenges, organizations need to establish clear processes and/or audit trails showing that the authorization presented now is the same authorization that was associated with the consent for a specific disclosure or document. It will not be enough to simply show that the consent was made at a certain time, particularly if the authorization no longer exists or if the authorization has variable fields that may change for each authorization.

E-signature solutions that record the authorization as presented at the time the consent or document was provided and demonstrate that the record was not tampered with (e.g., fraud prevention mechanisms) can therefore serve as essential tools to document the entire process and address any disputes that might arise. And having individuals ready to describe and attest to the integrity of the process further bolsters arguments that an individual consented to a specific authorization or document.
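A minimal sketch of such a record, added here as an illustration and not taken from the article or from any e-signature product: each audit entry binds a hash of the authorization exactly as rendered (variable fields filled in), the intent statement shown, the identity evidence, and a keyed MAC chained to the previous entry. The field names, key, and sample authorization text are constructed assumptions.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: a real key would live in a KMS/HSM
GENESIS = "0" * 64                    # prev_mac value for the first entry in a trail

def _mac(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()

def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def record_consent(prev_mac, authorization_text, intent_statement, signer, timestamp):
    """Create one audit-trail entry covering the article's four elements."""
    body = {
        "authorization_sha256": _sha256(authorization_text),  # nature & scope, as rendered
        "intent_statement": intent_statement,                 # intent
        "signer": signer,                                     # identity evidence
        "timestamp": timestamp,
        "prev_mac": prev_mac,                                 # chains entries: integrity
    }
    return {**body, "mac": _mac(body)}

def verify_consent(entry, prev_mac, presented_text):
    """Check an entry against the authorization text produced in a dispute."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    if not hmac.compare_digest(_mac(body), entry.get("mac", "")):
        return "entry altered"
    if entry["prev_mac"] != prev_mac:
        return "chain broken"
    if _sha256(presented_text) != entry["authorization_sha256"]:
        return "authorization differs from the one consented to"
    return "ok"

# Constructed sample: an authorization template with one variable field.
TEMPLATE = "I authorize the release of my records to {recipient}."
TEXT_A = TEMPLATE.format(recipient="Company A")
TEXT_B = TEMPLATE.format(recipient="Company B")
ENTRY = record_consent(
    GENESIS, TEXT_A,
    "By clicking Submit below, you indicate your consent.",
    {"account": "gsmith", "ip": "203.0.113.7"},
    "2024-01-15T10:30:00Z",
)

if __name__ == "__main__":
    print(verify_consent(ENTRY, GENESIS, TEXT_A))
    print(verify_consent(ENTRY, GENESIS, TEXT_B))
```

An HMAC under the organization's own key shows the record is unchanged only to parties that trust the key holder; evidence meant to persuade a third party would typically rely on a digital signature or an independent timestamp instead.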

Conclusion

Electronic consents can be an important and helpful tool for public and private sector organizations. But to be confident that consents will be defensible, organizations must be able to satisfy all four of the following steps:

  • Tie the consent to an authorization that describes the nature and scope of the consent.

  • Show that the consent indicates an individual’s intent to agree to the authorization or document.

  • Offer evidence that a specific individual offered the consent.

  • Offer evidence of the authorization that the individual agreed to.

Such steps, including the audit trails and fraud prevention measures, are interrelated and critically important to establishing a reasonably defensible electronic consent process. Organizations must recognize that the authentication of an individual on its own will not establish the necessary audit trail as to what an individual consented to and will not demonstrate that the authorization or document is a true copy. If electronic consent processes developed in-house or reflecting scaled down electronic signature solutions lack quality identification and audit features, like those provided by established e-signature solutions, organizations risk not being able to demonstrate that they obtained a specific consent from a specific individual for a specific document.

Organizations seeking to obtain reasonably enforceable electronic consents should therefore assess whether their proposed solutions include identification and audit features, such as those included with established e-signature solutions or platforms. Solutions and platforms that include rigorous audit trails and fraud mitigation features can help convert electronic consents from a mere convenience to convenient and reasonably enforceable solutions that, should a dispute arise, can reasonably be substantiated to third parties or in courts of law.

 

 

Authored by James Denvil.

 
