The Catholic University of America

ELECTRONIC CONTRACTING AND SIGNATURES

November 12-14, 2003

Margaret L. O'Donnell

The Catholic University of America

Washington, D.C.

FERPA and E-Signatures

I. Proposed FERPA Regulation on Signed and Dated Consent

A. FERPA and Written Consent

The Family Educational Rights and Privacy Act (FERPA)[1] applies to all schools that receive funds (including student financial aid) under an applicable program of the U.S. Department of Education. Most student records are considered education records that are protected by FERPA, and this includes computer records. The statutory directive requires written consent prior to disclosure of personally identifiable information of students unless the disclosure meets one of the 10 exceptions listed in the statute at 34 CFR § 99.31.

Colleges and universities have been pondering whether electronic signatures qualify for the written consent requirement[2] under FERPA for at least seven years. Way back on March 8th, 1996, an anonymous posting under NACUANET[3] posed the following question:

Has anyone researched the issue whether, under FERPA, an institution may release a transcript and other information from a student's educational record, either to that student or to a third party, pursuant to an electronic request from the student via the Worldwide Web? Or does FERPA require a student's written consent before any such information may be released? Also, has anyone sought (and obtained) an advisory opinion from LeRoy Rooker (of the Family Policy Compliance Office) on this issue? [4]

B. The Proposed Regulation on E-Signatures

On July 28, 2003 the Family Policy Compliance Office (FPCO) issued proposed regulations amending 34 CFR § 99.30 that address when signed and dated written consent may be accepted in electronic form.

The proposed guidance would add an extra section to 34 CFR § 99.30 as follows:

(d) "Signed and dated written consent" under this part may include a record and signature in electronic form provided the educational agency or institution follows a process to--


(1) Identify the individual and authenticate the identity of the individual requesting disclosure of education records;
(2) Attribute the signature to the consent;
(3) Secure and verify the integrity of the consent in transmission and upon receipt; and
(4) Document and record the signed message

The preamble to the regulation specifically states that FERPA is technology neutral with respect to the disclosure and signature requirements.

Note that the scope of the regulation is fairly narrow. It does not deal with electronic records in general; it simply addresses the question of when written consent for disclosure of education records to a third party may take the form of an electronic signature.

What the regulation does is ask the school to consider how the traditional functions of a signature can be accomplished in the electronic format. The school must then devise a process to capture these functions when switching to an electronic format.

C. Prior Guidance from FPCO on electronic requests for record release

The current state of affairs is that schools are already able to honor electronic signatures for release of records to the student provided certain conditions are met, and can also honor electronic requests for release of a transcript to another school when a student seeks to transfer to that school.

FPCO has provided the following advice informally by email to schools:

This Office has advised previously that an institution may use a PIN combined with the student identification number to authorize disclosure of information from education records directly to the eligible student, but only so long as the institution allows only the eligible student to have access to the PIN. If the institution allows anyone else, including administrative staff, to have access to a student's PIN, there can be no assurance that the disclosure will be made only to an authorized party as required under FERPA. Regardless of the methods an institution uses to allow students to obtain access to their records, the primary consideration is whether there is reasonable assurance that the information is accessible only to the student.

The reasoning on this is that the written consent rules do not apply to a student trying to access his/her own records.

As for release of records to another Institution of Higher Education (IHE), the FPCO, in an opinion letter to Cornell[5] back in 1994, discussed an electronic request from a student to release records to another school. In that letter the FPCO stated that if a student requests his transcript be forwarded to another school, whether the request is made in person, in writing, by telephone, or by electronic transmission, FERPA would not prevent such release, as 34 CFR § 99.34 provides that a college can send a student's education record to another school in which the student is seeking to enroll without prior written consent if the student initiates the disclosure. The letter states: "However, when such a request is made by a student by telephone or electronic transmission, the school should be reasonably sure that the request was indeed made by the student."

II. Different Types of Signatures

A. Traditional Signatures

What are the traditional functions of a pen and paper signature? Each of the listed elements in the proposed regulation is related to something that was either implicit or explicit in the paper world. Under the U.S. law tradition[6], a pen and ink signature serves the following functions:

• identification;

• authentication;

• declaration of will;

• authorization;

• safeguard against undue haste;

• non-repudiation of origin and receipt;

• notice of contents;

• integrity; and

• originality.



While the electronic signature process does not use all of the above words to describe what must be in the process, in essence schools are being asked to capture the function of most of the above elements, with the possible exception of safeguard against undue haste.

D. Electronic Signatures

As the proposed regulations state, the general guidelines contained in the regulations are adopted from several different electronic signature laws: the Government Paperwork Elimination Act (GPEA), which applies to filing forms electronically with Federal agencies; the Electronic Signatures in Global and National Commerce Act (ESIGN), a federal law[7] which validates the use of electronic signatures and records; and the Uniform Electronic Transactions Act (UETA), which is an electronic signature model law for states proposed by the National Conference of Commissioners on State Laws. The definitions of electronic signature under these three laws are as follows:

Government Paperwork Elimination Act (GPEA)

The term "electronic signature" means a method of signing an electronic message that a) identifies and authenticates a particular person as the source of the electronic message; and b) indicates such person's approval of the information contained in the electronic message. (GPEA 44 U.S.C. § 3504)

Electronic Signatures In Commerce Act (ESIGN)

The term "electronic signature" means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. (ESIGN 15 USCS § 7006)

Uniform Electronic Transactions Act (UETA)[8]

"Electronic signature" means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record. (UETA Section 2 Part (8))

Note the difference in the definitions. The GPEA definition identifies what needs to be done, and it is stated explicitly rather than implicitly. For example, the signature needs to identify and authenticate, as well as indicate the person's approval of the information contained in the electronic message. The ESIGN and UETA definitions focus more on the technical specifications of how this can be accomplished. The latter definitions do not deal with attribution issues.

Electronic signatures can generally be divided into two categories, those that rely on cryptographic control, and those that do not. Non-cryptographic means of authenticating identity include a PIN and a Password (shared secret); a smart card; a digitized signature; and biometrics, which is taking a person's unique physical characteristic, turning it into digitized form, and interpreting it by computer. A cryptographic electronic signature uses either asymmetric or symmetric cryptography. Asymmetric cryptography is known as PKI, which stands for Public Key Infrastructure. PKI is a technology which uses asymmetric algorithms and a pair of crypto keys, one public, and one private. If one of the keys is used for encryption, only the other key can be used to decrypt the encrypted object. The private key is kept secret by the owner, but the public key can be widely distributed.[9] This technology can serve as the basis for a highly secure system of establishing identity pursuant to electronic signature. The same technology works to ensure data security in transit and storage. When PKI is used, the signatures are referred to as digital signatures. For an excellent overview of electronic signature technologies, see 64 FR 10896, March 5, 1999, the Proposed Implementation of the Government Paperwork Elimination Act. The notice at section five defines all of the above terms, and the entire document is a useful resource when developing a policy on use of electronic signatures.

While digital signatures have been touted as the ultimate solution for verifying identity in cyberspace, use of digital signature technology has been slow to catch on as a process widely used in commerce, especially open commerce, e.g. between two parties who have no prior relationship. Parties at both ends of the transaction need to have the infrastructure in place in order to use digital signatures. [10]

If you look at the definition of an electronic signature under E-Sign, one question that comes to mind is, can your name appended to the end of an email message be considered an electronic signature? While it may meet the definition of an electronic signature under E-Sign, commentators have noted "that e-mail, as the product of a computer, is likely to have an aura of reliability that is particularly unwarranted in light of the arguably greater ease with which such evidence can be fabricated."[11] Because of the ease with which e-mail can be fabricated to look like it comes from someone other than the sender, a simple e-mail request (without any other identifiers) would not suffice to meet the process set forth in the proposed FERPA regulations.

There are three legislative models which electronic signature legislation follows.

The first is the mandatory or prescriptive approach, in that it mandates the use of a particular technology, PKI. The second is the minimalist approach, which is completely technology neutral, and the third is a hybrid of the first two, which gives certain technologies the benefit of legal presumptions. [12]

The FERPA proposed regulation is technology neutral. The safe harbor proposed in the regulations, the Standards for Electronic Signatures in Electronic Student Loan Transactions, would give the benefit of certain legal presumptions, but does not mandate a particular technology. However, the process set forth in the standards is very rigorous.

Utah in 1994 became the first state to adopt electronic signature legislation, and went with the mandatory approach, dictating the use of digital signatures, or PKI.[13] However, only a few states have adopted the mandatory approach. E-Sign, the GPEA, and UETA are all technology neutral.

III. Required Elements under the Proposed Regulations

A. Identification and Authentication

This requires the school to establish a reasonable way to identify the individual and authenticate the identity of the student as the source of the electronic message when the school receives a request for access or consent to disclosure of records. A subtle permutation of the terms in the electronic signature world is that "identification" is the initial mechanism by which the school will verify who a student is in cyberspace, and "authentication" is the process for verifying identity on a repeated basis. When someone in the Office of General Counsel takes a student law clerk over to the computer center to obtain a user ID for access to the Office of General Counsel computer system, the process would be identification. When an employee types in a username and password in the morning to get her computer up and running, she is authenticating to the system.

How do registrars currently validate the identity of the requester when a written signature comes in on a piece of paper requesting disclosure of records to a third party? There is a firm practice established in the paper world with respect to transcripts. Registrars seem to have a higher bar for transcripts, but much of what will be requested to be sent out by e-requests will be transcripts as well.

See page 95 of the 2001 edition of the American Association of Collegiate Registrars and Admissions Officers (AACRAO) FERPA Guide, which states:

Most institutions require a written request from the student to release a transcript to a third party. In the 1991 AACRAO Survey on FERPA, only 10 percent of responding institutions indicated they would accept a telephone request to release a transcript. Of those institutions that indicated they would honor a telephone request, most qualified this response by indicating they would release the transcript only to another institution to which the student had applied for admission.

Institutions generally require the student to send a letter with their name, name attended under, dates of attendance, any degrees they received, date of birth, SSN, and signature along with the request. The information in the file is checked against the information in the written request. If it matches, the transcript is sent out. [14]

In an online world, authenticating the requester's identity will also most likely involve a data match. What is required in terms of the authentication will depend on what process is used to establish identity up front. The institution should ask whether the policies for identification and authentication are the same for various functions, e.g. accessing e-mail, releasing education records, and accessing online reserves. The weakness of one process can affect the security of another. If a school has very low level security for accessing e-mail, and poor password protection policies, then the school cannot be sure that the password has not been compromised when a student seeks to use the same password (if that is what is required) to release education records. Some of the following questions will need to be addressed.

• What process does the University use to assign a student his/her unique identifier?

• Is this done in person with presentation of photo ID?

• Is the unique identifier permanently assigned or can it be reissued?

• Who is permitted to assign the identifier?

• What applications can read or use the identifier?

One option for dealing with e-signatures, which approximates the paper world, is to require additional identifiers (beyond user ID and password) to authenticate the identity of the individual making the request. The same identifiers used in the paper world by the school could be added to the form, e.g. name, name attended under, dates of attendance, any degrees they received, date of birth, and student identification number.

Another option would be to have the computer system generate a random question or series of questions based on the information on that student contained in the database, e.g. what grade did you receive in Physics last semester? Still another way, and this is in use at some schools now in connection with password management, is to have the student answer a series of questions when they first receive their authenticatable identity. The same questions can be asked at a later time when deciding whether or not to authorize the request for release of records. Questions about events that are no longer recent history may not work with alumni seeking to send out a transcript, so this process may have limited utility.

An alternative to requiring multiple identifiers is to shore up the front-end process of issuing the unique identifier. If the process at the front end is relatively secure, then perhaps further identifiers beyond user ID and password are not necessary. For example, the identity is established in person (getting an authenticatable identity) before the Registrar or a specially trained person elsewhere on campus, and the credentials required are either one government issued picture ID, or two non-government I.D.s, one of which is a photo ID. Alumni who have long since forgotten any PIN they might have had could be asked to send in a written signature (by fax or mail) to obtain a new PIN that can be used to make electronic requests. This process could also be used with Distance Education programs, where in person presentation of a photo ID may not be feasible. Faxing or mailing a photocopy of the picture ID and other credential could also be utilized, or there could be a standard form that would be signed by a notary public. If a school wanted the process to be ultra secure and to guard against "undue haste" the school could always add an opt-in provision as is done with the FAFSA[15] process, which will be discussed below.

PKI is a system that is set up to authenticate the identity of the individual making the request with a fair degree of certainty because only the sender has the particular private key that has been used to encrypt the request. The key is either stored on a smart card, on the person's computer, or downloaded from the campus server. The receiving end, here the school, must use a public key to decrypt the message.

B. Attribution

The preamble to the regulations refers to a process to "attribute the electronic signature to the unaltered message or document to prevent repudiation by the sender." While attribution is related to identification and authentication, it is a bit different. When establishing a process for attribution, the process must require the electronic signature to "identify and verify what is signed to the extent that there is a degree of inseparability between the instrument and the signature itself." [16] From the institution's point of view, the question is how will the system in place prevent the sender of the request from repudiating or disclaiming the transmission? In the paper world, if litigation ensues, (and assume for the discussion that this is non-FERPA litigation, e.g. a negligence claim to recover damages for an injury or harm) the school knows that its first line of defense will involve presenting a piece of paper with a written signature consenting to disclosure of information. What must the school present in the electronic world to invoke this first line of defense? While the burden of proving the disclosure was valid under a FERPA claim would rest on the institution, in an invasion of privacy action the burden might vary depending on what the state law sets up with respect to electronic signatures.[17] If the school disclosing the information must prove that consent was given electronically, a process for attribution will be necessary.

Establishing attribution is more of a challenge in the low technology environment. This goes back to the first step of initial identification, and also goes to questions of best practices for managing passwords. The security of the environment at the institutional level in which the authentication occurs determines whether or not the school will be able to attribute a request to a particular individual. For example, campus authentication should, wherever feasible, avoid sending passwords over the wire in clear text. Even if passwords are encrypted for release of FERPA data, if the authentication the user performs for other purposes using the same password, such as getting e-mail, is not secure, the overall ability to make a valid attribution of identity in connection with the release of FERPA information will have been compromised. Some schools use one set of passwords for the registration/transcript function and a different password for e-mail and other functions.

When you move up to the level of using PKI, you have a digital signature which is an attachment to an electronic message that includes a mathematical digest of the message. The digital signature is specific to both the signer of the message, as well as to the message itself, binding the two together. While supporters of PKI argue that the process automatically eliminates problems of attribution, at least one commentator has argued this is not always the case:

Merely confirming that a digital signature can be validated with reference to a certificate cannot take the place of designing a security system within which electronic agreements can be negotiated and executed. Any form of computer security can be understood as a chain that binds the participants in the information system. The security of the system is only as strong as the weakest link in the chain. The activation of a non-repudiation bit communicates nothing if there is a weak link in the security technology chain that purports to bind the identity of a person to the contents of a digital signature certificate, or the intent of the signer manifested by the act of signing to the concept of non-repudiation. Such a weak link might arise as a result of a confusing interface design which leads individuals to activate the non-repudiation bit without knowing what significance others assign to it; a software application that activates the non-repudiation bit without seeking any confirmation from the person whose intention it purports to express that it should be activated; or a flaw in the design of the security system which permits one person to activate the non-repudiation bit in the digital signature certificate of another person without authorization. [18]

C. Integrity in Transmission and Upon Receipt

The preamble to the regulation talks about verifying the integrity of the signed message or document in transmission and upon receipt. In the paper world this is usually accomplished either through the postal service (or legal presumptions given to use of the U.S. Mail Service) or through fax machines. The phone company keeps records on when a fax was sent. [19]

Most computer systems have the ability to use SSL, which stands for Secure Sockets Layer. This is an encryption system that can be used to encrypt the documents in transit. However, it does not protect the documents once they reach the target server. SSL is the type of encryption used by the FAFSA[20] program to encrypt documents in transmission. Not all universities use this system, and some use it for access to some processes (student applications online, student record systems access) but not for other processes. This is a minimal level of security, and universities are experimenting with more secure systems, such as PKI and Kerberos, which also encrypt the data in storage once received. To give you an idea of what type of work some institutions are doing on data security, see http://shibboleth.internet2.edu/.

A good discussion of protecting the integrity of the document upon receipt can be found in an OMB document published at 64 Fed. Reg. 10896 (March 5, 1999), entitled: Proposed Implementation of the Government Paperwork Elimination Act. Section 6 contains the following suggestions to government agencies considering implementing electronic signature processes. The same suggestions could be adopted by an institution of higher education receiving an electronic signature.

d. Access to the electronic data, after receipt, needs to be carefully controlled yet available in a meaningful and timely fashion. Security measures should be in place that ensure that no one is able to alter a transaction, or substitute something in its place, once it has been received by the agency. Thus, the receiving agency needs to take prudent steps to control access to the electronic transaction through such methods as limiting access to the computer database containing the transaction, and performing processing with the data using copies of the transaction rather than the original. Moreover, the information may be needed for audits, disputes, or court cases many years after the transaction itself took place. Agencies should make plans for storing data, and providing meaningful and timely access to it for as long as such access will be necessary.

e. Ensure the "Chain of Custody." Electronic audit trails must provide a chain of custody for the secure electronic transaction that identifies sending location, sending entity, date and time stamp of receipt, and other measures used to ensure the integrity of the document. These trails must be sufficiently complete and reliable to validate the integrity of the transaction and to prove that, (a) the connection between the submitter and the receiving agency has not been tampered with, and (b) how the document was controlled upon receipt.
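One way a receiving institution could make the chain-of-custody trail described in suggestions (d) and (e) tamper-evident is sketched below. This is an added example, not part of the original paper or the OMB guidance; the function names, field layout and the keyed hash chain are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # placeholder "previous MAC" for the first entry


def _mac(key, prev_mac, fields):
    # Canonical JSON so the same fields always produce the same bytes.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append_receipt(log, key, sending_location, sending_entity, received_at,
                   document):
    """Record receipt of a consent document and chain it to the prior entry."""
    fields = {
        "sending_location": sending_location,  # e.g. source IP address
        "sending_entity": sending_entity,      # authenticated account
        "received_at": received_at,            # date and time stamp of receipt
        "document_sha256": hashlib.sha256(document).hexdigest(),
    }
    prev = log[-1]["mac"] if log else GENESIS
    entry = dict(fields, prev_mac=prev, mac=_mac(key, prev, fields))
    log.append(entry)
    return entry


def first_bad_entry(log, key, expected_head=None):
    """Return the index of the first altered, removed or reordered entry,
    len(log) if the tail was truncated, or -1 if the trail is intact.
    expected_head is the latest MAC, kept somewhere the log writer cannot
    reach; without it a truncated tail cannot be detected."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items()
                  if k not in ("mac", "prev_mac")}
        if entry.get("prev_mac") != prev:
            return i
        if not hmac.compare_digest(entry.get("mac", ""),
                                   _mac(key, prev, fields)):
            return i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1


def document_unaltered(entry, stored_document):
    """Check a stored copy against the digest recorded at receipt."""
    digest = hashlib.sha256(stored_document).hexdigest()
    return hmac.compare_digest(entry["document_sha256"], digest)
```

The MAC key has to be held apart from the database that stores the log; anyone who can both rewrite entries and read the key can rebuild the chain.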

D. Document and Record the Signed Message

How the record and authentication will be captured in an electronic world raises questions of preservation. In the short term, preservation of the record is not likely to be a problem. Many experts agree that technology obsolescence presents problems for the storage and retrieval of digital records, but there is not a firm agreement on how to solve the problem.

FERPA has no record retention requirement per se, but the burden is on the institution to prove consent should a complaint be filed, and thus there is an implicit need to have some sort of record. The AACRAO Retention of Records Guide[21] states under Retention Schedule F that a student's written consent for records disclosure should be kept "until terminated by the student or permanent." The "until terminated by student" would refer to open ended requests for disclosure, such as a blanket release from the student to send his/her transcript to any employer who might request a copy. In this instance there is an ongoing need to keep a copy of the release. As for one time releases, in actual practice most registrars keep the paper copies of written record requests for only one or two years. Given this short time frame, there is not that much of a concern as to obsolescence of digital records, as the electronic format in most instances is retrievable in the short term.

If institutional policy differs and mandates a longer term for record retention, or if the consent is open ended, then there is a need to look at the unique issues surrounding storage of electronic records. A federal Food and Drug Administration (FDA) Draft Guidance[22] suggests including the following when drafting an electronic records maintenance policy:

• How electronic records will be maintained;

• Storage conditions and precautions;

• Retrieval and access restrictions;

• The technical approach to long-term electronic record storage;

• Personnel responsibilities for relevant tasks

The guide also suggests controlling for factors that could affect the reliability of electronic records, including the media and hardware used, the software (both application and operating systems) used to read, process and display electronic records, and the process of extracting information in human readable form. The latter suggestion, the ability to produce the document upon request in human readable form, is what is likely to concern most attorneys.

E. An implicit fifth requirement

Identification and authentication, verification, attribution, and documentation are explicit proposed regulatory requirements. What is implicit in the proposed regulations is the requirement to establish a process. The regulations state: "an agency or institution may accept electronic consents and signatures when reasonable security is provided for the process." The proposed regulations could have gone further and required a written policy, but they do not. What institutions must realize is that reaching consensus on what the process will be might take a little bit of effort and collaboration. In other words, a school cannot simply switch over to electronic signatures, but must have put in the time required to consider and weigh the various ways in which reasonable security for the process can be provided.

The OMB document entitled Procedures and Guidance: Implementation of the Government Paperwork Elimination Act, published on May 2, 2000 at 65 Fed. Reg. 25508 contains some useful suggestions on considering risk in the process of adopting electronic signatures that could be utilized by Institutions of Higher Education. The following considerations are suggested therein:

• What is the relationship between the parties?

• What is the value of the transaction?

• What is the risk of intrusion?

• What is the likely need for accessible, persuasive information regarding the transaction at a later point?

What is reasonable depends on context: the type of information being disclosed and the entity to which it is being disclosed should enter into the discussion of process. A school making an electronic disclosure to an entity with which it has a long term relationship might require a lower level of security than when the disclosure is to an entity that does not have an ongoing relationship with the institution.

IV. Sample Process For Consideration

University X has data in the student administration system on all alumni. Much of this is private data. The University offers lifetime email forwarding. To activate the lifetime email option, the former student has to web in to a special page on the alumni web site, and request an alumni email address. To obtain this address, the alumnus has to supply (on an encrypted web page) a few pieces of data (for example six fields) and request the account. The alumnus is issued a temporary account at the time of the request. Once someone in the alumni office has checked the six fields against what is in the Student Information System, and a match is confirmed, the account is made permanent. The alumnus selects his/her own password.

If the alumnus wants to request that a transcript be sent to either an email address or a physical address, the alumnus webs in to a new page, using the log in and password to get to the page. This page is encrypted. Verisign is a company that offers an encryption service, and there are other companies as well. Once logged in, the alumnus requests that his transcript be sent to X University. The alumnus supplies the email or physical address and contact person to the Registrar via the web page.

The alumnus making the request is then sent an email to his alumni account, with a web link in it. The web link is unique and not readable by humans. The alumnus needs to click that link which takes him to an encrypted log in page. The alumnus logs in and approves the sending of the transcript by clicking on the yes button. At that point someone in the Registrar's Office gets the request and sends it. While all of this is going on, the university tracks and records the IP address of the request, and the IP address of the click through. The university would also record all the details of the transaction, e.g. how many times the alumnus asked for the transcript, where he/she wanted it to be sent, etc.

How does this process meet the proposed regulation for FERPA electronic signatures?

Identify the individual and authenticate the identity of the individual requesting disclosure of education records.

This is done in two parts. First, by the original supplying of data (six different fields) by the alumnus when he/she requests an alumni account, and second, when the alumnus uses the password to log in to the web page.

Attribute the signature to the consent.

This is accomplished both through the PIN and password on the encrypted log in request page, and through the click on the link by the alumnus.

Secure and verify the integrity of the consent in transmission and upon receipt.

The verification happens four ways. First, you send the email to the alumnus for confirmation. Second, the alumnus clicks on the link you sent (which is not a link readable by humans, e.g. not registrar@cua.edu). Third, the alumnus logs in again when they get to the encrypted log in page. Fourth, the alumnus approves the release of the transcript by clicking on the "yes" button.

Document and record the signed message.

This is done by tracking and recording the IP address of the request and the click through, and other details of the transaction. This all goes into a database which is kept by the university.
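The confirmation step of the University X process can be sketched in code. The following Python is an added illustration, not part of the original paper or any university's system: it issues the unguessable, single-use emailed link, accepts the click-through only from the same logged-in account, and records the IP address of both the request and the approval. The class name, the 24-hour expiry and the sample addresses are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed validity window in seconds; the paper sets none


class ConsentLedger:
    """Hypothetical store of pending transcript requests plus an audit trail."""

    def __init__(self):
        self.pending = {}  # sha256(link token) -> request details
        self.audit = []    # append-only record of every event

    def _log(self, event, alumnus, ip, now, **details):
        self.audit.append({"event": event, "alumnus": alumnus, "ip": ip,
                           "time": now, **details})

    def request_transcript(self, alumnus, destination, ip, now=None):
        """Logged-in alumnus asks for a transcript; returns the emailed token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = {"alumnus": alumnus, "destination": destination,
                                "expires": now + TOKEN_TTL}
        self._log("requested", alumnus, ip, now, destination=destination)
        return token

    def approve(self, token, logged_in_as, ip, now=None):
        """Click-through after a fresh login; returns the destination or None."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        req = self.pending.get(digest)
        if req is None:
            reason = "unknown or already used link"
        elif now > req["expires"]:
            reason = "expired link"
        elif req["alumnus"] != logged_in_as:
            reason = "link opened under a different account"
        else:
            del self.pending[digest]  # single use: a replayed click fails
            self._log("approved", logged_in_as, ip, now,
                      destination=req["destination"])
            return req["destination"]
        self._log("rejected", logged_in_as, ip, now, reason=reason)
        return None
```

Only the hash of the link token is stored, so a copy of the pending table does not yield usable links, and rejected attempts are logged alongside approvals so the record shows every click-through.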

V. U.S. Department of Education Standards for E-Signatures as a Safe Harbor

In the preamble to the July 28th, 2003 proposed regulations, the Department of Education states that while agencies and institutions are not limited to any particular technology or method, the Standards for Electronic Signatures in Electronic Student Loan Transactions (hereinafter "Standards")[23] established under the Federal student loan programs satisfy the written consent requirement in FERPA. The Standards are what DOE has come up with to meet ESIGN as it applies to electronic transactions conducted by lenders, guaranty agencies, schools and borrowers under the student loan programs authorized by Title IV of the Higher Education Act of 1965. If an institution is especially risk averse and wants to adopt a fairly ironclad process, the Standards process may be followed. For most schools it is likely that full scale implementation of these Standards would be considered too onerous when you are simply releasing a transcript rather than setting up a process for disbursement of a loan. That being said, reading the Standards will be useful to schools in defining a process. It may be that elements of the Standards might be adopted, rather than the entire Standards.

What elements from the Standards might be useful to incorporate? There is what could be loosely referred to as an "opt-in" provision in Section 2 of the Standards, in that a borrower must affirmatively consent to use an electronic record. A suggestion has been made that as a way of shoring up the front end process, a student, prior to being given a PIN/Password, could be asked to sign an agreement that he/she agrees to conduct business with the university electronically. This might include an explanation of what uses will be made of the PIN/Password, and why it is important to keep the PIN/Password secure. What this process does is provide the traditional "safeguard against undue haste," and such a process might be to the university's benefit down the road.

The section on establishing attribution in the Standards discusses an express agreement by the borrower not to share or disclose the PIN or password, as well as a procedure by which the borrower may notify the lender and other parties that the PIN or password has been compromised. Once again, these might be useful suggestions to incorporate into a process for students who will be using electronic signatures.

Comments to the Notice of Proposed Rulemaking seemed to indicate a certain level of confusion as to whether compliance with the Standards was mandatory or optional. The stated intent of the preamble in the proposed regulations was to make compliance with the Standards optional, with the understanding that a school that uses the guidelines in the Standards will be considered compliant. It is likely that the final version of the rule will clarify this misunderstanding.

VI. Liability Issues

The question of what liability a school might have should something go awry with the electronic signature process remains unanswered. The standard set forth in the preamble to the proposed regulations is one of reasonableness.[24] At the minimum, a school should not use electronic signatures for release of information to third parties without an articulated process that incorporates the four elements set forth in the proposed regulations. A guide to use in establishing the process would be to explain how the actions taken would meet the legal functions of a traditional signature. One point that technology gurus[25] involved in the process of authentication and identification agree upon is that a simple email request will not suffice. Email is simply too easy to forge. Those schools who have staff working with Internet2 initiatives will have helpful technical support close at hand.

State law will govern any negligence claim for a tort such as invasion of privacy, identity theft, etc., and thus counsel will want to review the law at the local level. The fact that universities must have information security programs under the Gramm-Leach-Bliley Act[26] may end up raising the standard for university information security practices. See Liability for Negligent Security: Implications for Policy and Practice by Nancy Tribbensee online at http://www.educause.edu/ir/library/pdf/erm0354.pdf for a discussion of the liability issues in the context of overall computer and network security.

VII. Conclusion

The regulations as proposed leave institutions with a good deal of leeway for experimentation with various forms of electronic signatures. Institutions are in the position of in part setting the standard for what is reasonable by what they adopt collectively as an industry. Legislation mandating various forms of privacy continues to be popular, and thus the collective wisdom would seem to be that an institution that is careless with private data is not in tune with the values of the students that it serves.

VIII. Smart Tips Checklist

- Add an Opportunity to Review page and Check the Request page to the disclosure process (as is done when buying a book at Amazon.com).

- Periodically access a representative number of electronic consents to ensure that the content can be read (by a human as opposed to a machine) and evaluated.

- Provide an acknowledgment of receipt of the request, and an acknowledgment of records sent.

- Consider an "out of band" process as a supplement to electronic transactions. For example, Penn State assigns a PIN to each of its students only after the student provides in person third party verification and has his/her identity entered into the database.

- Stay ahead of the curve and consider authentication issues in the context of wireless communication devices.

Helpful Guidance:

On Electronic Signatures in General

64 Fed. Reg. 10896, (March 5, 1999)

Proposed Implementation of the Government Paperwork Elimination Act

65 Fed. Reg. 25508, (May 2, 2000)

Procedures and Guidance: Implementation of the Government Paperwork Elimination Act

Internet 2 Middleware Initiative: Identifiers, Authenticators and Directories: Best Practices for Higher Education: May 20002.

Articles for Background Reading

Winn, Jane K., The Emperor's New Clothes: The Shocking Truth about Digital Signatures and Internet Commerce, 37 Idaho Law Review 353 (2001)

Susanna Frederick Fischer, Saving Rosencrantz and Guildenstern in a Virtual World? A Comparative Look at Global Electronic Signature Legislation, 7 Boston University Journal of Science & Technology (Summer, 2001)

Wittie, Robert, and Winn, Jane, Electronic Records and Signatures under the Federal E-Sign and UETA, 56 Bus. Law. 293 at 294 (November 2000)

On Security

National Institute of Standards and Technology Computer Security Resource Center



[1] 20 USC § 1232g

[2] 34 CFR § 99.30 sets forth the conditions for written consent.

(a) The parent or eligible student shall provide a signed and dated written consent before an educational agency or institution discloses personally identifiable information from the student's education records, except as provided in § 99.31.

(b) The written consent must:

(1) Specify the records that may be disclosed;

(2) State the purpose of the disclosure; and

(3) Identify the party or class of parties to whom the disclosure may be made.

(c) When a disclosure is made under paragraph (a) of this section:

(1) If a parent or eligible student so requests, the educational agency or institution shall provide him or her with a copy of the records disclosed; and

(2) If the parent of a student who is not an eligible student so requests, the agency or institution shall provide the student with a copy of the records disclosed. (Authority: 20 U.S.C. 1232g (b)(1) and (b)(2)(A))

[3] The listserv for the National Association of College and University Attorneys.

[4] Posting of Anon. to NACUANET@peach.ease.lsoft.com (March 8, 1996) at http://www.nacua.org/nacuanet (last visited Apr. 15, 2003).

[5] Letter dated June 30, 1994 to Dr. David S. Yeh, contained in the NACUA Family and Educational Rights and Privacy Act, A Legal Compendium, 2d Edition, edited by Steven J. McDonald, at page 229.

[6] See Towle, Holly, E-Signatures-Basics of the U.S. Structure, 38 Houston Law Review 921 (2001)

[7] 15 U.S.C. § 7001 et seq. ESIGN provides that a signature, contract or other record may not be denied legal effect, validity or enforceability solely because it is in electronic form or because an electronic signature was used in its formation. The law does not require anyone to use an electronic signature, and it also does not deny anyone the right to determine the means for authenticating an electronic signature. Records required to be kept by federal, state or local law may now be retained in electronic format if the record remains accessible to all who are entitled to access it, and it is in a form that can be retrieved for later reference. ESIGN applies to transactions in interstate or foreign commerce. State laws that interfere with electronic signatures are pre-empted, however, if the state has enacted the Uniform Electronic Transactions Act (UETA), that law applies unless inconsistent with ESIGN.

[8] Adopted in 41 States, see Huddleson, Graynor and Flick, and Whelan, Survey: Uniform Commercial Code, The Business Lawyer, 58 Business Lawyer (August 2003)

[9] Winn, Jane K., The Emperor's New Clothes: The Shocking Truth about Digital Signatures and Internet Commerce, 37 Idaho Law Review 353 at 362. (2001).

[10] "One major obstacle to wide scale deployment of digital signatures in electronic contracting systems seems to be the complexity of the business administration systems it purports to replace. In order to use digital signatures as a functional analog of the messy patchwork of systems now used to authenticate the identity and good faith of contracting parties, the policies and hierarchies that make up a public key infrastructure would have to be integrated with other elements of business information systems that are necessary to permit contract negotiations and contract formation to be automated. The policies and hierarchies of individual organizations as well as those supporting the public key infrastructure would have to be standardized for automated transaction processing to be possible among parties with no prior business relationship. After nearly a decade of work in this area, the problem seems to be no closer to resolution than it was five years ago. " Id. at 363-364.

[11] Robins, Mark D., Evidence at the Electronic Frontier: Introducing E-Mail at Trial in Commercial Litigation, 29 Rutgers Computer & Tech. L.J. 219 (2003)

[12] Susanna Frederick Fischer, Saving Rosencrantz and Guildenstern in a Virtual World? A Comparative Look at Global Electronic Signature Legislation, 7 Boston University Journal of Science & Technology (Summer, 2001) at: http://www.bu.edu/law/scitech/volume7/Fischer.pdf

[13] See Utah Code Annotated §§ 46-3-201 - 46-3-504, and Wittie, Robert, and Winn, Jane, Electronic Records and Signatures under the Federal E-Sign and UETA, 56 Bus. Law. 293 at 294 (November 2000)

[14] Conversation with Barmak Nassirian, Associate Executive Director, External Relations, AACRAO, Sept. 22, 2003.

[15] FAFSA stands for Free Application for Federal Student Aid. The U.S Department of Education has issued Standards for Electronic Signatures in Student Loan Transactions and I use the term FAFSA to refer to this process in general.

[16] Lewis, Mark, E-Commerce: Digital Signatures: Meeting the Traditional Requirements Electronically: A Canadian Perspective; 2 Asper Rev. Int'l Bus. & Trade L. 63 at 68 (2002).

[17] The E-Sign Act does not disturb state laws that give presumptions to users of particular procedures, as attribution is beyond the scope of E-Sign, which deals simply with authentication.

[18] Winn, supra note 8 at page 374.

[19] Taub, Eric: Ease of Paperless E-mail Sidelines the Forlorn Fax, New York Times, March 13, 2003 Section G, Page 7. "But electronic signatures have been slow to catch on as an alternative to faxed documents for legal purposes. To make the system work, both parties need the same software for creating the signature. What is more, the legality of electronic signatures has not been tested in the courts. E-mail is also more vulnerable to being read by electronic intruders with nefarious intentions or by a government agency. E-mail can be electronically intercepted, but because faxes use telephone lines, a court wiretap order is needed to read someone else's fax transmission.
Faxes are also date-stamped and arrive virtually instantaneously, along with a confirmation. Although the time and date could be altered on the fax machine, the phone company's records will not lie when establishing when a fax was sent. Both e-mail transmission dates and text can be easily altered, and because of the vagaries of computer servers, e-mail may arrive hours or days after it was sent, or sometimes not at all, making it difficult to construct a timed paper trail."

[20] Free Application for Federal Student Aid

[21] Retention of Records: Guide for Retention and Disposal of Student Records: 1998 Update published by AACRAO

[22] Online at http://www.fda.gov/OHRMS/DOCKETS/98fr/00d-1539-gdl0001.pdf.

[23] Online at http://ifap.ed.gov/dpcletters/attachments/gen0106Arevised.pdf

[24] "In cases where FERPA requires a signed and dated written consent under § 99.30 for a disclosure, such as issuance of a transcript to an employer, these proposed regulations specify that an agency or institution may accept electronic consents and signatures when reasonable security is provided for the process." 68 Fed. Reg. 44420 (July 28, 2003) (emphasis added).

[25] I am referring here to those persons working with the various Internet2 initiatives. See the link in resources below.

[26] 15 U.S.C. § 6801 et seq., also known as the Financial Services Modernization Act.










Links updated 6/26/08 rab