Another audit trail example is in an employment case deciding
whether an employee had agreed to an arbitration agreement upon
hiring. This case has broader implications; it illustrates controls
you need to have in place for any system where you will accept
electronic signatures to assure they are valid and enforceable. The
case is Adams v Quicksilver, Inc. No. G042012 (Cal. App. 4th Div.
Feb. 22, 2010) (unpublished), Adams, (the plaintiff) disputed the
validity of the electronic signature on the employer’s arbitration
agreement. The agreement was delivered via email when she was
hired. There was no authentication required to access the hyperlink
in the email. The agreement had two places to “sign” by typing a
name into fields, including one at the end of the document. When
questioned, the employer gave Adams a copy of her “signed agreement” from their online system. The agreement showed Adam’s
full first, middle and last name typed into the document. Adams
claimed she never signed the agreement, and argued that she never
signed her middle name on any legal documents.
She was able to provide several other examples of legal documents
where her middle name was not used. Of note here, and the reason
for highlighting this case, is that the system workflow allowed any
user to go into a file and alter it at any time, and there was no audit
trail showing how the signature was obtained. It therefore could not
be determined with certainty who signed the agreement and when
it was signed. The audit trail that the company did have showed
the employer had accessed the record after it was saved for storage,
which could have been innocent—but which cast additional doubt
on the authenticity of her signature. The court noted specifically that
attribution was not proven, and significantly there was no password
or other credential necessary to access and sign the agreement, nor
was there an audit trail for the access and signature at the time the
employer said it would have been signed by Adams. The system
did not have the proper controls to limit alterations and access, and
to record an audit trail at all points from the beginning.
You can compare and contrast this “employee onboarding” case
with another, that similarly had implications for agreements beyond
those with an employee. In Mitchell v. Craftworks Restaurants &
Breweries, Inc., 2018 WL 5297815 (D.D.C. Oct. 25, 2018), the
Court considered the “totality of the circumstances” and whether
they were sufficient to prove Mitchell’s intent to proceed electroni-
cally. Again, this was about the enforceability of an electronically
signed arbitration agreement in an employment context, which
was electronically signed during regular “onboarding” of Mitchell
as an employee. Here, Mitchell was required to acknowledge that
she understood and accepted the electronic process as being the
same as a paper or handwritten acknowledgment and consent to
the documents. Differing from the Adams case above, Mitchell
was required to enter a unique personal password before digitally
signing the documents. Documents were “signed” by clicking
a button to assent. The court found that the security measures
(password), combined with the plaintiff’s assent on several other
onboarding documents at the same time as the Arbitration Agree-
ment was signed, provided context that led to a conclusion that
there was intent by Mitchell to proceed electronically. Note, this
is not a case where there was a regulatory or legal requirement
to deliver a disclosure or other document “in writing” and thus
the company did not have to follow all the E-SIGN procedures
before using an electronic system.
The takeaway—have strong controls and audit trails. This is
important especially when you look at your residential lending
systems—make sure that the customer has a unique log in to the
system that they control, that the customer is authenticated with
questions only they could know the answers to, and that employees
cannot go into a record and edit a document after it was supposedly delivered and/or signed—otherwise known colloquially as
a “tamper seal” to preserve integrity of the timing and records.
Attributing Signature to a Specific Person:
How do you attribute a specific person’s signature to an electronic
signature, when you can’t compare handwriting for example? How
do you make sure the signer that is indicated is the actual person
who did the act of signing?
Controls plus evidence of workflow and
an audit trail can prove attribution and
intent; they can win or lose a case.
Can we require a customer to accept
electronic statements and notices?
No. The customer has the right to request
and receive paper records, however you may
charge a reasonable fee for those records. In
other words, you can incentivize customers
by providing free statements online, and
charging a modest fee for mailing them—but
you can’t require they use the online system.
What if a customer requests
information that we are required to
send them under Regulation DD
(or similar) by email?
Nope; you still have to go through the whole
E-SIGN process, even when they have
affirmatively made the request via email.
Note: You can send them a version through
their email, but you need to mail one too if
you don’t complete the E-SIGN process.
Can we have the customer sign a
paper document consenting to E-SIGN
along with their other account opening