The enforceability of electronic agreements may be at risk in cases where the signing process is not protected by adequate data security. In a February 2009 decision, a federal court declined to attribute an electronic signature to an employee because her employer failed to provide adequate security for its intranet passwords.
In the case of Kerr v. Dillard Store Services,1 an employee brought suit for race discrimination, and the employer attempted to enforce an arbitration agreement that it required its employees to electronically sign via the company’s intranet. Although the employee’s electronic signature was present on the record of the arbitration agreement kept on the company’s computer system, the employee denied that she knowingly or intentionally signed the agreement. Moreover, the evidence showed that the employer had repeatedly asked plaintiff to sign the agreement over a course of five or six months, and she had refused to do so.
In this case, the company’s online signing process appeared to be quite good. It required the plaintiff to enter her social security or employee identification number, enter her secure password, and then click the “accept” button at the bottom of the agreement screen. The employer’s computer system then recorded the plaintiff’s signature along with the applicable date and time. In addition, it automatically generated an e-mail to the plaintiff thanking her for electronically signing the arbitration agreement, and providing a procedure that plaintiff could follow if she wanted to deny that she had electronically signed the agreement. Moreover, the evidence indicated that this e-mail was sent to plaintiff and had been opened.
The problem, however, was the security surrounding the signing process, particularly as it related to the authentication of the signer’s identity. Although the company had various security policies in place, supervisors could access an employee’s account by resetting the employee’s confidential password and logging in under the employee’s default password. And in this case, the evidence showed that when the plaintiff claimed that she did not know how to access the company intranet system, a supervisor reset her password and then demonstrated how to use the system.
The plaintiff argued that during this demonstration the supervisor signed the agreement while on the plaintiff’s account. Although the court found no evidence to suggest that this may have happened, after reviewing the facts it concluded that the company had not demonstrated by a preponderance of evidence that “plaintiff knowingly and intentionally executed” the arbitration agreement. Thus, the court declined to attribute the purported electronic signature to the plaintiff, and declined to enforce the arbitration agreement.
The primary reason given by the court was that the employer “did not have adequate procedures to maintain the security of intranet passwords, to restrict authorized access to the screens which permitted electronic execution of the arbitration agreement, to determine whether electronic signature were genuine or to determine who opened individual e-mails.” As the court noted, it is not inconceivable that a supervisor logged on to plaintiff’s account and executed the agreement, particularly in light of the fact that in the past the plaintiff had repeatedly refused to sign the agreement.
The court acknowledged that “[a]n electronic signature . . . may be attributed to plaintiff as her own act through circumstantial evidence ‘including a showing of the efficacy of any security procedure applied to determine the person to which the . . . electronic signature was attributable.’” In this case, however, because of the lack of security, as well as the confusion surrounding the demonstration by a supervisor as to the operation of the intranet account, the court concluded that the employer “has not demonstrated the efficiency of its security procedures with regard to electronic signatures.” Thus, since the employer has the burden of proof, the court concluded that “its evidence that plaintiff executed the arbitration agreement is not persuasive.”
At its essence, the court was dealing with an electronic signature created by someone logged in to plaintiff’s intranet account. However, because the employer could not show adequate security procedures with respect to the login process (e.g., a supervisor could have logged in), the court concluded that it would not attribute the signature to the plaintiff in the face of her credible denials.
Whenever a business relies on electronic signatures to create binding agreements with its employees, customers, or suppliers, it must have the ability to attribute the signature to the purported signer. While almost anything can be an electronic signature (e.g., a typed name, a code, clicking an “I accept” button, etc.), it is critical that such signature be attributed to a specific purported signer. As the court pointed out, this is commonly done through the use of a security procedure, such as requiring the signer to log into an account using a secure user ID and password. Where the security is not adequate, however, the attribution may fail.
While this is perhaps the first case to reach this conclusion with respect to an electronic signature, its emphasis on the need for appropriate data security for electronic records is somewhat similar in approach to the 9th Circuit opinion in American Express v. Vinhnee.2 In the Vinhnee case, the court held that business records of a credit card holder’s transactions were inadmissible due to a failure to establish that the company provided adequate security to ensure the integrity of those records while they were stored on the company’s computer system.
Increasingly, laws and regulations require companies to develop and implement a comprehensive written information security program designed to provide appropriate security for the data they collect and use (particularly personal information).3 The Kerr case illustrates an important corollary—i.e., that adequate security may also be a precondition to the enforceability of electronic transactions.