E-Signature Laws Provide Legal Framework For Blockchain

Brian Casey

By Brian Casey

 

Today, there is certainly much hype and hope for successful deployments of distributed ledger, or blockchain, technology especially in the cryptocurrency world. There also seems to be a general perception that there is not a clear, or even an existing legal framework for blockchain transactions, be they commercial or consumer in nature. While there are certainly specific laws that can apply to particular types of blockchain-based transactions, such as federal and state securities laws in the case of cryptocurrency initial coin offerings, many blockchainers may not realize that there is an existing legal framework that readily accommodates a broad base of blockchain transactions; these are state, and in a few cases, the federal, electronic signatures and records laws.

 

Locke Lord blog Sept

These laws apply across many industries, including banking, structured finance, consumer finance, manufacturing and distribution of commercial and consumer goods, but, to make my points concrete, I am going to explain how to apply this framework to an insurance product given my insurance industry focus.

 

The federal electronic signature law, the Electronic Signatures in Global and National Commerce Act,[1] applies only in the three states that have not adopted the model state-based electronic signature law, known as the Uniform Electronic Transactions Act.[2] ESIGN provides for reverse preemption of itself and defers to UETA.[3] Therefore, UETA, which has been adopted in 47 states, is the primary law of the land, which establishes that electronic signatures, formation of electronic contracts, electronic delivery of documents required to be delivered in writing (irrespective of whether they require a signature) and satisfaction of written record retention requirements through electronic records cannot be denied legal effect on the basis of their electronic nature. Therefore, the focus of this article is on UETA and its relationship to blockchain transactions and distributed ledger technology used to create these transactions.

 

Many insurers have relied upon UETA to implement the use of electronic signatures for new insurance policy applications and to satisfy their obligation to deliver insurance policies in written form via electronically delivered insurance policies.

 

To understand why UETA applies to blockchain created transactions, it is important to recognize what types of transactions might be effectuated thereby and the key concepts in and rules established by UETA. Blockchain enabled transactions might include the electronic signature of electronically created contracts, the electronic delivery of documents, the automatic execution of a “smart contract’s” provisions that are triggered when agreed upon third party data, or oracles, enter the blockchain. Blockchains can also serve as the electronic repository for data and records entered into them. The drafters of UETA recognized the concept of a digital asset token in 1999, stating that “[t]he technology has yet to be developed which will allow for the possession of a unique electronic token embodying the rights associated with a negotiable promissory note. Section 16’s concept of control is intended as a substitute for possession.”[4]

 

UETA is intentionally designed to accommodate the advent of future technologies. To be sure, [UETA] has been drafted to permit flexible application consistent with its purpose to validate electronic transactions. [UETA’s] provisions… validating and effectuating the employ of electronic media allow the courts to apply them to new and unforeseen technologies and practices. As time progresses, it is anticipated that what is new and unforeseen today will be commonplace tomorrow. Accordingly, this legislation is intended to set a framework for the validation of media which may be developed in the future and which demonstrate the same qualities as the electronic media contemplated and validated under this Act.[5]

 

User Authentication

Identifying and authenticating electronic signatories is not a new issue or that difficult of a challenge or process. Many businesses using online means for obtaining and receiving electronically signed records from their customers already use customer authentication procedures, such as “shared-secrets” where by a new consumer is authenticated by answering online questions which evoke personal data that would most likely only be known by the consumer (sometimes this data is sourced directly from a consumer report provided by a consumer reporting agency); furthermore, for existing customers, many businesses, especially those in the financial services and insurance industries, customer authentication is a regular business function because of privacy and anti-money laundering compliance obligations. So, the point is that most businesses using e-signature technology already get the authentication issue, and applying that in the blockchain context should be relatively simply.

 

Electronic Signatures

UETA (and ESIGN) provide that electronic contracts and other signed records cannot be denied their legal effectiveness solely because they were created by e-signatures. Thus, to the extent a contract or other document is signed by a user through an (electronic) blockchain, UETA (and ESIGN) step in to support the legality of blockchain effected e-signatures.

 

This article was originally published on June 13, 2018 by Locke Lord as a Law360 article written by Brian Casey. Click the button below to View or Download the Complete Article:

What Every InsurTech Should Know About Privacy and Cybersecurity

by Theodore Augustinos | May 14, 2019 | InsurTech, Privacy/Data Security/Cyber Risk | Bermuda, European Union, Hong Kong, United Kingdom, United States

LL-SQ-RGB-border-c

As an early stage or startup InsurTech, you’re highly focused on all the right things: identifying a challenge for the insurance industry, developing an innovative technical solution, making it practical and scalable, getting it funded, and implementing it. The industry for which InsurTech seeks to develop and deliver solutions is awash, however, in requirements and restrictions related to the collection, use, sharing, and protection of data. What do you need to know about the insurance industry’s privacy and cybersecurity issues that affect your InsurTech solutions?                                                                                                                                                        

Make Privacy and Cybersecurity your Competitive Edge

Insurers, producers and others that are potential sources of funding and potential customers for InsurTech solutions are increasingly focused on privacy and cybersecurity issues. This focus is driven by their developing legal and regulatory environment, and by their interest in mitigating privacy and cybersecurity risk. Your ability to attract interest will only improve if you display awareness of and sensitivity to these issues. Your InsurTech will stand out and enjoy a competitive edge if you have basic answers to the questions any investor or customer will ask about privacy and cybersecurity compliance and risk mitigation. Conversely, your great ideas will be undermined if you give the impression that your solution hasn’t been built with these issues in mind.                                                                                                                                                                                                                                                                                                                                                     

To exploit this potential competitive advantage (and avoid the risk of the uninformed), you may not need to become a privacy and cybersecurity expert, but you do need to have some understanding of the issues that will be of concern to your potential investors and customers.

         

The following are suggestions for turning potential privacy and cybersecurity pitfalls into a competitive advantage.

1. Know what data you collect and process. Privacy and cybersecurity issues are determined by the types of data collected and processed. Make sure you know what your designers and programmers are setting up in terms of types and methods of data collection. Privacy and cybersecurity issues turn on types of data, and you need to have, and to be able to provide, full visibility into your data collection and processing. Companies sometimes collect more data than they intended or knew about, simply because designers and programmers thought additional data sets might be useful someday, or in some future application. Know what data you’re collecting and processing.                                                                                                                                             

2. Appreciate the rules of the road. There is a complex, changing, and increasingly onerous regime of privacy and cybersecurity requirements that affect the customers of InsurTech. Insurers, producers and other users of InsurTech solutions will need to make certain that your solution satisfies these requirements. Assume that any data collected and processed by your solution can be subject to these requirements. You don’t need to be expert in these requirements, but you do need to be aware of them.

 

Basically, depending on what laws and regulations apply, know that information that is identifiable to an individual may be subject to notice, disclosure and other requirements; limits on use and transfer; restrictions on retention; and rights of access, correction, portability and erasure. In some jurisdictions, other types of data including certain commercial data may also be restricted, and data related to military and dual use technologies can also be subject to data export and other restrictions. In addition, InsurTech customers may have contractual obligations or published policies and notices that restrict the collection, use, storage and transfer of certain data. Build your solutions with the understanding that your potential customers may not be able to use them unless they are consistent with these requirements.