Legal issues in EDI
Montana, John
This article is intended to provide accurate information in regard to the subject matter covered. The publisher and author are not engaged in rendering legal services. If legal or other professional assistance is required, the services of a competent professional should be sought.
The advent of computer modems, the Internet and E-mail software has promoted an ever increasing exchange of information without the use of paper documents. This phenomenon has a number of benefits:
*Reduced costs. Eliminating paper saves money at every step in a record's life. The cost of the paper itself is eliminated, distribution and storage costs are dramatically reduced, and the need for recipients to transcribe the information into their own computer systems is eliminated;
*Faster, more complete data interchange. A large document can be sent electronically in a few minutes, across the country or across the world, at little or no cost. Further, if additions or corrections must be made, these can also be done very rapidly via electronic transmission. In contrast, a paper document will take at least overnight. If pages must be corrected or added, similar delays will be attendant upon them. If the quantity of paper to be shipped is large, the expense can be quite high, particularly if fast delivery is needed.
*Much quicker availability and access to information. Large quantities of material can be made available to a large audience almost instantaneously, and in a highly usable, easily searchable format. In contrast, a very large set of paper documents may require days or weeks to search effectively.
These advantages have gained wide acceptance for EDI in the commercial world as a method of enhancing efficiency and profitability. Over time, the Internet is changing from an academic and computer buff phenomenon into an arena for many mainstream commercial enterprises.
Use of EDI has, however, raised a number of legal issues for parties contemplating its use. This article will examine those issues and touch upon possible solutions.
DATA SECURITY
The issue most commonly raised with E-mail and Internet communication is that of the security and protection from alteration of data so transmitted. The Internet was not devised with data security in mind and, thus, sophisticated hackers or criminals can, if they so desire, intercept and alter information being transmitted. This possibility, in the context of commercial communication, has resulted in fears that commercial information such as contract papers, regulatory filings, or credit card numbers can be altered, forged, or stolen, wreaking havoc on the parties whose data has been intercepted.
Problems with Security Schemes
Suggested solutions to this issue often include encryption schemes, so that data intercepted by parties without keys to the encryption scheme are useless to them. In such schemes, the information to be transmitted is run through a sophisticated mathematical algorithm which encodes the data. In order to decipher the data, a recipient must have the key to the algorithm, through which the data must be run.
While at first appealing, the use of encryption schemes has a number of drawbacks. First, it is necessary for both parties in a transaction to have access to the keys. Thus, for many consumer transactions, such as ordering a product and giving a credit card number, encryption schemes are impractical because the customers are unfamiliar with the scheme and therefore do not have the encryption key available. Nor do they have the necessary encryption software on their computer in most cases. Thus, encryption schemes are more suitable for continued communications between the parties with prior or ongoing relationships.
A second problem with encryption schemes is that it has recently become apparent that many of them are easier to decode than was previously thought. Although this can often be overcome by use of additional hardware or software, it adds a layer of complication and removes encryption further from usage by strangers who are not parties to a common encryption scheme.
An alternative to encryption schemes imposed by the parties to a communication has been the development of secured communication services provided by third parties. In this case, the third party provides either dedicated lines, or its own encryption or other security routines. One party, perhaps an organization offering goods or services for sale, subscribes to the scheme, thus making it available to all other parties who wish to enter into a transaction. Such a scheme offers a high degree of security to the parties in a transaction. However, it imposes additional costs on the transaction, thus raising prices. All such costs--dedicated phone lines, equipment and personnel of the third-party provider, overhead, etc.--are ultimately reflected in the price of the transactions consummated over such a service.
Another approach often discussed is the use of third parties to guarantee the authenticity and accuracy of transmissions, in something like the fashion that notaries public are used to guarantee written signatures. In such a scheme, a transmission is sent to the third-party guarantor, who then authenticates it and transmits it to the ultimate recipient, along with a certification that the transmission is, in fact, genuine and accurate. The theory behind such a scheme is that the third-party guarantor, being highly specialized, is capable of developing and offering encryption and authentication techniques sufficiently sophisticated to deter any attempts at fraud. Again, such an approach imposes additional costs, which are ultimately reflected in the prices of goods and services.
Are Security Schemes Cost Effective?
While each of the above schemes has some appeal, and may have some utility, it is advisable to engage in a rigorous cost benefit analysis prior to initiation of any of them. From both a legal and commercial standpoint, implementation of any security scheme could, in many cases, impose costs that far outweigh the benefits.
From a commercial standpoint, such schemes may simply not be cost-effective. For many EDI communications, the reality is that the contents of the communication are of absolutely no interest to anyone but the parties to the communication. For these, implementing elaborate security schemes guarding against the rather slight possibility that a hacker would alter them purely out of malice may simply be paranoia. For communications whose nature may invite fraud--e.g., economic transactions--the level and cost of protection must be weighed against the actual need.
Under normal circumstances, a very large percentage of all non-EDI transactions takes place between complete strangers, and with only rather minimal guarantees that the parties are who they claim to be. For example, mail order businesses often take phone orders, and accept credit card numbers without viewing the actual card or other identification, or take orders based upon a written order form with no proof whatsoever that the party ordering is the real party, or that a credit card number is either legitimate or in good standing. Retailers commonly accept credit cards with no other form of identification, and usually accept checks with only a driver's license, a document easily and commonly forged, as identification. Rarely, except in the case of very large dollar transactions, do businesses require any authentication procedure more elaborate than those just described. In transactions between commercial entities, the authentication demanded of the other party is often even smaller. A phone call, fax or unsigned memo or invoice may be all that is deemed necessary to proceed on a deal.
The reason that these practices continue to be utilized is that they work. Only a very small percentage of all transactions involves either actual fraud, or an attempt by either party to rescind a transaction based upon a claim of fraud or mistake. Banks frequently just absorb the cost of forged checks, and credit card companies absorb the cost of fraudulent transactions. The cost of additional security is simply deemed to be greater than the cost of absorbing the loss from some small percentage of transactions. If some subset of transactions is deemed in need of additional security, that security is implemented very narrowly, so as to minimize its cost. Thus, for checks over some amount, say $1,000, the bank that it is drawn upon may require that the signature on the check be compared to that on the account's signature card. Under that amount, the bank simply takes its chances.
From a legal perspective, such schemes may be equally unhelpful. In those somewhat rare cases where a legal dispute arises as to the authenticity or accuracy of a document, and which justifies the expense of pursuing the dispute, absolute, "hard" authentication of the transaction or its originator is often unnecessary, just as it is usually unnecessary with paper documents. In court, a wide variety of other factors are admissible to prove the author of a document, its authenticity or the validity of a transaction. Such circumstantial factors as delivery and receipt of the goods or services, course of dealing, or phone records may be adequate to authenticate the transaction, particularly if there are a number of such factors.
Such proof is equally applicable to EDI transactions. A party who claims not to have ordered goods electronically will still be faced with the fact that they were delivered and used. Other proof, such as the E-mail records of third-party communications providers and anecdotal testimony, will still be available, and must be refuted.
For most communications which do require authentication, schemes short of encryption or secured communications lines are often adequate. For example, personal identification numbers (PINs), long used in automatic teller machines, provide a method of authentication analogous to signatures. Such schemes are equally applicable to EDI and are already being implemented, using PINs as direct signature substitutes.
The Environmental Protection Agency (EPA) has adopted a scheme allowing certain regulatory filings to be done electronically, completely eliminating paper records. Authentication and certification of the accuracy of the transmissions is done through use of PINs provided to the filing party. As part of a contract allowing the electronic filing, the filing party signs a document agreeing that use of the PIN constitutes a signature certifying the authenticity and accuracy of the document.[1] Since the law already provides that a signature is any mark intended by its maker to be a signature, there is no reason to think that such a signature substitute is not a legally binding signature, should the issue be litigated.
A slightly different authentication scheme has been developed by the Securities and Exchange Commission (SEC) for its electronic filing scheme. In this case, the party filing electronically must create a paper certification stating that the transmission was accurate and authentic.[2] Again, there is no reason to believe that such a certification would not be completely adequate should the matter be litigated. If the paper certification contains adequate information, such as transmission time, file size, and other parameters, this scheme may also prove an effective means of detecting alterations by third parties, since alterations to the transmission will likely either delay it or alter the file size, thus allowing their detection.
The Internal Revenue Service (IRS) is even more lax. The IRS allows taxpayer submissions by EDI without specifying what is needed to demonstrate or guarantee accuracy. It simply requires taxpayers to document their procedures, and places the burden upon them to demonstrate accuracy if need be.[3]
That regulatory agencies such as those above accept this level of authentication and security for required filings is highly instructive for other organizations. The SEC, EPA and IRS all engage in ongoing disputes and litigation with regulated parties. All are clearly confident that these schemes are adequate for their own needs, will survive legal challenge and will produce admissible and persuasive evidence.
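The SEC-style paper certification described above records the transmission time and file size so that later alterations can be detected. The following added example (not from the article or any agency's own system) shows how that check behaves on a constructed sample filing, and why recording a cryptographic digest alongside the size is the stronger practice: a size check catches an appended or truncated transmission but misses an edit that keeps the length the same, while the digest catches both.

```python
"""Certification record for an electronic filing: size check vs. digest check."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Certification:
    """What the filer keeps on paper: when it was sent, how big it was, and a digest."""
    transmitted_at: str
    size: int
    sha256: str


def certify(payload: bytes, transmitted_at: str) -> Certification:
    """Build the certification record at the moment of transmission."""
    return Certification(transmitted_at, len(payload), hashlib.sha256(payload).hexdigest())


def size_check(received: bytes, cert: Certification) -> bool:
    """The file-size comparison the article describes."""
    return len(received) == cert.size


def digest_check(received: bytes, cert: Certification) -> bool:
    """Content comparison: any changed byte changes the SHA-256 digest."""
    return hmac.compare_digest(hashlib.sha256(received).hexdigest(), cert.sha256)


# Constructed sample filing (hypothetical filer and amount, not a real record).
ORIGINAL = b"FILER=EXAMPLE CO;PERIOD=1996Q2;AMOUNT=12500.00\n"
APPENDED = ORIGINAL + b"NOTE=LATE\n"                      # length changes
SAME_SIZE = ORIGINAL.replace(b"12500.00", b"91500.00")    # same length, different content


def compare_checks() -> dict:
    """Return (size_check, digest_check) results for each received variant."""
    cert = certify(ORIGINAL, "1996-07-01T09:15:00")
    return {
        "original": (size_check(ORIGINAL, cert), digest_check(ORIGINAL, cert)),
        "appended": (size_check(APPENDED, cert), digest_check(APPENDED, cert)),
        "same_size": (size_check(SAME_SIZE, cert), digest_check(SAME_SIZE, cert)),
    }


if __name__ == "__main__":
    for name, (by_size, by_digest) in compare_checks().items():
        print(f"{name:10s} size-check={by_size}  digest-check={by_digest}")
```

The same-size edit passes the size check and fails only the digest check, which is the case a certification built on size alone cannot detect.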
BALANCING NEED WITH COST
Whether an organization's EDI uses justify these or any security measures is an issue that must be carefully considered prior to making the expenditures required by any security scheme. Implementation of the most elaborate measures for all communications will be a cumbersome and costly waste. As with banks and checks, expensive measures should be confined exclusively to those transmissions whose value and risk factors actually justify the cost. If the subset of information requiring complete security is small, there is always the availability of courier services or the mail to be considered. These require no sophisticated hardware or software, no knowledge of security routines, and for small numbers of documents, may be far more cost effective than elaborate security measures for Internet transmission. Mail has the additional protection of harsh and eagerly enforced penalties against tampering or theft.
RECORDS RETENTION AND EDI
The question of records retention practices is very much complicated by use of electronic data interchange. Good retention practices for electronic records within an organization are generally somewhat more complicated than those for paper records. Electronic data systems tend to be engineered with redundant backup capability in mind, rather than systematic information elimination. Thus, even within an organization, rigorous procedures and practices are necessary to ensure that the potentially numerous multiple backup copies of records scheduled for destruction are, in fact, destroyed.
When electronic records are routed over the Internet or through a third-party communications provider, the situation is vastly more complicated. The backup capabilities and practices of the third-party provider are generally unknown, and the organization which created the records sent to the third party has no control over them. Thus, even if an organization is rigorous about destroying electronic records scheduled for disposition, copies, or at least communications records, may still exist in the hands of third-party communications providers. Should these documents come to the attention of opponents in litigation, and the originator believes or has represented that the originals have been disposed of, the result could be quite unpleasant.
These third-party copies would probably be fully discoverable in litigation. The third-party provider's contract will probably be a standard arm's length commercial contract, rather than an agency agreement. Thus, the third party has no standing[4] to assert any defenses on behalf of the originating party. It probably has no defenses of its own to assert, either. Further, the third party might have little incentive to fight a subpoena. Such a fight would be costly, and would produce little, if any, benefit to the third party. In the absence of contractual language guaranteeing the privacy of such communications, there is little likelihood that the third party would be liable to the records' originator. Even if there were such language, a subpoena might be sufficient excuse to avoid liability. From the third party's standpoint, the best solution would be simply to hand over everything and be done with it.
On the other hand, even if the originator has defenses available, they would probably not be applicable to subpoenas directed at others. The originator would thus find itself skewered by a double blade: the party with standing has nothing to challenge; the party in possession of the desired material has no standing to challenge.
This situation is most obvious, and most dangerous, if the records retained by the third-party provider are records which would be clearly privileged in some fashion if maintained by the originator. For example, EDI communications between the party and its attorneys would be privileged from discovery, if retained in the files or data system of either the attorney or the party. Whether such a privilege could be asserted by the originator over a copy retained by a third-party carrier operating under a standard commercial contractual relationship, and maintaining that copy for its own purposes, is debatable. An originating party might well find its most sensitive communications exposed by a well-placed subpoena to a third-party service provider with a good backup system.
This is in direct contrast to many forms of written communication. For example, a letter from attorney to client in the custody of the postal service has a high degree of privilege legally accorded it. Even supposing the postal service could locate such a letter, it is doubtful that it could be successfully subpoenaed by a litigant. The attorney-client privilege remains, even while the letter is in the hands of the post office. The privacy of a letter deposited with the postal service is further reinforced by criminal penalties. It is possible that a court would be persuaded that an E-mail communication is analogous to a letter, and ought to be accorded the same privileges while in the hands of a third party, but it is by no means certain. To find out, one must necessarily be in the desperate position of facing such a subpoena.
Organizations contemplating the use of E-mail or EDI for communications would be well advised to acquaint themselves with the retention practices of their service providers. At the least, they can become aware of the backup and retention practices of those providers, and can plan accordingly. It may also be possible to alter the service provider's backup practice to conform to the retention policies of the customer. Either possibility is a considerable improvement over dealing with the issue after the fact.
SUMMARY
In many respects, EDI is no different from any other form of communication. In others, it is a legal no-man's-land. While availing oneself of the opportunities to be had, it is necessary to recognize and plan for the uncertainty. An understanding of the issues and a pro-active approach to solving them will allow maximum benefit at minimum cost and risk.
ENDNOTES
1. Terms and Conditions Memorandum for Submission of Reformulated Gasoline and Antidumping Reports via Electronic Data Interchange, 40 C.F.R. Part 80.
2. 17 C.F.R. 232.302, Securities and Exchange Commission EDGAR filing regulations.
3. Revenue Procedure 91-59.
4. Standing is the right to assert a legal right or privilege, or to assert a legal defense.
Copyright Association of Records Managers and Administrators Inc. Jul 1996