
Article information

  • Title: Managing the law of technology
  • Author: Montana, John C
  • Journal: Information Management Journal
  • Print ISSN: 0265-5306
  • Publication year: 1999
  • Volume: Jul 1999
  • Publisher: Institute for the Management of Information Systems

Managing the law of technology

Montana, John C

Managing technology in any manner is a difficult proposition. Technology growth is a decentralized activity; new ideas and new developments come from many sources, each with their own notions of the future and their own assumptions of how technology ought to be managed. Consequently, the idea of technology management is somewhat at odds with technology development, since the concept of management inherently presumes some sort of centralized control, while modern technology development flourishes precisely because it is not centrally managed.

Technology and the Law

Technologies with legal implications face the same situation with respect to their management by the legal establishment. Centralized control and management seem, on one hand, highly desirable; yet the nature of the legal system and the legal process is inherently decentralized. Consider a recent example: electronic signatures.

The advent of electronic commerce and electronic analogues of paper documents has created a demand for electronic signature technology. Both the technology field and the law have responded to this demand; there are now several electronic signature technologies available, and a number of laws authorizing the use of electronic signatures on the books. When examined in detail, however, these two responses illustrate the conundrum facing the legal management of technology.

Initially, the variety of technologies appears to be a boon - pick the most convenient, secure, cost-effective, or whatever priorities dictate and you are on your way. Aside from determining which technology is most suitable - a difficult issue in and of itself - the question of legal acceptance immediately arises. This is unavoidable: a signature of no legally binding effect is of little value, regardless of how cost effective or provably valid it may be.

The answer to the question seems reassuring: many state and federal laws appear to permit the use of electronic signatures. Upon closer inspection, however, reassurance is displaced by uncertainty. A digital signature technology can be any of several things - a stylus and pad arrangement that produces a digital version of an actual signature, a personal identification number imbedded in a document, a scanned image of a pen and ink signature pasted to a document, a digital authentication stamp, or any of several other possibilities.

Which of these is acceptable? It depends. A few digital signature standards actually specify technical parameters in a manner that allows relatively easy determination of what technology might meet the standard, but most do not. In fact, many contain no technical standard of any kind. The reader gets no indication of what is acceptable and therefore no guidance as to whether a signature created by such technology would have any legally binding effect.

Furthermore, although some digital signature laws do have technical standards, they are necessarily of limited scope. They either cover a single, narrow subject area because an agency with jurisdiction over a narrow type of activity promulgated them or they are from a single jurisdiction (i.e., one state) and are therefore of no force in another jurisdiction or geographic area. Thus, even a carefully thought-out and well-written law may be of limited value. Worse, a law that attempts to apply technical standards may be authored by someone with a limited or incorrect grasp of the technology.

A final complication is the legal process itself. Technologies change rapidly, but law changes slowly. Any law that attempts to address technology in a very specific manner will inevitably be outdated quickly due to inherent slowness in the lawmaking process itself. A federal statute may take five or more years to be passed or amended significantly. In information technology terms, this is an extensive period, during which time technology will have outpaced the contemplated changes in the law. The net effect can produce laws that authorize only older and perhaps outdated technologies because newer technologies did not exist when the lawmaking process commenced.

The Cycle of Regulation

This scenario has played itself out repeatedly with a variety of information technologies: optical imaging, digital signatures, and the Internet, just to name a few. In every case, technology users have been forced to make carefully considered choices when using innovative technologies. For example:

Should we use a process clearly authorized by one law, and hope that other agencies and jurisdictions will follow the lead set by that one standard?

Should we proceed where there is no clear standard at all, and hope that agencies or jurisdictions will grant ex post facto acceptance to our choice?

Should we wait to move forward until there is a clear and universal standard, at the risk of lagging behind technologically? Each of these choices has costs, and for some users, the costs of a wrong choice are high.

Fortunately, the legal system's attempts to regulate new technologies go through a maturation process, one that ultimately produces more rational and long lasting standards than are initially generated. The process may be described as follows:

Initial recognition. The legal system discovers the technology, and decides that it must be explicitly recognized in some way. At this point, the lawmakers or regulators often have little understanding of the technology but nonetheless feel it must be sanctioned. The technology goes on various technology laundry lists with minimal thought as to whether it ought to be there, and laws are passed which explicitly authorize it, whether they need to or not.

Concern. Subsequently, concerns surface that the technology is not adequately secure or is in some other way subject to serious abuse. Such concerns often arise without actual study or investigation to determine whether any real evidence supports them. At this point, laws limiting the technology's use or limiting the kinds of technology that may be used temper prior authorizations. Such laws often take the form of detailed technical regulation intended to limit potential abuses by forcing the use of prescribed technologies only or by mandating use in a carefully specified manner.

Analysis of the concern. The limitations imposed by detailed regulation eventually force a reexamination of the perceived problem's actual scope and whether the imposed limitations and detail actually have the utility supposed of them. This analysis often reveals that the limitations have no effect, or that the perceived threat is much less severe than was previously believed.

Performance-based regulation. The reexamination of the issues eventually generates performance-based regulation. In this scenario, rather than prescribing detailed technical standards, the law attempts to describe general performance characteristics and desired results, leaving the precise mechanism by which those characteristics are achieved to developers and users. At this point the regulatory process is relatively mature, and laws of this kind may stay on the books unchanged for a long period of time.

Past History

Imaging technology illustrates this process. When imaging first came to prominence, legislatures around the country were quick to add it to the list of technologies approved for admissibility in court (see, for example, the 1992 version of the Georgia Rules of Evidence). In virtually every case, this was a complete waste of time; the Uniform Rules of Evidence, in effect in nearly every jurisdiction in the country, had long permitted the admission into evidence of every kind of electronic data, regardless of media or format, making the specific addition of imaging completely superfluous. According to Rule 1001 of the Uniform Rules of Evidence:

An "original" of a writing is the writing itself or any counterpart intended to have the same effect by a person executing or issuing it. If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an "original."

and

A "duplicate" is a counterpart produced by the same impression as the original, or from the same matrix or by means of photography, or by equivalent technique which accurately reproduces the original.

A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original (Rule 1003).

Shortly thereafter, concerns arose that images could be altered, a quality that made them particularly unreliable for legal purposes. Never mind that every other kind of record, electronic or paper, can be altered with equal ease, and never mind that the actual extent of such purported alteration was never actually established. Legislatures and agencies around the country immediately stepped into the breach and passed requirements limiting the use of imaging to WORM (write once, read many times [i.e., non-rewritable]) technology and/or imposing a variety of detailed requirements intended to ensure that imaging systems were secure against fraud or other wrongdoing.

These concerns eventually were reexamined and found to be out of line with the actual scope of the risk. (Compare the Securities and Exchange Commission's current imaging regulations at 17 CFR 240 17a-4 and the comment on them at 62 FR 6473 with its prior No Action Letter.) Further, limiting the use of imaging to WORM technology was, in some cases, a serious impediment to the usefulness of imaging to users. Most of these requirements were ultimately replaced by broadly worded performance-based standards. The following language is typical of newer requirements:

Electronically generated VAR formula and supporting records.

(1) Electronically generated records are acceptable for VAR formula records and supporting documentation (including PTDS), provided that they are complete, accessible, and easily readable. VAR formula records must also be stored with access and audit security, which must restrict to a limited number of specified people those who have the ability to alter or delete the records. In addition, parties maintaining records electronically must make available for EPA use the hardware and software necessary to review the records (40 CFR 80.157 Volumetric additive reconciliation ("VAR") Equipment Calibration and Recordkeeping Requirements).

and

Each record required by this part must be legible throughout the specified retention period. The record may be the original or a reproduced copy or a microform provided that the copy or microform is authenticated by authorized personnel and that the microform is capable of producing a clear copy throughout the required retention period. The record may also be stored in electronic media with the capability for producing legible, accurate, and complete records during the required retention period. Records, such as letters, drawings, and specifications, must include all pertinent information, such as stamps, initials, and signatures. The licensee shall maintain adequate safeguards against tampering with and loss of records (10 CFR 34.87, Form of Records).

These provisions come from different sources - the first from the United States Environmental Protection Agency and the second from the United States Nuclear Regulatory Commission. Yet they have converged on performance-based standards that operate similarly and permit the use of technology providing reasonable safety and security. Using one of these standards assures compliance with a great deal of the other. (See, for example, Revenue Procedure 97-22 and Revenue Procedure 98-25, among many examples.)

The Future

The attitude underlying the above two provisions reflects the future of information technologies' legal regulation. Although the acceptance cycle runs true to form with the introduction of new technologies, past experience helps shorten the cycle. As regulatory authorities gain experience with new technologies and with the pitfalls of poorly thought out regulation, they move rapidly toward more mature, longer term rules. To do this, the regulatory body must clearly understand what its goal is in regulating the technology: Data integrity? Ease of audit? Readability and legibility?

Once the regulators understand the goal, they need only express it in law as a requirement, and the precise technology need not be stated. Regulated parties must meet the goal, and most are happy to do so, given the consequences of not doing so. In return, regulated parties have flexibility in finding ways to meet the goal that also meet organizational requirements.

What We Can Do

The user community can aid the speed and efficiency of the process. All legislatures are sensitive to input from the business and technology community. This fact can ensure that new statutes reflect technical realities and are not unduly restrictive or short-sighted. In a similar manner, most regulatory agencies are required to accept input from the public prior to promulgating rules. Finally, many industry associations devise model rules and technical standards that often serve as the basis for statutes and regulations. Such organizations often have political influence as well. Participation by the user community in any of these areas will have a significant and positive effect on the resulting regulation; that effect will directly benefit the user community. Users should therefore be prepared to participate in the setting of technical standards and, where possible, in the drafting of statutes and regulations.

John C. Montana, J.D., is "chief records brain" of BrainCore, a records management consulting firm. Montana specializes in records retention and destruction and the legal requirements and ramifications of records retention. He is also a practicing attorney. He may be reached at montana@csd.net.

Copyright Association of Records Managers and Administrators Inc. Jul 1999
Provided by ProQuest Information and Learning Company. All rights Reserved
