Electronic Signature Policy

Policy Approval Authority President
Responsible Division Division of Administration and Finance
Responsible Officer(s) Vice President for Administration and Finance and Chief Financial Officer
Contact Person Sarah Chinniah
Primary Audience Faculty
Staff
Date Submitted to Policy Library Committee 05-13-2020
Status Active
Proposed Adoption Date 06-01-2020
Effective Adoption Date 05-18-2020
Policy Category/Categories Governance / Administration
Information Technology

Purpose


In order to increase the efficiency and effectiveness of NIU operations that require or request signatures to indicate approvals or acknowledgements, NIU may accept electronic signatures to replace previously required handwritten original signatures on paper documents.

To the fullest extent permitted by law, NIU accepts electronic signatures as legally binding and equivalent to handwritten signatures to signify agreement or approval. This policy establishes the process for designating transactions that can legally accept electronic signatures and how NIU will accept and verify electronic signatures. Where nonrepudiation of the authenticity of a particular signature is required, a digital signature, as defined below, may be required.

Policy Narrative


1. Federal and State Law

Enacted to aid and encourage electronic commerce, the federal Electronic Signatures in Global and National Commerce Act (E-SIGN) of June 2000 (link) states that “With respect to any transaction affecting interstate or foreign commerce . . . a contract . . . may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation. [15 USC § 7001(a)(2)].

The Illinois Electronic Commerce Security Act (Illinois Act or ECSA) of 1998 [5 ILCS 175] also seeks to facilitate and promote electronic commerce and says that where an existing law requires a signature, then an electronic signature satisfies that rule of law [5 ILCS 175/5-120(a)].


2. Definitions

2.1. Electronic Signature
NIU defines an electronic signature in the similar way defined by E-Sign Act or Illinois Electronic Commerce Act.

E-SIGN defines an electronic signature as:

• an electronic sound, symbol, or process,
• attached to or logically associated with a contract or other record, and
• executed or adopted by a person with the intent to sign the record. [15 USC § 7006(5)]

The Illinois Act defines an electronic signature as a “signature in electronic form attached to or logically associated with an electronic record.” Furthermore, an “electronic signature may be proved in any manner, including by showing that a procedure existed by which a party must of necessity have executed a . . . security procedure for the purpose of verifying that an electronic record is that of such party in order to proceed further with a transaction.” [5 ILCS 175/10-110]. An electronic signature is secured, for example, when it can be verified that an electronic record has not been altered since a specified point in time. [5 ILCS 175/10-105]
2.2. Digital Signature: a Type of Electronic Signature

A digital signature is a type of electronic signature, specifically defined by the Illinois Act as “a type of electronic signature that is created by transforming an electronic record . . . and encrypting the resulting transformation with an asymmetric cryptophytes using the signer's private key . . . and the signer's corresponding public key.”

A digital signature is, by definition, considered to be a security procedure [5 ILCS 175/15- 10], but it is not the only acceptable security procedure that may be used to prove an electronic signature.

By definition, all digital signatures are electronic signatures, but not all electronic signatures are digital signatures.

2.3. Data Classification
In the context of information security, data classification is based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.

Public Data: Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information, and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data. Public data typically rates low in most or all risk categories.

Private Data: Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.

Restricted Data: Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data. Restricted data generally requires a high risk in one or more categories.

Check Data Classification Guidelines and Procedures for more details.
2.4. Other Definitions
Authentication: ensures that the user who attempts to perform the function of an electronic signature is in fact who they say they are and is authorized to “sign”.

Authorization: verifying that an authenticated user has permission to access specific electronic University services and/or perform certain operations.

Data Steward: a senior-level employee of the University who oversees the lifecycle of one or more sets of Institutional Data.

Data Trustee: a University official with authority to approve policies and procedures and make data usage and access decisions.

Electronic Record: a contract or other record created, generated, sent, communicated, received, or stored by electronic means.

Non-Repudiation: the inability of either party in a voluntary transaction to reject, disown, or disclaim the validity of that transaction.

Repudiation: the willful act of either party in a voluntary transaction to reject, disown, or disclaim the validity of that transaction.

Transaction: a discrete event between a user and a system that supports a business or programmatic purpose.

3. Scope

Wherever possible, NIU encourages that members of its community do business electronically and use electronic signatures to conduct transactions that may have previously required handwritten signatures on paper documents.

Where a transaction requires that the authenticity of the signer be more rigorously proven and where the party to the contract or transaction cannot legally repudiate the authenticity of their signature on a document, then a digital signature will be required. The policy also establishes the process for designating transactions that would accept digital signatures and how NIU will implement digital signatures. Until NIU establishes its preferred and approved methods for the use of digital signatures at the University, such contracts or transactions will need handwritten signatures on paper documents.

Ultimately, each Data Trustee will be accountable for selecting the appropriate signature method along with documenting the selection procedure and reasons for selecting a signature method and the Data Steward will be responsible for implementing the appropriate signature method.

Under applicable Illinois law, electronic signatures and digital signatures cannot be used for the following transactions:

• Where a rule of law clearly indicates an intent for the transaction to be handwritten, as opposed to in an electronic format. In these situations, a law that simply requires the information to be “in writing”, “written” or “printed” can be satisfied through an electronic signature.

• To a rule of law governing the creation or execution of a will or trust. An electronic copy of a will or trust that is already created or executed can be sufficient for other purposes, so long as the validity of the electronic document is reasonably not in question.

• To any record that serves as a unique and transferable instrument of rights and obligations including, without limitation, negotiable instruments and other instruments of title wherein possession of the instrument is deemed to confer title.

However, an electronic transfer of title can be valid if the electronic version is created, stored, and transferred in a manner that allows for the existence of only one unique, identifiable, and unalterable original with the functional attributes of an equivalent physical instrument, that can be possessed by only one person, and which cannot be copied except in a form that is readily identifiable as a copy.

Under the law, external third parties are not required to accept or use electronic signatures in transactions. In those situations, the University and the external third party will need to come to an agreement on the acceptable form of signature on the transaction, or default to handwritten signatures on paper documents.

4. Implementation Procedures


E-signatures may be implemented using various methodologies depending on the associated risks that may include fraud, non-repudiation, and financial loss. The quality and security of the e-signature method should be commensurate with the risk and any requirements to assure the authenticity of the signer.
4.1. Risk Assessment
The Data Trustee and Data Custodian should first consider the risk associated with the transaction, including but not limited to, taking care to assess the probability and impact of:

• Inconvenience, distress, or damage to NIU’s reputation
• Financial loss or liability
• Harm to NIU programs or public interests
• Unauthorized release of Private or Restricted Data
• Civil or criminal violations; and
• Bodily or financial harm to individuals
4.2. Method Selection

Wherever possible, electronic signatures should be implemented. Digital signatures or handwritten signatures should be reserved for circumstances when they are required by law, regulation, or other applicable policy or authority.
4.2.1 Level: Level 1 Risk: None to Low
Authentication: NIU Account IDs and passwords are not required for authentication, but a signer’s identity could be authenticated using a government-issued identification document.

Assurance Level: Little or no confidence in the asserted identity’s validity.

Recommendation: Basic Electronic Signature - A signatory clicks a checkbox in an electronic agreement to signify agreement or approval.

Use Case: This is appropriate for low-risk transactions. E.g. Basic form submissions without legal implications.
4.2.2 Level: Level 2 Risk: Low to Medium
Authentication: NIU Account IDs and passwords are required for authentication to an electronic form or document, after which a signatory may click on a checkbox to signify agreement or approval.

Assurance Level: Sufficient confidence in the asserted identity’s validity.

Recommendation: Electronic Signature – NIU Authentication with logging of signed in user and time stamp of signature.

Use Case: This is the most common use case appropriate for individuals within the NIU community. E.g. Most internal process flows, forms and approvals.
4.2.3 Level: Level 3 Risk: Medium to High

Authentication: NIU Account IDs and passwords are required to authenticate to an established Electronic Signature Service (e.g. DocuSign, Adobe Sign etc.).

Assurance Level: High confidence in the asserted identity’s validity.

Recommendation: Electronic Signature using established Electronic Signature Service (e.g. DocuSign, Adobe Sign etc.).

Use Case: This is required in transactions involving external parties who doesn't’t have NIU credentials. E.g. contracts involving external vendors.

4.2.4 Level: Level 4 Risk: High
Authentication: NIU Account IDs and passwords or approved Digital certificates are required to authenticate to a digital signature solution that provides encryption and nonrepudiation for selected electronic documents.

Assurance Level: High confidence in the asserted identity’s validity.

Recommendation: Digital Signature, or other “secure electronic signatures” under the ECSA.

Use Case: This is required in the smaller set of transactions where signature nonrepudiation is required by law. E.g. Transactions involving sending/signing any documents that are going to the European Union.
4.2.5 Level: Level 5
Level: Very High

Authentication: A document is required to be printed and an individual must provide an original signature in ink.

Assurance Level: Very high confidence in the asserted identity’s validity. Recommendation: Handwritten Signature.

Use Case: This is required in the smaller set of transactions where Illinois law or administrative codes require original inked signatures. E.g. Negotiable instruments and other instruments of title where possession confers title.

4.3. Method implementation
When implementing an electronic or digital signature process, all applicable laws, rules, regulations, and NIU policies and procedures must be followed. In addition, the transactions should comply with these requirements:

Electronic Signatures:

• The signer must perform an action to signify agreement or approval, such as clicking a checkbox, typing their name into a text box, or importing a graphic representation of a handwritten signature.

• Please note that checkboxes alone may not be sufficient when it is necessary to verify the electronic signature or transaction’s execution.

• The signer’s first and last name must be visible and legible below the electronic signature.

• The time and date of the electronic signature must be captured, stored, and available for retrieval along with the electronic record.

• Under the ECSA, the State of Illinois may establish minimum security requirements for the use of electronic records and signatures at State Agencies, like NIU for these purposes. As of the original date of this policy, the State has not adopted such minimum-security requirements. If such minimum-security requirements are established, then they must be followed for the use of electronic signatures at NIU.

Digital Signatures, or other “secure electronic signatures”:

• As a subset of electronic signatures, non-repudiated and encrypted digital signatures will use a digital signature software application and digital certificates that has yet to be purchased or implemented. Until this is available, any signature that requires this level of legal assurance or poses a high risk to NIU will continue to use handwritten signatures.

• Under the ECSA, the State of Illinois has established minimum security requirements for the use of digital signatures and secure electronic signatures at State Agencies, like NIU for these purposes. The Illinois Department of Innovation & Technology asserts that, by Legislative directive, it is the sole source of digital certificates for State of Illinois agencies, boards, commissions, universities and those who do business with them. When digital signatures or other secure electronic signatures are available at NIU, the University must follow the State-established minimum-security requirements for such digital signatures or other secure electronic signatures.

5. Compliance

Any individual that uses electronic or digital signatures for NIU operations in violation of this policy or other NIU policies, procedures, or applicable state and federal laws may be subject to appropriate sanctions that may include disciplinary actions up to and including termination. Faculty and staff violations will follow appropriate HR disciplinary processes. Student violations will follow disciplinary procedures applicable to student misconduct.

Anyone aware of possible violations of this Policy must report them immediately to their supervisor, department head, or to the Office of Vice President and CFO.

Policy originally submitted 5/13/2020
Back to top of page