The Secret Sauce for Electronic Records: System Audit Logs

Most software platforms for presenting and signing electronic records (a “platform”) capture and preserve information concerning the delivery and signing process for each record presented on the platform. The file preserving this information is often referred to as an “audit log.”

Audit logs serve a number of purposes, and in particular serve a vital role when the authenticity of an electronic signature is in dispute. In such a dispute, the person seeking to enforce the electronic signature will be required to prove that the signature was executed by the person against whom enforcement is sought. A properly created audit log can help provide such proof.

To understand how and why the audit log performs this important function, some background information on the law governing attribution of electronic signatures is a useful first step.

For electronic signatures, the two U.S. laws most often relevant are (i) the Electronic Signatures in Global and National Commerce Act (“ESIGN”) and (ii) the Uniform Electronic Transactions Act as approved and recommended by the ULC in July 1999 (“UETA”). Both laws define an “electronic signature” similarly: an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

Therefore, a disputed signature will only be enforceable if it is possible to prove that the signature was, in fact, executed or adopted by the purported signer – that is, that the signature may be “attributed” to the signer. The information captured by the audit log, concerning both (i) the authentication of the signer during the signing event, and (ii) the sequence of events leading up to the execution of the signature, is often key to establishing attribution. A recent judicial decision highlights how a comprehensive audit log can provide compelling evidence that the electronic signature was, in fact, executed by the purported signer.

In Harpham v. Big Moose Inspection, the enforceability of a contract for home inspection services was at issue. The purported signer disputed the electronic signature. In addition to describing how electronic contracts were delivered and presented, the affidavit of the party seeking to enforce the signature also described the information captured by the platform’s audit log, which showed (i) when the agreement was posted to the defendant’s secure website, (ii) the date a link to the agreement on the secure website was emailed to the plaintiffs, (iii) the two times someone using plaintiff’s access credentials to the secure site accessed the agreement, (iv) that someone using the same credentials signed the agreement electronically by clicking a button indicating acceptance, and (v) that the defendant generated and stored a record of that agreement. The court found that by setting forth the information captured by the audit log, the defendant had produced sufficient admissible evidence of attribution, and that the plaintiff would have to do more than simply deny the signature’s authenticity to avoid summary disposition.

One final note – audit logs should always be protected by the platform so that they cannot be altered without detection. Failure to protect the audit log in this manner can create doubt that the information in the audit log accurately reflects the steps in the transaction.
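
One way a platform can make alteration of an audit log detectable, shown as an added example that is not from the original article or from any particular platform: each entry carries an HMAC computed over the previous entry's MAC and its own contents. The event names, actors, timestamps and key are constructed for illustration, with the sequence following the one described in the Harpham discussion above.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                  # fixed anchor that the first entry chains to
DEMO_KEY = b"constructed-demo-key"  # assumption: a real key lives in an HSM/KMS

def entry_mac(key, prev_mac, event):
    # Canonical JSON so an event always serializes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def append_event(log, key, event):
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "mac": entry_mac(key, prev, event)})

def verify_log(log, key, expected_head=None):
    """Return None if intact, else the index where verification fails.

    expected_head is the last MAC, kept outside the log (assumption: e.g.
    write-once storage); without it, removed trailing entries go unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = entry_mac(key, prev, entry["event"])
        if not hmac.compare_digest(entry["mac"], expected):
            return i          # entry edited, reordered, or a predecessor removed
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)       # chain verifies but is shorter than recorded
    return None

def build_sample_log(key=DEMO_KEY):
    # Constructed events following the sequence in the Harpham discussion.
    steps = [("agreement_posted", "platform", "2024-03-01T09:00:00Z"),
             ("link_emailed", "platform", "2024-03-01T09:05:00Z"),
             ("agreement_accessed", "signer-1", "2024-03-02T18:30:00Z"),
             ("agreement_accessed", "signer-1", "2024-03-03T08:10:00Z"),
             ("agreement_signed", "signer-1", "2024-03-03T08:14:00Z"),
             ("record_stored", "platform", "2024-03-03T08:14:02Z")]
    log = []
    for action, actor, when in steps:
        append_event(log, key, {"action": action, "actor": actor, "time": when})
    return log

if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["mac"]
    log[4]["event"]["time"] = "2024-03-09T00:00:00Z"  # alter the signing time
    print("first failing entry:", verify_log(log, DEMO_KEY, head))
```

The chain alone exposes edits and mid-log deletions; detecting removal of the most recent entries depends on the head MAC being stored somewhere the log's custodian cannot rewrite.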

 

Margo Tank is a partner at Buckley Sandler, helping financial services companies and technology clients navigate regulatory compliance issues related to electronic signatures and records.

 

David Whitaker is senior counsel for Buckley Sandler and advises financial services companies in transactional, legal and regulatory matters related to digital financial services, including e-signatures, records and payments.
