By: Ashley Verdon and Neil Eddington
September 30, 2016
If you belong to one of the ever-increasing number of businesses using electronic signatures, then it might be time to review your authentication security procedures in place. As electronic signatures become the norm in conducting business, California courts are busy with cases challenging their enforceability. Recently, in Espejo v. Southern California Permanente Medical Group (2016) 246 Cal.App.4th 1047, the Second District Court of Appeal ruled that an employer sufficiently authenticated an employee’s electronic signature to an arbitration agreement. In doing so, the court offered some clarity as to what evidence is necessary to enforce an electronic signature under the Uniform Electronic Transmissions Act (“UETA”). (Cal. Civ. Code §1633.)
California adopted the UETA to strengthen enforceability of electronic agreements in the place of traditional ink signatures. Section 9 states that an electronic signature may be attributed to a signee “if it was the act of the person.” (Cal. Civ. Code §1633.9(a) [emphasis added].) The statute offers little in demonstrating how this is proven, but suggests it may be done in any manner, such as showing an effective security procedure. (See Cal. Civ. Code §1633.9(a).) The recent opinions in Espejo and its predecessor, Ruiz v. Moss Bros. Auto Group, Inc. (2014) 232 Cal.App.4th 836, 844, offer a blueprint to conduct this analysis while also making clear that simply asserting that the signature is the product of the signee is not sufficient to authenticate the signature.
In Ruiz, the Fourth District Court of Appeal held that an employer failed to prove that its employee, Ruiz, electronically signed an arbitration agreement as a condition of employment. Ruiz, supra, 232 Cal.App.4th at 844. Though the employer submitted “true and correct” copies of an arbitration agreement with a dated, electronic signature of Ruiz’s full name, the employer only offered its unsupported assertion that Ruiz was the person who electronically signed the 2011 agreement. The court reasoned that, absent any explanation of how Ruiz’s signature, or the date and time next to it, came to be written on the agreement, the employer failed to prove it was “the act of” Ruiz. (Ibid.)
After Ruiz, the court decided Espejo, another employee-employer dispute over the authenticity of the employee’s electronic signature. This time, however, the court reached the opposite conclusion, aided by the employer’s declaration offering “the critical factual connection the Ruiz declaration lacked.” Espejo, supra, 246 Cal.App.4th at 1062. This declaration sufficiently explained how the signature was the act of Espejo, the employee, by including the following facts:
- Espejo was “directly and orally” given a “private and unique username and password” over the phone;
- Espejo then was required to reset his password before being allowed to proceed to a page where he was prompted to “opt to agree to complete the employment documents using an electronic signature”;
- After the opt-in, Espejo could then access the employment agreement and dispute resolution procedure agreement using his unique username and password;
- Finally, these security steps showed that Espejo’s name “could have only been placed on signature pages of the employment agreement and dispute resolution procedure by someone using Espejo’s unique user name and password” and therefore must have been made by Espejo on the date, time, and at the IP address listed on the documents. (Ibid.)
The court found this summary persuasive and held it sufficiently demonstrated Espejo’s signature was the act of Espejo.
The Ruiz and Espejo cases provide guidance as to how courts will interpret the UETA’s Section 9 language. When the authenticity of an electronic signature is challenged, it is important that businesses not only have effective security procedures in place, but also can show that the signature was the act of the claimed signee. Though it did not establish an explicit test, the factors that the Espejo court found persuasive can help guide this determination and are as follows: (1) whether unique log-in information is provided solely to the signee; (2) whether the signee resets the password to one of his or her choosing; (3) whether the signee is required to log-in again using the reset password; and (4) whether the signee agrees to sign the documents electronically. The existence and showing of these procedures will likely make for sufficient authentication after Espejo.