Most software platforms for signing electronic records (an "electronic signature platform") capture and preserve information concerning the delivery and signing process for each record presented. The file preserving this information is often referred to as an audit log. Audit logs serve a number of purposes, and a particularly vital role when the authenticity of an electronic signature is in dispute. In such a dispute, the person seeking to enforce an electronic signature needs to prove the signature was executed by the person against whom enforcement is sought. A properly created audit log can help provide that proof.
To understand how and why the audit log performs this critical function, some background information on the law governing attribution of electronic signatures is useful. The two most relevant laws for electronic signatures in the US are the Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act as approved and recommended by the ULC in July 1999 (UETA). Both define an electronic signature as an electronic sound, symbol or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. Thus, an electronic signature can be an I agree button, a PIN or password, a digitalized image, a voice signature or other biometric, or a process that results in an expression of intent to sign the record. A disputed signature is enforceable only if it can be proved that the signature was, in fact, executed or adopted by the purported signer – and that the signature may be "attributed" to the signer; that is, the identified signer signed the record in question. Information captured by the audit log, concerning both the authentication of the signer during the signing event and the sequence of events leading up to the execution of the signature, is key to establishing attribution.
The decision in Harpham v. Big Moose Inspection1 highlights how a comprehensive audit log can provide compelling evidence that an electronic signature was, in fact, executed by the purported signer. At issue in this case: the enforceability of a contract for home inspection services. The purported signer disputed the electronic signature. In addition to describing how electronic contracts were delivered and presented, the affidavit of the party seeking to enforce the signature also described the information captured by the platform's audit log, which showed (i) when the agreement was posted to the defendant's secure website; (ii) the date a link to the agreement on the secure website was emailed to the plaintiffs; (iii) the two times someone accessed the agreement on the same day using the email link; (iv) that the person accessing the agreement signed the agreement electronically by clicking a button indicating acceptance; and (v) that the defendant generated and stored a record of that agreement. The court found that by presenting the information captured by the audit log, the defendant had produced sufficient admissible evidence of attribution, and that the plaintiff would have to do more than simply deny the signature's authenticity to avoid summary disposition.
A number of other cases have reinforced the importance of the use of an audit log to attribute a disputed signature to the signer, including Moton v. Maplebear Inc.;2 Bynum v. Maplebear Inc.;3 and Espejo v. Southern California Permanente Medical Group.4 In all these cases, the audit log generated by the chosen electronic signing platform included sufficient data to enable the courts to accept the audit log data as evidence supporting attribution of the signature to the signer.
We recommend that transaction audit logs track at least the following information whenever feasible:
- The date and time the signer(s) accesses the signing platform
- The date and time when alterations are made to the electronic record and by whom
- Confirmation that the person accessing the signing platform has successfully completed the authentication process (eg, entering an authorized user ID and password)
- The date, time and system identifier of each electronic record accessed by the person on the signing platform
- The date and time each electronic record is signed, the platform identifier for the electronic record being signed and the identity of the person signing the electronic record (based on the completed authentication process)
- The signer's IP address and
- Data on any tamper-seal information applied to the electronic record.
Finally, protecting the integrity of the audit log itself is paramount to proving attribution. Failure to protect the audit log can create doubt that the information in the audit log accurately reflects the steps in the transaction, which limits its usefulness and may prevent its successful introduction into evidence or otherwise impact its evidentiary value.
1 2015 WL 5945842 (Mich. App. Oct. 13, 2015).
2 2016 US DIST LEXIS 17643 (S.D.N.Y. Feb. 9, 2016).
3 2016 US DIST LEXIS 17644 (E.D.N.Y. Feb. 12, 2016).
4 Case No. BC562377 (Cal. App. Apr. 22, 2016).