Lesson 5: Standards for an Acceptable Electronic Document Receiving System
CROMERR requires that all acceptable electronic document As defined in § 3.3 of CROMERR, any information in digital form that is conveyed to an agency or third-party, where "information" may include data, text, sounds, codes, computer programs, software, or databases. "Data," in this context, refers to a delimited set of data elements, each of which consists of a content or value together with an understanding of what the content or value means; where the electronic document includes data, this understanding of what the data element content or value means must be explicitly included in the electronic document itself or else be readily available to the electronic document recipient. receiving systems are able to generate legally-defensible data to prove document integrity according to the five standards below.
- The e-document is not alterable without detection
- Alterations to the e-document are documented by the system
- The e-document can only be submitted intentionally
- Submitter and signatories can review the COR of the e-document
- If an e-signature is required, then the e-document meets e-signature requirements
Review each standard for a full explanation.
The e-document is not alterable without detection
The system must be able to prove that its electronic documents cannot be altered without detection during transmission or at any time after receipt. This is a basic data integrity requirement that ensures what was sent is what was received.
Alterations to the e-document are documented by the system
The system must provide a record of any alterations to the electronic document during transmission or after receipt.
The e-document can only be submitted intentionally
The system must be designed so that the electronic document can only be submitted knowingly, and with intent, and not by accident.
Submitters and signatories can review the COR of the e-document
Submitters and signatories must have: (1) the opportunity to review the Copy of Record As defined in § 3.3 of CROMERR, a true and correct copy of an electronic document received by an , which copy can be viewed in a human-readable format that clearly and accurately associates all the information provided in the electronic document with descriptions or labeling of the information. A copy of record includes: 1) All electronic signatures contained in or logically associated with that document; 2) The date and time of receipt; and 3) Any other information used to record the meaning of the document or the circumstances of its receipt. (COR As defined in § 3.3 of CROMERR, a true and correct copy of an electronic document received by an electronic document receiving system, which copy can be viewed in a human-readable format that clearly and accurately associates all the information provided in the electronic document with descriptions or labeling of the information. A copy of record includes: 1) All electronic signatures contained in or logically associated with that document; 2) The date and time of receipt; and 3) Any other information used to record the meaning of the document or the circumstances of its receipt.) in a human-readable format that clearly and accurately associates the electronic document information with descriptions; and (2) the opportunity to repudiate the electronic document based on this review.
COR refers to a true and correct copy of an electronic document received by an electronic document receiving system As defined in § 3.3 of CROMERR, any set of apparatus, procedures, software, records, or documentation used to receive electronic documents., which can be viewed in a human-readable format that clearly and accurately associates all the information provided in the electronic document with descriptions or labeling of the information. A COR includes:
- All electronic signatures contained in or logically associated with that document;
- The date and time of receipt; and
- Any other information used to record the meaning of the document or the circumstances of its receipt.
For example, if the COR is maintained as an XML file, then the COR should include the XSL style sheet used in conjunction with the file to present it back to the signer.
If an e-signature is required, then the e-document meets e-signature requirements
If an e-document requires an e-signature, then it must meet the following requirements:
- E-signatures must be valid at the time of signing.
- E-documents cannot be altered without detection after signing.
- Each signatory must have an opportunity to:
- Review the e-document content, in human-readable format, before signing; and
- Review the required certification statement, which includes criminal penalty implications of false certification, at the time of signing.
- Signatories must sign either an electronic signature agreement As defined in § 3.3 of CROMERR, an agreement signed by an individual with respect to an electronic signature device that the individual will use to create his or her electronic signatures requiring such individual to protect the electronic signature device from compromise; to promptly report to the agency or agencies relying on the electronic signatures created any evidence discovered that the device has been compromised; and to be held as legally bound, obligated, or responsible by the electronic signatures created as by a handwritten signature. or subscriber agreement As defined in § 3.3 of CROMERR, an electronic signature agreement signed by an individual with a handwritten signature. This agreement must be stored until five years after the associated electronic signature device has been deactivated. for the e-signature device used to create his or her e-signature.
- The system must automatically respond to the receipt of an e-document with an acknowledgement identifying the e-document received, the signatory, and the date and time of receipt. It must also be sent to at least one address that does not share the same access controls as the account used to make the electronic submission.
- For each e-signature device, the identity of its unique user and the users' relationship to the entity for which he or she is signing has been determined by the state, tribe, or local government.