Legal issues in documenting: e-commerce transactions.

• Author: Frye, Emily
• Position: Cover Story

While electronic commerce offers speed, convenience, and cost advantages over traditional paper-based transactions, it raises many business and legal issues. One of the most complex is transaction documentation.

A discussion of legal issues in documenting e-commerce transactions begins with basic questions, such as what constitutes adequate business records of an e-commerce transactions? Moreover -- since records are not kept just for business purposes -- what constitutes legally adequate records of e-commerce transactions? Broadly speaking, concerns around documenting e-commerce transactions fall into two categories: creating and capturing adequate records, and maintaining adequate records over time.

Electronic commerce programs focus on facilitating transactions, not on creating legally adequate records, and records managers therefore may not have been consulted in decisions about what e-commerce software to deploy. Ideally, however, records managers should be involved in planning, designing, and implementing e-commerce processes; selecting and implementing the software; and training users on how and when to use it for records management purposes. Records mangers can help to ensure that the undertaking does not increase the company's risk.

Companies that fail to maintain proper electronic records may be in the mainstream now, but in five years they likely will be in trouble -- embroiled in litigation, enduring expensive regulatory examination, or bedeviled by fraud. It is far better to build records management into e-commerce from the beginning than to attempt to retrofit it later when opposing counsel, regulators, or auditors begin to ask hard questions about the evidence establishing who did what, when, and who owes whom.

Creating and Capturing a Legally Adequate Record

In evaluating the software's ability to create and capture legally adequate records, records managers will want the answer to these questions:

* What data must be created and captured to show what the participants did?

* Is the process designed to create and capture that data? If not, how can we modify it to do so?

* What metadata is sufficient to support and validate each transaction? To validate the system?

* Is such metadata also captured and stored? Is it stored separately or as part of transaction records?

* How are the content and metadata that make up the complete record linked and verified?

* Where will transaction records reside? How will they be secured? How will they be retrieved?

Authenticating Transactions

Authenticating transactions is an important and difficult facet of creating and capturing legally adequate records. The price tag for failure can be immense. Meridien Research estimates the cost of online credit card fraud -- including consumers falsely claiming they never ordered items -- to be $9 billion in 2001.

Authentication has two aspects: participant verification and transaction content verification.

Authenticating Participants

Currently there are many technological options but no standard method of authenticating the participants in an electronic transaction. The Electronic Signatures in Global and National Commerce Act (ESIGN), which was intended to facilitate electronic commerce, removes legal barriers to recognizing electronically authenticated (or signed) transactions as valid. It does not prescribe any technique for authenticating the parties to an e-commerce transaction and has produced mass confusion about which authentication techniques might be acceptable in a given situation.

Fortunately for the...