
Monday, January 25, 2010

Authentication and Electronic Signatures
by Anna Slomovic, Anakam CPO

An interesting court case was recently sent for trial in New York federal court. The case revolves around an appropriate level of authentication for an individual who electronically signed an insurance application.

In Prudential Ins. Co. of Am. v. Dukoff, No. 07-1080, 2009 U.S. Dist., the insurance company wanted to void a life insurance policy on the basis of false statements made in an online application and signed via a click-through agreement. Such agreements are common on the Internet for acceptance of web site policies and software license agreements. The insured in this case argued that the online application did not contain a valid electronic signature under the NY Electronic Signatures and Records Act, so the allegedly false statements in the online application could not be used to deny coverage.

The court ruled that neither the insurer nor the insured is entitled to summary judgment and that the case should go to trial. In doing so, the court relied in part on an opinion issued by the Office of General Counsel of the New York State Insurance Department on September 16, 2005:

  • Generally speaking, a checked box on an electronic form on the Internet constitutes a valid electronic signature in New York… provided that the insurer, agent or broker using such technology to transact business is capable of verifying that the person providing the electronic signature is actually the party to be charged. Without such verification measure in place, the Department would not consider a checked box to be a valid signature.

The court ruled that “Prudential may use statements made in the insurance application to challenge the insurance contract’s validity only if Prudential could reasonably identify the person who made them.” In computer security terms, we are talking about non-repudiation of electronic signing transactions.

We will be tracking the case as it goes through trial and any subsequent appeals because the court’s reasoning has significant implications in several areas relevant to e-commerce and health information exchange, including patient consent management, electronic record access, and e-prescribing. In order for these electronic transactions to achieve significant adoption, they must have strong non-repudiation characteristics. Those who rely on electronic signatures to authorize transactions, sign documents, release data, provide care, or dispense drugs must have assurance that the individual who authorized the transaction is who he or she claims to be AND had the right to perform the transaction. According to NIST guidance, NIST Level 3 credentials provide non-repudiation capabilities, and do so through the design of the registration process and the operation of credentials during authentication. This level of credentials should become the minimum standard for legal electronic signatures when repudiation of a transaction presents a risk to the enterprise.




