12. Secure Electronic Record.

(a) If a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved has been applied to an electronic record in a trustworthy manner and has been relied upon reasonably and in good faith by the relying party to verify that the electronic record has not been altered since a specified point in time, such record shall be treated as a secure electronic record from such specified point in time to the time of verification.

(b) For the purposes of this Section 12 and of Section 13, whether a security procedure is commercially reasonable shall be determined in light of the procedure used and the commercial circumstances prevailing at the time the procedure was used, including:

(i) the nature of the transaction;

(ii) the sophistication of the parties;

(iii) the volume of similar transactions engaged in by the parties involved;

(iv) the availability of alternatives offered to but rejected by any party;

(v) the cost of alternative procedures; and

(vi) the procedures in general use for similar types of transactions.

(c) Whether reliance on a security procedure was reasonable and in good faith shall be determined in light of all the circumstances known to the relying party at the time of the reliance, with regard to:

(i) the information that the relying party knew or should have known of at the time of reliance that would suggest that reliance was or was not reasonable;

(ii) the value or importance of the electronic record, if known:

(iii) any course of dealing between the relying party and the purported sender and the available indicia of reliability or unreliability apart from the security procedure;

(iv) any usage of trade, particularly trade conducted by trustworthy systems or other computer-based means; and

(v) whether the verification was performed with the assistance of an independent third party.

Source: Singapore Electronic Transactions Act §16; Illinois Electronic Commerce Security Act §10-115; UCC Article 2B § 115(b) (November 1, 1997 draft); ABA Digital Signature Guidelines § 5.4.

Comments: This section sets forth the criteria that must be satisfied for an electronic record to qualify as a "secure" electronic record in a technologically neutral manner. Records that qualify as secure electronic records are accorded the presumptions set forth in Section 14.

This section attempts to balance the risk of loss between the sender and recipient of an electronic record, with the recipient bearing the burden of proof with respect to evidence or information that is available to or under the control of the recipient. This includes an evaluation of whether the security procedure is commercially reasonable under the circumstances, of whether the security procedure was implemented by the relying party in a trustworthy manner and, finally, of whether the security procedure was implemented and relied upon by the relying party reasonably and in good faith. This latter point takes into account the fact that if the relying party has knowledge indicating that reliance on the security procedure is not appropriate, the relying party should be charged with it and should not be able to rely on a security procedure that it knows may be unreliable. Once this burden is met by the recipient of an electronic record, Section 14 gives rise to a refutable presumption that the electronic record has not been altered, and imposes upon the purported sender the burden of going forward with evidence to rebut the presumption. The relying party is deemed to be responsible for information and events that are under its control.

In order for an electronic record to be deemed secure it must be possible to verify the integrity of the record through:

(1) A qualified security procedure

(2) that is commercially reasonable under the circumstances

(3) that is implemented in a trustworthy manner

(4) and relied upon reasonably and in good faith.

Because no single security procedure is sufficient for all situations, commercial reasonableness, trustworthy implementation and good faith by the relying party are all relevant factors to be considered, even with the strongest of security procedures in place.

By tying secured the electronic record to the "time of verification", this section recognizes that the fact that an electronic record is verified by a security procedure and qualified as a secure electronic record at a particular point in time does not necessarily ensure that it will be a secure electronic record indefinitely into the future. This section thus contemplates that the electronic record will be subjected to the appropriate qualified security procedure to verify the integrity of the electronic record not only when it is necessary to act on the record--but also at such later time when it may be necessary to establish the integrity of the electronic record, such as in court.

13. Secure Electronic Signature. If, through the application of a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved, an electronic signature is executed in a trustworthy manner and reasonably and in good faith is relied upon by the relying party, such signature shall be treated as a secure electronic signature at the time of verification to the extent that it can be verified that said electronic signature satisfied, at the time it was made, the following criteria:

(a) it was unique to the person using it;

(b) it was capable of being used to objectively identify such person;

(c) it was created in a manner or using a means under the sole control of the person using it, that cannot be readily duplicated or compromised; and

(d) it is linked to the electronic record to which it relates in a manner such that if the record was changed to electronic signature would be invalidated.

Source: Singapore Electronic Transactions Act §17.

The security procedure must satisfy four criteria before it can be deemed a prescribed security procedure:

(1) Uniqueness: This requirement is intended to ensure that there is no reasonable likelihood that more than one person would produce the same signature absent fraud or other inappropriate conduct.

(2) Objective Identification: This requirement is intended to ensure that a reasonable person could identify the author of the electronic signature.

(3) Reliability: There must be reasonably reliable assurance that the

person identified as the signer is the person who signed the electronic record, and that the signature was not altered after it was made.

(4) Linkage to Record Signed: A secure signature must be both created and linked to the electronic record being signed in a manner such that the fact of such alteration would be disclosed if either the record or the signature is altered after the signature is made.

14. Presumptions Relating to Secure Electronic Records and Signatures.

(a) In any civil proceedings involving a secure electronic record, it shall be presumed, unless the contrary is proved, that the secure electronic record has not been altered since the specific point in time to which the secure status relates.

(b) In any civil proceedings involving a secure electronic signature, the following shall be presumed unless the contrary is proved:

(i) the secure electronic signature is the signature of the person to whom it correlates: and

(ii) the secure electronic signature was affixed by that person with the intention of signing or approving the electronic record.

(c) In the absence of a secure electronic record or a secure electronic signature, nothing in this Part shall create any presumption relating to the authenticity and integrity of the electronic record or an electronic signature.

(d) The effect of presumptions provided in this section is to place on the party challenging the integrity of a secure electronic record or challenging the genuineness of a secure electronic signature both the burden of going forward with evidence to rebut the presumption and the burden of persuading the trier of fact that the nonexistence of the presumed fact is more probable than its existence.

(e) For the purposes of this section:

(i) "secure electronic record" means an electronic record treated as a secure electronic record by virtue of Sections 12 or 21; and

(ii) "secure electronic signature" means an electronic signature treated as a secure electronic signature by virtue of Sections 13 or 22.

Source: Singapore Electronic Transactions Act §18.

Section 14(d) makes clear that the effect of the presumptions is to allocate both the burden of going forward with the allegations and evidence, as well as the ultimate burden of persuasion, to the party challenging the integrity of a secure electronic record or challenging the genuineness of a secure electronic signature. These presumptions apply only in the context of a civil dispute, not a criminal matter.