New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 7 - DIGITAL / ELECTRONIC SIGNATURE
Section 1.12.7.13 - REQUIREMENTS FOR LEGALLY BINDING ELECTRONIC SIGNATURE
Current through Register Vol. 35, No. 18, September 24, 2024
Where an electronic signature is required by law or otherwise deemed desirable, it is critical that the electronic signature and the associated signing process satisfy all of the applicable legal requirements. Generally, creating a valid and enforceable electronic signature requires satisfying the following signing requirements.
A.A person (i.e., the signer) must use an acceptable electronic form of signature. Electronic signatures can take many forms, and can be created by many different technologies. No specific technology or form of signature is required. Generally, any electronic "sound, symbol, or process" can be used as the form of signature. Examples of commonly used electronic forms of signature include, but are not limited to:
B. The electronic form of signature must be executed or adopted by a person with the intent to sign the electronic record, (e.g., to indicate a person's approval of the information contained in the electronic record). A person's intent to sign is often inferred from his or her approval of the reason for signing as stated in the text of either:
C. The electronic form of signature must be attached to or associated with the electronic record being signed. Specifically, it must be attached to, or logically associated with, the record being signed. Satisfying this requirement requires storing the data constituting the electronic form of signature, and doing so in a way that permanently associates it with the electronic record that was signed. Where the electronic form of signature consists of a symbol or a sound (such as a typed name, a digitized image of a handwritten name, a PIN, a digital signature, a voice recording, etc.), the data representing the symbol or sound must be saved. Where the electronic form of signature consists of a process (such as clicking on an "I Agree" button), the system must be programmed so that completion of the process generates some specific data element to indicate completion of the signing process, or some other procedure (such as generation of a log record or audit trail) to record the act of signing. It is also recommended that the following additional data elements be appended to or associated with the signature data provided privacy considerations have been taken into account:
D. There must be a means to identify and authenticate a particular person as the signer. Meeting this burden of proof requires establishing a link between an identified person and the signature. An electronic form of signature may or may not provide proof of identity. Many forms of signature do not contain or directly link to the identity of the person making them (such as clicking an "I Agree" button), or if they do provide evidence of identity, such identity may not be reliable (e.g., a typed name). Other security procedures may be used to accomplish this objective. The signer's identity may be authenticated as part of an overall process of obtaining access to a website or electronic resource that includes the record to be signed. If the act of signing is performed during the session authorized by the authentication process, the signature itself is attributed to the signer because the person accessing the record for signing has been duly authenticated.
E. There must be a means to preserve the integrity of the signed record. The usability, admissibility, and provability of a signed electronic record requires procedures be undertaken to ensure the continuing integrity of both the electronic record and its electronic signature following completion of the signing process. Data integrity is concerned with the accuracy and completeness of electronic information communicated over the internet or stored in an electronic system, and with ensuring that no unauthorized alterations are made to such information either intentionally or accidentally. Ensuring "integrity" requires "guarding against improper information modification or destruction, for the full retention period of the record. Electronic records are easily altered in a manner that is not detectable. In an electronic transaction of any significance, the parties to the transaction must be confident of the integrity of the information before they rely or act on the record.