Nearly four years have passed since enactment of the Electronic Signatures in Global and National Commerce Act (ESIGN Act) opened the door for higher education institutions to use electronic records and electronic signatures (e-sign) in place of traditional paper records and handwritten signatures. During that time, acceptance of e-sign has accelerated steadily on campuses across the nation, driven by two key factors. First, e-sign appeals to today's internet-savvy generation of applicants who are accustomed to the convenience and immediacy of online transactions. Second, schools recognize its potential to simplify and speed the admissions and financial aid processes and reduce administrative overhead.
To date, e-sign has found its greatest acceptance on federal financial aid documents. Not coincidentally, this is the arena in which the Department of Education (DOE) first provided definitive guidance on e-sign requirements with the July 2001 publication of Standards for Electronic Signatures in Electronic Student Loan Transactions. In the absence of similar guidance for other e-sign applications, many schools have been reluctant to broaden its use, not wanting to possibly run afoul of the requirements of the Family Educational Rights and Privacy Act (FERPA).
That may soon change, however, in the wake of DOE's recent amendment of §99.30 of FERPA. The amendment allows students to use an electronic signature to consent to the release of transcripts and other personal data, and also details the standards that must be met to assure that e-sign is legally comparable to a pen-and-ink signature. These standards track very closely with those detailed earlier by DOE for e-sign on federal financial aid forms. With the amendment now in effect, schools have the guidance they need to construct an e-sign system that meets regulatory muster for all matriculation-related documents.
Removal of this final impediment is expected to spur institutions still on the sidelines to get into the e-sign game. To ease the way, they can learn much from the experience of schools who already have taken that step. Among these trailblazers, no school has longer experience with e-sign than American InterContinental University (AIU) Online. In June 2002, we became the first higher education institution in the United States authorized by DOE to allow students to use e-sign on federal financial aid documents. A year later, we were the first U.S. university or college to offer secure e-sign capabilities on all legal documents required for a student to apply and enroll in one of our online degree programs, including electronic signatures on transcript request forms.
AIU Online's initial launch of e-sign followed several months of development work during which we collaborated closely with DOE officials to assure that our approach complied fully with their requirements in three critical areas:
Authentication. The DOE standards require that the name, date of birth and Social Security number associated with an electronic signature must be authenticated by a third party against an approved database;
Security. Transmission of Social Security numbers from a school to the third-party authenticator must be 100 percent secure, to prevent unauthorized access to applicants' personal data; and
Disclosure. Applicants must be fully informed of their rights regarding the use of electronic signatures, including their right to opt out of the e-sign system.
The DOE standard allows considerable latitude in selecting the independent source of data against which applicant-provided data is compared. Such sources can include but are not limited to national commercial credit bureaus, commercially available data sources or services, state motor vehicle agencies and government databases. However, school databases are not an acceptable source.
Information that is to be verified must, at a minimum, include the applicant's name, Social Security number or driver's license number and date of birth.
In designing AIU Online's e-sign capability, we decided to authenticate electronic signatures through the Student Authentication Network (STAN) of NCS Pearson, the only third-party vendor authorized to authenticate using the Social Security Administration database as its independent data source. NCS Pearson already was providing this service for many lenders participating in the federal student loan program, so the methodology was in place and readily adaptable to our needs. To protect applicants' privacy, data transmitted to NCS Pearson was encrypted using the industry standard of 128-bit, Secure Sockets Layer encryption.
AIU Online's disclosure procedures tracked the detailed requirements of the DOE standards. Their purpose was to make sure that applicants understood that they:
Must affirmatively and voluntarily consent to receive and/or sign electronic records, with the consent applying to all transactions, forms and records requiring a legal signature;
Must demonstrate electronically that they have the capability to receive electronic communications;
Can withdraw consent to receive electronic records at any time, and understand the consequences of and procedures to follow for doing so;
Should print documents after they are signed electronically and store confidential electronic documents in a secure environment, just as they would paper-based documents; and
Will be notified in advance if changes in hardware or software requirements might affect their ability to receive electronic documents.
Two types of forms were targeted initially--the federal verification worksheet and student authorization forms. The verification worksheet was chosen because DOE had accepted copied and faxed signatures on this form since 1995, making the e-sign option a logical evolutionary step. Although the DOE standards allowed AIU Online the option of creating the PINs that each applicant would use as their electronic signature, we opted instead to use the Federal Student Aid (FSA) PIN, which applicants are required to obtain in order to apply for federal financial aid.
The AIU Online e-sign system went live in August 2002, and acceptance by applicants was strongly positive from the outset. After just nine months, usage of the e-sign option by applicants for financial aid exceeded 80 percent and has remained at that level since.
Based on this positive response, AIU Online decided to expand our use of e-sign beyond financial aid documents to all admissions-related documents requiring a legal signature. In all but one case, the documents involved were for our own internal use, so privacy concerns were not an issue. That was not the case with the transcript release form.
FERPA states that confidential information about an applicant cannot be released without "signed and dated written consent." Since FERPA as originally enacted did not address the usage of e-sign, the acceptability of an electronic signature on a transcript release form was an open question. In our view, DOE's acceptance of e-sign on federal financial aid documents provided sufficient precedent for us to proceed. Other institutions chose to wait for more definitive DOE guidance before extending their use of e-sign to FERPA-covered documents.
That guidance arrived in July 2003, when DOE issued a proposed amendment to FERPA that authorized e-sign and defined standards for its use. The proposed standards tracked closely with those outlined in the DOE's earlier standards for use of e-sign on federal financial aid forms, particularly in the areas of security and third-party authentication. Since our plans for using e-sign on transcript release forms met the standards defined in the proposed amendment, we launched the full implementation of our e-sign capability the following month.
In expanding our use of e-sign, AIU Online couldn't use NCS Pearson's STAN system for authentication, because the Social Security Administration database can be used only for federal financial aid purposes. Instead, we contracted with Experian, one of the nation's largest credit bureaus, to authenticate PINs using the variables of name, date of birth and Social Security number. To maintain consistency across all documents, we also adopted the Experian authentication system for financial aid documents. We also began issuing our own PINs to applicants, which they can use as an electronic signature on all AIU-administered documents.
Once again, applicants eagerly embraced the e-sign option. Acceptance of e-sign by other higher education institutions has not, however, kept pace, as many still do not accept e-signed transcript release forms. Now that the final FERPA amendment is in effect, schools can accept electronic signatures on transcript release forms with confidence that they are in full compliance with student privacy requirements.
The FERPA amendment also resolves another longstanding debate within the educational community regarding PIN usage and authentication. Some schools had maintained that simply having applicants click on an "accept" button created an "electronic signature," and that neither a secured environment nor third-party authentication was necessary. Others, including AIU Online, have insisted that creating a legally binding signature and protecting applicants' privacy rights can be achieved only through the use of a confidential PIN in a secured environment and third-party authentication of the PIN's validity. With the FERPA amendment finalized and enacted, the debate is over and the proponents of authentication have prevailed.
E-sign clearly is a solution whose time has come. The benefits for both students and institutions are evident, and the necessary regulatory framework is in place.
AIU Online took the plunge into electronic signatures. If your institution, still standing on shore, ventures out as we did, we hope you'll find that the water's fine.
Robin Throne currently serves as Executive Advisor to both Career Education Corporation and its Online Education Group, the parent corporation of American InterContinental University Online.