On May 26, 2020, HUD issued guidance via HUD Notice H 2020-04 regarding the use of electronic signatures and electronic file transmission. While this guidance has been in the works for quite some time, the publication is perfectly timed, as many management agents have faced challenges when conducting household certifications during the COVID-19 pandemic.
- Updated on 11/10/20 due to H-2020-10 which clarified that IPAs cannot access EIV data in electronic format.
The guidance in this notice applies to:
- Project-based Section 8 programs under the United States Housing Act of 1937 (42 U.S.C. 1437)
- Section 202 Senior Preservation Rental Assistance Contracts (SPRAC);
- Section 202/162 Project Assistance Contract (PAC);
- Section 202 Project Rental Assistance Contract (PRAC);
- Section 811 PRAC;
- Rent Supplement;
- Section 236 (including RAP); and
- Section 221(d)(3)/(d)(5) Below-Market Interest Rate (BMIR).
There are three laws (the E-Transaction Laws) that speak to the use of electronic signatures in transactions involving federal organizations.
- Electronic Signatures in Global and National Commerce Act (E-SIGN) (15 U.S.C. § 7001 et seq., effective October 1, 2000)
- The Uniform Electronic Transactions Act (UETA)
- Government Paperwork Elimination Act (GPEA)
In this Notice, HUD permits industry partners to use electronic signatures if the proper protocols governed by the applicable E-Transaction Laws are adhered to. The notice relies heavily on the “Use of Electronic Signatures in Federal Organization Transactions” guidance issued by the Federal Chief Information Officer (CIO) Council in January 2013. To determine whether an electronic signature can be used on a document that requires a signature under law, the e-signature method should be evaluated using the “functional equivalence approach”. This approach considers the purpose and use of the document that would typically require a signature on paper and specifies how that purpose can be met in an electronic format. In the notice, HUD lays out requirements for an electronic signing process that will comply with the requirements of all three E-Transaction Laws, and addresses the following:
- An electronic form of signature;
- Intent to sign;
- Association of signature to the record;
- Identification and authentication of the signer; and
- The integrity of the signed record.
1. Electronic Forms of Signature
Electronic signatures can take many forms, including symbols, sounds, codes, and even unique biometrics-based identifiers. HUD’s notice includes a list of examples of the different types of electronic signatures:
- A typed name (e.g., typed at the end of an e-mail message by the sender or typed into a signature block on a website form by a party);
- A digitized image of a handwritten signature that is attached to an electronic record;
- A shared secret (e.g., a secret code, password, or PIN) used by a person to sign the electronic record. (“Shared” means that the secret is known both to the user and to the system);
- A unique biometrics-based identifier (e.g., a fingerprint, voiceprint, or a retinal scan); or
- A digital signature. (“Digital signatures are encrypted data produced by a mathematical process applied to a record using a hash algorithm and public-key cryptography. Digital signatures are considered the most “secure” type of electronic signature. They include a certificate of authority to ensure the validity of the signatory (the signature’s author and owner). Digital signatures are sometimes used as an electronic signature, as part of a process to authenticate a person or device, and to verify the integrity of the record.”)
- A sound recording of a person’s voice expressing consent;
- Processes such as using a mouse to click a button (such as clicking an “I Agree” button);
- Using a private key and applicable software to apply a “digital signature”; or
- Scanning and applying a fingerprint.
Requirements for Systems with Digital Signatures
A “digital signature” is very different from the other types of electronic signatures. A digital signature is “encrypted data produced by a mathematical process applied to a record using a hash algorithm and public-key cryptography”. Sounds complicated, but any system or application that uses a username and password or multi-factor authentication includes digital signatures. If such a system or application is used, it must comply with the requirements of the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Digital Signature Standard (FIPS 186-4) and any other Federal Government digital signature requirements. For a program or application to be compliant, it must contain a security feature that ensures the digital signature is unique and protected, and that only the signer has control over the use of the signature.
2. Intent to Sign
For an electronic signature to be legally effective and binding, it must be executed or accepted by the signer with an intent to sign. Meaning, it must be made expressly clear to the signer that a signature is being created and that it will be legally binding. Examples include:
- “By signing below, I agree to the foregoing contract terms”;
- “Click to agree”;
- “By signing below, I attest that the information provided is true and agree to allow the O/A or HUD to verify such information”, and
- “I hereby certify that…”.
3. Association of Signature to the Record
The E-Transaction laws require that the electronic signature must be attached to or associated with the record being signed. The e-signature must be permanently associated in such a way that it can be demonstrated at a later date that the record was signed and reflects the exact content or data included within the record at the time the e-signature was applied. “Association” means:
- The process must be clear to the signer as to exactly what they are signing;
- The signer must be able to review the record before signing it and to clearly understand the conditions of the record they are signing; and
- The electronic form of the signature applied by the signer must be linked to the record being signed.
4. Identification and Authentication of the Signer
The process of collecting an e-signature must address the identification and authentication of the signer. Essentially, when reviewing your process, ask yourself: if the signer later asserts that they did not sign the document, can your process prove they did? The way to do this is to establish a documentable link between an identified signer and their signature. Keep in mind that, depending on the method used to collect the signature, proof of identity could actually be determined by the electronic form of the signature being used. No specific methods of identification or authentication are required under the E-Transaction Laws. The method used just needs to comply with the requirement that it be as reliable as appropriate for the purpose in question.
5. Integrity of the Signed Record
The e-signature policies and procedures used must ensure that electronically signed documents cannot be altered. This means that if any revisions to the document are made, the process used must be able to provide an “audit trail” showing all revisions made, the date and time the revisions were made, and the identity of the individual who made the revisions.
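To make items 3 and 5 above, and the digital-signature requirement in item 1, concrete, here is an added example written for this page in Go using only its standard library. It is not code from the notice or from HUD, and the record text, the key handling and the SignedRecord structure are assumptions for illustration. Logging in with a password or MFA authenticates the person (item 4); the digital signature itself is the separate cryptographic step shown here: the record is hashed with SHA-256 and the hash is signed with an ECDSA P-256 private key, a combination approved in FIPS 186-4. Anyone holding the public key can later show that exactly these bytes were signed; changing a single digit of the record, or substituting a signature made with someone else’s key, fails verification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedRecord ties an electronic signature to the exact bytes of the record
// at the moment of signing. The signature covers the SHA-256 digest of the
// record, so any later change to the record invalidates it, and a different
// signer's key cannot produce a valid signature for it. (Structure is an
// assumption for this example, not a HUD format.)
type SignedRecord struct {
	Record    []byte           // the document exactly as shown to the signer
	Signature []byte           // ECDSA P-256 signature over sha256(Record), ASN.1 DER
	Signer    *ecdsa.PublicKey // verification key; in practice bound to the signer by a certificate
}

// NewSignerKey generates a P-256 key pair for a signer. In a real deployment
// the private key stays under the signer's sole control (item 1's "only the
// signer has control") and the public key is bound to their identity.
func NewSignerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignRecord produces a SignedRecord for record using the signer's private key.
func SignRecord(priv *ecdsa.PrivateKey, record []byte) (*SignedRecord, error) {
	digest := sha256.Sum256(record)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedRecord{
		Record:    append([]byte(nil), record...), // private copy of the bytes that were signed
		Signature: sig,
		Signer:    &priv.PublicKey,
	}, nil
}

// VerifyRecord recomputes the digest from the stored record and checks the
// signature against the stored public key. It returns false when the record
// was altered after signing or when the signature was made with another key.
func VerifyRecord(sr *SignedRecord) bool {
	digest := sha256.Sum256(sr.Record)
	return ecdsa.VerifyASN1(sr.Signer, digest[:], sr.Signature)
}

// RecordDigestHex is the value an audit trail would store next to the
// signature, signer identity and timestamp, so a reviewer can later show
// which exact content was signed.
func RecordDigestHex(record []byte) string {
	d := sha256.Sum256(record)
	return hex.EncodeToString(d[:])
}

func main() {
	// Constructed sample certification text; not a real HUD form.
	record := []byte("Annual recertification, unit 12B: household income $31,200. " +
		"By signing below, I attest that the information provided is true.")

	signer, err := NewSignerKey()
	if err != nil {
		panic(err)
	}
	sr, err := SignRecord(signer, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("digest of signed content: ", RecordDigestHex(sr.Record))
	fmt.Println("verifies as signed:       ", VerifyRecord(sr))

	// Alter one digit of the income after signing: the signature no longer matches.
	altered := *sr
	altered.Record = bytes.Replace(record, []byte("$31,200"), []byte("$21,200"), 1)
	fmt.Println("verifies after alteration:", VerifyRecord(&altered))

	// Someone else's key cannot stand in for the signer.
	other, err := NewSignerKey()
	if err != nil {
		panic(err)
	}
	impostor := *sr
	impostor.Signer = &other.PublicKey
	fmt.Println("verifies with another key:", VerifyRecord(&impostor))
}
```

In a production system the public key would be tied to the signer through a certificate from a trusted authority, and each signing and each revision would write the digest, signature, signer identity and timestamp to the audit log; the example stops at the cryptographic check that makes such a log meaningful.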
This Notice pertains to all HUD forms and owner/agent-created documents and verifications. Make sure to check your state and local laws! Some state and local laws or entities may require the use of wet signatures on some forms, such as:
In HUD Notice 2020-04, HUD also provided guidance regarding the electronic transmission of forms and documents between the applicant or tenant and the agent.
Applicants and Tenants
Submission to O/A
If an O/A chooses to utilize electronic communication procedures, Applicants and tenants may also choose to communicate electronically with the O/A. Their choice must be made affirmatively (not assumed with an opt-out procedure). (See E-SIGN Act, 15 U.S.C. 7001(c)(1)(A)). They may complete most documents online or by hand and then transmit and/or scan and email them electronically to an O/A. Applicants and tenants may also submit information and documents using other methods, such as online systems, tablet or smartphone apps, email, or other electronic media. O/A may designate specific methods as acceptable for electronic transmission. However, applicants and tenants must have the opportunity (if they desire) to provide information and documents in paper copy, including both before they have provided any information or documents electronically or after they have done so and wish to discontinue.
Transmission to Applicants and Tenants.
O/A may provide documents and notices electronically or make such documents available in an electronic format when state and local laws permit. If an O/A chooses to provide documents electronically, the O/A should inform applicants or tenants of their option to receive such documents in paper form. If required notices, forms, and brochures are distributed electronically, HUD recommends that O/A request an electronic acknowledgment of receipt. Where HUD does not specifically require applicant or tenant acknowledgment of receipt, O/A should nonetheless maintain records showing that they provided applicants or tenants with the electronic file or the electronic address used to access the document. When providing documents, forms, or notices electronically, O/A must be sure to comply with tenant notification requirements in Handbook 4350.3, HUD program Notices, and state and local laws and regulations. When local, state, or federal laws or regulations require that specific documents be provided by first-class mail, delivered in person, or by other specified means, the document must be provided using the required procedure and may not be solely transmitted electronically. (Refer to Section VIII of this Notice.)
Encryption & Passwords
- When transmitting documents electronically, industry partners must use National Institute of Standards and Technology (NIST) compliant methods. Examples include putting the documents inside an encrypted wrapper, such as a password-protected DOC, PDF, or ZIP file.
- Passwords should not be included in the same transmission as the documents. It is preferable to provide the recipient with the password by calling, texting, or in a separate email.
- HUD strongly recommends using an encrypted transfer mechanism such as a shared link with an encrypted cloud storage service, an encrypted mail service, or web encrypted transfer tools.
When transmitting and storing Enterprise Income Verification (EIV) system data, vendors must adhere to NIST compliant standards. EIV data stored electronically must be in a restricted access directory or, if placed on portable media, labeled appropriately and encrypted using a NIST Compliant Cryptographic Module. Similarly, all emails containing EIV data must be encrypted using a NIST-compliant cryptographic module.
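As an added illustration of the “encrypted wrapper” bullet above (example code written for this page in Go’s standard library, not HUD’s or the notice’s own tooling; the document text, filename and key handling are assumptions), the following wraps a document with AES-256-GCM, an authenticated encryption mode specified in NIST SP 800-38D, and keeps the key out of the wrapper so that it has to be sent separately, the same separation the notice requires between a document and its password. Two caveats for practitioners: using an approved algorithm is not the same as using a validated cryptographic module (FIPS 140), which is what the notice’s “NIST-compliant cryptographic module” wording points to, so check the module’s validation status before relying on it for EIV data; and a password-protected ZIP or PDF is only as strong as its password and the cipher the tool applies, so confirm the tool uses AES rather than legacy ZIP encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Wrapper is the encrypted form of a document that can travel by e-mail or a
// shared link. The key is deliberately not a field of it: it must be conveyed
// by a separate channel (phone, text, a different message), mirroring the
// notice's rule that the password never rides with the documents.
// (Structure is an assumption for this example.)
type Wrapper struct {
	Filename   string // sent in the clear but authenticated, so it cannot be swapped
	Nonce      []byte // 96-bit GCM nonce, unique per key
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Wrap encrypts document under key. The filename is passed as associated
// data, so it is authenticated along with the ciphertext.
func Wrap(key, document []byte, filename string) (*Wrapper, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, document, []byte(filename))
	return &Wrapper{Filename: filename, Nonce: nonce, Ciphertext: ct}, nil
}

// Unwrap decrypts and authenticates the wrapper. Any change to the ciphertext,
// nonce or filename, or use of the wrong key, is rejected rather than
// producing garbled plaintext.
func Unwrap(key []byte, w *Wrapper) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, w.Nonce, w.Ciphertext, []byte(w.Filename))
	if err != nil {
		return nil, errors.New("wrapper rejected: wrong key, altered ciphertext, or altered filename")
	}
	return pt, nil
}

func main() {
	// Constructed sample document; not real tenant data.
	doc := []byte("Tenant income certification (sample): household of 3, annual income $28,500")
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	w, err := Wrap(key, doc, "certification-sample.pdf")
	if err != nil {
		panic(err)
	}
	fmt.Println("travels with the document:", hex.EncodeToString(w.Ciphertext)[:32], "...")
	fmt.Println("sent by a separate channel:", hex.EncodeToString(key))

	pt, err := Unwrap(key, w)
	fmt.Println("recipient recovers the document:", err == nil && string(pt) == string(doc))

	// A single flipped byte in transit is detected instead of silently decrypted.
	w.Ciphertext[0] ^= 0x01
	_, err = Unwrap(key, w)
	fmt.Println("after tampering:", err)
}
```

A random key is used here so the example stays within approved primitives; if a human-chosen password must be the secret instead, derive the key from it with a password-based KDF such as PBKDF2 (NIST SP 800-132) and a fresh salt rather than using the password bytes directly.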
Other Methods of Transmission
Other possible methods for transmitting electronic documents and data must comply with HUD’s security requirements. They may include but are not limited to the following:
- Removable electronic media, such as thumb drives or SD cards;
- Direct access (i.e., providing login information to a system in order to access electronically signed and/or stored documents); and
- Any other compliant technology as it is developed.
Personally Identifiable Information (PII)
All documents containing or conveying PII must be encrypted or transmitted in a secure manner in order to safeguard this information.
- When faxing sensitive PII, use the date stamp function; confirm the fax number, verify that the intended recipient is available and confirm that he/she has received the fax. Ensure that none of the transmission is stored in memory on the fax machine and that all paper waste is disposed of properly (shredded). If possible, use a fax machine that uses a secure transmission line.
- If a secure line is not available, contact the recipient’s office prior to faxing to inform them that information is coming. Next, contact the recipient’s office following transmission to ensure they received it. For each event, the best course of action is to limit access of PII only to those individuals authorized to handle it and create a paper trail and verify that information reached its destination.
- When sending sensitive PII via email or via an unsecured information system, make sure the information and any attachments are encrypted.
- Do not place PII on shared drives, multi-access calendars, an intranet, or the Internet unless they are compliant with the terms of this Notice, including Section VI.C.2.
- Do not let documents with PII sit on a printer, scanner, or fax machine where unauthorized employees or contractors can have access to the information.
Electronic and cloud-based file storage has become more prevalent in business management over the years. Affordable housing providers are required to collect a large amount of sensitive data, and as a result much care needs to be taken to ensure the protection of that data. In this notice, HUD details the requirements that must be adhered to if files are to be maintained electronically. As with the transmission of documents, files stored electronically must have the data encrypted using a NIST-compliant encryption solution and must be maintained in a restricted-access directory, meaning that only staff who need access to the files in order to perform their job functions should have access to the directory. Furthermore, if EIV data is included in the electronic file, only those with signed EIV Rules of Behavior are permitted to access the files.
While Notice H 2020-04 does permit IPAs (Independent Public Auditors) to access the owner/agent’s electronic files when conducting HUD financial audits, access is not permitted if the electronic files contain EIV data. IPAs are only permitted to access EIV income information within hard-copy files and only within the offices of the owner or managing agent. HUD clarified IPA access with the publication of Notice H 2020-10. It is also important to keep in mind that a resident’s VAWA status is confidential; information regarding VAWA status cannot be kept in a shared database or be disclosed to any other entity or individual.
In the notice, HUD also lays out data security management requirements that owners/agents must comply with when storing files electronically:
- Encryption both at transmission and at rest;
- Use and disclosure of data;
- Passwords for all employees or agents/contractors;
- Using and accessing electronic data and systems, backing up data, and data protection;
- Use of emails, message content, encryption, and file retention;
- Mobile devices – ensure they are secure, used appropriately, and protected from theft;
- Unauthorized access;
- Reporting malicious malware in the event it is inadvertently imported;
- Audit and access logs; and
- Data Destruction.
Owners/agents are required to report any breach of the integrity of electronic data containing either sensitive information or information pertaining to electronic signatures to the entity that owns or administers the data. Owner/agent security policies should comply with federal, state, or local laws, regulations, and guidance. Additionally, a method to track electronic activity associated with sensitive documents and information must be used. If a data breach occurs, owners/agents should have a method to notify those affected by the breach. The tracking method used should also record activity in a manner that allows for security audits of the electronic data when requested by federal or state agencies.
Implementing Electronic File Storage Systems
As you can see, the requirements regarding the use of e-signatures and e-storage are quite technical and very complex. As so much sensitive applicant and tenant data is collected by affordable housing providers, it is critical that management work closely with IT staff to ensure these requirements are met and to establish data security management policies prior to implementing an electronic file storage system.