Utility Industry Group Implementation Guideline for Electronic Data Interchange

This Legal Considerations section has been included to illustrate some of the legal issues associated with EDI, not as a definitive statement of all such issues. Your lawyer should be consulted to address all legal issues. Also, the contents are subject to further modification and approval of the Legal & Business Controls Task Group of the Data Interchange Standards Association.

3

Legal Considerations

3.1

General Introduction

Electronic Messaging Systems (EMS) and applications such as EDI affect practices. Because the law does not directly address the complexities of these technologies, doing business via EMS may involve legal uncertainties. EMS complexity can only increase as more sophisticated hybrid and enhanced service offerings become available. The law has not kept pace with the complexity of EMS.

Businesses require control over their contractual correspondence. Such control includes determination of when correspondence is transmitted, to whom it is transmitted, when it reaches the recipient, and an appraisal of the accuracy, integrity and risks of the communication. Some of the legal issues include, e.g., various offer and acceptance rules, the propriety of paperless communications, competency of sufficiency of evidence, EMS and electronic mailbox control, legal and regulative record retention issues, ownership and liabilities, and various risks of transmission. Further study is required to identify problem areas and to propose flexible and adaptive rules fostering greater legal certainty.

Most commercial law has been developed without specifically considering electronic messaging systems such as EDI. The precise legal status of EDI transmissions is therefore unclear in many cases. It may be appropriate for commercial law to be modified to delineate the rights and duties of EDI users with greater certainty.

EDI has been used successfully for a considerable number of years. For a large and impressive list of companies, legal uncertainties have not posed a substantial obstacle to the adoption of EDI. In many instances, the legal risks of using EDI - when compared to the risks associated with traditional paper-based trading systems - have been considered manageable. Certain legal risks have been addressed with special agreements between trading partners and the adoption of appropriate in-house policies.

It is important that new users consult with counsel throughout the EDI implementation process. This chapter provides a very brief introduction to some of the issues counsel should consider addressing when a new user implements EDI. The full range of issues that must be dealt with, and the importance of any particular issue, will vary from one user to the next.

EDI implementation should bring about a rethinking by the business entity of its entire records management and retention policies. The ultimate decision regarding scope and duration of retention of electronic (i.e., EDI) records will depend on the company's overall business strategy and requirements.

3.2

Record Keeping

Internal control systems should be reevaluated in the context of EDI to assure responsibility for data maintenance, including audit trail, transaction reconciliation, and backup capability.

When business transactions are recorded on paper documents, businesses can store those documents as evidence of what took place. EDI does away with the transmission of paper documents, of course. Internal record keeping systems should therefore be reevaluated in the context of EDI. Among the issues to be addressed are these:

  • Will the user keep a record of each EDI message sent and received?
  • Will EDI messages be reformatted or altered by the user before final storage?
  • On what medium (paper print-out, magnetic disk, etc.) will EDI messages be stored?
  • Will records (or "audit trails") be kept to show when and by what means messages were sent, transferred through intermediaries, and received?
  • Will records be kept to show how the user compared and reconciled related messages?
  • To what extent can the records that are kept be expected to be admissible in any potential judicial or other proceedings.
  • How long will EDI records be kept?
  • Will the stored record maintain/include the authentication "stamp" or nonrepudiation signature?
  • If paper documents no longer being kept, will controls over the retention of resulting machine-sensible files be tightened?

3.3

Authentication

It is important that the source and the integrity of data transferred between the trading partners be assured before the data is acted on. The security and controls needed to provide a proper level of assurance is a business decision that should be based on an assessment of the risks involved. The decision to implement a Message Authentication Code (MAC) should be mutual between trading partners and stated as a requirement in the trading partner agreement.

Traditionally, paper documents and signatures have been used to authenticate the data that constitute commercial transactions. Authentication of EDI transmissions requires different methods. With the implementation of any particular EDI system, users and their counsel should consider these issues in the context of the user's particular needs:

  • Will the integrity and completeness of data transferred between trading partners be adequately assured before it is relied upon?
  • Will the source of a message, and the legal authority of that source, be satisfactorily verified before the message is relied upon?
  • If determined necessary, will adequate records be kept to show that authenticity of messages were tested?

Users and their counsel should refer to Xl 2.42 and Xl 2.58 regarding methods commonly used under the Xl 2 standards to authenticate messages.

EDI poses no different threat than any automated system which utilizes telecommunications. The issue is automation and electronic data vs. a paper-based system. EDI formats simply provide a structure to that data.

3.4

Trading Partner Agreements

Given the inadequate treatment of EMS and EDI in the law, users should exercise care in developing and entering into trading partner and third party agreements. Comprehensive trading partner and third party agreements should be considered prior to commencing EDI trading. In addition to conventional "standard terms and conditions" which (with some variability) are used to define conventional trading relationships (such as the terms and conditions typically appearing on purchase orders), users should consider what impact data communications and computer systems have on their business correspondence and trading relationships, as well as including the manner of customarily doing business, such as use of responses, acknowledgement 997, etc. - and thus appropriate provisions for EDI trading.

Many EDI users enter a special agreement with each of their trading partners to govern their EDI. The provisions that should be included in such an agreement will vary from user to user. Among the issues that might be addressed in a trading partner agreement are these:

  • The specification of the type of EDI format the parties will use.
  • The specification of the third party network (if any) each partner will use.
  • The division of the costs of conducting EDI.
  • The confidentiality of messages.
  • The authentication of messages.
  • The records trading partners must keep.
  • An affirmation of the legal enforceability of the transactions entered under the agreement.
  • The procedures for requesting and communicating legal offers, acknowledgements and acceptances and amendments thereto.
  • The specification of the time when messages become effective.
  • The interpretation of EDI codes.
  • The specification of the substantive terms and conditions that will govern underlying transactions communicated through EDI.
  • The allocation of responsibility (including liability for any resulting damages) for any EDI error or fraud or for the occurrence of uncontrollable disasters.

Similar considerations are required for financial institutions and clearing houses used in the transmission of the Payment Order/Remittance Advice (820).

3.5

Third Party Agreements

If user employs a Value Added Network (VAN), the VAN will probably require that the user enter into a data communications agreement with it. Among the issues the user should consider addressing in such agreement are the following:

  • A description of the services to be provided.
  • The warranty by the VAN of its services.
  • The liability of the VAN for a breach of the agreement or any damages resulting from the mistakes of the VAN or its employees.
  • The security, confidentiality, and integrity of messages handled by the VAN.
  • The responsibility of the VAN in the event of a system failure or disaster.
  • The disposal of data stored by the VAN in the event of a disagreement or an interruption or termination of services.
  • A description of the applicable pricing structure.
  • The termination of the agreement.
  • An assumption of an independent third party review of the third party vendor.

3.6

Laws, Rules, and Regulations

There is no adequate or comprehensive source of "EDI law"; thus no attempt is made to list any.

When implementing EDI, users and their counsel should consider whether any special laws, rules or regulations apply to the users such as utilities and government contractors should carefully consider whether regulations applicable to them restrict the implementation of EDI. It is not uncommon, for example, for government regulations to be written to require (or at least be construable to require) documents written on paper or ink signatures.

The American Bar Association (ABA) has developed a "Model Electronic Data Interchange Trading Partner Agreement and Commentary". Copies of this document may be obtained by writing to:

      American Bar Association
      750 North Lake Shore Drive
      Chicago, Illinois 60611
      Telephone: (312) 988-5000

Return to the top

Return to Table Of Contents