Lawsuits Loom as Digital Commerce Advances

Companies trying to market new online-authentication services are rushing to build defenses for the day when they will be hit by multimillion-dollar liability lawsuits, industry executives say.

Once operational and backed up by new legislation, digital-certificate systems are expected to allow online buyers and sellers to electronically verify each others' identity, confirm online payments and deliveries, and record disputes over electronic contracts without ever inking signatures or shaking hands.

So if an online deal goes sour -- an electronic identity is forged, a delivery never turns up, or a promise is broken -- the industry will have no established laws protecting it from aggrieved customers wielding multimillion-dollar liability lawsuits, say executives.

With the help of certification technology, businesses could begin making large-scale deals via the Internet by 1997, said Ted Barassi, an executive at New York-based Certco LLC, which now markets a certification system.

Without digital certificates, it will be difficult for companies -- especially smaller companies -- to trade with unfamiliar online clients.

These certificate-offering companies face some routine business problems, such as winning consumer confidence, providing good customer service and making its technology work. But few profitable businesses are ever built on such untested legal foundations as are the certificate companies.

Simply put; there's no legislation or court-approved case law divvying up liability for errors and fraud among the certification companies and their customers.

That legal uncertainty makes it difficult for the companies to guarantee the online transactions they broker, and transaction guarantees are needed to make the business profitable, according to a research report prepared by the Gartner Group, a research firm based in Stamford, Conn.

"We are assuming the role of a certificate issuer. No one has ever done that in a commercial marketplace before, so the responsibility you assume is hard to define," said Wilson.

The lack of existing legislation -- or even court-approved case law -- exposes the certification companies to potentially unlimited liability judgments when a deal goes wrong, said Barassi.

"The absence of law is not helpful because no one can predict" how a lawsuit will be decided, said Wilson. "That's why people are proceeding with caution."

Other companies that intend to offer certification services are Nortel in Nashville, Tenn., Cylink Corp. in Sunnyvale, Calif., and the government-backed United States Postal Service, based in Washington.

The fear of unlimited liability has forced digital-certificate companies to build innovative legal defenses and lobby for new laws in an otherwise featureless legal landscape inhabited by numerous ambitious lawyers.

"Anybody who tells you that industry and the companies have a complete understanding of the liability question, I can't believe they're telling you the truth," said Michael Baum, policy chief at VeriSign Inc., Mountain View, Calif. VeriSign is also marketing a digital-certificate system.

Industry executives are trying to build their legal defenses on carefully written warranties and carefully developed technologies. They also hope to borrow from U.S. laws on notary publics and credit cards, seeking coverage from insurance companies and are lobbying governments for greater protections.

For example, VeriSign's standard contract -- its Certification Practice Statement -- seeks to minimize the company's liability. VeriSign does "not warrant the accuracy, authenticity, reliability, completeness, currentness, merchantability or fitness of any information contained in certificates or otherwise compiled, published, or disseminated by or on behalf of [certificate-] issuing authorities," according to the contracts.

But "just because you disclaim something doesn't mean it is a valid disclaimer," said David Loundy, a lawyer based in Highland Park, Ill. A judge might decide the disclaimer was too complex for a user to understand, opening up the company to a lawsuit, he said.

Moreover, a contract that excludes too much risk leaves customers with too little assurance, said VeriSign's rival, Barassi.

"We designed our certification system to manage risk to the point we feel it is insurable," he said.

Via insurance, Certco can subcontract the risk of losing multimillion-dollar lawsuits, leaving it to concentrate on building its certification business, he said.

"You want to insure against being sued," said Baum.

But insurance companies are reluctant to insure such companies "because they don't know what the risk is," said Loundy.

Neither Barassi nor Baum would discuss whether they have insurance or the terms of any insurance deal.

For GTE's Wilson, security can be found in a steady relationship with a credit card company.

"We are going to be behind a credit card company," he said, allowing GTE to write one contract with Mastercard International, Purchase, N.Y., which then shares the risks of lawsuits. "We try to control the liability, the key being a contract with the customer ... [that] divides up the responsibilities and liabilities," he said.

Under the deal announced in July, GTE will provide one element of certification technology -- digital signatures -- to support the online transaction technology developed by Mastercard, Visa, Microsoft Corp., Redmond, Wash., and Netscape Communications Corp., Mountain View, Calif.

Existing laws distribute the liability for credit card deals that go awry, allowing online buyers, sellers and the banks that process credit card transactions to share the usually low cost of fraud and errors. Similarly, Cylink is providing technology to the U.S. Postal Service to create a nationwide Electronic Commerce System intended to allow the online transmission of time-stamped, legally binding documents.

Another tactic is to follow the example set by the Mastercard or Visa credit card consortiums, which provide credit card services via banks who sign their service contract.

"We think we've solved the problem with a mixture of [reliable] technology and risk-management expertise" derived from Certco's origin in the banking industry, Barassi said. However, he declined to say whether Certco hopes to build a Visa-type alliance with the banks.

Notary law provides one analogy -- but not a perfect analogy -- that could be used to limit certification companies' loss in any court case, said Barassi.

However, the law on notaries was not designed to allow companies to absorb multimillion-dollar lawsuits while earning pennies per certified transaction, said Wilson.

Another tactic is to win protective legislation by persuading government officials "to see the world the way we do. That's been our primary focus so far," said Barassi. Such a law could lay out rights and responsibilities for certification companies, and provide some protection against lawsuits.

Utah and several other states are preparing digital signature and electronic commerce laws, helping certification companies estimate -- and perhaps limit -- their liability.

Baum and Barassi are also working with a committee at the United Nations that is drafting model laws for electronic commerce. The committee, whose model laws serve only as examples for governments around the world, may soon begin drafting model digital-certification laws.

Also, officials at the Justice Department are drafting a bill for congressional debate in 1997 governing companies that store other peoples' encryption keys. Justice Department officials won't discuss the details or the scope of the law, which may be extended to cover digital-certification companies.

However, "we have not had too much faith [that they will] get anything done," Barassi said.