There’s been a lot of hype surrounding the new "e-sign" law (officially known as the Electronic Signature in Global and National Commerce Act), which gives electronic and digital signatures the legal enforceability of handwritten signatures. Whether the law—which took effect in October 2000—ignites an explosion of worry-free online business transactions or lays a minefield of privacy and security traps, one thing is clear: By legitimizing electronic and digital signatures, the federal government has moved e-commerce a step forward and created important choices for CIOs. Perhaps the most important choice CIOs face is whether to use simple electronic signatures or the more secure but more costly digital signatures.

The act, which President Clinton signed in June 2000, gives CIOs a lot of leeway in terms of the electronic-signature technology they can use. It broadly defines an electronic signature as "an electronic sound, symbol or process" executed or adopted with the intent to sign a contract or record, and the law doesn’t give examples of specific technologies. Valid electronic signatures might include such things as text blocks at the end of an e-mail, click-through agreements, digitized images of handwritten signatures, user names and passwords, and digital signatures.

Regardless of their legal validity, not all electronic signatures are created equal. The major differentiators are security and authentication. At the low end of the safety spectrum are click-through agreements, plain-text "signatures" (such as a name typed at the end of an e-mail message) and user name/password pairs. These are a lot cheaper than higher-end solutions, but you should weigh cost against the severity of your privacy needs when deciding whether to adopt lower-end solutions or the most secure technology out there: digital signatures. For example, it may not be worth the effort to require a digital signature to download a $20 piece of shareware software, but a digital signature may be perfectly appropriate to control downloads of $500,000 ERP packages.

Why Digital Signatures?

Digital signatures are to ordinary electronic signatures what calculus is to arithmetic. They’re much more complex mechanisms that rely on encryption technology to provide a tamper-resistant method of communicating and authenticating documents and signatures. Basically, you "sign" a document by attaching a piece of text encrypted with your private key (a type of encryption password that is matched to a public key that can decrypt what the private key encrypts). The recipient can then authenticate your identity using your public key. If the public key works, the recipient knows that the message must have come from you. An encrypted hash (a number computed from the document’s contents that changes if the document is changed) ensures that the document has in fact been sent without modification. This way, you can’t repudiate the document later on, and both you and the recipient face less risk of fraud.

Nonetheless, digital signatures have downsides. One is cost. Digital signatures tend to be complex, expensive and cumbersome to implement, and they often slow down the transmission. Public-key infrastructure (PKI) is particularly costly compared with other types of electronic signatures, like click-through agreements and user name/password combinations.

Another potential downside is that the technology isn’t particularly widespread. Until it catches on more widely, the challenges in obtaining a digital signature and learning to use its software may dissuade potential customers and business partners from engaging in e-commerce with your company. Worse, it might drive customers to other, less secure competitors that haven’t erected these barriers.
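The sign-then-verify mechanism described under "Why Digital Signatures?", as an added example that is not part of the original article: the "encrypted hash" is an RSA signature over a SHA-256 digest, and the recipient checks it with the sender's public key. The function names and the sample purchase-order text are this example's own assumptions; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates the signer's private key; its PublicKey field is
// the half handed to recipients (in practice inside a CA-issued certificate).
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign hashes the document with SHA-256 and signs the digest with the private
// key. This is the "encrypted hash" of the text: any change to the document
// changes the digest, so the signature no longer matches it.
func Sign(priv *rsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest and checks the signature with the claimed
// sender's public key. It is true only if both the key and the document
// match what was signed.
func Verify(pub *rsa.PublicKey, document, sig []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	alice, _ := GenerateKeyPair()
	other, _ := GenerateKeyPair()
	// Constructed sample document, not from the article.
	contract := []byte("Purchase order: 1 ERP license, USD 500,000")
	altered := []byte("Purchase order: 1 ERP license, USD 5,000")
	sig, _ := Sign(alice, contract)
	fmt.Println("genuine:  ", Verify(&alice.PublicKey, contract, sig)) // true
	fmt.Println("tampered: ", Verify(&alice.PublicKey, altered, sig))  // false
	fmt.Println("wrong key:", Verify(&other.PublicKey, contract, sig))  // false
}
```

Note that the code only proves the signature was made by whoever holds the private key; binding that key to a named person is the certificate authority's job, as the article goes on to explain.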
Given these concerns, even the most security-conscious companies will want to limit the use of digital signatures to situations where the risk and cost of fraudulent transactions outweigh the challenges of the solution.

Safecracking

Obviously the biggest benefits of digital signatures are the security of the document and the ability to authenticate the sender. Because it’s so hard to tamper with an encrypted or digitally signed document, parties can rely on the document’s integrity from the time it’s sent to the time it’s received. But it’s not foolproof. For example, just because someone has a valid public/private key pair doesn’t mean you can always authenticate the sender’s identity. It could still be the proverbial "Dog on the Internet" from the now famous New Yorker cartoon—a very sophisticated dog, perhaps, but a dog nonetheless. Key pairs could also be issued in someone else’s name, allowing individuals to pose as others on the Internet. However, more certificate authorities are sprouting up and requiring various levels of authentication before they’ll issue a digital certificate to an individual. Using a digital certificate issued by a trusted third party (known in the industry as a certificate authority) can help prevent fraud and ensure the authenticity of the document. In some cases, it may even be appropriate for a company to invest in the necessary hardware and software to become its own certificate authority and issue digital certificates to customers and business partners.

But even a digital signature issued by the most trusted certificate authority won’t completely ensure the integrity or authenticity of digital documents or signatures. You still have to protect your passwords, or key pairs, from prying eyes. Because most digital signature users store their keys on their PCs and access them through a password, an unauthorized user sitting at someone else’s PC could gain access to the private key and send out messages impersonating the owner. The thief could use the stolen key pair like a rubber-stamp signature or a stolen credit card to wreak havoc in cyberspace for the rightful owner. It is therefore important to take standard security precautions against password theft. For example, lock your office doors, avoid easy-to-guess passwords, and change passwords often. You should also notify the certificate authority of any unauthorized use so that the authority can invalidate the digital signature and issue a new one.

Despite their shortcomings, digital signatures will likely take a prominent place in e-commerce and other areas where privacy, confidentiality and authenticity are concerns. Banks, credit bureaus and investment brokers could turn to digital signatures given the sensitivity and value of the information exchanged. The health-care sector is already focusing on digital signatures for help in complying with the impending regulations of the Health Information Portability and Accountability Act of 1996, which addresses the confidentiality of medical records that are digitally stored and distributed. Basically, if your business handles personal or confidential information—and risks liability for exposure—you should consider digital signatures as your way of doing business online. And as software vendors make digital signatures and PKIs faster, less expensive and easier to use, your cost-benefit analysis should become clearer.