v>EPA
Cross-Media Electronic
Reporting Regulation
(CROMERR)
Electronic Signature Agreement Guide
Electronic Signature Agreement Requirements 2
Electronic Signature Agreement Example 4
Electronic Signature Agreement Template 6
Subscriber Agreement Example 8
Subscriber Agreement Template 10
-------�
vvEPA
Electronic Signature Agreement Requirements
Attached is an example of electronic signature agreement language that may be used, in part, to satisfy the electronic
signature agreement or subscriber agreement requirement of 40 C.F.R. § 3.2000(b)(5)(v). Applicants need to include a copy
of the electronic signature agreement in their CROMERR application.
CROMERR requires that users sign an electronic signature agreement, or
ESA, normally as part of the registration process. This agreement must
include language that obligates the registrant to protect the electronic
signature device (or signature credential) from compromise, and to
immediately report any evidence of compromise to the system
administrator. The agreement must also include a statement that the
registrant understands that any electronic signature executed with the
electronic signature device is as legally binding as a handwritten signature.
ESAs are not needed for reports that do not require an electronic
signature.
The ESA can be done electronically, but can also be done on paper with a
handwritten signature as described in 3.2000(b)(5)(vii)(C). When done on
paper it is called a subscriber agreement. See the box to the right for
definitions of electronic signature agreement and subscriber agreement.
An ESA is an agreement done online, while a subscriber agreement is done
on paper with a handwritten signature. Usually, signatories execute one
of these agreements when they register with the system to receive their
electronic signature device.
ESAs completed electronically may be signed using the electronic signature
device the signatory establishes during the registration process. If this
device is not used, the system application must describe how the system
ensures that the ESA has been signed by the registrant.
Storing Subscriber Agreements
Systems using the subscriber agreement alternative must store the paper
agreements so they are protected from alteration and destruction for as
long as there may be any enforcement interest in the signatures executed
with the associated electronic signature device, or at least five years after the signature credential has been deactivated.
Key Definitions
An electronic signature agreement is an
agreement signed by an individual with
respect to an electronic signature device
that the individual will use to create his or
her electronic signatures requiring such
individual to protect the electronic
signature device from compromise; to
promptly report to the agency or agencies
relying on the electronic signatures
created any evidence discovered that the
device has been compromised; and to be
held as legally bound, obligated, or
responsible by the electronic signatures
created as by a handwritten signature.
(See 40 CFR3.3)
A subscriber agreement is an electronic
signature agreement signed by an
individual with a handwritten signature.
This agreement must be stored until five
years after the associated electronic
signature device has been deactivated.
(See 40 CFR3.3)
-------�
vvEPA
Note that this item must be addressed only for reports that require an electronic signature, including priority reports, where
the system requires a paper electronic signature agreement to be signed by users. This is most commonly used by systems
using the CROMERR subscriber agreement alternative under 40 CFR 3.2000(b)(5)(vii)(C). Applications should describe how
they plan to store paper electronic signature agreements in a way that protects them from tampering, destruction, and
unauthorized access. Typically, program offices store original signed paper subscriber agreements in locked filing cabinets
that are only accessible by designated staff.
Specific ESAand Subscriber Agreement Requirements
Below is a list of specific items to focus on in electronic signature agreements. The agreement must include the following:
(1) The signatory agrees to protect their signature device, such as a password or hardware token, from compromise;
(2) The signatory agrees to report any evidence of
compromise; and
(3) The signatory understands that the signature they
submit electronically with the device carries the
same legal force and obligation as a hand written
signature.
ESA Best Practices
• Using the ESA to determine the registrant's signing
authority: CROMERR requires that systems determine
with legal certainty that the individuals who sign
submissions to environmental agencies are explicitly
authorized to do so, by their management and/or by the
agency to which they report. Some ESAs include a
signature block for a responsible official from the
registrant's authorization for the signatory to sign on
behalf of the organization. If the ESA is also used to
certify that the signer has the authority to sign on behalf
of the organization, a new ESA may need to be submitted
each time the authorization changes (e.g., if a company
comes under new ownership). For this reason, EPA
recommends that ESAs not include signatory
authorization in the ESA. Many States find it less
burdensome to include authorization in a separate
document or use another means to confirm signatory
authorization.
• Notarization of paper subscriber agreements: Some approved CROMERR systems require that paper subscriber
agreements be notarized. This is not required by CROMERR but can be an effective way to ensure at the time of
registration that the registrant is who they claim to be.
• Citing regulations in the ESA: CROMERR does not require that the ESA cite specific laws or regulations under which
reporting is required, or law or regulations that govern electronic signatures.
EPA recommends that you do not include the
bolded language below in your ESA: "No document
shall satisfy any reporting requirement or be of any
legal effect until properly received."
Some ESAs submitted as part of previously
approved CROMERR applications included this
language. However, EPA has determined that this
language may become an impediment to certain
enforcement proceedings. EPA may need to
conduct enforcement proceeding based on
documents that users attempt to submit but might
not be properly received. Inaccurate or false
submissions may be used in enforcement
proceedings even if rejected by the receiving
systems. The bolded language above may preclude
EPA from using such documents in an enforcement
process.
-------�
v>EPA
Electronic Signature Agreement Example
U.S. Environmental Protection Agency
ELECTRONIC SIGNATURE AGREEMENT
In accepting the electronic signature credential issued by the U.S. Environmental Protection Agency (EPA) to sign
electronic documents submitted to EPA's Central Data Exchange (CDX), and as a representative for:
Electronic Signature Holder Company Information
Organization Name
(pre-populated w/credential info)
Address
(pre-populated)
City, State, Zip
(pre-populated)
Province
(pre-populated)
Country
(pre-populated)
Phone Number
(pre-populated)
E-mail Address
(pre-populated)
Registrant's Name
(pre-populated)
CDX User Name
(pre-populated)
I, Populated from registration ,
(Name of Electronic Signature Holder)
(1) Agree to protect the electronic signature credential, consisting of my Central Data Exchange (CDX) user
identification and password, from use by anyone except me. Specifically, I agree to maintain the secrecy of the
password; I will not divulge or delegate my user name and password to any other individual; I will not store my
password in an unprotected location; and I will not allow my password to be written into computer scripts to
achieve automated login;
(2) Agree to contact the U.S. EPA CDX Help Desk at 1-888-890-1995 as soon as possible, but no later than 24
-------�
vvEPA
hours, after suspecting or determining that my user name and password have become lost, stolen or otherwise
compromised;
(3) I agree to notify CDX within ten working days if my duties change and I no longer need to interact with the CDX on
behalf of my organization. I agree to make this notification by notifying the CDX Technical Support staff at 1-888-890-1995
or helpdesk@epa.gov
(4) Understand that I will be informed through my registered electronic mail (e-mail) address whenever my user
identification or password have been modified;
(5) Understand that CDX reports the last date my user identification and password were used immediately after
successfully logging into CDX;
(6) Understand and agree that I will be held as legally bound, obligated, and responsible for the use of my
electronic signature as I would be using my hand-written signature;
(7) Understand that whenever I electronically sign and submit an electronic document to the CDX, I will receive an
e mail at my registered e mail address; This e-mail will inform me that a submission has been made to CDX from
my user account and will contain instructions to view information regarding the submission, including my Copy of
Record (CoR);
(8) Agree that if I receive an e mail notification for any activity that I do not believe that I performed, I will notify the
CDX Help Desk as soon as possible, but no later than 24 hours, after receipt;
(9) Agree to contact the CDX Help Desk if I do not receive an e mail notification within 5 business days for any
electronically signed submission using my credentials;
(10) Agree to report, within 24 hours of discovery, any evidence of discrepancy between any electronic document
I have signed and submitted and what the CDX has received from me by contacting the CDX or service Help
Desk;
(11) Agree to notify the EPA if I cease to represent the regulated entity specified above as signatory of that
organization's electronic submissions by contacting the CDX Help Desk as soon as this change in relationship
occurs and to sign a surrender certification at that time; and,
(12) Agree to retain a copy of this signed agreement as long as I continue to represent the regulated entity
specified above as signatory of the company's electronic submissions.
Name of electronic signature holder:
Transaction ID:
Date:
pre-populated from Registration
pre-populated from 20-5-1
-------�
vvEPA
Electronic Signature Agreement Template
Electronic Signature Agreement
In accepting the electronic signature credential issued by [ insert state/commonwealth namei to sign electronic documents
submitted to iinsert name of reporting systeml, and as a representative fori
Electronic Signature Holder Company Information
Organization Name
(pre-populated w/credential info)
Address
(pre-populated)
City, State, Zip
(pre-populated)
Province
(pre-populated)
Country
(pre-populated)
Phone Number
(pre-populated)
E-mail Address
(pre-populated)
Registrant's Name
(pre-populated)
CDX User Name
(pre-populated)
I, Populated from registration ,
(Name of Electronic Signature Holder)
IThe following certifications are required7
(1) Agree to protect the electronic signature credential, consisting of my linsert name of reporting system1 Iinsert signature
credential type, e.g., usemame and password!, from use by anyone except me. Specifically, I agree to maintain the secrecy of
the [insert signature credential type]'. I Will not divulge 0T delegate my [insert signature credential typeI to any Other individual; I Will
not Store my [insertsignature credential typeI in an Unprotected location; and I will not allow my [insertsignature credential typeI to
be written into computer scripts to achieve automated login;
(2) Agree to contact the [insert name of reporting systemI at [insert reporting system phone numberldS SOOn 3S possible, but no
later than 24 hours, after suspecting or determining that my [insert signature credential tvpei have become lost, stolen or
otherwise compromised;
-------�
vvEPA
(3) Understand and agree that I will be held as legally bound, obligated, and responsible for the use of my
electronic signature as I would be using my hand-written signature;
IThe following certifications are optional but recommended7
(4) I agree to notify linsert name of reporting systeml within ten working days if my duties change and I no longer need to interact
with finsert name of reporting systeml on behalf of my organization. I agree to make this notification by notifying finsert name of
reporting system] Staff at finsert reporting system contact information1;
(5) Understand that I will be informed through my registered electronic mail (e-mail) address whenever my user
identification or password have been modified;
(7) Understand that whenever I electronically sign and submit an electronic document to finsert name of reporting system],
I will receive an e mail at my registered e mail address; This e-mail will inform me that a submission has been
made to finsert name of reporting system] from my user account and will contain instructions to view information regarding
the submission, including my Copy of Record (CoR);
(8) Agree that if I receive an e mail notification for any activity that I do not believe that I performed, I will notify
finsert name of reporting system] as soon as possible, but no later than 24 hours, after receipt;
(9) Agree to contact finsert name of reporting system] if I do not receive an e mail notification within 5 business days for
any electronically signed submission using my credentials;
(10) Agree to report, within 24 hours of discovery, any evidence of discrepancy between any electronic document
I have signed and submitted and what finsert name of reporting system] has received from me by contacting finsert name of
reporting system]'.
(11) Agree to notify finsert name of reporting system] if I cease to represent the regulated entity specified above as
signatory of that organization's electronic submissions by contacting finsert name of reporting system] as soon as this
change in relationship occurs and to sign a surrender certification at that time; and,
(12) Agree to retain a copy of this signed agreement as long as I continue to represent the regulated entity
specified above as signatory of the company's electronic submissions.
Name of electronic signature holder:
Date:
finsert mailing address for reporting system]
-------�
vvEPA
Subscriber Agreement Example
Electronic Subscriber Agreement
Please complete the following form and mail to:
Florida Department of Environmental Protection
Attn: {Contact.contactName}
2600 Blair Stone Road
{Contact.addressLine2}
Tallahassee, FL 32399
User ID:
Name:
Telephone:
Email:
Street Address:
City:
State:
Zip Code:
I, , the undersigned, am hereby submitting this Subscriber Agreement to the Florida Department of
Environmental Protection (FDEP) in application for a Personal Identity Number that shall, along with my
username, password and additional personal security information, serve as the Electronic Signature Device and
equivalent of my handwritten signature on all electronically submitted reports, documents, applications, files and
forms to the FDEP. I hereby:
1. Agree to protect my electronic signature device and security question/answer pairs from compromise
and from use by any other party, including anyone who may be acting as my agent;
2. Promptly report (within 24 hours after discovery) to the FDEP any evidence of the loss, theft, or other
compromise of this electronic signature device and/ or security question/answer pairs;
3. Review and, if necessary, repudiate, any electronic reports, documents,
-------�
vvEPA
applications, files and forms that may have been submitted to the FDEP after this
loss, theft or compromise;
4. Promptly review (within 24 hours after discovery), the acknowledgements (email and onscreen) and
copies of submitted documents using this electronic signature device, and;
5. Promptly report (within 24 hours after discovery) evidence of discrepancy between any electronically
submitted information signed using this electronic signature device and what was received by the
FDEP's electronic receiving system.
I understand that I shall be held as legally bound, obligated, and responsible by the electronic signature created
using this electronic signature device as by my handwritten signature.
Applicant Signature: Date:
Notarization of Electronic Signature Device and Subscriber Agreement
[Note: Notarization is not required by CROMERR]
In the State of:
and the County of:
On before me, , (date of signing) (Notary's name)
personally appeared , personally known to me (or proved to me on the basis of satisfactory evidence) to be
the person whose name is subscribed within this instrument and acknowledged to me that he/she executed the
same in his/her authorized capacity and that by their affixed signature on this instrument do affirm their lawful
execution thereof.
Witness therefore my hand and official seal (Notary Seal)
(Signature of Notary)
-------�
vvEPA
Subscriber Agreement Template
Electronic Subscriber Agreement
Please complete the following form and mail to:
\insert State/Commonwealth name]
Attn: \Insert contact name 1
\insert contact address]
User ID:
Name:
Telephone:
Email:
Street Address:
City:
State:
Zip Code:
I, , the undersigned, am hereby submitting this Subscriber Agreement to the finsert state/commonwealth agency] in
application for a Personal Identity Number that shall, along with my username, password and additional
personal security information, serve as the Electronic Signature Device and equivalent of my handwritten
signature on all electronically submitted reports, documents, applications, files and forms to the [insert
State/Commonwealth agency]. I hereby:
1. Agree to protect my electronic signature device and security question/answer pairs from compromise
and from use by any other party, including anyone who may be acting as my agent;
2. Promptly report (within 24 hours after discovery) to the finsert state/commonwealth agency] any evidence of the
loss, theft, or other compromise of this electronic signature device and/ or security question/answer
pairs;
3. Review and, if necessary, repudiate, any electronic reports, documents, applications, files and forms that
may have been submitted to the \insert state/commonwealth agency] after this loss, theft or compromise;
4. Promptly review (within 24 hours after discovery), the acknowledgements (email and onscreen) and
-------�
vvEPA
copies of submitted documents using this electronic signature device, and;
5. Promptly report (within 24 hours after discovery) evidence of discrepancy between any electronically
submitted information signed using this electronic signature device and what was received by the [insert
state/commonwealth agency?s electronic receiving system.
I understand that I shall be held as legally bound, obligated, and responsible by the electronic signature created
using this electronic signature device as by my handwritten signature.
Applicant Signature: Date:
NOTE: Notarization is optional
Notarization of Electronic Signature Device and Subscriber Agreement
In the State of:
and the County of:
On before me, , (date of signing) (Notary's name)
personally appeared , personally known to me (or proved to me on the basis of satisfactory evidence) to be
the person whose name is subscribed within this instrument and acknowledged to me that he/she executed the
same in his/her authorized capacity and that by their affixed signature on this instrument do affirm their lawful
execution thereof.
Witness therefore my hand and official seal (Notary Seal)
(Signature of Notary)
-------� |