SECTION 2B-114. COMMERCIAL REASONABLENESS OF ATTRIBUTION PROCEDURE.

(a) The commercial reasonableness of an attribution procedure is determined by the court.

(b) In making a determination about the commercial reasonableness of an attribution procedure, the following rules apply:

(1) An attribution procedure established by law or regulation is commercially reasonable for the purposes for which it was established.

(2) Except as otherwise provided in paragraph (1), commercial reasonableness is determined in light of the purposes of the procedure and the commercial circumstances at the time the parties agree to or adopt the procedure.

(3) An commercially reasonable attribution procedure may require the use of any security devices that are reasonable under the circumstances.

Uniform Law Source: Article 4A-201; 202.

Attribution procedure, Section 2B-102; Person, Section 2-102.

1. Purpose and Effect of a Commercially Reasonable Attribution Procedure. Attribution procedures are relevant to authentication of electronic records, attributing performance to a party, and allocating risk in reference to alleged errors or changes in a record or message.. If a commercially reasonable attribution procedure is established between persons and followed, enhanced legal recognition is accorded to a message or performance. Conforming to a commercially reasonable attribution procedure for that purpose results in an authentication as a matter of law. In other contexts, if there is a question of who sent the message or performance, compliance with a commercially reasonable attribution procedure to identify a party makes the alleged originator of the message attributable for the message or performance. On the other hand, failure to use a commercially reasonable authentication procedure does not indicate that there is no authentication or that the purported sender is not responsible for the message or performance.

2. Agreement or Adoption. This Article does not dictate the form of a commercially reasonable attribution procedure. Evolving technology and commercial practice make it impractical to attempt to predict future developments and unwise to preclude these developments by a statutory mandate. Instead, the Article relies on the parties to select a procedure. An attribution procedure must be established by agreement or adopted by both parties. A procedure of which one party is not aware, does not qualify. On the other hand, agreement or adoption need not precede the transaction. Parties dealing for the first time may adopt a procedure for authentication of messages. The adopted procedure would have the full force of an attribution procedure if it is commercially reasonable.

3. Commercially Reasonable. Use of an attribution procedure establishes presumptions concerning the authentication, record or message to which the procedure was applied only if the procedures is commercially reasonable. This requirement buffers against over-reaching and protects parties who lack knowledge of technology. The cost of requiring that this standard be met lies in a degree of uncertainty that the parties cannot control by agreement. Yet, it is an important protection for users of these systems. Consider the following:

Illustration: General Motors creates a procedure with franchisees that requires merely that a message contain the franchisee's E-mail address as an identifier. A bad guy uses that system and causes loss of $100,000 in the name of the franchisee. If the contract controls, the franchisee is liable for the loss unless the procedure is commercially unreasonable. It would most likely be unreasonable in this case.

What is a commercially reasonable procedure must take into account the cost relative to value of transactions. This is implicit in the idea of commercial reasonableness. How one gauges commercial reasonableness obviously depends on a variety of factors, including the agreement, the then current technology, the types of transactions affected by the procedure and other variables.

The procedure may include various approaches, including algorithms, codes, identifying words or numbers, encryption, callback procedures or any other reasonable security device.