(a) Subject to subsection (b), an electronic authentication, message, record, or performance is attributable to a person if:

(1) it was in fact the action of that person, a person authorized by it, or the person's electronic agent; or

(2) the other personparty, using in accordance with a commercially reasonable n attribution procedure for identifying a person, in good faith reasonably concluded that it was an act of the other person, a person authorized by it, or the person's electronic agent.; or

(c) A person is liable for losses in the nature of reliance, if the losses occur because:

Uniform Law Source: 4A-202; 4A-205; UNCITRAL Model Law.

"Computer program". Section 2B-102. "Electronic agent". Section 2B-102. "Electronic message". Section 2B-102. "Good faith". Section 2B-102. "Party". Section 1-201. "Person". Section 1-201. "Presumption". Section 1-201. "Record". Section 2B-102.

Committee Votes:

a. Reasonable care standard in (a)(3) selected by consensus.

b. Reviewed without change. (Nov. 1997).

1. Attribution to a Person. Attribution to a person means that the electronic record is treated in law as having come from that person. The section thus deals with risk allocation highly relevant to the anonymous nature of electronic commerce. The section balances goals of enabling electronic commerce in an open environment (as contrasted to the closed systems such as funds transfer and credit card transactions), while stating reasonable standards to apportion risk in that open system. The rules here do not apply to funds transfers, bank accounts, credit card liability, or other subject matter outside Article 2B.

2. Act of the Person or Electronic Agent. There are three circumstances under which a message or action is attributed to a party. The first (subsection (a)(1)) simply makes a person responsible for the record or performance if the person or its agent actually performed or actually created the record. General agency law applies where the issues deal with human agents. In addition, a person is responsible for the actions of its electronic agent. An "electronic agent" is an automated system that responds to or initiates actions without human review and is selected or adopted by a person for that purpose. Having opted to use an automated system, the person is held responsible for its operations. The idea of an electronic agent does not exist under current law, but has importance in electronic contracting for information because of the increasing use of preprogrammed software to acquire information assets. The principle underlying this concept is that a person who created and set out the automated system has responsibility for its conduct. The rules here parallel the UNCITRAL Model Law. Article 13 provides that as between the parties, a message is deemed that of the originator if sent "by an information system program by or on behalf of the originator to operate automatically."

3. Use of Attribution Procedure. Subsection (a)(2) focuses on attribution procedures for authentication. It makes a message attributable to a person if the other party used the procedure and reached the conclusion that it came from the other person because of that use. This establishes a level of certainty when the parties adopt a commercially reasonable system of identification. Attribution in this form creates a presumption that it was the party identified who in fact sent the message, created the record, or engaged in the performance or authentication. The presumption is rebuttable.

4. Duty of Care. Subsection (c) deals with when can a person be held accountable for messages not sent by it and not within an attribution procedure, but on which the other party relied. The underlying loss allocation principle recognizes a limited concept of protected reliance where the cause of the reliance lies in a lack of reasonable care by the person to whom the message is attributed. Since this is reliance-based liability, if the message, performance or context clearly indicates that the indicated source is incorrect or gives reason to doubt the source, reliance may not be protected. Where the reliance is reasonable, the receiving party has a protected right under this article if a lack of reasonable care lies at the heart of the actions that caused the reliance..

Current law uses several different approaches to analogous problems: 1) in the telephone system, a person is responsible for any charges incurred for long distance calls from its equipment and using its number; fault and authorization are irrelevant; 2) credit card and electronic funds regulations limit liability for a consumer for unauthorized use of its card or number; 3) in commercial funds transfers, the presence or absence of a "security procedure" conditions risk; 4) in check collections, an absolute liability rule is imposed on many recipients of fraudulent instruments unless the party whose signature was forged negligently contributed to the fraud.

The Drafting Committee elected the intermediate position reflected in this Draft. The position draws a balance between limiting the risk exposure of alleged senders and protecting reliance interests of recipients of messages. Unlike in credit card and funds transfer systems, one cannot safely predict the relative nature of the sending and receiving parties, their economic strength, or technological sophistication. Individuals with limited resources are as likely to be on either side of a transaction in electronic commerce as are large corporations. Because of this, the rule creating a dollar cap for consumer risk for credit cards and funds transfers is not viable in this open system, heterogeneous environment. In cases where the electronic process involves transactions between large businesses and consumers, allocation of the risk of fraud or false attribution developed in a way that responds to the better ability of the system operator to spread loss than the consumer. Our context requires a more general structure that goes beyond consumer issues; the problems will not routinely entail consumer protection questions or, even, a licensor with better ability to spread loss. Nor can the loss be placed on the operator of the system as a means of spreading loss since unlike in some other context, the messages here entail in a publicly run system.

One alternative would use communications law rules for allocation of risk. In telephone systems, the proprietor of a system (telephone) is responsible for all calls using that number, even if produced by a hacker engaged in entirely illegal and unauthorized access. The loss allocation there, of course, is between the owner of the system and the system operator. Here, however, it is between two other parties.