What to Look for in an Electronic Signature Solution to Minimize Risk

 PART 3 - In the last blog entry for our ongoing series on Digital Signature ROI, we asked the question, “What Makes an Electronic Signature Legal?” To answer that question, we showed how numerous state, national and international laws clearly demonstrate that electronic signatures must be afforded the same legal status as wet ink signatures in nearly all circumstances. 

However, just because the signature can be admitted as a piece of evidence does not mean that the signature will hold up under scrutiny. Just like an ink signature can be called into question because it was created under dubious conditions, an electronic signature can also be called into question based on how it was created. You certainly don’t want your contracts and other critical documents being overturned simply due to an ill-considered choice of electronic signature provider.

For example, in a wet ink scenario, lawyers can bring in handwriting experts and probe into the contract process at a company to determine how and if a particular person signed a document. Likewise, in an electronic signature solution, vendors build their product to provide specific evidence to prove that the electronic document was in fact signed by a particular person over the internet. 

Yet, no one feature or single piece of evidence can provide you with complete assurance when it comes to electronic signatures. Assurance is in fact a multifactor equation; many features and capabilities have to be considered to determine the assurance level of your electronic signatures.

Here are eight key assurance factors to be looking for when shopping around for an electronic signature solution, as well as questions to ask your vendors. Some of these points are required by legislation and regulation, while others are elements that will be required from an evidentiary perspective.

1. Authentication / Identification. Users prove they are who they say they are by providing, validating or accessing some type of shared information. 

• Does the digital signature service require users to authenticate themselves before applying an electronic signature to a document? 
• How strong is the authentication method? Does the system require that a user only receive an email at a unique email address, or does it require them to enter a PIN or password, or enter a one-time password delivered to their mobile device?
• Does the service rely on third-party services that use public databases to clearly identify a user prior to signer?
• Can documents be accessed without authentication?
• Can previously identified users be added to the service via integration with other systems?

2. Audit Trail. A feature that tracks the actions of signers and documents in each transaction to provide evidence of the entire transaction taking place.

• Does the online signature solution track every event in the signature process?
• How detailed are the events being stored? What information is kept?
• How is the audit trail stored? Is it secured against tampering?
• Can the audit trail be integrated into the document?
• Can the audit trail be downloaded from the service and separate from the document(s) being signed?

3. Information / Notice / Consent. ESIGN and other laws require that the user know they are engaging in an electronic signature process, and provide them with the opportunity to opt in or out.

• Is the user presented with an appropriate and visible notice about using electronic signatures?
• Is the user provided an opportunity to decline to use the service?
• At how many points is a user presented with this type of information?
• Is the consent to use e-signatures presented clearly and also tracked as an auditable action?

4. Signature / Intent / WYSIWYS (what you see is what you sign). The user must take some form of action to electronically sign documents during an electronic signature process in order to clearly indicate the intention to sign. Documents to be signed should also be clearly visible and readable to a user.

• How is the user prompted to sign a document?
• Is the process clearly communicating intent?
• How is the signature represented during the process?
• How is the document to be signed viewed by a user? Is it the same as the final signed / printed version? Does the document change as part of the signature process?

5. Association. The signature of the user must be associated with or linked to the data or records being signed to prove the connection between them.

• How is the signature linked to the documents being electronically signed?
• Is the process straightforward? 
• Does the association of the signature rely on standard cryptographic methods or proprietary means?

6. Integrity. A user signs the version of the document they are looking at during signing, and expects that document to remain as is after signature. An electronic signature system must protect the integrity of documents before, during and after signing.

• How are documents protected during signing?
• How is the integrity of a document protected?
• Does the eSignature service provide strong tamper evident controls on the documents upon signature? In other words, if the document is tampered with, will the document let you know?
• Can the service protect and also prove the integrity of a document at any point from the first signature to the last?

7. Standards / Verification Independence. The electronic signature service should provide signatures on electronic records that follow standards and do not rely on the service to be validated.

• What format are the documents produced in? Is it proprietary?
• Are documents and signatures human-readable and also accessible using free viewing software?
• Is each electronic signature part of the document?
• Can the signatures be validated without having to invoke the electronic signature service that produced it?
• Do the signatures rely on international cryptographic and document standards, such as RSA, DSA, SHA, PAdES and PDF?

8. Long-term standing. Some documents need to be trusted not just for months or years, but decades or longer. Organizations that rely on these kinds of documents need to be mindful of how their electronic signature systems deal with this issue.

• Can the electronic signatures be validated in the longer-term?
• Will the format of the documents contribute to their standing?
• Does the digital signature service use technology that is based on standards that can be validated into the future?
• Are the systems used for signing proprietary to the vendor or based on well-known cryptographic tools?

The level to which any one electronic signature solution meets the points above may vary, and some of these factors may be more or less important depending on your organization’s needs, market requirements and risk profile.

In general, best practices dictate that organizations should choose those services that are not only cost and time-effective, but also valid and sustainable for the longer term…not simply expedient for the task at hand. Next time, we’ll discuss how digital signature technology, specifically, best meets the points described above in minimizing legal risks.