Digital Signature Legal FAQs

Please note that while the information contained within this FAQ is intended to assist you in understanding the legal and privacy ramifications of the SIGNiX digital signature service, it is not intended as legal advice. Always consult with your own legal counsel regarding the use of electronic signatures.
 

Are electronically signed documents legally binding?

Yes. In the United States, electronic signatures have been legally accepted since 2000, when the ESIGN Act was passed. In fact, some types of e-signatures (like the digital signatures SIGNiX uses) offer a lot more evidence than a handwritten signature. The tamper-evident seal we provide for every signature provides more security than was ever possible in a paper world.

What laws and regulations does SIGNiX comply with?

SIGNiX's products are fully compliant with ESIGN, UETA, ETSI, 21 CFR Part 11, SSAE 16, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

What is the ESIGN Act?

The “Electronic Signatures in Global and National Commerce Act”, or ESIGN Act, is the United States’ Federal law that approved the use of electronic records. It was passed by Congress and was signed by President Clinton on June 30, 2000.

With the ESIGN Act, the government established that electronic signatures have the same legality as a traditional signature on a piece of paper. This legislation opened the door for digital signature companies like SIGNiX to be seen as a secure and legally enforceable way to sign documents. In fact, SIGNiX signatures exceed the requirements of ESIGN compliance. 

What is the significance of the ESIGN Act?

The ESIGN Act was intended to speed up the adoption and acceptance of Internet-based transactions. Before the ESIGN Act, businesses struggled to figure out how to handle online transactions. Many companies were accepting electronic signatures, but they weren’t sure whether those signatures were considered legal. The ESIGN Act allows transactions to be completed online, and SIGNiX’s digital signatures provide better fraud control than was possible with traditional signatures.

What types of documents can be originated and executed in electronic form under ESIGN?

ESIGN extends all existing laws in interstate and foreign commerce to allow original documents and signatures to be in electronic form, with the following specific exceptions designed to protect consumers in certain cases:

  • Wills, codicils, or testamentary trusts
  • Adoption, divorce, or other matters of family law
  • Documents governed by the Uniform Commercial Code, as in effect in any State, other than sections 1–107 and 1–206 and Articles 2 and 2A
  • Court orders or notices, or official court documents (including briefs, pleadings, and other writings) required to be executed in connection with court proceedings
  • Cancellation or termination of utility services (including water, heat, and power)
  • Default, acceleration, repossession, foreclosure, or eviction, or the right to cure, under a credit agreement secured by, or a rental agreement for, a primary residence of an individual
  • The cancellation or termination of health insurance or benefits or life insurance benefits (excluding annuities)
  • Recall of a product, or material failure of a product, that risks endangering health or safety
  • Any document required to accompany any transportation or handling of hazardous materials, pesticides, or other toxic or dangerous materials

As electronic documents become more commonplace, future laws and regulations may relax these restrictions.

Do you offer an e-consent page?

Yes, all SIGNiX products feature a comprehensive and customizable e-consent to comply with requirements set by the ESIGN Act.

Why do we have to bother consumers with an e-consent page?

The ESIGN Act recognized that not all customers want to use electronic records, and the legislation makes sure no one is forced to use electronic records.

The ESIGN Act requires the signer’s consent before providing records in electronic form. Before getting this consent, the signer must see the following disclosures:

  • The consumer has the right or option to use paper records instead.
  • Information about the hardware and software required to access or retain electronic records.
  • Information on how to get paper copies of the electronic records and whether a fee will be charged for providing these copies.
  • Information about whether their consent applies only to the current transaction, or to all transactions of a specific type.
  • Information on how to withdraw their consent and what conditions, consequences and fees may apply if consent is withdrawn after it has been given.
  • Information about how to update their electronic contact information.

If a consumer has given consent to receive all records of a specific type in electronic form and there are any significant changes to the hardware or software requirements for accessing or retaining new electronic records of this type, we will inform consumers about the new requirements, and the e-consent process will be redone. In this case, no fees will be charged for withdrawal of consent, and there won’t be any conditions or consequences for withdrawal that were not disclosed at the time of the original consent.

Is the e-consent customizable?

Yes. In fact, we recommend that customers work with their legal counsel to develop a customized legal consent that best fits their industry needs.

What is UETA? Is it also an electronic signature law?

UETA is the “Uniform Electronic Transactions Act,” a model electronic signature law for use by states created by the National Conference of Commissioners on Uniform State Laws. It was approved and recommended for adoption by states in July 1999.

ESIGN is based on UETA and adopts its principal features and underlying policies. 47 of 50 states have modeled their state laws on UETA, and the three remaining have created their own laws designed to recognize electronic signatures.

Are there any significant differences between ESIGN and state electronic signature laws (UETA)?

Individual states have their own electronic signature laws based on UETA that interact in complex ways with the national ESIGN law. Since part of the purpose of the national law is to harmonize the state laws, there are limits on how much states can deviate. As a result, there are few significant differences between federal and state law on most issues relevant to designing an effective electronic signature process. Even so, always be sure to consult with your legal counsel on special exceptions that may apply to your business.

What qualifies as an electronic signature under ESIGN?

Existing laws define a signature as “a mark affixed to or logically associated with a writing with intent to sign the writing.” The ESIGN Act extends the definition of “mark” to include “an electronic sound, symbol, or process.” This definition of an electronic mark is deliberately very general to allow the marketplace to find the most cost-effective types of electronic marks for each purpose.

Are SIGNiX digital signatures compliant with the EU Signature Directive?

Yes. Directive 1999/93/EC, approved in 1999, set out a detailed definition of several categories of electronic signatures. SIGNiX signatures easily fit into the definition of an Advanced Electronic Signature:

“...an electronic signature which meets the following requirements:

(a) it is uniquely linked to the signatory;

(b) it is capable of identifying the signatory;

(c) it is created using means that the signatory can maintain under his sole control; and

(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable...”

SIGNiX creates a unique signing identity for each signer, and SIGNiX’s strong user authentication options further identify the signatory. The certificate is created and only invoked when the user needs to use it for signatures. Finally, because SIGNiX uses digital signatures, the data is directly linked to the signature and provides standards-based tamper-evidence.

If a document signed with a SIGNiX signature goes to court, how would its validity be demonstrated?

Proving an electronic signature in court involves a two-step process: having the electronic record of the signature admitted as evidence and then demonstrating its trustworthiness.

Admissibility can be achieved by expert testimony describing the record creation process and supporting its accuracy and by expert testimony that the records in question were created during the routine practice of a regularly conducted business activity.

Once the signed record is admitted, its trustworthiness is demonstrated by evidence of signer identity verification, effective cryptographic tamper-proofing, and an audit trail of the specific actions performed by the system during production of the record.

There are several elements of our signature process that enable a compelling demonstration of validity in court.

  • A log of actions taken on each document is provided with each transaction. This TotalAudit™ includes details such as the transaction start, user access to the system, user acceptance of e-consent, presentation of document(s), user authentication, signature / initials / acknowledgment, communication and completion of transaction.
  • Each signature is completed with a digital signature, providing tamper evidence of the content of the document at the time of each signature, not only when the document is finished. Moreover, these signatures are standards-based, stored in the PDF produced by the system (not stored in the system), and can be independently verified outside of the SIGNiX environment.
  • Each digital signature is time-stamped so that there is proof of the time each signature occurred.
  • Each signature’s digital certificate is verified at the time of signing and is embedded into the PDF document to provide long-term signature validity.
  • Users can be authenticated by the system in a variety of ways, including SMS (text message), Know Your Customer (KYC) (e.g., validating SSN, DOB), and knowledge-based authentication. These higher-end authentication options provide clear verification of the user’s identity and intimately tie the user to the transaction and signature.

What does the system do with the information it receives from users?

Sensitive customer data is handled in a highly secure manner as described in the SIGNiX privacy policy.

Is it legal for the system to ask for the Social Security Number to identify the user?

Yes. There are no laws prohibiting organizations from asking for a user’s Social Security Number or prohibiting organizations from denying an individual service for providing an incorrect Social Security Number. Our system uses the Social Security Number to verify users with a third-party source and does not interact with the Social Security Administration. The system does not use the Social Security Number as a Personal Identification Number (PIN).

Who has access to a user’s personal information?

Personal information will not be sold or shared with any third parties, unless authorized by or requested through an authorized channel or required by law. User data is stored in a secure database and is transmitted to and from the system in encrypted format.

The information will be compared with information in third-party databases to validate the user, but if the information is different from that in the third-party database, the third-party database will not be updated.

Does the system keep records of user activity?

As with most online businesses, the system logs information about access to the website, including the addresses from which a member came to the site. This is done in order to monitor security, diagnose problems and administer the website. This information is also used to perform statistical analysis. The information is only analyzed in aggregate form — an individual member’s personal information will never be disclosed.

The system also keeps logs that note when members use their digital signatures. These logs do not record the contents of such uses but will record detailed information about the individual transaction to allow the system to provide assistance in the event of disputes, detect suspicious patterns of activity, and provide an independent line of evidence that a specific signature ceremony occurred. The content of these logs will never be shared with a third party, except in the specific case that a user requests information as part of a dispute resolution process.

The system acts as a personal agent for users, delivering information requested by the user to the websites they use. The system does not accept responsibility for the actions and policies of third-party sites accessed by users, or for any personal information users have provided to these sites. Nor does the system accept responsibility for the information users have authorized the system to give to these third-party sites, or for information obtained by these sites from users in the course of their use of these sites’ services. Users should be careful to review any privacy policies posted on those sites before signing up with them or using them.

What information may be recorded when a user creates a digital signature using SIGNiX?

Signatures made by SIGNiX may contain the following information:

  • The digital certificate of the signer, containing the signer’s name and a link to their SIGNiX digital identity.
  • A reliable timestamp, recording the time the signature was created.
  • Information on what type and version of operating system, browser, and PDF viewer the signer was using at the time of signing. This information may be needed in case of a dispute, as evidence of whether the viewer was able to correctly reproduce the document being signed.

In addition, the SIGNiX Signature Authority records audit log entries that provide an independent record of when the signing occurred and which user was authenticated and authorized it.

 
