E sign Requirements: How to make sure an esignature is valid
I remember about 15 years ago talking about the ‘paperless office’ and what a great idea it was; not just because of the climate change benefits, but also because it was just really convenient. At that time it was fairly nascent: we had all embraced software that created digital documents, but some of the operations of using electronic communications were still a little… ‘out of the ark’.
Now, we are in a much better place. We have more seamless and connected document handling, and cloud-based creation and control of documents – in fact I am writing this using Google Docs so I can access it from anywhere, using any device, as long as I log in. However, the paperless office is still not quite there. A report by Fujitsu found that 62% of organizations said that their paper consumption has remained the same, if not increased. There may be many reasons why the paperless office is more like the ‘almost, but not quite, paperless office’. At ApproveMe we believe that one of those is that documents are not just typing on a page; they are interactive, often requiring sign-off. However, adding esignatures to an electronic document needs to be done so that they are valid. In this article we will look at what makes an esignature valid, and how this can take at least some of the paper burden off the shoulders of commerce.
Technology to make an esignature valid?
Esignatures are applied to a digital document using specialist software applications. There are a number of methods of applying an esignature but there are certain technological methods that make an esignature actually valid. The e sign requirements that make for a truly valid esignature are:
Hashing: This is a mathematical transformation, not quite waving a magic wand, but almost. Hashing takes the content of a document and creates a ‘hash’ from it – this creates a unique fingerprint of the data, sort of like its DNA. This hash is then associated with the document and used later to check the document; you, as the user of the document, see the content as normal. The neat thing about this is that if someone tries to change the document content AFTER it has been signed, the hash changes and any signatures on the document will become ‘invalid’ – that is, you will see that a change has occurred, usually within an audit trail, or the esignature itself may indicate it.
Authentication of the signatory: The person who signs the document needs to be identified as being who they say they are. In the real world this is usually done by a notary checking an identity document, such as a driver’s license. In the digital world, this is done using a digital certificate. Digital certificates are issued by companies called ‘certificate authorities’ and certificates represent a digital version of you. They are composed of two main parts: a private key (that is never revealed but used to encrypt things) and a public key, which is used to decrypt something encrypted using the matching private key. It’s like the digital version of yin and yang.
Encryption: The document hash is encrypted using the private key of the certificate of the user; this makes the actual digital signature or esignature. A timestamp is also associated with the signature at the point of adding it; this is important for non-repudiation. If you check any of the esignatures on a contract, they will only show as valid IF the hash hasn’t changed. Remember the hash is equivalent to the content at the time a signature is applied. If that content changes, the hash changes, and so no longer matches – this sets the signature as invalid.
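The hash, sign and check sequence described in the three items above, as an added example that is not ApproveMe's code: it uses textbook RSA from the Python standard library with a constructed, deliberately weak demo key, whereas production signing uses a certificate-bound key and a padded scheme such as RSA-PSS from a vetted library. The function names, sample contract and timestamps are assumptions made for illustration.

```python
import hashlib

# Constructed demo key built from two Mersenne primes: trivially factorable,
# chosen only so the example runs offline. Never use it for real signing.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key: modulus and exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the signer


def digest(document: bytes, timestamp: str) -> int:
    """SHA-256 over the timestamp and the document content, as an integer."""
    data = timestamp.encode() + b"\n" + document
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(document: bytes, timestamp: str) -> dict:
    """Signer: hash the content, then apply the private key to the hash
    (the step the article calls encrypting the hash)."""
    signature = pow(digest(document, timestamp), D, N)
    return {"timestamp": timestamp, "signature": signature}


def verify(document: bytes, record: dict) -> bool:
    """Verifier: recover the signed hash with the public key and compare it
    with a fresh hash of the document as it exists now."""
    recovered = pow(record["signature"], E, N)
    return recovered == digest(document, record["timestamp"])


def demo() -> dict:
    contract = b"Party A agrees to pay Party B 1,000 USD."  # constructed sample
    record = sign(contract, "2024-01-01T12:00:00Z")
    tampered = contract.replace(b"1,000", b"9,000")
    backdated = dict(record, timestamp="2023-01-01T12:00:00Z")
    return {
        "original": verify(contract, record),
        "tampered_content": verify(tampered, record),
        "altered_timestamp": verify(contract, backdated),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

Because the timestamp is hashed together with the content, changing either one after signing makes the check fail.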
Laws to make an esignature valid
Hopefully you’ll never end up in court over a disputed contract, but if you do, you’ll want to make sure that the effort you have put into making your contract process fully digitized is worthwhile. Fortunately, there are laws governing the use of esignatures. In the USA there is the ESIGN Act. This act, which came into law in June 2000, sets out what criteria an esignature needs to meet to be upheld in a court of law. The following esign requirements will protect your esignature reputation:
All signatories need to have access to the signed file. So for example, ApproveMe allows you to create a document portal using your own WordPress website. The portal is where all contracts and documents reside. Anyone associated with a document can then be given access to it through this portal.
All parties must agree to the use of an electronic signature in any given transaction.
You must be able to prove document integrity (this is where the hash and the encryption come in).
You must be able to prove the identities of the signatories (this is where the digital certificate and sometimes sign-in credentials come in).
Other countries have similar laws set up to encourage and make legal the use of esignatures; for example, in Europe you have the eSignature Directive (1999/93/EC).
Making it count
Esignature software like ApproveMe uses the three parts of e signing requirements to create securely signed digital documents that are compliant with laws like ESIGN. However, to make e signing seamless and easy to use, you need to build a process around the whole contract creation and signing event; in other words, you need to have more than just the basics. ApproveMe offers you an esignature platform, which gives you contract templates, allows you to manage the lifecycle of those documents and contracts, and apply multiple, secure e signatures to them. It also gives you a full audit trail of the process so you can spot any anomalies and make sure that if you do end up in court with a contested contract, you have all the evidence you need to make sure you win. We may not quite be paperless yet, but with secure esignature technologies we have no real excuse to not be.