The past two decades have seen an explosion in the use of electronic signatures to confirm a wide variety of electronic transactions. Rapidly evolving technology contributed to the shift away from paper to online transactions. The one thing that remains is the requirement of a signature to confirm agreement with the terms and conditions of an agreement. So maybe you’ve got questions around electronic signature legality? When should they be used, and will they hold up in court if challenged? What makes them legally binding? We provide all of the answers here.
Understanding Electronic Signatures
Electronic signatures are used to acknowledge acceptance of the terms of a contract or other agreement by electronic means. Some examples of electronic signatures include:
- Typing your name at the end of an email sent out to business colleagues
- Typing out your name on a document or other electronic form
- Sending an image of your handwritten signature via fax, email, or other electronic means
- Entering your personal identification number (PIN) into an ATM
- Clicking check boxes or radio boxes to signal agreement with an online contract
- Using a pen or your finger to electronically sign your name on a touch screen device like a smartphone or tablet
Don’t confuse electronic signatures with digital signatures, a term that refers to the cryptographic fingerprint computer programs attach to the documents they generate. It’s a way of protecting the information contained within a document and ensuring that it can only be read by the intended recipient.
Wondering about enforceability? Don’t worry: the laws are in place, and courts in the US and many other countries have already upheld electronic signatures. You’ll just want to ensure your signature and documents comply with the elements covered below.
The History of Electronic Signature Law
Wet signatures, the use of a pen or seal to confirm the legality of an agreement, became the standard in business and government agreements. The first use of electronic signatures started around the Civil War period, when soldiers and sympathizers on both sides used telegraphs to communicate with each other in Morse code. The New Hampshire Supreme Court ruled in 1869 that agreements made over a telegraph were legally binding.
The next shift toward widespread use of electronic signatures came with the introduction of the fax machine in the 1980s. People could now sign documents on one side of the country and fax them to someone on the opposite side. Parties no longer had to rely on the postal service to transmit documents back and forth.
Concerns about the legality of using electronic signatures led the United Nations to publish the UNCITRAL Model Law on Electronic Commerce (MLETR) in 1996. It established guidelines upon which other countries built their own laws around the use of electronic documents for various transactions. MLETR also addressed the legal effects of, and gaps around, maintaining electronic documents.
Electronic signatures are legally accepted, with laws to back them up, in 33 countries including the USA, Canada, the UK, the EU, China, Russia, Australia, Switzerland, and more. For a complete list, please reference this document.
E-Signature Laws in the United States
The U.S. followed up with two laws to ensure the validity of electronic contracts and to make electronic signatures defensible in court. The Uniform Electronic Transactions Act (UETA) received approval from the National Conference of Commissioners on Uniform State Laws back in 1999. It gives states a framework upon which to determine the legality of using electronic signatures to facilitate commercial and government transactions. Each state has the option of accepting or rejecting the UETA guidelines.
The federal government followed up by establishing the Electronic Signatures in Global and National Commerce Act, also known as the E-Sign Act, at the federal level in 2000. It’s the standard still used today in validating electronic contracts and agreements used in U.S. and international commerce transactions. UETA and the E-Sign Act work hand in hand in determining the legality of electronic signatures on documents.
E-Signature Laws in Canada
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) establishes the framework governing the use of electronic documents and signatures in the private sector. The law went into effect in April 2000 and now covers a variety of industries, including broadcasting, banking, and health.
The law establishes how businesses collect, use, and disclose any personal information from those who enter electronic agreements. Its goal is to remain consistent with the laws of Canada’s trading partners, such as the EU. The law governs any private enterprise operating in Canada. However, certain provinces with their own legislation would not necessarily be subject to PIPEDA’s regulations.
E-Signature Laws in the UK and Europe
The United Kingdom adopted the Electronic Communications Act in 2000 to govern the use of e-signing in commerce. It was later supplanted by the European Union’s Electronic Identification, Authentication, and Trust Services regulation, or eIDAS, in 2014. eIDAS governs electronic transactions by regulating the related electronic identification and trust services, and it establishes standards around using electronic signatures and other means of digital authentication of a document.
Other countries outside of the EU came up with their own laws governing electronic signatures. For example, Switzerland operates under ZertES, a federal law that outlines the security conditions that must exist to encourage the use of validated electronic signatures, giving them the same legal weight as a handwritten signature.
Are Electronic Signatures Admissible in Court?
U.S. laws at the state and federal level give electronic signatures the same legal significance as a signature placed on a paper agreement with a ballpoint pen. The courts have ruled in favor of agreements completed via electronic signature software thanks to the E-Sign Act. That means the law works as intended, which is to give businesses and consumers the confidence that their electronic signature will hold up under a legal challenge.
That doesn’t mean that the courts will uphold every electronically signed document as valid. A judge will still evaluate the circumstances under which a business or other party obtained the signature. They’ll look for indications that someone falsified a signature or tampered with a document after it was signed.
Other reasons a judge might rule against the legality of an electronically signed document include:
- Lax security (this also relates to record retention, which is vital; documents should be secured and accessed only by those with ownership, involvement, or just cause to do so)
- Lack of traceable audit logs (these should ideally tie each action to a specific user’s IP address, with timestamps, to confirm a signer’s identity digitally; audit logs also help deter tampering, or provide proof if it has occurred)
- Lack of authentication of the document
Ways of Verifying and Accessing Electronic Signatures
Each document management provider establishes its own standards for validating electronic signatures. Many use a digital signature to establish the validity of a document. It helps to think of a digital signature as a fingerprint. A document provider creates a digital signature using encryption to place a sort of fingerprint, or digital certificate, into every document that requires an electronic signature. The sender’s software makes sure that certificate matches up with a public digital certificate when the document is verified.
Software solution providers (like ApproveMe.com) can also add other layers of security to documents to ensure their validity and to keep the content from being accessed by anyone other than the recipient. Other ways of verifying electronic signatures include:
- Creating an auto-generated certificate to establish an audit trail for every electronic signature
- Making sure documents comply with state and federal laws governing the use of electronic signatures
- Using SSL security
- Encrypting signature images and not saving them on an FTP server
The best way of ensuring the legality of an e-signature is to follow the guidelines established by the laws governing electronic documents. For U.S. document management providers, that means doing their best to comply with the E-Sign Act and the relevant state laws governing ecommerce. Any failure to provide proper security around collecting information on electronic documents could lead to a court ruling against the validity of an electronic signature.
Consider these aspects when assessing legality and best practices for your electronically signed documents:
- Intent to sign (signees should have the clear ability to either sign or back out of completing a signature)
- Consent (signees should be prompted to confirm their approval of applying a signature)
- Signatory identity (being able to authenticate the signatory and apply a ‘signer ID’ that is unique to each signer. This is like a notary checking a signatory’s identity at the time of signing)
- Signature audit (having an audit trail that can be checked, showing the time the signature was applied and tying it to a specific user by IP address. This goes above and beyond what a hard copy document can do and also allows a detailed audit of multiple signatories’ information)
- Document integrity (ensuring that the document can’t be changed after a signature is applied. This is a digital way of having checks and measures on an electronic document: if even a period is changed to a comma, the change will show up and the signature becomes invalid)
- Record retention (both parties should be given access to the completed document)
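To make the document-integrity and signer-identity points concrete, here is an added example (not code from this page or from ApproveMe.com): it signs a document with an Ed25519 key, which stands in for the certificate-based scheme described above, binds a hypothetical signer ID into what gets signed, and shows that changing a single period to a comma makes verification fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument is a constructed record of what a provider would store after
// signing: the exact text, the assigned signer ID, the public key and signature.
type SignedDocument struct {
	Text, SignerID string
	PublicKey      ed25519.PublicKey
	Signature      []byte
}
// digest is what actually gets signed: SHA-256 over the signer ID and every byte
// of the document text, so the signature binds identity and content together.
func digest(signerID, text string) []byte {
	h := sha256.New()
	h.Write([]byte(signerID))
	h.Write([]byte{0}) // separator so the two fields cannot run into each other
	h.Write([]byte(text))
	return h.Sum(nil)
}

// SignDocument signs the text on behalf of signerID with an Ed25519 private key.
func SignDocument(text, signerID string, priv ed25519.PrivateKey) SignedDocument {
	return SignedDocument{
		Text: text, SignerID: signerID,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest(signerID, text)),
	}
}

// Verify reports whether text and signer ID are exactly as they were when signed.
func (d SignedDocument) Verify() bool {
	return ed25519.Verify(d.PublicKey, digest(d.SignerID, d.Text), d.Signature)
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	doc := SignDocument("Payment is due within 30 days.", "signer-0001", priv)
	fmt.Println("original verifies:", doc.Verify()) // true
	tampered := doc
	tampered.Text = "Payment is due within 30 days," // period changed to a comma
	fmt.Println("tampered verifies:", tampered.Verify()) // false
}
```

A real provider would additionally timestamp the record and store it in the audit trail, so the failed check can be tied to when and by whom the copy was altered.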
For more on protecting the validity of electronic signatures online, read here.
Legality Requirements of Electronic Signatures by Industry
It’s a good idea to look at how a digital transaction management (DTM) provider complies with the standards that govern specific industries. Here’s a rundown of some common laws regulating the management of electronic documents used in commerce and government.
Companies responsible for handling credit card payments and processing payment information must comply with PCI DSS standards established for the financial industry. The guidelines establish protections for cardholder data and other sensitive information. Businesses face steep fines for failing to keep that data secured.
Any business responsible for handling the personal health information (PHI) of consumers must make sure their tools and systems comply with the Health Insurance Portability and Accountability Act (HIPAA). The federal law mandates how health providers handle billing transactions and any other communications involving PHI in verbal, paper documents, or electronic form. HIPAA emphasizes that health providers must share only the minimal amount of data necessary to conduct business or complete a transaction.
Companies doing business with the federal government must adhere to the standards outlined in the Federal Information Security Management Act (FISMA), passed into law back in 2002. The legislation outlines a comprehensive framework for keeping government information, assets, and operations protected against all threats, whether natural or man-made. There are nine steps a company must follow to remain compliant with FISMA.
- The company must categorize all information needing protection
- The company must select minimum baseline controls
- The company must refine controls through a risk assessment procedure
- The company must document controls in a system security plan
- The company must implement security controls in all relevant information systems
- The company must assess how effective each security control is after implementation
- The company must determine the level of risk to a business case or mission
- The company must issue authorization to allow processing in an information system
- The company must continuously monitor all security controls
International Commerce With the EU
If a company conducts business with consumers in Europe, it should look for a DTM that works to comply with the General Data Protection Regulation (GDPR) data privacy law. That means a company must make sure that electronic signatures and other essential data do not fall into the wrong hands because of lax security protocols.
The EU assesses fines depending on the severity of any data breaches. Some companies, like British Airways and Marriott, have already faced penalties in the millions because of exposing the personal information of customers captured through digital transactions, including online contracts.
Documents Which Can’t Be Completed via E-Signature Solutions
Transactions that require a wet signature by law cannot be electronically signed, including documents like a power of attorney, will, or sworn declaration. An agreement cannot receive an electronic signature if one party demands a wet signature instead. A lot of major financial agreements require a notarized document, which means an authorized person must witness the signing of an agreement in person.