
Is your electronic signature safe?

Helena Gassull
10 min read

Summary

Discover the risks of non-compliant eSignatures—from legal issues to fraud—and learn how to secure compliant solutions for your business.


Are electronic signatures safe? The number of electronic signing options to choose from has multiplied in the past few years. There are many reasons why you need an electronic signature in your business, but the use of different solutions may cause you to question if your data, your documents, and your signatures are safe. It is essential to make the right selection when choosing a provider, so read on to discover what makes Docusign eSignature safe, compliant, and legally binding.


Electronic Signature Security

It is essential to use an electronic signature solution that protects you and creates documents that you can trust. Our electronic signature solution permits a range of methods for identifying and authenticating signers. This range of signature types meets international electronic signature law and EU directives. Docusign eSignature follows a compliance process to keep documents and electronic signatures safe.

On 1 February 2022, the expert Industry Working Group on Electronic Execution of Documents published its interim report, which analyses the current state of e-signatures in England and Wales.

The report detailed how individuals and businesses can and should safely use electronic signatures. Electronic signatures are better and more secure in many ways than traditional methods and should be the norm rather than the exception.

According to Lord Justice Birss, Deputy Head of Civil Justice, "there's every reason to adopt these methods now. Both the legal and technical frameworks already exist—and there's no reason to wait." You can read the full report here.

How does Docusign keep electronic signatures safe?

  • Docusign authenticates the signer's identity, so electronic signatures are not forged.

  • Docusign eSignature documents are linked to the signer via an email address, IP address, or other information. You can click the signature to validate it.

  • The agreement's contents must stay the same after it is signed. Any changes are flagged for all signing parties to see.

  • An audit trail is generated for each document, which captures everything that happens to it with time and date stamps. The audit trail includes details such as when the document was opened, viewed, and signed. If the signer agrees to access their location, it may also show the geo-location where it was electronically signed. The audit trail is available to all participants in the transaction.

  • Docusign meets and exceeds some of the strictest global security standards. It is ISO 27001, ISO 27017 and ISO 27018 certified and maintains compliance with the Payment Card Industry Data Security Standard (PCI DSS).

  • Docusign is GDPR compliant and meets the correct security protocols.

  • Docusign's Certificate of Completion is court-admissible and contains the audit trail of the signees' email addresses, timestamps, and IP addresses. Detailed certificates of completion can include specific details about each signer on the document, such as the consumer disclosure indicating the signer agreed to use e-signature, the e-signature image, key event timestamps, and the signer's IP address and other identifying information.

  • Once the signing process is complete, some providers, including Docusign, create a tamper-evident seal. The provider digitally seals the documents using Public Key Infrastructure (PKI). This is an industry-standard encryption management technology, and this seal indicates the electronic signature is valid and that the document hasn't been tampered with or altered since the date of signing.

How does Docusign verify a signer's identity?

E-signature technology offers multiple options for verifying a signer's identity before they can access the document and sign, including:

  • Email address: signers enter their email address, which is compared to the email address used in the invitation

  • SMS: signers must enter a one-time passcode sent via SMS text message

  • Knowledge-based authentication (KBA): signers are asked personal questions gathered from commercially available databases, such as past addresses or vehicles owned.

  • Photo ID upload: Signers are verified using their government-issued photo IDs, such as passports or driver's licences.

  • Electronic or bank-based IDs: signers can submit their login credentials for existing bank accounts or government accounts to prove their identity.

For situations where additional levels of security and signature validity are necessary, some providers offer two extra levels of e-signature that comply with the European Union's (EU) eIDAS requirements:

  • Advanced Electronic Signature: This type of signature requires identity verification and authentication to establish a link to the signer. It also includes a certificate-based digital ID issued by a trusted service provider.

  • Qualified Electronic Signature: This is an even more secure signature version that utilises a "secure signature creation device" and is deemed the legal equivalent to a wet signature in the EU.

What are the legal, compliance, and security risks associated with non-compliant eSignature solutions, including their impact on contract enforceability and data protection?

Many other applications simply 'paste' an image into a PDF. Why is this a problem? This creates a document that has no real value. It is unsafe because the document is not linked to any assurance that it was signed by a particular person or any 'proof' to make the signature legally binding.

If you can modify the document's content after it has been signed without others being able to tell, using this process could put you, your team and your agreements at risk.

Consider this example: A bad actor could take a photo of your signature on a paper document or an email and simply 'upload' that image into one of these apps. They can then create a contract, say you agreed to pay them £5,000, and try to collect it. What evidence is there that you did or did not sign, or that this bad actor created the agreement fraudulently?

How do non-compliant eSignatures impact identity verification and audit trails and lead to legal disputes?

Using apps that include just a typed PDF signature is dangerous because you cannot claim that such a document should be deemed reliable. An audit trail from a compliant e-signature solution is admissible in court to protect against fraud and identity theft. Apps without an audit trail do not offer sufficient protection to the signer or the content: without one, it is difficult to track the signing process or determine who has actually signed the document. Docusign eSignature logs, on the other hand, can show that an agreement is legitimate through the audit trail.

An electronic signature solution is far more secure than traditional types of signatures used in PDFs. Wet signatures and PDF signatures can be easily forged or tampered with. Without increased security measures like encryption and digital certificates that come with reputable electronic signature solutions, there is greater exposure to risk, including data breaches and financial loss. Electronic signature solutions can also meet legal requirements for signing documents, reducing the risk of legal and compliance issues later. Your business is at risk if you use e-signature software that isn't compliant with legislation. Your legal team or advisors can help you to conduct a risk assessment for your documents.

What types of fraud and financial consequences can occur with non-compliant eSignature platforms?

Non-compliant, unauthorised transactions can lead to contract breaches, access to sensitive material, and identity theft. If you don't comply with regulations such as GDPR, your business can also be subject to financial loss through fines or damage to your reputation.

Electronic signature vs handwritten signature

Nowadays, an electronic signature is more widely accepted than a handwritten one because it has security and authentication layers. An electronic signature carries layers of information about who signed what, where, and when. A handwritten signature can be easily copied or tampered with, but an electronic signature that follows security protocols such as those used by Docusign cannot. Find out more about the differences between using an electronic signature solution and creating a handwritten signature.

What makes an electronic signature legal?

The 'eIDAS regulation,' which came into force on 1 July 2016, ensures electronic signatures are legally binding. This EU regulation means that any electronic document you send between two EU countries is safe, legally compliant, and regulated. The regulation EU No. 910/2014 allows members of the EU to conduct seamless transactions across countries.


Are electronic signatures legal in the UK?

The short and simple answer is ‘Yes.’ The Law Commission of England and Wales has formally ruled that electronic signatures can be used to sign formal legal contracts under English law.

Law Commissioner Stephen Lewis said, “Contract law in the UK is flexible, but some businesses are still unsure if electronic signatures would satisfy legal requirements. We can confirm that they do.” The Law Commission published an electronic document report on September 4th, 2019, confirming that electronic signatures are legally binding across the board, including for deeds and government documents. Many law firms and company legal teams also use electronic signatures for their work, including Womble Bond Dickinson, a leading UK law firm. 

How can businesses ensure their eSignature provider meets international standards, and what are the best practices for selecting a compliant provider?

Signers need to feel that the documents they are signing are completely secure. The UK eIDAS regulations set out rules for UK trust services and establish a legal framework for the provision and effect of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication. Docusign complies with UK and EU eIDAS regulations and invests in keeping compliant with the highest international security standards, including enterprise-wide ISO 27001:2013 certification, PCI-DSS, and SOC 1 Type 2 and SOC 2 Type 2 reports. Docusign also supports Public Key Infrastructure (PKI)-based digital signatures that utilise digital certificates to verify identity. Docusign can deliver the signature types defined under eIDAS, including EU Advanced Electronic Signatures (AES) and EU Qualified Electronic Signatures (QES).

Which electronic signature solutions are safe?

If you care about the security of your signature, be sure to use an electronic signature solution that protects you and creates documents you can trust. A good solution will protect you from unwanted changes after you sign. It will also ensure there is an audit trail and authenticate a signer’s identity to offer vital security and protection. Docusign provides all of these attributes and more. To discover the benefits for yourself, sign up to try Docusign for free.


Helena Gassull

Demand and Content Marketing Manager EMEA, Docusign
