Electronic Signature FAQs
White Papers & Articles
What is an electronic signature?
An electronic signature, like its paper equivalent, is a legal concept. The U.S. Electronic Signatures in Global and National Commerce Act (e-SIGN) defines an electronic signature as "an electronic sound, symbol, or process attached to, or associated with, a contract or other record and adopted by a person with the intent to sign a record." Based on this definition, an electronic signature can be broken down into the following components: 1) a method of signing, 2) data authentication; 3) user authentication; and 4) capture of intent.
What is a digital signature?
The term digital signature refers to the encryption / decryption technology used as the foundation for a variety of security, e-business and e-commerce products. Based on public/private key cryptography, digital signatures are used in secure messaging, public key infrastructure (PKI), virtual private networks (VPN), secure socket layers, and electronic signatures.
Contrary to what the name might suggest, a digital signature alone is not a type of electronic signature. Rather, digital signature encryption can and should be used by electronic signature applications to secure the data and verify the authenticity of a signed record. Further, a digital signature alone does not capture a person's intent to sign a document and be legally bound to an agreement or contract.
Are electronic signatures legal?
Yes, both federal and state law gives electronic signatures the same legal status as handwritten signatures. Forty-seven states, the District of Columbia, Puerto Rico, and the Virgin Islands have adopted the Uniform Electronic Transactions Act (UETA) promulgated by the Uniform Law Commission (also known as the National Conference of Commissioners on Uniform State Laws). See the ULC web site for more information.
Three states, Illinois, New York and Washington, have not adopted the uniform act, but have statutes pertaining to electronic transactions.
Additionally, the Electronic Signatures in Global and National Commerce Act (ESIGN), a federal law, provides that electronic signatures are legally enforceable for intrastate commerce and within those states that have not adopted UETA.
Do legal requirements differ from state to state?
Yes and no. The federal Electronic Signatures in Global and National Commerce law and the state Uniform Electronic Transactions Acts (UETA) are similar in substance, and together enable the use of electronic signatures in commerce throughout the US. That said there may be additional regulations, or compliance requirements that apply to certain processes (like truth-in-lending disclosures, or protecting the privacy of medical records). But these requirements exist for paper processes as much as for electronic ones.
Have e-signed documents been challenged in court?
Yes, there is a growing body of case law that is establishing precedence for electronic records and signatures. Examples include: Lorraine v. Markel, Vinhnee V. American Express, Campbell v. General Dynamics Government System Corp., 2005 NY Slip Op25526, Shattuck v. Klotzback, Hotmail Corporation v. Van$ Money Pie Inc.
While in some cases, electronic records were accepted as evidence and the transaction under question upheld, in other cases the court did not admit, or at least criticized, the electronic records as evidence.
What are some of the key take-aways from recent court rulings?
In a landmark ruling on the admissibility of electronically stored information (ESI), US Magistrate Judge Paul W. Grimm discussed examples of the essential elements of an effective e-contracting process, notably "creating and securely archiving and retrieving an audit trail of the entire ESI management process, from the steps to verify the identity of the persons signing the record all the way through to sealing electronically the document and then securely archiving and retrieving the e-contract."Moreover, Judge Grimm noted, "These same steps enhance the overall persuasiveness of the hard copy of the e-contract as well."
How can we ensure our electronic records will be enforced in the event of a dispute?
The key to ensuring an enforceable e-signed record and staying out of court in the first place, is to capture and reproduce as much electronic evidence as possible. Creating persuasive electronic evidence can be accomplished by recording and reproducing the exact process used to build the person's understanding of what they were agreeing to and signing. This includes the exact appearance and order of all of the web screens, documents and legal disclosure that were presented to people; how long they spent on each page; and all actions that they took during the review and signing process, such as clicking on buttons to accept, sign, initial and confirm.
What is the ESIGN Act?
The Electronic Signatures in Global and National Commerce Act (e-SIGN) is a U.S. Federal law that was passed in 2000 that enabled the use of electronic records and signatures for commercial transactions. The act essentially enables organizations to adopt a uniform e-signature process across all 50 states with the assurance that records cannot be refused by a court of law solely on the basis that they were signed electronically.
Because the act is technology-neutral and doesn't favor any one type of solution over another, the onus is on the organization to determine how it plans to meet the e-SIGN Act's requirements for capturing signing intent and authenticating data and signers.
Are there any special requirements for presenting legal disclosures over the web?
As with paper transactions, an organization must still prove that it presented consumers with the government-mandated disclosures in the required format and within the required timeframe. In addition, the merchant must be capable of demonstrating that the consumer has consented to receiving disclosures electronically, and that he/she can access the information in the electronic format provided.
Delivering disclosures via your Web site requires more than simply posting disclosures on a Web page. Evidence of the entire disclosure delivery process, including how the disclosure was rendered to the consumer's browser, and which actions the consumer took, must be securely stored in a single audit trail.
What is better from a legal standpoint, an electronic signature or a digital signature?
Although they sound similar, e-signatures and digital signatures are completely different things, and should not be compared. An e-signature is a legal concept. It is the electronic equivalent of a wet ink signature on paper, and must therefore have certain characteristics for evidentiary purposes.
As defined by the US federal ESIGN law, an electronic signature is "an electronic sound, symbol, or process attached to, or associated with, a contract or other record and used as the legal equivalent of a written signature." A digital signature, on the other hand, is an encryption technology used to secure data. It can and should be used as part of an e-signature for security, but alone, does not meet the legal requirements.
Are e-signatures secure?
Yes. Once a document is signed electronically, it cannot be altered in any way without visible detection. Any attempt to alter or delete the content or signatures will automatically render the document and electronic signatures visibly invalid.
What are the top security features to look for in an e-signature solution?
- User authentication
- Data authentication
- Process control
- Process evidence
User authentication is the process of identifying an individual and ensuring that the person is who he or she claims to be. Data authentication, on the other hand, is the process of verifying the information contained in a signed document to ensure that it hasn't changed since it was signed. Electronic transactions can be controlled by workflow rules to reduce the risk of non-compliance and errors. The importance of process evidence is to prove exactly what took place at every stage of the document review and signing process.
What is the difference between user identification, authentication and attribution?
Identification takes place the first time you conduct a transaction with an online user. Common approaches to user identification are self-identification (user enters personal information about themselves) and third-party identification (when that information is verified against a third party verification service such as Equifax).
User authentication is the process of verifying credentials entered by a user. The most common approach and widely accepted standard for user authentication in online transactions is user name and password. Digital certificates, tokens or biometrics are other options for very high risk processes.
Attribution is the process of associating a signature to an individual. This is a unique challenge in a face-to-face environment when the method of signing is click-to-sign. Attributing the signature is important to be able to demonstrate who was 'holding the mouse". The best approaches for establishing attribution are voice signature, SMS password and affidavits.
Does the law require a minimum level of user authentication?
In a word, no. The federal ESIGN law does not specify the type of user authentication to be used with e-signatures. The definition of an e-signature under ESIGN refers to user authentication in the phrase "a contract or other record . . . adopted by a person"; however, it does not specify how the signer should "adopt" the contract or record.
Ideally, the choice of a user authentication method should depend on the risk profile of the organization and the process it is automating. Smart cards with digital certificates may make sense when signing highly sensitive military requisitions, but are clearly not feasible, or even necessary, for consumers applying for a loan online.
What is the best way to identify and authenticate users over the web?
Consider how customer identity is verified in other remote channels, such as call centers and by mail. These processes identify applicants using out-of-wallet information, sometimes verified against third-party verification services.
Once a user's identity is established, it makes sense to issue electronic credentials for future transactions. Because most Web-based consumer-facing processes are one-time or infrequent, it is not practical or cost-effective to issue digital certificates or hardware-based authentication devices to end users. A better option is to use password or leverage electronic credentials that have already been issued for other processes.
Electronic Signature Security
Security is a top concern online, so it is important to ensure your e-signature provider meets the...
Beginner's Guide to Electronic Signatures
This beginner's guide introduces business and IT executives to the key concepts and considerations for moving to paperless, signing processes,...