Safely using electronic signatures
Question: My equipment rental operation is adopting an e-commerce platform, and we’re wondering how safe and legally enforceable electronic signatures are. We also are wondering how necessary all of this is. Any help you can provide would be appreciated.
Answer: The United States and Canada have enacted laws at the federal and state and/or provincial/territorial levels recognizing the validity and enforceability of electronic signatures. In the U.S., the federal Electronic Signatures in Global and National Commerce (ESIGN) Act of 2000, and the Uniform Electronic Transactions Act (UETA), a uniform state law approved by the national Conference of Commissioners on Uniform State Laws (NCCUSL) in 1999, established the legal framework for the enforceability of e-signatures. Canada uses the Uniform Electronic Commerce Act (UECA) other than in Quebec, which uses the Act to Establish a Legal Framework for Information Technology (AELFIT) and the Civil Code of Québec (CCQ). In broad terms, however, they achieve largely the same effect by recognizing and validating the use of e-signatures.
The ESIGN Act defines an electronic signature as “an electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” Thus, an electronic signature can take a variety of forms, including:
- A typed name or signature block.
- A signature adopted and applied through an electronic signature platform.
- A signature created using a stylus or finger on a touchscreen.
- Clicking an electronic confirmation or acknowledgement on a website.
- Scanned copies of physically signed documents.
- Scanned or electronic signatures applied to or pasted in an electronic document.
In the 20-plus years since the creation of these laws, electronic signatures have become ubiquitous and, with few exceptions, are now accepted by businesses, governments and judiciaries throughout the U.S. and Canada. In fact, propelled in part by the increased need for conducting transactions remotely as a result of the coronavirus (COVID-19) pandemic, the use of electronic documents, records and signatures has accelerated and is swiftly becoming the minimum standard for conducting business transactions throughout the world. Nonetheless, some documents still require “wet” signatures and/or are subject to more stringent requirements, such as:
- Certificated securities, for example, stock certificates.
- Certain types of powers of attorney.
- Some types of real estate transfer documents and other real estate agreements.
- Court orders, pleadings, motions, notices and other similar documents.
- Documents required by law to accompany the transportation of hazardous materials.
- Wills, codicils and testamentary trusts.
- Health care proxies.
- Documents relating to family law matters, such as adoptions and divorces.
- Negotiable instruments and certain types of instruments of title.
- Product recall notices affecting health or safety.
Ordinary contracts, however, will typically be enforceable if signed electronically.
In terms of safety, electronic signatures actually are safer and more secure than wet signatures in a number of ways. Wet signatures can be forged or tampered with relatively easily, while electronic signatures now offer a number of different layers of protection.
Audit trails. Unlike wet signatures, e-signatures also come with an electronic record that serves as an audit trail and proof of the transaction. The audit trail includes the document’s history, including the details of when it was opened, closed, downloaded, viewed and/or signed.
Metadata. In that vein, metadata — data about data, such as author, creation date, modification date and file size — also can be used to demonstrate the maintenance of the integrity of the document and the preservation of the link between the signature and the document.
Geolocation. Depending on the provider, and if the signatory agreed to allow access to his or her location, the record also will show the geolocation where the document was signed.
Certificates of completion. These are certificates that include details about each signatory on the document, including the consumer disclosure indicating the signatory agreed to use an e-signature, the signature image, event timestamps, the signatory’s IP address and other unique identifying information.
Tamper-evident seals. After signing is complete, documents can be digitally sealed using public key infrastructure (PKI). The seal validates the signature(s) and evidences the fact that the document hasn’t been tampered with or altered since the date of signing.
Signature verification. A number of options exist for verifying a signatory’s identity, including:
- Access code. The sender provides an access code via SMS, text or other electronic means that must be entered by the signatory.
- Phone call. Each signatory must call a phone number provided by the sender and enter the signatory’s unique name and access code.
- Signatory-specific information. The proposed signatory must answer questions about his or her personal information, such as previous addresses.
- ID verification. Verification of signatories using their government-issued photo IDs or European eID schemes.
- Email address. The signatory enters an email address that is compared to the email address included in the invitation.
Security management. Security management protocols, such as business continuity and disaster recovery planning, secure coding practices, formal code reviews and regular code-base security audits also are common at more reputable e-signature providers.
Handled properly, electronic signatures now offer considerably more protection from fraud than wet signatures, as well as the added benefits of speed, ease of use and elimination of deal friction. As the electronic age races forward, they will become more widely used and progressively more integrated not only with other documentation systems, but also with swiftly advancing telematics and other equipment monitoring, control and automation systems.
Enhanced security. Where enhanced security and/or verification may be required, some providers offer additional levels of e-signature security that comply with the EU’s electronic identification, authentication and trust services (eIDAS) regulatory requirements. Levels of security vary, so it is important to choose an established provider that maintains security protocols across multiple levels, including systems, buildings, data and processes. Data encryption, transfer via https, redundant systems, geographically disbursed mirrored data centers, commercial grade firewalls, malware protection, physical access control and monitored video surveillance all are strongly recommended.
Legal compliance. Compliance with applicable laws, rules, regulations and industry standards governing electronic transactions and signatures — including, for example, PCI DSS, CSA, STAR, ISO 27001:2013, and SOC Types 1 and 2 — is, of course, also a must. Where applicable, the ability to comply with specialized industry regulations, such as HIPAA, and certain agency standards, such as those maintained by FINRA, the FTC, the FHA and/or the IRS also may be important depending on your type of business and/or data content.Handled properly, electronic signatures now offer considerably more protection from fraud than wet signatures, as well as the added benefits of speed, ease of use and elimination of deal friction. As the electronic age races forward, they will become more widely used and progressively more integrated not only with other documentation systems, but also with swiftly advancing telematics and other equipment monitoring, control and automation systems. They also will be augmented by tools designed specifically for use in inspecting, checking-out, and checking-in equipment, such as 360-degree video recording tools which can automatically attach date/time-stamped videos of equipment damage to electronic documents as well as organize and file them. This will almost certainly prove valuable for purposes of defending against lawsuits as well as pursuing collections in connection with equipment damage and alleged defects. Consequently, my advice is to move your electronic transaction processes forward quickly with known and credible providers. Today’s competitive advantage will almost certainly be tomorrow’s competitive necessity.