The Business of Electronic Signatures
Businesses are deploying security solutions that provide the capability to let customers sign documents, get approvals for services such as home loans and bind the related approval audit trail into the document, electronically. This is analogous to capturing wet ink on paper. This is the world of electronic signatures being deployed by businesses across industries. Security professionals and architects need to be intimately familiar with the technology, its application and its integration within the existing IT infrastructure.
E-Signatures Enable E-Approvals
So why are businesses serious about electronic signatures? Why should security professionals and architects “beef up” their skills in this area? It is because by eliminating the inefficiencies of paper and routing this paper to customers, an organization can immediately capture a customer’s commitment to contracts and agreements instead of waiting days or weeks for the business opportunity to be realized.
Approvals are a key component of business processes. Paper-based approval is time intensive and costly. Keep in mind that about 80 percent of all business documents are forms. Most forms typically require a signature. A signature is used to authorize action, to demonstrate responsibility and legally to indicate intent of decisions. Handwritten signatures are an impediment to e-business. Electronic signatures enable electronic approvals, resulting in business efficiencies.
There are numerous examples of business applications that can benefit from an infrastructure that is capable of supporting electronic signatures. These business applications include auto financing, mortgage origination, legal contracts, lease agreements, change-order requests, RFPs and more.
The business objective is to provide customers with the ability to electronically access, review, sign and return legal disclosures and contracts at the speed of the Internet. With electronic signatures, the resulting business transaction is legally binding and enforceable.
Several pieces of legislation have been enacted that enable consumers, enterprises and government organizations to use the Internet to engage in transactions and business processes that require a personal signature, including signing important documents, applying for credit cards and opening bank accounts. These include:
- The Electronic Signatures in Global and National Commerce Act (E-SIGN)
- Uniform Electronic Transactions Act (UETA)
- Uniform Commercial Code (UCC Article 9)
- The Government Paperwork Elimination Act (GPEA)
- Section 508
These give electronic signatures the same legal status as handwritten signatures. Just like a traditional pen-and-paper process, an electronic signature permanently binds a person’s consent to the exact contents of a document using industry-standard cryptographic algorithms. Once the electronic signature is applied, deleting or transferring it into another document or altering the document’s contents render the electronic signature invalid.
The Electronic Signatures in Global and National Commerce Act (E-SIGN) was signed by former President Clinton on June 30, 2000. This legislation provides the same legal recognition and enforcement for electronic signatures, contracts and records as their paper counterparts.
Several states have enacted the Uniform Electronic Transactions Act (UETA). UETA is similar to E-SIGN in that it allows for the same legal acceptance of electronically created records and signatures as paper records and ink signatures. It also outlines the parameters for the creation of a valid e-signature and the maintenance of electronic documents. UETA was drafted by the National Conference of Commissioners on Uniform State Laws (NCCUSL), and it must be adopted on a state-by-state basis. UETA focuses on identifying parameters for the creation of a valid electronic signature as well as maintaining electronic documents.
The Uniform Commercial Code (UCC) establishes a legal infrastructure for commerce and has been adopted in all 50 states. Article 9 of the UCC defines the rules for secured transactions, including the negotiation, ownership and transfer of chattel paper.
The Government Paperwork Elimination Act (GPEA) requires federal agencies, by Oct. 21, 2003, to allow individuals or entities that deal with the agencies the option to submit information or transact with the agency electronically when practicable and to maintain records electronically when practicable. The Act specifically states that electronic records and their related electronic signatures are not to be denied legal effect, validity or enforceability merely because they are in electronic form and encourages the federal government’s use of a range of electronic signature alternatives. The GPEA was signed into law in October 1998.
In 1998 Congress amended the Rehabilitation Act to require federal agencies to make their electronic and information technology accessible to people with disabilities. Section 508 was specifically enacted to eliminate barriers in IT, to make available new opportunities for people with disabilities and to encourage development of technologies that will help achieve these goals.
Electronic and Digital Signatures
Electronic signature legislation requires that an electronic signing process must meet the following criteria to be considered legally binding:
- The signature must be unique to the person using it.
- The signature must be verifiable as belonging to the user.
- The signature must be under the sole control of the person using it.
- The signature must be permanently attached to the data in such a way that it authenticates both the attachment of the signature to the data and the integrity of the data transmitted.
- The signer must intend the signature to have the same force and effect as a signature affixed by hand.
An electronic signature may be used for electronic approvals if it supports these capabilities:
- It combines the cryptographic functions of a digital signature with the image of the person’s handwritten signature. The image of the person’s handwritten signature contained in the electronic signature is what visually demonstrates the person’s consent, understanding and responsibility toward the document.
- It authenticates data. It does so by using a hashing algorithm, thereby permanently linking the act of consent embodied by the signature to the exact contents of the signed document. Each time the document is opened an electronic signature automatically verifies and detects if data has changed since the document was signed. If a change is detected, the previously applied electronic signature is invalidated.
- It provides secure authentication by permanently referencing the individual’s digital certificate within the signature file.
These capabilities of electronic signatures make them legally binding and very difficult to repudiate.
A digital signature is typically used as part of an electronic signature solution. A digital signature is a cryptographic algorithm that secures and verifies the origin and integrity of digitally signed binary data. With a digital signature, the signer has a private key, and the recipient has the corresponding public key, both keys issued from the same certificate authority (CA). If either key is incorrect or if the digital certificate used to obtain the keys is invalid, the transaction cannot be executed.
State of Electronic Signatures Today
Technology is available to electronically sign the content of a document or a form. This document or form is presented to the user in Acrobat PDF, Microsoft Word or Excel, Adobe Capture or PureEdge InternetForms. Following the signing, the electronic signature(s) and any rela