Increasingly organizations are moving away from their paper-based ways of doing business and implementing document management with workflow to streamline their processes. It makes sense to take a process that repeats itself frequently like invoice approval routing or contract reviews and automate the flow of information.
Frequent questions arise, including: “What about our approval processes, are they compliant without a physical signature? Are digital signatures using PKI required to make a transaction valid?” Or simply, “What makes you think this is legal?” Let’s start by looking at the laws governing electronic signatures and what they require of you.
Two laws go hand in hand regarding electronic signatures. The first is the Electronic Signatures and National Commerce Act (ESIGN Act) and the second is the Uniform Electronic Transaction Act (UETA).
The ESIGN Act was specifically enacted to grant both personal and commercial transactions the same legal status as a written signature. It clearly states that “… contracts entered into electronically will be legally effective and valid, and that consumers who enter into contracts electronically have the same protections they have when contracting in the "brick and mortar" world." ESIGN goes on to ensure that any agreement signed electronically will not be denied legal force, effect, validity, or enforceability solely because an electronic signature was used in its formation.
The Uniform Electronic Transaction Act was developed by the National Conference of Commissioners on Uniform State Laws (NCCUSL) to provide a framework for the use of Electronic Signatures in government or business transactions. UETA makes electronic records and signatures as legal as paper and manually signed signatures.
Both pieces of legislation identify electronic signatures with the same definition. Section 2 of the UETA and Section 106 of the ESIGN act state that electronic signatures must be "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."
As you can see, the definition of an electronic signature is quite broad, allowing organizations a fair amount of flexibility in how they migrate to ESIGN-compliant approvals. This is great news if you’re looking to automate your business processes yet have heard about the complexities that a digital signature based on a public key infrastructure (PKI) can introduce.
ESIGN and UETA do provide some clear guidelines on what is required of you, especially in the area of consumer related transactions. Let’s take a look at five key features you need in your document management system to ensure an ESIGN compliant process:
Applications of Signatures
Most full-featured document management systems offer the ability to sign a document through either a secure workflow or through its ability to apply and burn a signature to an image file or PDF. With the advent of pads and smartphones we are seeing solutions with the ability to apply a signature that is written through the use of a stylus, mouse or even a finger. Based on the ESIGN/UETA description any of these techniques will work.
Notification and Consent
Additional requirements include provisions for consumer protection. The Consumer Disclosure clause states that the consumer must be notified that they are not required to use an electronic signature for execution and that they must provide their consent to the electronic process. As a product designed for both internal use and consumer applications, your document management system needs to address this condition by requiring that the signatory consents to these terms before signing. Frequently this is done through a web portal with conditional acceptance.
Authentication and Audit Trail
Your document management solution must provide a granular security model that requires the individual executing the agreement to authenticate before being granted access to the approval process. In addition, the right solution will provide a complete audit trail of every transaction to further establish the identity of the signatory.
Record Retention
Subsection D of the ESIGN Act details the retention requirements for contracts and records. It states that if a “statute, regulation or other rule of law” requires the retention of the file, then “that requirement is met by retaining an electronic record”. Any document management system worth the investment should clearly address this condition.
Accuracy and Availability
This requires that the record be available to all parties involved. It is easily accomplished by giving every signatory the ability to save a copy of the record to their own computer.
It is important to note, however, that the record must be created in a format that is both accurate and accessible. This simply means that the technology used to read, display and transfer the record is non-proprietary and a generally accepted format. A solution with an open architecture that also embraces standard file formats will allow for full compliance here as well.
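The consent gate, the authentication check, the audit trail and the open-format copy described above can be modelled in a few dozen lines. The following is an added illustration, not code from the original article or from any product it describes: a hash-chained ledger of signature events in which each entry records the signer, the method used (drawn, typed or click-to-sign are assumed method names), the stated intent to sign and a link to the previous entry, so that any later alteration of a stored event is detectable and every party can keep a plain JSON copy.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first event in a ledger
# Signature methods the page lists; all fit the ESIGN/UETA definition
METHODS = {"drawn", "typed", "click"}


def _digest(event):
    # Canonical JSON so the same event always hashes the same way
    data = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class SignatureLedger:
    """Append-only, hash-chained audit trail of electronic signature events."""

    def __init__(self):
        self.events = []
        self._prev_hash = GENESIS

    def record(self, record_id, signer, authenticated, consented, method, timestamp):
        """Append a signature event after checking the page's preconditions."""
        if not authenticated:
            raise PermissionError("signer must authenticate before signing")
        if not consented:
            raise ValueError("consumer has not consented to electronic signing")
        if method not in METHODS:
            raise ValueError(f"unknown signature method {method!r}")
        event = {
            "record_id": record_id, "signer": signer, "method": method,
            "intent": "adopted as signature", "timestamp": timestamp,
            "prev_hash": self._prev_hash,
        }
        event["hash"] = _digest(event)  # hash covers every field above
        self.events.append(event)
        self._prev_hash = event["hash"]
        return event["hash"]

    def verify(self):
        # Recompute the chain; False if any stored event was altered
        prev = GENESIS
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if ev["prev_hash"] != prev or _digest(body) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True

    def export_json(self):
        # Open, non-proprietary copy each party can retain and re-verify
        return json.dumps(self.events, indent=2, sort_keys=True)
```

The chain only proves that the stored record has not changed since it was written; protecting the ledger file itself (backups, write-once storage, access control) is still part of the retention design.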
As you can see, there are many ways to sign documents electronically that are fully ESIGN/UETA compliant without the cost and complexity that a PKI solution introduces. There are certainly applications that require the high-level security PKI provides, but it is typically not needed by the average business that’s approving invoices, contracts and personnel requests.