Digital Signatures In the Legal Market

Automated signing solutions are all around us: at the supermarket checkout; when we receive a package; at the doctor's office. Despite this, paper-based signing still finds its way into our regular operations, and too often remains there unquestioned. Isn't it strange how everyday (aka, convenient) ways of doing things linger despite there being more efficient, faster and cheaper alternatives?

A recent ALM online reader survey revealed that within polled law firms and legal departments, nearly half of all documents are printed for the sole purpose of adding signatures. A staggering 34% of all respondents indicated that they print 75% or more of documents for the purpose of adding signatures. The survey also found that, overall, an average of 1.24 days is added to paper-based signature processes. Clearly, this indicates that what was once an everyday way of signing off on documents simply doesn't make sense with the electronic and digital signature solutions that are available today.

Given this, are electronic signatures the way to go, or should I pursue a digital signature solution? What are the nuances and true “difference makers” between digital signatures and electronic signatures, and what does this technology really look like? How will it impact my IT roadmap?

What's In a Name?

Embracing automation tools for workflows, cases, and overall business processes is not just a “nice to have,” but a necessity in modern legal business. These tools enable legal professionals to streamline their work processes, enhance their internal and external collaboration, and shorten turnaround times. However, one of the main obstacles many organizations encounter in trying to fully automate is the need for signatures, which arises in most of the document-centric processes lawyers handle on a regular basis. Without the ability to securely sign electronic documents, lawyers and other legal professionals are forced to resort to paper each time a signature is required. This results in wasted staff time, lengthened workflow turnaround times, and increased spending on paper-related resources.

Electronic signatures solve these problems quickly and efficiently by enabling lawyers to add secure and compliant signatures to electronic documents in any format, and quickly deliver these documents to any recipient. Bypassing the costly and time-consuming “print-sign-scan” process, they can quickly provide clients with signed electronic records that can be easily validated to ensure signer identity and content integrity. But not all electronic signatures are created equal.

The Difference Between Digital and Electronic Signatures

It's important to understand the differences between digital signatures and electronic signatures when exploring which technology is right for your firm. These terms are often (and incorrectly) used interchangeably.

“Electronic signature” is an umbrella term for any technology used to associate a person with the electronic content they are trying to sign. It is defined by ESIGN (the Electronic Signatures in Global and National Commerce Act of 2000; http://1.usa.gov/HNiqix) and UETA (the Uniform Electronic Transactions Act; http://bit.ly/1rnw50v) as “an electronic sound, symbol, or process.” An electronic signature can be as basic as a scanned image of a signature, the “I Accept” checkmark on a website, or a signature captured using an electronic pad at a grocery store. By themselves, most electronic signatures cannot ensure identity of the signer or the content integrity, nor do they eliminate the risk of signers denying that they signed the document.

Digital signatures are the more technologically advanced form of electronic signatures, providing additional security, flexibility and compliance with laws and regulations, both in the United States and internationally. Digital signatures are based on Public Key Infrastructure (PKI) technology, the only signature standard published, maintained and accepted by governments around the world, including the U.S., Canada, the European Union and Latin America, as well as by independent bodies such as ISO, OASIS, IETF and W3C. Through the use of cryptographic operations, digital signatures create a “fingerprint” unique to both the signer and the content, thus ensuring the identity of the signer and that the content of the document hasn't changed since it was signed. Further, because digital signatures are based on international PKI standards, they can be easily validated by anyone using common applications (such as Microsoft Word and Adobe Reader) without requiring proprietary verification software.

When legal entities explore automation technologies, certain characteristics, such as security and compliance, play major roles in their choice of solution. The same goes for automated signing technologies. When asked what they look for in a digital signature solution, 87% of ALM survey participants cited security and integrity of sensitive data, while 86% cited ease of use and 81% cited ease of implementation. With this in mind, digital signature technology might be the appropriate choice for firms looking to automate signature processes that are of high business value.

Digital Signatures Under the Hood

Best Practices for Selection and Deployment

Best practice guidelines need to be considered when evaluating digital signature solutions. This begins by defining the elements that make up any standards-based digital signature solution:

Public-key (Asymmetric) Cryptography. The technology behind standard digital signatures. It relies on two separate but linked keys, namely a private key and a public key

Private Key. The data used to create a digital signature. It binds the electronic identity of its owner with the document or data at hand, thus eliminating the possibility of having someone deny that the signature is theirs. This key must be kept private and maintained under the sole control of the owner, be it a person or a legal entity

Public Key. The data used to verify a digital signature. It is bound to the identity of the key owner in the form of a digital certificate (see below), and is made available to anyone who wants to validate the signed information

Digital Certificate. An electronic document used to confirm that a specific public key belongs to a specific individual or organization. It is issued to the key owner by a trusted Certificate Authority (CA) and includes the identity information of the key owner and the issuer, as well as certificate expiration date, key usage specification, public key value, and more.

Managing Signature Credentials. User signature credentials (private keys and digital certificates) must be securely stored and managed to avoid misuse. There is a decentralized approach (more traditional and inflexible) and a centralized approach (central server-based, simplified and more cost-effective) to managing signature credentials, and the decision between the two should be made based on your legal organization's needs, its existing infrastructure, and your choice of certificate type.

Managing Users. The digital signature solution must manage the users, either directly or (ideally) in automatic synchronization with an existing user management directory such as Microsoft Active Directory. This eliminates the associated costs of managing users in two separate systems, one for standard user management and one for the digital signature system.

User management needs to include the automated ability to enroll new users, create their keys, issue their certificates, and update/renew/revoke them when necessary. For example, an active user's certificate needs to be renewed each time it is about to expire, using the same private/public key pair or a newly created key pair (re-key). Conversely, if a user has left the company or if the private key is suspected to be lost or stolen, the associated certificate must be revoked. You should select the user authentication method that best fits the security level your organization requires. The digital signature solution should be able to use the same authentication method already in use by the organization to access file servers, mail servers, applications, etc.

Identity Proofing. While typically law firms confirm the identity of employees at the time of hire, it is imperative to review these procedures in the context of issuing the digital certificates that will be used to sign on behalf of the organization. Where appropriate, additional identity proofing may be necessary in organizations where higher levels of security and control are required to meet legal and risk requirements. By verifying the identity of a signer before providing a digital certificate, organizations can rest assured that their important documents are being signed by the actual person represented in the signature.

Documenting Standard Operating Procedures (SOPs). Finally, you must not neglect documenting the standard operating procedures surrounding digital signature use in your organization and consolidating them in a single repository. This is critical, whether for the purpose of a risk management or information security policy, as part of a disaster recovery plan, or simply for the ease of training new users. Examples of procedures that should be established and documented include identity-proofing, signer enrollment/de-enrollment, training, authentication, identification of documents and forms requiring signatures, information to be included in the signature block, use of graphical signature images, use of reason codes, and solution administration.

The Digital Signature Bottom Line

Whether you are looking to try out and use electronic or digital signatures in your law firm or legal department, automating signature processes is a critical component to better automation and workflow within your organization. In addition, having a base understanding of what differentiates digital signatures from electronic signature methods will help legal professionals identify which option would work best for them and meet their security, information governance and compliance requirements.

Eliya Fishman is Legal Market Manager for ARX's CoSign digital signature solution.

Automated signing solutions are all around us: at the supermarket checkout; when we receive a package; at the doctor's office. Despite this, paper-based signing still finds its way into our regular operations, and too often remains there unquestioned. Isn't it strange how everyday (aka, convenient) ways of doing things linger despite there being more efficient, faster and cheaper alternatives?

A recent ALM online reader survey revealed that within polled law firms and legal departments, nearly half of all documents are printed for the sole purpose of adding signatures. A staggering 34% of all respondents indicated that they print 75% or more of documents for the purpose of adding signatures. The survey also found that, overall, an average of 1.24 days is added to paper-based signature processes. Clearly, this indicates that what was once an everyday way of signing off on documents simply doesn't make sense with the electronic and digital signature solutions that are available today.

Given this, are electronic signatures the way to go, or should I pursue a digital signature solution? What are the nuances and true “difference makers” between digital signatures and electronic signatures, and what does this technology really look like? How will it impact my IT roadmap?

What's In a Name?

Embracing automation tools for workflows, cases, and overall business processes is not just a “nice to have,” but a necessity in modern legal business. These tools enable legal professionals to streamline their work processes, enhance their internal and external collaboration, and shorten turnaround times. However, one of the main obstacles many organizations encounter in trying to fully automate is the need for signatures, which arises in most of the document-centric processes lawyers handle on a regular basis. Without the ability to securely sign electronic documents, lawyers and other legal professionals are forced to resort to paper each time a signature is required. This results in wasted staff time, lengthened workflow turnaround times, and increased spending on paper-related resources.

Electronic signatures solve these problems quickly and efficiently by enabling lawyers to add secure and compliant signatures to electronic documents in any format, and quickly deliver these documents to any recipient. Bypassing the costly and time-consuming “print-sign-scan” process, they can quickly provide clients with signed electronic records that can be easily validated to ensure signer identity and content integrity. But not all electronic signatures are created equal.

The Difference Between Digital and Electronic Signatures

It's important to understand the differences between digital signatures and electronic signatures when exploring which technology is right for your firm. These terms are often (and incorrectly) used interchangeably.

“Electronic signature” is an umbrella term for any technology used to associate a person with the electronic content they are trying to sign. It is defined by ESIGN (the Electronic Signatures in Global and National Commerce Act of 2000; http://1.usa.gov/HNiqix) and UETA (the Uniform Electronic Transactions Act; http://bit.ly/1rnw50v) as “an electronic sound, symbol, or process.” An electronic signature can be as basic as a scanned image of a signature, the “I Accept” checkmark on a website, or a signature captured using an electronic pad at a grocery store. By themselves, most electronic signatures cannot ensure identity of the signer or the content integrity, nor do they eliminate the risk of signers denying that they signed the document.

Digital signatures are the more technologically advanced form of electronic signatures, providing additional security, flexibility and compliance with laws and regulations, both in the United States and internationally. Digital signatures are based on Public Key Infrastructure (PKI) technology, the only signature standard published, maintained and accepted by governments around the world, including the U.S., Canada, the European Union and Latin America, as well as by independent bodies such as ISO, OASIS, IETF and W3C. Through the use of cryptographic operations, digital signatures create a “fingerprint” unique to both the signer and the content, thus ensuring the identity of the signer and that the content of the document hasn't changed since it was signed. Further, because digital signatures are based on international PKI standards, they can be easily validated by anyone using common applications (such as Microsoft Word and Adobe Reader) without requiring proprietary verification software.

When legal entities explore automation technologies, certain characteristics, such as security and compliance, play major roles in their choice of solution. The same goes for automated signing technologies. When asked what they look for in a digital signature solution, 87% of ALM survey participants cited security and integrity of sensitive data, while 86% cited ease of use and 81% cited ease of implementation. With this in mind, digital signature technology might be the appropriate choice for firms looking to automate signature processes that are of high business value.

Digital Signatures Under the Hood

Best Practices for Selection and Deployment

Best practice guidelines need to be considered when evaluating digital signature solutions. This begins by defining the elements that make up any standards-based digital signature solution:

Public-key (Asymmetric) Cryptography. The technology behind standard digital signatures. It relies on two separate but linked keys, namely a private key and a public key

Private Key. The data used to create a digital signature. It binds the electronic identity of its owner with the document or data at hand, thus eliminating the possibility of having someone deny that the signature is theirs. This key must be kept private and maintained under the sole control of the owner, be it a person or a legal entity

Public Key. The data used to verify a digital signature. It is bound to the identity of the key owner in the form of a digital certificate (see below), and is made available to anyone who wants to validate the signed information

Digital Certificate. An electronic document used to confirm that a specific public key belongs to a specific individual or organization. It is issued to the key owner by a trusted Certificate Authority (CA) and includes the identity information of the key owner and the issuer, as well as certificate expiration date, key usage specification, public key value, and more.

Managing Signature Credentials. User signature credentials (private keys and digital certificates) must be securely stored and managed to avoid misuse. There is a decentralized approach (more traditional and inflexible) and a centralized approach (central server-based, simplified and more cost-effective) to managing signature credentials, and the decision between the two should be made based on your legal organization's needs, its existing infrastructure, and your choice of certificate type.

Managing Users. The digital signature solution must manage the users, either directly or (ideally) in automatic synchronization with an existing user management directory such as Microsoft Active Directory. This eliminates the associated costs of managing users in two separate systems, one for standard user management and one for the digital signature system.

User management needs to include the automated ability to enroll new users, create their keys, issue their certificates, and update/renew/revoke them when necessary. For example, an active user's certificate needs to be renewed each time it is about to expire, using the same private/public key pair or a newly created key pair (re-key). Conversely, if a user has left the company or if the private key is suspected to be lost or stolen, the associated certificate must be revoked. You should select the user authentication method that best fits the security level your organization requires. The digital signature solution should be able to use the same authentication method already in use by the organization to access file servers, mail servers, applications, etc.

Identity Proofing. While typically law firms confirm the identity of employees at the time of hire, it is imperative to review these procedures in the context of issuing the digital certificates that will be used to sign on behalf of the organization. Where appropriate, additional identity proofing may be necessary in organizations where higher levels of security and control are required to meet legal and risk requirements. By verifying the identity of a signer before providing a digital certificate, organizations can rest assured that their important documents are being signed by the actual person represented in the signature.

Documenting Standard Operating Procedures (SOPs). Finally, you must not neglect documenting the standard operating procedures surrounding digital signature use in your organization and consolidating them in a single repository. This is critical, whether for the purpose of a risk management or information security policy, as part of a disaster recovery plan, or simply for the ease of training new users. Examples of procedures that should be established and documented include identity-proofing, signer enrollment/de-enrollment, training, authentication, identification of documents and forms requiring signatures, information to be included in the signature block, use of graphical signature images, use of reason codes, and solution administration.

The Digital Signature Bottom Line

Whether you are looking to try out and use electronic or digital signatures in your law firm or legal department, automating signature processes is a critical component to better automation and workflow within your organization. In addition, having a base understanding of what differentiates digital signatures from electronic signature methods will help legal professionals identify which option would work best for them and meet their security, information governance and compliance requirements.

Eliya Fishman is Legal Market Manager for ARX's CoSign digital signature solution.