Digital Signatures In the Legal Market

What's In a Name?

Embracing automation tools for workflows, cases, and overall business processes is not just a “nice to have,” but a necessity in modern legal business. These tools enable legal professionals to streamline their work processes, enhance their internal and external collaboration, and shorten turnaround times. However, one of the main obstacles many organizations encounter in trying to fully automate is the need for signatures, which arises in most of the document-centric processes lawyers handle on a regular basis. Without the ability to securely sign electronic documents, lawyers and other legal professionals are forced to resort to paper each time a signature is required. This results in wasted staff time, lengthened workflow turnaround times, and increased spending on paper-related resources.

Electronic signatures solve these problems by enabling lawyers to add secure and compliant signatures to electronic documents in any format, and quickly deliver these documents to any recipient. Bypassing the costly and time-consuming “print-sign-scan” process, they can quickly provide clients with signed electronic records that can be easily validated to ensure signer identity and content integrity. But not all electronic signatures are created equal.

The Difference Between Digital and Electronic Signatures

It's important to understand the differences between digital signatures and electronic signatures when exploring which technology is right for your firm. These terms are often (and incorrectly) used interchangeably.

“Electronic signature” is an umbrella term for any technology used to associate a person with the electronic content they are trying to sign. It is defined by ESIGN (the Electronic Signatures in Global and National Commerce Act of 2000) and UETA (the Uniform Electronic Transactions Act) as “an electronic sound, symbol, or process.” An electronic signature can be as basic as a scanned image of a signature, the “I Accept” checkmark on a website, or a signature captured using an electronic pad at a grocery store. By themselves, most electronic signatures cannot ensure identity of the signer or the content integrity, nor do they eliminate the risk of signers denying that they signed the document.

Digital signatures provide additional security, flexibility and compliance with laws and regulations, both in the United States and internationally. Digital signatures are based on Public Key Infrastructure (PKI) technology, the only signature standard published, maintained and accepted by governments around the world, including the U.S., Canada, the European Union and Latin America, as well as by independent bodies such as ISO, OASIS, IETF and W3C. Through the use of cryptographic operations, digital signatures create a “fingerprint” unique to both the signer and the content, thus ensuring the identity of the signer and that the content of the document hasn't changed since it was signed. Further, because digital signatures are based on international PKI standards, they can be easily validated by anyone using common applications (such as Microsoft Word and Adobe Reader) without requiring proprietary verification software.

When legal entities explore automation technologies, certain characteristics, such as security and compliance, play major roles in their choice of solution. When asked what they look for in a digital signature solution, 87% of ALM survey participants cited security and integrity of sensitive data, while 86% cited ease of use and 81% cited ease of implementation.

Digital Signatures Under the Hood

Best Practices for Selection and Deployment

Best practice guidelines begin by defining the elements that make up any standards-based digital signature solution:

• Public-key (Asymmetric) Cryptography. The technology behind standard digital signatures. It relies on two separate but linked keys, namely a private key and a public key
• Private Key. The data used to create a digital signature. It binds the electronic identity of its owner with the document or data at hand, thus eliminating the possibility of having someone deny that the signature is theirs. This key must be kept private and maintained under the sole control of the owner, be it a person or a legal entity
• Public Key. The data used to verify a digital signature. It is bound to the identity of the key owner in the form of a digital certificate (see below), and is made available to anyone who wants to validate the signed information
• Digital Certificate. An electronic document used to confirm that a specific public key belongs to a specific individual or organization. It is issued to the key owner by a trusted Certificate Authority (CA) and includes the identity information of the key owner and the issuer, as well as certificate expiration date, key usage specification, public key value, and more.

Managing Signature Credentials

User signature credentials (private keys and digital certificates) must be securely stored and managed to avoid misuse. There is a decentralized approach (more traditional and inflexible) and a centralized approach (central server-based, simplified and more cost-effective) to managing signature credentials, and the decision between the two should be made based on your legal organization's needs, its existing infrastructure, and your choice of certificate type.

Managing Users

The digital signature solution must manage the users, either directly or (ideally) in automatic synchronization with an existing user management directory such as Microsoft Active Directory. This eliminates the associated costs of managing users in two separate systems, one for standard user management and one for the digital signature system.

User management needs to include the automated ability to enroll new users, create their keys, issue their certificates, and update/renew/revoke them when necessary. For example, an active user's certificate needs to be renewed each time it is about to expire, using the same private/public key pair or a newly created key pair (re-key). Conversely, if a user has left the company or if the private key is suspected to be lost or stolen, the associated certificate must be revoked. The digital signature solution should be able to use the same authentication method already in use by the organization to access file servers, mail servers, applications, etc.

Identity Proofing

While law firms typically confirm the identity of employees at the time of hire, it is imperative to review these procedures in the context of issuing the digital certificates that will be used to sign on behalf of the organization. By verifying the identity of a signer before providing a digital certificate, organizations can rest assured that their important documents are being signed by the actual person represented in the signature.

Documenting Standard Operating Procedures (SOPs)

Finally, you must not neglect documenting the standard operating procedures surrounding digital signature use in your organization and consolidating them in a single repository. This is critical, whether for the purpose of a risk management or information security policy, as part of a disaster recovery plan, or simply for the ease of training new users. Examples of procedures that should be established and documented include identity-proofing, signer enrollment/de-enrollment, training, authentication, identification of documents and forms requiring signatures, information to be included in the signature block, use of graphical signature images, use of reason codes, and solution administration.

Eliya Fishman is Legal Market Manager for ARX's CoSign digital signature solution.

Automated signing solutions are all around us: at the supermarket checkout; when we receive a package; at the doctor's office. Despite this, paper-based signing still finds its way into our regular operations, and too often remains there unquestioned.

A recent ALM online reader survey revealed that within polled law firms and legal departments, nearly half of all documents are printed for the sole purpose of adding signatures. A staggering 34% of all respondents indicated that they print 75% or more of documents for the purpose of adding signatures. The survey also found that, overall, an average of 1.24 days is added to paper-based signature processes.

Given this, are electronic signatures the way to go, or should I pursue a digital signature solution? What are the nuances and true “difference makers” between digital signatures and electronic signatures, and what does this technology really look like? How will it impact my IT roadmap?

What's In a Name?

Embracing automation tools for workflows, cases, and overall business processes is not just a “nice to have,” but a necessity in modern legal business. These tools enable legal professionals to streamline their work processes, enhance their internal and external collaboration, and shorten turnaround times. However, one of the main obstacles many organizations encounter in trying to fully automate is the need for signatures, which arises in most of the document-centric processes lawyers handle on a regular basis. Without the ability to securely sign electronic documents, lawyers and other legal professionals are forced to resort to paper each time a signature is required. This results in wasted staff time, lengthened workflow turnaround times, and increased spending on paper-related resources.

Electronic signatures solve these problems by enabling lawyers to add secure and compliant signatures to electronic documents in any format, and quickly deliver these documents to any recipient. Bypassing the costly and time-consuming “print-sign-scan” process, they can quickly provide clients with signed electronic records that can be easily validated to ensure signer identity and content integrity. But not all electronic signatures are created equal.

The Difference Between Digital and Electronic Signatures

It's important to understand the differences between digital signatures and electronic signatures when exploring which technology is right for your firm. These terms are often (and incorrectly) used interchangeably.

“Electronic signature” is an umbrella term for any technology used to associate a person with the electronic content they are trying to sign. It is defined by ESIGN (the Electronic Signatures in Global and National Commerce Act of 2000) and UETA (the Uniform Electronic Transactions Act) as “an electronic sound, symbol, or process.” An electronic signature can be as basic as a scanned image of a signature, the “I Accept” checkmark on a website, or a signature captured using an electronic pad at a grocery store. By themselves, most electronic signatures cannot ensure identity of the signer or the content integrity, nor do they eliminate the risk of signers denying that they signed the document.

Digital signatures provide additional security, flexibility and compliance with laws and regulations, both in the United States and internationally. Digital signatures are based on Public Key Infrastructure (PKI) technology, the only signature standard published, maintained and accepted by governments around the world, including the U.S., Canada, the European Union and Latin America, as well as by independent bodies such as ISO, OASIS, IETF and W3C. Through the use of cryptographic operations, digital signatures create a “fingerprint” unique to both the signer and the content, thus ensuring the identity of the signer and that the content of the document hasn't changed since it was signed. Further, because digital signatures are based on international PKI standards, they can be easily validated by anyone using common applications (such as Microsoft Word and Adobe Reader) without requiring proprietary verification software.

When legal entities explore automation technologies, certain characteristics, such as security and compliance, play major roles in their choice of solution. When asked what they look for in a digital signature solution, 87% of ALM survey participants cited security and integrity of sensitive data, while 86% cited ease of use and 81% cited ease of implementation.

Digital Signatures Under the Hood

Best Practices for Selection and Deployment

Best practice guidelines begin by defining the elements that make up any standards-based digital signature solution:

• Public-key (Asymmetric) Cryptography. The technology behind standard digital signatures. It relies on two separate but linked keys, namely a private key and a public key
• Private Key. The data used to create a digital signature. It binds the electronic identity of its owner with the document or data at hand, thus eliminating the possibility of having someone deny that the signature is theirs. This key must be kept private and maintained under the sole control of the owner, be it a person or a legal entity
• Public Key. The data used to verify a digital signature. It is bound to the identity of the key owner in the form of a digital certificate (see below), and is made available to anyone who wants to validate the signed information
• Digital Certificate. An electronic document used to confirm that a specific public key belongs to a specific individual or organization. It is issued to the key owner by a trusted Certificate Authority (CA) and includes the identity information of the key owner and the issuer, as well as certificate expiration date, key usage specification, public key value, and more.

Managing Signature Credentials

User signature credentials (private keys and digital certificates) must be securely stored and managed to avoid misuse. There is a decentralized approach (more traditional and inflexible) and a centralized approach (central server-based, simplified and more cost-effective) to managing signature credentials, and the decision between the two should be made based on your legal organization's needs, its existing infrastructure, and your choice of certificate type.

Managing Users

The digital signature solution must manage the users, either directly or (ideally) in automatic synchronization with an existing user management directory such as Microsoft Active Directory. This eliminates the associated costs of managing users in two separate systems, one for standard user management and one for the digital signature system.

User management needs to include the automated ability to enroll new users, create their keys, issue their certificates, and update/renew/revoke them when necessary. For example, an active user's certificate needs to be renewed each time it is about to expire, using the same private/public key pair or a newly created key pair (re-key). Conversely, if a user has left the company or if the private key is suspected to be lost or stolen, the associated certificate must be revoked. The digital signature solution should be able to use the same authentication method already in use by the organization to access file servers, mail servers, applications, etc.

Identity Proofing

While law firms typically confirm the identity of employees at the time of hire, it is imperative to review these procedures in the context of issuing the digital certificates that will be used to sign on behalf of the organization. By verifying the identity of a signer before providing a digital certificate, organizations can rest assured that their important documents are being signed by the actual person represented in the signature.

Documenting Standard Operating Procedures (SOPs)

Finally, you must not neglect documenting the standard operating procedures surrounding digital signature use in your organization and consolidating them in a single repository. This is critical, whether for the purpose of a risk management or information security policy, as part of a disaster recovery plan, or simply for the ease of training new users. Examples of procedures that should be established and documented include identity-proofing, signer enrollment/de-enrollment, training, authentication, identification of documents and forms requiring signatures, information to be included in the signature block, use of graphical signature images, use of reason codes, and solution administration.

Eliya Fishman is Legal Market Manager for ARX's CoSign digital signature solution.