Atrium is a technology company and a corporate law firm, and as one might imagine, somebody will eventually need to sign just about any document the firm drafts. Signing is such an integral part of just about everything we do that when we started investigating various ways to add signing deeply into our workflows, we quickly found the solutions to be limiting.
Some of the problems we ran into were not being able to upload documents en masse to popular e-signature platforms because it was so tedious to identify signature boxes, not being able to re-flow a document based on different inputs such as a name, not being able to easily upload packets of documents, having limited means to add deep integrations into our own app, and so on.
But then we started to ask ourselves: what could possibly be so hard about electronic signatures? All we see on the back of these documents is an audit trail. What more is there?
What we found is that incorporating e-signing into your workflows all comes down to satisfying some relatively simple requirements. Also, a caveat: what we found applies to laws and regulations in the United States, not other countries.
What are signatures?
A signature is an indication that a person has agreed to the terms of a contract. In researching this, though, we found that the actual signature itself is mostly symbolic and does not, alone, prove that the person who signed was actually there, actually read the agreement, or really understood the contract. What is important, however, is showing that a person has seen the document and has indicated some form of agreement, and creating a trail of proof of this seeing and agreeing. In some cases, this could be as simple as a person making a written confirmation over email, or even somebody continuing to do what was agreed to (like showing up to work in response to an employment offer). When the contract itself has a relatively small amount of material value associated with it, the need for showing that somebody saw and agreed to a contract is substantially reduced. The more important the agreement, the more this need increases. If you had, for example, a real estate purchase agreement, the parties might require that there be a notary and witnesses to the signing. (Our lawyers also inform me that there are some types of agreements that require written, signed contracts.)
Why does all this matter? Because if a contract is ever contested, there needs to be some way for the person defending the agreement to make reasonable claims that the other person was indeed aware of what they were signing and that they indicated their agreement.
What is e-signing?
In doing this research for our products, our lawyers informed us that there are two federal laws that broadly apply to e-signatures in the US: the ESIGN Act, and the Uniform Electronic Transactions Act (UETA). Combined, these lay out some broad requirements for what constitutes an electronically signed agreement.
Electronically signing a document is more or less the same as a wet signature: there needs to be something that shows the person who is signing is who they say they are, and there needs to be a demonstration that this person saw the agreement and had an intent to sign. Importantly, e-signatures are to be seen as equally valid under the law as a wet ink signature, provided the agreement is not legally excluded from being electronically signed.
Agreement to do business electronically
We found that the parties must agree to do business electronically and, for consumers, there are extra protections. The protections for consumers include consenting to do business electronically, being able to withdraw this consent, and having the appropriate UETA disclosures made available.
What this means, in practice, is including an extra checkbox agreeing to this disclosure, providing a means for people to withdraw consent, providing a link to the disclosure, and, of course, recording that this consent was given at the time of signing.
Access to the written agreement and retention
The agreement itself cannot be withheld from the signing parties—instead, it needs to be easily accessible. What this means, in practice, is that the signee must have seen the agreement before signing. To go even further, it makes sense to have the person view and download the agreement before being able to sign. If you have ever seen an end-user license agreement (EULA), where you must scroll to the bottom before being able to sign, you have seen an example of where this has been applied. The agreement must also be retained somewhere so that, going forward, the signees can see a reproduction of the agreement. Therefore, doing something like having somebody sign an agreement, keeping no record of the signature, and no record of what exactly they signed, would likely not stand up to scrutiny.
An important part of e-signing is authentication. To reasonably prove somebody’s identity for e-signing, you need to be able to show that they have authenticated themselves in some manner that ties back to their identity. For example, an account holder may be required to authenticate themselves by verifying their driver’s license. Typically, authentication comes in the form of an account or link tied back to a confirmed email. Thus, a signee needs to have an account linked to a confirmed email, or the signing link must be accessed through a link sent to the signee’s email. Further forms of authentication could be 2-factor authentication with a phone number, or a pre-exchanged PIN code or password—all of which add extra protection against claims of false identity.
Acknowledgment and Intent
At the end of a signing, the signer needs to make some type of indication that they are signing a document, either in the form of typing their name or checking a box confirming that they agree to the terms.
In e-signing, companies will record all of the above events in a database. As a best practice, companies also organize all of these events into a human-readable document, providing an audit trail of the events leading up to and proving the signature. You will no doubt have seen one of these audit trails if you have ever used any popular e-signing platform.
An audit trail will state who created the document, the first time it was viewed for each of the signees, that each party consented to do business electronically, that each signee signed, and that the document is fully executed.
It is ideal if each of these entries contains a timestamp, a name, an identifier (such as an email address), an IP address if appropriate, and any other pertinent information. Moreover, adding things such as a unique identifier for the document and even a hash of the document adds extra security down the road in case somebody questions the authenticity of the audit trail.
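The audit trail described above, as an added Python example that is not Atrium's code: each entry carries the listed fields plus a SHA-256 hash of the document, and a review function checks that the trail is complete and that the retained document still matches the recorded hash. The event names, field names, document identifier, people and addresses are assumptions constructed for this example.

```python
import hashlib
from datetime import datetime, timezone

PER_SIGNEE = ("viewed", "consented", "signed")  # event names are this example's own

def document_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_entry(event, doc_id, doc_hash, name, email, ip=None):
    """One audit-trail row carrying the fields the article lists."""
    return {"event": event, "document_id": doc_id, "document_sha256": doc_hash,
            "name": name, "email": email, "ip": ip,
            "timestamp": datetime.now(timezone.utc).isoformat()}

def review_trail(entries, signees, retained):
    """Return a list of problems; an empty list means the trail is complete."""
    problems = []
    if any(e["document_sha256"] != document_hash(retained) for e in entries):
        problems.append("retained document does not match the recorded hash")
    events = [e["event"] for e in entries]
    if events[:1] != ["created"]:
        problems.append("trail does not start with 'created'")
    if events[-1:] != ["executed"]:
        problems.append("trail does not end with 'executed'")
    for email in signees:
        first = {}  # event -> index of its first occurrence for this signee
        for i, e in enumerate(entries):
            if e["email"] == email and e["event"] in PER_SIGNEE:
                first.setdefault(e["event"], i)
        missing = [ev for ev in PER_SIGNEE if ev not in first]
        problems += [f"{email}: no '{ev}' entry" for ev in missing]
        if not missing and first["signed"] < max(first["viewed"], first["consented"]):
            problems.append(f"{email}: signed before viewing or consenting")
    return problems

def sample_trail(doc: bytes):
    """Constructed sample: one sender, two signees, documentation-range IPs."""
    h, d = document_hash(doc), "doc-0001"
    rows = [("created", "Sam Sender", "sam@example.com", "192.0.2.10")]
    for name, email, ip in [("Ann Lee", "ann@example.com", "198.51.100.7"),
                            ("Bo Diaz", "bo@example.com", "203.0.113.9")]:
        rows += [(ev, name, email, ip) for ev in PER_SIGNEE]
    rows.append(("executed", "system", "noreply@example.com", None))
    return [make_entry(ev, d, h, n, em, ip) for ev, n, em, ip in rows]

if __name__ == "__main__":
    doc = b"Constructed sample agreement text"
    trail = sample_trail(doc)
    print(review_trail(trail, ["ann@example.com", "bo@example.com"], doc))
    print(review_trail(trail[:-2], ["ann@example.com", "bo@example.com"], doc + b"!"))
```

The hash check only shows that the retained file is the one the entries refer to; it does not by itself show intent, which is what the view, consent and sign entries are for.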
What is not e-signing?
Going into this, we, as engineers, had some misconceptions about what constituted an e-signature.
Cryptographic Signatures or Tamperproofing
E-signing is not the same as cryptographic signing. There is no requirement that a person be cryptographically identified or that their “signature” is somehow cryptographically hashed with the document itself. While these tamper-resistant features would no doubt add some level of authenticity to the process, the reality is that in a dispute, the parties would be looking for a paper trail of intent rather than mathematical proof. Just proving that somebody signed a document is not all that is needed. In fact, it is acceptable in some cases to change a document after it has been signed (e.g., filling in dates), as long as the material terms were not altered. Even if a document was cryptographically signed, that does not mean there is some evidence that a person understood the terms of the agreement or saw the agreement itself.
E-signing also has nothing to do with the handwritten signature of the person. While many services let you put your own signature on the document, this part is purely so that people who are used to wet-ink signatures feel confident that their signature is on the document.
There are no specific security requirements unique to e-signing. While there are many regulations and standards around the safekeeping of sensitive information, and it is highly advisable to follow these best practices, they are not pre-requisites in and of themselves to e-signing.
What cannot be e-signed?
Even though just about any agreement can be signed electronically, there are a number of exceptions. Some of those exceptions broadly include documents having to do with family matters (e.g. divorces, annulments, and wills), court documents, cancellation of health insurance, some types of financial documents dealing with securities, and so on. Since there are a wide variety of different types of exclusions, it is worth researching if a particular type of agreement is excluded.
As mentioned before, if there is significant risk associated with an agreement where none of the parties want to be in the position of defending the authenticity of the signatures or agreement itself, e-signatures may not be the best way to sign an agreement. An attorney will be able to advise on the risks associated with e-signing any particular agreement.
E-signatures are becoming an increasingly popular way of having documents executed. The process itself of signing a document is not technically challenging, but it is important to get the requirements correct in order to avoid any questions down the road. As always, it is advisable to consult an attorney if there are questions about risk or legal questions, especially as it applies to a particular jurisdiction.