
WHITE PAPER

Summary

There are many applications of electronic signature, spanning from simple consumer “click to agree” to multi-party business contract transactions, including solutions geared to specific industry requirements in pharmaceuticals, banking and government. In addition, electronic signature usage, its legal requirements, and cultural acceptance differ by country. This complexity has created confusion, particularly among multi-national companies executing electronic transactions internationally. The legal differences surrounding electronic signatures are mainly parted along civil-law and non-civil-law countries. Companies conducting business in civil-law markets such as Europe and Asia may be particularly interested in how the legal differences affect electronic signature for their business. Let’s have a look at the electronic signature landscape, untangle the differences between electronic signature and digital signature and discover why DocuSign is the only solution you need for both.

Demystifying Digital Signature Usage for Global Business

Electronic Signature Landscape & Legality

In the past decade the electronic signature has transformed business transactions from the common handwritten signature to rapidly executing and legally binding electronic information that leverages encryption technology to provide features such as version control, tamper-evident documents, authenticated signatures and permission-based views and editing.

Electronic signature, or eSignature, is the broad umbrella category under which all electronic signatures fall. Included in this category are digital signatures, a specific signature technology implementation of electronic signature. Both digital signatures and other electronic signature solutions offer the capability to sign and authenticate the signer. However, they differ in their purpose, underlying technologies, geographical use, and as mentioned before, legal and cultural acceptance. In particular, electronic signature and digital signature usage varies significantly between common-law and civil law countries.

Common-Law & Civil-Law

In common-law countries (e.g. the U.S., Canada, and the U.K.) the laws are derived from custom or judicial precedent. Laws are written and then interpreted by the populace. The courts then determine if an interpretation of a particular law, such as those pertaining to electronic signature, is right. Electronic signature solutions in common-law countries evolved from this legal understanding.

The legislation in civil-law countries, including many in the European Union and Asia, is more prescriptive. It is a legal code to be followed as written. The laws surrounding electronic signature are understood to be realized with PKI-based technology and certificates. This solution is commonly referred to as “digital signature”.


Electronic Signature in Common-Law Countries

Electronic signature is widely accepted and used in common-law countries such as the United States, Canada, Australia and the United Kingdom. The legal focus is on the facts and circumstances surrounding the event of signing rather than a particular technological approach. Consequently, the legal definition of an electronic signature includes requirements such as the signer’s adoption of the signature symbol, affixing his signature to the document, and his intention to sign.¹

For example, the electronic signature as defined by the U.S. ESIGN Act² is broadly described as an “electronic sound, symbol or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record”. All 50 states have laws that define electronic signatures the same way.

In addition to intent, the ESIGN Act also requires that the signing be attributed to the individual, but the specifics of authenticating and verifying the signer are left to the agreeing parties. However, the stronger the authentication, the lower the risk of repudiation. Some regulations also dictate that an electronic record of the transaction, or “audit trail”, must be retained.

Finally, some laws also require that the record is tamper-evident whether at rest or in transit, ensuring its integrity both before and after signing.

While electronic signature acts that differ from ESIGN exist in Canada, the U.K., and Australia, these and other common-law countries have similar legal processes for, and cultural acceptance of, electronic signatures. In nearly all countries, including civil-law jurisdictions, even a basic electronic signature is admissible as evidence in a court.

1. 15 U.S.C. § 7006(5); UETA § 2(7)

2. Electronic Signatures in Global and National Commerce Act

Key electronic signature legality terms

• Safe harbor – a legal provision that affords protection from liability as long as specified conditions are adhered to.

• Authentication – the process to verify the identity of the signer.

• Admissibility – whether an electronic signature will be accepted as evidence by the court.

• Presumption of Authenticity – signed documents are presumed authentic in court, and the signatory must disprove the presumption that he signed.

• Repudiation – repudiation often occurs when an individual denies involvement in a transaction. The term “non-repudiation” refers to protection against an individual falsely denying involvement in a transaction.


Electronic Signature in Civil Law Countries

Strong document and signing verification processes such as notarial acts have legally and historically been the procedure for pen and paper in civil law countries. By extension, electronic signature regulations often describe a specific authentication method for electronic signatures in these countries. The digital signature is used to comply with these regulations primarily in civil law countries, such as those in Europe, Asia and Latin America.

Digital signature is a specific type of electronic signature technology that uses an encryption method defined by the X.509 Public Key Infrastructure (PKI) standard and a specific process of authentication, the digital certificate.

Electronic Signature in the EU is two-tier

In the European Union (EU) the Electronic Signatures Directive (1999/93/EC) defined electronic signature. The EU directive has adopted the “two-tier” approach to electronic signatures.

In this model, basic electronic signatures that provide any method of authentication make up the foundational tier, and cannot be denied admissibility as evidence in court. The directive defines the second tier, the “advanced electronic signature”, with specific requirements for authentication as necessary for the safe harbor equivalent to a written signature. Although X.509 digital signature technology is not explicitly mentioned in most laws, the frequent use of the term qualified certificate implies that AES uses some form of underlying digital signature technology.

Digital signature in the EU – AES and QES

The Directive defines the Advanced Electronic Signature (AES) and a related advanced signature, the Advanced Electronic Signature created with a Qualified Digital Certificate, referred to here as a Qualified Electronic Signature (QES). The EU Directive defines AES as an electronic signature which meets the following requirements³:

1. Uniquely linked to signer

2. Capable of identifying the signer

3. Created using a method under the signer’s sole control

4. Linked to the signed data such that any changes are tamper-evident

Although the Directive never explicitly mentions X.509 digital signatures, these requirements were written with it in mind. As a result, a strong cultural preference for X.509 digital signatures persists in the EU, despite the fact that electronic signature technology has progressed to include other solutions that also meet these requirements.

3. EU Directive 1999/93/EC on a ‘Community framework for electronic signatures’ Art. 2(2)

PKI encryption system

In this system, two related keys are provided to each user, a private key for signature encryption and a public key for verification. Private keys are held securely with the signer while a public key is distributed and verifies the signature but does not reveal the private key.

Digital Certificate

A digital certificate is an electronic document that provides a form of authentication and is issued by a trusted source, the Certificate Authority.

Certificate Authority (CA)

A Certificate Authority (CA) issues a digital certificate based on signer identification requirements and ensures the authenticity of the signer.


Related to the AES signature is the QES signature. This signature involves a highly stringent process where a government-approved Certificate Authority issues the certificate used to create the AES using an approved “secure-signature-creation device”⁴ (SSCD). European and other standards bodies have determined that an SSCD must take the form of either a physical ID card with smart chip or other hardware token carried by the signer.

When is a Qualified Electronic Signature (QES) necessary?

In transactions where a handwritten signature is a requirement to give a document full legal effect, a QES is the only way to meet the requirement electronically. In most EU countries, very few transactions fall into this category. They usually include:

• Patent Assignments and Licenses

• Trademark Assignments

• Real Estate transactions requiring the presence of a notary

• Insurance agreements

• Articles of Association (bylaws)

• Sales of Vessels

• Bills of Exchange

For transactions not explicitly requiring a handwritten signature, the story is very different. The intended advantage of a QES is to carry the same legal effect as a handwritten signature by assuring the identity of the signer and the authenticity of the electronic document at the highest level. This is why the European electronic signature framework is often referred to as a “two-tier” regime; it recognizes the validity and admissibility of many types of electronic signatures and authentication methods, but it gives a heightened legal status to qualified signatures.

Under common-law principles, such a distinction is virtually meaningless, since any signature, written or electronic, is considered evidence and must be proven in every case. But in many civil-law countries, the distinction is significant because a handwritten signature (and by extension, a QES) is presumed authentic, which puts the burden on the signer to prove that the signature is not theirs. This legal disparity is the primary reason European legal practitioners advise their clients to use only a QES solution.

In practice, due to the cost and inconvenience of adherence to strict standards, QES is largely confined to the e-government sector.⁵ While its rigorous authentication method provides a safe harbor for meeting the statutory definition of an AES, depending on the nature and risk level of the transaction, this class of electronic signature is wholly unnecessary. In addition, allowing individual countries to determine their own trusted qualified digital certificate providers has led to fragmentation that has stifled the development of QES solutions viable across more than one EU member country.⁶

4. EU Directive 1999/93/EC on a ‘Community framework for electronic signatures’ Art. 5.1(a)

5. The Law of Electronic Signatures and Records, by Jeremiah S. Buckley, John P. Kromer, Margo H.K. Tank, R. David Whitaker (December, 2011)

6. COM(2010) 245 of 19.5.2010, A Digital Agenda for Europe, Art. 2(1)

Qualified Certificate

A digital certificate issued by a government-approved Certificate Authority (CA) that has met stringent certificate reliability, storage, forgery detection and revocation requirements in addition to financial and security scrutiny.


QES is only required in a minority of use cases and is often impractical for use.

Ultimately, the use of any electronic signature depends on the nature of the transaction and the associated risk, balanced with cost. For example, the advanced signature requirements met by the digital signature are not needed for every transaction type. The non-discrimination provision of the Electronic Signatures Directive, followed by all EU member states, states that an electronic signature cannot be denied legal effectiveness and admissibility solely on the grounds that it is in electronic form, not based upon a qualified certificate, or not created by a secure signature-creation device.⁷ Confusion in the EU over what types of business transactions can be electronically signed, when a QES is required, and what combination of hardware and software is necessary has resulted in significantly lower adoption of electronic signatures in Europe compared to North America.

The Future of QES in the EU

The European Commission, recognizing the limitations of its original Electronic Signatures Directive, proposed new electronic signature regulations⁸ in 2012. This proposal is specifically designed to spur the development of usable, pan-EU QES solutions for business use. Among many changes, specific elements in this proposal that could increase the adoption of QES include:

• The introduction of electronic identification and trust services as a distinct concept, separate from electronic signature.

• The ability for signers to entrust qualified electronic signature creation devices to a third party, provided that the signer has sole control of that device.

• Requirements

Until this or another proposal becomes law, and new standards are established as a result, QES adoption will remain limited in the EU, and country-specific, non-interoperable solutions will remain the norm.

Electronic Signature Beyond the EU

Other countries may also describe a similar two-tier structure and define “simple electronic signature” as a basic electronic signature and refer to “secure electronic signature” with the same characteristics of the digital signature. Countries also using the two-tier model include Japan, Singapore, China, Hong Kong, India, New Zealand and South Africa.

7. 1999/93/EC Directive Art. 5(2)

8. Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on electronic identification and trust services for electronic transactions in the internal market /* COM/2012/0238 final - 2012/0146 (COD) */

[Figure: AES and QES positioned against two axes, Legal Assurance and Ease of Implementation.]


Finally, there are a few civil law countries such as Belarus, Bulgaria, South Korea, Colombia, and Costa Rica where the legal experts advise clients to accept only a digital signature with a qualified certificate.

Digital Signature is used in Specific Industries

Several verticals such as the pharma, banking, aviation, government and education sectors are also required to use digital signatures. Often these verticals require specific digital certificates to authenticate the signer such as the SAFE-BioPharma certificates required for transactions within the pharmaceutical and life sciences sectors and for transactions with or regulated by the United States Food and Drug Administration.

Choosing an Electronic Signature Type — Consider Transaction, Risk, Culture

Businesses should adopt an electronic signature type that not only meets the regional legal requirements, but also reflects the cultural acceptance, nature and level of risk in the transaction balanced with the cost. In the majority of cases, a QES is not necessary unless a specific law exists that requires a written signature for the specific transaction. In addition, outside of these specific cases, an AES is still legally enforceable for business use and must be admissible as evidence in court.

How Digital Signature Technology Works

The digital signature technology works in the following way:

1. Issue: A certificate issuer or CA authenticates, or validates the identity of, the signer and issues a digital certificate that includes the signer’s information and his public key.

2. Sign: The document content is hashed and the hash is encrypted, enabling any change to or tampering with the content to be detected. The unique digital signature is created by encrypting this hash value using the signer’s private key. The resulting unique encrypted hash value is linked to the document and the digital certificate.

3. Verify: The recipient can decrypt the hash value using the public key on the digital certificate, verify the signer’s identity and confirm document content integrity. The integrity of the signer’s digital certificate can itself be verified because it is digitally signed by the certificate issuer.

[Figure: the Issue, Sign and Verify steps. Possible identification requirements (Email, Multi-Factor, Hardware, In-Person Witness) are shown on an authentication-strength scale, with different identification requirements for different certificates. The document (PDF, GIF, etc.) carries a tamper-evident digital signature created with the signer’s private key and linked to the digital certificate, which holds the signer information, issuer information and expiration date and is issued by the Certificate Issuer.]
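As an added example (not part of the DocuSign paper), the three steps above carried out in Go with only the standard library: a constructed CA issues an X.509 certificate for the signer, the signer signs a SHA-256 hash of the document with ECDSA, and the recipient checks the certificate against the trusted CA and the signature against the document. The CA and signer names, the sample agreement text and the second “Other Test CA” are all constructed for the demonstration; tampering with one byte of the document, or presenting a certificate from a CA outside the trust store, both fail verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// issue is Step 1: the CA binds a name and public key into an X.509 certificate signed with its own
// key. With parent == nil the result is a self-signed CA root. Identity validation of the signer
// before issuance happens out of band and is not modelled here.
func issue(name string, pub *ecdsa.PublicKey, parent *x509.Certificate, signKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signDocument is Step 2: hash the document with SHA-256 and sign the hash with the signer's private key.
func signDocument(doc []byte, priv *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyDocument is Step 3: confirm the signer certificate chains to the trusted CA (the CA's
// signature on the certificate), then check the document signature with the certificate's public key.
func verifyDocument(doc, sig []byte, signer, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	// CheckSignature re-hashes doc with SHA-256 and verifies the ECDSA signature with the certificate's
	// key; any altered byte, or a signature made with another key, returns an error.
	return signer.CheckSignature(x509.ECDSAWithSHA256, doc, sig)
}

// scenario runs the three steps on a constructed sample agreement and reports whether the genuine
// document verifies, whether a changed amount is detected, and whether a certificate for the same
// signer issued by a CA outside the trust store is rejected.
func scenario() (genuineOK, tamperDetected, untrustedRejected bool) {
	caKey, signerKey, otherKey := newKey(), newKey(), newKey()
	ca := must(issue("Example Issuing CA", &caKey.PublicKey, nil, caKey, 1))
	signerCert := must(issue("Alice Example", &signerKey.PublicKey, ca, caKey, 2))
	doc := []byte("Constructed sample: Alice sells one vessel to Bob for EUR 1.")
	sig := must(signDocument(doc, signerKey))
	genuineOK = verifyDocument(doc, sig, signerCert, ca) == nil
	tampered := []byte("Constructed sample: Alice sells one vessel to Bob for EUR 9.") // amount changed after signing
	tamperDetected = verifyDocument(tampered, sig, signerCert, ca) != nil
	otherCA := must(issue("Other Test CA", &otherKey.PublicKey, nil, otherKey, 1))
	otherCert := must(issue("Alice Example", &signerKey.PublicKey, otherCA, otherKey, 2))
	untrustedRejected = verifyDocument(doc, sig, otherCert, ca) != nil
	return
}

func main() { fmt.Println(scenario()) }
```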

Determining whether to use a Qualified Electronic Signature:

• Legality: Is a written signature explicitly required by law for the specific transaction?

• Ease of Use: Does the signer already have a qualified digital certificate for the transaction jurisdiction?


The DocuSign eSignature Transaction Management Solution

Unlike other electronic signature solutions, DocuSign’s eSignature Transaction Management Solution is the only solution that provides a secure, cloud-based end-to-end business process to prepare, execute and manage your transactions whether you require a simple eSignature or an Advanced Electronic Signature with X.509 digital certificate technology.

PREPARE DocuSign’s solution allows easy preparation of your documents using drag and drop e-forms and the capability to access needed data from the cloud or other business applications. Workflows and the ability to assign roles and permissions provide thorough control and management.

EXECUTE DocuSign enables the efficient and legally binding execution of transactions that can be integrated with services such as payment processing. DocuSign provides a fully compliant digital signature solution that meets AES requirements. Multiple identification methods are also available to authenticate basic eSignature.

MANAGE The platform also provides dashboard reporting that allows you to monitor the progress and status at each stage of the workflow. Signed documents and the complete audit trail are available in DocuSign’s tamper-proof storage system.

DocuSign eSignature

DocuSign’s standard eSignature solution offers features such as multiple authentication options, tamper-detection and consumer consent capture and withdrawal that exceed regulatory requirements to provide the most comprehensive, secure and trusted basic electronic signature solution. Included among our certifications and audits are ISO 27001, SSAE 16, TRUSTe, PCI DSS 2.0 and U.S. Department of Commerce Safe Harbor compliance.

DocuSign Support for Digital Signatures

Customers that prefer or require a digital signature solution can now use DocuSign’s complete eSignature Transaction Management Solution with the DocuSign Express Digital Signature for a secure and comprehensive business solution. DocuSign’s digital signature solution uses industry-standard PKI encryption and tamper-detection. In addition, DocuSign is simplifying the use of digital signature and enabling rapid deployment with our cloud-based, fully integrated digital signature solution.

[Diagram: DocuSign eSignature Transaction Management Solution, 1 Prepare, 2 Execute (Signature), 3 Manage (Retention, Compliance, Reporting); platform attributes Available, Secure, Configurable, International, Open APIs; components Authentication Services, Data, Documents, Workflow, Templates; “Anyone, Anything, Anywhere, Anytime”; Platform Integration with ERP, CRM and LOB systems.]


About DocuSign

DocuSign® is the global standard for electronic signature®. DocuSign accelerates transactions to increase speed to results, reduce costs, and delight customers with the easiest, fastest, most secure global network for sending, signing, tracking, and storing documents in the cloud.

For U.S. inquiries: toll free 866.219.4318 | docusign.com

For EMEA inquiries: phone +44 203 510 6500 | email emeasales@docusign.com | docusign.co.uk

Copyright © 2003-2014 DocuSign, Inc. All rights reserved. DocuSign, the DocuSign logo, “Close it in the Cloud”, SecureFields, Stick-eTabs, PowerForms, “The fastest way to get a signature”, The No-Paper logo, Smart Envelopes, SmartNav, “DocuSign It!”, “The World Works Better with DocuSign” and

A Comprehensive Transaction Management Solution

Other digital signature solution providers offer only a signature service and require you to obtain and incorporate authentication on your own. DocuSign’s digital signature solution fully meets the preferred definition of an Advanced Electronic Signature in the EU jurisdictions and is provided in a complete end-to-end business solution with extensive features that allow you to prepare, execute, and manage your transactions.

Cloud-based Solution Lowers Cost, Maximizes Usability & Convenience

Most digital signature solutions are hardware-based and as a result are costly and difficult to deploy and manage. Expensive hardware tokens, fobs and smart cards carried by users to provide signing credentials can be a significant investment. DocuSign’s cloud-based digital signature solution requires no hardware and is available, quickly deployed and ready to use around the world whenever you need it.

An Integrated Digital Signature Solution

Until now, deploying a digital signature solution and trying to integrate digital certificates was a complex and costly process. Effort and time were spent trying to get a certificate integrated with a digital signature provider or on a costly on-premise certificate solution implementation. DocuSign has simplified digital signature and certificate deployment by becoming a Certificate Authority and directly issuing certificates as part of our DocuSign Express Digital Signature solution. The DocuSign Express Digital Signature is a fully X.509 PKI standards-compliant digital signature that supports all of DocuSign’s industry-leading choice of authentication methods to enable users to sign documents quickly and easily. The DocuSign Express Digital Signature automatically generates a digital certificate at the time of signing that matches the authentication strength of the transaction. This enables you to request Advanced Electronic Signatures from any signer without requiring that they already have a digital certificate.

Third-Party Digital Signature Support

DocuSign also continues to support third-party digital signatures with the SAFE-BioPharma digital certificate for the pharmaceutical and life sciences industries.

Some SAFE BioPharma Use Cases:

1. Signing regulatory submissions, clinical trial documents, laboratory notebooks and contracts for pharmaceutical companies.

2. ePrescription signing for the DEA.

3. Regulated transactions with the FDA (Food and Drug Administration) and EMA (European Medical Association).

For more information on DocuSign Express Digital Signatures, contact your DocuSign sales representative or email sales@docusign.com.
