An electronic signature is a modern method of signing documents, but how far can it be trusted?
Electronic signatures are spreading rapidly, and more and more companies and organizations have noticed the benefits of digital signatures. Those who are worried about the security of e-signatures should pay attention to, for example, the following points.
Security of the service
To ensure scalability, signing usually takes place in a browser. To make sure that no one is eavesdropping on your connection, check that the solution always uses an encrypted browser connection (HTTPS).
Sometimes the invitations to sign also need to be encrypted. In Deltagon's solution, for example, an encrypted connection can be used automatically when sending requests for signatures and receiving reports of the signed documents.
When shopping for a web-based solution, you must make sure that the developer of the service takes into account the commonly known good practices in internet security.
Is electronic signature legally valid?
With strong electronic identification, a user's identity can be validated digitally. This means that, for example, a document signed electronically by a person who has authenticated with their Bank ID is legally as valid as a hand-written document. An e-signature can be even safer than a hand-written signature delivered by post, as the person has been authenticated by a trusted third party.
Strong electronic identification means that the user is authenticated with bank credentials, mobile-ID or another such service.
In conjunction with the methods described above, there are often optional methods for identifying the signatory. These are, for example, methods based on an e-mail address, a text message (SMS), or a webcam snapshot taken while signing. Using these identification methods with external stakeholders should be carefully thought out.
Digital data trail (Audit Trail)
Check that the solution you have chosen can track and audit signatures in a clear and comprehensive way, so that each document and each signature can be traced. The audit trail should show the user's IP address, the timestamp and the measures taken.
There may also be a need to monitor the progress of the process. As you choose a system, decide whether you want your organization to be able to see who has signed the document and when, and who has yet to sign it. The process can be cancelled if needed, or a notification can be sent to signatories that documents are still waiting for their signatures.
Electronically signed documents must be verifiable after signing. If the signed document is in PDF format and the digital signature method is compatible with the PAdES standard, the check can be run with Adobe PDF reader, for example.
In other cases, the certification needs to be based on an undisputed technology. For example, when sending the request for a signature, a strong checksum does the job.
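An added example, not part of the original article or of Deltagon's product: one way to bind each audit-trail record (IP address, timestamp, action) to a checksum of the document as it was sent for signature. It goes beyond the text by chaining the records so that later edits to the trail show up; SHA-256, the field names and the sample data are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start value for the hash chain


def checksum(data: bytes) -> str:
    # SHA-256 is this example's choice of "strong checksum" (an assumption).
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return checksum(json.dumps(body, sort_keys=True).encode())


def append_entry(trail, document: bytes, ip: str, timestamp: str, action: str) -> dict:
    """Record who (IP), when and what, bound to the exact document bytes."""
    entry = {
        "ip": ip,
        "timestamp": timestamp,
        "action": action,
        "doc_sha256": checksum(document),
        "prev": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    trail.append(entry)
    return entry


def verify(trail, document: bytes) -> list:
    """Return the problems found; an empty list means everything is consistent."""
    problems, prev, doc_hash = [], GENESIS, checksum(document)
    for i, entry in enumerate(trail):
        if entry["prev"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: record altered")
        if entry["doc_sha256"] != doc_hash:
            problems.append(f"entry {i}: different document")
        prev = entry["entry_hash"]
    return problems


# Constructed sample data (documentation IP ranges, made-up contract text).
CONTRACT = b"Constructed sample contract, version 1"
TRAIL = []
append_entry(TRAIL, CONTRACT, "192.0.2.10", "2024-05-02T09:00:00Z", "request_sent")
append_entry(TRAIL, CONTRACT, "198.51.100.7", "2024-05-02T11:30:00Z", "signed")
```

The chain only exposes edits if the latest `entry_hash` is also kept somewhere the person editing the trail cannot reach, for example in the report sent to the signatories.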