The technology of the modern world has changed the way the world conducts business. From marketing to supply chain management to end user delivery, technology has radically changed processes. Throughout the shift from paper to computer, one thing has retained its importance: the signature. It may be handwritten or typed on a smartphone, but attaching your name to a piece of paper is still the sign of a person’s bond. Electronic signatures are exploding in use, but how much do you really know about them? How do you know when it’s ok to use, or when it’s legally binding? Are electronic signature companies using your data in an appropriate way?
YPO member Shamsh Hadi has built a business around being true to one’s word. Hadi is the Co-Founder and CEO of ZorroSign, which provides companies with a streamlined and automated platform for Digital Transaction Management (DTM). Hadi is also the Managing Director at Brown Orange Solutions, which offers management consulting in a variety of industries in the United Arab Emirates.
Under Shamsh’s leadership, ZorroSign has won a number of awards. Corporate Vision Magazine named him CEO of the Year in the UAE. The Silicon Review Magazine named ZorroSign one of the 50 Most Valuable Brands of the Year for 2018. CIO Review named ZorroSign among the 50 Most Promising Corporate Fintech Solutions Providers, and Insights Success Magazine listed them among the 20 Most Innovative FinTech Companies. ZorroSign was among APAC CIO Review Top 25 Fintech Companies, and Aragon Research recognized them as a Hot Vendor in the Digital Transactions Management Space.
Here is Hadi’s advice on security and enforceability issues you should consider before using an electronic signature:
1. Is the signature real, or just an image?
I asked Hadi to start with the basics. He began, “Almost all signature solutions today take a digital copy of your signature and paste it on a document to show your signature. Legally, they capture your intent to sign.” So far, so good. He goes on, “Your signature is captured by your finger or stylus, or is computer generated. But that image has limited or no validation for the receiving party that it is your signature, signed by you and not anyone else, and with your permission or knowledge.” Then Hadi connects the dots: “A real electronic signature uses the technology based on the eSignature patent that was brought into law in 2000 by then-President Bill Clinton through the E-Sign Act. This technology allows you to electronically sign a document, not just capture the intent to sign.” Got it!
2. Do you need a 3rd party security certificate?
To ensure the security of internet commerce, many companies use a third party to validate a transaction. This is also true in the world of digital signatures. Hadi says, “Since most companies are using just an image of your signature, they use a digital certificate to validate a picture of your signature has been placed on a document.” Of course, there’s no free lunch. “The costs for these digital certificates are normally baked into your annual license cost and have a validity of two years, after which they expire,” Hadi says. Hadi notes, “The digital certificate cannot prove the points mentioned above: that it is your signature, signed by you and not anyone else, and with your permission and knowledge.” More on verifying that information later.
3. Do you have to keep paying for the 3rd party certificate?
Unfortunately, the 3rd party certificate is not a one-time cost, and Hadi warns that this can cause a host of problems. He explains, “The cost to keep the digital certificate valid is built into your annual license cost. The biggest issue that the majority of the people do not think about is what happens when you stop paying or using that electronic signature solution and your digital certificates expire.” The answer may surprise you. Hadi says, “Once the digital certificates expire, they are not legally enforceable. This is where users get the shock of their lives, when they are asked to produce that document with a valid digital certificate.” Thankfully, it’s not an insurmountable obstacle. “Almost all the solutions in the market will charge you for the period of inactivity or non-renewal so the digital certificate can be valid again,” Hadi assures.
4. What data is captured along with your signature?
Hadi is pleased people are paying attention to these security issues, although their awareness came at a price. “With recent data breaches at places like Facebook, LinkedIn, DocuSign, Google, and Yahoo, just to name a few…people are now conscious and pay more attention to their digital profiles and data on the internet. Users are now willing to pay more for security and privacy instead of cheap or free solutions that do not protect them, and in many cases use their data without their knowledge for financial benefit,” he shares. The data collected depends on the type of digital signature company you’re using. Hadi explains, “If the electronic signature solution is using the patented electronic signature technology, then there are 7 different types of metadata that are captured and are legally enforceable when brought into court.” But you may be surprised to hear that not every digital signature company uses that patented technology. Hadi clarifies, “Other companies that do not license the technology use alternate methods, as they have built workarounds to using the real electronic signature technology.”
5. Is there a chain of custody or audit trail?
Hadi believes an audit trail is a critical part of any digital transaction management platform. “An audit trail should be a mandatory component of the solution you use. By not capturing the chain of custody and audit trail, there cannot be any validation that the document presented is the actual document, or who the participants were,” he asserts. The problem, he says, is that some solutions use limited or no audit trail technology. Hadi is firm: “Use solutions that have detailed chain of custody and audit trails. Companies using blockchain technology are highly preferable. They provide additional confidence that the audit trail was not modified, because blockchains are immutable.” Don’t let this critical flaw trip your company.
6. What if you have to go to court years from now?
It’s a nightmare scenario, but it happens all the time: years after a transaction is completed, you find yourself in court. Hadi wants to help people feel confident that their contracts will hold up in court, saying there are 3 components. “First, if you are using a solution that uses 3rd party digital certificates, make sure that your account is paid up and the certificates are valid. This may require you to pay to make those digital certificates valid. If you used or are using a solution that provides its own security certificates, you have nothing to worry about,” he assures. He goes on, “Second, be prepared to share which solution was used to electronically sign. If it is the one that uses the real electronic signature technology, then you are ok. If not, gather as much additional data for that transaction as possible in the form of emails, signed paper-based contracts, etc., as validation. Authentication of those users and documents may also be required in court. You can do so by establishing and documenting timelines to prove it.” Then Hadi has a unique idea. He suggests, “Third, if acceptable to the court, ask them to become a free user of that solution and share the document within the solution to assist with the verification and validation.” Let them see it for themselves.
7. How do you know it hasn’t been tampered with?
On your own, you probably can’t tell. Hadi explains, “You will not know if the PDF (digital or printed versions) has not been tampered with or signature forged unless you use an advanced DTM that has its own unique ways of verifying this. Most customers of eSignature solutions don’t ask this question, but it is a very, very important issue today.” Make sure you do the necessary due diligence on your provider. Hadi recommends, “Do the right research and choose the solution provider that uses the technology that suits your needs. Not all eSignature solutions are advanced DTMs, and even if they do provide this service, it can cost extra. Some also include it in their license cost.” Go in with your eyes wide open, and try to anticipate the challenges.
8. How do you know the correct person signed it?
This issue is a challenge for the industry. “Use a solution that uses additional verification and validation of users. Most of the time, it is done by creating an account and verifying that account before being allowed to sign,” Hadi recommends. “Do not use solutions that allow you to sign within the email you received, or that let you sign without creating an account. There is no way to verify and validate the user,” he warns.
9. How are the documents protected and verified?
With all the options in the marketplace, you should consider the nuances of each.
“The solution that works for you will depend on how important document longevity, legal enforceability, and validity are to you,” he shares. “If those issues are not as important, then using the standard eSignature solutions in the market should be sufficient. However, if this is an important part of your requirements and compliance, then verify and validate that your documents will be protected,” he advises. This can be done by researching which solutions use advanced methods of securing your data and privacy. Hadi says, “You should also see if they are compliant with local and international standards like GDPR. If they don’t post it on their website, it does not hurt to send an email asking if they are compliant.”
10. What if someone claims they didn’t sign the document?
Hadi knows this can be an issue in court as well. He advises, “A solution that uses blockchain will have the evidence and truth of the transaction and document in question.” If you haven’t chosen the more secure solution, that won’t be an option. In that case, Hadi advises, “then a solution with an extensive audit trail can also provide proof. If the solution does not use one of these two suggested methods, then it will be very difficult, although not impossible, to prove.” Make sure you have the protection you need.
Each week Kevin explores exclusive stories inside YPO, the world's premier peer-to-peer organization for chief executives, eligible at age 45 or younger.