Are you concerned about the legality of using electronic signature software to sign important documents and contracts? Does relying on an online electronic signature seem less secure than signing on paper? If you have read the news lately, that is not surprising.
It doesn’t have to be the case though. Relying on the right digital signature provider that offers complete legal compliance at different levels of assurance (as well as the highest security standards) will ensure that your documents and contracts get signed without complications.
Here are some recent digital signature fails that your company should be aware of, and how Docuten can help:
1. For important contracts, make sure you’re relying on a Qualified Trust Service Provider that is EU compliant
Last month, Swiss-based train manufacturer Stadler announced that it had lost a €3 billion contract with the Austrian Federal Railways ÖBB as a result of “a legally impermissible electronic signature on the purchase agreement.”
Read more about what happened here.
Under Austrian law, the contract must be signed with a Qualified Electronic Signature (QES). This law is derived from Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS). The European electronic signature legislation eIDAS outlines that a QES provides the highest level of assurance, has the presumption of legal validity and is the legal equivalent to a handwritten signature.
The issue boils down to this: Stadler used a Swiss Trust Service Provider (TSP) to execute the QES. Although the QES is qualified under Swiss Signature Law (ZertES), which is very similar to eIDAS, there is a difference in “the liability of the services rendered.” The eIDAS framework offers cross-border interoperability for EU and EEA countries, but that doesn’t include Switzerland. “The eIDAS and ZertES regulations allow for the possibility to establish a recognition agreement with third-party countries, but, in this case, none had been negotiated or entered into.” Even if the standards are understood to be the same, interoperability is not automatic. In this vein, the Austrian Federal Administrative Court found that “Switzerland is not part of the EU and that the jurisdictions are not aligned.” As a result, the contract fell through.
What could the company have done differently?
In the context of qualified electronic trust service providers, a trust service means an electronic service normally provided for remuneration which consists of:
- the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or
- the creation, verification and validation of certificates for website authentication; or
- the preservation of electronic signatures, seals or certificates related to those services.
A trust service is considered qualified when, in addition to the above, it meets the applicable requirements established in the eIDAS Regulation. Thus, a Qualified Trust Service Provider is a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body.
Docuten is currently recognised as a Qualified Trust Service Provider. All of our solutions for digitally signing documents (like the Qualified Electronic Signature) are included in the eIDAS Regulation, which provides full legal validity across the EU.
2. Verify that your digital signature is backed by a digital certificate when it counts
This second case is more common than you may think. A judge in Spain rejected the validity of a loan agreement signed through a digital signature provider’s system because the signature was not backed by a digital certificate.
Read more about what happened here.
It goes like this: a financial entity sued for payment of the balance of a loan contract that was signed through the digital signature provider’s system. The defendant, however, claimed that the signature was false. Although the court first sided with the financial entity, on appeal it was found that the defendant was not liable for payment of the loan contract since it was not adequately proven that the signature that appears on the contract was real.
As stated by the court, the signature was made through the digital signature provider’s system, an electronic signature platform through which the document is sent to an email and returned manually signed. There is no proof that the person who signed it is who they say they are, especially without authentication of the account.
Thus, the signature was not considered a proper electronic signature based on a recognised certificate and created by a legally recognised entity that provides digital signature certification. The court sided with the defendant.
What could the company have done differently?
The company should have chosen a digital signature that was more appropriate for this particular use case. For example, they could have used a digital signature backed by a digital certificate.
A digital certificate is a certification or electronic document issued by a Certification Authority (like the FNMT in Spain) that links a person with a public key and confirms his or her identity. This allows you to carry out certain processes and procedures online, including signing documents electronically.
With a digital certificate, you can sign using a digital signature over the internet. However, you do not need a digital certificate generated by a Certification Authority to be able to securely sign documents electronically that hold legal validity.
There are other tools that allow you to sign documents securely and legally. At Docuten, we offer different types of valid digital signature solutions that are adapted to the needs of your company so that you can get all your documentation signed electronically.
For example, with Docuten you can sign documents with a digital certificate. Our electronic signature software lets you sign electronically with a digital certificate in two ways: with a certificate that you have hosted on your computer (an on-premise signature), or a certificate in the cloud (a centralised signature that lets you sign from anywhere). Relying on a digital certificate for important documents and contracts will ensure that your signatures stand up in court.
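The two cases above come down to the same pair of checks a verifier (or a court’s expert) performs: does the signature actually verify under the public key in the signer’s certificate, and does that certificate chain to a root the verifier recognises? The Go program below is an added illustration of both checks; it is not Docuten’s code nor any trust service provider’s implementation. It assumes a plain certificate pool as a stand-in for a “trusted list” (a simplification of how qualified signatures are validated under eIDAS), and the CA names, signer names and document text are constructed. The root that is not in the pool plays the part of the provider whose qualified status is not recognised in the verifier’s jurisdiction; the altered document plays the part of a signature that cannot be tied to the contract as presented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer pairs a private key with the certificate that binds a name to the
// matching public key: the "digital certificate" discussed above.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newCert generates a key and a certificate for it. With parent == nil the
// certificate is self-signed (a root); otherwise the parent issues it.
func newCert(name string, isCA bool, parent *Signer) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	usage := x509.KeyUsageDigitalSignature
	if isCA { usage |= x509.KeyUsageCertSign }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	issuerCert, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { issuerCert, issuerKey = parent.Cert, parent.Key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Signer{Key: key, Cert: cert}, nil
}

// SignDocument signs the SHA-256 digest of the document with the signer's key.
func SignDocument(s *Signer, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
}

// VerifyDocument performs the two checks a verifier needs: the signature must
// match the document under the certificate's public key, and the certificate
// must chain to a root on the verifier's own trusted list. A correct signature
// under a certificate from an unlisted root is rejected at the second step.
func VerifyDocument(doc, sig []byte, cert *x509.Certificate, trusted *x509.CertPool) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok { return fmt.Errorf("unsupported key type in certificate") }
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) { return fmt.Errorf("signature does not match the document") }
	// ExtKeyUsageAny: this is a document signature, not a TLS server certificate.
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { return fmt.Errorf("certificate not trusted: %w", err) }
	return nil
}

// ScenarioResult holds the outcome of the three verifications in RunScenario.
type ScenarioResult struct{ TrustedErr, ForeignErr, TamperErr error }

// RunScenario issues signer certificates from two constructed roots, puts only
// one root on the trusted list, and verifies the same document signed under each.
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	listedRoot, err := newCert("Example TSP on the trusted list", true, nil)
	if err != nil { return res, err }
	foreignRoot, err := newCert("Example TSP not on the trusted list", true, nil)
	if err != nil { return res, err }
	alice, err := newCert("Alice Example", false, listedRoot)
	if err != nil { return res, err }
	bob, err := newCert("Bob Example", false, foreignRoot)
	if err != nil { return res, err }
	trusted := x509.NewCertPool() // the verifier's trusted list (simplified)
	trusted.AddCert(listedRoot.Cert)
	doc := []byte("Purchase agreement: constructed sample text")
	sigA, err := SignDocument(alice, doc)
	if err != nil { return res, err }
	sigB, err := SignDocument(bob, doc)
	if err != nil { return res, err }
	res.TrustedErr = VerifyDocument(doc, sigA, alice.Cert, trusted)     // expect nil
	res.ForeignErr = VerifyDocument(doc, sigB, bob.Cert, trusted)       // expect error
	altered := append([]byte("ALTERED "), doc...)
	res.TamperErr = VerifyDocument(altered, sigA, alice.Cert, trusted)  // expect error
	return res, nil
}

func main() {
	res, err := RunScenario()
	fmt.Printf("trusted: %v\nforeign: %v\ntampered: %v\nsetup: %v\n", res.TrustedErr, res.ForeignErr, res.TamperErr, err)
}
```

The point of the order of checks in `VerifyDocument` is that Bob’s signature is mathematically perfect: it fails only because his issuer is not on the list the verifier consults, which is exactly the situation in the Stadler case. Real qualified-signature validation consults the published EU trusted lists and checks revocation and signing-time validity as well; this pool stands in for all of that.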
Ultimately, we recommend that our clients rely on the idea of proportionality when choosing what type of signature to use. While all our electronic signature options are secure and legal, for particularly important documents, the highest level of assurance should be used, which would be the Qualified Electronic Signature. However, not all documents are created equal: signing a commercial contract is not the same as signing a vacation time request. In the latter, usability may be more desirable than the highest assurance level. It is essential that you have a digital signature provider that can explain everything you need to know when using electronic signature software.
3. Ensure your digital signature provider complies with the highest security guarantees
As digital signature use becomes more commonplace, incidents of hacking are on the rise. It is understood that there are three main ways to hack a PDF, and that all three methods “manipulate the PDF between the creator and the signer so both see a document that is correct.”
Read more about what can happen here.
These methods are called “hide,” “replace” and “hide and replace.” The first entails hiding various malicious content behind other content. When the signatory signs the document and sends it back, “the attacker can reveal the hidden content and access the information.” A replace attack, however, involves “changing or replacing certain minor aspects of a legitimate form,” but importing malicious code with the changes. Finally, hide and replace proves the most dangerous as it “enables hackers to replace the entire content of a PDF” through hiding and replacing certain elements.
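A PDF signature does not cover the whole file by definition: it covers the byte ranges listed in its /ByteRange entry, and anything appended afterwards as a new revision is outside the signed data. The Go program below is an added detection example, not code from Docuten or from the research the article refers to. It assumes that a manipulation which changes what the document shows after signing has to be appended as such a revision (a simplification: a trailing revision can also be a legitimate second signature, and the “hide” variant plants its content before signing, so this check only flags the step that later reveals or replaces content). The sample PDF bytes and the appended revision are constructed for the example; the signature value in them is a dummy.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// SignedRangeReport summarises how much of a signed PDF its /ByteRange covers
// and how many revisions (%%EOF markers) the file contains.
type SignedRangeReport struct {
	FileLen      int // total bytes in the file
	CoveredEnd   int // offset just past the last byte the signature covers
	UnsignedTail int // bytes after CoveredEnd that no signature covers
	Revisions    int // %%EOF markers: 1 for a fresh file, more after incremental updates
}

var byteRangeRe = regexp.MustCompile(`/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]`)

// CheckSignedRange reads the first /ByteRange of a PDF and reports whether the
// signed bytes run to the end of the file. Bytes appended after the signed
// range are where a later revision (the "replace" step) would have to live.
// It is a heuristic: a %%EOF inside a binary stream would also be counted.
func CheckSignedRange(pdf []byte) (SignedRangeReport, error) {
	var rep SignedRangeReport
	m := byteRangeRe.FindSubmatch(pdf)
	if m == nil {
		return rep, fmt.Errorf("no /ByteRange found: document carries no signature")
	}
	var v [4]int
	for i := range v {
		n, err := strconv.Atoi(string(m[i+1]))
		if err != nil {
			return rep, err
		}
		v[i] = n
	}
	if v[0] != 0 {
		return rep, fmt.Errorf("signed range does not start at byte 0")
	}
	end := v[2] + v[3]
	if end > len(pdf) {
		return rep, fmt.Errorf("ByteRange extends past end of file")
	}
	rep = SignedRangeReport{FileLen: len(pdf), CoveredEnd: end, UnsignedTail: len(pdf) - end,
		Revisions: bytes.Count(pdf, []byte("%%EOF"))}
	return rep, nil
}

// BuildSamplePDF constructs a minimal, signature-shaped PDF for this example
// (not a real signed document: the hex signature value is a dummy). Fixed-width
// offsets keep the /ByteRange text the same length as its placeholder.
func BuildSamplePDF(appended string) []byte {
	const placeholder = "/ByteRange [00000000 00000000 00000000 00000000]"
	head := "%PDF-1.7\n1 0 obj\n<< /Type /Sig " + placeholder + " /Contents <"
	sigHex := strings.Repeat("00", 32) // stand-in for the signature bytes, excluded from the ranges
	tail := "> >>\nendobj\ntrailer\n<< /Root 1 0 R >>\nstartxref\n9\n%%EOF\n"
	br := fmt.Sprintf("/ByteRange [%08d %08d %08d %08d]", 0, len(head), len(head)+len(sigHex), len(tail))
	return []byte(strings.Replace(head, placeholder, br, 1) + sigHex + tail + appended)
}

// IncrementalUpdate is a constructed revision appended after the signature, of
// the shape a later "replace" step (or a legitimate second signer) would add.
const IncrementalUpdate = "\n2 0 obj\n<< /Type /Annot /Subtype /Widget >>\nendobj\nstartxref\n9\n%%EOF\n"

func main() {
	for _, f := range [][]byte{BuildSamplePDF(""), BuildSamplePDF(IncrementalUpdate)} {
		rep, err := CheckSignedRange(f)
		fmt.Printf("%+v err=%v\n", rep, err)
	}
}
```

A non-zero `UnsignedTail` or more than one revision is not proof of an attack, but it is the condition under which a viewer can show a signed document that differs from what was signed, so it is the case to inspect before relying on the signature.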
What can companies do to prevent this?
First and foremost, your team should be provided with thorough training to be able to identify scams since human error is “one of the weakest links in cybersecurity.” At Docuten, this is a given as it was part of the process for Docuten to obtain the Information Security Certificate based on the requirements established by the international standard ISO 27001. It provides the highest guarantee of security for our electronic signature software and accredits the implementation of a management system that protects information within our organisation.
After having successfully passed the external audit (carried out by the certification entity EQA), it was verified that Docuten has an Information Security Management System certified in accordance with the UNE-ISO/IEC 27001:2014 standard.
ISO 27001 is an international standard issued by the International Organization for Standardization (ISO) that outlines how to manage information security in a company. The focal point of ISO 27001 is to protect the confidentiality, integrity and availability of information in a company.
To achieve this, potential problems that could affect the information are evaluated (risk assessment) and what needs to be done to prevent these problems (risk mitigation or treatment) is defined. Part of the process involved implementing regular training and awareness for staff, as well as ensuring that all computers are updated with the correct security measures in place.
Relying on a digital signature provider that offers the strictest security guarantees like Docuten will enable your company to rest assured that your documents and contracts are safeguarded.
If you’d like to talk to our team about signature on an electronic document, digital signature online, or our complete repertoire of solutions through Docuten’s electronic signature software, contact us today.