A Look Behind the E-Signature Security Curtain
Electronic signatures have seen significant adoption in the past decade, predominantly within highly regulated industries like banking, insurance, government, pharmaceuticals and healthcare. In fact, a recent report from Forester Research, “E-Signatures – A Few Simple Best Practices Drive Adoption,”states, “Customers are becoming more digital and increasingly expect the companies they do business with to provide high quality digital experiences.” Replacing manual, paper processes with ones that are automated and electronically signed has enabled organizations of all sizes to significantly reduce cycle times, errors and costs while offering the experience customers expect.
As companies transfer more of their customer transactions online, security is understandably a top concern. In order to mitigate e-signing risks, let’s take a peek behind the curtain at the different security processes that companies should look for when choosing an e-signature solution.
Identification, Authentication and Attribution
When discussing the identification and authentication processes, it is important to keep in mind that identification and authentication are not the same. User identification is the process of verifying someone’s identity in-person or remotely. User authentication is the process of verifying user credentials prior to giving access to a system – in this case, e-signing.
The identification process depends on the situation. For example, in electronic processes that take place in-person, like a new account opening, identification will take place by verifying a government issued ID such as a driver’s license, just as it does with paper processes.
When identifying new customers through remote channels like online, call centers and mail, first time applicants are often identified using two types of personal information – personally identifiable information (e.g. address) or non-public personal information (amount of your last paycheck).
Depending on the transaction, companies may choose to verify that personal information using a third-party identification service (i.e. Experian, Trans Union, Equifax). Financial service providers frequently use third-party services, since they are often already accessing credit databases as part of a loan application process.
For remote transactions, email notifications can act as an additional point of identification. An invitation sent to a signer through a personal email address or a corporate email account presumes only that person has access to the account. This invitation becomes part of the evidence audit trail which further establishes the identity of the signer.
Once a signer’s identity is verified, a company may choose to issue electronic credentials to authenticate a signer and establish attribution, which is the process of proving who actually clicked or signed to apply an e-signature. The most widely accepted standard for user authentication and attribution in online transactions has traditionally been user name and password combined with email notification because it is a reliable and cost-effective way to authenticate signers. Other alternatives include email notifications, which rely on the user ID and PIN generated by the email system, SMS text, signature capture and fingerprint ID. In some higher security applications, as well as specific industries and countries, digital certificates will also be used.
When attributing a signature to a particular signer in face-to-face or shared device situations, affidavit text is presented affirming that control is being handed over to the signer in conjunction with additional authentication methods like a one-time passcode sent to the signer’s smartphone by SMS text.
Document and Signature Security
Document and signature security are at the heart of any electronically signed business transaction. Here are a few things a robust e-signature solution should have:
- The document as well as each signature must be individually secured with a digital signature to render the document tamperproof and ensure that signatures cannot be copied and pasted – a single tamper seal only validates the document, not the signatures;
- A comprehensive electronic evidence and audit trail should include the date and time of each signature, as well as what the signer saw on their browser and the actions they took;
- The audit trail must be securely embedded in the document and linked to each signature;
- It must be easy to verify, independently of the vendor, that no changes have been made to the signed record;
- The document must be accessible to all parties;
- The verification process should be simple – just one click – and completely vendor independent.
Cloud Security
Flexible e-signature solutions offer companies the choice of deploying either on-premise or in the cloud. Many companies are drawn to on-premise deployment because of the control it provides. However, the recent trends show companies are implementing cloud-based e-signature solutions, or a combination of on-premise and cloud depending on the process or line of business. The draw for many ranges from cost savings to speed to market.
When considering a cloud e-signature solution, companies should do due diligence to ensure the security and privacy of any sensitive customer data. Part of that evaluation should include reviewing an e-signature vendor’s security practices, certifications like SOC 2, track record and the frequency of its security audits. This due diligence will expose any previous incidents such as privacy breaches, incidents of data loss/leakage or insufficient cloud security expertise.
Organizations should also look for a vendor that uses a leading cloud hosting solution such as Amazon Web Services or IBM Cloud. The vendor can take advantage of the trusted hosting partner’s expertise and best practices in their data centers and infrastructure to provide the highest levels of security and availability of the customers’ data under any load or situation.
To learn more about e-signature security, download the Security for E-Signatures and E-Transactions whitepaper.
