Digital Signature Compliance – How To Sign Off On It

This paper serves as a reference point for organizational decision makers that have the responsibility of establishing which electronic signature solution best protects their organization’s documentation.

“The advantage of digital signatures is that they provide, in a single step, what other systems do not: a straightforward means of determining record integrity.”

- US DEA (Drug Enforcement Agency)

Introduction

As organizations continue to migrate their businesses to electronic workflows, studies show that the upside of these transformations is significant: electronic workflows save time and reduce paper-related expenses such as printing and physical archiving. However, once these organizations have put an electronic workflow into practice, they still require some form of signature capacity, such as an electronic or handwritten signature. The reasons behind this need are generally authorization- or security-related:

  • Authorization purposes. Some organizations wish to retain the significance of a hand-written signature for authorization purposes. In these cases, the motive is to allow the continuation of existing workflow processes, which require signatures for endorsement. In the move to electronic processes, utilizing an electronic signature allows them to continue signing documentation that is now electronic.
  • Compliance purposes. Organizations may utilize an electronic signature because of a need to be compliant with specific laws and regulations that demand their documentation be secure as they move from a paper-based process to an electronic one. Electronic documents that are left unprotected can be easily altered, jeopardizing document integrity and subsequent business processes. As such, laws and regulations have been enacted that set both legal and regulatory standards for organizations that are utilizing electronic documentation (with regard to electronic signatures this can be done implicitly or explicitly).

While authorization is a popular rationale for organizations implementing electronic signatures, this paper focuses explicitly on the legal and regulatory motivations for implementation.
The purpose of this white paper is to serve as a reference point for organizational decision makers who have the responsibility of establishing which electronic signature solution best protects their organization’s documentation. It does so by reviewing the various types of electronic signatures and the differences between electronic and digital signatures; the various pieces of legislation, regulation and industry standards which call for the implementation of electronic and digital signatures; and how electronic and digital signatures satisfy these legal requirements. A separate guideline provides insight into the necessary elements of a digital signature solution.
* Important note: Since a digital signature is a type of electronic signature offering the highest security standards, whenever an electronic signature satisfies a regulation or standard, a digital signature equally satisfies the regulation or standard.

Types of Electronic Signatures and the Differences Between Them

The category of electronic signatures incorporates a varied group of alternatives to handwritten signatures, namely electronic signatures, digitized signatures, and digital signatures. The various types are described below.

Electronic Signatures

Electronic signatures are defined as an electronic sound (e.g., an audio file of a person’s voice), symbol (e.g., a graphic representation of a person in a JPEG file), or process (e.g., a procedure that conveys assent), attached to or logically associated with a record, and executed or adopted by a person with the intent to sign the record.
An electronic signature is easy to implement, since something as simple as a typed name can serve as one. Consequently, electronic signatures are very problematic with regard to maintaining integrity and security, as there is nothing to prevent one individual from typing another individual’s name. Due to this reality, electronic signatures that do not incorporate additional measures of security (such as those of digital signatures, described below) are considered an insecure way of signing documentation.

Digitized Signatures

Digitized signatures are a sub-category of electronic signatures, referring specifically to a digitized image of a handwritten signature. Creating a digitized signature utilizes a signature capture device, on which the user signs their name. The captured signature is imported into a computer. The use of digitized signatures is prevalent in the consumer marketplace at points of purchase. Often, a digitized signature is required with the use of a credit card.
Simplicity is a key aspect of this signing option. However, digitized signatures are a lacking signing option when it comes to security capacity, since there is no way to verify that the integrity of the document has not been violated once the signature has been placed on the document. As such, digitized signatures alone are not considered a secure form of electronic signature, and individuals and organizations that use them risk the possibility of document forgery.

Digital Signatures (Standard Electronic Signatures)

Digital signatures are a very specific sub-category of electronic signatures that are based on an industry standard called Public Key Infrastructure (PKI), a cryptographic standard that has been used successfully to secure many different types of information exchanges for over 30 years. Digital signatures are based on standard PKI technology and guarantee signer identity, intent, and data integrity of signed documents. They cannot be copied, tampered with, or altered. Furthermore, digital signatures made within one application can be validated by others using the same application.
Considered by the electronic signature industry as the most reliable of the three types of electronic signatures and the only standard signing solution available, digital signatures are a thoroughly tested and well-established technology.

Legislation and Regulation for Electronic and Digital Signatures

Legislation

Numerous laws and pieces of American and European legislation have provided a foundation for the widespread legal acceptance of electronic signatures. Outlined below are some examples of laws that have established the cornerstone of standards for electronic signatures. More detailed information about these examples can be found in Appendix 1.

  • EU Directive on Electronic Signatures.
    This directive has set the guidelines for EU member states to adopt or modify their recognition of electronic signatures. The directive mandates that digital signatures (referred to as advanced electronic signatures in the directive) that are based on a qualified certificate and are created by a secure signature-creation device are regarded as legally equivalent to handwritten signatures. The directive further specifies that an advanced electronic signature must be uniquely linked to the signatory, must be capable of identifying the signatory, must be created using means maintained under the sole control of the signatory, and must be linked to the data in a way that detects any subsequent change to the data.
    PKI-based digital signatures are the only electronic signatures that satisfy all four of the requirements needed to be considered an advanced electronic signature. The only reason the EU Directive on Electronic Signatures didn’t specifically mention PKI as a mandated technology was to remain technology neutral in case other technologies in the future may meet these requirements. For more information, read the EU Directive on Electronic Signatures.
  • US Electronic Signatures in Global and National Commerce Act (ESIGN).
    ESIGN is the US federal law that lays out the foundation for the individual state laws governing electronic signatures (e.g., UETA described below). ESIGN defines an electronic signature and establishes that a signature may not be denied legal effect, validity, or enforceability solely because it is in electronic form. This was a significant development as it federally acknowledged the legal legitimacy of electronic and digital signatures.
    While any electronic signature can satisfy the standards of ESIGN, only digital signatures can satisfy them in a standard capacity, as they follow a set of pre-established industry-based standards. For more information, read the ESIGN Act.
  • US Uniform Electronic Transactions Act (UETA).
    UETA addresses the retention of paper records and the validity of electronic signatures. UETA is closely related to ESIGN, as both laws were designed to enhance the ability to conduct electronic business by validating electronic signatures and electronic records. UETA is essentially the state-level counterpart to ESIGN’s federal law, and provides legal recognition to electronic signatures, records and contracts. UETA’s definition of electronic signatures and their legal legitimacy has been adopted in 47 States, the District of Columbia, Puerto Rico and the U.S. Virgin Islands.
    While any electronic signature can satisfy UETA’s definition of an electronic signature, only digital signatures can satisfy them in a standard capacity, as they follow a set of pre-established industry-based standards. For more information, read the UETA act.
  • The Sarbanes-Oxley Act (SOX).
    SOX is a US federal law that was created to establish accountability with corporate accounting practices. While the law does not call explicitly for the use of digital signature technology, it relies on a set of IT best practices referred to as The Control Objectives for Information and Related Technology (COBIT), which specifically call for document change control. The COBIT framework mandates that the system used to monitor changes to application systems should be automated to support the recording and tracking of changes made to large, complex information systems.
    Since a document that is digitally signed cannot be altered without clearly invalidating the signature, digital signatures provide a change control capacity and ability to verify integrity that fully satisfies SOX regulations. For more information, read the COBIT framework.
  • US Health Insurance Portability and Accountability Act (HIPAA).
    Enacted in 1996 by the US Congress for the healthcare industry, the Act details the requirements for correctly managing communications containing protected health information that are transmitted electronically over open networks. HIPAA calls for ensuring document confidentiality, integrity, and compliance with HIPAA throughout the organization.
    While HIPAA does not exclusively mandate the use of electronic or digital signatures, it does specifically require that data integrity be maintained in all documentation. A digital signature based on PKI technology is the only standard technology capable of fully satisfying the integrity-based requirements of the regulation, as any document that is altered after being signed digitally results in an invalidated digital signature. For more information read the HIPAA Act.

Regulations

In addition to legislation, specific industries have established regulations explicitly requiring the use of electronic signatures. An example is the FDA’s regulation described below.

  • The FDA’s 21 CFR Part 11 (Part 11).
    This regulation addresses electronic signatures as a form of control for software and systems involved in business operations and product development in the pharmaceutical, medical, biotech, biologics, and other FDA-regulated industries. Part 11 calls for the use of electronic signatures when closed systems[1] are being utilized. However, the regulation specifies that open systems[2] require controls that guarantee authenticity, integrity and confidentiality of electronic records. It goes on to establish that digital signatures are a sufficient method for satisfying the regulation. For more information, read the FDA 21 CFR Part 11 regulation.

Common Practices and Standards

In addition to the regulatory example outlined above, various industries acknowledge the value of electronic signatures by accepting them as common practice within the industry. While this acknowledgment does not mandate the use of electronic signatures, it has established standards for their use, whenever applicable. Two examples of such standards are described below.

  • US Federal Aviation Administration (FAA) Advisory Circular 120-78.
    Issued by the FAA in 2002 to provide guidance on the acceptance and use of electronic signatures, the advisory aims at satisfying certain operational and maintenance requirements. This Circular stipulated that one of the requirements of any electronic signature employed during maintenance documentation is that it must provide non-repudiation, meaning that it should prevent a signatory from denying that he or she attached the signature to a specific record or document.
    While the FAA did not establish digital signatures as the only acceptable method for signing, a digital signature is the only standard electronic signature technology that provides the required element of non-repudiation. For more information, read the Advisory Circular 120-78.
  • US National Association for Variable Annuities (NAVA).
    Relying on ESIGN as a legal and regulatory foundation, NAVA established digital signatures as one of the standards by which the association signs documentation. There are five basic types of electronic signature technologies that have been deemed suitable for NAVA New Sales and Submission of Annuities. The technologies are: Username/Passwords, Smart Cards and other electronic physical tokens, biometric devices, signature pads, and PKI encryption.
    NAVA’s institutional acceptance of PKI encryption, the technology behind digital signatures, highlights a growing trend in industry-leading organizations throughout the world to recognize the validity and benefits of digital signatures.

Who Decides that You Need an Electronic or Digital Signature

Many organizations choose to implement an electronic or digital signature in order to adhere to legal requirements, or to provide a more stringent capacity for ensuring the integrity of their documentation. In certain cases, a non-PKI-based electronic signature is sufficient for satisfying the requirements associated with placing an electronic signature on documentation. However, there are many instances where a non-secure signature, such as a basic electronic or digitized signature, fails to provide the level of veracity a regulation or standard demands. In such scenarios, the only electronic signature solution that can fully satisfy the requirements is a PKI-based digital signature.
Organizations that implement an electronic signature based on compliance requirements may do so for several reasons:

  • A regulatory body requires the organization specifically to use an electronic signature on their documentation.
  • A regulatory body establishes that the organization must sign documentation, but does not specify how, leaving the organization to decide how best to satisfy this requirement. An electronic signature is one method that would satisfy this obligation.
  • As an organization moves towards electronic documentation, it is required by a regulatory body to protect the integrity of its documents.

However, organizations that adopt digital signatures based on their need for document integrity do so because digital signatures are the only type of electronic signature available that incorporates the four elements necessary to guarantee a document cannot be altered after signing, whether intentionally or accidentally. These elements, discussed in further detail below, are that the technology identifies the signer, detects any changes made to the document, is unique, and remains under the sole control of the signer. With a non-standard electronic signature technology, proving in court that it satisfies legal requirements may be difficult or costly.

Necessary Elements of an Electronic Signature Solution

An electronic signature solution that satisfies the strictest of standards and expectations should identify the signer, detect changes in the document, provide a unique signature, provide sole control of the signature, and allow portability.

Identify the Signer

Figure 1: Digital signatures in PDF

In order to maintain legality, an electronic signature needs to verify the identity of the signer, but, as mentioned above, an electronic signature does not inherently do this. As certain electronic signatures are simply symbols or sounds, an individual that receives an electronic document with this type of electronic signature has no way of verifying the identity of the signer. Clearly, such a scenario is weak in terms of legal enforceability. By contrast, when someone receives a document signed with a digital signature, they can easily verify the identity of the signer via the digital certificate incorporated in the digital signature, which indicates the signer’s name and email address (see Figure 1).

Detecting Changes to the Document

A digital signature must be able to detect changes that have been made to the content of an electronic form once the electronic signature has been placed on the document if it is to be considered a secure signature, and upheld by a court of law. Digital signatures based on PKI technology are the only form of electronic signatures that are capable of this, as any change to the document, once it has been signed, invalidates the digital signature.
The capacity to convey alterations to documentation is such a strong asset that the US DEA (Drug Enforcement Agency) has actually proposed using digital signatures to verify the integrity of prescriptions for controlled substances. The agency’s proposal states that “The advantage of digital signatures is that they provide, in a single step, what other systems do not: a straightforward means of determining record integrity. If the first recipient of an electronic prescription signs it digitally, DEA will be able to prove what the practitioner signed. If the prescription is altered after that point, the practitioner will be able to demonstrate that he did not issue the altered prescription. Similarly, if the contents of the prescription sent and prescription received match, DEA and the intermediaries will be able to prove that the contents of the record were not altered in transit.”[3]
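As an added illustration of the two elements just described (a certificate that names the signer, and a signature that any later change invalidates), the following Go program is example code written for this page, not code from the paper or from any signature product. The signer name, e-mail and document text are constructed sample values, and the certificate is self-signed for the demo; a production deployment would use a certificate issued by a trusted CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Signer pairs a private key (held only by the signer) with the certificate
// that binds the matching public key to a name and e-mail address.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// SignedDocument carries the content, the ECDSA signature over its SHA-256
// digest, and the signer's certificate (DER), so a verifier needs nothing else.
type SignedDocument struct {
	Content   []byte
	Signature []byte
	CertDER   []byte
}

// NewSigner generates a P-256 key pair and a self-signed certificate naming the
// signer. Assumption: self-signed suffices for the demo; in practice a trusted CA issues it.
func NewSigner(name, email string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: name},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Key: key, Cert: cert}, nil
}

// Sign hashes the content and signs the digest with the signer's private key.
func (s *Signer) Sign(content []byte) (*SignedDocument, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Content: append([]byte(nil), content...), Signature: sig, CertDER: s.Cert.Raw}, nil
}

// Verify re-hashes the content and checks the signature against the public key in
// the embedded certificate; on success it returns the signer's name and e-mail.
func Verify(doc *SignedDocument) (string, string, error) {
	cert, err := x509.ParseCertificate(doc.CertDER)
	if err != nil {
		return "", "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", "", fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(doc.Content)
	if !ecdsa.VerifyASN1(pub, digest[:], doc.Signature) {
		return "", "", errors.New("signature invalid: document altered after signing or signed with another key")
	}
	return cert.Subject.CommonName, strings.Join(cert.EmailAddresses, ","), nil
}

func main() {
	// Constructed sample signer and document, not taken from the paper.
	signer, err := NewSigner("John Smith", "john.smith@example.com")
	if err != nil {
		panic(err)
	}
	doc, err := signer.Sign([]byte("Purchase order 4711: 10 units at 25.00"))
	if err != nil {
		panic(err)
	}
	name, email, err := Verify(doc)
	fmt.Printf("original: signer=%q email=%q err=%v\n", name, email, err)
	// Change one digit after signing: the same signature no longer verifies.
	doc.Content = []byte("Purchase order 4711: 11 units at 25.00")
	_, _, err = Verify(doc)
	fmt.Println("after alteration:", err)
}
```

The same check distinguishes two signers who share a name, since each has a different key: a signature made with one signer's key does not verify against the other signer's certificate.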

Unique Signature

From a legal standpoint, the uniqueness of an electronic signature is essential. For instance, if John Smith electronically signs a document by typing his name on a keyboard, other individuals with the same name may have the exact same electronic signature. Such a scenario would make it very difficult, if not impossible, to verify which John Smith actually signed the document. This type of signature cannot meet the standards set by numerous laws and regulatory bodies. Conversely, digital signature technology utilizes mathematical operations and algorithms that create one-of-a-kind digital “fingerprints” that cannot be duplicated.

Sole Control of the Signature

In order to satisfy the benchmarks for legal compliance, only one individual can have access to or control an electronic signature. Once again, the only form of electronic signatures that accomplish this requirement are digital signatures, which do so through user credentialing. The owner of the digital signature is the only person with access to the One Time Password (OTP) or smartcard that grants them use and control of their digital signature.

Portability

While not a required element for document security, portability is a vitally important characteristic of electronic signature usability. If an organization uses an electronic signature that is not readable or verifiable by a third party, the electronic signature is irrelevant. A practical electronic signature is one that a third party can read and verify without having to download any software in order to do so. Digital signatures, as a standard technology, uphold portability since third parties can verify the signature without having to download any software.

Conclusion

Worldwide, there are numerous standards and legal requirements related to electronic signatures with either explicit or implicit calls to use digital signatures. It is imperative for organizations attempting to satisfy requirements set forth by either legal or regulatory bodies that their decision makers fully understand the expectations placed on them so that they implement the appropriate solution.
While a non-PKI-based electronic signature may be used by some organizations to sign documentation, such a solution cannot protect the document against changes or verify the integrity of a signed document. For that matter, it cannot even guarantee that the electronic signature was signed by the person it represents. Only a PKI-based digital signature is capable of satisfying the requirements that guarantee the integrity and security of a document.
There is a significant discrepancy between the capacity an electronic signature provides and the capacity that a digital signature affords. That said, in any instance that an electronic signature is called for, a digital signature satisfies all requirements. If compliance calls for an electronic signature, with no need to guarantee document integrity or non-repudiation, both a basic electronic signature and a digital signature can suffice. However, if compliance calls for document integrity, non-repudiation, uniqueness, or sole control, the only option that satisfies the requirement is a digital signature. Moreover, since a digital signature currently satisfies or exceeds all current compliance requirements, it is also the best way to ensure future compatibility with new regulations.
If it is decided that the proper business solution for an organization is a digital signature, further information discussing important guidelines for choosing a digital signature solution can be found here.


Appendix 1 – Legislation and Regulation for Electronic and Digital Signatures

Legislation

Numerous laws and pieces of American and European legislation have provided a foundation for the widespread legal acceptance of electronic signatures. Outlined below are the laws that have established the cornerstone of standards for electronic signatures.

EU Directive on Electronic Signatures [4]

This directive has set the guidelines for EU member states to adopt or modify their recognition of electronic signatures. The directive mandates that advanced electronic signatures that are based on a qualified certificate and are created by a secure signature-creation device are regarded as legally equivalent to handwritten signatures. The directive further explains the attributes of an advanced electronic signature as follows:

Article 2.2:
(a) It is uniquely linked to the signatory;
(b) It is capable of identifying the signatory;
(c) It is created using means that the signatory can maintain under his sole control; and
(d) It is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

PKI-based digital signatures are the only electronic signatures that satisfy all four of the requirements needed to be considered an advanced electronic signature. The only reason the EU Directive on Electronic Signatures didn’t specifically mention PKI as a mandated technology was to remain technology neutral in case other technologies in the future may meet these requirements. For more information, read the EU Directive on Electronic Signatures.

US Electronic Signatures in Global and National Commerce Act (ESIGN)

ESIGN is the US federal law that lays out the foundation for the individual state laws governing electronic signatures (e.g., UETA described below). ESIGN defines an electronic signature as follows:

Sec. 106. Definitions. (5) The term ‘‘electronic signature’’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

The essence of the ESIGN Act is that a signature may not be denied legal effect, validity, or enforceability solely because it is in electronic form. This was a significant development as it federally acknowledged the legal legitimacy of electronic and digital signatures:

Sec. 101. General Rule of Validity. (2) A contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

While any electronic signature can satisfy the standards of ESIGN, only digital signatures can satisfy them in a standard capacity, as they follow a set of pre-established industry-based standards. For more information, read the ESIGN Act.

US Uniform Electronic Transactions Act (UETA)

UETA addresses the retention of paper records and the validity of electronic signatures. UETA is closely related to ESIGN, as both laws were designed to enhance the ability to conduct electronic business by validating electronic signatures and electronic records. UETA is essentially the state-level counterpart to ESIGN’s federal law, and provides legal recognition to electronic signatures, records and contracts. UETA has been adopted in 47 States, the District of Columbia, Puerto Rico and the U.S. Virgin Islands. The Act defines an electronic signature as follows:

Section 2. (8) “Electronic signature” means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

UETA acknowledges the legal legitimacy of electronic records and signatures as follows:

Section 7. (a) A record or signature may not be denied legal effect or enforceability solely because it is in electronic form;
(b) A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation;
(c) If a law requires a record to be in writing, an electronic record satisfies the law;
(d) If a law requires a signature, an electronic signature satisfies the law.

While any electronic signature can satisfy UETA’s definition of an electronic signature, only digital signatures can satisfy them in a standard capacity, as they follow a set of pre-established industry-based standards. For more information, read the UETA act.

The Sarbanes-Oxley Act (SOX)

SOX is a US federal law that was created to establish accountability with corporate accounting practices. While the law does not call explicitly for the use of digital signature technology, it relies on a set of IT best practices referred to as The Control Objectives for Information and Related Technology (COBIT), which specifically call for document change control. The COBIT framework mandates the following:

“IT management should ensure that change management and software control and distribution are properly integrated with a comprehensive configuration management system. The system used to monitor changes to application systems should be automated to support the recording and tracking of changes made to large, complex information systems.”
“Whoever corruptly (1) alters, destroys, mutilates or conceals a record, document, or other object, or attempts to do so, with the intent to impair the object’s integrity or availability for use in a legal proceeding…shall be fined under this title or imprisoned not more than 20 years, or both.”

Since a document that is digitally signed cannot be altered without clearly invalidating the signature, digital signatures provide a change control capacity and ability to verify integrity that fully satisfies SOX regulations. For more information, read the COBIT framework.

US Health Insurance Portability and Accountability Act (HIPAA)

Enacted in 1996 by the US Congress for the healthcare industry, the Act details the requirements for correctly managing communications containing protected health information that are transmitted electronically over open networks. Several of the key elements HIPAA calls for are highlighted below:

§ 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.

While HIPAA does not exclusively mandate the use of electronic or digital signatures, it does specifically require that data integrity be maintained in all documentation. A digital signature based on PKI technology is the only standard technology capable of fully satisfying the integrity-based requirements of the regulation, as any document that is altered after being signed digitally results in an invalidated digital signature. For more information read the HIPAA Act.

Regulations

In addition to legislation, specific industries have established regulations explicitly requiring the use of electronic signatures. An example is the FDA’s regulation described below.

The FDA’s 21 CFR Part 11 (Part 11)

This regulation addresses electronic signatures as a form of control for software and systems involved in business operations and product development in the pharmaceutical, medical, biotech, biologics, and other FDA-regulated industries. The regulation establishes the following:

VIII. § 11.30. Open systems[5] used to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity and confidentiality of electronic records from the point of their creation to the point of their receipt.
VIII. § 11.30. Such procedures and controls shall include those identified in § 11.10, as appropriate, and such additional measures as document encryption and use of established digital signature standards acceptable to the agency, to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

Part 11 only calls for the use of electronic signatures when closed systems[6] are being utilized. However, it explicitly calls for the use of digital signatures to ensure authenticity, integrity, and confidentiality when open systems are utilized. For more information, read the FDA 21 CFR Part 11 regulation.

Common Practices and Standards

In addition to the regulatory example outlined above, various industries acknowledge the value of electronic signatures by accepting them as common practice within the industry. While this acknowledgment does not mandate the use of electronic signatures, it has established standards for their use, whenever applicable. Two examples of such standards are described below.

US Federal Aviation Administration (FAA) Advisory Circular 120-78

Issued by the FAA in 2002 to provide guidance on the acceptance and use of electronic signatures, the advisory aims at satisfying certain operational and maintenance requirements. This Circular stipulated that one of the requirements of any electronic signature employed during maintenance documentation is that it must provide non-repudiation:

AC 120-78. 5.(5) Non-repudiation. An electronic signature should prevent a signatory from denying that he or she affixed a signature to a specific record, record entry, or document.

While the FAA did not establish digital signatures as the only acceptable method for signing, a digital signature is the only standard electronic signature technology that provides the required element of non-repudiation. For more information, read the Advisory Circular 120-78.

US National Association for Variable Annuities (NAVA)

Relying on ESIGN as a legal and regulatory foundation, NAVA established digital signatures as one of the standards by which the association signs documentation. There are five basic types of electronic signature technologies that have been deemed suitable for NAVA New Sales and Submission of Annuities. The technologies are: Username/Passwords, Smart Cards and other electronic physical tokens, biometric devices, signature pads, and PKI encryption.
NAVA’s institutional acceptance of PKI encryption, the technology behind digital signatures, highlights a growing trend in industry-leading organizations throughout the world to recognize the validity and benefits of digital signatures.


[1] A closed system describes a computer system providing a combination of portability, interoperability, and open software standards.
[2] An open system refers to computer systems that provide some amalgamation of portability, interoperability, and open software standards.
[3] 21 CFR Parts 1300, 1304, et al. Electronic Prescriptions for Controlled Substances; Proposed Rule, June 27th, 2008.
[4] Published in the EC Official Journal as Directive 1999/93/EC.
[5] An open system refers to computer systems that provide some amalgamation of portability, interoperability, and open software standards.
[6] A closed system describes a computer system providing a combination of portability, interoperability, and open software standards.