An interesting case arose in the state of California this year regarding a bankruptcy lawyer who used DocuSign for many official legal documents. Paul Bains, the lawyer who relied on DocuSign for bankruptcy petitions and other important matters, used the software in place of original signatures, as is done in many commercial settings in the US and globally. Judge Robert Bardwil of the U.S. Bankruptcy Court in California ruled that while DocuSign is appropriate in many business settings, it does not constitute a replacement for original signatures on legal documents and the like.
The United States Trustee (UST) sanctioned the Sacramento-based lawyer, citing Local Bankruptcy Rules [9004-1(c)(1)(C) and (D)], which state that an electronically signed document can only be used where a copy of the document with an original signature (aka “wet signature”) is also available. Additionally, in compliance with local data retention policies, originally signed documents must be held for three years in the event evidence is requested again from the court. Bains used DocuSign instead of obtaining original signatures on the documents, which was the biggest issue in the case.
But why is it an issue in the first place? Why can’t DocuSign provide security for documents? The primary concern was that DocuSign signatures could easily be manipulated or forged, opening the door for the individuals filing bankruptcy to claim that they were not the signers, thus impacting the integrity of the legal system. An important point is that when the attorney was asked to prove that the e-signature belonged to the legitimate signer, it was shown that this was not possible, because the DocuSign e-signature is generated by just a ‘click to sign’ button. There is no guarantee of who clicks the button, and the declared name by itself (the area where the signer enters their name) is just a placeholder that can be filled in by anybody.
Prior to this case, there was little to no basis set in the US legal system for digital authentication platforms. They are widely used across many industries (including real estate, where legal documents are passed around between multiple parties). Though this ruling affected that small district in California, it is common practice for other cities and states to cite pre-established cases, thus setting a precedent across the US. It is important to note that not all e-signatures can be rejected simply because of their electronic nature. The US adopted the E-Sign Act, which states that documents can’t be rendered invalid simply because of an electronic signature. This means that in order for a signature to be invalid, there must be a reason, such as the platform (in this case DocuSign) possibly being vulnerable to corruption or wrongdoing.
This ruling will have major implications for DocuSign, as it is now questioned as a trusted source for e-verification in the legal setting. E-authentication is still a very important concept in today’s world, as it is often not practicable to ship documents or meet in person to obtain “wet signatures”. However, controls understandably need to be in place that provide for the authenticity of the signer, and a way to verify that the signature really did come from the correct person. One question to ask is: “If I create a signature on my computer (using my handwriting), does that count as a ‘wet signature’?” DocuSign fell short by failing to prove to the courts that the signature truly counted as an original signature, a fatal flaw that will hurt digital signature platforms, as this is their primary objective. While we believe there are certainly ways to incorporate e-authentication into the legal systems, it is critical that non-repudiation be the primary goal of the software platform, as well as security to prevent malpractice.
EU regulation on e-signature usage in court
Within the EU, regulatory standards on eID and e-signatures are implemented to ensure that, when those standards are adhered to, the issues raised in the DocuSign case do not apply. The eIDAS regulation enforces the standards and procedures for issuing e-signatures, where the e-signature with the highest level of security and probative value is called a qualified electronic signature (QES). The regulation distinguishes three types of e-signature:
- Simple Electronic Signatures – Broad scope, general usage, typically low security and no authentication of the user is required.
- Advanced Electronic Signatures – Authentication of the signer is provided through the issuance of a digital certificate by a trusted certificate authority (CA), combined with the usage of multi-factor authentication.
- Qualified Electronic Signatures – Similar to advanced electronic signatures, the signer is authenticated; however, in this case the CA is supervised by authorities which have been accredited by the EU.
As a result of the eIDAS standards and regulation, users must be positively identified and certified as being the individual they claim to be before they can issue an e-signature above the simple electronic signature level. Advanced and qualified electronic signatures cannot be dismissed as evidence in court within the EU. With the most stringent identification and security audit requirements, QES also has the same legal value in court as a handwritten signature.
Cryptomathic Signer (Cryptomathic's remote e-signature solution) fulfills the requirements of both advanced and qualified electronic signatures, which in turn ensures no court of law within the EU could dismiss the documents. Signer ensures both Non-Repudiation of Origin (NRO) and Non-Repudiation of Emission (NRE), providing proof of the identity of the sender as well as evidence of them sending specific content in messages.
Whether or not this will affect how the US courts accept e-signatures remains to be seen. In order to enable digitalization of such attorney documents, a new US act is needed to define advanced and qualified signatures, with handwritten equivalence for qualified ones. Nevertheless, the judge in the mentioned court case would perhaps have accepted an advanced or qualified electronic signature, as advanced and qualified electronic signatures require proper identification of the signer before they can use such e-signatures.
While the concept of digital signatures and non-repudiation can be difficult and sticky, with the right controls in place, e-signatures can become a widely accepted form of authorization in US legal systems and in other industries where questions remain. The concern about non-repudiation doesn’t exist only in e-signatures: anyone can forge a signature and mail in a contract as well. The concern is simply over the unknown, the security risks surrounding these platforms. The path forward will require building trust with governments and demonstrating how the technology works, and also how specific solutions prevent mischief and corruption.