With the increasing popularity of remote work, the demand for electronic signatures (“eSignatures” or “e-signatures”) has skyrocketed. Employees may be working from home but businesses still need to continue operations and obtain properly signed documents.
They must still sign off on purchases, onboard new hires, and approve invoices. With e-signatures, users can easily sign electronic documents online using their mouse, stylus, or touchscreen device. Businesses can still enforce corporate policies and proper governance.
Electronic signature software also speeds up these everyday activities since there’s no need for printing, signing, scanning, and filing. Managers can even electronically sign off on a PO or new hire using their mobile device at any time and from anywhere.
But are electronic signatures legally binding? In this piece, we’ll tell you everything you need to know about whether your e-signature is legal or not.
Electronic Signature Laws
That is, electronic signatures include a variety of ways to sign documents electronically without a traditional pen and paper signature.
These signatures have been used over the years to electronically sign all manner of legal documents including mortgage contracts, financial documents, employment agreements, leases, student consent forms, non-disclosure agreements, and more.
So, are electronic signatures legally binding? Assuming they meet certain conditions that we describe below, e-signatures are legally binding and have been in the United States for over 20 years. A landmark federal law, the Electronic Signatures in Global and National Commerce (E-SIGN) Act along with the Uniform Electronic Transactions Act (UETA), have created a legal agreement for the use of electronic signatures and ensure that they’re just as legally binding as their paper counterparts. Forty-seven states, the District of Columbia, Puerto Rico, and the Virgin Islands have simply adopted UETA. New York, Illinois, and Washington all have similar laws making electronic signatures legal. Since E-SIGN was passed in June 2000, electronic signatures are widely used in business transactions.
Digital Signatures: Meeting the Legal Standard
Electronic and digital signatures are often used interchangeably but they are different in important ways. “Electronic signatures” is a generic term for a wide-ranging set of methods for signing a document electronically without physical ink.
Digital signatures are an implementation of electronic signatures using certain technical protocols. The most common method, adopted by many digital signature providers such as DocuSign and frevvo, is to use Public Key Infrastructure (PKI) and certificates.
PKI helps secure electronic transactions from tampering, which is one of the factors that makes an e-signature legal.
How Does Public Key Infrastructure Work?
Here are the meanings of terms you need to know when it comes to Public Key Infrastructure and digital signatures:
A hash is a fixed length string of characters generated using a mathematical algorithm and applying it to arbitrarily data. This string is unique to the data being hashed. Changing any part of the data changes the generated hash. The hash is also a one-way function meaning it cannot be reversed to find the data. Popular examples of hash functions are the Secure Hash Algorithm variants (SHA-1, SHA-2, and SHA-256) and Message Digest 5 (MD5).
Private and Public Keys
A pair of keys generated for an entity – a particular individual, website, or organization. The private key is confidential while the public key is freely shared. It’s not possible to generate the private key by knowing the public key.
A certificate authority (CA) is a trusted third party that guarantees the identity of an entity. The CA will generate a private-public key pair or certify that an existing public key is associated with the entity in question. Once validated, the CA will issue a digital certificate that’s signed by the CA.
The digital certificate is akin to a passport and identifies the entity that owns the certificate. It usually embeds the public key and may also include other desired information.
Here’s how a digital signature works in action:
Acme Inc. sends an electronic document over to Jane for digital signature. The steps below unambiguously identify Jane and validate the contents of the document:
- The system first generates a unique hash from the data (contents of the document) and a randomly generated ID. This random ID ensures that the hash is unique every time. So, if Jane signs the same data multiple times, the hash is different each time.
- It then encrypts the hash using Jane’s private key.
- The document along with the encrypted hash and Jane’s digital certificate is sent electronically to Acme.
- Acme generates their own hash from the document contents.
- Acme obtains Jane’s public key from her digital certificate and decrypts the hash that Jane sent.
- They can compare the two hash functions and verify that they are identical. If they are, the digital signature and the document contents are valid.
The difficulty with PKI is that most people don’t actually have private and public keys and the associated digital certificates. Without access to these components, they can’t actually sign electronic documents digitally, rendering the secure infrastructure–and legal effect–moot.