E-signatures sound like a potential headache relief for HR professionals, removing tiresome signature-chasing and form-filling. But where exactly do you stand if you accept an e-signature?
Nigel Miller, a partner at law firm Fox Williams, specialises in legal aspects of technology. His interest in digital signatures goes back a long way. “When the internet started being used for commercial reasons, the question was soon asked: ‘Can you create a valid contract online?'”
He adds: “There was a lot of academic interest in this before the Electronic Communications Act came into force in 2000. But English law is quite adaptable, and the courts have found ways to make the traditional legal principles apply to the online space.
“After all, a signature is just a piece of evidence, nothing more. It is an indicator that someone wishes to be bound by something.”
Dom Saunders, operations director of software company NETconsent, puts it plainly. “In an ideal world, getting a piece of paper signed by an individual is 100% binding,” he says. “However, it is not practical to do that in a large organisation where you have lots of documents that need signing.
“If an organisation takes practical, sensible steps to deliver electronic signatures, then that should be accepted in a court of law,” he adds.
The real deal
Are we at risk of ending up with a signature hierarchy? Mike Ellerton, head of IT technical architecture at Premier Foods, has seen it in action.
“You can stand outside your boss’s office just to get something signed off, or use externally hosted e-procurement systems, but the big contracts that can hurt your business are always done face to face with paper, lawyers and contracts,” he says.
“Electronic signatures are never going to be used to sign a 10-year lease on a new property, or seal a major deal with a supermarket. Those big orders are still signed with a pen.”
Saunders agrees. “I think it also comes back to how sure you need to be of the identity of that individual,” he says. “Pharmaceutical organisations need to be 100% sure of who is doing what. Therefore, it is those types of organisations that are putting in big IT solutions, because they need an extra level of absolute assurance of identity. It’s never going to be 100% sure, as is a signature on a piece of paper.”
Miller believes that the legal question e-signatures raise is who is bearing the risk?
“There are potentially three parties involved: the sender, receiver and the certification authority,” he explains. “Analysis of where the risk lies is often not well understood, and is also altered by the terms of the contract between those parties, where liability is often restricted. While the technology might provide a solution to the problem, one then has to look at what the underlying contractual obligations are to see where the responsibilities lie.”
It looks like the signature headache may have just turned into a migraine.
Identify the problem you are trying to solve and determine how much risk is involved.
Agree what level of authenticity you really need to prove that person’s identity – from a simple password to certified digital signature. Don’t use a sledgehammer to crack a nut.
Use a digital signature system to get all the benefits of high-level cryptography if necessary.
Implement public key infrastructure certificates, which allow someone to combine their digital signature with a public key and something that identifies them, for example their name.
Treat electronic signatures as you would a handwritten signature. Would you accept at face value a contract from someone you’d never heard of if it arrived in the post?
Source: Richard Trevorah, technical manager, TScheme