Ensuring Your Electronic Signature Stands Up in Court

Today, Ken Moyle, DocuSign's Vice President of Legal and Corporate Affairs and Chief Legal Officer, shares his thoughts regarding issues your should consider so that your electronic signature will stand up in court. Of course, this blog post was written, published and distributed in accordance with DocuSign's blog policy.

From Ken...
When you do business electronically, you should anticipate the need to produce evidence that proves a given person signed a given electronic document on a given date. That means you should look at taking such steps as:

• Including authentication procedures to verify the identity of the signatory
• Maintaining evidence of the particular electronic document that was signed electronically
• Maintaining evidence of the electronic process that was followed in obtaining the electronic signature on the electronic document

In Prudential Insurance Company of America v Dukoff, the US District Court for the Eastern District of New York affirmed the importance of implementing clear electronic transaction procedures. Prudential initiated the action to void a life insurance policy issued on the life of the wife of the defendant and beneficiary on the basis of alleged misrepresentations in the application.

In response to Prudential's complaint, defendant Dukoff and his wife's estate filed a counterclaim for the full value of the policy, disputing the charge that it had been procured via fraud. The court was also called upon to consider a host of issues stemming directly from the fact that the application was submitted electronically via what the court called “a standard internet click-through process.”

The defendants argued that a box that was checked at the end of the electronic application process did not constitute a valid electronic signature under New York's Electronic Signatures and Records Act (ESRA), and thus, Prudential was barred from challenging statements in the application to invalidate the contract.

While the court was unaware of any other court that had addressed the validity of electronic signatures for insurance documents under ESRA, in deference to holdings in advisory opinions by the New York Insurance Department, the court held that Prudential could challenge the statements if Prudential could reasonably identify the person who made them. The court then held that there was a triable issue of fact as to whether the final page of the application, which included personal information inputted by the applicant, sufficiently identified the person who signed the application.

The electronically filed application also raised evidentiary issues with regard to who actually submitted the application and when. According to the court, a computer printout produced by the plaintiff insurer shows the application was submitted on a date suggesting that Mrs. Dukoff did not submit the application. The court concluded, however, that the plaintiff insurer did not offer sufficient evidence to establish that this printout accurately reflects the date of submission.
Considerations When Choosing an Electronic Signature Vendor
Given that you may need to provide evidence that a given person signed a given electronic document on a given day, you should understand your electronic signature provider's authentication services, the electronic signature capture process and subsequent documentation and the value of selecting a neutral third party provider.
Authentication
DocuSign provides an integrated authentication system that works with the electronic signature process to ensure any level of authentication can be provider and that the authentication provides positive identification of the person signing, NOT the equipment.

DocuSign's authentication process is designed and architected with no single point of authentication failure. Authentication can be required each time a signer reviews and signs a document, if requested. One authentication session for a document from company “A” does not mean company “B” must rely on that authentication, as is the case with PKI digital certificates.

DocuSign's Authentication Systems

1. Email Authentication: validates a person's email address and access to that email address.
2. Access Code Authentication: validates a person's ability to provide a shared secret or passphrase.
3. ID Check: validates a person's knowledge based on a knowledge-based authentication process provided by RSA.
4. OFAC Checking: validates whether a person's name is on the Specially Designated Nationals List administered by the Office of Foreign Assets Control.
5. Age Verification: validates a person's age is correct as entered.
6. Federated Authentication: accepts and records authentication by another system when integrated with DocuSign. This can be any form.
7. Two Factor Biometric Authentication: validates a person's phone number and access to that phone number. This authentication process also records a voiceprint of the signer.

Additionally, DocuSign's authentication system supports a workflow of authentication for integrated customers, enabling decision-making during the authentication process. DocuSign also collects the IP addresses of all users and time stamps all activity into the encrypted, tamper-proof audit trail along with all the authentication results.
The DocuSign Electronic Signing Process

Visible Elements of a DocuSign Electronic Signature:

1. Script Signature Name: The script-written name generated in the DocuSign system by the document signer has legal significance, as the signer is required to agree that the script signature will have the same legal effect as his or her handwritten signature.
2. "DocuSigned By:" Box: Every electronic signature is bordered by a signature block that contains a portion of the signer's Globally Unique Identifier (GUID) A GUID is a 128-bit number in hexadecimal form, such as { 3F2504E0-4F89-11D3-9A0C-0305E82C3301}, which is created for the signer by DocuSign. This partially visible GUID conceals the full ID.

Invisible Elements of a DocuSign electronic signature:

1. GUID: Each person in the DocuSign system has a unique GUID, a pseudo-random number used in software applications. Each GUID is “mathematically guaranteed” to be unique, based on the principle that the total number of unique keys is so large that the possibility of the same number being generated twice is virtually zero. The full GUID is associated with a user upon authentication and electronic signature creation. The signer - electronic signature association is managed by DocuSign, encrypted and hashed to ensure that it cannot be modified. The hashing process entails the application of an algorithm to the GUID to create a digital representation of the GUID, resulting in a “hash value.” Any change in the underlying document would produce a different hash value, which would be evidence of tampering.
2. Hash of Signature: The entire signature element is stored in the DocuSign system in secure (hashed) format.
3. Signer Certificate: The data structure of the DocuSign system links a signer's attributes, GUID and signature stamp to ensure that only that particular person ever has access to use that particular electronic signature.

The visible and invisible elements work together to link the person, document and electronic signature in an auditable system. Copying or duplicating only the visible elements of the electronic signature does not compromise the signer's identity because only the invisible elements are solely under the electronic signature owner's control.

Due to DocuSign's strict adherence to the authentication and electronic signature process, which includes the signer's involvement in creating and placing his or her electronic signature in specified locations on documents, DocuSign enables the most familiar and enforceable process for signers. For more information, take a look at the Electronic Signature Vendor Checklist.