CAN WE TRUST DIGITAL SIGNING?

Posted by Rachel Holland on September 23 2022 in News

A general manager is a manager of all things general. You need to know enough to not get in trouble, but not so much you become an expert in one area, neglecting others. I decided I needed to know more about digital signatures. Not necessarily understanding coding or encryption techniques, but enough to feel comfortable with pasting a copy of my signature onto a document. During my learning journey, I discovered three things that I think were most important – for both my own understanding and our clients.

It’s highly likely that a large percentage of people who have signed a document with a digital signature, do so with no idea how it works, and purely out of trust. It was only 20 years ago when the majority of New Zealand were on dial-up and didn’t trust the internet enough to enter in credit card details for purchase. These days, our trust has grown towards online banking, giving credit card details to websites that offer the most reasonable price, and now, the age of the digital signature.

Trust is one thing, but users need to be aware of the following…

Firstly, outside of IT professionals, digital signing and e-signing are used interchangeably. It is difficult to differentiate when referring to the word for adding a scanned image of a signature to a document (electronic signature), and the word for a fully encrypted, forensically traceable “signature stamp” on a protected document (digital signature). I wouldn’t be surprised if we soon refer to the latter as Docusigning (DocuSign being a well-known provider of this service) much the same as we now use the verb to google.  

Secondly, adding a scanned signature to a document feels the most comfortable to those that are more “old school” because it replicates what we have always done and trusted. However, the ability to copy and paste a scanned signature onto any document is child’s play, as is the ability to alter PDF documents (either signed or unsigned). So if we are relying on a scrawled signature to authenticate a document, we should really be sticking with a witnessed, physical signature. In cases where signatures are not legally binding, and are only relied on for adding credibility, such as a letter, then a scanned e-signature seems appropriate. The general advice is to keep the use of your e-signature limited to those you trust, such as your accountant if filing with the Companies Office. However, once a signature is sent to anyone either digitally or physically, it is easily replicated anywhere. This is important to understand if you are relying on someone else’s e-signature. For these reasons, an e-signature is unlikely to be considered reliable given the provisions of the Contract and Commercial Law Act 2017.

Lastly, if you are digitally signing a fully encrypted document with a verifiable “stamp” then you need to be aware of a few things…

This is a complex service that carries the risk of cyber-attack, so only use trusted suppliers. I’m not promoting one in particular, but the message is to do your own research on credibility of the software platform you are being asked to sign on (and where their servers are located/where your data is going – this is another topic of its own, particularly with the shift from onsite servers to cloud services). This provider should be providing an encryption service to limit the ability for the document to be altered en route to you or back to the sender. They also provide the verification services such as verifying the identity and origin of the sender and signers. They must also provide a “time stamp” to ensure the signature doesn’t expire. These aspects need to be robust, dependable, and verifiable.

Once the document is signed by all parties, make sure you receive a fully signed copy. If the service has been provided securely then this is the final document. Essential to this document is the electronic certificate it is embedded with, which amongst other things should make any changes after signing detectable. This will be relied on if the document is contested. For this reason, the document must be retained in electronic format. Many of us are in the habit of printing and filing these important documents so they are not lost when laptops crash or are replaced. With digitally signed documents you will need to safeguard the digital integrity and electronically store them in the cloud. Alternatively, you can go really old school and have your lawyer retain them. Whatever your solution, know that the printed format is good for reading purposes only, and it will have no value if the document or signatures need validation. Private note: If you have retired parents you may need to check how they are filing their documents when you are next reconnecting their TV to the internet.

There are still a number of legal restrictions around what documents can be digitally signed and how to ensure informed consent. Some amendments were rushed to allow a business to continue during lockdown restrictions, and may change again since the traffic light system has stopped, so you will need to be advised of the latest requirements. The lawyers involved will be aware of these.

Regarding the trusting of digital signatures, technology has allowed us to change the way we work, and the faster we adapt to these changes, the more opportunity we find to change further. It is happening so quickly, and often the back end of how this is technologically possible is well beyond the average user’s comprehension. In recent years, cyber security came to rank consistently in the top five things CEOs were thinking about due to our now almost complete reliance on the internet. Cybercrime remains a risk in all we do.

So to answer the headlining question, we have to trust digital signing because it is here now, and not going anywhere. But with that, we need to learn the new language, so we know what we are actually doing, we need to be aware of the risks, and we need to understand the changing requirements. These are exciting times that come with a responsibility to keep informed.

Rachel Holland | Practice Manager | Rachel.Holland@shieffangland.co.nz