Are e-signatures legal in the U.S.?
Yes. Today, more than 15 years after the passing of the ESIGN Act, there is no longer any question about whether electronic signatures are legal. Federal and state law gives electronic signatures the same legal status as handwritten signatures. Forty-seven states, the District of Columbia, Puerto Rico, and the Virgin Islands have adopted the Uniform Electronic Transactions Act (UETA). Additionally, the Electronic Signatures in Global and National Commerce Act (ESIGN), a federal law, provides that electronic signatures are legally enforceable for intrastate commerce and within those states that have not adopted UETA.
For more information on e-signature case law and legal best practices, watch this webcast: Beyond E-SIGN – Evidence Considerations for Electronic Signatures & Transactions
Are e-signatures legal in Canada?
Yes. According to Stikeman Elliott LLP, all the provinces and territories have stand-alone electronic commerce statutes of general application based on model laws promulgated by the U.N. and the Uniform Law Conference of Canada. For example, in Ontario, the Electronic Commerce Act, 2000 addresses the use of electronic documents in commercial transactions.
While there are some variations, the provincial e-commerce statutes generally stipulate that signatures, documents, and originals are not invalid or unenforceable by reason only of being in electronic form. For more information, read the full document from Stikeman Elliott entitled Electronic Signatures in Canadian Law.
Are e-signatures legal in Europe?
Directive 1999/93/EC of the European Parliament and of the Council of 1999 on a Community framework for electronic signatures (also referred to as the 1999 European Directive) establishes the criteria for the legality of e-signatures. It sets out three levels of e-signature (simple, advanced, qualified). According to the Directive, an advanced e-signature based on a qualified certificate satisfies the legal requirements of a signature in relation to data in electronic form – in the same way a handwritten signature satisfies those requirements in relation to paper-based data.
For more information, read the full document from Lorna Brazell of Osborne Clarke LLP entitled eIDAS and E-Signature: A Legal Perspective.
For a legal opinion on the enforceability of e-signatures in any given EU country and any local data residency requirements, consult your legal counsel.
What is the ESIGN Act?
The Electronic Signatures in Global and National Commerce Act (ESIGN) is a U.S. federal law passed in 2000 that enables the use of electronic records and signatures for commercial transactions. The Act essentially enables organizations to adopt a uniform e-signature process across all 50 states with the assurance that records cannot be refused by a court of law solely on the basis that they were signed electronically.
Because the Act is technology-neutral and doesn't favor any one type of solution over another, the onus is on the organization to determine how it plans to meet the ESIGN Act's requirements for capturing signing intent and authenticating data and signers.
In the U.S., do legal requirements differ from state to state?
Yes and no. The federal Electronic Signatures in Global and National Commerce law (ESIGN) and the state Uniform Electronic Transactions Acts (UETA) are similar in substance and together enable the use of electronic signatures in commerce throughout the U.S.
That said, there may be additional regulations or compliance requirements that apply to certain processes, like truth-in-lending disclosures or protecting the privacy of medical records. But these requirements exist for paper processes as much as electronic ones.
Have e-signed documents been challenged in court?
Yes, there is a growing body of case law that is establishing precedent for electronic records and signatures. Examples include:
- Lorraine v. Markel
- Barwick v. GEICO
- Vinhnee v. American Express
- Labajo v. Best Buy Stores
- Long v. Time Insurance Company
- Shattuck v. Klotzback
- Hotmail Corporation v. Van$ Money Pie Inc.
While there have been several cases of contract disputes involving e-signatures and e-records, most of these cases do not challenge the e-signature itself. Instead, the majority challenge the circumstances surrounding the signing process, such as whether intent was properly established or whether the correct process and evidentiary rules were followed. In some cases, electronic records were accepted as evidence and the transaction under question upheld.
In other cases, the court did not admit, or at least criticized, the electronic records as evidence. For more information on many of the case law examples cited here, download the white paper ESIGN Is Not Enough: How to reduce legal and compliance risk with electronic evidence.
Does the law require a minimum level of user authentication?
In a word, no. The federal ESIGN law does not specify the type of user authentication to be used with e-signatures. The definition of an e-signature under ESIGN refers to user authentication in the phrase “a contract or other record . . . adopted by a person”; however, it does not specify how the signer should “adopt” the contract or record.
Ideally, the choice of a user authentication method should depend on the risk profile of the organization and the process it is automating. For example, smart cards with digital certificates may make sense when signing highly sensitive military requisitions, but they are not necessary for consumers applying for a loan online.
What are some of the key takeaways from recent court rulings?
In a landmark ruling on the admissibility of electronically stored information (ESI), US Magistrate Judge Paul W. Grimm discussed examples of the essential elements of an effective e-contracting process, notably “creating and securely archiving and retrieving an audit trail of the entire ESI management process, from the steps to verify the identity of the persons signing the record all the way through to sealing electronically the document and then securely archiving and retrieving the e-contract.” In fact, Judge Grimm wrote a 100-page opinion that provides guidance on the authentication and admissibility of electronically-stored evidence.
How can we ensure our electronic records & audit trails will be easy for internal and external auditors to review?
When regulated companies undergo a compliance audit, they are often asked to prove the exact business process they followed. This applies to both customer-facing transactions and internal controls. As part of this, auditors also look for a record of every time key documents were touched, when, and by whom.
OneSpan Sign provides both document and process audit trails for the purpose of demonstrating compliance to auditors. To facilitate sharing with internal and external parties, a self-contained audit trail package can be exported out of the OneSpan Sign database as a standalone file and imported into an ECM or records management system. In addition, screens of the visual audit trail can be securely output to PDF or paper and sent to auditors, so they can review it offline.
Are e-signatures legal around the world?
Dozens of countries worldwide have adopted e-signature, digital signature, and e-commerce laws, including:
- China (Electronic Signature Law 2004)
- India (Information Technology Act 2000)
- The Russian Federation (Electronic Signature Law 2011)
- Australia (section 10 of the Electronic Transactions Act 1999)
- Japan (Law Concerning Electronic Signatures and Certification Services)
- Mexico (E-Commerce Act 2000)
For a legal opinion on the enforceability of e-signatures in any given country and any local data residency requirements, consult your legal counsel.
Are there any special requirements for presenting legal disclosures over the web?
As with paper transactions, an organization must still prove that it presented consumers with the government-mandated disclosures in the required format and within the required timeframe. In addition, the organization must be capable of demonstrating that the consumer has consented to receiving disclosures electronically and that he/she can access the information in the electronic format provided.
Delivering disclosures via your website requires more than simply posting disclosures on a web page. Evidence of the entire disclosure delivery process, including how the disclosure was rendered to the consumer’s browser and which actions the consumer took, must be securely stored in an audit trail. To learn more, read our white paper on the Secure Electronic Delivery of Consumer Disclosures.
Where is the best place to get help with my integration?
Our developer community is the best place for developers to get up and running quickly with OneSpan Sign's API and SDKs.
Are there any quick-start guides with a basic example that I can build on?
Yes. There are four ways to get started with OneSpan Sign:
- The provided UI
- The Java SDK
- The .NET SDK
- The REST API
Read our quick-start blog for an overview of how to get started with each.
How do I automatically bring form fields into OneSpan Sign?
To learn more about how to use document extraction to automatically bring form fields into OneSpan Sign, read this blog:
OneSpan Sign How To: Document Extraction (.NET SDK)
How does OneSpan Sign Work?
OneSpan Sign Professional is a web-based e-signature service. You use a web browser to send and sign documents. It’s that simple.
Here’s how it works:
- Upload your documents
- Add your recipients
- Define where the recipients will sign by simply dragging a signature block to the correct location(s) in the document
- Select the authentication method (username/password, secret question/answer, one-time passcode (OTP), third-party authentication services)
- Click “SEND”
An email will be sent to each signer, inviting them to e-sign the document(s). If you are face-to-face with the signer, you have the option of using your own computer or mobile device to capture their signature. Each signer is guided step-by-step through the signing process. Once the documents are signed, they can be downloaded. The e-signed documents can be stored in OneSpan Sign or downloaded for retention in your own system of record and deleted from OneSpan Sign.
The e-signed documents are standard PDF files that can be viewed in Adobe Reader and other PDF readers.
Do I need Adobe Reader?
Adobe Reader is not required to prepare or sign documents. It is only necessary to open and view e-signed documents and to see all the e-signatures. When viewing a document using Adobe Reader, you can verify that a document and its signatures have not been tampered with.
Other PDF viewers will not necessarily display the signature seal. You will need Adobe Reader version 5 or later to view e-signed documents.
Do I need any special hardware or software to e-sign?
No. Signers don’t need anything more than a web browser. When asking customers to sign over the Internet, the best solution is to e-sign documents through a web browser – without asking the customer to download any software. This eliminates the risk that the customer might abandon the process because of frustration and delays caused by software incompatibilities.
Signing with OneSpan Sign is easy. In fact, signers do not even need to create an account. They simply receive an email with a link to a secure site, enter their username and password, and gain access to the e-sign process through the browser.
What’s more, the Mobile Signature Capture feature in OneSpan Sign transforms any web-enabled touchscreen device into a signature capture pad – eliminating the need for signing hardware. This feature is ideal for remote account opening and customer onboarding processes where a hand-scripted signature is needed and the document review takes place on a desktop/laptop.
Which browsers does OneSpan Sign support?
- Internet Explorer 11
- Google Chrome
Which mobile devices can my customers use to e-sign? Which devices are supported?
OneSpan Sign offers you the ability to e-sign documents anywhere, anytime from any web-enabled device, including a smartphone, tablet, and laptop.
Which deployment option is right for me?
OneSpan Sign can be deployed:
- On a public cloud anywhere in the world (the most popular option because of speed-to-market and low cost)
- On a private cloud anywhere in the world (often selected because of increased security requirements and for greater control over where and how data is stored)
- On-premises behind your company’s firewall (selected by organizations that require total control over the servers and data)
Regardless of how you deploy, we offer the exact same product, the same code base, and the same user experience without compromising on security or functionality.
Our single SaaS platform means that you can start developing using a common REST API and SDKs and deploy however and wherever you want. If your needs change over time, you have the flexibility to migrate from one deployment to another, as well as implement OneSpan Sign as a shared service to deliver e-signatures company-wide.
Where can I find information about pricing?
For more information about pricing, visit our pricing page.
Are electronic signatures secure?
Yes. Security is always top-of-mind when organizations begin signing online with customers, partners, and suppliers. OneSpan Sign provides three levels of security:
- User authentication: OneSpan Sign offers multiple ways to verify the signer's identity, including traditional login/password, secret question/answer, one-time passcode (OTP), third-party authentication services (e.g., Equifax), support for CAC/PIV smartcards, and more. To learn more, read the user authentication white paper.
- Document authentication: Once a document is signed with OneSpan Sign, it is locked down with a digital signature (essentially a tamper-proof seal). Unlike paper-based contracts and signatures that require careful attention to detail and that rely on the human eye for verification, e-signed contracts based on digital signatures can automatically flag any errors or alterations, so any attempt to alter the document’s contents after signing will invalidate the digital signature. Plus, it is not possible to copy and paste a signature, since OneSpan Sign also secures the signature blocks with a digital signature. Even with all this security, we make it easy for you to verify the authenticity of the document and signatures – in just one click.
- Audit trails: OneSpan Sign captures all the digital fingerprints that people leave as they go through a signing process. These are captured in two types of audit trails: a static audit trail (what the signer signed) and a patented visual audit trail (how the signer signed). OneSpan Sign resonates with legal and compliance teams because these audit trails provide visibility into when and how the transaction took place – something that simply isn’t possible in the paper world.
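The tamper-evident seal described above is a digital signature over a hash of the signed content, and verification is a hash recomputation plus a signature check against a key the verifier trusts. The following is an added example written for this page; it is not OneSpan Sign's code or file format. It assumes an Ed25519 key pair standing in for the service's signing certificate, a constructed document and static audit trail, and a simple length-prefixed layout chosen for the example. It shows that editing the document or the audit trail after sealing, or re-sealing with a key the verifier does not trust, is detected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SealedRecord stands in for an e-signed document package: the document
// bytes, the static audit trail sealed with it, and one signature over a
// hash of both. This layout is an assumption for the example; it is not
// the OneSpan Sign file format.
type SealedRecord struct {
	Document   []byte
	AuditTrail []byte
	Signature  []byte
}

// digest binds the document and audit trail into one SHA-256 hash. Each
// field is length-prefixed so bytes cannot be shifted from one field to
// the other without changing the hash.
func digest(document, auditTrail []byte) []byte {
	h := sha256.New()
	for _, field := range [][]byte{document, auditTrail} {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(field)))
		h.Write(n[:])
		h.Write(field)
	}
	return h.Sum(nil)
}

// Seal signs the digest with the sealing key. In the product the key lives
// with the service; here it is generated on the fly.
func Seal(priv ed25519.PrivateKey, document, auditTrail []byte) SealedRecord {
	return SealedRecord{
		Document:   document,
		AuditTrail: auditTrail,
		Signature:  ed25519.Sign(priv, digest(document, auditTrail)),
	}
}

// Verify checks the seal against a public key the verifier already trusts
// (in a real PDF, one taken from a certificate chained to a trusted CA).
// The trusted key is supplied by the verifier, not read from the record:
// a key shipped alongside the signature could be swapped along with it.
func Verify(trusted ed25519.PublicKey, r SealedRecord) bool {
	return ed25519.Verify(trusted, digest(r.Document, r.AuditTrail), r.Signature)
}

// Demo seals a constructed record and then applies three alterations.
// It returns whether the intact record verifies and whether each
// alteration is detected.
func Demo() (intact, docTamper, trailTamper, keySwap bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample content; not real customer data.
	doc := []byte("Loan agreement: principal 10,000, term 36 months.")
	trail := []byte("2024-01-01T10:00:00Z signer=alice@example.com action=signed")

	rec := Seal(priv, doc, trail)
	intact = Verify(pub, rec)

	// 1. Edit the document body after sealing.
	altered := rec
	altered.Document = []byte("Loan agreement: principal 100,000, term 36 months.")
	docTamper = !Verify(pub, altered)

	// 2. Edit the audit trail (here, the recorded signer).
	altered = rec
	altered.AuditTrail = []byte("2024-01-01T10:00:00Z signer=mallory@example.com action=signed")
	trailTamper = !Verify(pub, altered)

	// 3. Re-seal the altered record with a different key. The signature is
	// internally consistent but is not from the key the verifier trusts.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	reSealed := Seal(otherPriv, altered.Document, altered.AuditTrail)
	keySwap = !Verify(pub, reSealed)
	return
}

func main() {
	intact, docTamper, trailTamper, keySwap := Demo()
	fmt.Printf("intact record verifies: %v\n", intact)
	fmt.Printf("document edit detected: %v\n", docTamper)
	fmt.Printf("audit trail edit detected: %v\n", trailTamper)
	fmt.Printf("re-seal with untrusted key detected: %v\n", keySwap)
}
```

The third case is the one a verifier most easily gets wrong: a record that carries its own public key will always "verify" against itself, so independent verification means checking the signing key against a trust anchor (a certificate chain or a pinned key), not just checking that the signature matches the bytes.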
What are the top security features to look for in an e-signature solution?
Strong security requires the right mix of people, processes, and technology. Taking a multi-pronged approach to e-signature security in the cloud will ensure your records (and the records of your customers) are handled and managed appropriately. It will also foster customer confidence and protect your organization’s reputation. That is why we recommend taking a broad view of e-signature security that includes:
- The ability to choose the appropriate level of authentication for each of your processes (internal processes require less authentication, while external processes with customers typically require stronger authentication).
- Protecting e-signatures and documents from tampering.
- Making it easy to verify e-signed records – independently of the vendor – to ensure that no changes have been made to the document since it was signed.
- Ensuring the long term reliability of your e-records, independent of your vendor.
- Choosing a vendor with a consistent track record for protecting customer data.
To learn more, check out the Ultimate E-Signature Security Checklist.
What is the best way to authenticate signers online?
It really depends on the type of transaction and the risk associated with it. For example, an online mortgage renewal with an existing customer is a transaction with someone who likely already has online banking credentials. In that case, the customer could log in to the banking portal using their existing credentials, access the renewal document, and e-sign it directly inside the online banking portal.
However, if the participant is an “unknown customer,” the bank must have a method of verifying the customer's identity documents. This can include a proof of residence, passport, driver’s license, state-issued ID, or other uniquely identifying documents.
There are two methods of ID Verification:
- In-person Verification: This requires the customer to show a bank associate a physical copy of their government-issued photo ID. The associate must then confirm that the ID is genuine and approve the transaction.
- Digital ID Verification: With new technology and regulations, such as the U.S. MOBILE Act, organizations can now digitize the ID verification process. Harnessing the power of mobile devices, banks can accept a scanned copy of the customer's photo ID to verify its authenticity, and ask the customer to upload a selfie to match against the scanned ID.
To learn more, read the user authentication white paper.
Can I choose where my data resides?
Yes. Data residency is top of mind for organizations today. In addition to existing deployments in the US and Canada, we offer customers around the world access to both public and private cloud instances of OneSpan Sign in Australia, the UK, Germany, Japan, Singapore, and Brazil. For example, many of our Canadian customers are already processing their e-signed documents through data centers in Toronto and Montreal.
The same applies to our connectors. For example, our e-signature app for Salesforce provides organizations with the flexibility to connect to any global instance of OneSpan Sign – whether that’s in the US, Canada, or any of the six countries listed above. So contracts, NDAs, and documents that are delivered to your customers and partners for signature via Salesforce reside wherever your internal IT policies dictate. OneSpan Sign is the only e-signature solution in the market to provide this level of global flexibility. To learn more, read this data residency blog.
What security certifications does OneSpan Sign have?
Security-conscious organizations are looking for assurance that the vendors they work with meet the necessary security requirements. While there are a number of compliance programs in place at the data center level (e.g., HIPAA, SOC 1/SSAE 16, SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, etc.), as well as military-grade physical controls, we wanted to go above and beyond for our customers. OneSpan Sign meets additional security control and compliance requirements, including:
- ISO/IEC 27001:2013: ISO/IEC 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance. The basis of this certification is the development and implementation of a rigorous security program, which includes the development and implementation of an Information Security Management System (ISMS) which defines how OneSpan Sign continuously manages security in a holistic, comprehensive manner.
- ISO/IEC 27017:2015: OneSpan takes a structured approach to cloud security by implementing a series of best practices to comply with the ISO/IEC 27017 standard for specific requirements for cloud security services and cloud security controls. ISO/IEC 27017 is designed to assist in the recommendation and implementation of controls for cloud-based organizations. This is not only relevant to organizations which store information in the cloud, but also for providers which offer cloud-based services to other companies who may have sensitive information.
- ISO/IEC 27018:2019: OneSpan meets the standard for protecting customer data in the cloud as an ISO/IEC 27018 certified organization. ISO/IEC 27018 is a code of practice that focuses on protection and privacy of personal data in the cloud. It is based on the ISO/IEC 27002 information security standard and provides implementation guidance applicable to storing Personally Identifiable Information (PII) in a public cloud. It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO/IEC 27002 control set.
- SOC 2 Type II: In a security audit by KPMG, OneSpan Sign’s data protection technologies and processes were verified as SOC 2 compliant.
- FedRAMP: OneSpan Sign allows government agencies to securely leverage e-signatures in the cloud and take advantage of cost-savings and drive employee and citizen engagement.
- Skyhigh: Skyhigh Enterprise-Ready cloud services fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): For the U.S. healthcare industry, OneSpan Sign is compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA outlines the requirements for the management, storage, and transmission of protected health information in both physical and digital form.
We also meet the government security certification standards issued by:
- The National Institute of Standards and Technology (NIST).
- The Joint Interoperability Test Command (JITC). OneSpan Sign has 13 JITC certifications, more than any electronic signature solution provider.
- The National Security Agency's National Information Assurance Partnership (NIAP), through our support for FIPS PUB 140-2, a computer security standard used to accredit cryptographic modules.
OneSpan Sign also supports the latest SHA hash standards.
For more information, see our Trust Center.