Security Best Practices for E-Signatures
November 17, 2014
Featured article by Michael Laurie, Vice President, Product Strategy, and co-founder of Silanis Technology
Recent large-scale data breaches at companies such as Home Depot, Target and JPMorgan Chase have left many wary that completing transactions electronically may not guarantee the security of their data. And it’s not just a handful of breaches or offenders that people can point to; making a retail purchase or signing for a mortgage loan means transacting with several companies with varying levels of data protection. As businesses increasingly move into the digital world, they require technologies that enable transactions to start and finish completely electronically without ever falling to paper when a signature is required. With multiple data touch points in every transaction, it’s more important than ever for companies to integrate technologies with built-in, best-in-class security to help automate business transactions and keep data safe.
Electronic signatures are a critical technology for new business process improvements in industries such as banking, insurance, real estate and healthcare. With security understandably being a top concern for those looking to implement a cloud-based e-signature solution, it is not enough to simply look for one that is ESIGN compliant or that has standard security measures in place. Taking a broader view of e-signature security will not only safeguard a company’s data and its customers’ data, but also strengthen its legal and compliance position.
A company should approach the selection of a secure e-signature solution with two areas in mind: what’s built into the solution and the security practices around the technology. Firstly, companies should look for:
- Strong authentication methods;
- Data protection through encryption in transit and at rest;
- Document and process evidence that is easily replayed and verified in one click, and stored independently of the e-signature vendor.
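The third criterion, evidence that can be verified without going back to the vendor, is the one most easily checked in code. The following is an added example, not code from the article or from Silanis: it builds a tamper-evident audit trail by hash-chaining each signing-process event to the previous one and to the document hash, then verifies the package offline. The event names, fields and the sample document are constructed assumptions; a real evidence package would also carry a vendor signature or trusted timestamp over the final hash, which this stdlib-only example omits.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _canonical(entry: dict) -> bytes:
    # Deterministic serialization so the same entry always hashes identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def build_evidence_package(document: bytes, events: list) -> dict:
    """Chain each process event to the document hash and to the prior event.

    Any later edit to the document or to one event changes every hash after it,
    so the final hash alone is enough to detect tampering.
    """
    doc_hash = sha256_hex(document)
    prev = doc_hash
    chained = []
    for event in events:
        entry = dict(event, prev_hash=prev)          # link to previous entry
        entry["entry_hash"] = sha256_hex(_canonical(entry))
        chained.append(entry)
        prev = entry["entry_hash"]
    return {"document_sha256": doc_hash, "events": chained, "final_hash": prev}

def verify_evidence_package(document: bytes, package: dict) -> bool:
    """Re-derive the whole chain from the document; needs nothing from the vendor."""
    if sha256_hex(document) != package.get("document_sha256"):
        return False
    prev = package["document_sha256"]
    for entry in package.get("events", []):
        if entry.get("prev_hash") != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(_canonical(body)) != entry.get("entry_hash"):
            return False
        prev = entry["entry_hash"]
    return prev == package.get("final_hash")

# Constructed sample input (assumed field names, not a real vendor format).
SAMPLE_DOCUMENT = b"Loan agreement v1 (constructed sample)"
SAMPLE_EVENTS = [
    {"seq": 1, "action": "document_presented", "signer": "alice@example.com",
     "ts": "2014-11-17T10:00:00Z"},
    {"seq": 2, "action": "consent_accepted", "signer": "alice@example.com",
     "ts": "2014-11-17T10:01:12Z"},
    {"seq": 3, "action": "signature_applied", "signer": "alice@example.com",
     "ts": "2014-11-17T10:02:30Z", "auth_method": "sms_otp"},
]

def demo() -> tuple:
    """Returns (intact_ok, document_tampered_ok, trail_tampered_ok)."""
    package = build_evidence_package(SAMPLE_DOCUMENT, SAMPLE_EVENTS)
    intact = verify_evidence_package(SAMPLE_DOCUMENT, package)
    # Document text altered after signing: the document hash no longer matches.
    doc_tampered = verify_evidence_package(SAMPLE_DOCUMENT + b" (altered)", package)
    # One event rewritten inside the trail: its entry hash and the chain break.
    altered = json.loads(json.dumps(package))
    altered["events"][1]["action"] = "consent_skipped"
    trail_tampered = verify_evidence_package(SAMPLE_DOCUMENT, altered)
    return intact, doc_tampered, trail_tampered

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The design point is that the verifier needs only the document, the exported package and a copy of the final hash that the relying party keeps itself (for example embedded in the signed document it retained), so the check still works if the vendor is unavailable or the relationship has ended.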
In addition to the criteria listed above, security-conscious organizations should also look at the protocols an e-signature vendor has in place to identify and prevent data breaches. There are a number of compliance programs and frameworks in place to guide how such protocols are built and implemented; however, it is important that companies understand the difference between the options and what works best for them and their customers.
- SSAE 16 / Service Organization Controls (SOC) 1 – This attestation is best suited for financial processing systems such as a payroll system because it focuses on controls over financial reporting. SOC 1 does not look at technology and does not provide comprehensive assurance for security, availability, processing integrity, confidentiality or privacy controls.
- ISO 27001 – This certification provides proof of an organization’s ability to maintain an effective Information Security Management System. The certification lasts for three years and comes with spot checks, providing “point-in-time” assurance. This program does not provide enough assurance that a system is secure every day over an extensive period of time. Companies can compare this attestation to getting a house inspected. On the day of the inspection, the house may be clean and up to standards, but once the inspection is complete, there is no real way to verify the cleanliness standard of the house.
- Service Organization Controls (SOC) 2 – This attestation focuses on the technology and the processes behind the security of the service and ensures that controls are in place at all times, rather than simply a single point in time. SOC 2 was introduced in 2011 to answer the need to assess technology, which SOC 1 was not doing, and is considered the most meaningful and relevant security standard in the market. Audits are performed every six or 12 months to ensure that security is integrated, day in and day out. SOC 2 has the added benefit of offering customers insight into a vendor’s technology and processes by way of a consolidated report, offering an independent assessment of a company’s control environment relevant to system security.
Out of the three common compliance programs mentioned above, companies should look for an e-signature vendor that has completed SOC 2 attestation, as it offers assurances on internal controls, policies and procedures for the security of the system, rather than on financial reporting, which is the main focus of SSAE 16 (SOC 1). SOC 2 better assists companies in evaluating the security controls and reliability of a vendor’s service under a consistent set of stringent processes and over a period of time, ensuring that the processes in place to secure data are monitored consistently.
When it comes to choosing and implementing an electronic signature solution, it is essential for companies to balance security concerns with the ease of use that people expect in the online world. A simple user experience helps ensure customer adoption of a technology that is designed to keep customer data and contracts secure. To find out more on what to look for when it comes to e-signature security, download the Security for E-Signatures and E-Transactions whitepaper.
Michael Laurie, Vice President, Product Strategy, and co-founder of Silanis Technology
Michael co-founded Silanis more than 20 years ago. Today he is responsible for planning and growth strategies for product marketing and product management.
An expert in the field of compliance and standards for electronic signatures and e-vaulting solutions, Michael has been a driving force in advancing the e-signature marketplace through his participation in industry associations and contribution to standards including SPeRS, ESRA, MISMO and IRI. He is a frequent featured speaker at industry conferences and events. In 2013, he was recognized by BuckleySandler LLP with an ESIGN Service Award for his pioneering educational efforts, innovation within the industry and championing of electronic signatures in commerce.