Best Practices for Digital Signatures

Everyone’s John Hancock is unique. Our signature verifies our identity when we sign a paper document like a contract — or use a notary seal on a legal document. Signing electronic documents, however, is a little different. Enter the digital signature. Digital signatures also indicate the authenticity of electronic documents and the people signing them.

Many countries, including the United States, consider digital signatures legally binding — something that became incredibly important during the global pandemic when restrictions restricted face-to-face meetings, including those involving paper documents and contracts.

While some may still question the legality of these digital signatures, the U.S.’s 2000 Electronic Signatures in Global and National Commerce Act (ESIGN) confirmed that if all parties accept e-signatures, those signed documents are legally binding. E-signatures are legal and admissible in court when they include:

  • A digital seal that tracks its origins.
  • An audit trail back to the original signer.
  • Robust authentication methods used to confirm the signers’ identities.

If someone forges a signature electronically, they may face penalties that include community service, fines, restitution, probation or even jail time. One way companies can protect themselves from forgery is to use public and private keys.

The keys to encryption

Digital keys aren’t literal keys, but they work similarly. Meet cryptographic keys. They’re often referred to based on their roles in different cryptographic processes. 

Private or “secret” keys encrypt and decrypt data. They include long, randomly-generated sequences of numbers, letters and symbols that are hard to guess. The longer and more complex the sequence, the better it withstands a brute-force attack. Private keys are never shared or publicly transmitted. They’re stored on the owner’s system. Public keys are exactly what they sound like. Anyone can access a public key, which is often posted on public key servers, like a public key infrastructure system

A digital signature’s public and private keys are related mathematically but can’t be generated from each other. Private keys verify the sent message’s authenticity because they’re specifically assigned — and unique — to each user.

Creating Digital Signatures

Many signing software programs like DocuSign or Dropbox Sign enable digital signatures. These signatures play a crucial role in establishing trust among diverse stakeholders like vendors, business partners, real estate brokers and their clients, and many others by offering proof that an online document is unaltered — intentionally or unintentionally. Digital signatures also facilitate and support transparency in online transactions and remain popular for their convenience and security.

Public key encryption is characterized by its relatively slow processing speed. To mitigate this issue, the technology hashes (transforms the key or string of characters into a new value) and encrypts messages with a private key first rather than encrypting the entire message. 

So signing software would create a one-way hash of the digital document needing a signature. Applying the hash function to this digital signature helps identify potential hampering, which would reveal itself with a different hash value than the original hash value. Matching hash values ensure the document’s integrity. Mismatched hash values alert the sender and recipient to a potential problem.

Digital Signatures Versus Digital Certificates

You’ve probably seen a digital certificate in the past. It’s used for sharing keys used to authenticate digital signatures. Web browsers like Chrome, Safari and Firefox use digital certificates to verify that cybercriminals haven’t modified or hacked into a particular website or infected its content with a virus. If you click on the lock to the right of most URLs, it’ll take you to the digital certificate verifying the domain is authentic and trusted. 

But they’re used in other ways, too:

  • Debit and credit cards use digital certificates embedded in the chips to secure connections between merchants and banks during financial transactions.
  • Digital payment companies like Square, PayPal and Apple Wallet rely on digital certificates to authenticate kiosks, point-of-sale equipment and automated teller equipment with the central servers located in the data center.
  • Digital certificates are embedded into cable modems during manufacture to prevent device cloning, which allows hackers to steal broadband service.
  • Emails use digital certificates to identify senders and recipients and protect their messages and attachments, including any documents sent and returned with electronic signatures.

Essentially, digital certificates store the public key, information about the owner, expiration dates and the certificate issuer’s digital signature. A certificate authority like GlobalSign or DigiCert will issue the digital certificate. When you choose one, always verify that it’s issued from a trusted third party, double-check its expiration date and ensure you understand how to renew it when it expires.

Unlike digital certificates, a digital signature validates the authenticity of the digital document, email message or software. Digital certificates verify that the public key belongs to the issuer.

Using a Digital Signature for Important Documents

Does it make sense to return to paper signatures? Consider that businesses opting for paperless solutions reduce processing errors by about 90%. If your company implemented e-signatures during COVID but didn’t have time to implement best practices, here are some tips to protect your business and its clients.

  1. Check for compliance certificates required under the E-Sign Act 2000 and various other electronic regulations and legislation like UETA and eIDAS. Those terms include that:
  • Every signing party agrees to sign electronically.
  • Signatures must include a visible mark on the electronic statement and be connected to the document needing that signature.
  • Electronic signatures are valid if the signer intends to sign, but signatories must have the option to decline to sign.
  • Regardless of the signature, it must show who signed the document.
  1. Develop a clear, uniform, robust e-signature policy. Employees and clients must understand the e-signature policy. Share it with everyone, defining who can sign what documents. Define unfamiliar terms and make sure you review and update the policy regularly.
  2. Train your staff on how to use your electronic signature software.
  3. Ensure that your e-signature software includes an audit trail or certificate of completion. The audit trail proves transactions with tamper-free evidence. The audit should include:
  • A timestamp of each signature.
  • The signer’s IP address.
  • The signer’s name and email address.
  • Detailed documentation of any changes made to the document.
  1. Offer clients diverse signing options: digital or hard copy.
  2. Maximize the electronic signature process to include additional information or promote and scale your business. Your e-signature solution might include a call to action or a link to social media.
  3. Evaluate and measure success to see how well your e-signature process — and platform — align with your requirements.  

Electronic signatures improve efficiency, save time and reduce errors when implemented properly. The right processes streamline business operations while keeping sensitive data safe.

Are you a commercial real estate investor or looking for a specific property to meet your company’s needs? We invite you to talk to the professionals at CREA United: an organization of CRE professionals from 92 firms representing all disciplines within the CRE industry, from brokers to subcontractors, financial services to security systems, interior designers to architects, movers to IT, and more.

Related Articles