In a recent study, Creation Technologies found that the average employee with signing authority uses roughly $1,350 in annual paper-related costs. For the signature-heavy architecture, engineering, and construction (AEC) industry, where project plans, RFIs, contracts, drawings and designs can all involve multiple signers, the costs can really add up. These costs could be significantly reduced by using an all-electronic workflow for signing, sharing and storing documents.
Digital Signatures are a core component of end-to-end electronic document workflows because they allow you to securely replace physical wet ink signatures (and the manual processes that go along with them). Despite the obvious benefits of adopting Digital Signatures, such as reducing paper waste, decreasing overhead costs and shortening project timelines, many AEC companies are holding off on making the switch until required by government mandate.
Well, those days are numbered. A growing list of US states have already released their baseline requirements for signing city and state documents with Digital Signatures as a replacement for wet ink signatures, seals and stamps. Some states even have separate documentation and requirements specifically for AEC. Therefore, when you pick your Digital Signature solution, it is important to choose one that meets or exceeds those standards.
But what exactly are those standards? Because each state has the authority to decide which rules it will enforce, it can be difficult to nail those down. However, there are some common core requirements. We’ve compiled these below based on language from signature laws in California, Oregon and Washington D.C. You should make sure to check your local laws and regulations before investigating solutions that will best meet your needs.
Note: You’ll notice we’re using the term ‘Digital Signature’ versus ‘electronic signature’ throughout this post. While the term electronic signature is broad and unstandardized, Digital Signature refers to a very specific kind of signature that is based on Public Key Cryptography. This underlying cryptography provides greater security and assurance over the signer’s identity, validity of the signature and integrity of the document contents. These concepts are important to meeting engineering requirements and most state signature laws specify the use of Digital Signatures. For more on digital vs. electronic signatures, check out our related post.
Four Common Digital Signature Requirements from US State Regulations
1. The Digital Signature must be unique to the person using it [1][2][3]
This requirement should not be a surprise to anyone. Whether you are receiving a signed document, or signing one yourself, you want to make sure that the person who needs to be signing your document is actually the right person.
Because of the anonymity of the internet, there are limited ways to confirm that someone is who he or she says they are. One method is to be externally vetted by a third-party public Certificate Authority (CA). CAs are entities that are publicly trusted to assign Digital Identities to individuals, departments or companies.
This is similar to the process of getting a passport. You submit all the appropriate documentation to the US Department of State and they give you a passport that uniquely identifies you. Likewise, you submit identity verification documents to a CA and they issue you a unique Digital Certificate that confirms your online identity. You use this certificate to apply Digital Signatures. This means you can be confident that you alone can apply a Digital Signature in your name and your recipients can also be confident that it was really you who signed the document.
2. The Digital Signature must be capable of verification [1][2][3]
Verifying the validity of a signature is extremely important whether it is digital or wet ink. This is the reason high value transactions (e.g. applying for loans and certain contracts) often require a notary for wet ink signatures – the parties involved want to ensure the people signing the documents are who they say they are. In this case, the signatures are verified by the notary.
But what about Digital Signatures? This is where getting your Digital Signature from a publicly trusted CA comes in handy. Because a trusted third-party CA verifies your identity before issuing your certificate, and you use that unique certificate to apply your Digital Signature, there is clear evidence on every document you sign that shows who signed the document, when it was signed and who verified the signer.
3. The Digital Signature must be under the sole control of the person using it [1][2][3]
There is an obvious trend here: you need to make sure that the signature in the document was actually applied by the individual. All parties involved in the electronic document exchange need to know that you, and you alone, can apply your Digital Signature.
For Digital Signatures, this comes down to protecting your signing certificate, and in particular its private key, because anyone who has access to that key can digitally sign in your name. Storing your certificate on cryptographic hardware (e.g. a FIPS-compliant USB token) is a common option for this and means that in order to apply your signature, you need the token itself and a password. In the case of theft of your physical hardware token, the thief would still need your token password to use your signing credentials.
When you’re ready to start researching vendors, you should make sure they offer some kind of hardware certificate protection or if not, that they have an alternative means of meeting this requirement.
4. The Digital Signature must be linked to data in such a manner that if the data is changed, the Digital Signature is invalidated [1][2][3]
Content integrity and protecting intellectual property is essential, especially for the engineering industry. You want to ensure that whatever is in the document you sign off on or publish isn’t later changed. Fortunately, applying a Digital Signature essentially creates a tamper-evident seal on the document.
Part of the signature validation process (which happens automatically and behind the scenes when someone opens a signed document) involves comparing the content of the document before and after the signature was applied. If any changes were made, an error message will be shown. For more details on the cryptography behind this process, check out our related blog – How Do Digital Signatures Work.
Note: It is possible to allow certain changes to be made after a signature is applied (e.g. additional Digital Signatures, form fill-ins and annotations). In this case, these types of additions will not invalidate the signature or trigger an error message.
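The tamper-evident behaviour in requirement 4, and the note about additions made after signing, can be seen in a short Node.js sketch. This is an added example, not code from the original post or from any vendor: the document text, the Ed25519 key pair and the `signDocument`/`checkDocument` helpers are constructed for illustration, and the model is simplified so that the signature covers the bytes that existed at signing time while later additions are appended after them.

```javascript
const crypto = require('crypto');

// Constructed signer key pair. In practice the private key would sit on a
// hardware token and the public key would be carried in a CA-issued certificate.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Sign the document as it exists now and record how many bytes were covered.
function signDocument(doc, key) {
  return { coveredLength: doc.length, signature: crypto.sign(null, doc, key) };
}

// Classify a received document against the signature record.
// Only the bytes that existed at signing time are checked against the signature.
function checkDocument(doc, sig, pubKey) {
  if (doc.length < sig.coveredLength) return 'INVALID';
  const covered = doc.subarray(0, sig.coveredLength);
  if (!crypto.verify(null, covered, pubKey, sig.signature)) return 'INVALID';
  return doc.length === sig.coveredLength ? 'VALID' : 'VALID_WITH_LATER_ADDITIONS';
}

const original = Buffer.from('Drawing S-101 rev B: beam W12x26, span 18 ft\n'); // constructed
const sig = signDocument(original, privateKey);

// One byte changed inside the signed content: W12x26 becomes W12x36.
const tampered = Buffer.from(original);
tampered[tampered.indexOf('26')] = 0x33;
// An annotation appended after signing; the signed bytes are untouched.
const annotated = Buffer.concat([original, Buffer.from('Reviewer note: approved\n')]);
// Signed content cut short.
const truncated = original.subarray(0, original.length - 5);
// A different signer's public key (constructed) must not validate the signature.
const otherKey = crypto.generateKeyPairSync('ed25519').publicKey;

function runDemo() {
  return {
    untouched: checkDocument(original, sig, publicKey),
    tampered: checkDocument(tampered, sig, publicKey),
    annotated: checkDocument(annotated, sig, publicKey),
    truncated: checkDocument(truncated, sig, publicKey),
    wrongSigner: checkDocument(original, sig, otherKey),
  };
}

console.log(runDemo());
```

The appended bytes are not covered by the signature, so a validator still has to decide which kinds of later additions it will accept and show them to the reader as unsigned.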
Digital Signatures Play a Key Role in Going Paperless
The benefits of going paperless have been clear for years, but signatures were often a sticking point - what is a secure electronic alternative and would that electronic signature be accepted legally? Fortunately, state electronic signature regulations are helping to answer both of those questions for engineering companies who want to make the switch.
Digital signatures are the clear solution. Capable of authenticating the signer, validating the signature and ensuring content integrity, they meet the requirements highlighted above that are the basis of most state engineering electronic signature requirements. In fact, the three state laws we referenced in this post all mention Digital Signatures specifically, as opposed to other types of electronic signatures.
While there are other components needed to implement a fully electronic document workflow, when it comes to signatures, all signs are pointing to digital.
[1] California Regulation
[2] Washington D.C. Regulation
[3] Oregon Regulation