When looking for an eSignature Cloud Service Provider (CSP), security and privacy are crucial. Your eSignature CSP will likely be helping you manage sensitive information. So, it’s important to choose a provider that you can trust to protect your organization’s and your customers’ data. In this article, we review six things to look for when assessing a CSP’s security and privacy protection.
Industry Security Certifications
The world of data processing is complex, even dangerous. In this age, data drives much of our day-to-day life. Hence, malicious actors are always trying to steal and ransom data and to compromise data processing systems. Thankfully, many security frameworks, like the globally adopted NIST Cybersecurity Framework (CSF), have been developed to help keep organizations safe.
There are many security frameworks and standards. In the cloud industry a few important ones include:
- NIST Cybersecurity Framework, together with other supporting NIST standards
- ISO 27001, ISO 27017 and ISO 27018
- Service Organization Control (SOC) 1, 2 and 3
These frameworks contain important security guidelines and controls that help ensure the protection of your data. If your CSP has or leverages one or more of them, it means that your data is likely well-protected.
Note that there are three SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 focuses on controls relevant to financial reporting and might not be relevant to your needs. SOC 2 was partially created in response to the rise of cloud computing. In most cases, it will be the most relevant. SOC 2 Type 1 signifies that a CSP has been initially audited and the controls were found to be in place at a point in time. SOC 2 Type 2 signifies that the CSP has maintained the controls over a period of time. Finally, a SOC 3 report is a more general type of report that’s often used for marketing purposes. It covers many of the same topics as a SOC 2 report, but is simpler and easier to digest.
Legislative and Regulatory Compliance
When it comes to government laws and regulations, things can get complex. Depending on the jurisdiction, the laws and regulations that apply will be different. For eSignature CSPs, privacy protection legislation and electronic signature legislation are the two main legal considerations.
In Canada, one law to keep in mind is the PIPEDA. It stands for “Personal Information Protection and Electronic Documents Act”. As its name suggests, it covers personal information and electronic documents.
With its first part, PIPEDA applies to Canadian private-sector organizations. Specifically, those that collect, use or disclose personal information in the course of commercial activity. Organizations subject to a provincial privacy law that’s substantially similar are often exempt from PIPEDA. Examples include organizations in British Columbia, Quebec and Alberta. Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation. Note that in British Columbia and Nova Scotia, provincial privacy laws require public sector organizations to store and access personal information in Canada only, so in those cases it is essential to use a CSP that stores your data in Canadian data centres. In the rest of the provinces, Canadian data residency may be encouraged, but isn’t mandatory. To help assure your customers, you may wish to ensure that your organization’s data remains in Canada regardless. If you are not sure which Canadian laws apply to your organization, this decision tree can help:
In the United States, there isn’t one set of regulations that governs data privacy protection. Instead, several federal and state laws determine how to handle and protect data. For example, organizations in California may be subject to the California Consumer Privacy Act (CCPA).
Other countries also have their own laws and regulations governing data privacy protection. CSPs with customers in the EU may be subject to privacy regulations from the EU General Data Protection Regulation (GDPR).
The second overall consideration is the legality of electronic signatures. There are a myriad of Canadian federal acts and regulations that address eSignatures. Examples include:
- PIPEDA, Part 2 (governs private-sector organizations’ use of electronic documents and signatures for purposes required by federal laws)
- Secure Electronic Signature Regulations
- Electronic Payments Regulations (annexed to the Financial Administration Act (FAA))
- Payments and Settlements Requisitioning Regulations (annexed to the FAA)
Besides these, over 20 federal acts and 30 regulations include references to “electronic signature”.
As well, most Canadian provinces and territories have enacted e-commerce and e-transaction laws. These provide electronic equivalents to paper-based signatures, along with other requirements.
In the US, there are numerous related laws including:
- The US Electronic Signatures in Global and National Commerce Act (E-SIGN)
- The US Government Paperwork Elimination Act (GPEA)
- The US Uniform Electronic Transactions Act (UETA). This covers most States, D.C. and the US Virgin Islands.
As well, some FDA-regulated industries may need to be compliant with the Code of Federal Regulations (CFR) Title 21 Part 11. This identifies certain technical eSignature requirements. Some examples of these industries include:
- US drug makers
- Medical device manufacturers
- Biotech companies
- Biologics developers
- Contract research organizations (CROs)
There are many other existing and evolving eSignature laws around the world. For example, the EU Regulation No 910/2014. This covers electronic identification and trust services for electronic transactions in the European internal market (eIDAS).
One often misunderstood fact is that laws and regulations don’t have associated technology certification programs. Simply put, there aren’t any third-party audits to check compliance with them. That’s different from the industry security frameworks and standards that we discussed above.
Ultimately, it is up to your organization to operate under applicable laws and regulations. Your CSP and its eSignature solution should help you remain compliant with all relevant regulations. But in general, you will still remain responsible and legally accountable.
Third-Party Data Sub-Processing
Third-party evaluated security certifications are a good proxy to test how well a CSP handles an organization’s data. However, sometimes you may wish to go a little deeper. Especially about third-party data sub-processors involved in the provision of an eSignature service.
For example, ask questions about the sub-processors that the CSP uses to process data. What data do they share with them for sub-processing? In which countries are those sub-processors storing that data? Does your CSP hold them accountable to the same high security standards that the CSP uses? Has your CSP provided you details on their sub-processors? Are they certified? Have you agreed to their use, in contract?
Another best practice is to document the technical and organizational measures (TOMs) that are expected to be in place. Around the world, this is done using a Data Processing Agreement (DPA). You’ll usually see it as an appendix to the main contract with the CSP.
Security Governance Principles
Having a corporate culture that stresses the protection of data and the implementation of standard privacy practices is very important for a CSP. Even with security certifications, a CSP always needs to take security and privacy seriously at all levels. Good information security and privacy governance ensures that a company can operate securely. It means they’ve got the right board and executive involvement, leadership, organization, policies, standards, practices, processes, and tools.
To assess a CSP’s information security and privacy governance, here are a couple of tips:
- Check that the CSP’s goals and priorities are linked with security and privacy.
- Make sure that the CSP has designated senior individuals responsible for overseeing and making security and privacy decisions. Usually this is the Chief Security Officer (CSO) and Chief Privacy Officer (CPO).
Solution Security and Privacy
Your cloud software provider’s product must be designed with security in mind. For cloud solutions, there are several important requirements. For example, using TLS 1.2 or 1.3 to encrypt “data in transit”, and encrypting “data at rest”. It’s also important to know how the service keeps data in different customer accounts separate from each other. Qualys SSL Labs (ssllabs.com) is a free online service that can help you assess how securely a cloud-based application’s web endpoint is configured. An “A” means that the web application is securely built using the latest web protocols. A “C” or “D” indicates seri
Your eSignature CSP’s solution should be designed and maintained with security and privacy in mind. For example: implementing a Development-Security-Operations or “DevSecOps” approach to software development. This helps ensure that security is considered at every stage of the software development life cycle. Another example is using the “Privacy by Design” or PbD principles, practices and approaches. This is a solid way of ensuring privacy considerations at every stage.
One simple check that you can undertake is to test the security of the CSP’s website. Go to ssllabs.com, input the CSP’s website URL, and then run the test. A score of “A” or higher suggests that the CSP pays attention to security. A score of “B+” or below may suggest otherwise. Under no circumstances today should a CSP permit the use of the older SSL protocols or the weak TLS 1.0 and 1.1. Nor should it permit the use of weak browsers, protocols or ciphers.
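The protocol-version part of that check can also be scripted for a quick first look before (not instead of) an SSL Labs scan. The following is an added example, not code from the original article or from any CSP; it assumes an OpenSSL-backed Python `ssl` module, and the host name on the command line is whatever CSP endpoint you are assessing.

```python
import socket
import ssl
import sys

# Versions to probe, oldest first. The article's rule: SSL and TLS 1.0/1.1
# must be refused; TLS 1.2 or 1.3 must be offered.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def handshake_ok(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.
    True if the server completed it, False if the handshake failed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Certificate validation is not what this probe measures; check the
    # chain separately (SSL Labs does). check_hostname must be cleared
    # before verify_mode can be relaxed.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Assumption: OpenSSL backend. SECLEVEL=0 lets the client offer
        # legacy versions at all; without it every probe below 1.2 fails
        # locally and would be misreported as "refused by server".
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def probe(host, port=443):
    """Map each version name to whether the server accepted it."""
    return {name: handshake_ok(host, port, ver) for name, ver in VERSIONS.items()}

def assess(results):
    """Apply the article's rule to a probe result. Returns (passed, findings)."""
    findings = []
    for legacy in ("TLSv1.0", "TLSv1.1"):
        if results.get(legacy):
            findings.append(f"{legacy} is still accepted (weak, should be disabled)")
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        findings.append("neither TLS 1.2 nor TLS 1.3 is offered")
    return (not findings, findings)

if __name__ == "__main__":
    passed, notes = assess(probe(sys.argv[1]))
    print("PASS" if passed else "FAIL", *notes, sep="\n")
```

A "refused" result for TLS 1.0/1.1 is only a lower bound when the local OpenSSL build has those versions compiled out, which is why the SSL Labs scan remains the authoritative check.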
Solution Security Features
An eSignature CSP solution should support your privacy and security needs. This is especially true if you’re handling sensitive information. So, you’ll want to look for solution features that help you control and protect that information. For example, look for strong password rules and standardized multi-factor authentication methods. Ideally they should be available for both the creators and the signers of your documents. Also look for SAML 2.0 capability so you can use your own organizational electronic identities and related security policies.
Also, ensure that you will have the ability to use more secure eSignature options. For example, those that involve the use of public-key infrastructure (PKI) and notarization services. These are often called “digital” signatures.
You will also want to look for granular security roles and the ability to restrict certain documents to a few individuals. Make sure to clarify and ask questions!