
Signatory processes risk POPI breach

By Admire Moyo, ITWeb's news editor.
Johannesburg, 21 May 2015
Electronic signatures ensure accountability can be easily identified in the event of a breach, says Avi Rose, SA regional sales manager at DocuSign.

Proper signatory processes are essential to ensure all documentation is legally binding. However, the typical practice currently used to collect the required signatures - e-mail, print, sign and scan - exposes this information to risk, in contravention of the Protection of Personal Information (POPI) Act.

So says Avi Rose, SA regional sales manager at DocuSign, who notes all signature-dependent processes - from internal HR forms, through to financial notifications and external customer contracts - need to be carefully considered in light of POPI.

The POPI Act was signed into law by President Jacob Zuma in November 2013, and promotes transparency with regard to what information is collected and how it is to be processed. Once the Act comes into effect - a date is yet to be announced - non-compliance will carry a maximum penalty of 10 years in prison, or a R10 million fine.

The new law is about to come into effect after the Department of Justice announced it would start the ball rolling for the appointment of an Information Regulator. The appointment of the regulator was one of the main issues holding up the new law.

Unacceptable practices

For example, Rose says, the law can be infringed when a vendor generates an order, service level agreement, or any other customer agreement, electronically.

"These documents are sent to a client via e-mail or fax, are then printed by the customer for signing with an insecure wet-ink signature. These documents are then scanned and e-mailed back to the vendor with an insecure digitised signature or couriered back to the vendor. This process may even be repeated numerous times for co-signing," he explains.

David Luyt, an attorney from Michalsons, notes this creates numerous copies of the same document, all of which include sensitive personal information such as addresses, ID numbers, or account numbers - the unlawful disclosure of which is a criminal offence under the POPI Act - and makes them accessible to others in the office.

"When POPI commences fully, this practice will no longer be acceptable, as personal information must be kept secure and confidential," Luyt says.

However, he believes electronic signatures are a potential solution with numerous benefits, including improved efficiency, lower costs and support for the transition towards a paperless office.

SA embraced the use of electronic signatures as binding following the passing of the Electronic Communications and Transactions (ECT) Act 25 of 2002. The legislation recognises data as the functional equivalent of writing, or evidence in writing, by guaranteeing data messages the same legal validity as messages written on paper.

"Electronic signatures provide a complete, tamper-evident audit trail with time and date stamps, which ensures accountability can be easily identified in the event of a breach," Rose adds.

"By using them, any changes to security policies, processes and other documents requiring a signature will be far easier to manage, clearly showing who approved which change when and at what time."
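The "tamper-evident audit trail with time and date stamps" that Rose refers to is, at its core, an append-only log in which each event is timestamped, bound to the document's hash, chained to the previous event and authenticated with a key. The following is an added illustration of that mechanism in Python; it is not DocuSign's code, and the key, actors, e-mail addresses and policy text are constructed placeholders. A keyed HMAC with a local key stands in for the signing service's own signature, and the three verification checks show which kind of tampering each one catches.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed example key: a real service would hold this in an HSM or KMS.
AUDIT_KEY = b"example-audit-key-not-for-production"

# Hash that the first entry chains back to.
GENESIS = "0" * 64


def canonical(entry: dict) -> bytes:
    """Deterministic serialisation so every party hashes identical bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(trail: list, actor: str, action: str, document: bytes, when=None) -> dict:
    """Append a timestamped, hash-chained, MAC-protected event to the trail."""
    when = when or datetime.now(timezone.utc)
    prev_hash = trail[-1]["entry_hash"] if trail else GENESIS
    body = {
        "seq": len(trail),
        "timestamp": when.isoformat(),
        "actor": actor,
        "action": action,
        "doc_sha256": hashlib.sha256(document).hexdigest(),  # binds event to content
        "prev_hash": prev_hash,                              # chains to prior event
    }
    entry_hash = hashlib.sha256(canonical(body)).hexdigest()
    tag = hmac.new(AUDIT_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, entry_hash=entry_hash, mac=tag)
    trail.append(entry)
    return entry


def verify_trail(trail: list) -> tuple:
    """Return (True, None) if intact, otherwise (False, seq of first bad entry).

    Check 1 catches reordering or deletion (sequence / chain break).
    Check 2 catches edited fields (entry hash no longer matches the body).
    Check 3 catches an attacker who edited a field and recomputed the hash
    but does not hold the key (MAC mismatch).
    """
    expected_prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k not in ("entry_hash", "mac")}
        if entry.get("seq") != i or body.get("prev_hash") != expected_prev:
            return False, i
        recomputed = hashlib.sha256(canonical(body)).hexdigest()
        if not hmac.compare_digest(recomputed, entry["entry_hash"]):
            return False, i
        expected_mac = hmac.new(AUDIT_KEY, recomputed.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, entry["mac"]):
            return False, i
        expected_prev = recomputed
    return True, None


def demo_trail() -> list:
    """Constructed sample: one security policy routed to two approvers."""
    policy = b"Acme security policy v2 (constructed sample text)"
    t0 = datetime(2015, 5, 21, 9, 0, tzinfo=timezone.utc)
    trail = []
    append_event(trail, "ciso@example.test", "sent_for_signature", policy, t0)
    append_event(trail, "hr@example.test", "signed", policy, t0.replace(hour=10))
    append_event(trail, "cfo@example.test", "signed", policy, t0.replace(hour=11))
    return trail


def tampered_trail() -> list:
    """Same trail with the second signer's identity altered after the fact."""
    trail = demo_trail()
    trail[1]["actor"] = "intern@example.test"
    return trail


if __name__ == "__main__":
    print("intact trail:", verify_trail(demo_trail()))      # (True, None)
    print("tampered trail:", verify_trail(tampered_trail()))  # (False, 1)
```

Verification answers exactly the question the article raises: who approved which document, and when. Any later edit to an approver's name, a timestamp or the document hash, or the removal of an event from the middle of the trail, surfaces as a failure at a specific sequence number. The one thing the chain cannot prove on its own is the absolute time of an event, since timestamps are supplied by the logging service; a production deployment would anchor them with a trusted timestamping authority.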

Inefficient and time-consuming

In addition, he points out electronic signatures can dramatically speed up the time it takes for security policy changes to be approved. With a wet-ink process, Rose explains, the policy must be printed and then physically signed, often by up to five different people, which is not only inefficient and time-consuming, but can be risky since the time it takes to sign off the security policy might be critical.

"This is because the new policy needs to be approved before being deployed, and during the sign-off period the organisation might be exposed to a security threat," adds Rose.

With the prospect of POPI enforcement looming over many organisations' heads, now is the time to examine all existing processes for compliance, says Luyt.

In particular, Luyt notes, when signing documents, electronic signatures can help organisations to ensure that personal customer information remains private and confidential.

"They provide a full audit trail and can integrate into workflows to minimise data exposure, as well as help the organisation to more tightly manage all signatory processes. Ensuring your electronic signature solution supports POPI compliance can ease the process of gearing up to handle this new piece of legislation," concludes Luyt.
