Electronic Document (and Signature) Protection and Compliance
Why you Need Secure Electronic Archiving that also Retains its Probative Value
The fight against cyber-attacks is a reality facing companies across all business sectors. IT, finance, real estate, HR and healthcare, among others, have already all been impacted by the threat of theft of unprotected data. In France for example, 20,000 computers are infected every month by ransomware (source: Altospam).
All too frequently, electronic documents are stored internally by companies and saved onto unsecure servers or hard disks, which are almost freely accessible to employees and easy for external individuals or companies to hack into. However, European legislation is clear on this subject. Company management documents are subject to archiving obligations. Furthermore, under digital transition, the use of electronic documents is spreading almost exponentially and the archiving requirements applied to hard copies are also applied to digital documents. For example, retention duration obligations, which usually span a long period, are the same.
However, specific European and overseas legislation states that electronic documents are only legally admissible, in the event of an administrative control or under litigation procedures, if they are archived under conditions which guarantee their integrity. It is therefore necessary to ensure that the documents in question cannot be voluntarily or accidentally altered during the entire period covered by retention obligations.
This high level of protection, if carried out under optimum conditions, enables companies to comply with archiving legislation and also keep legally admissible documents in the event of litigation, while providing protection against cyber-attacks and avoiding data theft. This is the case when outsourcing to a qualified external service provider.
The importance of electronic data archiving
Electronic archiving, which is indispensable under corporate digital transformation, may alarm certain users who are still attached to hard-copy archives.
However, electronic archiving involves the same legal constraints as hard-copy archiving, while also enhancing the advantages. Digital transformation is governed by a variety of regulations. These include national laws among EU member countries, which are sourced from the same original European text published in 1999, along with tax legislation and personal data protection acts such as the GDPR, as well as healthcare data guidelines and the European eIDAS regulation concerning the inclusion of an electronic signature in digital documents. Companies now have the right to conserve invoices solely in electronic format and can therefore jettison the original hard copies. This is also the case for expense-claims invoices, personal healthcare data documents and private deeds, such as contracts and terms & conditions etc.
Furthermore, electronic archiving also maintains document confidentiality with regard to unauthorised third parties, within or outside of companies.
Long-term electronic document retention therefore provides a number of advantages over hard-copy archiving. These include improved process fluidity, automation, time and space saving, avoiding painstaking handling and reducing wastage associated with paper in terms of water, wood and CO2, as well as reducing real estate space and avoiding errors.
As we outlined above, electronic documents comply with the same legal retention constraints as hard-copy documents, notably in terms of duration. It should also be noted that even in the absence of a legal retention period, most corporate documents including contracts, order forms and project delivery receipts, are liable to be admissible as proof in the event of litigation. It is therefore vital for companies to have these documents at their disposal at all times for use in their defence against a legal challenge, until the expiry of the statute of limitations.
Under electronic retention procedures, meeting the requirements in terms of guaranteeing the integrity of documents during the entire legally-binding period is a key factor.
In the event of litigation, notably involving electronically signed documents, proof of traceability will also have to be provided, demonstrating the processes which were implemented, the security controls carried out, and the algorithm used to manage the electronic signature and its validity at the time the document was signed.
Proof will also be required that the security of the signature algorithm had not been breached, as defined for the specific trust services implemented under the eIDAS regulation. These factors enable experts mandated by the courts to carry out technical controls to determine whether the electronic documents submitted are admissible as evidence.
A file stored passively in PDF format on a server, or within a GED/ECM (electronic document management) system, will therefore not comply with legal obligations when an electronic document is challenged in litigation.
Cyber-criminality, a reality impacting all sectors
Electronic archiving is clearly the most secure option in terms of long-term conservation. It would be unthinkable to store confidential data on a hard disk or on a server within a company, where it would be exposed to any type of internal or external attack.
2017 was marked by a number of high-profile cyber-attacks which have continued to hit the headlines this year as well. Cases such as WannaCry and NotPetya have adopted multiple forms and hit all types of companies. They share the characteristic of being mostly associated with unsecured data, or an IT flaw, enabling easy access to the system.
In February 2016 for example, the Hollywood Presbyterian Medical Center in California was hit by a cyber-attack. The hackers paralysed the IT system and demanded a ransom of 3.4 million dollars in bitcoins. Over 900 patients had to be transferred to other hospitals during the time taken to pay the ransom and restore the IT system.
In September 2017, the US personal credit rating group Equifax was also attacked. Hackers accessed the personal data of 145 million of the company’s clients via an IT flaw in the corporate website. It was not difficult for the attackers to locate the data stored on the company servers.
This case demonstrates the importance of securing documents, particularly for long-term retention. Adequate protection requires specific skills and financial, technical and human resources which are not necessarily available to all companies. Outsourcing to a specialist electronic data retention service provider can therefore clearly help companies.
Why outsource to a qualified service provider to archive documents securely?
Outsourcing to a qualified service provider specialising in electronic data archiving is an advantageous solution to potentially prevent cyber-attacks. As we outlined above, companies which no longer have access to archived documents are exposed to administrative risks, in that they will not be able to defend themselves in the event of litigation, with heavy financial consequences and also criminal liability for managers.
Furthermore, hackers may have different motives for breaking into IT systems and storage servers. They may, for example, plan to steal an important document to avoid its use in litigation, or spy on a competitor by stealing sensitive business documents or curb their business activity, or even damage their image by publishing false documents.
However, it is almost impossible to delete, insert or steal documents which are stored via an EAS-certified electronic archiving system complying with the standards currently in force relating to archiving and security, using cryptographic resources which can control the integrity of each document and of the entire archive audit trail for each client company. These types of system also make it impossible to overwrite the disks used, and ensure long-term data security and integrity.

The role of the service provider in the archiving process is to protect a company’s IT assets, including safeguarding against employees attempting to inflict damage on their employer. These assets include documents associated with a company’s know-how and the proofs which must be preserved in the event of litigation or an administrative control, as well as personal data which may be contained within the archived documents, particularly in the case of BtoC clients. By outsourcing to a certified electronic archiver, companies ensure the long-term retention of their documents in a reliable, secure format and also maintain their probative value.
Outsourcing to a certified third-party archiver also guarantees that documents cannot be altered. Companies cannot therefore be suspected of manipulating their documents and they also avoid systems failures and technological obsolescence, while keeping pace with legal and normative changes. Only authorised employees have access to the conserved data and all interventions are logged. Traceability of the audit trail for documents and events during their retention is guaranteed, along with permanent format readability and security.
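The two paragraphs above describe the mechanism without showing it: each document's integrity is controlled cryptographically, every intervention is logged, and the audit trail itself is protected so that it can later be checked by a court-appointed expert, together with the algorithm that was in use at the time. The following Python code is an added illustration written for this page; it is not the software of any archiving provider mentioned here. It assumes a write-once document store, SHA-256 as the recorded hash algorithm, constructed sample documents and actor names, and plain string timestamps where a real system would use a trusted time source. Each trail entry records the hash of the document, the algorithm used and the hash of the previous entry, so that altering a stored file, or rewriting an earlier log entry, is detected when the trail is re-verified.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List

# Algorithm recorded in every trail entry, so a later review can see which
# algorithm protected each record (and judge whether it is still sound).
HASH_ALGO = "sha256"
GENESIS = "0" * 64  # prev_hash value for the very first entry of a trail


def digest(data: bytes, algo: str = HASH_ALGO) -> str:
    """Hex digest of data with the named hash algorithm."""
    return hashlib.new(algo, data).hexdigest()


@dataclass
class TrailEntry:
    seq: int          # position in the trail
    event: str        # "deposit" or "access"
    doc_id: str
    actor: str        # who performed the operation (constructed names in demo)
    timestamp: str    # constructed ISO timestamp (assumption: trusted clock elsewhere)
    algo: str         # hash algorithm used to compute doc_hash
    doc_hash: str     # digest of the document content at the time of the event
    prev_hash: str    # entry_hash of the preceding entry: this chains the trail
    entry_hash: str = ""

    def canonical(self) -> bytes:
        """Deterministic serialisation of every field except entry_hash itself."""
        body = asdict(self)
        body.pop("entry_hash")
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class ProbativeArchive:
    """Write-once document store with a hash-chained audit trail (illustrative)."""

    def __init__(self) -> None:
        self.documents: Dict[str, bytes] = {}
        self.trail: List[TrailEntry] = []

    def _append(self, event: str, doc_id: str, actor: str,
                timestamp: str, doc_hash: str) -> TrailEntry:
        prev = self.trail[-1].entry_hash if self.trail else GENESIS
        entry = TrailEntry(len(self.trail), event, doc_id, actor,
                           timestamp, HASH_ALGO, doc_hash, prev)
        entry.entry_hash = digest(entry.canonical())
        self.trail.append(entry)
        return entry

    def deposit(self, doc_id: str, content: bytes, actor: str, timestamp: str) -> TrailEntry:
        """Store a document once; a second deposit under the same id is refused (no overwrite)."""
        if doc_id in self.documents:
            raise ValueError(f"{doc_id}: archived documents are write-once")
        self.documents[doc_id] = content
        return self._append("deposit", doc_id, actor, timestamp, digest(content))

    def read(self, doc_id: str, actor: str, timestamp: str) -> bytes:
        """Return a document and log the access, so every consultation is traceable."""
        content = self.documents[doc_id]
        self._append("access", doc_id, actor, timestamp, digest(content))
        return content

    def verify(self) -> List[str]:
        """Recompute every hash in the trail and store; an empty list means intact."""
        problems: List[str] = []
        prev = GENESIS
        for i, e in enumerate(self.trail):
            if e.seq != i:
                problems.append(f"entry {i}: sequence number {e.seq} out of order")
            if e.prev_hash != prev:
                problems.append(f"entry {i}: chain broken (prev_hash mismatch)")
            if digest(e.canonical()) != e.entry_hash:
                problems.append(f"entry {i}: entry contents modified")
            prev = e.entry_hash
        for doc_id, content in self.documents.items():
            deposits = [e for e in self.trail if e.event == "deposit" and e.doc_id == doc_id]
            if not deposits:
                problems.append(f"{doc_id}: stored without a deposit record")
            elif digest(content, deposits[0].algo) != deposits[0].doc_hash:
                problems.append(f"{doc_id}: content no longer matches the deposited hash")
        return problems


def demo() -> Dict[str, List[str]]:
    """Build a small archive, then show what verify() reports after two kinds of tampering."""
    archive = ProbativeArchive()  # constructed sample documents and actors
    archive.deposit("contract-2018-001", b"Supply contract, signed 15 Jan 2018",
                    "clerk.a", "2018-01-15T09:00:00Z")
    archive.deposit("invoice-2018-042", b"Invoice 42: 1,200 EUR",
                    "clerk.b", "2018-02-03T14:30:00Z")
    archive.read("contract-2018-001", "auditor.c", "2018-06-01T10:00:00Z")
    intact = archive.verify()

    # 1. Someone with disk access edits a stored document body.
    archive.documents["invoice-2018-042"] = b"Invoice 42: 12,000 EUR"
    doc_tampered = archive.verify()
    archive.documents["invoice-2018-042"] = b"Invoice 42: 1,200 EUR"  # restore

    # 2. Someone rewrites who deposited the contract and recomputes that entry's
    #    own hash; the next entry's prev_hash no longer matches, so the chain breaks.
    archive.trail[0].actor = "someone.else"
    archive.trail[0].entry_hash = digest(archive.trail[0].canonical())
    trail_tampered = archive.verify()
    return {"intact": intact, "doc_tampered": doc_tampered, "trail_tampered": trail_tampered}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "no problems")
```

Run as a script, the demo reports no problems for the untouched archive, a content mismatch for the edited invoice, and a broken chain at entry 1 after the first log entry is rewritten. One caveat the code itself cannot solve: an attacker who can rewrite the whole trail can recompute every hash, so the chain head must be anchored outside the archive (for instance with a timestamp from a trust service, which is an assumption here, not something the page specifies) for the trail to carry weight in front of an expert.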
The outsourced third-party archiver selected for long-term document retention must be certified and comply with current standards in order to guarantee the security of the entrusted data. A number of indispensable authorisations, standards, certifications and qualifications exist. These include ISO 27001, for IT security management systems; NF 461, for compliance with the AFNOR NF Z 42-013 and ISO 14641-1 standards relating to certified electronic archiving systems; the France Cybersecurity label; the healthcare data hosting licence; and the eIDAS qualification of trust service providers for the validation and preservation of electronic signatures.
Outsourcing to a qualified service provider for electronic archiving which maintains probative value is therefore indispensable for companies wishing to ensure full compliance, protection against legal risks and the safeguarding of their documents against cyber-attacks. Qualified service providers possess the technical and human resources to secure the entrusted documents. They commit most of their R&D to these services and are audited very frequently by third parties with regard to all aspects of compliance.
As well as possessing cutting-edge technological systems, specialist IT and cyber-security teams are committed to ensuring compliance with current standards and certification and are also able to adapt to the regulations in force. These teams strive not only to protect archived data, they also manage systems with the capacity to conserve massive quantities of documents and ensure that they do not lose their integrity. Data security, confidentiality and availability are the hallmarks of these service providers, who devote all of their resources on a real-time basis towards protecting and securing data, while committing to developing their R&D in order to keep pace with cyber-threats.